From lars+lister.mailscanner at adventuras.no Wed Nov 1 00:24:24 2006
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen)
Date: Wed Nov 1 00:24:54 2006
Subject: dcc logs
In-Reply-To: <625385e30610311520w48b58dfcod6adca5e88e4a542@mail.gmail.com>
References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> <4545D649.7FBE.00FC.3@medicine.wisc.edu> <45479D75.5010809@ecs.soton.ac.uk> <625385e30610311520w48b58dfcod6adca5e88e4a542@mail.gmail.com>
Message-ID: <4547E938.60607@adventuras.no>

shuttlebox wrote:
> On 10/31/06, Ugo Bellavance wrote:
>> I'll try to do it if I can find some time. BTW I think this only
>> happens when one uses dccifd. Correct me if I'm wrong but if you're
>> only using dccproc, you don't have those logs...
>
> That's correct.
>

Does this apply?
From http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dccproc.html :
"
If dccproc is run more than 500 times in fewer than 5000 seconds,
dccproc tries to start Dccifd(8). The attempt is made at most once per
hour. Dccifd is significantly more efficient than dccproc. With luck,
mechanisms such as SpamAssassin will notice when dccifd is running and
switch to dccifd.
"

--
Regards,
Lars

From itdept at fractalweb.com Wed Nov 1 01:42:34 2006
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Nov 1 01:42:46 2006
Subject: Duplicate messages, first the full, then a blank
Message-ID: <4547FB8A.7020503@fractalweb.com>

Hi everyone,

I'm stumped. Intermittently, but dozens of times a day, our system sends the full message and body to the recipient, then a few minutes later sends an empty message with the same message ID to the same recipient. I don't know where to start looking at this.

We're running MailScanner with Sendmail.
Thanks,
Chris

From drew at technologytiger.net Wed Nov 1 01:59:51 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Nov 1 01:59:55 2006
Subject: Duplicate messages, first the full, then a blank
In-Reply-To: <4547FB8A.7020503@fractalweb.com>
References: <4547FB8A.7020503@fractalweb.com>
Message-ID: <938A53F2-3B4C-4B24-AF64-CF9ED3326387@technologytiger.net>

On 1 Nov 2006, at 01:42, Chris Yuzik wrote:

> Hi everyone,
>
> I'm stumped. Intermittently, but dozens of times a day, our system
> sends the full message and body to the recipient, then a few
> minutes later sends an empty message with the same message ID to
> the same recipient. I don't know where to start looking at this.

You could try in the list archives :-)

Then, try looking at the file locking in Sendmail and if you are running 8.13.x (From memory) you need to make sure you are not using flock in MailScanner.conf

The exact details have been posted a good few times already.

Drew

From ugob at camo-route.com Wed Nov 1 02:47:47 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Wed Nov 1 02:49:24 2006
Subject: dcc logs
In-Reply-To: <4547E938.60607@adventuras.no>
References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> <4545D649.7FBE.00FC.3@medicine.wisc.edu> <45479D75.5010809@ecs.soton.ac.uk> <625385e30610311520w48b58dfcod6adca5e88e4a542@mail.gmail.com> <4547E938.60607@adventuras.no>
Message-ID:

Lars Kristiansen wrote:
> shuttlebox wrote:
>> On 10/31/06, Ugo Bellavance wrote:
>>> I'll try to do it if I can find some time. BTW I think this only
>>> happens when one uses dccifd. Correct me if I'm wrong but if you're
>>> only using dccproc, you don't have those logs...
>>
>> That's correct.
>>
>
> Does this apply?
> From http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dccproc.html :
> "
> If dccproc is run more than 500 times in fewer than 5000 seconds,
> dccproc tries to start Dccifd(8). The attempt is made at most once per
> hour. Dccifd is significantly more efficient than dccproc.
> With luck, mechanisms such as SpamAssassin will notice when dccifd is running and
> switch to dccifd.
> "

Maybe it does, but it is fairly easy (see the wiki entry) to set up Dccifd, so I think it is worth setting it up. At worst, if Dccifd is not available, SpamAssassin falls back to dccproc.

From itlist at gmail.com Wed Nov 1 03:58:48 2006
From: itlist at gmail.com (Cheng Bruce)
Date: Wed Nov 1 03:58:52 2006
Subject: how to cache no-spam message shown its content in mailwatch
In-Reply-To: <4547A142.5030204@ecs.soton.ac.uk>
References: <4547A142.5030204@ecs.soton.ac.uk>
Message-ID:

Hi,

Thank you for your hint. You are right. But how can I modify this to really pass it.
Because I released it, user still needed me to copy from server.

# file /var/spool/MailScanner/quarantine/20061030/EBCD82561BA.24CE5/SEA_SO.bpl
/var/spool/MailScanner/quarantine/20061030/EBCD82561BA.24CE5/SEA_SO.bpl: MS-DOS executable (EXE), OS/2 or MS Windows

2006/11/1, Julian Field :
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Cheng Bruce wrote:
> > Dear all,
> >
> > I am starting to use mailscanner with mailwatch, recently get a lot of
> > spams going through my mail server which are treated as no-spam.
> > They have legitimate helo, sender , domains and so on. And they passed
> > the RBL which I set in "spam list" of mailscanner.
> > If I can review the messages like SPAM, I can add some rules in my
> > server to block them.
> >
> > by the way, is it possible to release the non-spam message as
> > original messages to users but not included in the message ?
> >
> > When our vendor send the update file (*.bpl) to us, it was blocked. I
> > don't know how to release this rule, because I only can do is remark
> > "deny executable No executables No programs allowed"
> > this line in "/etc/MailScanner/filetype.rules.conf".
> >
> > Would you please advise me how to do it ?
> What does the "file" command output when given one of the *.bpl files?
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.0 (Build 1112)
> Comment: Fetch my public key foot-print from www.mailscanner.info
> Charset: ISO-8859-1
>
> wj8DBQFFR6I7EfZZRxQVtlQRAjK1AJ9yQIwaD3DL9qjZaP3uHRI//FHzwQCg3L+G
> ysz/3TXUmmGo1I2nSjqNwfI=
> =MPAB
> -----END PGP SIGNATURE-----
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061101/51f279c1/attachment.html

From daniel at danielf.ch Wed Nov 1 09:18:32 2006
From: daniel at danielf.ch (Daniel Fuhrer)
Date: Wed Nov 1 09:18:39 2006
Subject: MCP Rules
Message-ID: <96EF3FB3C374A64187CCB0D0DA716F244670@idefix.danielf.local>

Hi all

Is it possible that each user uses some default MCP rule sets and has an own rule set?

Something like this.

User1@domain.com uses "mcp.default.rule" & "mcp.user1.rule"
User2@domain.com uses "mcp.default.rule" & "mcp.user2.rule"

But the users don't exist on mailscanner box. So he has no home directory. The own rule sets can be different files and don't have to correspond with the username in the email address.

If so, can someone give me an example?

Thanks for your help.

Cheers Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061101/000cd22f/attachment.html

From glenn.steen at gmail.com Wed Nov 1 09:59:51 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 1 09:59:55 2006
Subject: how to cache no-spam message shown its content in mailwatch
In-Reply-To:
References: <4547A142.5030204@ecs.soton.ac.uk>
Message-ID: <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com>

On 01/11/06, Cheng Bruce wrote:
> Hi,
>
> Thank you for your hint. You are right. But how can I modify this to really
> pass it.
> Because I released it, user still needed me to copy from server.
>
> # file
> /var/spool/MailScanner/quarantine/20061030/EBCD82561BA.24CE5/SEA_SO.bpl
> /var/spool/MailScanner/quarantine/20061030/EBCD82561BA.24CE5/SEA_SO.bpl:
> MS-DOS executable (EXE), OS/2 or MS Windows
>
Some (linux) versions of file have a very "optimistic" detection of DOS executables. What to look for and where to edit (your magic file) has been covered before on this list... Try a search over at gman;-). Or just search your magic file for the detected string, it is likely very obvious what to do:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From richard.thomas at psysolutions.com Wed Nov 1 14:29:59 2006
From: richard.thomas at psysolutions.com (Richard Thomas)
Date: Wed Nov 1 14:40:22 2006
Subject: Mailscanner- Quarantine to SQL DB instead of Filesystem?
In-Reply-To:
References:
Message-ID: <4548AF67.8010307@psysolutions.com>

falz wrote:
> I'm curious if anyone's written a patch, or know of a trick to
> quarantine a message to a SQL db INSTEAD OF a filesystem path. This is
> in conjunction with Mailwatch, which would obviously have to be
> patched to view this correctly.
>
> The reason for this is so that I can have multiple Mailscanner servers
> with RRDNS or balanced with same weight MX records and have the
> Mailwatch web interface and SQL database all be separate.
>
> Any suggestions?
>
> --falz

Ouch. The best place to store files is in the filesystem (except in very special cases). If you want to share between several computers, you might look into one of the several network file systems.

Rich

From richard.thomas at psysolutions.com Wed Nov 1 14:38:49 2006
From: richard.thomas at psysolutions.com (Richard Thomas)
Date: Wed Nov 1 14:50:35 2006
Subject: two messages repeatedly processed
In-Reply-To:
References: <45464609.4010208@dalsemi.com>
Message-ID: <4548B179.1090508@psysolutions.com>

Scott Silva wrote:
>>
> Is there anything common to these messages? TNEF? Mimetype? Encoding?
> Are they larger than average?
> I have seen this in messages that failed the TNEF decoder in the past, but any
> process that chokes on them could be leaving them un-processed.
>
>
I have had similar. When I run MailScanner manually with debug on, it gives an error about a character (can't remember off the top of my head). It unfortunately causes the mail queue to back up quite a lot.

Rich

From andoni.auzmendi at robertwalters.com Wed Nov 1 15:29:15 2006
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi)
Date: Wed Nov 1 15:29:44 2006
Subject: rejecting botnets with sendmail
Message-ID: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>

Experiencing the recent increase in spam from botnets, is there a way to reject (or discard) connections coming from servers containing their ip address within the hostname? I can see lots of connections from broadband or dialup addresses. Some of them even bypass greylist as they resend the messages several times. We use Sendmail here and I guess there must be a milter which is capable of doing that.

Andoni Auzmendi

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From richard.thomas at psysolutions.com Wed Nov 1 15:47:08 2006
From: richard.thomas at psysolutions.com (Richard Thomas)
Date: Wed Nov 1 15:54:22 2006
Subject: Disarmed HTML -> Blank messages
Message-ID: <4548C17C.5010608@psysolutions.com>

We have the occasional issue of users complaining about receiving blank messages. Checking in the logs, it looks as if Mailscanner has "disarmed" the HTML (Unfortunately, it doesn't log the exact reason). For whatever reason, this breaks the HTML and the page is blank. This in itself wouldn't be so much of an issue but there is no explanatory message from MailScanner in the email and no way to recover the original email (it is not quarantined). So questions are:

1)Can I add an explanatory message
2)Can I make MailScanner keep a copy of the original message in quarantine?

Thanks

Rich

From Denis.Beauchemin at USherbrooke.ca Wed Nov 1 16:06:34 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 1 16:07:04 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
Message-ID: <4548C60A.7000202@USherbrooke.ca>

Andoni Auzmendi wrote:
> Experiencing the recent increase in spam from botnets, is there a way to
> reject (or discard) connections coming from servers containing their ip
> address within the hostname? I can see lots of connections from
> broadband or dialup addresses. Some of them even bypass greylist as
> they resend the messages several times. We use Sendmail here and I guess
> there must be a milter which is capable of doing that.
>
> Andoni Auzmendi
>
Andoni,

This saved us:
FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl

Put it in your sendmail.mc and then make your sendmail.cf from it. Last step is to restart sendmail using MailScanner's script.

I guess you can use other RBLs but I don't know which ones to recommend.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061101/d4536082/smime.bin

From MailScanner at ecs.soton.ac.uk Wed Nov 1 16:11:15 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Nov 1 16:14:34 2006
Subject: MCP Rules
In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F244670@idefix.danielf.local>
References: <96EF3FB3C374A64187CCB0D0DA716F244670@idefix.danielf.local>
Message-ID: <4548C723.6080005@ecs.soton.ac.uk>

You cannot do this yet, but when I get time I will work on solving this problem completely.

Matt Hampton ---- Please can you re-send me your contributions for solving this?

Daniel Fuhrer wrote:
>
> Hi all
>
> Is it possible that each user uses some default MCP rule sets and has
> an own rule set?
>
> Something like this.
>
> User1@domain.com uses "mcp.default.rule" &
> "mcp.user1.rule"
>
> User2@domain.com uses "mcp.default.rule" &
> "mcp.user2.rule"
>
> But the users don't exist on mailscanner box. So he has no home
> directory. The own rule sets can be different files and don't have to
> correspond with the username in the email address.
>
> If so, can someone give me an example?
>
> Thanks for your help.
>
> Cheers Daniel
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Nov 1 16:16:39 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Nov 1 16:17:58 2006
Subject: two messages repeatedly processed
In-Reply-To: <4548B179.1090508@psysolutions.com>
References: <45464609.4010208@dalsemi.com> <4548B179.1090508@psysolutions.com>
Message-ID: <4548C867.9030109@ecs.soton.ac.uk>

Richard Thomas wrote:
> Scott Silva wrote:
>>>
>> Is there anything common to these messages? TNEF? Mimetype? Encoding?
>> Are they larger than average?
>> I have seen this in messages that failed the TNEF decoder in the
>> past, but any
>> process that chokes on them could be leaving them un-processed.
>>
>>
> I have had similar. When I run MailScanner manually with debug on, it
> gives an error about a character (can't remember off the top of my
> head). It unfortunately causes the mail queue to back up quite a lot.

If it's of any use to you, the author of the tnef program recently produced a new version to solve a unicode problem with "foreign" characters appearing in the filenames. Upgrade to the latest version of the tnef program (which is already included in my distributions) and you may well find your TNEF problems go away.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Nov 1 16:27:03 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Nov 1 16:29:33 2006
Subject: Disarmed HTML -> Blank messages
In-Reply-To: <4548C17C.5010608@psysolutions.com>
References: <4548C17C.5010608@psysolutions.com>
Message-ID: <4548CAD7.9030207@ecs.soton.ac.uk>

Richard Thomas wrote:
> We have the occasional issue of users complaining about receiving
> blank messages. Checking in the logs, it looks as if Mailscanner has
> "disarmed" the HTML (Unfortunately, it doesn't log the exact reason).
> For whatever reason, this breaks the HTML and the page is blank. This
> in itself wouldn't be so much of an issue but there is no explanatory
> message from MailScanner in the email and no way to recover the
> original email (it is not quarantined). So questions are:
>
> 1)Can I add an explanatory message
> 2)Can I make MailScanner keep a copy of the original message in
> quarantine?
Search MailScanner.conf for the word Quarantine. It pops up quite a bit...
>
> Thanks
>
> Rich

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From jrudd at ucsc.edu Wed Nov 1 16:33:55 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Nov 1 16:37:10 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
Message-ID: <4548CC73.7060508@ucsc.edu>

Andoni Auzmendi wrote:
> Experiencing the recent increase in spam from botnets, is there a way to
> reject (or discard) connections coming from servers containing their ip
> address within the hostname? I can see lots of connections from
> broadband or dialup addresses. Some of them even bypass greylist as
> they resend the messages several times. We use Sendmail here and I guess
> there must be a milter which is capable of doing that.
>

I have done it with mimedefang. It's pretty trivial to put the code into filter_sender in mimedefang.

However, I've been asked to not talk about mimedefang widely on this list, so if you have more questions, you can probably look on that mailing list.

(and I think my code might even be in their list archives; if not, go ahead and ask over there, and I'll post the code)

From dave.list at pixelhammer.com Wed Nov 1 16:41:20 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Nov 1 16:41:36 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548C60A.7000202@USherbrooke.ca>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca>
Message-ID: <4548CE30.7070005@pixelhammer.com>

Denis Beauchemin wrote:
> Andoni Auzmendi wrote:
>> Experiencing the recent increase in spam from botnets, is there a way to
>> reject (or discard) connections coming from servers containing their ip
>> address within the hostname? I can see lots of connections from
>> broadband or dialup addresses. Some of them even bypass greylist as
>> they resend the messages several times.
>> We use Sendmail here and I guess
>> there must be a milter which is capable of doing that.
>>
>> Andoni Auzmendi
>>
> Andoni,
>
> This saved us:
> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr}
> " found in safe.dnsbl.sorbs.net"')dnl

What list is this? I don't see it on the sorbs.net website.

I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to remove it. Our VOIP provider (we are a reseller) has their VM server on the dul list. All VM wave files have been blocked since I started using dul last week to thwart a dictionary attack. I hate spammers, really, I wish them all constant pain and eternal agony.

DAve

>
> Put it in your sendmail.mc and then make your sendmail.cf from it. Last
> step is to restart sendmail using MailScanner's script.
>
> I guess you can use other RBLs but I don't know which ones to recommend.
>
> Denis
>

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From martinh at solidstatelogic.com Wed Nov 1 16:47:56 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 1 16:48:11 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548CE30.7070005@pixelhammer.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com>
Message-ID: <4548CFBC.9080800@solidstatelogic.com>

DAve wrote:
> Denis Beauchemin wrote:
>> Andoni Auzmendi wrote:
>>> Experiencing the recent increase in spam from botnets, is there a way to
>>> reject (or discard) connections coming from servers containing their ip
>>> address within the hostname? I can see lots of connections from
>>> broadband or dialup addresses. Some of them even bypass greylist as
>>> they resend the messages several times.
>>> We use Sendmail here and I guess
>>> there must be a milter which is capable of doing that.
>>>
>>> Andoni Auzmendi
>>>
>> Andoni,
>>
>> This saved us:
>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>
> What list is this? I don't see it on the sorbs.net website.
>
> I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to
> remove it. Our VOIP provider (we are a reseller) has their VM server on
> the dul list. All VM wave files have been blocked since I started using
> dul last week to thwart a dictionary attack. I hate spammers, really, I
> wish them all constant pain and eternal agony.
>
> DAve
>
>>
>> Put it in your sendmail.mc and then make your sendmail.cf from it.
>> Last step is to restart sendmail using MailScanner's script.
>>
>> I guess you can use other RBLs but I don't know which ones to recommend.
>>
>> Denis
>>
>
>
for me I find the DUL RBLs too sensitive and I don't run them..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From rcooper at dwford.com Wed Nov 1 17:09:11 2006
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Nov 1 17:09:28 2006
Subject: A note about ClamAV 0.90rc2
Message-ID: <00ba01c6fdd8$751f8100$0301a8c0@SAHOMELT>

I installed the 0.90rc2 release this morning, to test the internal unrar code mainly, and found it breaks the ClamAVModule in a big way. And MailScanner dies without explanation over and over.
In debug mode you will find the error in the module. I did a manual compile on Mail::ClamAV and found the problem is in the CL_DISABLERAR section. Apparently the ClamAV maintainers did nothing to accommodate backward compatibility in this regard, so you cannot even compile the module (without doing some rewriting) with the 90rc2 (and probably RC1) version.

If you use the rc2 version you will have to switch to the command line clam scanner.

I did note that clamscan now detects rar files regardless of their extension (or lack thereof) unlike the previous versions. I think, therefore, the --unrar= line for the clamscanners is no longer required but there would have to be some code to detect versions that are older than 0.90rc2 so the external rar switch is not passed. Or Julian will have to require the 0.9x versions once they are the standard release.

Of course if the Mail::ClamAV author doesn't release a compatible version by then the module shouldn't be used, or some form of version clam check should automatically disable it.

Rick Cooper

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From jrudd at ucsc.edu Wed Nov 1 17:11:22 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Nov 1 17:13:48 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
Message-ID: <4548D53A.2030407@ucsc.edu>

Andoni Auzmendi wrote:
> Experiencing the recent increase in spam from botnets, is there a way to
> reject (or discard) connections coming from servers containing their ip
> address within the hostname? I can see lots of connections from
> broadband or dialup addresses. Some of them even bypass greylist as
> they resend the messages several times. We use Sendmail here and I guess
> there must be a milter which is capable of doing that.
>

By the way, if you wanted to just look at scoring them in spam assassin, instead of hard rejecting them, I'm actually moving my code from (a milter) to a Spam Assassin plugin. I've been discussing it over on the SA list. The thread subject is:

Relay Checker Plugin (code review please?)

By doing this in spam assassin, you can quarantine these messages instead of outright rejecting them. This helps you avoid rejecting any (difficult to detect) false positives. Though, honestly, I haven't been aware of any false positives from doing it at the milter level during the last 15 months.

From andoni.auzmendi at robertwalters.com Wed Nov 1 17:25:00 2006
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi)
Date: Wed Nov 1 17:25:42 2006
Subject: rejecting botnets with sendmail
Message-ID: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>

Currently we are using relays.orbs.org, sbl.spamhaus.org and dnsbl.njabl.org. I will also add safe.dnsbl.sorbs.net and see how it goes.

Using the lists I rely on the lists maintainers to add those affected pcs. Is there a way I can use regular expressions to block hostnames containing ip addresses allowing at the same time a whitelist for small companies?

I think mimedefang can do it, but I would rather install a sendmail milter to keep the set up simpler if possible.

Thanks

Andoni

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
Sent: 01 November 2006 16:41
To: MailScanner discussion
Subject: Re: rejecting botnets with sendmail

Denis Beauchemin wrote:
> Andoni Auzmendi wrote:
>> Experiencing the recent increase in spam from botnets, is there a way to
>> reject (or discard) connections coming from servers containing their ip
>> address within the hostname? I can see lots of connections from
>> broadband or dialup addresses. Some of them even bypass greylist as
>> they resend the messages several times.
>> We use Sendmail here and I guess
>> there must be a milter which is capable of doing that.
>>
>> Andoni Auzmendi
>>
> Andoni,
>
> This saved us:
> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr}
> " found in safe.dnsbl.sorbs.net"')dnl

What list is this? I don't see it on the sorbs.net website.

I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to remove it. Our VOIP provider (we are a reseller) has their VM server on the dul list. All VM wave files have been blocked since I started using dul last week to thwart a dictionary attack. I hate spammers, really, I wish them all constant pain and eternal agony.

DAve

>
> Put it in your sendmail.mc and then make your sendmail.cf from it. Last
> step is to restart sendmail using MailScanner's script.
>
> I guess you can use other RBLs but I don't know which ones to recommend.
>
> Denis
>

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From jrudd at ucsc.edu Wed Nov 1 17:32:05 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Nov 1 17:36:57 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>
Message-ID: <4548DA15.9030901@ucsc.edu>

Andoni Auzmendi wrote:
> Currently we are using relays.orbs.org, sbl.spamhaus.org and dnsbl.njabl.org. I will also add safe.dnsbl.sorbs.net and see how it goes.
>
> Using the lists I rely on the lists maintainers to add those affected pcs. Is there a way I can use regular expressions to block hostnames containing ip addresses allowing at the same time a whitelist for small companies?
>
> I think mimedefang can do it, but I would rather install a sendmail milter to keep the set up simpler if possible.
>

Mimedefang _is_ a sendmail milter.

> Thanks
>
> Andoni
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
> Sent: 01 November 2006 16:41
> To: MailScanner discussion
> Subject: Re: rejecting botnets with sendmail
>
> Denis Beauchemin wrote:
>> Andoni Auzmendi wrote:
>>> Experiencing the recent increase in spam from botnets, is there a way to
>>> reject (or discard) connections coming from servers containing their ip
>>> address within the hostname? I can see lots of connections from
>>> broadband or dialup addresses. Some of them even bypass greylist as
>>> they resend the messages several times. We use Sendmail here and I guess
>>> there must be a milter which is capable of doing that.
>>>
>>> Andoni Auzmendi
>>>
>> Andoni,
>>
>> This saved us:
>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr}
> " found in safe.dnsbl.sorbs.net"')dnl
>
> What list is this?
I don't see it on the sorbs.net website.
>
> I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to
> remove it. Our VOIP provider (we are a reseller) has their VM server on
> the dul list. All VM wave files have been blocked since I started using
> dul last week to thwart a dictionary attack. I hate spammers, really, I
> wish them all constant pain and eternal agony.
>
> DAve
>
>> Put it in your sendmail.mc and then make your sendmail.cf from it. Last
> step is to restart sendmail using MailScanner's script.
>>
>> I guess you can use other RBLs but I don't know which ones to recommend.
>>
>> Denis
>>
>
>

From Denis.Beauchemin at USherbrooke.ca Wed Nov 1 18:21:11 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 1 18:21:38 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548CE30.7070005@pixelhammer.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com>
Message-ID: <4548E597.7060009@USherbrooke.ca>

DAve wrote:
> Denis Beauchemin wrote:
>> Andoni Auzmendi wrote:
>>> Experiencing the recent increase in spam from botnets, is there a
>>> way to
>>> reject (or discard) connections coming from servers containing their ip
>>> address within the hostname? I can see lots of connections from
>>> broadband or dialup addresses. Some of them even bypass greylist as
>>> they resend the messages several times. We use Sendmail here and I
>>> guess
>>> there must be a milter which is capable of doing that.
>>>
>>> Andoni Auzmendi
>>>
>> Andoni,
>>
>> This saved us:
>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>
> What list is this? I don't see it on the sorbs.net website.
Dave,

It's an aggregate of:

http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
new.spam.dnsbl.sorbs.net
web.dnsbl.sorbs.net
block.dnsbl.sorbs.net
zombie.dnsbl.sorbs.net
dul.dnsbl.sorbs.net

I really needed to block them at the MTA level because our hw wasn't able to cope with the big increase of spam we saw in the last weeks. Even though I had 3 equal priority MX servers, one was receiving twice as much as the other 2 combined.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061101/e3ee6194/smime.bin

From dave.list at pixelhammer.com Wed Nov 1 18:31:25 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Nov 1 18:31:40 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548E597.7060009@USherbrooke.ca>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> <4548E597.7060009@USherbrooke.ca>
Message-ID: <4548E7FD.9010205@pixelhammer.com>

Denis Beauchemin wrote:
> DAve wrote:
>> Denis Beauchemin wrote:
>>> Andoni Auzmendi wrote:
>>>> Experiencing the recent increase in spam from botnets, is there a
>>>> way to
>>>> reject (or discard) connections coming from servers containing their ip
>>>> address within the hostname? I can see lots of connections from
>>>> broadband or dialup addresses. Some of them even bypass greylist as
>>>> they resend the messages several times. We use Sendmail here and I
>>>> guess
>>>> there must be a milter which is capable of doing that.
>>>>
>>>> Andoni Auzmendi
>>>>
>>> Andoni,
>>>
>>> This saved us:
>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>>
>> What list is this? I don't see it on the sorbs.net website.
>
> Dave,
>
> It's an aggregate of:
>
> http.dnsbl.sorbs.net
> socks.dnsbl.sorbs.net
> misc.dnsbl.sorbs.net
> smtp.dnsbl.sorbs.net
> new.spam.dnsbl.sorbs.net
> web.dnsbl.sorbs.net
> block.dnsbl.sorbs.net
> zombie.dnsbl.sorbs.net
> dul.dnsbl.sorbs.net
>
>
> I really needed to block them at the MTA level because our hw wasn't
> able to cope with the big increase of spam we saw in the last weeks.
> Even though I had 3 equal priority MX servers, one was receiving twice
> as much as the other 2 combined.
>
> Denis
>

Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just hold on and keep my pager batteries fresh.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From alex at nkpanama.com Wed Nov 1 18:54:32 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Nov 1 18:55:11 2006
Subject: OT may be: how to limit size of FuzzyOcr.log?
In-Reply-To: <4547A1AC.8020203@ecs.soton.ac.uk>
References: <00f101c6fc77$bc3649a0$3701a8c0@lapxp> <454688F7.2090405@nkpanama.com> <4547A1AC.8020203@ecs.soton.ac.uk>
Message-ID: <4548ED68.3090905@nkpanama.com>

WOW! Thanks! Didn't know about that smiley thingy...

Julian Field wrote:
> A shorter command that achieves the same thing is the lovely smiley command
> :> /path/to/your/fuzzyocr.log
> ':' is the null command. It does nothing and produces null output. The
> '>' redirects that null output to the following filename, so that
> ':>file' wipes the contents of "file".
>
> Jules

From itdept at fractalweb.com Wed Nov 1 18:57:36 2006
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Nov 1 18:57:52 2006
Subject: Duplicate messages, first the full, then a blank
In-Reply-To: <938A53F2-3B4C-4B24-AF64-CF9ED3326387@technologytiger.net>
References: <4547FB8A.7020503@fractalweb.com> <938A53F2-3B4C-4B24-AF64-CF9ED3326387@technologytiger.net>
Message-ID: <4548EE20.20107@fractalweb.com>

Drew Marshall wrote:
> You could try in the list archives :-)
>
> Then, try looking at the file locking in Sendmail and if you are
> running 8.13.x (From memory) you need to make sure you are not using
> flock in MailScanner.conf The exact details have been posted a good
> few times already.
>

Drew,

Hit the nail on the head. I think that did it. It somehow got blanked out with the last update.

Thanks for your help.

Chris

From alex at nkpanama.com Wed Nov 1 19:00:56 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Nov 1 19:01:35 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548CE30.7070005@pixelhammer.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com>
Message-ID: <4548EEE8.4020905@nkpanama.com>

Couldn't you just have whitelisted the VM server?

DAve wrote:
> Denis Beauchemin wrote:
>> Andoni Auzmendi wrote:
>>> Experiencing the recent increase in spam from botnets, is there a way to
>>> reject (or discard) connections coming from servers containing their ip
>>> address within the hostname? I can see lots of connections from
>>> broadband or dialup addresses. Some of them even bypass greylist as
>>> they resend the messages several times. We use Sendmail here and I guess
>>> there must be a milter which is capable of doing that.
>>>
>>> Andoni Auzmendi
>>>
>> Andoni,
>>
>> This saved us:
>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>
> What list is this? I don't see it on the sorbs.net website.
>
> I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to
> remove it. Our VOIP provider (we are a reseller) has their VM server on
> the dul list. All VM wave files have been blocked since I started using
> dul last week to thwart a dictionary attack. I hate spammers, really, I
> wish them all constant pain and eternal agony.
>
> DAve
>
>>
>> Put it in your sendmail.mc and then make your sendmail.cf from it.
>> Last step is to restart sendmail using MailScanner's script.
>>
>> I guess you can use other RBLs but I don't know which ones to recommend.
>>
>> Denis
>>
>
>

From max at assuredata.com Wed Nov 1 19:09:09 2006
From: max at assuredata.com (Max Kipness)
Date: Wed Nov 1 19:09:22 2006
Subject: Stocks and P-R-O-F-I-T
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B044D67@addc01.assuredata.local>

Hello,

I had recently tried what I thought was a good technique, and created a script that fed all email from every MailScanner white listed email address into sa-learn as ham nightly, without doing a check on the emails. This was obviously a bad choice as jokes and other spam like emails must have processed for months.

Anyway, I scrapped the bayes database and started from scratch using the a sample bayes db from FSL (I think it's called). From there I've been feeding quite a bit of spam into sa-learn for about a week or two. I'd say I've fed about 400 spam mails thus far. However, as of today I'm still getting the p-r-o-f-i-t and stock spams with bayes scores of anywhere from 10% to 50%.

My question is how long or how many emails should it take bayes to figure out these spam emails? Is there a way of viewing the progress?
With the other scores from DCC, Pyzor, Razor, the score is close to being tagged as spam, but sometimes it's not quite there because of the bayes score.

Thanks,
Max

From rcooper at dwford.com Wed Nov 1 19:10:55 2006
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Nov 1 19:11:09 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548E7FD.9010205@pixelhammer.com>
Message-ID: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
> Sent: Wednesday, November 01, 2006 1:31 PM
> To: MailScanner discussion
> Subject: Re: rejecting botnets with sendmail
>

[...]

> >>> This saved us:
> >>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> >>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
> >>
> >> What list is this? I don't see it on the sorbs.net website.
> >
> > Dave,
> >
> > It's an aggregate of:
> >
> > http.dnsbl.sorbs.net
> > socks.dnsbl.sorbs.net
> > misc.dnsbl.sorbs.net
> > smtp.dnsbl.sorbs.net
> > new.spam.dnsbl.sorbs.net
> > web.dnsbl.sorbs.net
> > block.dnsbl.sorbs.net
> > zombie.dnsbl.sorbs.net
> > dul.dnsbl.sorbs.net
> >
> >

[...]

>
> Ouch, I wouldn't call anything using dul safe ;^) I guess
> I'll just hold
> on and keep my pager batteries fresh.
>
> DAve
>
>

I use exim and it allows you to reject based on specific returns (such as 127.0.0.10) or anything but a specific return for rbls that return more than one possible address. I figured this is such a good idea perhaps sendmail had something similar so I hit google and found enhdnsbl, did a quick google on FEATURE(enhdnsbl, and found you could use something like

FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
$&{client_addr} " found in safe.dnsbl.sorbs.net"',
,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
`127.0.0.7.', `127.0.0.8.', `127.0.0.9.')

Which would reject on all the lists except dul.
Or you could have multiple FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there are more too). Of course the single call and choose your reject addresses, would be more economical I would think.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From drew at technologytiger.net Wed Nov 1 19:39:06 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Nov 1 19:39:15 2006
Subject: Duplicate messages, first the full, then a blank
In-Reply-To: <4548EE20.20107@fractalweb.com>
References: <4547FB8A.7020503@fractalweb.com> <938A53F2-3B4C-4B24-AF64-CF9ED3326387@technologytiger.net> <4548EE20.20107@fractalweb.com>
Message-ID: <275735A6-D021-4AC7-91C9-D4E6623F5466@technologytiger.net>

On 1 Nov 2006, at 18:57, Chris Yuzik wrote:

> Drew Marshall wrote:
>> You could try in the list archives :-)
>>
>> Then, try looking at the file locking in Sendmail and if you are
>> running 8.13.x (From memory) you need to make sure you are not
>> using flock in MailScanner.conf The exact details have been posted
>> a good few times already.
>>
> Drew,
>
> Hit the nail on the head. I think that did it. It somehow got
> blanked out with the last update.
>
> Thanks for your help.

No worries. Always a pleasure :-)

Drew

From mkettler at evi-inc.com Wed Nov 1 19:39:20 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 1 19:39:43 2006
Subject: Spam Detection Around 55%
In-Reply-To: <45479D4C.8090107@ecs.soton.ac.uk>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk>
Message-ID: <4548F7E8.7090107@evi-inc.com>

Julian Field wrote:
> But if you read the instructions printed at the end of the install, it
> tells you to uncomment the DCC statement in init.pre. It doesn't do it
> automatically as this would break the licence.
You mean we're supposed to read the 6 miles of text spit out by your installer? :)

That said, what if they don't have DCC at all on their system? Make em load the plugin anyway?

Any chance you might consider adding an ifplugin statement to frame the dcc_path command?

ifplugin Mail::SpamAssassin::Plugin::DCC
dcc_path
endif

That might cause DCC to break for someone making a new setup using SA 3.0.x and the latest MailScanner, but who's going to get the latest MailScanner while using an old version of SA?

>>> Which is of course, what triggered my reply in the first place. The dcc_path
>>> statement was causing parse errors. That's bad. It breaks RDJ.
>>>
> And, as the RDJ setup instructions from www.fsl.com/support tell you to
> do, you should run the RDJ once by hand to get the initial rulesets and
> check everything's okay.

Really? where? Inside the installer tarball?

And what about the folks that don't go to the fsl.com website?

I'm not a FSL user. I'm a MailScanner user. I don't go to fsl.com/support. I go to mailscanner.info/support.html

Perhaps you might consider adding a link to fsl.com/support to that page? Right now it mentions FSL, but only as a commercial support option. It might be worth pointing to all the free good FAQs fsl has created from the MailScanner website.

> If you didn't follow the earlier instructions,
> this will highlight the dcc_path error for you, allowing you to either
> comment out the dcc_path line or re-read the earlier instruction
> printing by my install script.
>
> Maybe we should have a wiki page that lists all the things that you and
> I disagree on :-)
> Just I've never had a complaint sent to me by a user who's really had
> problems figuring out my instructions and has been badly bitten by all
> these things.

Ok... I'd agree none have mentioned being badly bitten. However, some HAVE been bitten. After all, that's how this conversation started. Someone got bit by the dcc_path bit.
I just put my feet in the shoes of a particular kind of
> user, one that barely knows what they are doing, who runs a little box
> for him/herself and a few customers/friends and who loves to have
> instructions telling them what to do.

I'd agree. It's just my perspective while in these shoes is a bit different.

When I put my feet in those shoes, I think "what can I do to make this work for the broadest variety of scenarios?" ie: "works no matter what".

You appear to think "What can I do to make this work best for the most common scenario?" ie: maximal performance and ease for the typical small-box user.

Neither of these views is outright incorrect, it's just a different approach to what's important when dealing with the "less knowledgeable"

>
> Jules
>

From brian.duncan at kattenlaw.com Wed Nov 1 19:40:56 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Wed Nov 1 19:41:16 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B26@CHI-US-EXCH-01.us.kmz.com>

I never was aware of people having some issues back in August with flock and posix with sendmail 8.13.x and MailScanner.

I have looked through the archives regarding this issue, after seeing mention of it in a recent posting. I have found people telling others to change it to Posix for fixing problem X. I have found at least 1 post where a person says we have no issues, but is told turn it to Posix or you will.

We run Linux, we use Sendmail 8.13.x on 3 servers and MailScanner + SpamAssassin etc.. We do NOT have anything specified in the Mailscanner.conf file regarding lock type.

Based on the comments in the Mailscanner.conf it says it will default to using POSIX on Sendmail. (but says to change it to Posix if running 8.13.x) Does that mean it ONLY auto detects and works properly with Sendmail 8.12.x and below? Because mine is defaulting to supposedly using flock.
When I look in the maillog logs, it says it is using flock.

When I run the command: sendmail -d0.1 -d0.4 -bt
References: <11375BD8FE838A409E10DB32B9BFFE9B044D67@addc01.assuredata.local>
Message-ID: <4548F8AC.50504@evi-inc.com>

Max Kipness wrote:
> Hello,
>
> I had recently tried what I thought was a good technique, and created a
> script that fed all email from every MailScanner white listed email
> address into sa-learn as ham nightly, without doing a check on the
> emails. This was obviously a bad choice as jokes and other spam like
> emails must have processed for months.
>
> Anyway, I scrapped the bayes database and started from scratch using the
> a sample bayes db from FSL (I think it's called). From there I've been
> feeding quite a bit of spam into sa-learn for about a week or two. I'd
> say I've fed about 400 spam mails thus far. However, as of today I'm
> still getting the p-r-o-f-i-t and stock spams with bayes scores of
> anywhere from 10% to 50%.

My question is what kind of stock spams are they? Are they image based, or text based?

If it's image, bayes won't help you much, as bayes doesn't understand images.

> My question is how long or how many emails should it take bayes to
> figure out these spam emails? Is there a way of viewing the progress?
> With the other scores from DCC, Pyzor, Razor, the score is close to
> being tagged as spam, but sometimes it's not quite there because of the
> bayes score.

for image spams, try adding the SARE stocks ruleset.

From sandrews at andrewscompanies.com Wed Nov 1 19:56:03 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Wed Nov 1 19:56:11 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com>

I'm currently using mailscanner to scan all inbound mail and that works great.
Is there a way to use mailscanner to also be the outbound mail server and add a disclaimer/signature block to all outbound messages like it does for inbound scanned messages?

Thanks,

Steve

From Denis.Beauchemin at USherbrooke.ca Wed Nov 1 20:07:02 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 1 20:10:56 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT>
References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT>
Message-ID: <4548FE66.7010702@USherbrooke.ca>

Rick Cooper wrote:
>
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
>> Sent: Wednesday, November 01, 2006 1:31 PM
>> To: MailScanner discussion
>> Subject: Re: rejecting botnets with sendmail
>>
>>
> [...]
>
>>>>> This saved us:
>>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>>>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>>>>>
>>>> What list is this? I don't see it on the sorbs.net website.
>>>>
>>> Dave,
>>>
>>> It's an aggregate of:
>>>
>>> http.dnsbl.sorbs.net
>>> socks.dnsbl.sorbs.net
>>> misc.dnsbl.sorbs.net
>>> smtp.dnsbl.sorbs.net
>>> new.spam.dnsbl.sorbs.net
>>> web.dnsbl.sorbs.net
>>> block.dnsbl.sorbs.net
>>> zombie.dnsbl.sorbs.net
>>> dul.dnsbl.sorbs.net
>>>
>>>
>>>
>
> [...]
>
>
>> Ouch, I wouldn't call anything using dul safe ;^) I guess
>> I'll just hold
>> on and keep my pager batteries fresh.
>>
>> DAve
>>
>>
>>
>
> I use exim and it allows you to reject based on specific returns (such as
> 127.0.0.10) or anything but a specific return for rbls that return more than
> one possible address.
I figured this is such a good idea perhaps sendmail
> had something similar so I hit google and found enhdnsbl, did a quick google
> on FEATURE(enhdnsbl, and found you could use something like
>
> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
>
> Which would reject on all the lists except dul. Or you could have multiple
> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there
> are more too). Of course the single call and choose your reject addresses,
> would be more economical I would think.
>
> Rick
>

Rick,

This is really interesting! My stats for yesterday are:
127.0.0.2 : 929
127.0.0.3 : 608
127.0.0.4 : 46
127.0.0.5 : 5
127.0.0.6 : 539
127.0.0.7 : 12587
127.0.0.9 : 2
127.0.0.10 : 97940

So if I omit dul.dnsbl.sorbs.net I will not block much...

Any ideas on how I could whitelist some IP addresses or domain names if needed?

Thanks!

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061101/c29bd8b6/smime.bin

From alex at nkpanama.com Wed Nov 1 20:31:57 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Nov 1 20:32:42 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com>
Message-ID: <4549043D.2030006@nkpanama.com>

You need to understand the architecture behind MailScanner. It's not a mail server. It sits between servers and does what you tell it to do.
That being said, if your mail server is not the same computer where MailScanner is running, you need to tell your mail server to use the computer running MailScanner to be its "smart host"; this means that local e-mail won't be scanned but outbound e-mail will.

In order to add a disclaimer you'd have to set up "Sign Clean Messages" to a ruleset saying:

FromOrTo: default no
To: *@yourdomain.com no
From: *@yourdomain.com and To: *@yourdomain.com no
From: *@yourdomain.com yes

... for example.

sandrews@andrewscompanies.com wrote:
> I'm currently using mailscanner to scan all inbound mail and that works
> great.
>
> Is there a way to use mailscanner to also be the outbound mail server
> and add a disclaimer/signature block to all outbound messages like it
> does for inbound scanned messages?
>
> Thanks,
>
> Steve

From evan at espphotography.com Wed Nov 1 20:39:57 2006
From: evan at espphotography.com (Evan Platt)
Date: Wed Nov 1 20:39:40 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com>
Message-ID: <200611012022.MAA22346@partners7.yack.com>

At 11:56 AM 11/1/2006, you wrote:
>I'm currently using mailscanner to scan all inbound mail and that works
>great.
>
>Is there a way to use mailscanner to also be the outbound mail server
>and add a disclaimer/signature block to all outbound messages like it
>does for inbound scanned messages?

I've gotta ask..

Why?

I know of no anti-virus program that looks for "This message was scanned and found to be clean" and then ignores scanning the message.

What's the point?

I've seen spam with a EXE virus attached ("Microsoft Security Patch! INSTALL NOW!") with a "This message was found to be virus clean."

From ssilva at sgvwater.com Wed Nov 1 20:43:51 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Nov 1 20:44:21 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548E7FD.9010205@pixelhammer.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> <4548E597.7060009@USherbrooke.ca> <4548E7FD.9010205@pixelhammer.com>
Message-ID:

DAve spake the following on 11/1/2006 10:31 AM:
> Denis Beauchemin wrote:
>> DAve wrote:
>>> Denis Beauchemin wrote:
>>>> Andoni Auzmendi wrote:
>>>>> Experiencing the recent increase in spam from botnets, is there a
>>>>> way to
>>>>> reject (or discard) connections coming from servers containing
>>>>> their ip
>>>>> address within the hostname? I can see lots of connections from
>>>>> broadband or dialup addresses. Some of them even bypass greylist as
>>>>> they resend the messages several times. We use Sendmail here and I
>>>>> guess
>>>>> there must be a milter which is capable of doing that.
>>>>>
>>>>> Andoni Auzmendi
>>>>>
>>>> Andoni,
>>>>
>>>> This saved us:
>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>>>
>>> What list is this? I don't see it on the sorbs.net website.
>>
>> Dave,
>>
>> It's an aggregate of:
>>
>> http.dnsbl.sorbs.net
>> socks.dnsbl.sorbs.net
>> misc.dnsbl.sorbs.net
>> smtp.dnsbl.sorbs.net
>> new.spam.dnsbl.sorbs.net
>> web.dnsbl.sorbs.net
>> block.dnsbl.sorbs.net
>> zombie.dnsbl.sorbs.net
>> dul.dnsbl.sorbs.net
>>
>>
>> I really needed to block them at the MTA level because our hw wasn't
>> able to cope with the big increase of spam we saw in the last weeks.
>> Even though I had 3 equal priority MX servers, one was receiving twice
>> as much as the other 2 combined.
>>
>> Denis
>>
>
> Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just hold
> on and keep my pager batteries fresh.
>
> DAve
>
>

Here are the other aggregate lists they have. A few don't include the dul list.

SORBS also provides other aggregate zones as follows:

Zone Name                  Zones Included
=========                  ==============
dnsbl.sorbs.net            http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
                           smtp.dnsbl.sorbs.net
                           new.spam.dnsbl.sorbs.net
                           recent.spam.dnsbl.sorbs.net
                           escalations.dnsbl.sorbs.net
                           web.dnsbl.sorbs.net
                           dul.dnsbl.sorbs.net
                           block.dnsbl.sorbs.net
                           zombie.dnsbl.sorbs.net

safe.dnsbl.sorbs.net       http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
                           smtp.dnsbl.sorbs.net
                           new.spam.dnsbl.sorbs.net
                           web.dnsbl.sorbs.net
                           block.dnsbl.sorbs.net
                           zombie.dnsbl.sorbs.net
                           dul.dnsbl.sorbs.net

problems.dnsbl.sorbs.net   http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
                           smtp.dnsbl.sorbs.net
                           new.spam.dnsbl.sorbs.net
                           recent.spam.dnsbl.sorbs.net
                           old.spam.dnsbl.sorbs.net
                           escalations.dnsbl.sorbs.net
                           web.dnsbl.sorbs.net
                           block.dnsbl.sorbs.net
                           zombie.dnsbl.sorbs.net

relays.dnsbl.sorbs.net     http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
                           smtp.dnsbl.sorbs.net

proxies.dnsbl.sorbs.net    http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Nov 1 20:50:45 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Nov 1 20:51:31 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548FE66.7010702@USherbrooke.ca>
References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> <4548FE66.7010702@USherbrooke.ca>
Message-ID:

Denis Beauchemin spake the following on 11/1/2006 12:07 PM:
> Rick Cooper wrote:
>>
>>
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
>>> Sent: Wednesday, November 01, 2006 1:31 PM
>>> To: MailScanner discussion
>>> Subject: Re: rejecting botnets with sendmail
>>>
>>>
>> [...]
>>
>>>>>> This saved us:
>>>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>>>>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>>>>>>
>>>>> What list is this? I don't see it on the sorbs.net website.
>>>>>
>>>> Dave,
>>>>
>>>> It's an aggregate of:
>>>>
>>>> http.dnsbl.sorbs.net
>>>> socks.dnsbl.sorbs.net
>>>> misc.dnsbl.sorbs.net
>>>> smtp.dnsbl.sorbs.net
>>>> new.spam.dnsbl.sorbs.net
>>>> web.dnsbl.sorbs.net
>>>> block.dnsbl.sorbs.net
>>>> zombie.dnsbl.sorbs.net
>>>> dul.dnsbl.sorbs.net
>>>>
>>>>
>>>>
>>
>> [...]
>>
>>
>>> Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just
>>> hold on and keep my pager batteries fresh.
>>>
>>> DAve
>>>
>>>
>>>
>>
>> I use exim and it allows you to reject based on specific returns (such as
>> 127.0.0.10) or anything but a specific return for rbls that return
>> more than
>> one possible address. I figured this is such a good idea perhaps sendmail
>> had something similar so I hit google and found enhdnsbl, did a quick
>> google
>> on FEATURE(enhdnsbl, and found you could use something like
>>
>> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>> $&{client_addr} " found in safe.dnsbl.sorbs.net"',
>> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
>> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
>>
>> Which would reject on all the lists except dul. Or you could have
>> multiple
>> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use
>> (there
>> are more too). Of course the single call and choose your reject
>> addresses,
>> would be more economical I would think.
>>
>> Rick
>>
> Rick,
>
> This is really interesting! My stats for yesterday are:
> 127.0.0.2 : 929
> 127.0.0.3 : 608
> 127.0.0.4 : 46
> 127.0.0.5 : 5
> 127.0.0.6 : 539
> 127.0.0.7 : 12587
> 127.0.0.9 : 2
> 127.0.0.10 : 97940
>
> So if I omit dul.dnsbl.sorbs.net I will not block much...
>
> Any ideas on how I could whitelist some IP addresses or domain names if
> needed?
>
> Thanks!
>
> Denis
>

You can add whitelisted entries in the access file if you use feature_delay_checks in sendmail.

http://www.technoids.org/ Has a lot of good sendmail stuff.

Are you using the new stuff in sendmail like greetpause, conncontrol, and ratecontrol?
http://www.technoids.org/dossed.html

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From alex at nkpanama.com Wed Nov 1 21:24:49 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Nov 1 21:26:30 2006
Subject: MS Config Question - outbound
In-Reply-To: <200611012022.MAA22346@partners7.yack.com>
References: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com> <200611012022.MAA22346@partners7.yack.com>
Message-ID: <454910A1.6000805@nkpanama.com>

You must remember there still are (and will be for a long time) bosses like Dilbert's (or the boss in "The Office", UK or US, take your pick) that *require* these useless bits of fluff.

Evan Platt wrote:
> At 11:56 AM 11/1/2006, you wrote:
>> I'm currently using mailscanner to scan all inbound mail and that works
>> great.
>>
>> Is there a way to use mailscanner to also be the outbound mail server
>> and add a disclaimer/signature block to all outbound messages like it
>> does for inbound scanned messages?
>
>
> I've gotta ask..
>
> Why?
>
> I know of no anti-virus program that looks for "This message was scanned
> and found to be clean" and then ignores scanning the message.
>
> What's the point?
>
> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
> INSTALL NOW!") with a "This message was found to be virus clean."
>
>
>

From ssilva at sgvwater.com Wed Nov 1 22:25:53 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Nov 1 22:26:54 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B26@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B26@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/1/2006 11:40 AM:
> I never was aware of people having some issues back in August with flock
> and posix with sendmail 8.13.x and MailScanner.
>
> I have looked through the archives regarding this issue, after seeing
> mention of it in a recent posting. I have found people telling others
> to change it to Posix for fixing problem X. I have found at least 1 post
> where a person says we have no issues, but is told turn it to Posix or
> you will.
>
> We run Linux, we use Sendmail 8.13.x on 3 servers and MailScanner +
> SpamAssassin etc.. We do NOT have anything specified in the
> Mailscanner.conf file regarding lock type.
>
> Based on the comments in the Mailscanner.conf it says it will default to
> using POSIX on Sendmail. (but says to change it to Posix if running
> 8.13.x Does that mean it ONLY auto detects and works properly with
> Sendmail 8.12.x and below? Because mine is defaulting to supposedly
> using flock.
>
> When I look in the maillog logs, it says it is using flock.
>
> When I run the command: sendmail -d0.1 -d0.4 -bt
> I DO NOT see flock in the compiled with field on ANY of my servers.
>
> I have not had any issues that I am aware of with any of my servers. We
> have been using 8.13.x for awhile now, I would guess that
> my primary server has probably passed close to 200 million messages with
> flock on. The other 2 servers 5-10% percent of that.
>
> So I am hesitant to switch my settings to POSIX.
>
> Are there any risks to Switching to Posix if I am not having any issues
> with FLOCK?
>
> Thanks for any info.

Posix is a "safer" method of locking, so you shouldn't have problems
switching. There are risks of NOT switching to posix.
There have been symptoms as benign as mail delivered more than once, to
unmatched qf/df files being left behind. You have been lucky that you have not
had any problem with flock, and you should not depend on MailScanner detecting
the proper setting. In the current versions of MailScanner.conf you have the
following comment;

# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "posix".
# For sendmail 8.12 and older, you will probably need to change it to flock,
# particularly on Linux systems.
# For Exim, it defaults to "posix".
# No other type is implemented.
Lock Type =

It does not mention any type of auto detection, I believe because Julian had
too many problems with its function.
Change it to posix with sendmail 8.13.
MailScanner --lint will tell you what is currently running.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From res at ausics.net Wed Nov 1 22:29:10 2006
From: res at ausics.net (Res)
Date: Wed Nov 1 22:29:22 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>
Message-ID:

On Wed, 1 Nov 2006, Andoni Auzmendi wrote:

> dnsbl.njabl.org.

I'd change this to combined.njabl.org ...far greater protection.
--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From MailScanner at ecs.soton.ac.uk Wed Nov 1 22:27:42 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Nov 1 22:30:18 2006
Subject: Spam Detection Around 55%
In-Reply-To: <4548F7E8.7090107@evi-inc.com>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> <4548F7E8.7090107@evi-inc.com>
Message-ID: <45491F5E.2030200@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Kettler wrote:
> Julian Field wrote:
>
>> But if you read the instructions printed at the end of the install, it
>> tells you to uncomment the DCC statement in init.pre. It doesn't do it
>> automatically as this would break the licence.
>>
>
> You mean we're supposed to read the 6 miles of text spit out by your installer? :)
>
No, just the last bit. Mind you, the whole point of all my "sleep"
statements in the installer is to give you a chance to read at least the
end of what it just printed. Rather better than most autoconf installers
which just spew out unintelligible text faster than you can see. At that
rate, why bother printing it at all?
> That said, what if they don't have DCC at all on their system? Make em load the
> plugin anyway?
>
The end of the installer tells them where to get DCC, as they indeed
won't have DCC on their system at that point. At that point, if they
bother to read the licence and realise they can't use it without paying,
I assume they have the brainpower to realise they don't want to enable
support for it if they can't use it.
> Any chance you might consider adding an ifplugin statement to frame the dcc_path
> command?
>
> ifplugin Mail::SpamAssassin::Plugin::DCC
> dcc_path
> endif
>
As above, they won't have DCC installed yet.
That's what reading the instructions tells them to do: go and install it.
> That might cause DCC to break for someone making a new setup using SA 3.0.x and
> the latest MailScanner, but who's going to get the latest MailScanner while
> using an old version of SA?
>
But it's an installer for the latest version of SA. If they are running
it at all, they won't have SA 3.0.x. So I don't need to handle SA 3.0.x.
If they managed to run the whole installer and end up with 3.0.x
installed, I would dearly like to know how, seeing as it installs 3.1.x !!
>
>>>> Which is of course, what triggered my reply in the first place. The dcc_path
>>>> statement was causing parse errors. That's bad. It breaks RDJ.
>>>>
>> And, as the RDJ setup instructions from www.fsl.com/support tell you to
>> do, you should run the RDJ once by hand to get the initial rulesets and
>> check everything's okay.
>>
>
> Really? where? Inside the installer tarball?
>
Ok, you got me there, I don't tell them to go and fetch RDJ from
fsl.com. But other bits of the wiki etc do. I must add an instruction to
the Clam+SA installer to fetch RDJ from fsl.com.
> And what about the folks that don't go to the fsl.com website?
>
They will when I tell them to...
> I'm not a FSL user. I'm a MailScanner user. I don't go to fsl.com/support. I go
> to mailscanner.info/support.html
>
> Perhaps you might consider adding a link to fsl.com/support to that page? Right
> now it mentions FSL, but only as a commercial support option. It might be worth
> pointing to all the free good FAQs fsl has created from the MailScanner website.
>
Agreed. I have just added a line to the ClamAV+SA installer to go and
install RDJ from fsl.com. I should add a link on support.html to point
them to fsl.com/support as well.
>
>
>> If you didn't follow the earlier instructions,
>> this will highlight the dcc_path error for you, allowing you to either
>> comment out the dcc_path line or re-read the earlier instruction
>> printing by my install script.
>>
>> Maybe we should have a wiki page that lists all the things that you and
>> I disagree on :-)
>> Just I've never had a complaint sent to me by a user who's really had
>> problems figuring out my instructions and has been badly bitten by all
>> these things.
>>
>
> Ok... I'd agree none have mentioned being badly bitten. However, some HAVE been
> bitten. After all, that's how this conversation started. Someone got bit by the
> dcc_path bit.
>
> I just put my feet in the shoes of a particular kind of
>
>> user, one that barely knows what they are doing, who runs a little box
>> for him/herself and a few customers/friends and who loves to have
>> instructions telling them what to do.
>>
>
> I'd agree. It's just my perspective while in these shoes is a bit different.
> When I put my feet in those shoes, I think "what can I do to make this work for
> the broadest variety of scenarios?" ie: "works no matter what". You appear to
> think "What can I do to make this work best for the most common scenario?" ie:
> maximal performance and ease for the typical small-box user.
>
> Neither of these views is outright incorrect, it's just a different approach to
> what's important when dealing with the "less knowledgeable"
>
Agreed.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFSR/uEfZZRxQVtlQRAvX+AJwMiSxoJOkyqEwYbhYwAHY93QXR6wCgytCR
0EgnFhejXvApaAHXfuUBq/Q=
=l0wQ
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From res at ausics.net Wed Nov 1 22:30:27 2006
From: res at ausics.net (Res)
Date: Wed Nov 1 22:30:36 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548E597.7060009@USherbrooke.ca>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> <4548E597.7060009@USherbrooke.ca>
Message-ID:

On Wed, 1 Nov 2006, Denis Beauchemin wrote:

> DAve wrote:
>> Denis Beauchemin wrote:
>>> Andoni Auzmendi wrote:
>>>> Experiencing the recent increase in spam from botnets, is there a way to
>>>> reject (or discard) connections coming from servers containing their ip
>>>> address within the hostname? I can see lots of connections from
>>>> broadband or dialup addresses. Some of them even bypass greylist as
>>>> they resend the messages several times. We use Sendmail here and I guess
>>>> there must be a milter which is capable of doing that.
>>>>
>>>> Andoni Auzmendi
>>>>
>>> Andoni,
>>>
>>> This saved us:
>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} "
>>> found in safe.dnsbl.sorbs.net"')dnl
>>
>> What list is this? I don't see it on the sorbs.net website.
>
> Dave,
>
> It's an aggregate of:

it's equivalent to just using "dnsbl.sorbs.net"

>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Nov 1 22:33:30 2006
From: res at ausics.net (Res)
Date: Wed Nov 1 22:33:37 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548E7FD.9010205@pixelhammer.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> <4548E597.7060009@USherbrooke.ca> <4548E7FD.9010205@pixelhammer.com>
Message-ID:

On Wed, 1 Nov 2006, DAve wrote:

> Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just hold on
> and keep my pager batteries fresh.

I would, reduced spam by a further %30 here.

If you are a business on a static IP, most ISP's will ask the RBL to remove
affected IP, and I've never known any of them to be unjustly denied.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Nov 1 22:39:18 2006
From: res at ausics.net (Res)
Date: Wed Nov 1 22:39:31 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT>
References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT>
Message-ID:

On Wed, 1 Nov 2006, Rick Cooper wrote:

>
> I use exim and it allows you to reject based on specific returns (such as
> 127.0.0.10) or anything but a specific return for rbls that return more than
> one possible address.
> I figured this is such a good idea perhaps sendmail
> had something similar so I hit google and found enhdnsbl, did a quick google
> on FEATURE(enhdnsbl, and found you could use something like
>
> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
>
> Which would reject on all the lists except dul. Or you could have multiple
> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there
> are more too). Of course the single call and choose your reject addresses,
> would be more economical I would think.

Sendmail works the identical way, it's an "enhanced dnsbl" feature

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From pete at enitech.com.au Wed Nov 1 22:49:22 2006
From: pete at enitech.com.au (Peter Russell)
Date: Wed Nov 1 22:50:12 2006
Subject: # of messages per batch
In-Reply-To:
References:
Message-ID: <45492472.6010801@enitech.com.au>

Sven De Troch wrote:
> Hello,
>
> how can I define how much files per batch MailScanner is handling?
> According to the logfiles MailScanner is processing almost always 1
> message per batch, even if there are different messages waiting in the
> queues?
>
> I have the impression that it takes longtime to process queues of 100
> messages (about 1 minute, av scanning with clamav and bitdefender
> included).
>
> In my MailScanner.conf:
> Max Children = 10
>
> MTA: sendmail
> Server: MS Virtual Machine 2GB Ram, 1cpu 2GHz
> Network: 100mbps to the internet (not congested)
>
> Thanks for some mini tuning tips ;-)
>
> kind regards,
> Sven
>
Is this in the wiki? It might be. It's certainly documented in the first
3rd of your MailScanner.conf file.
Read that file, from start to finish, it's choc a block with information on
MailScanner settings.

From mkettler at evi-inc.com Wed Nov 1 23:15:22 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 1 23:15:41 2006
Subject: Spam Detection Around 55%
In-Reply-To: <45491F5E.2030200@ecs.soton.ac.uk>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> <4548F7E8.7090107@evi-inc.com> <45491F5E.2030200@ecs.soton.ac.uk>
Message-ID: <45492A8A.3080901@evi-inc.com>

Julian Field wrote:
>
>>> Any chance you might consider adding an ifplugin statement to frame the dcc_path
>>> command?
>>>
>>> ifplugin Mail::SpamAssassin::Plugin::DCC
>>> dcc_path
>>> endif
>>>
> As above, they won't have DCC installed yet. That's what reading the
> instructions tells them to do: go and install it.

Yes, which is *EXACTLY* why you want the ifplugin.

>>> That might cause DCC to break for someone making a new setup using SA 3.0.x and
>>> the latest MailScanner, but who's going to get the latest MailScanner while
>>> using an old version of SA?
>>>
> But it's an installer for the latest version of SA. If they are running
> it at all, they won't have SA 3.0.x. So I don't need to handle SA 3.0.x.
> If they managed to run the whole installer and end up with 3.0.x
> installed, I would dearly like to know how, seeing as it installs 3.1.x !!

What???

Look. Julian. We're clearly on a different page here.

I'm talking about MailScanner here. So I'm talking about the MailScanner
install process. I am not talking about your optional clamav/sa bundle pack.

ie:
http://www.mailscanner.info/files/4/rpm/MailScanner-4.56.8-1.rpm.tar.gz

That does NOT install spamassassin as far as I know.

So does the MailScanner install process even tell users to modify their v310.pre?
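
Added example, not part of any post in this thread and not MailScanner or SpamAssassin code: a small Python model of the ifplugin guard argued over above, showing that an unguarded dcc_path is still parsed (and flagged) when the DCC plugin is not loaded, while a guarded one is skipped. The sample files, the /path/to/dccproc placeholder and the short PLUGIN_SETTINGS table are constructed for illustration, and generic "if (...)" conditions are assumed true.

```python
import re

# Settings that SpamAssassin 3.1+ registers from a plugin, not from the core.
# Only a few are listed; extend the table for the plugins you actually use.
PLUGIN_SETTINGS = {
    "dcc_path": "Mail::SpamAssassin::Plugin::DCC",
    "dcc_home": "Mail::SpamAssassin::Plugin::DCC",
    "pyzor_path": "Mail::SpamAssassin::Plugin::Pyzor",
    "razor_config": "Mail::SpamAssassin::Plugin::Razor2",
}

LOADPLUGIN = re.compile(r"^\s*loadplugin\s+(\S+)")


def loaded_plugins(pre_text):
    """Return the plugins enabled by uncommented loadplugin lines."""
    matches = map(LOADPLUGIN.match, pre_text.splitlines())
    return {m.group(1) for m in matches if m}


def unguarded_settings(cf_text, plugins):
    """Return (line_no, setting, plugin) for every plugin-owned setting that
    would be parsed while the plugin that defines it is not loaded."""
    problems = []
    active = [True]  # active[-1]: is the innermost conditional block evaluated?
    for line_no, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "ifplugin":
            # The block is only read when the named plugin is loaded.
            active.append(active[-1] and arg in plugins)
        elif key == "if":
            # Assumption: generic "if (...)" conditions are treated as true.
            active.append(active[-1])
        elif key == "endif":
            if len(active) > 1:
                active.pop()
        elif active[-1]:
            owner = PLUGIN_SETTINGS.get(key)
            if owner and owner not in plugins:
                problems.append((line_no, key, owner))
    return problems


# Constructed .pre content: DCC left commented out, as on a host where DCC
# has not been installed and enabled yet.
SAMPLE_PRE = """\
# loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
"""

# Constructed configs; /path/to/dccproc is a placeholder, not a real path.
UNGUARDED_CF = """\
use_bayes 1
dcc_path /path/to/dccproc
"""

GUARDED_CF = """\
use_bayes 1
ifplugin Mail::SpamAssassin::Plugin::DCC
dcc_path /path/to/dccproc
endif
"""

if __name__ == "__main__":
    plugins = loaded_plugins(SAMPLE_PRE)
    for name, cf in (("unguarded", UNGUARDED_CF), ("guarded", GUARDED_CF)):
        print(name, unguarded_settings(cf, plugins))
```
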

From brian.duncan at kattenlaw.com Wed Nov 1 23:33:29 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Wed Nov 1 23:33:42 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B2B@CHI-US-EXCH-01.us.kmz.com>

> Posix is a "safer" method of locking, so you shouldn't have
> problems switching. There are risks of NOT switching to
> posix. There have been symptoms as benign as mail delivered
> more than once, to unmatched qf/df files being left behind.
> You have been lucky that you have not had any problem with
> flock, and you should not depend on MailScanner detecting the
> proper setting. In the current versions of MailScanner.conf
> you have the following comment;

OK Thanks, I am not familiar with different types of locking files under
Unix/Linux.

>
> # How to lock spool files.
> # Don't set this unless you *know* you need to.
> # For sendmail, it defaults to "posix".
> # For sendmail 8.12 and older, you will probably need to change it to flock,
> # particularly on Linux systems.
> # For Exim, it defaults to "posix".
> # No other type is implemented.
> Lock Type =
>
> It does not mention any type of auto detection, I believe
> because Julian had too many problems with its function.
> Change it to posix with sendmail 8.13.
> MailScanner --lint will tell you what is currently running.

I figured it was "auto detect" based on the For sendmail, it defaults to
posix comment above. (Mine are using Sendmail, and it's blank it is
defaulting to flock)

I will be setting them all to Posix then specifically.

Thanks

>
> --
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
===========================================================
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before
the Internal Revenue Service, any tax advice contained herein is not intended
or written to be used and cannot be used by a taxpayer for the purpose of
avoiding tax penalties that may be imposed on the taxpayer.
===========================================================
CONFIDENTIALITY NOTICE:
This electronic mail message and any attached files contain information
intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information that is proprietary, privileged,
confidential and/or exempt from disclosure under applicable law. If you are
not the intended recipient, you are hereby notified that any viewing, copying,
disclosure or distribution of this information may be subject to legal
restriction or sanction. Please notify the sender, by electronic mail or
telephone, of any unintended recipients and delete the original message
without making any copies.
===========================================================
NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability
partnership that has elected to be governed by the Illinois Uniform
Partnership Act (1997).
===========================================================

From mike at vesol.com Wed Nov 1 23:36:01 2006
From: mike at vesol.com (Mike Kercher)
Date: Wed Nov 1 23:37:07 2006
Subject: out of curiosity: reload and restart
In-Reply-To:
Message-ID:

mailscanner-bounces@lists.mailscanner.info <> scribbled on :

> Hello,
>
> no problem, but something I'd like to know ;)
>
> Are there any reasons to restart MS with
> /etc/init.d/MailScanner restart (and not reload to read the
> configfiles again)?
>
> i.e. if I change my sendmail access file, recompile it for
> sendmail and 'reload' MS, eveything is working fine, ..., so
> I wonder in which case a reload is not sufficient for
> MailScanner and a restart is needed (I'm not talking about
> Linux in general, but for MS specific)?
>

You only reload MS so that MS will read its config files again.

You do not have to reload or restart MS (sendmail) after making changes
to the access, virtusertable or mailertable. If you change your
sendmail.mc/cf, you need to RESTART MS, but only because that will
restart the sendmail processes.

Mike

From ssilva at sgvwater.com Thu Nov 2 00:18:43 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 00:18:54 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B2B@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B2B@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/1/2006 3:33 PM:
>> Posix is a "safer" method of locking, so you shouldn't have
>> problems switching. There are risks of NOT switching to
>> posix. There have been symptoms as benign as mail delivered
>> more than once, to unmatched qf/df files being left behind.
>> You have been lucky that you have not had any problem with
>> flock, and you should not depend on MailScanner detecting the
>> proper setting.
>> In the current versions of MailScanner.conf
>> you have the following comment;
>
> OK Thanks, I am not familiar with different types of locking files under
> Unix/Linux.
>
>> # How to lock spool files.
>> # Don't set this unless you *know* you need to.
>> # For sendmail, it defaults to "posix".
>> # For sendmail 8.12 and older, you will probably need to change it to flock,
>> # particularly on Linux systems.
>> # For Exim, it defaults to "posix".
>> # No other type is implemented.
>> Lock Type =
>>
>> It does not mention any type of auto detection, I believe
>> because Julian had too many problems with its function.
>> Change it to posix with sendmail 8.13.
>> MailScanner --lint will tell you what is currently running.
>
> I figured it was "auto detect" based on the For sendmail, it defaults to
> posix comment above. (Mine are using Sendmail, and it's blank it is
> defaulting to flock)
>
> I will be setting them all to Posix then specifically.
>
> Thanks

That default changed in 4.50.15-1. Are you running something older?
Does MailScanner -V work?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 2 00:26:09 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 00:26:34 2006
Subject: # of messages per batch
In-Reply-To:
References:
Message-ID:

Sven De Troch spake the following on 11/1/2006 2:24 PM:
> Hello,
>
> how can I define how much files per batch MailScanner is handling?
> According to the logfiles MailScanner is processing almost always 1
> message per batch, even if there are different messages waiting in the
> queues?
>
> I have the impression that it takes longtime to process queues of 100
> messages (about 1 minute, av scanning with clamav and bitdefender
> included).
>
> In my MailScanner.conf:
> Max Children = 10
>
> MTA: sendmail
> Server: MS Virtual Machine 2GB Ram, 1cpu 2GHz
> Network: 100mbps to the internet (not congested)
>
> Thanks for some mini tuning tips ;-)
>
> kind regards,
> Sven
>
There is a setting in the conf file for max messages per batch, but
MailScanner will not sit and wait for messages to pile up. If you are running
10 children, and mailscanner is set to check the queue every 30 seconds, then
you would have to get something like 600 messages per minute to fill the
default batch size of 30. If you are getting 10 to 20 messages a minute, you
will never even break a sweat with 10 children. That would be around 1-4
messages per batch. You could lower your max children and see if the system
keeps up. The recommendation is for 5 children per REAL cpu ( not
hyperthreaded cpu) and 1 gig per cpu.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From rcooper at dwford.com Thu Nov 2 00:48:53 2006
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Nov 2 00:49:13 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548FE66.7010702@USherbrooke.ca>
Message-ID: <002f01c6fe18$ac133d10$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Denis Beauchemin
> Sent: Wednesday, November 01, 2006 3:07 PM
> To: MailScanner discussion
> Subject: Re: rejecting botnets with sendmail

[...]

> > I use exim and it allows you to reject based on specific returns (such as
> > 127.0.0.10) or anything but a specific return for rbls that return more than
> > one possible address.
> > I figured this is such a good idea perhaps sendmail
> > had something similar so I hit google and found enhdnsbl, did a quick google
> > on FEATURE(enhdnsbl, and found you could use something like
> >
> > FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> > $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> > ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
> > `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
> >

[...]

> This is really interesting! My stats for yesterday are:
> 127.0.0.2 : 929
> 127.0.0.3 : 608
> 127.0.0.4 : 46
> 127.0.0.5 : 5
> 127.0.0.6 : 539
> 127.0.0.7 : 12587
> 127.0.0.9 : 2
> 127.0.0.10 : 97940
>
> So if I omit dul.dnsbl.sorbs.net I will not block much...
>
> Any ideas on how I could whitelist some IP addresses or
> domain names if needed?
>
> Thanks!
>
> Denis

I have not a clue how to do it with sendmail. An exim acl is pretty easy, I
actually have whitelists that exclude some hosts from just about every part
of the smtp process (most are news papers, ad agencies, etc). But I am sure a
sendmail person on this list could certainly help you out.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Thu Nov 2 00:54:42 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 00:54:57 2006
Subject: out of curiosity: reload and restart
In-Reply-To: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com>
References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com>
Message-ID:

Sven De Troch spake the following on 11/1/2006 4:37 PM:
> On Wed, 1 Nov 2006 17:36:01 -0600, "Mike Kercher"
> wrote:
>
>> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>>
>> You do not have to reload or restart MS (sendmail) after making changes
>> to the access, virtusertable or mailertable. If you change your
>> sendmail.mc/cf, you need to RESTART MS, but only because that will
>> restart the sendmail processes.
>
> Mike,
>
> I thought as well that reloading MS is not sufficient to read new
> sendmail configs (i.e. access file), but this seems to be working for
> me and I don't find it logic neither (and because of this I raised my
> question here).
>
> With only reloading MS, my MTA is accepting the new access config (To:
> domain RELAY) or am I dreaming ;-)
>
>
If you are rebuilding the access file (makemap) sendmail will read it. It only
seems to need a restart if you rebuild the cf file.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From brian.duncan at kattenlaw.com Thu Nov 2 00:56:16 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Nov 2 00:56:21 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B2C@CHI-US-EXCH-01.us.kmz.com>

> That default changed in 4.50.15-1. Are you running something older?
> Does MailScanner -V work?
>

Yes here is the output from one of my sendmail-8.13.8-1/MailScanner 4.54.6-1
boxes:

Does anything look off?

Running on
Linux venus 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686 i686 i386 GNU/Linux
This is Fedora Core release 4 (Stentz)
This is Perl version 5.008006 (5.8.6)

This is MailScanner version 4.54.6
Module versions are:
1.00    AnyDBM_File
1.16    Archive::Zip
1.03    Carp
1.119   Convert::BinHex
1.00    DirHandle
1.05    Fcntl
2.73    File::Basename
2.08    File::Copy
2.01    FileHandle
1.06    File::Path
0.14    File::Temp
0.90    Filesys::Df
1.35    HTML::Entities
3.54    HTML::Parser
2.37    HTML::TokeParser
1.21    IO
1.10    IO::File
1.123   IO::Pipe
1.74    Mail::Header
3.05    MIME::Base64
5.420   MIME::Decoder
5.420   MIME::Decoder::UU
5.420   MIME::Head
5.420   MIME::Parser
3.03    MIME::QuotedPrint
5.420   MIME::Tools
0.10    Net::CIDR
1.08    POSIX
1.77    Socket
0.08    Sys::Syslog
1.65    Time::HiRes
1.02    Time::localtime

Optional module versions are:
0.17    Convert::TNEF
1.810   DB_File
1.11    DBD::SQLite
1.50    DBI
1.08    Digest
1.01    Digest::HMAC
2.33    Digest::MD5
2.10    Digest::SHA1
missing Inline
missing Mail::ClamAV
3.001006 Mail::SpamAssassin
1.997   Mail::SPF::Query
0.15    Net::CIDR::Lite
1.24    Net::IP
0.49    Net::DNS
0.33    Net::LDAP
missing Parse::RecDescent
missing SAVI
1.2     Sys::Hostname::Long
2.42    Test::Harness
0.47    Test::Simple
1.95    Text::Balanced
1.35    URI

From rcooper at dwford.com Thu Nov 2 01:04:25 2006
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Nov 2 01:04:37 2006
Subject: rejecting botnets with sendmail
In-Reply-To:
Message-ID: <003301c6fe1a$d73ecde0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
> Sent: Wednesday, November 01, 2006 5:39 PM
> To: MailScanner discussion
> Subject: RE: rejecting botnets with sendmail
>
> On Wed, 1 Nov 2006, Rick Cooper wrote:
>

[...]

> > FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> > $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> > ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
> > `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
> >
> > Which would reject on all the lists except dul. Or you could have multiple
> > FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there
> > are more too). Of course the single call and choose your reject addresses,
> > would be more economical I would think.
>
>
> Sendmail works the identical way, its an "enhanced dnsbl" feature

That which I listed above (hopefully correct syntax) was from sendmail.
In my exim configuration it looks like

deny message = rejected because $sender_host_address is in a black list \
               at $dnslist_domain $dnslist_text
     hosts = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts
     senders = !/somedir/Mail_sender_white_list.conf
     dnslists = ${readfile{/somedir/mail_rbl_lists}{:}}

Which says, basically, if the host is *not* in my local network list, and
it's not a host I relay for and the sender is not in a special whitelist,
then submit to the rbls listed in /somedir/mail_rbl_lists. If the host is
already excluded the call is never made (wasted). The lists can be changed
without having to do anything with exim, if the file changes exim reads it
again, otherwise it's cached.

/somedir/mail_rbl_lists contains entries like (several more than listed):

safe.dnsbl.sorbs.net
combined-HIB.dnsiplists.completewhois.com=127.0.0.2,127.0.0.3

Which says deny any thing returned from safe.dnsbl.sorbs.net, but only deny
127.0.0.2 or 127.0.0.3 from combined-HIB.dnsiplists.completewhois.com

This would basically accomplish what Denis wanted but I have no clue as to
how to do it with SendMail

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From brian.duncan at kattenlaw.com Thu Nov 2 01:10:15 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Nov 2 01:10:22 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x andMailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B2D@CHI-US-EXCH-01.us.kmz.com>

One other question, is it normal when using posix for it to note:

Creating hardcoded struct_flock subroutine for linux (Linux-type)

Every time after it says it's using posix as the locking method?

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Duncan, Brian M.
> Sent: Wednesday, November 01, 2006 6:56 PM > To: MailScanner discussion > Subject: RE: Question regarding FLOCK or POSIX with Sendmail > 8.13.x andMailScanner. > > > > That default changed in 4.50.15-1. Are you running something older? > > Does MailScanner -V work? > > > > > Yes here is the output from one of my sendmail-8.13.8-1/MailScanner > 4.54.6-1 boxes: > > Does anything look off? > > Running on > Linux venus 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 > i686 i686 i386 GNU/Linux > This is Fedora Core release 4 (Stentz) > This is Perl version 5.008006 (5.8.6) > > This is MailScanner version 4.54.6 > Module versions are: > 1.00 AnyDBM_File > 1.16 Archive::Zip > 1.03 Carp > 1.119 Convert::BinHex > 1.00 DirHandle > 1.05 Fcntl > 2.73 File::Basename > 2.08 File::Copy > 2.01 FileHandle > 1.06 File::Path > 0.14 File::Temp > 0.90 Filesys::Df > 1.35 HTML::Entities > 3.54 HTML::Parser > 2.37 HTML::TokeParser > 1.21 IO > 1.10 IO::File > 1.123 IO::Pipe > 1.74 Mail::Header > 3.05 MIME::Base64 > 5.420 MIME::Decoder > 5.420 MIME::Decoder::UU > 5.420 MIME::Head > 5.420 MIME::Parser > 3.03 MIME::QuotedPrint > 5.420 MIME::Tools > 0.10 Net::CIDR > 1.08 POSIX > 1.77 Socket > 0.08 Sys::Syslog > 1.65 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 0.17 Convert::TNEF > 1.810 DB_File > 1.11 DBD::SQLite > 1.50 DBI > 1.08 Digest > 1.01 Digest::HMAC > 2.33 Digest::MD5 > 2.10 Digest::SHA1 > missing Inline > missing Mail::ClamAV > 3.001006 Mail::SpamAssassin > 1.997 Mail::SPF::Query > 0.15 Net::CIDR::Lite > 1.24 Net::IP > 0.49 Net::DNS > 0.33 Net::LDAP > missing Parse::RecDescent > missing SAVI > 1.2 Sys::Hostname::Long > 2.42 Test::Harness > 0.47 Test::Simple > 1.95 Text::Balanced > 1.35 URI > > =========================================================== > CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing > Practice Before the Internal Revenue Service, any tax advice > contained herein is not intended or written to be used and > cannot be 
used by a taxpayer for the purpose of avoiding tax > penalties that may be imposed on the taxpayer. > =========================================================== > CONFIDENTIALITY NOTICE: > This electronic mail message and any attached files contain > information intended for the exclusive use of the individual > or entity to whom it is addressed and may contain information > that is proprietary, privileged, confidential and/or exempt > from disclosure under applicable law. If you are not the > intended recipient, you are hereby notified that any viewing, > copying, disclosure or distribution of this information may > be subject to legal restriction or sanction. Please notify > the sender, by electronic mail or telephone, of any > unintended recipients and delete the original message without > making any copies. > =========================================================== > NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois > limited liability partnership that has elected to be governed > by the Illinois Uniform Partnership Act (1997). > =========================================================== > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From max at assuredata.com Thu Nov 2 01:39:35 2006 From: max at assuredata.com (Max Kipness) Date: Thu Nov 2 01:39:44 2006 Subject: Stocks and P-R-O-F-I-T Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B044D6A@addc01.assuredata.local> > Hello, > > I had recently tried what I thought was a good technique, and created a > script that fed all email from every MailScanner white listed email > address into sa-learn as ham nightly, without doing a check on the > emails. This was obviously a bad choice as jokes and other spam like > emails must have processed for months. 
> > Anyway, I scrapped the bayes database and started from scratch using the > a sample bayes db from FSL (I think it's called). From there I've been > feeding quite a bit of spam into sa-learn for about a week or two. I'd > say I've fed about 400 spam mails thus far. However, as of today I'm > still getting the p-r-o-f-i-t and stock spasm with bayes scores of > anywhere from 10% to 50%. >>My question is what kind of stock spams are they? >>Are they image based, or text based? >>If it's image, bayes won't help you much, as bayes doesn't understand >>images. > My question is how long or how many emails should it take bayes to > figure out these spam emails? Is there a way of viewing the progress? > With the other scores from DCC, Pyzor, Razor, the score is close to > being tagged as spam, but sometimes it's not quite there because of the > bayes score. >>for image spams, try adding the SARE stocks ruleset. Yes, they are partially or sometimes full images. I have the SARE Stock ruleset installed, the problem is that whether or not this ruleset is being triggered, bayes is sometimes giving a negative score. Are you saying bayes cannot be trained to score high on messages that have images? I would think it would examine the fact that it's an image and header information, but maybe I'm wrong. 
Thanks, Max From rich at mail.wvnet.edu Thu Nov 2 01:46:00 2006 From: rich at mail.wvnet.edu (Richard Lynch) Date: Thu Nov 2 01:46:16 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV - fixed, but still too slow In-Reply-To: <45460BAB.8030103@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> <45437D9C.4060703@tulsaconnect.com> <45438C70.9000208@ecs.soton.ac.uk> <4543B3A8.5030600@tulsaconnect.com> <4543B518.9030001@tulsaconnect.com> <45460BAB.8030103@tulsaconnect.com> Message-ID: <45494DD8.90908@mail.wvnet.edu> TCIS List Acct wrote: > > > TCIS List Acct wrote: > >> The performance difference after just a few minutes is _very_ >> noticeable. It looks like the Mail::ClamAV module solved my >> performance issue with ClamAV. yay! >> >> I'll notify Jan-Peter Koopmann (the port maintainer) about the >> required fix to get the module to compile. >> > > I guess I spoke too soon. Even using the clamavmodule, ClamAV simply > can't keep up with the load on my boxes. I tried disabling f-prot and > using just clamavmodule, but over time the queue starts to pile up > much more noticeably than when I just have f-prot running. Oh well. > I think you've got something there. I've been struggling with the load on my MS boxes too. Until now, I was running with both F-Prot and ClamAV. The idea being that if one scanner was slow with a new virus update the other would catch it. After reading your message I turned off ClamAV. Today the queues were really short and keeping up with the load was easy. We process approx one million messages/day. Thanks for the tip! It was not apparent to me while monitoring the system that it was the virus scanning that was causing the delay. ~rich
From mike at vesol.com Thu Nov 2 02:07:15 2006 From: mike at vesol.com (Mike Kercher) Date: Thu Nov 2 02:08:05 2006 Subject: out of curiosity: reload and restart In-Reply-To: Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on : > On Wed, 01 Nov 2006 16:54:42 -0800, Scott Silva > wrote: > > >>> With only reloading MS, my MTA is accepting the new access > config (To: >>> domain RELAY) or am I dreaming ;-) >>> >>> >> If you are rebuilding the access file (makemap) sendmail > will read it. >> It only seems to need a restart if you rebuild the cf file. > > So if I understand you well, if I modify the access file > (something I need to do very often) and I do a 'make -C > /etc/mail' afterwards, I wouldn't have to restart sendmail > (and thus not MailScanner either)? > > > -- > Kind regards, > Sven De Troch > > ----- Need a solid hosting partner? ----- > -- More info at http://www.sitehosting.be -- That is correct. I modify my access file all the time and don't restart anything. Mike From res at ausics.net Thu Nov 2 05:02:17 2006 From: res at ausics.net (Res) Date: Thu Nov 2 05:02:28 2006 Subject: rejecting botnets with sendmail In-Reply-To: <003301c6fe1a$d73ecde0$0301a8c0@SAHOMELT> References: <003301c6fe1a$d73ecde0$0301a8c0@SAHOMELT> Message-ID: On Wed, 1 Nov 2006, Rick Cooper wrote: >> Sendmail works the identical way, it's an "enhanced dnsbl" feature > > That which I listed above (hopefully correct syntax) was from sendmail.
In > my exim configuration it looks like > > deny message = rejected because $sender_host_address is in a black list \ > at $dnslist_domain $dnslist_text > hosts = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts > senders = !/somedir/Mail_sender_white_list.conf > dnslists = ${readfile{/somedir/mail_rbl_lists}{:}} > > Which says, basically, if the host is *not* in my local network list, and > it's not a host I relay for and the sender is not in a special whitelist, > then submit to the rbls listed in /somedir/mail_rbl_lists. If the host is > already excluded the call is never made (wasted). The lists can be changed > without having to do anything with exim, if the file changes exim reads it > again, otherwise it's cached. > 4 lines for what sendmail does by default compilation, whoa -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From daniel at danielf.ch Thu Nov 2 07:30:54 2006 From: daniel at danielf.ch (Daniel Fuhrer) Date: Thu Nov 2 07:31:01 2006 Subject: AW: MCP Rules In-Reply-To: <4548C723.6080005@ecs.soton.ac.uk> Message-ID: <96EF3FB3C374A64187CCB0D0DA716F244672@idefix.danielf.local> Hi Julian Thanks fort he answer. It's not so important. It was just a question from my boss. Thanks Daniel Julian Field wrote: > You cannot do this yet, but when I get time I will work on solving this > problem completely. > Matt Hampton ---- Please can you re-send me your contributions for > solving this? > Daniel Fuhrer wrote: >> >> Hi all >> >> Is it possible that each user uses some default MPC rule sets and has >> an own rule set? >> >> Something like this. >> >> User1@domain.com uses "mcp.default.rule" & >> "mcp.user1.rule" >> >> User2@domain.com uses "mcp.default.rule" & >> "mcp.user2.rule" >> >> But the users doesent exist on mailscanner box. So he has no home >> directory. 
The own rule sets can be different files and don't has to >> correspondent with the username in the email address. >> >> If so, can someone give me an example? >> >> Thanks for your help. >> >> Cheers Daniel >> > Jules > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From brent.addis at pronet.co.nz Thu Nov 2 08:17:10 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Thu Nov 2 08:18:23 2006 Subject: rejecting botnets with sendmail In-Reply-To: References: <003301c6fe1a$d73ecde0$0301a8c0@SAHOMELT> Message-ID: <4549A986.7010502@pronet.co.nz> >> >> >> Which says, basically, if the host is *not* in my local network list, >> and >> it's not a host I relay for and the sender is not in a special >> whitelist, >> then submit to the rbls listed in /somedir/mail_rbl_lists. If the >> host is >> already excluded the call is never made (wasted). The lists can be >> changed >> without having to do anything with exim, if the file changes exim >> reads it >> again, otherwise it's cached. >> > > 4 lines for what sendmail does by default compilation, whoa > > > Swings both ways that does. Exim does things by default, that you need to run milter-ahead for with sendmail. Each to their own. 
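The policy Rick describes in this thread (exempt local, relay and whitelisted senders before any lookup, then act only on chosen return codes per list), modelled in Python as an added example; it is not code from the thread, from exim or from sendmail. The resolver stub, addresses, sender names and the 127.0.0.0/8 sanity check are assumptions of this example; the two list entries are the ones quoted in the thread.

```python
"""DNSBL return-code policy modelled on the exim ACL quoted in the thread."""
import ipaddress
from typing import List, NamedTuple

# The two list entries quoted in the thread (file contents constructed here).
RBL_LIST_FILE = """\
safe.dnsbl.sorbs.net
combined-HIB.dnsiplists.completewhois.com=127.0.0.2,127.0.0.3
"""

# Constructed exemption lists and DNS answers (documentation address ranges).
LOCAL_NETS = ["192.168.1.0/24"]
RELAY_HOSTS = {"198.51.100.25"}
SENDER_WHITELIST = {"boss@partner.example"}
FAKE_ZONE = {
    "10.2.0.192.safe.dnsbl.sorbs.net": ["127.0.0.7"],
    "20.2.0.192.combined-HIB.dnsiplists.completewhois.com": ["127.0.0.5"],
    "30.2.0.192.combined-HIB.dnsiplists.completewhois.com": ["127.0.0.3"],
    "40.2.0.192.safe.dnsbl.sorbs.net": ["203.0.113.99"],  # parked-zone style answer
}
DNSBL_RESULT_NET = ipaddress.ip_network("127.0.0.0/8")


class DnsblEntry(NamedTuple):
    domain: str
    codes: frozenset  # empty set: any return code counts as listed


class Verdict(NamedTuple):
    action: str   # "accept" or "deny"
    reason: str
    lookups: int  # DNS queries actually sent


def parse_rbl_list(text: str) -> List[DnsblEntry]:
    """Parse 'domain' or 'domain=code,code' entries, one list per line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        domain, _, codes = line.partition("=")
        wanted = frozenset(c.strip() for c in codes.split(",") if c.strip())
        for code in wanted:
            ipaddress.IPv4Address(code)  # ValueError on a malformed return code
        entries.append(DnsblEntry(domain.strip(), wanted))
    return entries


def query_name(host_ip: str, domain: str) -> str:
    """DNSBL convention: reversed IPv4 octets, then the list's zone."""
    octets = str(ipaddress.IPv4Address(host_ip)).split(".")
    return ".".join(reversed(octets)) + "." + domain


def fake_resolve(name: str) -> List[str]:
    """Stand-in resolver: A records for name, [] for NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


def listed_codes(answers: List[str], entry: DnsblEntry) -> List[str]:
    """Keep answers that are DNSBL result codes and that this entry acts on."""
    hits = []
    for answer in answers:
        # Assumption of this example: an answer outside 127.0.0.0/8 is not a
        # DNSBL result (a parked or wildcarded zone), so it never rejects mail.
        if ipaddress.ip_address(answer) not in DNSBL_RESULT_NET:
            continue
        if not entry.codes or answer in entry.codes:
            hits.append(answer)
    return hits


def check(host_ip: str, sender: str, entries: List[DnsblEntry],
          resolve=fake_resolve) -> Verdict:
    """Exemptions first, so an excluded host never costs a DNS query."""
    addr = ipaddress.ip_address(host_ip)
    if any(addr in ipaddress.ip_network(net) for net in LOCAL_NETS):
        return Verdict("accept", "local network", 0)
    if host_ip in RELAY_HOSTS:
        return Verdict("accept", "relay host", 0)
    if sender.lower() in SENDER_WHITELIST:
        return Verdict("accept", "whitelisted sender", 0)
    lookups = 0
    for entry in entries:
        lookups += 1
        hits = listed_codes(resolve(query_name(host_ip, entry.domain)), entry)
        if hits:
            reason = "rejected because %s is in a black list at %s (%s)" % (
                host_ip, entry.domain, ", ".join(hits))
            return Verdict("deny", reason, lookups)
    return Verdict("accept", "not listed", lookups)


if __name__ == "__main__":
    rbls = parse_rbl_list(RBL_LIST_FILE)
    for ip, sender in [("192.0.2.10", "someone@example.net"),
                       ("192.0.2.20", "someone@example.net"),
                       ("192.0.2.30", "someone@example.net"),
                       ("192.0.2.40", "someone@example.net"),
                       ("192.0.2.10", "boss@partner.example"),
                       ("192.168.1.5", "user@example.org")]:
        print(ip, sender, check(ip, sender, rbls))
```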
From t.d.lee at durham.ac.uk Thu Nov 2 10:07:20 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Nov 2 10:07:33 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B2C@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38B2C@CHI-US-EXCH-01.us.kmz.com> Message-ID: On Wed, 1 Nov 2006, Duncan, Brian M. wrote: > > > That default changed in 4.50.15-1. Are you running something older? > > Does MailScanner -V work? > > > > Yes here is the output from one of my sendmail-8.13.8-1/MailScanner > 4.54.6-1 boxes: > > Does anything look off? Yes, I think there is a problem... > [...] > This is MailScanner version 4.54.6 > [...] Earlier this year, there was an internal inconsistency within MS which I spotted at 4.54.6 . In "MailScanner.conf" the comments describing the default "Lock Type" (i.e. left blank) behaviour said 'it defaults to "posix"', but the actual behaviour (when left blank) was to set it to "flock". That is, the comments said MS would behave one way but its actual behaviour was the opposite. See threads starting at: http://lists.mailscanner.info/pipermail/mailscanner/2006-June/061887.html and Julian's acknowledgement and fix at: http://lists.mailscanner.info/pipermail/mailscanner/2006-June/061974.html So either upgrade to a more recent version (than 4.54.6) or if you need to stay back at 4.54.6 then explicitly state which lock type you want. Hope that helps. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. 
: From bgmahesh at gmail.com Thu Nov 2 11:19:03 2006 From: bgmahesh at gmail.com (BG Mahesh) Date: Thu Nov 2 11:19:05 2006 Subject: False alarm on possible fraud Message-ID: <5227ac5c0611020319p5d888fa1w7173a27f387806c5@mail.gmail.com> hi In the email we are using http://explore.oneindia.in/suggest.php MS is suspecting it to be a fraud.. --- If you have a link that you want listed, please submit it at http://explore.oneindia.in/suggest.php*MailScanner has detected a possible fraud attempt from "ex" claiming to be* ----- What could be wrong in that URL/sentence? -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds From t.d.lee at durham.ac.uk Thu Nov 2 12:22:04 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Nov 2 12:22:17 2006 Subject: MS/SA: SA problem Message-ID: We've been running MS/SA on Fedora machines for a few years. Earlier this week, I set up yet another machine, expecting it to be straightforward. Clean OS install (FC5), clean install of MS (4.56.8) etc. All seems well, including "spamassassin --lint --debug". But when it starts to try to process email, MailScanner seems to take a very long time. Running it in debug mode shows: Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718. Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718. Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718. dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. and lots more similar lines (although the " line yy" varies). Any thoughts on this? Over the last couple of days I've tried various versions of SA (the above details are from 3.1.3) installed in various different ways, but all giving this set of errors. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From amsc at k1k2.com Thu Nov 2 12:32:37 2006 From: amsc at k1k2.com (Andrew) Date: Thu Nov 2 12:33:40 2006 Subject: Overriding SBL+XBL on a DHCP address Message-ID: <1162470757.30908.154.camel@and64.paige> Hi, I have a DHCP address at home (with a dns name I update if it changes ... using my own script ...) My server running MailScanner has a fixed IP so it's no problem. (I also have an auto update process running at home, on the server sendmail access file) What happened recently (and I need to get a new lease to fix) is that my DHCP IP address showed up in SBL+XBL My home server does smart forwarding to my mail server Because of this, all my email was being dumped by the spam filter. I guess there is a simple solution to this problem? How can I whitelist my DHCP IP address? I did try whitelisting the name, but couldn't seem to get it to work without specifying the IP address by number (which is of course not much use) I tried listing my internal IP subnet first but that didn't work coz the spam filter seems to only check the previous IP address in the path list? 
Also, I'm using an old version of MailScanner: 4.38.10 Here's the edited whitelist file. It didn't work until the last line was added. spam.whitelist.rules -------------------- # This is where you can build a Spam WhiteList # Addresses matching in here, with the value # "yes" will never be marked as spam. FromOrTo: default no From: /^192\.168\.ccc\./ yes From: nam1.nam2.nam3.com yes From: /^aaa\.bbb\.xxx\.yyy/ yes -Thanks for any help From res at ausics.net Thu Nov 2 13:02:43 2006 From: res at ausics.net (Res) Date: Thu Nov 2 13:02:53 2006 Subject: MS/SA: SA problem In-Reply-To: References: Message-ID: On Thu, 2 Nov 2006, David Lee wrote: > But when it starts to try to process email, MailScanner seems to take a > > Any thoughts on this? > have you enabled the log speed issue to see where it might be delaying? I was seeing this a while back, it was dcc, disabled it and everything fine since -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From martinh at solidstatelogic.com Thu Nov 2 13:05:13 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Nov 2 13:05:48 2006 Subject: Stocks and P-R-O-F-I-T In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B044D67@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B044D67@addc01.assuredata.local> Message-ID: <4549ED09.7020909@solidstatelogic.com> Max Kipness wrote: > Hello, > > I had recently tried what I thought was a good technique, and created a > script that fed all email from every MailScanner white listed email > address into sa-learn as ham nightly, without doing a check on the > emails. This was obviously a bad choice as jokes and other spam like > emails must have processed for months. > > Anyway, I scrapped the bayes database and started from scratch using the > a sample bayes db from FSL (I think it's called). 
From there I've been > feeding quite a bit of spam into sa-learn for about a week or two. I'd > say I've fed about 400 spam mails thus far. However, as of today I'm > still getting the p-r-o-f-i-t and stock spasm with bayes scores of > anywhere from 10% to 50%. > > My question is how long or how many emails should it take bayes to > figure out these spam emails? Is there a way of viewing the progress? > With the other scores from DCC, Pyzor, Razor, the score is close to > being tagged as spam, but sometimes it's not quite there because of the > bayes score. > > Thanks, > Max > Max besides the SARE_Stock rules what others have you got. Also the SARE-stock got updated a couple of a weeks ago to help with this. Have a look at some of fred's and Jennifers rules listed in www.rulesemporium.com/other-rules.htm -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From marc at marcsnet.com Thu Nov 2 13:17:00 2006 From: marc at marcsnet.com (Marc Lucke) Date: Thu Nov 2 13:17:33 2006 Subject: MailScanner as mail proxy In-Reply-To: References: Message-ID: <4549EFCC.1090902@marcsnet.com> Jim Holland wrote: > On Tue, 31 Oct 2006, David Lee wrote: > > >> Date: Tue, 31 Oct 2006 11:47:35 +0000 (GMT) >> From: David Lee >> Reply-To: MailScanner discussion >> To: MailScanner discussion >> Subject: Re: MailScanner as mail proxy >> >> On Tue, 31 Oct 2006, Marc Lucke wrote: >> >> >>> I know this is getting off topic. 
I know enough about sendmail to be >>> 99% sure that this question should be on their list. But any help, >>> ideas or feedback would be welcome. I'm guessing the MailScanner >>> community would have come across my problem on more than 1 occasion. >>> >>> I run MailScanner on a remote machine to my actual mailserver. In other >>> words all mail is relayed via the Mailscanner box. This is to stop >>> viruses and spam on the mailserver I have to run which is very limited >>> in such defenses. It all works great, apart from one annoying problem: >>> if someone sends to an unknown email account (as oft occurs) the >>> MailScanner proxy (for want of a better way to describe it as I'm using >>> it) first accepts the email, attempts delivery, cannot deliver and then >>> tries to notify the sender who doesn't exist. So I'm lumbered with a >>> billion postmaster non-delivery emails. I'm keeping up with this quite >>> well, but I'm scared I'll miss a legitimate message because it's buried >>> in garbage. >>> >>> Is there anything I can do to get anything in MailScanner to check with >>> my destination email server that the actual account exists before >>> accepting the email in the first place? >>> >> Even MailScanner would be too late: your overall email system has already >> accepted the email. To confirm your last paragraph, for unknown >> usernames, you really need to refuse to accept the email in the first >> place. >> >> You need to do your "refuse to accept" on your Internet boundary: on the >> sendmail listener that runs on your remote (MailScanner) box. A route you >> probably want to investigate is the "virtuser" table in that remote >> sendmail listener, and having a maintenance procedure that regularly >> populates that table with the valid usernames (and other possible valid >> addresses) on your user-mailserver. 
>> > > That is the method that I used to use on MANGO, with a script to mail the > updated virtusertable to the gateway machine and then have it processed by > another script on arrival. It works, but is a rather messy approach. In > particular, the virtusertable entries redirect mail from one address to > another address, so you have to change the domain names and then have a > mailertable entry for the new domain. However I don't think that sendmail > itself offers any alternative approach to this problem. > > As Steve Freegard wrote: > > >> You can do this using a sendmail milter . . . >> there is a free alternative (I've never tried it though, so I can't >> comment on its features) at http://smfs.sourceforge.net/smf-sav.html. >> > > I highly recommend it in its latest version, smf-sav v1.4.0. Not only can > it be used for recipient verification, it can also do sender verification. > Earlier versions had some significant drawbacks, but I now run this > version on a production server and find it extremely useful for SAV and > RAV. If you want any help offline, please feel free to contact me. The > developer, Eugene Kurmanin, is also extremely helpful and responsive (even > helping me get it running on an ancient RedHat 6.1 box that it was never > intended to be compiled on). > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > > I just have to say, Jim - smf-sav kicks ass. I've got it running on 2 Linux servers now & it saves SO much time in postmaster messages and spam - it's really incredible. It's given me a whole chunk of my life back. Thank you to all on list with suggestions. Marc From brian.duncan at kattenlaw.com Thu Nov 2 14:05:32 2006 From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Nov 2 14:05:42 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. Message-ID: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com> > Earlier this year, there was an internal inconsistency within > MS which I spotted at 4.54.6 . > > In "MailScanner.conf" the comments describing the default "Lock Type" > (i.e. left blank) behaviour said 'it defaults to "posix"', > but the actual behaviour (when left blank) was to set it to "flock". > > That is, the comments said MS would behave one way but its > actual behaviour was the opposite. > > See threads starting at: > > http://lists.mailscanner.info/pipermail/mailscanner/2006-June/ > 061887.html > and Julian's acknowledgement and fix at: > > http://lists.mailscanner.info/pipermail/mailscanner/2006-June/ > 061974.html > > > So either upgrade to a more recent version (than 4.54.6) or > if you need to stay back at 4.54.6 then explicitly state > which lock type you want. > > Hope that helps. Thank you for the information. I found those this morning when doing further searches. I am hesitant to turn posix on, on my main server that has been using Sendmail 8.13.x and flock for months now without issue. I am starting with a lower load box first. I am afraid that it will cause a duplication issue. It seems to with some sendmail 8.12.x users, and when they show their compiled options I don't see flock listed. Here is one posting from a recent person with the duplicating message issue that was using Sendmail 8.12.11: >Yes I'm using sendmail. > >8.12.11-4.6 > ># sendmail -d0.1 >Version 8.12.11 > Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET >NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB USE_LDAP_INIT >Duncan Since he does not have FLOCK shown in his compiled options, shouldn't of Posix worked for him? 
(Everything was ok when he switched to flock) - I looked at an older box I have here with sendmail 8.12 on it and I don't have flock shown as a compiled option. I thought it was supposed to show you if flock support is compiled into sendmail. Can someone please explain to me how it is determined that with Sendmail 8.13.x + versions you have to use posix? Is there any way to determine 100% that your sendmail compile is already using Posix and NOT flock? Looking for flock in the compiled options does not look to be accurate based on the above post I included. (He had to switch to flock to make his work, yet flock does NOT show up in his compiled options) Thanks
From Denis.Beauchemin at USherbrooke.ca Thu Nov 2 14:21:02 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Nov 2 14:21:30 2006 Subject: rejecting botnets with sendmail In-Reply-To: References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> <4548FE66.7010702@USherbrooke.ca> Message-ID: <4549FECE.9020503@USherbrooke.ca> Scott Silva wrote: >>> I use exim and it allows you to reject based on specific returns >>> (such as >>> 127.0.0.10) or anything but a specific return for rbls that return >>> more than >>> one possible address. I figured this is such a good idea perhaps sendmail >>> had something similar so I hit google and found enhdnsbl, did a quick >>> google >>> on FEATURE(enhdnsbl, and found you could use something like >>> >>> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >>> $&{client_addr} " found in safe.dnsbl.sorbs.net"', >>> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.', >>> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.') >>> >>> Which would reject on all the lists except dul. Or you could have >>> multiple >>> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use >>> (there >>> are more too). Of course the single call and choose your reject >>> addresses, >>> would be more economical I would think. >>> >>> Rick >>> >>> >> Rick, >> >> This is really interesting! My stats for yesterday are: >> 127.0.0.2 : 929 >> 127.0.0.3 : 608 >> 127.0.0.4 : 46 >> 127.0.0.5 : 5 >> 127.0.0.6 : 539 >> 127.0.0.7 : 12587 >> 127.0.0.9 : 2 >> 127.0.0.10 : 97940 >> >> So if I omit dul.dnsbl.sorbs.net I will not block much... >> >> Any ideas on how I could whitelist some IP addresses or domain names if >> needed? >> >> Thanks! >> >> Denis >> >> > You can add whitelisted entries in the access file if you use > feature_delay_checks in sendmail. > http://www.technoids.org/ > Has a lot of good sendmail stuff.
> Are you using the new stuff in sendmail like greetpause, conncontrol, and > ratecontrol? > http://www.technoids.org/dossed.html > Yes, I am using greetpause, conncontrol, and ratecontrol but they're not enough. I knew about http://www.technoids.org/dossed but not the rest of the site. It's quite interesting. However I'm not sure how to whitelist a remote site that appears on safe.dnsbl.sorbs.net. The examples I saw referred to email addresses... After some more reading on sendmail.org, I think I need the following in my access file: ip.of.remote.host: OK OK: "Accept mail even if other rules in the running ruleset would reject it, for example, if the domain name is unresolvable. "Accept" does not mean "relay", but at most acceptance for local recipients. That is, OK allows less than RELAY." Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From rcooper at dwford.com Thu Nov 2 14:23:51 2006 From: rcooper at dwford.com (Rick Cooper) Date: Thu Nov 2 14:24:00 2006 Subject: rejecting botnets with sendmail In-Reply-To: Message-ID: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res > Sent: Thursday, November 02, 2006 12:02 AM > To: MailScanner discussion > Subject: RE: rejecting botnets with sendmail > > On Wed, 1 Nov 2006, Rick Cooper wrote: > > >> Sendmail works the identical way, its an "enhanced dnsbl" feature > > > > That which I listed above (hopefully correct syntax) was > from sendmail.
In > > my exim configuration it looks like > > > > deny message = rejected because $sender_host_address is > in a black list \ > > at $dnslist_domain $dnslist_text > > hosts = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts > > senders = !/somedir/Mail_sender_white_list.conf > > dnslists = ${readfile{/somedir/mail_rbl_lists}{:}} > > > > Which says, basically, if the host is *not* in my local > network list, and > > it's not a host I relay for and the sender is not in a > special whitelist, > > then submit to the rbls listed in /somedir/mail_rbl_lists. > If the host is > > already excluded the call is never made (wasted). The lists > can be changed > > without having to do anything with exim, if the file > changes exim reads it > > again, otherwise it's cached. > > > > 4 lines for what sendmail does by default compilation, whoa > That is inaccurate, I believe. If I just wanted to run the rbl it would be dnslists = ${readfile{/somedir/mail_rbl_lists}{:}}. And the rbl processing in sendmail is not default, anymore than it is in exim. The default config for exim doesn't assume you want rbl processing or what rbl you would like to use, niether does sendmail. And I don't have to use a separate file for the actual rbls and returned items either, it could be a list on one line with the same info. I choose to use the file because if I want to add, or change something I can do so without having to hup exim, or interrupt the mail for even a second. The additional lines are prefaces to the actual RBL. If mail is from a whitelisted host or sender why waste the resources to run the rbls when those hosts/senders are going to pass anyway? I do not believe, but I could be wrong, that sendmail by default makes assumptions as to what hosts, or senders have what action applied to them. And of course the deny/message line could be one line instead of wrapped for legibility in say, vi. 
It's not a knock against sendmail or people who use it but one reason I use
exim is because there is (probably) nothing 3d party required to do
anything. Virus scanning, SpamAssassin processing, virtually any method of
storage for anything, any kind of verification. And I *never* have to so
much as hup the daemon if I change something that would be internal to most
mailers (I have tried sendmail, postfix, qmail, courier). You can, of
course, use a monolithic config file, or break out any part of the config.
You can specify lists within the config(s), which require a hup if you
change them, or via external files which do not. Exim is virtually a smtp
programming language and I have yet to find something I wanted it to do
that could not be done. Heck you can even embed perl functions within the
exim objects and extremely complex processing on what ever distinct item
you wish, within any portion of the smtp process you wish from connection
to delivery.

In any event, if I wanted static rbls, which just run against every message
from everyone on every host one short line would accomplish that. However
my requirements are more flexible thus the additional lines. I used to
actually use a configuration for one location that ran a different set of
rbls based on the network from whence the host originated.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sandrews at andrewscompanies.com Thu Nov 2 14:31:58 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Nov 2 14:32:01 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297DB@winchester.andrewscompanies.com>

Why? Because the customer asked that a default disclaimer/signature block
be added to all his outbound emails. I figured using my mailscanner box as
a smarthost and then using the rules to sign outbound messages would be
easiest.
All I was missing was the architecture of the rules to "sign" just the
outbound messages from his domain.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Evan Platt
Sent: Wednesday, November 01, 2006 3:40 PM
To: MailScanner discussion
Subject: Re: MS Config Question - outbound

At 11:56 AM 11/1/2006, you wrote:
>I'm currently using mailscanner to scan all inbound mail and that works
>great.
>
>Is there a way to use mailscanner to also be the outbound mail server
>and add a disclaimer/signature block to all outbound messages like it
>does for inbound scanned messages?

I've gotta ask..

Why?

I know of no anti-virus program that looks for "This message was scanned
and found to be clean" and then ignores scanning the message.

What's the point?

I've seen spam with a EXE virus attached ("Microsoft Security Patch!
INSTALL NOW!") with a "This message was found to be virus clean."

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From sandrews at andrewscompanies.com Thu Nov 2 14:33:13 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Nov 2 14:33:17 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297DC@winchester.andrewscompanies.com>

In my field, we call them customers. Personally, I think the signature
blocks are a waste, but the customer sends me money when I do work,
so....

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
Neuman van der Hans
Sent: Wednesday, November 01, 2006 4:25 PM
To: MailScanner discussion
Subject: Re: MS Config Question - outbound

You must remember there still are (and will be for a long time) bosses
like Dilbert's (or the boss in "The Office", UK or US, take your pick)
that *require* these useless bits of fluff.

Evan Platt wrote:
> At 11:56 AM 11/1/2006, you wrote:
>> I'm currently using mailscanner to scan all inbound mail and that
>> works great.
>>
>> Is there a way to use mailscanner to also be the outbound mail server
>> and add a disclaimer/signature block to all outbound messages like it
>> does for inbound scanned messages?
>
>
> I've gotta ask..
>
> Why?
>
> I know of no anti-virus program that looks for "This message was
> scanned and found to be clean" and then ignores scanning the message.
>
> What's the point?
>
> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
> INSTALL NOW!") with a "This message was found to be virus clean."
>
>
>

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From housey at sme-ecom.co.uk Thu Nov 2 14:57:01 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Thu Nov 2 14:57:06 2006
Subject: Could not analyze message
Message-ID:

Hi

I have a customer who can't receive an email from a certain domain, the
message is quarantined with a quarantine report showing "Could not analyze
message".

The email is very basic, plain text with no attachments.

I tried to get around this by using the Scan Messages ruleset

Scan Messages = %rule-dir%/scan.messages.rules

and set the following in scan.messages.rules

FromOrTo: default no
From: domaina.com no
FromTo: mycustomer.com yes

where domaina.com is the domain sending the email being blocked and
mycustomer.com is the domain receiving. However the message is still being
quarantined.

Can anyone advise what can cause the "Could not analyze message"? or why my
ruleset setup is not working?

Kind Regards

Paul

From bpumphrey at woodmclaw.com Thu Nov 2 15:09:25 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Thu Nov 2 15:09:39 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C1403E@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of sandrews@andrewscompanies.com
> Sent: Wednesday, November 01, 2006 2:56 PM
> To: mailscanner@lists.mailscanner.info
> Subject: MS Config Question - outbound
>
> I'm currently using mailscanner to scan all inbound mail and that works
> great.
>
> Is there a way to use mailscanner to also be the outbound mail server
> and add a disclaimer/signature block to all outbound messages like it
> does for inbound scanned messages?
>
> Thanks,
>
> Steve
> --

To answer your question, yes. I just set mine up. I think I did it just
for fun or something more than a need for it. Tracking is probably the
reason I did it. My boss always asks me for email traces.

Any way.. I use an exchange server and all that I had to do was have the
exchange server forward outbound mail to the MailScanner machine. I
believe in my setup I did not have to alter the MailScanner machine at
all, not to say you will not have to.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From alex at nkpanama.com Thu Nov 2 15:09:34 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 2 15:10:37 2006
Subject: # of messages per batch
In-Reply-To:
References:
Message-ID: <454A0A2E.50006@nkpanama.com>

You can also increase the "queue scan interval", specially on lower-spec
machines, to something higher. In that case your queues might actually
fill up enough so that the 30-msg-per-batch default makes MailScanner
pick up 30 messages out of, say, 100. On very low volume mail servers,
you can even decrease that (I've set it to "1" on mine) so that
processing is virtually instantaneous.

Sven De Troch spake the following on 11/1/2006 2:24 PM:
There is a setting in the conf file for max messages per batch, but
MailScanner will not sit and wait for messages to pile up. If you are
running 10 children, and mailscanner is set to check the queue every 30
seconds, then you would have to get something like 600 messages per
minute to fill the default batch size of 30. If you are getting 10 to 20
messages a minute, you will never even break a sweat with 10 children.
That would be around 1-4 messages per batch. You could lower your max
children and see if the system keeps up.

From alex at nkpanama.com Thu Nov 2 15:14:07 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 2 15:14:52 2006
Subject: out of curiosity: reload and restart
In-Reply-To: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com>
References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com>
Message-ID: <454A0B3F.6090803@nkpanama.com>

Sven De Troch wrote:
> On Wed, 1 Nov 2006 17:36:01 -0600, "Mike Kercher"
> wrote:
>
>> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>>
>> You do not have to reload or restart MS (sendmail) after making changes
>> to the access, virtusertable or mailertable. If you change your
>> sendmail.mc/cf, you need to RESTART MS, but only because that will
>> restart the sendmail processes.
>
> Mike,
>
> I thought as well that reloading MS is not sufficient to read new
> sendmail configs (i.e. access file), but this seems to be working for
> me and I don't find it logical either (and because of this I raised my
> question here).
>
> With only reloading MS, my MTA is accepting the new access config (To:
> domain RELAY) or am I dreaming ;-)
>
>
Sendmail doesn't need to be restarted for changes to the access file to
"stick". Adding a milter or an rbl (or some other parameter) to
sendmail.mc and recompiling sendmail.cf *does* require a restart (as
opposed to a "reload"), although I don't know if it could be
accomplished with a "killall -HUP sendmail" (haven't tried).

From alex at nkpanama.com Thu Nov 2 15:20:51 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 2 15:21:28 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297DC@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297DC@winchester.andrewscompanies.com>
Message-ID: <454A0CD3.5050009@nkpanama.com>

I know... I have those too. You should try educating them. Educated
customers are more efficient for you in the long run, since you can make
more money off of them using less resources. It's almost like the
difference between house training puppies and herding cats.

sandrews@andrewscompanies.com wrote:
> In my field, we call them customers. Personally, I think the signature
> blocks are a waste, but the customer sends me money when I do work,
> so....
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Wednesday, November 01, 2006 4:25 PM
> To: MailScanner discussion
> Subject: Re: MS Config Question - outbound
>
> You must remember there still are (and will be for a long time) bosses
> like Dilbert's (or the boss in "The Office", UK or US, take your pick)
> that *require* these useless bits of fluff.
>
> Evan Platt wrote:
>> At 11:56 AM 11/1/2006, you wrote:
>>> I'm currently using mailscanner to scan all inbound mail and that
>>> works great.
>>>
>>> Is there a way to use mailscanner to also be the outbound mail server
>
>>> and add a disclaimer/signature block to all outbound messages like it
>
>>> does for inbound scanned messages?
>>
>> I've gotta ask..
>>
>> Why?
>>
>> I know of no anti-virus program that looks for "This message was
>> scanned and found to be clean" and then ignores scanning the message.
>>
>> What's the point?
>>
>> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
>> INSTALL NOW!") with a "This message was found to be virus clean."
>>
>>
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

From ugob at camo-route.com Thu Nov 2 15:30:39 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Nov 2 15:31:59 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4549FECE.9020503@USherbrooke.ca>
References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> <4548FE66.7010702@USherbrooke.ca> <4549FECE.9020503@USherbrooke.ca>
Message-ID:

Denis Beauchemin wrote:
> Scott Silva wrote:
>>>
>> You can add whitelisted entries in the access file if you use
>> feature_delay_checks in sendmail.
>> http://www.technoids.org/
>> Has a lot of good sendmail stuff.
>> Are you using the new stuff in sendmail like greetpause, conncontrol, and
>> ratecontrol?
>> http://www.technoids.org/dossed.html
>>
> Yes, I am using greetpause, conncontrol, and ratecontrol but they're not
> enough.
>
> I knew about http://www.technoids.org/dossed but not the rest of the
> site. It's quite interesting. However I'm not sure how to whitelist a
> remote site that appears on safe.dnsbl.sorbs.net. The examples I saw
> referred to email addresses...
>
> After some more reading on sendmail.org, I think I need the following in
> my access file:
> ip.of.remote.host: OK
>
> OK: "Accept mail even if other rules in the running ruleset would reject
> it, for example, if the domain name is unresolvable. "Accept" does not
> mean "relay", but at most acceptance for local recipients. That is, OK
> allows less than RELAY."
>
> Denis
>

Here is what I use:

# Temporary measure - skip relay tests for this server
connect:**.110.223.185 OK
connect:**.110.235.244 OK

From sandrews at andrewscompanies.com Thu Nov 2 15:48:56 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Nov 2 15:48:59 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297E6@winchester.andrewscompanies.com>

The only thing outside of this I had to do was allow relay on the
mailscanner from exchange.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Billy A.
Pumphrey
Sent: Thursday, November 02, 2006 10:09 AM
To: MailScanner discussion
Subject: RE: MS Config Question - outbound

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of sandrews@andrewscompanies.com
> Sent: Wednesday, November 01, 2006 2:56 PM
> To: mailscanner@lists.mailscanner.info
> Subject: MS Config Question - outbound
>
> I'm currently using mailscanner to scan all inbound mail and that works
> great.
>
> Is there a way to use mailscanner to also be the outbound mail server
> and add a disclaimer/signature block to all outbound messages like it
> does for inbound scanned messages?
>
> Thanks,
>
> Steve
> --

To answer your question, yes. I just set mine up. I think I did it just
for fun or something more than a need for it. Tracking is probably the
reason I did it. My boss always asks me for email traces.

Any way.. I use an exchange server and all that I had to do was have the
exchange server forward outbound mail to the MailScanner machine. I
believe in my setup I did not have to alter the MailScanner machine at
all, not to say you will not have to.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From sandrews at andrewscompanies.com Thu Nov 2 15:50:29 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Nov 2 15:50:38 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>

I did educate them; but the boss' daughter is into "marketing" and she
assured everyone that this was necessary. I know what fights to pick.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
Neuman van der Hans
Sent: Thursday, November 02, 2006 10:21 AM
To: MailScanner discussion
Subject: Re: MS Config Question - outbound

I know... I have those too. You should try educating them. Educated
customers are more efficient for you in the long run, since you can make
more money off of them using less resources. It's almost like the
difference between house training puppies and herding cats.

sandrews@andrewscompanies.com wrote:
> In my field, we call them customers. Personally, I think the
> signature blocks are a waste, but the customer sends me money when I
> do work, so....
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Wednesday, November 01, 2006 4:25 PM
> To: MailScanner discussion
> Subject: Re: MS Config Question - outbound
>
> You must remember there still are (and will be for a long time) bosses
> like Dilbert's (or the boss in "The Office", UK or US, take your pick)
> that *require* these useless bits of fluff.
>
> Evan Platt wrote:
>> At 11:56 AM 11/1/2006, you wrote:
>>> I'm currently using mailscanner to scan all inbound mail and that
>>> works great.
>>>
>>> Is there a way to use mailscanner to also be the outbound mail
>>> server
>
>>> and add a disclaimer/signature block to all outbound messages like
>>> it
>
>>> does for inbound scanned messages?
>>
>> I've gotta ask..
>>
>> Why?
>>
>> I know of no anti-virus program that looks for "This message was
>> scanned and found to be clean" and then ignores scanning the message.
>>
>> What's the point?
>>
>> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
>> INSTALL NOW!") with a "This message was found to be virus clean."
>>
>>
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From mike at vesol.com Thu Nov 2 15:58:00 2006
From: mike at vesol.com (Mike Kercher)
Date: Thu Nov 2 15:58:55 2006
Subject: Could not analyze message
In-Reply-To:
Message-ID:

mailscanner-bounces@lists.mailscanner.info <> scribbled on :
> Hi
>
> I have a customer who can't receive an email from a certain
> domain, the message is quarantined with a quarantine report
> showing "Could not analyze message".
>
> The email is very basic, plain text with no attachments.
>
> I tried to get around this by using the Scan Messages ruleset
>
> Scan Messages = %rule-dir%/scan.messages.rules
>
> and set the following in scan.messages.rules
>
> FromOrTo: default no
> From: domaina.com no
> FromTo: mycustomer.com yes
>
> where domaina.com is the domain sending the email being
> blocked and mycustomer.com is the domain receiving. However
> the message is still being quarantined.
>
> Can anyone advise what can cause the "Could not analyze
> message"? or why my ruleset setup is not working?
>
> Kind Regards
>
> Paul

Your ruleset should look like this:

From: domaina.com no
FromTo: mycustomer.com no
FromOrTo: default yes

The way your ruleset is currently, it is matching on the default entry
FIRST

Mike

From alex at nkpanama.com Thu Nov 2 16:07:32 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 2 16:09:05 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>
Message-ID: <454A17C4.1000909@nkpanama.com>

I'm sure the boss's daughter is "into marketing" as are a few people
"into firearms" or "into explosives"... ;)

sandrews@andrewscompanies.com wrote:
> I did educate them; but the boss' daughter is into "marketing" and she
> assured everyone that this was necessary. I know what fights to pick.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Thursday, November 02, 2006 10:21 AM
> To: MailScanner discussion
> Subject: Re: MS Config Question - outbound
>
> I know... I have those too. You should try educating them. Educated
> customers are more efficient for you in the long run, since you can make
> more money off of them using less resources. It's almost like the
> difference between house training puppies and herding cats.
>
> sandrews@andrewscompanies.com wrote:
>> In my field, we call them customers. Personally, I think the
>> signature blocks are a waste, but the customer sends me money when I
>> do work, so....
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
>> Neuman van der Hans
>> Sent: Wednesday, November 01, 2006 4:25 PM
>> To: MailScanner discussion
>> Subject: Re: MS Config Question - outbound
>>
>> You must remember there still are (and will be for a long time) bosses
>
>> like Dilbert's (or the boss in "The Office", UK or US, take your pick)
>
>> that *require* these useless bits of fluff.
>>
>> Evan Platt wrote:
>>> At 11:56 AM 11/1/2006, you wrote:
>>>> I'm currently using mailscanner to scan all inbound mail and that
>>>> works great.
>>>>
>>>> Is there a way to use mailscanner to also be the outbound mail
>>>> server
>>>> and add a disclaimer/signature block to all outbound messages like
>>>> it
>>>> does for inbound scanned messages?
>>> I've gotta ask..
>>>
>>> Why?
>>>
>>> I know of no anti-virus program that looks for "This message was
>>> scanned and found to be clean" and then ignores scanning the message.
>>>
>>> What's the point?
>>>
>>> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
>>> INSTALL NOW!") with a "This message was found to be virus clean."
>>>
>>>
>>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

From cobalt-users1 at fishnet.co.uk Thu Nov 2 16:15:27 2006
From: cobalt-users1 at fishnet.co.uk (Ian)
Date: Thu Nov 2 16:15:32 2006
Subject: OT: RE: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>
Message-ID: <454A199F.7506.506FEC9@cobalt-users1.fishnet.co.uk>

On 2 Nov 2006 at 10:50, sandrews@andrewscompanies.com wrote:

> I did educate them; but the boss' daughter is into "marketing" and she
> assured everyone that this was necessary. I know what fights to pick.

See if you can sneak this one in... it appeared in another mailing list
and I use it in reply to anyone who sends me one.

IMPORTANT: This email is intended for the use of the individual addressee
(s) named above and may contain information that is confidential,
privileged or unsuitable for overly sensitive persons with low self-
esteem, no sense of humour or irrational religious beliefs. If you are
not the intended recipient, any dissemination, distribution or copying of
this email is not authorised (either explicitly or implicitly) and
constitutes an Irritating social faux pas. Unless the word absquatulation
has been used in its correct context somewhere other than in this warning,
it does not have any legal or grammatical use and may be ignored. No
animals were harmed in the transmission of this email, although the cat
next door is living on borrowed time, let me tell you. Those of you with
an overwhelming fear of the unknown will be gratified to learn that there
is no hidden message revealed by reading this warning backwards, so just
ignore that Alert Notice from Microsoft. However, by pouring a complete
circle of salt around yourself and your computer you can ensure that no
harm befalls you and your pets. If you have received this email in error,
please place it in a warm oven for 40 minutes and add some nutmeg and egg
whites.
Whisk briefly and let it stand for 2 hours before icing.

Ian

--

From ssilva at sgvwater.com Thu Nov 2 17:10:48 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 17:12:02 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/2/2006 6:05 AM:
>> Earlier this year, there was an internal inconsistency within
>
>> MS which I spotted at 4.54.6 .
>>
>
>> In "MailScanner.conf" the comments describing the default "Lock Type"
>> (i.e. left blank) behaviour said 'it defaults to "posix"',
>
>> but the actual behaviour (when left blank) was to set it to "flock".
>>
>
>> That is, the comments said MS would behave one way but its
>
>> actual behaviour was the opposite.
>>
>
>> See threads starting at:
>>
>
>> http://lists.mailscanner.info/pipermail/mailscanner/2006-June/
>> 061887.html
>> and Julian's acknowledgement and fix at:
>>
>
>> http://lists.mailscanner.info/pipermail/mailscanner/2006-June/
>> 061974.html
>>
>
>
>> So either upgrade to a more recent version (than 4.54.6) or
>
>> if you need to stay back at 4.54.6 then explicitly state
>
>> which lock type you want.
>>
>
>> Hope that helps.
>
> Thank you for the information. I found those this morning when doing
> further searches.
>
> I am hesitant to turn posix on, on my main server that has been using
> Sendmail 8.13.x and flock for months now without issue.
>
> I am starting with a lower load box first. I am afraid that it will
> cause a duplication issue. It seems to with some sendmail 8.12.x users,
> and when they show their compiled options I don't see flock listed.
>
> Here is one posting from a recent person with the duplicating message
> issue that was using Sendmail 8.12.11:
>
>> Yes I'm using sendmail.
>>
>> 8.12.11-4.6
>>
>> # sendmail -d0.1
>> Version 8.12.11
>> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
>> NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
> USERDB USE_LDAP_INIT
>> Duncan
>
>
> Since he does not have FLOCK shown in his compiled options, shouldn't
> Posix have worked for him? (Everything was ok when he switched to flock) - I
> looked at an older box I have here with sendmail 8.12 on it and I don't
> have flock shown as a compiled option. I thought it was supposed to
> show you if flock support is compiled into sendmail.
>
> Can someone please explain to me how it is determined that with Sendmail
> 8.13.x + versions you have to use posix? Is there any way to determine
> 100% that your sendmail compile is already using Posix and NOT flock?
> Looking for flock in the compiled options does not look to be accurate
> based on the above post I included. (He had to switch to flock to make
> his work, yet flock does NOT show up in his compiled options)
>
> Thanks

This note was posted with sendmail 8.12.5 in the announce;

NOTE: Linux appears to have broken flock() again. Unless
the bug is fixed before sendmail 8.13 is shipped,
8.13 will change the default locking method to
fcntl() for Linux kernel 2.4 and later. You may want to
do this in 8.12 by compiling with -DHASFLOCK=0. Be sure to
update other sendmail related programs to match locking
techniques.
( see http://www.sendmail.org/releases/8.12.5.html)

I can't tell you why your version is different, maybe a custom compiled
version to get around the Flock exploit that was posted about the time
8.12.11 came out.

The consensus so far has been ;
Linux and sendmail 8.12 = flock
Linux and sendmail 8.13 = posix

Also note that there have been some problems with dovecot if it is set to
a different locking.

I am still curious as to how you have been so lucky with no problems!
Are you running on a filesystem other than ext2/ext3? Maybe Core 4 has a
kernel that doesn't have the locking problem that the enterprise distros
lack because of the conservative patching that is done.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 2 17:16:22 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 17:20:16 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x andMailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B2D@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B2D@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/1/2006 5:10 PM:
> One other question, is it normal when using posix for it to note:
>
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
>
> Every time after it says it's using posix as the locking method?
>
>
Yes. That is just the normal kernel noise from the posix locking;

Nov 2 09:14:42 xxxx MailScanner[11571]: Using locktype = posix
Nov 2 09:14:42 xxxx MailScanner[11571]: Creating hardcoded struct_flock subroutine for linux (Linux-type)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 2 17:19:42 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 17:25:24 2006
Subject: MS/SA: SA problem
In-Reply-To:
References:
Message-ID:

David Lee spake the following on 11/2/2006 4:22 AM:
> We've been running MS/SA on Fedora machines for a few years. Earlier this
> week, I set up yet another machine, expecting it to be straightforward.
> Clean OS install (FC5), clean install of MS (4.56.8) etc.
>
> All seems well, including "spamassassin --lint --debug".
>
> But when it starts to try to process email, MailScanner seems to take a
> very long time. Running it in debug mode shows:
>
> Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
>
> and lots more similar lines (although the " line yy" varies).
>
> Any thoughts on this?
>
> Over the last couple of days I've tried various versions of SA (the above
> details are from 3.1.3) installed in various different ways, but all
> giving this set of errors.
>
>
Did you try Julian's install script for spamassassin and clam? It might
toss in any perl modules that are lacking. And maybe remove the
spamassassin rpm in core before you try.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 2 17:27:21 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 17:30:15 2006
Subject: Overriding SBL+XBL on a DHCP address
In-Reply-To: <1162470757.30908.154.camel@and64.paige>
References: <1162470757.30908.154.camel@and64.paige>
Message-ID:

Andrew spake the following on 11/2/2006 4:32 AM:
> Hi,
> I have a DHCP address at home (with a dns name I update
> if it changes ... using my own script ...)
> My server running MailScanner has a fixed IP so it's no
> problem.
> (I also have an auto update process running at home, on
> the server sendmail access file)
> What happened recently (and I need to get a new lease to fix)
> is that my DHCP IP address showed up in SBL+XBL
> My home server does smart forwarding to my mail server
> Because of this, all my email was being dumped by the spam
> filter.
> I guess there is a simple solution to this problem?
> How can I whitelist my DHCP IP address?
> I did try whitelisting the name, but couldn't seem to get it
> to work without specifying the IP address by number (which is
> of course not much use)
> I tried listing my internal IP subnet first but that didn't
> work coz the spam filter seems to only check the previous
> IP address in the path list?
> Also, I'm using an old version of MailScanner: 4.38.10
>
> Here's the edited whitelist file.
> It didn't work until the last line was added.
>
> spam.whitelist.rules
> --------------------
> # This is where you can build a Spam WhiteList
> # Addresses matching in here, with the value
> # "yes" will never be marked as spam.
> FromOrTo: default no
> From: /^192\.168\.ccc\./ yes
> From: nam1.nam2.nam3.com yes
> From: /^aaa\.bbb\.xxx\.yyy/ yes
>
>
> -Thanks for any help
>
Where are you using the blacklist? In MailScanner, spamassassin or the MTA.
You could also use some magic with sed to change the ip address in the
whitelist.rules and force a reload whenever the ip address changes.
Or have your server come in on a different port that doesn't have MailScanner
running.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
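The rewrite-the-rule idea from the reply above, sketched in Python rather than sed as an added example (not code from the thread): it regenerates one managed rule from the current address and anchors the pattern so that only that address matches. The marker comment, the sample file and the 203.0.113.x / 198.51.100.x addresses are constructed, and it assumes a /.../ rule is applied as an ordinary regular expression to the client's dotted-quad address.

```python
import ipaddress
import re

# Constructed marker comment: the rule on the line after it belongs to this script.
MARKER = "# managed: home DHCP address, rewritten automatically"

# Constructed sample in the layout of the spam.whitelist.rules file quoted above.
SAMPLE = "\n".join([
    "# This is where you can build a Spam WhiteList",
    "FromOrTo: default no",
    r"From: /^192\.168\.1\./ yes",
    MARKER,
    r"From: /^203\.0\.113\.7/ yes",
]) + "\n"


def rule_for(ip):
    """Return a 'From:' rule that matches exactly one IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything but a dotted quad
    # Escape the dots and anchor both ends: an unanchored /^203\.0\.113\.7/
    # would also whitelist 203.0.113.70 through 203.0.113.79.
    return "From: /^%s$/ yes" % re.escape(str(addr))


def rule_pattern(rule_line):
    """Pull the regular expression out of a 'From: /regex/ yes' line."""
    m = re.match(r"From:\s+/(.*)/\s+yes\s*$", rule_line)
    return m.group(1) if m else None


def rule_matches(rule_line, client_ip):
    """Would this regex rule match the connecting client's address?"""
    pattern = rule_pattern(rule_line)
    return pattern is not None and re.search(pattern, client_ip) is not None


def update_rules(text, ip):
    """Return (new_text, changed); only the managed rule is rewritten."""
    wanted = rule_for(ip)
    lines = text.splitlines()
    out = []
    changed = False
    seen = False
    i = 0
    while i < len(lines):
        out.append(lines[i])
        if lines[i].strip() == MARKER:
            seen = True
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt.startswith("From:"):
                i += 1                      # drop the old managed rule
            changed = changed or nxt != wanted
            out.append(wanted)
        i += 1
    if not seen:                            # first run: append marker and rule
        out += [MARKER, wanted]
        changed = True
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = update_rules(SAMPLE, "203.0.113.7")
    print(new_text, end="")
    # Only when `changed` is true: write the file back and reload MailScanner.
    print("reload needed:", changed)
```

A caller would feed it the address its dynamic-DNS name currently resolves to and skip the reload when `changed` is false.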
From ssilva at sgvwater.com Thu Nov 2 17:31:30 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 2 17:35:28 2006 Subject: out of curiosity: reload and restart In-Reply-To: References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com> Message-ID: Sven De Troch spake the following on 11/1/2006 5:23 PM: > On Wed, 01 Nov 2006 16:54:42 -0800, Scott Silva > wrote: > > >>> With only reloading MS, my MTA is accepting the new acces config (To: >>> domain RELAY) are am I dreaming ;-) >>> >>> >> If you are rebuilding the access file (makemap) sendmail will read it. It only >> seems to need a restart if you rebuild the cf file. > > So if I understand you well, if I modify the access file (something I > need to do very often) and I do a 'make -C /etc/mail' afterwards, I > wouldn't have to restart sendmail (and thus not MailScanner neither)? > > The access file is a db lookup, and not cached. So if the makemap is done, sendmail will see it on the next fork. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From brian.duncan at kattenlaw.com Thu Nov 2 17:39:19 2006 From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Thu Nov 2 17:39:38 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. Message-ID: <65234743FE1555428435CE39E6AC4078B38B32@CHI-US-EXCH-01.us.kmz.com> > > I can't tell you why your version is different, maybe a > custom compiled version to get around the Flock exploit that > was posted about the time 8.12.11 came out. The consensus so > far has been ; Linux and sendmail 8.12 = flock Linux and > sendmail 8.13 = posix Also note that there have been some > problems with dovecot if it is set to a different locking. > > I am still curious as to how you have been so lucky with no problems! > Are you running on a filesystem other than ext2/ext3? 
> Maybe Core 4 has a kernel that doesn't have the locking > problem that the enterprise distros lack because of the > conservative patching that is done. > > I use Ext3 on all of my mail boxes. Maybe it is due to the kernel somehow, or the sendmail RPM's that I used. I am using the Fedora compiled kernels. I switched over to posix earlier on my servers and have not noticed any differences Yet. I have been keeping a close eye on the /var/spool/mqueue folders. I was more worried about having trouble switching to posix, since this one box has passed probably close to 200 million messages without issues with flock on. I was feeling like if it's not broke don't fix it type situation. Yet I see allot of people running into this problem. I have been trying to find a way to 100% determine what lock method sendmail uses. From scanning the mailing lists and searching allot of people tell others to check with sendmail -d0.1 -d0.4 -bt References: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com> Message-ID: <454A2C63.4000102@nkpanama.com> Scott Silva wrote: > Duncan, Brian M. spake the following on 11/2/2006 6:05 AM: >>> Earlier this year, there was an internal inconsistency within >>> MS which I spotted at 4.54.6 . >>> >>> In "MailScanner.conf" the comments describing the default "Lock Type" >>> (i.e. left blank) behaviour said 'it defaults to "posix"', >>> but the actual behaviour (when left blank) was to set it to "flock". >>> >>> That is, the comments said MS would behave one way but its >>> actual behaviour was the opposite. >>> >>> See threads starting at: >>> >>> http://lists.mailscanner.info/pipermail/mailscanner/2006-June/ >>> 061887.html >>> and Julian's acknowledgement and fix at: >>> >>> http://lists.mailscanner.info/pipermail/mailscanner/2006-June/ >>> 061974.html >>> >> >>> So either upgrade to a more recent version (than 4.54.6) or >>> if you need to stay back at 4.54.6 then explicitly state >>> which lock type you want. >>> >>> Hope that helps. 
>> Thank you for the information. I found those this morning when doing >> further searches. >> >> I am hesitant to turn posix on, on my main server that has been using >> Sendmail 8.13.x and flock for months now without issue. >> >> I am starting with a lower load box first. I am afraid that it will >> cause a duplication issue. It seems to with some sendmail 8.12.x users, >> and when they show their compiled options I don't see flock listed. >> >> Here is one posting from a recent person with the duplicating message >> issue that was using Sendmail 8.12.11: >> >>> Yes I'm using sendmail. >>> >>> 8.12.11-4.6 >>> >>> # sendmail -d0.1 >>> Version 8.12.11 >>> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX >> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET >>> NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS >> USERDB USE_LDAP_INIT >>> Duncan >> >> Since he does not have FLOCK shown in his compiled options, shouldn't of >> Posix worked for him? (Everything was ok when he switched to flock) - I >> looked at an older box I have here with sendmail 8.12 on it and I don't >> have flock shown as a compiled option. I thought it was supposed to >> show you if flock support is compiled into sendmail. >> >> Can someone please explain to me how it is determined that with Sendmail >> 8.13.x + versions you have to use posix? Is there any way to determine >> 100% that your sendmail compile is already using Posix and NOT flock? >> Looking for flock in the compiled options does not look to be accurate >> based on the above post I included. (He had to switch to flock to make >> his work, yet flock does NOT show up in his compiled options) >> >> Thanks > This note was posted with sendmail 8.12.5 in the announce; > NOTE: Linux appears to have broken flock() again. Unless > the bug is fixed before sendmail 8.13 is shipped, > 8.13 will change the default locking method to > fcntl() for Linux kernel 2.4 and later. 
You may > want to do this in 8.12 by compiling with > -DHASFLOCK=0. Be sure to update other sendmail > related programs to match locking techniques. > ( see http://www.sendmail.org/releases/8.12.5.html) > > I can't tell you why your version is different, maybe a custom compiled > version to get around the Flock exploit that was posted about the time 8.12.11 > came out. The consensus so far has been ; > Linux and sendmail 8.12 = flock > Linux and sendmail 8.13 = posix > Also note that there have been some problems with dovecot if it is set to a > different locking. Can dovecot use posix? > > I am still curious as to how you have been so lucky with no problems! > Are you running on a filesystem other than ext2/ext3? > Maybe Core 4 has a kernel that doesn't have the locking problem that the > enterprise distros lack because of the conservative patching that is done. > > > From hkeasytech at gmail.com Thu Nov 2 17:44:06 2006 From: hkeasytech at gmail.com (Barry Kwok) Date: Thu Nov 2 17:44:17 2006 Subject: defendermx question Message-ID: <9d2057cc0611020944g12631e96sa51a6ae2953421e7@mail.gmail.com> Hi, I am testing the defendermx. Where can I change the "Required SpamAssassin Score" conf. I can't find it in the web interface nor in configuration stored in ldap. Regards, Barry -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061103/c862a2d0/attachment.html From ssilva at sgvwater.com Thu Nov 2 17:33:05 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 2 17:45:39 2006 Subject: out of curiosity: reload and restart In-Reply-To: <454A0B3F.6090803@nkpanama.com> References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com> <454A0B3F.6090803@nkpanama.com> Message-ID: Alex Neuman van der Hans spake the following on 11/2/2006 7:14 AM: > Sven De Troch wrote: >> On Wed, 1 Nov 2006 17:36:01 -0600, "Mike Kercher" >> wrote: >> >>> mailscanner-bounces@lists.mailscanner.info <> scribbled on : >>> >>> You do not have to reload or restart MS (sendmail) after making changes >>> to the access, virtusertable or mailertable. If you change your >>> sendmail.mc/cf, you need to RESTART MS, but only because that will >>> restart the sendmail processes. >> >> Mike, >> >> I thought as well that reloading MS is not sufficient to read new >> sendmail configs (i.e. access file), but this seems to be working for >> me and I don't find it logic neither (and because of this I raised my >> question here). >> >> With only reloading MS, my MTA is accepting the new acces config (To: >> domain RELAY) are am I dreaming ;-) >> >> > Sendmail doesn't need to be restarted for changes to the access file to > "stick". Adding a milter or an rbl (or some other parameter) to > sendmail.mc and recompiling sendmail.cf *does* require a restart (as > opposed to a "reload"), although I don't know if it could be > accomplished with a "killall -HUP sendmail" (haven't tried). To further clarify, it only needs a restart if you want to see the changes immediately. If you don't care, it will be re-read when MailScanner does its restart every xxx code. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From MailScanner at ecs.soton.ac.uk Thu Nov 2 18:36:23 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 2 18:41:15 2006
Subject: out of curiosity: reload and restart
In-Reply-To:
References:
Message-ID: <454A3AA7.3020605@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sven De Troch wrote:
> Hello,
>
> no problem, but something I'd like to know ;)
>
> Are there any reasons to restart MS with /etc/init.d/MailScanner
> restart (and not reload to read the configfiles again)?
>
> i.e. if I change my sendmail access file, recompile it for sendmail
> and 'reload' MS, everything is working fine, ..., so I wonder in which
> case a reload is not sufficient for MailScanner and a restart is
> needed (I'm not talking about Linux in general, but for MS specific)?
>
One situation where you definitely need to restart is when you change
the spam.assassin.prefs.conf or change the rules/settings you have in
any other SpamAssassin *.cf or init.pre files (and its brethren of
course). This is because it needs to recompile all the SpamAssassin
rules, which can't be done without a MailScanner restart.

There was also a bug in versions of MailScanner prior to 4.55.9 in which
a reload would not have all the intended effects, so I would use restart
if your MailScanner is older than 4.55.9 1st August 2006.

Also, on a connected subject, I am going to speed up the re-spawning of
the child processes as 11 seconds per child appears to be too long on
systems with large numbers of child processes. 5 seconds should work
okay, you won't get any overlap of timings until you have launched 12
children, so in reality this should not cause any harm.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFSju/EfZZRxQVtlQRAtISAKCxgIXkwXGQ+QSG8C1jaYa5jUeISwCeJPL5 mgWEr/5Jrv3Uo6KOXna6BEc= =ax3W -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From steve.swaney at fsl.com Thu Nov 2 18:54:18 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Nov 2 18:54:25 2006 Subject: defendermx question In-Reply-To: <9d2057cc0611020944g12631e96sa51a6ae2953421e7@mail.gmail.com> Message-ID: <001201c6feb0$4ce12300$287ba8c0@office.fsl> Barry, Please send support requests for DefenderMX to support@fsl.com. Thanks, Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com ________________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Barry Kwok Sent: Thursday, November 02, 2006 12:44 PM To: mailscanner@lists.mailscanner.info Subject: defendermx question Hi, I am testing the defendermx. Where can I change the "Required SpamAssassin Score" ?conf. I can't find it in the web interface nor in configuration stored in ldap. 
Regards, Barry From MailScanner at ecs.soton.ac.uk Thu Nov 2 18:57:05 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Nov 2 19:01:15 2006 Subject: Spam Detection Around 55% In-Reply-To: <45492A8A.3080901@evi-inc.com> References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> <4548F7E8.7090107@evi-inc.com> <45491F5E.2030200@ecs.soton.ac.uk> <45492A8A.3080901@evi-inc.com> Message-ID: <454A3F81.5070909@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matt Kettler wrote: > Julian Field wrote: > >>>> Any chance you might consider adding an ifplugin statement to frame the dcc_path >>>> command? >>>> >>>> ifplugin Mail::SpamAssassin::Plugin::DCC >>>> dcc_path >>>> endif >>>> >>>> >> As above, they won't have DCC installed yet. That's what reading the >> instructions tells them to do: go and install it. >> > > Yes, which is *EXACTLY* why you want the ifplugin. > Ah, I thought the "ifplugin" was some pseudo-code you were using to try to explain the problem. I didn't realise that "ifplugin" was a real piece of allowable syntax. I have added it to the DCC and Pyzor config lines. > > >>>> That might cause DCC to break for someone making a new setup using SA 3.0.x and >>>> the latest MailScanner, but who's going to get the latest MailScanner while >>>> using an old version of SA? >>>> >>>> >> But it's an installer for the latest version of SA. If they are running >> it at all, they won't have SA 3.0.x. So I don't need to handle SA 3.0.x. >> If they managed to run the whole installer and end up with 3.0.x >> installed, I would dearly like to know how, seeing as it installs 3.1.x !! >> > > What??? > > Look. Julian. We're clearly on a different page here. > > I'm talking about MailScanner here. So I'm talking about the MailScanner install > process. I am not talking about your optional clamav/sa bundle pack. 
> > ie: http://www.mailscanner.info/files/4/rpm/MailScanner-4.56.8-1.rpm.tar.gz > > That does NOT install spamassassin as far as I know. > > So does the MailScanner install process even tell users to modify their v310.pre? > No, it doesn't. The MailScanner process doesn't mention SpamAssassin in any of its output. Given that I think we both agree (for once! :-) what was it that you wanted me to do? Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFSkBvEfZZRxQVtlQRArnfAJ9IpRQdp8j5T/PTGALUKqUhg6MLtQCdH99a zSBMCNm6jZdyBSznC8PztMs= =FoxS -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From rpoe at plattesheriff.org Thu Nov 2 19:20:51 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Thu Nov 2 19:21:43 2006 Subject: OT : need to find some rack space In-Reply-To: <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com> References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com> Message-ID: <4549F0B6.65ED.00A2.0@plattesheriff.org> I use NetStandard for my co-location needs. They have Data Centers in Kansas City and Chicago. http://netstandard.net/collocation.htm Super guys to work with, I'm not affiliated with them - just a happy customer. >>> "Colocation Colocation" 10/24/2006 6:55 AM >>> Rackspace are super-awesome, however they do not provide colocation, just managed dedicated servers. 
I have a couple of servers with them and i have not had a problem in two years, not one! On 24/10/06, Dave Strydom wrote: > > You serious? > > I've always found them to have the most awesome support levels i've > ever seen, and not many providers can brag about a 100% uptime. > > Dave > > On 10/23/06, Res wrote: > > On Mon, 23 Oct 2006, Dave Strydom wrote: > > > > > www.rackspace.com > > so long as u dont want urgent rectification of faults > > > > > the best there is in the world. > > lol countless would disagree > > > > -- > > Cheers > > Res > > > > "Just a world that we all must share, it's not enough just to stand and > > stare, is it only a dream that there'll be no more turning away" - Floyd > > > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> From mkettler at evi-inc.com Thu Nov 2 19:38:18 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Nov 2 19:38:35 2006 Subject: Spam Detection Around 55% In-Reply-To: <454A3F81.5070909@ecs.soton.ac.uk> References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> <4548F7E8.7090107@evi-inc.com> <45491F5E.2030200@ecs.soton.ac.uk> <45492A8A.3080901@evi-inc.com> <454A3F81.5070909@ecs.soton.ac.uk> Message-ID: <454A492A.9050008@evi-inc.com> Julian Field wrote: > > > Matt Kettler wrote: >>> Julian Field wrote: >>> >>>>>> Any chance you might consider adding an ifplugin statement to frame the dcc_path >>>>>> command? >>>>>> >>>>>> ifplugin Mail::SpamAssassin::Plugin::DCC >>>>>> dcc_path >>>>>> endif >>>>>> >>>>>> >>>> As above, they won't have DCC installed yet. That's what reading the >>>> instructions tells them to do: go and install it. >>>> >>> Yes, which is *EXACTLY* why you want the ifplugin. >>> > Ah, I thought the "ifplugin" was some pseudo-code you were using to try > to explain the problem. I didn't realise that "ifplugin" was a real > piece of allowable syntax. I have added it to the DCC and Pyzor config > lines. > Given that I think we both agree (for once! :-) what was it that you > wanted me to do? Yes! Thanks J. 
From MailScanner at ecs.soton.ac.uk Thu Nov 2 19:42:15 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 2 19:46:13 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297DB@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297DB@winchester.andrewscompanies.com>
Message-ID: <454A4A17.3080109@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sign Clean Messages = %rules-dir%/sign.clean.rules

In /etc/MailScanner/rules/sign.clean.rules, put something like this:

From: hisdomain.com yes
FromOrTo: default no

And then if you want to vary the signature per-domain for example, use this

Inline HTML Signature = %rules-dir%/html.sig.rules
Inline Text Signature = %rules-dir%/text.sig.rules

and then in ..../rules/html.sig.rules

From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.html
FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html

and in ..../rules/text.sig.rules

From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.txt
FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt

That should be enough to get you started.

sandrews@andrewscompanies.com wrote:
> Why? Because the customer asked that a default disclaimer/signature
> block be added to all his outbound emails. I figured using my
> mailscanner box as a smarthost and then using the rules to sign outbound
> messages would be easiest.
>
> All I was missing was the architecture of the rules to "sign" just the
> outbound messages from his domain.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Evan
> Platt
> Sent: Wednesday, November 01, 2006 3:40 PM
> To: MailScanner discussion
> Subject: Re: MS Config Question - outbound
>
> At 11:56 AM 11/1/2006, you wrote:
>
>> I'm currently using mailscanner to scan all inbound mail and that works
>>
>
>
>> great.
>> >> Is there a way to use mailscanner to also be the outbound mail server >> and add a disclaimer/signature block to all outbound messages like it >> does for inbound scanned messages? >> > > > I've gotta ask.. > > Why? > > I know of no anti-virus program that looks for "This message was scanned > and found to be clean" and then ignores scanning the message. > > What's the point? > > I've seen spam with a EXE virus attached ("Microsoft Security Patch! > INSTALL NOW!") with a "This message was found to be virus clean." > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFSkr7EfZZRxQVtlQRAsjNAKD8N7APMfj/CBEpZvSu49ln77z9ygCg1bGq nj1kQu0GMaN0XeYBlsr63IA= =YKJP -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Nov 2 19:46:45 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 2 19:51:14 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <454A4B25.5030009@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Kercher wrote:
> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>
>
>> Hi
>>
>> I have a customer who can't receive an email from a certain
>> domain, the message is quarantined with a quarantine report
>> showing "Could not analyze message".
>>
>> The email is very basic, plain text with no attachments.
>>
>> I tried to get around this by using the Scan Messages ruleset
>>
>> Scan Messages = %rule-dir%/scan.messages.rules
>>
>> and set the following in scan.messages.rules
>>
>> FromOrTo: default no
>> From: domaina.com no
>> FromTo: mycustomer.com yes
>>
>> where domaina.com is the domain sending the email being
>> blocked and mycustomer.com is the domain receiving. However
>> the message is still being quarantined.
>>
>> Can anyone advise what can cause the "Could not analyze
>> message"? or why my ruleset setup is not working?
>>
>> Kind Regards
>>
>> Paul
>>
>
> Your ruleset should look like this:
>
> From: domaina.com no
> FromTo: mycustomer.com no
> FromOrTo: default yes
>
> The way your ruleset is currently, it is matching on the default entry
> FIRST
>
That won't help, it doesn't matter where the "default" rule is.

I would suspect that the envelope sender address is
something.domaina.com and not just domaina.com. Use the "Add Envelope
From Header" and "Add Envelope To Header" to check the real sender and
recipient addresses. You can't just use the From: and To: headers, as
they often aren't the same as the real envelope details at all.
> Mike > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFSkwnEfZZRxQVtlQRAnFoAJwJbGsliEOvSB6L4IZuV8ippJeqRwCfecoB r1SE+3sBCnd+JKONa1yrSjA= =1kMM -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Thu Nov 2 19:49:29 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Nov 2 19:51:25 2006 Subject: # of messages per batch In-Reply-To: <454A0A2E.50006@nkpanama.com> References: <454A0A2E.50006@nkpanama.com> Message-ID: <454A4BC9.3080106@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Neuman van der Hans wrote: > You can also increase the "queue scan interval", specially on > lower-spec machines, to something higher. In that case your queues > might actually fill up enough so that the 30-msg-per-batch default > makes MailScanner pick up 30 messages out of, say, 100. > > On very low volume mail servers, you can even decrease that (I've set > it to "1" on mine) so that processing is virtually instantaneous. Don't forget that this is a per-child scan interval. If you set it to 1 and have 5 children, then the queue will get checked, when the machine is quiet, every 0.2 seconds. Which is pretty frequent! > > Sven De Troch spake the following on 11/1/2006 2:24 PM: > There is a setting in the conf file for max messages per batch, but > MailScanner will not sit and wait for messages to pile up. 
If you are > running > 10 children, and mailscanner is set to check the queue every 30 > seconds, then > you would have to get something like 600 messages per minute to fill the > default batch size of 30. If you are getting 10 to 20 messages a > minute, you > will never even break a sweat with 10 children. That would be around 1-4 > messages per batch. You could lower your max children and see if the > system > keeps up. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFSkwoEfZZRxQVtlQRAq+LAKCHgFqWFGizrb7maCMKd5yHLgqoTQCfceYj q4Yk7IhTMoX6Ym587jiKykQ= =JTjH -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ssilva at sgvwater.com Thu Nov 2 20:23:21 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 2 20:24:05 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. In-Reply-To: <454A2C63.4000102@nkpanama.com> References: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com> <454A2C63.4000102@nkpanama.com> Message-ID: >> 8.12.11 >> came out. The consensus so far has been ; >> Linux and sendmail 8.12 = flock >> Linux and sendmail 8.13 = posix >> Also note that there have been some problems with dovecot if it is set >> to a >> different locking. > Can dovecot use posix? Yes. It is called by fcntl in dovecot. > >> >> I am still curious as to how you have been so lucky with no problems! 
>> Are you running on a filesystem other than ext2/ext3? >> Maybe Core 4 has a kernel that doesn't have the locking problem that the >> enterprise distros lack because of the conservative patching that is >> done. >> >> >> > -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Nov 2 20:29:11 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 2 20:30:42 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B32@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38B32@CHI-US-EXCH-01.us.kmz.com> Message-ID: Duncan, Brian M. spake the following on 11/2/2006 9:39 AM: > > > >> I can't tell you why your version is different, maybe a > >> custom compiled version to get around the Flock exploit that > >> was posted about the time 8.12.11 came out. The consensus so > >> far has been ; Linux and sendmail 8.12 = flock Linux and > >> sendmail 8.13 = posix Also note that there have been some > >> problems with dovecot if it is set to a different locking. >> > >> I am still curious as to how you have been so lucky with no problems! >> Are you running on a filesystem other than ext2/ext3? >> Maybe Core 4 has a kernel that doesn't have the locking > >> problem that the enterprise distros lack because of the > >> conservative patching that is done. >> > > > > I use Ext3 on all of my mail boxes. Maybe it is due to the kernel > somehow, or the sendmail RPM's that I used. I am using the Fedora > compiled kernels. I switched over to posix earlier on my servers and > have not noticed any differences Yet. I have been keeping a close eye > on the /var/spool/mqueue folders. > > I was more worried about having trouble switching to posix, since this > one box has passed probably close to 200 million messages without issues > with flock on. 
I was feeling like if it's not broke don't fix it type
> situation. Yet I see a lot of people running into this problem.
>
>
> I have been trying to find a way to 100% determine what lock method
> sendmail uses. From scanning the mailing lists and searching a lot of
> people tell others to check with sendmail -d0.1 -d0.4 -bt
> If it lists flock in the compiled options then it's using flock. I have
> NOT been able to confirm this.
>
> Here is one host of ours that just rejects messages. (It is a Sendmail
> 8.12.x box, so it SHOULD be using flock from what I understand)
>
> It was compiled from RPM on 03/08/06, I checked the SPEC file and see
> nothing specifying lock type. The only reason I updated this one was
> due to an exploit at the time if I recall correctly.
>
> Version 8.12.11.20060308
> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
> NETINET6
> NETUNIX NEWDB NIS PIPELINING SASL SCANF TCPWRAPPERS
> USERDB
> USE_LDAP_INIT
>
>
> This is my 8.13 boxes: (same on all of them)
>
> Version 8.13.8
> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
> NETINET6
> NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP
> STARTTLS
> TCPWRAPPERS USERDB USE_LDAP_INIT

Definitely not there or you would see HASFLOCK. Flock in sendmail is a compile-time option, and RedHat always seemed to turn it on in 8.12. It is a faster lock, but not safer. Your rpm must have been compiled without it, or compiled with "-DHASFLOCK=0"

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
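Why this thread keeps asking that sendmail and MailScanner use the same lock type, shown as an added example (not code from any poster, sendmail or MailScanner): on Linux local filesystems, flock() locks and fcntl() (POSIX) locks are tracked separately, so a program probing with one type is not stopped by a lock held with the other. The temporary file stands in for a queue file, and all function names are hypothetical.

```python
"""flock() versus fcntl() (POSIX) locks on one file, holder and prober as two processes.

Added illustration: the temporary file stands in for a mail queue file and
every function name here is hypothetical.
"""
import fcntl
import os
import tempfile


def _take(fd, kind, nonblocking=False):
    """Take an exclusive lock of the given kind ("flock" or "posix") on fd."""
    flags = fcntl.LOCK_EX | (fcntl.LOCK_NB if nonblocking else 0)
    if kind == "flock":
        fcntl.flock(fd, flags)   # BSD-style lock, tied to the open file
    elif kind == "posix":
        fcntl.lockf(fd, flags)   # fcntl() record lock, tied to the process
    else:
        raise ValueError("kind must be 'flock' or 'posix'")


def _probe(path, kind):
    """Return True if a fresh open of path is granted a lock of this kind."""
    fd = os.open(path, os.O_RDWR)
    try:
        _take(fd, kind, nonblocking=True)
        return True
    except OSError:              # EAGAIN or EACCES: the lock is already held
        return False
    finally:
        os.close(fd)


def second_locker_gets_in(holder, prober):
    """Parent holds a `holder` lock; a child process then asks for a `prober` lock.

    Returns True when the child is granted its lock although the parent still
    holds one, i.e. both programs believe the file is theirs alone.
    """
    with tempfile.NamedTemporaryFile() as queue_file:
        _take(queue_file.fileno(), holder)
        pid = os.fork()
        if pid == 0:             # child: the second program
            code = 2             # 2 = unexpected failure inside the child
            try:
                code = 0 if _probe(queue_file.name, prober) else 1
            finally:
                os._exit(code)   # skip the parent's cleanup handlers
        _, status = os.waitpid(pid, 0)
        code = os.WEXITSTATUS(status)
        if code == 2:
            raise RuntimeError("probe process failed")
        return code == 0


def lock_matrix():
    """Result for every holder/prober combination of the two lock kinds."""
    kinds = ("flock", "posix")
    return {(h, p): second_locker_gets_in(h, p) for h in kinds for p in kinds}


if __name__ == "__main__":
    for (holder, prober), got_in in lock_matrix().items():
        verdict = "NOT excluded" if got_in else "excluded"
        print("holder=%-5s prober=%-5s -> second locker %s" % (holder, prober, verdict))
```

On NFS, Linux implements flock() on top of fcntl() byte-range locks, so the mixed rows can come out differently there.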
From ssilva at sgvwater.com Thu Nov 2 20:38:09 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 2 20:39:19 2006 Subject: OT: RE: MS Config Question - outbound In-Reply-To: <454A199F.7506.506FEC9@cobalt-users1.fishnet.co.uk> References: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com> <454A199F.7506.506FEC9@cobalt-users1.fishnet.co.uk> Message-ID: Ian spake the following on 11/2/2006 8:15 AM: > On 2 Nov 2006 at 10:50, sandrews@andrewscompanies.com wrote: > >> I did educate them; but the boss' daughter is into "marketing" and she >> assured everyone that this was necessary. I know what fights to pick. > > See if you can sneak this one in... it appeared in another mailling list and I use it in reply to > anyone who sends me one. > > IMPORTANT: > This email is intended for the use of the individual addressee (s) > named above and may contain information that is confidential, > privileged or unsuitable for overly sensitive persons with low self- > esteem, no sense of humour or irrational religious beliefs. If you > are not the intended recipient, any dissemination, distribution or > copying of this email is not authorised (either explicitly or > implicitly) and constitutes an Irritating social faux pas. Unless the > word absquatulation has been used in its correct context somewhere > other than in this warning, it does not have any legal or grammatical > use and may be ignored. No animals were harmed in the transmission of > this email, although the cat next door is living on borrowed time, > let me tell you. Those of you with an overwhelming fear of the > unknown will be gratified to learn that there is no hidden message > revealed by reading this warning backwards, so just ignore that Alert > Notice from Microsoft. However, by pouring a complete circle of salt > around yourself and your computer you can ensure that no harm befalls > you and your pets. 
If you have received this email in error, please
> place it in a warm oven for 40 minutes and add some nutmeg and egg
> whites. Whisk briefly and let it stand for 2 hours before icing.
>
> Ian

Finally! A useful disclaimer!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From daniel.maher at ubisoft.com Thu Nov 2 20:54:52 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Thu Nov 2 20:54:57 2006
Subject: ImageInfo config
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20396BD53@UBIMAIL1.ubisoft.org>

Hello all,

For those of you that are using ImageInfo, I thought that it might be interesting to share configs - what sorts of modifications have you made to the default config that have helped in your organisation?

--
 _
°v°    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From alex at nkpanama.com Thu Nov 2 20:56:40 2006
From: alex at nkpanama.com (Alex Neuman)
Date: Thu Nov 2 21:11:25 2006
Subject: # of messages per batch
In-Reply-To: <454A4BC9.3080106@ecs.soton.ac.uk>
References: <454A0A2E.50006@nkpanama.com> <454A4BC9.3080106@ecs.soton.ac.uk>
Message-ID: <454A5B88.4050908@nkpanama.com>

Julian Field escribió:
>
> Don't forget that this is a per-child scan interval. If you set it to 1
> and have 5 children, then the queue will get checked, when the machine
> is quiet, every 0.2 seconds. Which is pretty frequent!
>

I have only one child running, which is perfect for me (low volume).

From ralloway at winbeam.com Thu Nov 2 21:08:49 2006
From: ralloway at winbeam.com (Richard D Alloway)
Date: Thu Nov 2 21:24:50 2006
Subject: Non-spam MailScanner score logging?
Message-ID:

Hi!
I'd like MailScanner to log the SpamAssassin scores for messages that don't score above the "Required SpamAssassin Score" or "High SpamAssassin Score". An example: Nov 2 04:20:19 192.168.1.4 MailScanner[27161]: Message kA29K2Wt004173 from xx.xx.xx.xx (xxxxxx@xxxxxxx) to xxxxx.net is spam, SpamAssassin (not cached, score=4.531, required 4, BAYES_50 2.00, HTML_MESSAGE 0.00, MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00, MSGID_FROM_MTA_HEADER 0.00, MSGID_FROM_MTA_ID 1.39, NORMAL_HTTP_TO_IP 0.17, NO_REAL_NAME 0.96) I'd like to see the same report for non-spam emails. Since only about 10% of our incoming email is legit, this should only incur a very slight increase in total system load. I've looked through the MailScanner.conf file and can't find a way to turn it on... am I missing something or is this a feature than can be added on a future release? Thanks! -Richard D Alloway Chief Technical Officer Winbeam Inc, A ClearWire Company From res at ausics.net Thu Nov 2 21:26:49 2006 From: res at ausics.net (Res) Date: Thu Nov 2 21:26:56 2006 Subject: rejecting botnets with sendmail In-Reply-To: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> References: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> Message-ID: On Thu, 2 Nov 2006, Rick Cooper wrote: >>> >>> deny message = rejected because $sender_host_address is >> in a black list \ >>> at $dnslist_domain $dnslist_text >>> hosts = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts >>> senders = !/somedir/Mail_sender_white_list.conf >>> dnslists = ${readfile{/somedir/mail_rbl_lists}{:}} >>> >>> Which says, basically, if the host is *not* in my local >> network list, and >>> it's not a host I relay for and the sender is not in a >> special whitelist, >>> then submit to the rbls listed in /somedir/mail_rbl_lists. >> If the host is >>> already excluded the call is never made (wasted). The lists >> can be changed >>> without having to do anything with exim, if the file >> changes exim reads it >>> again, otherwise it's cached. 
>>> >> >> 4 lines for what sendmail does by default compilation, whoa >> > > That is inaccurate, I believe. If I just wanted to run the rbl it would be > dnslists = ${readfile{/somedir/mail_rbl_lists}{:}}. And the rbl processing we wernt talking about just RBL, we wer talkng filenames of exclusions as well, each to their own i guess -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Thu Nov 2 21:34:18 2006 From: res at ausics.net (Res) Date: Thu Nov 2 21:34:36 2006 Subject: out of curiosity: reload and restart In-Reply-To: <454A3AA7.3020605@ecs.soton.ac.uk> References: <454A3AA7.3020605@ecs.soton.ac.uk> Message-ID: On Thu, 2 Nov 2006, Julian Field wrote: > the child processes as 11 seconds per child appears to be too long on > systems with large numbers of child processes. 5 seconds should work > okay, you won't get any overlap of timings until you have launched 12 > children, so in reality this should not cause any harm. Jules, been running 5 seconds on ours for a long time, both sendmail and qmail servers with no problems, 10 processes and even 20 processes we saw no problems > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Comment: Fetch my public key foot-print from www.mailscanner.info > Charset: ISO-8859-1 > > wj8DBQFFSju/EfZZRxQVtlQRAtISAKCxgIXkwXGQ+QSG8C1jaYa5jUeISwCeJPL5 > mgWEr/5Jrv3Uo6KOXna6BEc= > =ax3W > -----END PGP SIGNATURE----- > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From mkettler at evi-inc.com Thu Nov 2 21:35:44 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Nov 2 21:35:54 2006 Subject: Non-spam MailScanner score logging? In-Reply-To: References: Message-ID: <454A64B0.2090908@evi-inc.com> Richard D Alloway wrote: > > Hi! > > I'd like MailScanner to log the SpamAssassin scores for messages that > don't score above the "Required SpamAssassin Score" or "High > SpamAssassin Score". > > An example: > > Nov 2 04:20:19 192.168.1.4 MailScanner[27161]: Message kA29K2Wt004173 > from xx.xx.xx.xx (xxxxxx@xxxxxxx) to xxxxx.net is spam, SpamAssassin > (not cached, score=4.531, required 4, BAYES_50 2.00, HTML_MESSAGE 0.00, > MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00, MSGID_FROM_MTA_HEADER > 0.00, MSGID_FROM_MTA_ID 1.39, NORMAL_HTTP_TO_IP 0.17, NO_REAL_NAME 0.96) > > I'd like to see the same report for non-spam emails. In MailScanner.conf find the "Log Non Spam" entry and change it to "yes". > Since only about 10% of our incoming email is legit, this should only > incur a very slight increase in total system load. Agree.. I keep it on myself. > I've looked through the MailScanner.conf file and can't find a way to > turn it on... am I missing something or is this a feature than can be > added on a future release? It's there, you just missed it. 
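What the extra logging makes possible, as an added example (not from the thread or from MailScanner): the code below parses the SpamAssassin report in the log line format Richard quoted and lists non-spam messages that scored just under the required score, with the rules that contributed. It assumes non-spam lines read "is not spam" with the same report layout; only the first sample line comes from the thread, the others are constructed, and all function names are hypothetical.

```python
"""Parse MailScanner's SpamAssassin log reports and find near-miss non-spam."""
import re
from collections import Counter

# Assumed layout, taken from the spam line quoted in the thread; the
# "is not spam" variant is an assumption about what "Log Non Spam" writes.
LINE_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<id>\S+) from (?P<ip>\S+) "
    r"\((?P<sender>[^)]*)\) to (?P<to>\S+) is (?P<verdict>not spam|spam), "
    r"SpamAssassin \((?P<report>.*)\)\s*$"
)
RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def parse_line(line):
    """Return a dict for a SpamAssassin verdict line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {
        "id": m.group("id"), "ip": m.group("ip"), "sender": m.group("sender"),
        "to": m.group("to"), "is_spam": m.group("verdict") == "spam",
        "cached": None, "score": None, "required": None, "rules": {},
    }
    for tok in (t.strip() for t in m.group("report").split(",")):
        if tok in ("cached", "not cached"):
            rec["cached"] = tok == "cached"
        elif tok.startswith("score="):
            rec["score"] = float(tok[len("score="):])
        elif tok.startswith("required "):
            rec["required"] = float(tok[len("required "):])
        else:
            rule = RULE_RE.match(tok)
            if rule:                       # unknown tokens are skipped, not guessed at
                rec["rules"][rule.group(1)] = float(rule.group(2))
    if rec["score"] is None or rec["required"] is None:
        return None
    return rec


def near_misses(lines, margin=1.5):
    """Non-spam messages within `margin` points of the required score.

    Returns (records, Counter of summed rule points over those records).
    """
    hits, rule_points = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["is_spam"]:
            continue
        if 0 <= rec["required"] - rec["score"] <= margin:
            hits.append(rec)
            for name, points in rec["rules"].items():
                rule_points[name] += points
    return hits, rule_points


SAMPLE_LOG = [
    # From the thread (addresses masked by the poster), joined onto one line.
    "Nov 2 04:20:19 192.168.1.4 MailScanner[27161]: Message kA29K2Wt004173 "
    "from xx.xx.xx.xx (xxxxxx@xxxxxxx) to xxxxx.net is spam, SpamAssassin "
    "(not cached, score=4.531, required 4, BAYES_50 2.00, HTML_MESSAGE 0.00, "
    "MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00, MSGID_FROM_MTA_HEADER "
    "0.00, MSGID_FROM_MTA_ID 1.39, NORMAL_HTTP_TO_IP 0.17, NO_REAL_NAME 0.96)",
    # Constructed: non-spam that landed close to the threshold.
    "Nov 2 04:21:02 192.168.1.4 MailScanner[27161]: Message kA29L0aa000001 "
    "from 192.0.2.10 (a@example.com) to example.net is not spam, SpamAssassin "
    "(not cached, score=3.13, required 4, BAYES_50 2.00, "
    "NORMAL_HTTP_TO_IP 0.17, NO_REAL_NAME 0.96)",
    # Constructed: clearly legitimate mail.
    "Nov 2 04:21:02 192.168.1.4 MailScanner[27161]: Message kA29L0aa000002 "
    "from 192.0.2.11 (b@example.org) to example.net is not spam, SpamAssassin "
    "(cached, score=-2.599, required 4, BAYES_00 -2.60)",
    # Constructed: a line that carries no verdict at all.
    "Nov 2 04:21:03 192.168.1.4 MailScanner[27161]: Virus and Content Scanning: Starting",
]

if __name__ == "__main__":
    records, points = near_misses(SAMPLE_LOG)
    for rec in records:
        print("%s score=%.3f required=%g" % (rec["id"], rec["score"], rec["required"]))
    for name, total in points.most_common():
        print("  %-22s %.2f" % (name, total))
```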
From bpumphrey at woodmclaw.com Thu Nov 2 21:45:25 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Thu Nov 2 21:45:39 2006
Subject: ImageInfo config
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20396BD53@UBIMAIL1.ubisoft.org>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C1405C@woodenex.woodmaclaw.local>

I have not changed anything on it.

Billy Pumphrey
IT Manager
Wooden & McLaughlin

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Maher
Sent: Thursday, November 02, 2006 3:55 PM
To: MailScanner discussion
Subject: ImageInfo config

Hello all,

For those of you that are using ImageInfo, I thought that it might be interesting to share configs - what sorts of modifications have you made to the default config that have helped in your organisation?

--
 _
°v°    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From pete at enitech.com.au Fri Nov 3 03:28:14 2006
From: pete at enitech.com.au (Peter Russell)
Date: Fri Nov 3 03:28:24 2006
Subject: Python Script help (Harvesting Spam from Exchange)
Message-ID: <454AB74E.5020003@enitech.com.au>

Someone else on this list (I am sorry I don't recall who) let me use the attached python script to learn from spam (then delete it) from an Exchange public folder.
I was going to add it all to the wiki but after some more thorough testing I notice the script doesn't always learn and delete all of the spam in the public folder on a single run - the script must be re run several times before all of the spam is learned and deleted.

Is anyone here python proficient enough to have a look and see if there is a way of getting it to run a little more reliably?

Once this is worked out I will write wiki doc on setting up exchange and the script.

Many thanks in advance if anyone is able to help
Pete
-------------- next part --------------
#!/usr/bin/env python
import commands, os, time
import imaplib
import sys, re
import string, random
import StringIO, rfc822

# Set required variables
PREFS = "/etc/MailScanner/spam.assassin.prefs.conf"
TMPFILE = "/var/tmp/salearn.tmp"
SALEARN = "/usr/bin/sa-learn"
SERVER = "x.x.x.x"
USER = "someuserwithaccesstopublicfolder"
PASSWORD = "somepassword"
LOGFILE = "/var/log/learn.spam.log"
log = file(LOGFILE, 'a+')
log.write("\n\nTraining SpamAssassin on %s at %s\n" % (time.strftime("%Y-%m-%d"), time.strftime("%H:%M:%S")))

# connect to server
server = imaplib.IMAP4(SERVER)

# login
server.login(USER, PASSWORD)
server.select("Public Folders/Spam")

# Get messages
typ, data = server.search(None, 'ALL')
for num in data[0].split():
    typ, data = server.fetch(num, '(RFC822)')
    tmp = file(TMPFILE, 'w+')
    tmp.write(data[0][1])
    tmp.close()
    log.write(commands.getoutput("%s --prefs-file=%s --spam %s" % \
        (SALEARN, PREFS, TMPFILE)))
    log.write("\n")
    # Mark learned spam as "Deleted"
    server.store(num, '+FLAGS', '\\Deleted')
    # Delete messages marked as "Deleted" from server
    server.expunge()
server.logout()

From jon.bates at summitmotors.com.au Fri Nov 3 05:29:03 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Fri Nov 3 05:29:28 2006
Subject: Not detecting some instances of viruses
Message-ID: <200611030529.kA35TDic014240@summitmotors.com.au>

I'm having trouble whereby only SOME instances of the same virus are being
identified by ClamAV. The virus is exactly the same type every time, but only some get detected - the rest are sent on to the user! There is no pattern that I can see - Zip files (containing infected exe), and plain exe files have been allowed through. I've subsequently scanned the users mailbox on the server using clamscan, and it DOES detect the email! For some reason, when it is scanned when the message is received, it's not detected. Any help would be appreciated! - Jon Bates From glenn.steen at gmail.com Fri Nov 3 07:57:05 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 3 07:57:09 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> Message-ID: <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> On 02/11/06, Cheng Bruce wrote: > Hi, > Thank you for your always kind help. > > By the way, would you please advise me how to cache the non-SPAM > messages in mailwatch ( Quarantine ) like SPAM messages ? due to a lot > of SPAMs treat as no-SPAM, I need more messages to block. > > Thank you again. If I read you right, you just need to add "store" to your "Non Spam Actions" (http://www.mailscanner.info/MailScanner.conf.index.html#Non%20Spam%20Actions). So if you have Non Spam Actions = deliver header "X-Spam-Status: No" in /etc/MailScanner/MailScanner.conf, you'd just change it to Non Spam Actions = store deliver header "X-Spam-Status: No" ... That way all messages will end up in the quarantine (in a "non-spam" subdirectory). You'll need make a script or somesuch that clears out this, after a few days, so that you don't fill your disks too fast:-), at least if you want this to be a permanent solution. If it is just a few hours (to actually get to look at the false negatives, and decide what to do about them....), you could just do that manually;-). 
If these are mostly image spam, look for the ImageInfo spamassassin plugin from www.rulesemporium.com ... It made a world of difference for me! (hope you don't mind me redirecting this back to the list, since this is actually "on-topic";-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From tgc at statsbiblioteket.dk Fri Nov 3 08:34:30 2006 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Fri Nov 3 08:34:35 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. In-Reply-To: References: <65234743FE1555428435CE39E6AC4078B38B32@CHI-US-EXCH-01.us.kmz.com> Message-ID: <454AFF16.8060009@statsbiblioteket.dk> Scott Silva wrote: > Duncan, Brian M. spake the following on 11/2/2006 9:39 AM: >> >> >>> I can't tell you why your version is different, maybe a >>> custom compiled version to get around the Flock exploit that >>> was posted about the time 8.12.11 came out. The consensus so >>> far has been ; Linux and sendmail 8.12 = flock Linux and >>> sendmail 8.13 = posix Also note that there have been some >>> problems with dovecot if it is set to a different locking. >>> >>> I am still curious as to how you have been so lucky with no problems! >>> Are you running on a filesystem other than ext2/ext3? >>> Maybe Core 4 has a kernel that doesn't have the locking >>> problem that the enterprise distros lack because of the >>> conservative patching that is done. >>> >> >> >> I use Ext3 on all of my mail boxes. Maybe it is due to the kernel >> somehow, or the sendmail RPM's that I used. I am using the Fedora >> compiled kernels. I switched over to posix earlier on my servers and >> have not noticed any differences Yet. I have been keeping a close eye >> on the /var/spool/mqueue folders. >> >> I was more worried about having trouble switching to posix, since this >> one box has passed probably close to 200 million messages without issues >> with flock on. 
I was feeling like if it's not broke don't fix it type >> situation. Yet I see allot of people running into this problem. >> >> >> I have been trying to find a way to 100% determine what lock method >> sendmail uses. From scanning the mailing lists and searching allot of >> people tell others to check with sendmail -d0.1 -d0.4 -bt > >> If it lists flock in the compiled options then it's using flock. I have >> NOT been able to confirm this. >> >> Here is one host of ours that just rejects messages. (It is a Sendmail >> 8.12.x box, so it SHOULD be using flock from what I understand) >> >> It was compiled from RPM on 03/08/06, I checked the SPEC file and see >> nothing specifying lock type. The only reason I updated this one was >> due to an exploit at the time if I recall correctly. >> >> Version 8.12.11.20060308 >> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX >> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET >> NETINET6 >> NETUNIX NEWDB NIS PIPELINING SASL SCANF TCPWRAPPERS >> USERDB >> USE_LDAP_INIT >> >> >> This is my 8.13 boxes: (same on all of them) >> >> Version 8.13.8 >> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX >> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET >> NETINET6 >> NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP >> STARTTLS >> TCPWRAPPERS USERDB USE_LDAP_INIT > Definately not there or you would see HASFLOCK. Flock in sendmail is a > compile-time option, and RedHat always seemed to turn it on in 8.12. It is a > faster lock, but not safer. Your rpm must have been compiled without it, or > compiled with "-DHASFLOCK=0" > I looked into the sendmail 8.12.11 source as delivered in the RHEL 3 src.rpm. 
It has this snippet in the Linux section of include/sm/conf.h:

# ifndef HASFLOCK
# if LINUX_VERSION_CODE < 66399
# define HASFLOCK 0 /* flock(2) is broken after 0.99.13 */
# else /* LINUX_VERSION_CODE < 66399 */
# define HASFLOCK 1 /* flock(2) fixed after 1.3.95 */
# endif /* LINUX_VERSION_CODE < 66399 */
# endif /* ! HASFLOCK */

A quick grep reveals that HASFLOCK is not defined anywhere outside of include/sm/conf.h so I take it this means flock is the default for Linux in sendmail 8.12.11.
Also grep -i flock on /usr/lib/sendmail gives a match.

This type of default define is apparently not added to the Compiled with: output.

I've run MailScanner on RHEL 2.1 for a long time, first with sendmail 8.11 and now with 8.12 (from RH errata). I've always used flock and I haven't seen any issues with it.
It's not that I get all that much mail but my primary mx do process about 10-14K mails a day.

-tgc

From glenn.steen at gmail.com Fri Nov 3 08:34:37 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 3 08:34:42 2006
Subject: OT: RE: MS Config Question - outbound
In-Reply-To:
References: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com> <454A199F.7506.506FEC9@cobalt-users1.fishnet.co.uk>
Message-ID: <223f97700611030034r13db9433n22f49ae09a40f1c8@mail.gmail.com>

On 02/11/06, Scott Silva wrote:
> Ian spake the following on 11/2/2006 8:15 AM:
> > On 2 Nov 2006 at 10:50, sandrews@andrewscompanies.com wrote:
> >
> >> I did educate them; but the boss' daughter is into "marketing" and she
> >> assured everyone that this was necessary. I know what fights to pick.
> >
> > See if you can sneak this one in... it appeared in another mailing list and I use it in reply to
> > anyone who sends me one.
> > > > IMPORTANT: > > This email is intended for the use of the individual addressee (s) > > named above and may contain information that is confidential, > > privileged or unsuitable for overly sensitive persons with low self- > > esteem, no sense of humour or irrational religious beliefs. If you > > are not the intended recipient, any dissemination, distribution or > > copying of this email is not authorised (either explicitly or > > implicitly) and constitutes an Irritating social faux pas. Unless the > > word absquatulation has been used in its correct context somewhere > > other than in this warning, it does not have any legal or grammatical > > use and may be ignored. No animals were harmed in the transmission of > > this email, although the cat next door is living on borrowed time, > > let me tell you. Those of you with an overwhelming fear of the > > unknown will be gratified to learn that there is no hidden message > > revealed by reading this warning backwards, so just ignore that Alert > > Notice from Microsoft. However, by pouring a complete circle of salt > > around yourself and your computer you can ensure that no harm befalls > > you and your pets. If you have received this email in error, please > > place it in a warm oven for 40 minutes and add some nutmeg and egg > > whites. Whisk briefly and let it stand for 2 hours before icing. > > > > Ian > Finally! A useful disclaimer! > I wonder.... That reference to a salt circle.... 
Is that perhaps for the extra SLUG protection one needs so desperately?:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Nov 3 08:50:48 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 3 08:50:51 2006 Subject: Python Script help (Harvesting Spam from Exchange) In-Reply-To: <454AB74E.5020003@enitech.com.au> References: <454AB74E.5020003@enitech.com.au> Message-ID: <223f97700611030050p7ec004d7vccc504fa299c2af9@mail.gmail.com> On 03/11/06, Peter Russell wrote: > Some one else on this list (i am sorry i dont recall who) let me use the > attached python script to learn from spam (then delete it) from an > Exchange public folder. > > I was going to add it all to the wiki but after some more thorough > testing i notice the script doesnt always learn and delete all of the > spam in the public folder on a single run - the script must be re run > several times before all of the spam is learned and deleted. > > Is anyone here python proficient enough to have a look and see if there > is a way of getting it to run a little more reliably? > > Once this is worked out i will write wiki doc on setting up exchange and > the script. 
>
> Many thanks in advance if anyone is able to help
> Pete
>
>
> #!/usr/bin/env python
> import commands, os, time
> import imaplib
> import sys, re
> import string, random
> import StringIO, rfc822
>
> # Set required variables
> PREFS = "/etc/MailScanner/spam.assassin.prefs.conf"
> TMPFILE = "/var/tmp/salearn.tmp"
> SALEARN = "/usr/bin/sa-learn"
> SERVER = "x.x.x.x"
> USER = "someuserwithaccesstopublicfolder"
> PASSWORD = "somepassword"
> LOGFILE = "/var/log/learn.spam.log"
> log = file(LOGFILE, 'a+')
> log.write("\n\nTraining SpamAssassin on %s at %s\n" % (time.strftime("%Y-%m-%d"), time.strftime("%H:%M:%S")))
>
> # connect to server
> server = imaplib.IMAP4(SERVER)
>
> # login
> server.login(USER, PASSWORD)
> server.select("Public Folders/Spam")
>
> # Get messages
> typ, data = server.search(None, 'ALL')
> for num in data[0].split():
>     typ, data = server.fetch(num, '(RFC822)')
>     tmp = file(TMPFILE, 'w+')
>     tmp.write(data[0][1])
>     tmp.close()
>     log.write(commands.getoutput("%s --prefs-file=%s --spam %s" % \
>         (SALEARN, PREFS, TMPFILE)))
>     log.write("\n")
>     # Mark learned spam as "Deleted"
>     server.store(num, '+FLAGS', '\\Deleted')
>     # Delete messages marked as "Deleted" from server
>     server.expunge()
> server.logout()
>

Not sure about anything (not really proficient in python:-), but try moving the expunge out of the for loop, and see if that helps (you'd just do one big expunge after you're done, thus preserving the "order" for the for loop).
Haven't tested anything either:-):-).

Another thought would be if the M-Sexchange IMAP service had some foolery going on, like "pagination".... Not returning more than X heads for you to operate on...
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gordon at itnt.co.za Fri Nov 3 09:12:46 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Fri Nov 3 09:27:22 2006
Subject: Whitelist issue
Message-ID: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon>

ITNT Banner Campaign

This email got through the MailScanner classified as whitelisted. The user has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com.

Return-Path:
Received: from sentinal2.itnt.co.za (sentinal2.itnt.co.za [196.37.112.91]) by angel.itnt.co.za (8.13.1/8.13.1) with ESMTP id kA24PI6D015145 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Thu, 2 Nov 2006 06:25:23 +0200
Received: from 190.40.232.116 ([190.40.232.116]) by sentinal2.itnt.co.za (8.13.4/8.13.4) with ESMTP id kA24O3vr027855 for ; Thu, 2 Nov 2006 06:24:14 +0200
Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik) by 190.40.232.116 with smtp id 3LxQg-rQaO8kf3-p7 for sales@tcmwarehouse.com; Tue, 02 Nov 2004 23:23:53 -0500
Message-ID: <000a01c4c15c$e4c78710$01feaa58@ewregvtneyhik>
From: "Roy Freeman"
To: andreb@tcmwarehouse.com
Subject: break away as a sorrowful hundred reluctantly

How can it be classified as whitelisted if the from address is yqhsj@sugartime.net? It scores 26.

Thanks

Regards
Gordon Colyn
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn
086 123 ITNT (4868)
086 682 5204 (Fax)
+27 (0)83 296 7534

Confidentiality: This e-mail including any attachments is intended for the above named addressee(s) only and contains confidential information. If you have received this email in error you must take no action based on its contents, nor must you reproduce or show the e-mail or any attachments or any part thereof or communicate the contents to anyone; please reply to the sender of this e-mail informing them of the error.
Viruses: We recommend that in keeping with good computing practice the recipient should ensure that e-mails received are virus free before opening. From r.berber at computer.org Fri Nov 3 09:32:35 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Fri Nov 3 09:33:47 2006 Subject: Not detecting some instances of viruses In-Reply-To: <200611030529.kA35TDic014240@summitmotors.com.au> References: <200611030529.kA35TDic014240@summitmotors.com.au> Message-ID: Jon Bates wrote: > I'm having trouble whereby only SOME instances of the same virus are being > identified by ClamAV. > > The virus is exactly the same type every time, but only some get detected - > the rest are sent on to the user! > > There is no pattern that I can see - Zip files (containing infected exe), > and plain exe files have been allowed through. > > I've subsequently scanned the users mailbox on the server using clamscan, > and it DOES detect the email! For some reason, when it is scanned when the > message is received, it's not detected. Could be any of: 1. Timing. A virus signature that was just added to the DB. 2. Rules. If you have rules specifying what is virus scanned. 3. Size. Limits in MS configuration and also in the program/module doing the scanning. 4. Scan Parameters. clamscan has default parameters that are a little different that the perl module, for instance corrupt executable is detected by clamscan but I'm not sure if the module does detect it. 5. Encoding. There is a parameter in MS about scanning uuencoded parts, I'm not sure if this affects virus scanning. What does the log show? (does it say scanning for viruses ... clean ?) -- Ren? 
Berber

From housey at sme-ecom.co.uk Fri Nov 3 09:58:33 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Fri Nov 3 09:58:44 2006
Subject: Could not analyze message
Message-ID:

Hi

I have a customer who can't receive an email from a certain domain, the message is quarantined with a quarantine report showing "Could not analyze message". The email is very basic, plain text with no attachments.

I tried to get around this by using the Scan Messages ruleset

Scan Messages = %rule-dir%/scan.messages.rules

and set the following in scan.messages.rules

FromOrTo: default no
From: domaina.com no
FromTo: mycustomer.com yes

where domaina.com is the domain sending the email being blocked and mycustomer.com is the domain receiving. However the message is still being quarantined.

Can anyone advise what can cause the "Could not analyze message"? or why my ruleset setup is not working?

Kind Regards

Paul

From t.d.lee at durham.ac.uk Fri Nov 3 10:35:35 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Fri Nov 3 10:36:04 2006
Subject: MS/SA: SA problem
In-Reply-To:
References:
Message-ID:

On Thu, 2 Nov 2006, Scott Silva wrote:

> David Lee spake the following on 11/2/2006 4:22 AM:
> > We've been running MS/SA on Fedora machines for a few years. Earlier this
> > week, I set up yet another machine, expecting it to be straightforward.
> > Clean OS install (FC5), clean install of MS (4.56.8) etc.
> >
> > All seems well, including "spamassassin --lint --debug".
> >
> > But when it starts to try to process email, MailScanner seems to take a
> > very long time. Running it in debug mode shows:
> >
> > Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> > Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> > Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> > dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. > > dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. > > dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. > > dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. > > > > and lots more similar lines (although the " line yy" varies). > > > > Any thoughts on this? > > > > Over the last couple of days I've tried various versions of SA (the above > > details are from 3.1.3) installed in various different ways, but all > > giving this set of errors. > > > > > Did you try Julians install script for spamassassin and clam? It might toss in > any perl modules that are lacking. And maybe remove the spamassassin rpm in > core before you try. Yes, that's one of the "installed in various different ways" that I tried. And what was worrying me is that this is the first time I had ever tried Julian's Clam/SA package and is the only time I've had this problem. Coincidence? Well, actually, yes, coincidence. Nothing more. I have just tracked down the problem, and it was a subtle difference of our own making in the OS install, completely outside of MS/SA-type things. (That is, all the email-y-type things are innocent.) For various local reasons our local OS re-install had included 127.0.0.1 as the first line in "/etc/resolv.conf" but didn't set a local DNS server running. (The hint was staring me in the face all along from the reported error messages... sigh!) Anyway, I have resolved this inconsistency between resolv.conf and lack of local DNS server, and all now seems well. Thanks to both Scott and Res for their replies and thoughts. -- : David Lee I.T. 
Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From res at ausics.net Fri Nov 3 11:33:08 2006 From: res at ausics.net (Res) Date: Fri Nov 3 11:33:16 2006 Subject: Whitelist issue In-Reply-To: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> Message-ID: On Fri, 3 Nov 2006, Gordon Colyn wrote: > ITNT Banner Campaign > This email got through the MailScanner classified as whitelisted. The user > has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com. Can you show us how you have written the rules > Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik) I'd suggest you grab the bad_helo HACK and use it as well people with legitimate mail don't throw crap like that in helos > How can it be classified as whitelisted if the from address is > yqhsj@sugartime.net? It score 26. > Start using Envelope from in MailScanner -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From christo at it4africa.co.za Fri Nov 3 12:08:38 2006 From: christo at it4africa.co.za (Christo Bezuidenhout) Date: Fri Nov 3 12:02:11 2006 Subject: Could not analyze message {Virus Scanned} References: Message-ID: Move the Default phrase to the bottom. It reads it from the top. Christo ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Paul Houselander Sent: Fri 11/3/2006 11:58 AM To: MailScanner Mailing List Subject: Could not analyze message {Virus Scanned} Hi I have a customer who can't receive an email from a certain domain, the message is quarantined with a quarantine report showing "Could not analyze message". The email is very basic, plain text with no attachments.
I tried to get around this by using the Scan Messages ruleset Scan Messages = %rule-dir%/scan.messages.rules and set the following in scan.messages.rules FromOrTo: default no From: domaina.com no FromTo: mycustomer.com yes where domaina.com is the domain sending the email being blocked and mycustomer.com is the domain receiving. However the message is still being quarantined. Can anyone advise what can cause the "Could not analyze message"? or why my ruleset setup is not working? Kind Regards Paul From gordon at itnt.co.za Fri Nov 3 12:58:35 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Fri Nov 3 13:04:13 2006 Subject: Whitelist issue References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> Message-ID: <086501c6ff47$ca8d3310$0a02a8c0@Gordon> Thanks, 1) The rule was applied by using the mailwatch interface written to mysql 2) Where can I find the bad_helo HACK? 3) I have implemented the Envelope from in MailScanner. Regards Gordon ----- Original Message ----- From: "Res" To: "MailScanner discussion" Sent: Friday, November 03, 2006 1:33 PM Subject: Re: Whitelist issue On Fri, 3 Nov 2006, Gordon Colyn wrote: > ITNT Banner Campaign > This email got through the MailScanner classified as whitelisted. The > user > has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com. Can you show us how you have written the rules > Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik) I'd suggest you grab the bad_helo HACK and use it as well people with legitimate mail don't throw crap like that in helos > How can it be classified as whitelisted if the from address is > yqhsj@sugartime.net? It score 26.
> Start using Envelope from in MailScanner -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From glenn.steen at gmail.com Fri Nov 3 13:09:17 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 3 13:09:20 2006 Subject: Whitelist issue In-Reply-To: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> Message-ID: <223f97700611030509p61ea8d2ai30e7193010d0eb47@mail.gmail.com> On 03/11/06, Gordon Colyn wrote: > ITNT Banner Campaign > This email got through the MailScanner classified as whitelisted. The user > has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com. > > Return-Path: Hint #1... Pretty likely that this is actually the Envelope from (the address used in the SMTP conversation, which is the one MailScanner uses). > Received: from sentinal2.itnt.co.za (sentinal2.itnt.co.za [196.37.112.91]) > by angel.itnt.co.za (8.13.1/8.13.1) with ESMTP id kA24PI6D015145 > (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) > for ; Thu, 2 Nov 2006 06:25:23 +0200 > Received: from 190.40.232.116 ([190.40.232.116]) > by sentinal2.itnt.co.za (8.13.4/8.13.4) with ESMTP id kA24O3vr027855 > for ; Thu, 2 Nov 2006 06:24:14 +0200 > Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik) > by 190.40.232.116 with smtp > id 3LxQg-rQaO8kf3-p7 > for sales@tcmwarehouse.com; Tue, 02 Nov 2004 23:23:53 -0500 > Message-ID: <000a01c4c15c$e4c78710$01feaa58@ewregvtneyhik> > From: "Roy Freeman" > To: andreb@tcmwarehouse.com As with most headers, those two are very easily "forged".
You supply them during the DATA stage of SMTP, so they are never used for actual delivery... That is the "job" of the Envelope from and to ... ("MAIL FROM:" and "RCPT TO:" respectively). So.... > Subject: break away as a sorrowful hundred reluctantly > > How can it be classified as whitelisted if the from addres is > yqhsj@sugartime.net? It score 26. As said, the headers From: and To: have little to no bearing on actual sender/recipient. You can instruct MailScanner to add those as "Envelope-From: ..." and "Envelope-To: ..." headers. The drawback with that is that you'd defeat BCC;-). If you use MailWatch, the reported From/To (on the details page, as well as the Recent Messages page) are the envelope ones, so ... it becomes very visible what the difference is between the two (er, four:-). Especially on the details page, since you'll see the headers there too (the envelope from/to are below the headers). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Fri Nov 3 13:13:23 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 3 13:15:38 2006 Subject: Whitelist issue In-Reply-To: <086501c6ff47$ca8d3310$0a02a8c0@Gordon> References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> <086501c6ff47$ca8d3310$0a02a8c0@Gordon> Message-ID: Gordon Colyn wrote: > Thanks, > > 1) The rule was applied by using the mailwatch interface written to mysql Using the headers from or the envelope from? MailScanner's white/black list features are based on envelope address. > 2) Where can I find the bad_helo HACK? > 3) I have implemented the Envelope from in MailScanner. > > Regards > > Gordon > > ----- Original Message ----- > From: "Res" > To: "MailScanner discussion" > Sent: Friday, November 03, 2006 1:33 PM > Subject: Re: Whitelist issue > > > On Fri, 3 Nov 2006, Gordon Colyn wrote: > >> ITNT Banner Campaign >> This email got through the MailScanner classified as whitelisted.
The >> user >> has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com. > > Can you show us how you have written the rules > > >> Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik) > > I'd suggest you grab the bad_helo HACK and use it as well > people with legitimate mail don't throw crap like that in helos > > >> How can it be classified as whitelisted if the from address is >> yqhsj@sugartime.net? It score 26. >> > > Start using Envelope from in MailScanner > > From ugob at camo-route.com Fri Nov 3 13:28:01 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 3 13:29:00 2006 Subject: rejecting botnets with sendmail In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> Message-ID: Andoni Auzmendi wrote: > Experiencing the recent increase in spam from botnets, is there a way to > reject (or discard) connections coming from servers containing their ip > address within the hostname? I can see lots of connections from > broadband or dialup addresses. Some of them even bypass greylist as > they resend the messages several times. We use Sendmail here and I guess > there must be a milter which is capable of doing that. Using the latest version of milter-greylist (3.0 RC6), you can impose greylisting based on DNSbl. If you're not ready to block at sendmail based on DNSbl, this might be a softer approach.
Ugo From steve.swaney at fsl.com Fri Nov 3 13:28:55 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Fri Nov 3 13:29:03 2006 Subject: Not detecting some instances of viruses In-Reply-To: <200611030529.kA35TDic014240@summitmotors.com.au> Message-ID: <014601c6ff4c$02d94a70$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jon Bates > Sent: Friday, November 03, 2006 12:29 AM > To: mailscanner@lists.mailscanner.info > Subject: Not detecting some instances of viruses > > > I'm having trouble whereby only SOME instances of the same virus are being > identified by ClamAV. > > The virus is exactly the same type every time, but only some get detected > - > the rest are sent on to the user! > > There is no pattern that I can see - Zip files (containing infected exe), > and plain exe files have been allowed through. > > I've subsequently scanned the user's mailbox on the server using clamscan, > and it DOES detect the email! For some reason, when it is scanned when the > message is received, it's not detected. > > Any help would be appreciated! > > - Jon Bates > And the version of ClamAV that you are using is? Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From itlist at gmail.com Fri Nov 3 13:36:24 2006 From: itlist at gmail.com (Cheng Bruce) Date: Fri Nov 3 13:36:29 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> Message-ID: Hi Glenn, Thank you so much. I thought it only can set one function (deliver or store or ...). Yes, I got a lot of spams.
I have setup the FuzzyOCR tonight, and I test it via " spamassassin -t < corrupted-gif.eml" and get high scores more than 10, then do " spamassassin --lint" , restart mailscanner and run update SA in mailwatch (I can see the FuzzyOCR rules on screen ). But it doesn't work, the spam with gif still comes through. I thought I need to add some words in FuzzyOcr.words, but I use that gif to test it by manual, my God, it got the 23.7 scores. I think there must be somewhere wrong in my Mailscanner.conf or spam.assassin.prefs.conf Would you please advise me how to solve it ? Please help me and thank you in advance. PS: I don't mind it, but this is my fault to send you not back to the list. 2006/11/3, Glenn Steen : > > On 02/11/06, Cheng Bruce wrote: > > Hi, > > Thank you for your always kind help. > > > > By the way, would you please advise me how to cache the non-SPAM > > messages in mailwatch ( Quarantine ) like SPAM messages ? due to a lot > > of SPAMs treat as no-SPAM, I need more messages to block. > > > > Thank you again. > > If I read you right, you just need to add "store" to your "Non Spam > Actions" ( > http://www.mailscanner.info/MailScanner.conf.index.html#Non%20Spam%20Actions > ). > So if you have > Non Spam Actions = deliver header "X-Spam-Status: No" > in /etc/MailScanner/MailScanner.conf, you'd just change it to > Non Spam Actions = store deliver header "X-Spam-Status: No" > ... That way all messages will end up in the quarantine (in a > "non-spam" subdirectory). > You'll need make a script or somesuch that clears out this, after a > few days, so that you don't fill your disks too fast:-), at least if > you want this to be a permanent solution. If it is just a few hours > (to actually get to look at the false negatives, and decide what to do > about them....), you could just do that manually;-). > > If these are mostly image spam, look for the ImageInfo spamassassin > plugin from www.rulesemporium.com ... It made a world of difference > for me!
> > (hope you don't mind me redirecting this back to the list, since this > is actually "on-topic";-) > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > From ugob at camo-route.com Fri Nov 3 13:38:48 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 3 13:39:36 2006 Subject: Remove SpamAssasin report in 'attachment deliver' Message-ID: Hi, I'd like to know how to not have the report details in the body when using the 'attachment' action for delivering. I know there is an "Always include SpamAssassin Report" option, but I'm afraid I won't have it in the headers if I disable it. Thanks, Ugo From ugob at camo-route.com Fri Nov 3 13:42:47 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 3 13:45:24 2006 Subject: from and to Message-ID: Hi, Sorry if this has been asked in the past, but I couldn't find the answers on the wiki or list. Is it possible to do a ruleset like this? From: toto@domain.com and To: domain.com yes Thanks, Ugo From brian.duncan at kattenlaw.com Fri Nov 3 13:52:51 2006 From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Fri Nov 3 13:53:01 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. Message-ID: <65234743FE1555428435CE39E6AC4078B38B37@CHI-US-EXCH-01.us.kmz.com> > # ifndef HASFLOCK > # if LINUX_VERSION_CODE < 66399 > # define HASFLOCK 0 /* flock(2) is broken after 0.99.13 */ > # else /* LINUX_VERSION_CODE < 66399 */ > # define HASFLOCK 1 /* flock(2) fixed after 1.3.95 */ > # endif /* LINUX_VERSION_CODE < 66399 */ > # endif /* ! HASFLOCK */ > > A quick grep reveals that HASFLOCK is not defined anywhere > outside of include/sm/conf.h so I take it this means flock is > the default for Linux in sendmail 8.12.11.
> Also grep -i flock on /usr/lib/sendmail gives a match. > This type of default define is apparently not added to the Compiled > with: output. > > I've run MailScanner on RHEL 2.1 for a long time, first with sendmail > 8.11 and now with 8.12 (from RH errata). I've always used > flock and I haven't seen any issues with it. > It's not that I get all that much mail but my primary mx do > process about 10-14K mails a day. > > -tgc I looked and my 8.12.x box DOES NOT show hasflock in the compiled options but in the binary for sendmail it is indeed present (flock, cannot flock, HASFLOCK strings were all there) . The 8.13.x boxes DO NOT have flock anywhere in the binary. I also checked another 8.12 box and it also does not show in the compiled options but all the flock strings I listed above are present in the Sendmail ELF binary. Thanks for the info, it's great to be able to confirm without a doubt which of my boxes I should have posix set on.
From Denis.Beauchemin at USherbrooke.ca Fri Nov 3 14:07:23 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Nov 3 14:08:15 2006 Subject: Remove SpamAssasin report in 'attachment deliver' In-Reply-To: References: Message-ID: <454B4D1B.2000807@USherbrooke.ca> Ugo Bellavance wrote: > Hi, > > I'd like to know how to not have the report details in the body > when using the 'attachment' action for delivering. I know there is an > "Always include SpamAssassin Report" option, but I'm afraid I won't > have it in the headers if I disable it. > > Thanks, > > Ugo > Hi Ugo, I guess you could use the following in your spam.assassin.prefs.conf to clear the default report (from "man Mail::SpamAssassin::Conf"): clear_report_template Clear the report template. report ...some text for a report... Set the report template which is attached to spam mail messages. See the "10_misc.cf" configuration file in "/usr/share/spamassassin" for an example. If you change this, try to keep it under 78 columns. Each "report" line appends to the existing template, so use "clear_report_template" to restart. Tags can be included as explained above. I use a French-localized version here with: lang fr clear-report-template lang fr report ------------------ Début de Rapport SpamAssassin --------------------- Denis -- _ °v° Denis Beauchemin, analyst /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045
From matt at coders.co.uk Fri Nov 3 14:22:59 2006 From: matt at coders.co.uk (Matt Hampton) Date: Fri Nov 3 14:23:28 2006 Subject: Rules query Message-ID: <454B50C3.10308@coders.co.uk> Seems to be the day for it! A domain I filter for has asked me to setup the following for them: Email from anywhere to allowedexes@domain.com is virus/spam scanned and then delivered on to the address (it is an addressable public folder on exchange). They want no file type/file name checks. That's not a problem - however they also want to be notified to a different address (the help desk) when a message arrives (You have received an email to allowedexes from wibble@sender.com). This should not have the attachments. They then want any other recipient of blocked content to receive a notification whilst the email is sent to a separate account (otherblocked@domain.com) with the attachments still present. Any ideas? I don't think you can do this with the current configuration options so it looks like a module needs writing..... matt From mailscanner at yeticomputers.com Fri Nov 3 15:05:23 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Nov 3 15:05:33 2006 Subject: Rules query In-Reply-To: <454B50C3.10308@coders.co.uk> References: <454B50C3.10308@coders.co.uk> Message-ID: <454B5AB3.6010101@yeticomputers.com> I admit to despising Exchange and avoiding it whenever possible, but I vaguely recall that Exchange itself can fire off messages according to rules when mail is received. The forwarding of the scanned stuff should be doable with Mailscanner, can you configure Exchange to send the notifications when mail hits the allowedexes and otherblocked mailboxes? Rick Matt Hampton wrote: > Seems to be the day for it!
> > > A domain I filter for has asked me to setup the following for them: > > > Email from anywhere to allowedexes@domain.com is virus/spam scanned and > then delivered on to the address (it is an addressable public folder on > exchange). They want no file type/file name checks. > > That's not a problem - however they also want to be notified to a > different address (the help desk) when a message arrives (You have > received an email to allowedexes from wibble@sender.com). This should > not have the attachments. > > > They then want any other recipient of blocked content to receive a > notification whilst the email is sent to a separate account > (otherblocked@domain.com) with the attachments still present. > > > Any ideas? > > I don't think you can do this with the current configuration options so > it looks like a module needs writing..... > > > matt > > > From matt at coders.co.uk Fri Nov 3 15:20:58 2006 From: matt at coders.co.uk (Matt Hampton) Date: Fri Nov 3 15:21:24 2006 Subject: Rules query In-Reply-To: <454B5AB3.6010101@yeticomputers.com> References: <454B50C3.10308@coders.co.uk> <454B5AB3.6010101@yeticomputers.com> Message-ID: <454B5E5A.8090605@coders.co.uk> Rick Chadderdon wrote: > I admit to despising Exchange and avoiding it whenever possible. Join the large and friendly club :-) > , but I > vaguely recall that Exchange itself can fire off messages according to > rules when mail is received. The forwarding of the scanned stuff should > be doable with Mailscanner, can you configure Exchange to send the > notifications when mail hits the allowedexes and otherblocked mailboxes? Hadn't thought about that - that's a good idea. Thanks matt From jase at sensis.com Fri Nov 3 16:19:21 2006 From: jase at sensis.com (Desai, Jason) Date: Fri Nov 3 16:32:16 2006 Subject: DBD-SQLite install error? 
Message-ID: <1951DC816E1A9F469307B05FA183F4385FF524@corpatsmail1.corp.sensis.com> When I try to install MailScanner version 4.56.8 using the tar version, I get this: ============ Attempting to build and install DBD-SQLite-1.11 Unpacking perl-tar/DBD-SQLite-1.11.tar.gz Missing file perl-tar/DBD-SQLite-1.11.tar.gz . Are you in the right directory? Missing directory /tmp/DBD-SQLite-1.11 . Maybe it did not build correctly? ============ I notice that DBD-SQLite-1.12.tar.gz is in the perl-tar directory. Perhaps the install scripts needs to try to install DBD-SQLite-1.12 instead of DBD-SQLite-1.11? Jase -- Jason Desai Network Administrator Sensis Corporation jase@sensis.com http://www.sensis.com (315) 445-5811 From JeremyBlonde at grant.k12.ca.us Fri Nov 3 16:39:34 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Fri Nov 3 16:56:37 2006 Subject: MailScanner 4.56.8 Message-ID: I've been running with AWL, Bayes, and Razor with 4.55.6. It's been running fine and it's tuned to the point that I'm not constantly keeping tabs on it. The other night I upgraded to 4.56.8 and the SpamAssassin scores were all over the place. I noticed that SpamAssassin was now adding a number of new flags (or perhaps that's due to MailScanner), but the scores were so divergent that I had to watch it at all times because it was catching a lot of false positives. Not all messages were getting an AWL score or Bayes score. The most problematic domains were yahoo.com, comcast.net, etc., any of the ones that have a mixture of legit and spam sources. I noticed that autolearn was working, I could see the message scores fluctuating as it learned but it was actually lowering the score on some messages that should have been learned as spam (although now that I think about it, I'll have to verify that it wasn't AWL that was lowering the score). Is there something I'm missing with the upgrade? Do I need to clear AWL or do some tweaking of the SpamAssassin scores in order to tune this? 
I haven't had to tweak the SpamAssassin scores very much in the past. Also, ALL_TRUSTED is turned off and I didn't run with Razor. Thanks, Jeremy Blonde Instructional Technology - Server Support Grant Joint Union High School District "The purpose of education is to free individuals from their personal limitations." From ecasarero at gmail.com Fri Nov 3 16:58:38 2006 From: ecasarero at gmail.com (Eduardo Casarero) Date: Fri Nov 3 16:58:39 2006 Subject: DBD-SQLite install error? In-Reply-To: <1951DC816E1A9F469307B05FA183F4385FF524@corpatsmail1.corp.sensis.com> References: <1951DC816E1A9F469307B05FA183F4385FF524@corpatsmail1.corp.sensis.com> Message-ID: <7d9b3cf20611030858i185d1583v3be7b811ba8d583d@mail.gmail.com> after install.sh finish install dbdsqlite by hand, it works. ~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# perl Makefile.PL :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make install regards. eduardo 2006/11/3, Desai, Jason : > > When I try to install MailScanner version 4.56.8 using the tar version, > I get this: > > ============ > Attempting to build and install DBD-SQLite-1.11 > Unpacking perl-tar/DBD-SQLite-1.11.tar.gz > Missing file perl-tar/DBD-SQLite-1.11.tar.gz . Are you in the right > directory? > > Missing directory /tmp/DBD-SQLite-1.11 . > Maybe it did not build correctly? > ============ > > I notice that DBD-SQLite-1.12.tar.gz is in the perl-tar directory. > Perhaps the install scripts needs to try to install DBD-SQLite-1.12 > instead of DBD-SQLite-1.11? 
> > Jase > > -- > Jason Desai > Network Administrator > Sensis Corporation > jase@sensis.com > http://www.sensis.com > (315) 445-5811 > From jase at sensis.com Fri Nov 3 18:06:07 2006 From: jase at sensis.com (Desai, Jason) Date: Fri Nov 3 18:07:06 2006 Subject: DBD-SQLite install error? Message-ID: <1951DC816E1A9F469307B05FA183F4385FF532@corpatsmail1.corp.sensis.com> Thanks for the info. I probably should have mentioned that I was able to unpack and install it manually. I just wanted to give Julian a heads up that the installer script may have a bug. Jase > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Eduardo Casarero > Sent: Friday, November 03, 2006 11:59 AM > To: MailScanner discussion > Subject: Re: DBD-SQLite install error? > > after install.sh finish install dbdsqlite by hand, it works. > > > ~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# > > :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1. 12# perl Makefile.PL > > :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make > > :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1. 12# make install > > regards. > > eduardo > > > 2006/11/3, Desai, Jason : > > When I try to install MailScanner version 4.56.8 using > the tar version, > I get this: > > ============ > Attempting to build and install DBD-SQLite-1.11 > Unpacking perl-tar/DBD-SQLite-1.11.tar.gz > Missing file perl-tar/DBD- SQLite-1.11.tar.gz .
Are you > in the right > directory? > > Missing directory /tmp/DBD-SQLite-1.11 . > Maybe it did not build correctly? > ============ > > I notice that DBD-SQLite-1.12.tar.gz is in the perl-tar > directory. > Perhaps the install scripts needs to try to install > DBD-SQLite-1.12 > instead of DBD-SQLite-1.11? > > Jase > > -- > Jason Desai > Network Administrator > Sensis Corporation > jase@sensis.com > http://www.sensis.com > (315) 445-5811 > > > > From glenn.steen at gmail.com Fri Nov 3 19:17:03 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 3 19:17:06 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> Message-ID: <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> On 03/11/06, Cheng Bruce wrote: > Hi Glenn, > > Thank you so much. > I thought it only can set one function (deliver or store or ...). > > Yes, I got a lot of spams. > I have setup the FuzzyOCR tonight, and I test it via " spamassassin -t < > corrupted-gif.eml" and get high scores more than 10, then do " spamassassin > --lint" , restart mailscanner and run update SA in mailwatch (I can see the > FuzzyOCR rules on screen ). > > But it doesn't work, the spam with gif still comes through. I thought I need > to add some words in FuzzyOcr.words, but I use that gif to test it by > manual, my God, it got the 23.7 scores. > I think there must be somewhere wrong in my Mailscanner.conf or > spam.assassin.prefs.conf > > Would you please advise me how to solve it ? > > Please help me and thank you in advance.
There are at least a couple of things to check when it comes to
FuzzyOcr... First is the size of the snippet MailScanner sends to
SpamAssassin... Make it rather large (somewhere around 350-400 KiB
should do). The second is to check that FuzzyOcr actually works with
the user you are running MailScanner as (mostly important for Postfix,
which usually run as an unprivileged user) ... "su - postfix -s
/bin/bash" and run the test there... If you are running Postfix, that
is:-).
ISTR there being some debate about similar situations on the list in
the last few weeks/month or so, so you might benefit from searching
the list a bit (gmane is very good for this).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Nov 3 19:22:45 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 3 19:22:49 2006
Subject: from and to
In-Reply-To:
References:
Message-ID: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com>

On 03/11/06, Ugo Bellavance wrote:
> Hi,
>
> Sorry if this has been asked in the past, but I couldn't find the
> answers on the wiki or list.
>
> Is it possible to do a ruleset like this?
>
> From: toto@domain.com and To: domain.com yes
>
> Thanks,
>
> Ugo
>
Yep. Don't remember where it is documented (book, example file or
what) but that would definitely work.
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ka at pacific.net Fri Nov 3 19:35:28 2006 From: ka at pacific.net (Ken A) Date: Fri Nov 3 19:33:21 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> Message-ID: <454B9A00.9040100@pacific.net> Glenn Steen wrote: > On 03/11/06, Cheng Bruce wrote: >> Hi Glenn, >> >> Thank you so much. >> I thought it only can set one function (deliver or store or ...). >> >> Yes, I got a lot of spams. >> I have setup the FuzzyOCR tonight, and I test it via " spamassassin -t < >> corrupted-gif.eml" and get high scores more than 10, then do " >> spamassassin >> --lint" , restart mailscanner and run update SA in mailwatch (I can >> see the >> FuzzyOCR rules on screeen ). >> >> But it doesn't work, the spam with gif still comes through. I thought >> I need >> to add some words in FuzzyOcr.words, but I use that gif to test it by >> manual, my God, it got the 23.7 scores. >> I think there must be somewhere wrong in my Mailscanner.conf or >> spam.assassin.prefs.conf >> >> Would you please advise me how to solve it ? >> >> Please help me and thank you in advance. > > There are at least a couple of things to check when it comes to > FuzzyOcr... First is the size of the snippet MailScanner sends to > SpamAssassin... Make it rather large (somewhere around 350-400 KiB > should do). Ouch! That sounds too high to me. 
I've never seen a spam image over 30
or 40k, add the text and html bits and maybe 200k for luck, then set
"trackback" in MailScanner.conf
Ken A
Pacific.Net

> The second is to check that FuzzyOcr actually works with
> the user you are running MailScanner as (mostly important for Postfix,
> which usually run as an unprivileged user) ... "su - postfix -s
> /bin/bash" and run the test there... If you are running Postfix, that
> is:-).
> ISTR there being some debate about similar situations on the list in
> the last few weeks/month or so, so you might benefit from searching
> the list a bit (gmane is very good for this).
>

From rpoe at plattesheriff.org Fri Nov 3 19:44:50 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Fri Nov 3 19:45:49 2006
Subject: Greylisting .. nice ..
Message-ID: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org>

I've installed greylisting on 2 mail servers. On my own personal one
(that was getting hit pretty hard) first for a test period, then on a
client's server (as they were getting 690+ emails that made it through
SA + greet pause + rbls + country blocking (they have no legitimate
business in Europe or Asia).

My thoughts so far are this: Why didn't I do this sooner.

I've only received 3 pieces of spam since, and those three were through
a trusted route (i.e. forward I get from another server for admin
messages) that greylisting wouldn't catch anyway..

I used smf-grey and the install went very smoothly.

Their mail volume is 1/4 of what it was, and looking at MailWatch, is
either legitimate advertising (things not sent from a zombie, and were
signed up for) or actual, legitimate ham email.
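
Added example (not part of the list archive, and not the code of smf-grey or any other greylisting filter): the decision a greylisting filter makes for each delivery attempt, replayed over constructed attempts. Keying on the (client IP, sender, recipient) triplet, the three timing values and all names are assumptions made for illustration.

```python
"""Greylisting decision logic, replayed over constructed delivery attempts."""
from dataclasses import dataclass
from typing import Optional

# All three timings are assumed values for illustration.
MIN_DELAY = 300             # seconds a new triplet must wait before a retry is accepted
RETRY_WINDOW = 4 * 3600     # a pending triplet is forgotten if no retry arrives in time
PASS_LIFETIME = 36 * 86400  # how long a triplet that passed is remembered


@dataclass
class Entry:
    first_seen: float
    passed_at: Optional[float] = None


class Greylist:
    def __init__(self, min_delay=MIN_DELAY, retry_window=RETRY_WINDOW,
                 pass_lifetime=PASS_LIFETIME):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.pass_lifetime = pass_lifetime
        self.entries = {}

    @staticmethod
    def key(client_ip, sender, recipient):
        # Addresses are compared case-insensitively so a retry matches the first try.
        return (client_ip, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return (smtp_code, reason) for one delivery attempt at time `now` (seconds)."""
        k = self.key(client_ip, sender, recipient)
        entry = self.entries.get(k)

        # A triplet that already passed is accepted at once until it ages out.
        if entry is not None and entry.passed_at is not None:
            if now - entry.passed_at <= self.pass_lifetime:
                entry.passed_at = now
                return (250, "pass: known triplet")
            entry = None

        # Unknown triplet, or a pending one whose retry window ran out: defer with 4xx.
        if entry is None or now - entry.first_seen > self.retry_window:
            self.entries[k] = Entry(first_seen=now)
            return (451, "greylisted: first attempt")

        # A retry that arrives before the minimum delay is deferred again.
        if now - entry.first_seen < self.min_delay:
            return (451, "greylisted: retried too soon")

        entry.passed_at = now
        return (250, "pass: retry after delay")


# Constructed sample data: (time in seconds, client IP, envelope sender, recipient).
SAMPLE_ATTEMPTS = [
    (0,   "192.0.2.10",   "alice@example.org", "bob@example.net"),  # queueing MTA, first try
    (5,   "198.51.100.7", "promo@example.com", "bob@example.net"),  # sender that never retries
    (20,  "203.0.113.9",  "offer@example.com", "bob@example.net"),  # first try
    (30,  "203.0.113.9",  "offer@example.com", "bob@example.net"),  # retry after 10 seconds
    (900, "192.0.2.10",   "alice@example.org", "bob@example.net"),  # queue retry after 15 min
    (950, "192.0.2.10",   "alice@example.org", "bob@example.net"),  # later mail, same triplet
]


def replay(attempts, **kwargs):
    """Run the attempts through a fresh Greylist and return the SMTP codes in order."""
    greylist = Greylist(**kwargs)
    return [greylist.check(ip, sender, rcpt, t)[0] for t, ip, sender, rcpt in attempts]


if __name__ == "__main__":
    for label, kwargs in (("min_delay=300", {}), ("min_delay=5", {"min_delay": 5})):
        print(label, replay(SAMPLE_ATTEMPTS, **kwargs))
```

With the 300-second delay the 10-second retry is deferred again; with a delay of a few seconds it is accepted, so the minimum delay is the setting that decides how much a quick retry gains.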

From glenn.steen at gmail.com Fri Nov 3 19:48:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 3 19:48:16 2006
Subject: how to cache no-spam message shown its content in mailwatch
In-Reply-To: <454B9A00.9040100@pacific.net>
References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> <454B9A00.9040100@pacific.net>
Message-ID: <223f97700611031148r673bb1b9r35d41de91cfc24d0@mail.gmail.com>

On 03/11/06, Ken A wrote:
> Glenn Steen wrote:
(snip)
> >
> > There are at least a couple of things to check when it comes to
> > FuzzyOcr... First is the size of the snippet MailScanner sends to
> > SpamAssassin... Make it rather large (somewhere around 350-400 KiB
> > should do).
>
> Ouch! That sounds too high to me. I've never seen a spam image over 30
> or 40k, add the text and html bits and maybe 200k for luck, then set
> "trackback" in MailScanner.conf
> Ken A
> Pacific.Net
>
I'll admit to being in my cups a bit (oh no, not again!:-), but the
reason to be "silly-large" isn't _for the spams_, it is to make real
images pass without triggering FuzzyOcr (and others) in error. Or
perhaps I'm hallucinating badly (shouldn't be, that was a nice Kiwi
white ("Vicars choice", very nice, if a bit "fruity")).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ralloway at winbeam.com Fri Nov 3 21:27:16 2006
From: ralloway at winbeam.com (Richard D Alloway)
Date: Fri Nov 3 21:29:51 2006
Subject: Non-spam MailScanner score logging?
In-Reply-To: <454A64B0.2090908@evi-inc.com>
References: <454A64B0.2090908@evi-inc.com>
Message-ID:

Boy is my face red! :)

Thanks for pointing out where the option is in MailScanner.conf, Matt!

-Rich

On Thu, 2 Nov 2006, Matt Kettler wrote:

> Richard D Alloway wrote:
>>
>> Hi!
>> >> I'd like MailScanner to log the SpamAssassin scores for messages that >> don't score above the "Required SpamAssassin Score" or "High >> SpamAssassin Score". >> >> An example: >> >> Nov 2 04:20:19 192.168.1.4 MailScanner[27161]: Message kA29K2Wt004173 >> from xx.xx.xx.xx (xxxxxx@xxxxxxx) to xxxxx.net is spam, SpamAssassin >> (not cached, score=4.531, required 4, BAYES_50 2.00, HTML_MESSAGE 0.00, >> MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00, MSGID_FROM_MTA_HEADER >> 0.00, MSGID_FROM_MTA_ID 1.39, NORMAL_HTTP_TO_IP 0.17, NO_REAL_NAME 0.96) >> >> I'd like to see the same report for non-spam emails. > > In MailScanner.conf find the "Log Non Spam" entry and change it to "yes". > > >> Since only about 10% of our incoming email is legit, this should only >> incur a very slight increase in total system load. > > Agree.. I keep it on myself. > > >> I've looked through the MailScanner.conf file and can't find a way to >> turn it on... am I missing something or is this a feature than can be >> added on a future release? > > It's there, you just missed it. > From mkettler at evi-inc.com Fri Nov 3 21:44:44 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Nov 3 21:44:56 2006 Subject: Non-spam MailScanner score logging? In-Reply-To: References: <454A64B0.2090908@evi-inc.com> Message-ID: <454BB84C.7010809@evi-inc.com> Richard D Alloway wrote: > > Boy is my face red! :) > > Thanks for pointing out where the option is in MailScanner.conf, Matt! > > -Rich Hey, that's an awfully big forest. It's not too shocking you missed one tree in there :) From jase at sensis.com Fri Nov 3 22:26:37 2006 From: jase at sensis.com (Desai, Jason) Date: Fri Nov 3 22:27:46 2006 Subject: MCP Issue Message-ID: <1951DC816E1A9F469307B05FA183F4385FF553@corpatsmail1.corp.sensis.com> > I'm running MS v 4.56.6 and just noticed a strange error > today. I have MCP setup to catch a few derogotary terms. More > for testing purposes then actually use. It rarely gets any > hits. 
But today it is consistently hitting one person. The
> funny thing it is matching on rules in the spam rules and not
> the MCP rules. The last message had the following from
> MailWatch for Spam:
[snip]
> In the MCP section:
>
> MCP Score: 4.61
> MCP Report: Score Matching Rule Description
> ALL_TRUSTED
> FORGED_OUTLOOK_HTML
> FORGED_OUTLOOK_TAGS
> HTML_MESSAGE
> MIME_HTML_ONLY
> SUBJ_ALL_CAPS
>
> I'm confused how the MCP section is suddenly matching my SA
> rules instead of the ones I created for MCP?

I came across the same thing today. I think it has to do with sa-update
and SpamAssassin Local State Dir setting. I did not have this problem
until I ran sa-update. Running in debug mode, in the MCP section I see:

[snip]
[26038] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules pre files
[26038] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[26038] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[26038] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[26038] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[26038] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules dir
[26038] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf
[26038] dbg: config: using "/opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf" for user prefs file
[26038] dbg: config: read file /opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf
[26038] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/empty.pre
[snip]

So it looks like the MCP SpamAssassin run is pulling rules from the
sa-update rules. Julian, should there be a "MCP SpamAssassin Local State
Dir" setting so that we can disable this, or force it to another
directory? Or is there another work around?

For the time being, I have renamed /var/lib/spamassassin/3.001007 and
stopped running sa-update.

Jase

From gdoris at rogers.com Sat Nov 4 00:03:21 2006
From: gdoris at rogers.com (Gerry Doris)
Date: Sat Nov 4 00:03:39 2006
Subject: mailscanner-mrtg graph labels
Message-ID: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca>

I upgraded my system from Fedora Core 4 to 6 last weekend. Surprisingly
it went quite well. I thought everything was working properly until I
noticed that two of the mailscanner-mrtg graphs have their labels messed
up. The data looks correct.

The two messed up graphs are Mail Transferred and Memory. It is the top
level as well as the detail graphs. The vertical legend for each is
showing the number scale followed by the letters M,G,T,P spread out into
the graph area for each number.

This has been working perfectly for ages...I think? Has anyone else
noticed this?

I'm using 0.10.00. I upgraded to the unstable version 11 but it didn't
make a difference.

From imiller at bsd.uchicago.edu Sat Nov 4 01:34:41 2006
From: imiller at bsd.uchicago.edu (Ian Miller)
Date: Sat Nov 4 01:34:49 2006
Subject: Solaris errors
Message-ID: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu>

I am running solaris 9 with perl 5.8.8 and just upgraded to the latest
MailScanner and I received this error on start

# ./MailScanner
Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: /opt/MailScanner/lib /usr/local/lib/perl5/5.8.8/sun4-solaris /usr/local/lib/perl5/5.8.8 /usr/local/lib/perl5/site_perl/5.8.8/sun4-solaris /usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/site_perl/5.8.5/sun4-solaris /usr/local/lib/perl5/site_perl/5.8.5 /usr/local/lib/perl5/site_perl . /opt/MailScanner/lib) at ./MailScanner line 67.
BEGIN failed--compilation aborted at ./MailScanner line 67.

Has anyone else run across this

thanks
-Ian

This e-mail and any attachments may contain privileged and confidential information for use only by the intended recipient.
If you have received this e-mail in error, please delete the e-mail and all copies thereof and notify us by e-mail or a collect call to our office; do not forward the e-mail. From res at ausics.net Sat Nov 4 01:44:37 2006 From: res at ausics.net (Res) Date: Sat Nov 4 01:44:45 2006 Subject: Whitelist issue In-Reply-To: <086501c6ff47$ca8d3310$0a02a8c0@Gordon> References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> <086501c6ff47$ca8d3310$0a02a8c0@Gordon> Message-ID: On Fri, 3 Nov 2006, Gordon Colyn wrote: > 1) The rule was applied by using the mailwatch interface written to mysql ok i cant help on this one dont use mailwatch > 2) Where can I find the bad_helo HACK? http://support.ausics.net/block_bad_helo.m4 > 3) I have implemented the Envelope from in MailScanner. OK, that sounds right, maybe thats what they were presenting. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Nov 4 01:48:21 2006 From: res at ausics.net (Res) Date: Sat Nov 4 01:48:30 2006 Subject: Greylisting .. nice .. In-Reply-To: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> Message-ID: On Fri, 3 Nov 2006, Rob Poe wrote: > My thoughts so far are this: Why didn't I do this sooner. Its going to be pointless soon, problem is, as more and more people do this, it wont be long before the common garden variety spammers smtp engine will also retry on 4xx errors, id give it a year tops (if some of them are not already doing it) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From csweeney at osubucks.org Sat Nov 4 01:51:49 2006 From: csweeney at osubucks.org (Chris Sweeney) Date: Sat Nov 4 01:52:03 2006 Subject: Greylisting .. nice .. 
In-Reply-To: References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> Message-ID: <454BF235.3040406@osubucks.org> Yes but even when they do, it will still serve the purpose of slowing them down. They are only making good money sending millions of ads at a time, if we can make them wait, it puts a terrible burden on them. Res wrote: > On Fri, 3 Nov 2006, Rob Poe wrote: > >> My thoughts so far are this: Why didn't I do this sooner. > > Its going to be pointless soon, problem is, as more and more people do > this, it wont be long before the common garden variety spammers smtp > engine > will also retry on 4xx errors, id give it a year tops (if some of them > are not already doing it) > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5188 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061103/68207824/smime.bin From itlist at gmail.com Sat Nov 4 03:59:58 2006 From: itlist at gmail.com (Cheng Bruce) Date: Sat Nov 4 04:00:00 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> Message-ID: Hi Glenn, Sorry. I figure out it. and it runs fine. I have checked it. Everything works after I configured "SpamAssassin Local State Dir =" and removed "SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf". Thank you for your always helping us. by the way, I don't see the FuzzyOcr.log generated by SA. Is there something wrong in setting ? I still can't understand these meanings, I will read the document again. 
I mis-understand these meaning as following SpamAssassin User State Dir = SpamAssassin Install Prefix = SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = SpamAssassin Default Rules Dir = 2006/11/4, Cheng Bruce : > Hi Glenn, > > Sorry for sending to your private mailbox. > I know this is not right to send into your mailbox, but I really have > a big problem there, and I am still searching in Gname and Google. > > After I solve my problem, I will re-post what I did so that someone > meet the same problem like me could be solved. > > I have tried to increase the size into 100K, but before I did that, I > think that is not main reason, because I checked all spams with gif > (more than 2K messages in two days), the size belows under 30KB. From jrudd at ucsc.edu Sat Nov 4 05:12:54 2006 From: jrudd at ucsc.edu (John Rudd) Date: Sat Nov 4 05:16:44 2006 Subject: Greylisting .. nice .. In-Reply-To: References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> Message-ID: <454C2156.6010902@ucsc.edu> Res wrote: > On Fri, 3 Nov 2006, Rob Poe wrote: > >> My thoughts so far are this: Why didn't I do this sooner. > > Its going to be pointless soon, problem is, as more and more people do > this, it wont be long before the common garden variety spammers smtp engine > will also retry on 4xx errors, id give it a year tops (if some of them > are not already doing it) > Defeating Greylisting is almost trivial. I even outlined how to do it on the SA list at one point (because I thought someone was trying to use it on me, even though I don't use greylisting). I'd be surprised if takes a full year to see it in the field. I'd be surprised if some botnets aren't already adapting to it. From jrudd at ucsc.edu Sat Nov 4 05:14:34 2006 From: jrudd at ucsc.edu (John Rudd) Date: Sat Nov 4 05:20:29 2006 Subject: Greylisting .. nice .. 
In-Reply-To: <454BF235.3040406@osubucks.org> References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> <454BF235.3040406@osubucks.org> Message-ID: <454C21BA.7000607@ucsc.edu> They don't really have to do that much waiting. Esp. for all of you who are setting your retry time to mere seconds. Chris Sweeney wrote: > Yes but even when they do, it will still serve the purpose of slowing > them down. They are only making good money sending millions of ads at a > time, if we can make them wait, it puts a terrible burden on them. > > Res wrote: >> On Fri, 3 Nov 2006, Rob Poe wrote: >> >>> My thoughts so far are this: Why didn't I do this sooner. >> Its going to be pointless soon, problem is, as more and more people do >> this, it wont be long before the common garden variety spammers smtp >> engine >> will also retry on 4xx errors, id give it a year tops (if some of them >> are not already doing it) >> >> >> From gordon at itnt.co.za Sat Nov 4 05:44:43 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Sat Nov 4 05:50:12 2006 Subject: Whitelist issue References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon><086501c6ff47$ca8d3310$0a02a8c0@Gordon> Message-ID: <00f101c6ffd4$55526290$0d02a8c0@Gordon> Excellent, thanks ----- Original Message ----- From: "Res" To: "MailScanner discussion" Sent: Saturday, November 04, 2006 3:44 AM Subject: Re: Whitelist issue On Fri, 3 Nov 2006, Gordon Colyn wrote: > 1) The rule was applied by using the mailwatch interface written to mysql ok i cant help on this one dont use mailwatch > 2) Where can I find the bad_helo HACK? http://support.ausics.net/block_bad_helo.m4 > 3) I have implemented the Envelope from in MailScanner. OK, that sounds right, maybe thats what they were presenting. 
-- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at mango.zw Sat Nov 4 06:53:19 2006 From: mailscanner at mango.zw (Jim Holland) Date: Sat Nov 4 06:51:39 2006 Subject: Greylisting .. nice .. In-Reply-To: Message-ID: On Sat, 4 Nov 2006, Res wrote: > Date: Sat, 4 Nov 2006 11:48:21 +1000 (EST) > From: Res > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Greylisting .. nice .. > > On Fri, 3 Nov 2006, Rob Poe wrote: > > > My thoughts so far are this: Why didn't I do this sooner. > > Its going to be pointless soon, problem is, as more and more people do > this, it wont be long before the common garden variety spammers smtp > engine will also retry on 4xx errors, id give it a year tops (if some of > them are not already doing it) My objection to it is not that it doesn't work, but that it makes all genuine mail servers work twice as hard to deliver mail. I like having an outgoing mail queue as clean as possible, and the greylisters mean multiple retry attempts before the mail can be delivered. The more people adopt it the harder it is going to get for the rest of us. And if the spammers adapt to it then we are all going to face a massive increase in the number of connection attempts they make on us to defeat greylisting, and Internet bandwidth will become even more congested than it is at the moment. It reminds me of the arguments for keeping a gun in the house - "I just want to make sure that I can protect my family against a dangerous world". But if everyone did just that the world would become an even more dangerous place. There are definitely no guns in my house. 
Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From mailscanner at mango.zw Sat Nov 4 07:27:13 2006 From: mailscanner at mango.zw (Jim Holland) Date: Sat Nov 4 07:25:33 2006 Subject: Greylisting .. nice .. In-Reply-To: Message-ID: On Sat, 4 Nov 2006, Jim Holland wrote: > My objection to it is not that it doesn't work, but that it makes all > genuine mail servers work twice as hard to deliver mail. I like having an > outgoing mail queue as clean as possible, and the greylisters mean > multiple retry attempts before the mail can be delivered. The more people > adopt it the harder it is going to get for the rest of us. And if the > spammers adapt to it then we are all going to face a massive increase in > the number of connection attempts they make on us to defeat greylisting, > and Internet bandwidth will become even more congested than it is at the > moment. > > It reminds me of the arguments for keeping a gun in the house - "I just > want to make sure that I can protect my family against a dangerous world". > But if everyone did just that the world would become an even more > dangerous place. > > There are definitely no guns in my house. I forgot to mention - we do have: Guards in the street outside (but no guns) A high wall protected by thorns An electric gate Guards inside the grounds (but no guns) Burglar bars on the windows Security grilles on the doors Motion sensors etc in critical places A siren in the roof A radio alarm connected to a security firm and A bullet hole in our front window from a raid by state security chasing my politically active wife But this is Zimbabwe after all . . . Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From r.berber at computer.org Sat Nov 4 08:58:44 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Sat Nov 4 08:59:00 2006 Subject: Greylisting .. nice .. 
In-Reply-To:
References:
Message-ID:

Jim Holland wrote:
[snip]
> My objection to it is not that it doesn't work, but that it makes all
> genuine mail servers work twice as hard to deliver mail. I like having an
> outgoing mail queue as clean as possible, and the greylisters mean
> multiple retry attempts before the mail can be delivered.
[snip]

You are wrong, it is not twice as much work, not even near. Worst case
is that you get greylisted once per recipient/sender pair, that's it.

With milter-gris I use the option of only greylisting dynamic IPs and
those that don't have a valid reverse.

And bottom line: about 90% of the spam just disappeared.
--
René Berber

From martinh at solidstatelogic.com Sat Nov 4 09:27:31 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Sat Nov 4 09:27:48 2006
Subject: MailScanner 4.56.8
In-Reply-To:
References:
Message-ID: <454C5D03.9020703@solidstatelogic.com>

Jeremy Blonde wrote:
> I've been running with AWL, Bayes, and Razor with 4.55.6. It's been
> running fine and it's tuned to the point that I'm not constantly keeping
> tabs on it.
>
> The other night I upgraded to 4.56.8 and the SpamAssassin scores were
> all over the place. I noticed that SpamAssassin was now adding a number
> of new flags (or perhaps that's due to MailScanner), but the scores were
> so divergent that I had to watch it at all times because it was catching
> a lot of false positives. Not all messages were getting an AWL score or
> Bayes score. The most problematic domains were yahoo.com, comcast.net,
> etc., any of the ones that have a mixture of legit and spam sources. I
> noticed that autolearn was working, I could see the message scores
> fluctuating as it learned but it was actually lowering the score on some
> messages that should have been learned as spam (although now that I
> think about it, I'll have to verify that it wasn't AWL that was lowering
> the score).
>
> Is there something I'm missing with the upgrade?
Do I need to clear AWL
> or do some tweaking of the SpamAssassin scores in order to tune this? I
> haven't had to tweak the SpamAssassin scores very much in the past.
> Also, ALL_TRUSTED is turned off and I didn't run with Razor.
>
> Thanks,
> Jeremy Blonde
> Instructional Technology - Server Support
> Grant Joint Union High School District
>
>
>
>
> "The purpose of education is to free individuals from their personal limitations."

Jeremy

personally I find AWL a waste of time and often leads to SA not spotting
spam. Others find it works, but a lot of people (like me) find it's only
useful for small end-user populations (less than 10). I turn it off by
disabling the plugin on init.pre.

I'd check your trusted_networks etc in spam.assassin.prefs.conf is OK,
as that seems to be the cause of lots of AWL problems.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From martinh at solidstatelogic.com Sat Nov 4 09:28:28 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Sat Nov 4 09:28:36 2006
Subject: Not detecting some instances of viruses
In-Reply-To: <200611030529.kA35TDic014240@summitmotors.com.au>
References: <200611030529.kA35TDic014240@summitmotors.com.au>
Message-ID: <454C5D3C.6090109@solidstatelogic.com>

Jon Bates wrote:
> I'm having trouble whereby only SOME instances of the same virus are being
> identified by ClamAV.
> > The virus is exactly the same type every time, but only some get detected - > the rest are sent on to the user! > > There is no pattern that I can see - Zip files (containing infected exe), > and plain exe files have been allowed through. > > I've subsequently scanned the users mailbox on the server using clamscan, > and it DOES detect the email! For some reason, when it is scanned when the > message is received, it's not detected. > > Any help would be appreciated! > > - Jon Bates > Jon do you 'archive' or quarantine these emails so you can replay then at a later date. If not I'd start doing this, so you can debug. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From res at ausics.net Sat Nov 4 10:23:05 2006 From: res at ausics.net (Res) Date: Sat Nov 4 10:23:13 2006 Subject: Greylisting .. nice .. In-Reply-To: <454C2156.6010902@ucsc.edu> References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> <454C2156.6010902@ucsc.edu> Message-ID: On Fri, 3 Nov 2006, John Rudd wrote: > Defeating Greylisting is almost trivial. I even outlined how to do it on the > SA list at one point (because I thought someone was trying to use it on me, > even though I don't use greylisting). I'd be surprised if takes a full year > to see it in the field. I'd be surprised if some botnets aren't already > adapting to it. Exactly, which is why I honestly can not see the hype of it. 
-- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Nov 4 10:30:04 2006 From: res at ausics.net (Res) Date: Sat Nov 4 10:30:10 2006 Subject: Greylisting .. nice .. In-Reply-To: References: Message-ID: On Sat, 4 Nov 2006, Jim Holland wrote: > My objection to it is not that it doesn't work, but that it makes all > genuine mail servers work twice as hard to deliver mail. I like having an > outgoing mail queue as clean as possible, and the greylisters mean This is the biggest point of it, the people trying to get everyone using greylisting obviously dont see much mail or don't have impatient whinging @!#$@#$'s as customers It seems to be a big thing with the postmix (intended pun) users for some reason. > multiple retry attempts before the mail can be delivered. The more people I also still see hotmail not resending on a 4xx errors as well. > There are definitely no guns in my house. nor here, just an attack trained anti social rottweiler :P -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Nov 4 10:31:06 2006 From: res at ausics.net (Res) Date: Sat Nov 4 10:31:11 2006 Subject: Greylisting .. nice .. In-Reply-To: References: Message-ID: On Sat, 4 Nov 2006, Jim Holland wrote: > I forgot to mention - we do have: > > Guards in the street outside (but no guns) > A high wall protected by thorns > An electric gate > Guards inside the grounds (but no guns) > Burglar bars on the windows > Security grilles on the doors > Motion sensors etc in critical places > A siren in the roof > A radio alarm connected to a security firm > and > A bullet hole in our front window from a raid by state security > chasing my politically active wife > > But this is Zimbabwe after all . . . 
lol, looks like you got everything else BUT the guns :)

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From robert at ml.erje.net Sat Nov 4 10:42:49 2006
From: robert at ml.erje.net (Robert Joosten)
Date: Sat Nov 4 10:43:46 2006
Subject: Greylisting .. nice ..
In-Reply-To:
References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> <454C2156.6010902@ucsc.edu>
Message-ID: <20061104104249.GA1082@iphouse.com>

Hi,

> >Defeating Greylisting is almost trivial.
> >I'd be surprised if some botnets aren't already adapting to it.
> Exactly, which is why I honestly can not see the hype of it.

It's not a hype, it just works.

Spamfighters develop one method, they counteract.... simple huh ? It goes
on and on and on and on and ...

Cheers,
Robert

From dhawal at netmagicsolutions.com Sat Nov 4 10:48:24 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Sat Nov 4 10:48:47 2006
Subject: Greylisting .. nice ..
In-Reply-To:
References:
Message-ID: <454C6FF8.9000300@netmagicsolutions.com>

Res wrote:
> On Sat, 4 Nov 2006, Jim Holland wrote:
>
>> My objection to it is not that it doesn't work, but that it makes all
>> genuine mail servers work twice as hard to deliver mail. I like
>> having an
>> outgoing mail queue as clean as possible, and the greylisters mean
>
> This is the biggest point of it, the people trying to get everyone using
> greylisting obviously dont see much mail or don't have impatient
> whinging @!#$@#$'s as customers
>
> It seems to be a big thing with the postmix (intended pun) users
> for some reason.

Us postmix users use selective greylisting ;-) See
http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml

I kinda agree that simply greylisting is not as effective as before.
However a combination of policyd-weight (rbl+rhsbl scoring) + selective
greylisting still works wonders in my setup..
i would suggest separating out the incoming from the outgoing (logically if not physically) and add p0f support at the incoming iptables level to reject desktop OSes (thereby taking care of most botnets). See below links for a hint. http://www.snertsoft.com/sendmail/milter-p0f/ http://kmlinux.fjfi.cvut.cz/~vokac/activities/ppolicy/ - dhawal From res at ausics.net Sat Nov 4 12:32:33 2006 From: res at ausics.net (Res) Date: Sat Nov 4 12:32:42 2006 Subject: Greylisting .. nice .. In-Reply-To: <20061104104249.GA1082@iphouse.com> References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> <454C2156.6010902@ucsc.edu> <20061104104249.GA1082@iphouse.com> Message-ID: On Sat, 4 Nov 2006, Robert Joosten wrote: > Hi, > >>> Defeating Greylisting is almost trivial. >>> I'd be surprised if some botnets aren't already adapting to it. >> Exactly, which is why I honestly can not see the hype of it. > > It's not a hype, it just works. > > Spamfighters develop one method, they counteract.... simple huh ? It goes > on and on and on and on and ... exactly my point, its all crud and not worth it, grey listing is hardly anti spam its just a nuisance delay for those whos servers already work their butts off -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Nov 4 12:34:51 2006 From: res at ausics.net (Res) Date: Sat Nov 4 12:34:57 2006 Subject: Greylisting .. nice .. In-Reply-To: <454C6FF8.9000300@netmagicsolutions.com> References: <454C6FF8.9000300@netmagicsolutions.com> Message-ID: On Sat, 4 Nov 2006, Dhawal Doshy wrote: > Res wrote: >> On Sat, 4 Nov 2006, Jim Holland wrote: >> >>> My objection to it is not that it doesn't work, but that it makes all >>> genuine mail servers work twice as hard to deliver mail. 
I like having an
>>> outgoing mail queue as clean as possible, and the greylisters mean
>>
>> This is the biggest point of it, the people trying to get everyone using
>> greylisting obviously don't see much mail or don't have impatient whinging
>> @!#$@#$'s as customers
>>
>> It seems to be a big thing with the postmix (intended pun) users
>> for some reason.
>
> Us postmix users use selective greylisting ;-) See
> http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml
>
> I kinda agree that simply greylisting is not as effective as before. However
> a combination of policyd-weight (rbl+rhsbl scoring) + selective greylisting
> still works wonders in my setup..

I use RBL's in MTA rather than score them, if it's trash the less resources of mine I allow them to use the better :)

>
> I would suggest separating out the incoming from the outgoing (logically if
> not physically) and add p0f support at the incoming iptables level to reject
> desktop OSes (thereby taking care of most botnets). See below links for a
> hint.
> http://www.snertsoft.com/sendmail/milter-p0f/
> http://kmlinux.fjfi.cvut.cz/~vokac/activities/ppolicy/
>
> - dhawal
>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From tenderby at mailwash.com.au Sat Nov 4 13:17:13 2006
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Sat Nov 4 13:17:48 2006
Subject: out of curiosity: reload and restart
In-Reply-To:
References:
Message-ID: <454C92D9.5070308@mailwash.com.au>

Sven De Troch wrote:

>On Wed, 1 Nov 2006 20:07:15 -0600, "Mike Kercher"
>wrote:
>
>>>So if I understand you well, if I modify the access file
>>>(something I need to do very often) and I do a 'make -C
>>>/etc/mail' afterwards, I wouldn't have to restart sendmail
>>>(and thus not MailScanner either)?
>>>
>>>--
>>>Kind regards,
>>>Sven De Troch
>>>
>>>----- Need a solid hosting partner? -----
>>> -- More info at http://www.sitehosting.be --
>>>
>>That is correct. I modify my access file all the time and don't restart
>>anything.
>>
>>Mike
>>
>
>Thanks for all answers!
>A little extra question for the people using the access file on a
>daily basis.
>
>We need to add domains to this file almost every day and I'd like to
>give this task to people without ssh access to the server. I would
>like to give them some kind of web interface where they can add (or
>remove) a line in the access file. Has anyone already built something
>like this (I'm not a developer myself) or is there something freely
>available somewhere?
>

http://www.webmin.com/

Has a sendmail module with web frontend for the access.db file.

-----------------------------------------------------------------------------------
Scanned by MailWash Australia - http://www.mailwash.com.au
-----------------------------------------------------------------------------------

From alex at nkpanama.com Sat Nov 4 14:21:12 2006
From: alex at nkpanama.com (Alex Neuman)
Date: Sat Nov 4 14:21:56 2006
Subject: Not detecting some instances of viruses
In-Reply-To: <200611030529.kA35TDic014240@summitmotors.com.au>
References: <200611030529.kA35TDic014240@summitmotors.com.au>
Message-ID: <454CA1D8.3080004@nkpanama.com>

Jon Bates wrote:
> I'm having trouble whereby only SOME instances of the same virus are being
> identified by ClamAV.
>
> The virus is exactly the same type every time, but only some get detected -
> the rest are sent on to the user!
>
> There is no pattern that I can see - Zip files (containing infected exe),
> and plain exe files have been allowed through.
>
> I've subsequently scanned the user's mailbox on the server using clamscan,
> and it DOES detect the email! For some reason, when it is scanned when the
> message is received, it's not detected.
>
> Any help would be appreciated!
>
> - Jon Bates
>
>
You shouldn't be allowing EXEs in the first place, I think.
From martinh at solidstatelogic.com Sat Nov 4 16:04:02 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Sat Nov 4 16:04:20 2006 Subject: Not detecting some instances of viruses In-Reply-To: <454CA1D8.3080004@nkpanama.com> References: <200611030529.kA35TDic014240@summitmotors.com.au> <454CA1D8.3080004@nkpanama.com> Message-ID: <454CB9F2.60505@solidstatelogic.com> Alex Neuman wrote: > Jon Bates wrote: >> I'm having trouble whereby only SOME instances of the same virus are >> being >> identified by ClamAV. >> >> The virus is exactly the same type every time, but only some get >> detected - >> the rest are sent on to the user! >> >> There is no pattern that I can see - Zip files (containing infected exe), >> and plain exe files have been allowed through. >> >> I've subsequently scanned the users mailbox on the server using clamscan, >> and it DOES detect the email! For some reason, when it is scanned when >> the >> message is received, it's not detected. >> Any help would be appreciated! >> >> - Jon Bates >> >> > You shouldn't be allowing EXEs in the first place, I think. if you work with Windows developers then I'm afraid you have to! We do this selectively of course! -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From imiller at bsd.uchicago.edu Sat Nov 4 16:58:20 2006 From: imiller at bsd.uchicago.edu (Ian Miller) Date: Sat Nov 4 16:58:39 2006 Subject: Solaris errors In-Reply-To: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> References: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> Message-ID: <1162659500.454cc6acd99cf@webemail.bsd.uchicago.edu> Does anyone have any insight into this error? I have three sendmail/solaris 9 systems that need upgrading and I need some kind of solution .. I am willing to work with someone on the problem... (give them ssh access on a test system) just to work it out. Please help if time permits .. thanks -i Quoting Ian Miller : > I am running solaris 9 with perl 5.8.8 and just upgraded to the latest > MailScanner and I received this error on start > > # ./MailScanner > Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: > /opt/MailScanner/lib > /usr/local/lib/perl5/5.8.8/sun4-solaris /usr/local/lib/perl5/5.8.8 > /usr/local/lib/perl5/site_perl/5.8.8/sun4-solaris > /usr/local/lib/perl5/site_perl/5.8.8 > /usr/local/lib/perl5/site_perl/5.8.5/sun4-solaris > /usr/local/lib/perl5/site_perl/5.8.5 /usr/local/lib/perl5/site_perl . > /opt/MailScanner/lib) at ./MailScanner line 67. > BEGIN failed--compilation aborted at ./MailScanner line 67. > > Has anyone else run across this > thanks > -Ian > > > > This e-mail and any attachments may contain privileged and > confidential information for use only by the intended recipient. If > you have received this e-mail in error, please delete the e-mail and > all copies thereof and notify us by e-mail or a collect call to our > office; do not forward the e-mail. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -- Ian Miller Sr. Systems Engineer University of Chicago 929 E 57th St. W342 Chicago, IL 60637 773-834-3191 imiller@bsd.uchicago.edu This e-mail and any attachments may contain privileged and confidential information for use only by the intended recipient. If you have received this e-mail in error, please delete the e-mail and all copies thereof and notify us by e-mail or a collect call to our office; do not forward the e-mail. From ugob at camo-route.com Sat Nov 4 17:54:59 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Sat Nov 4 17:55:17 2006 Subject: Solaris errors In-Reply-To: <1162659500.454cc6acd99cf@webemail.bsd.uchicago.edu> References: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> <1162659500.454cc6acd99cf@webemail.bsd.uchicago.edu> Message-ID: Ian Miller wrote: > Does anyone have any insight into this error? I have three sendmail/solaris 9 > systems that need upgrading and I need some kind of solution .. > I am willing to work with someone on the problem... > (give them ssh access on a test system) just to work it out. > Please help if time permits .. > thanks > -i > Quoting Ian Miller : > >> I am running solaris 9 with perl 5.8.8 and just upgraded to the latest >> MailScanner and I received this error on start >> >> # ./MailScanner >> Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: >> /opt/MailScanner/lib >> /usr/local/lib/perl5/5.8.8/sun4-solaris /usr/local/lib/perl5/5.8.8 >> /usr/local/lib/perl5/site_perl/5.8.8/sun4-solaris >> /usr/local/lib/perl5/site_perl/5.8.8 >> /usr/local/lib/perl5/site_perl/5.8.5/sun4-solaris >> /usr/local/lib/perl5/site_perl/5.8.5 /usr/local/lib/perl5/site_perl . >> /opt/MailScanner/lib) at ./MailScanner line 67. >> BEGIN failed--compilation aborted at ./MailScanner line 67. This probably means that the perl module Sys::Hostname::Long is not installed. 
From develop at in-tech.us Sat Nov 4 18:37:45 2006
From: develop at in-tech.us (Integrated Technologies)
Date: Sat Nov 4 18:32:09 2006
Subject: Mail Log Error Message
Message-ID: <000001c70040$57b62410$c8fea8c0@intech.us>

My complete install was going fine...no errors, no snags. I checked my logs this morning and received the following error (I had a power failure and it rebooted):

MailScanner[2906]: MailScanner E-Mail Virus Scanner version 4.56.8 starting.
MailScanner[2906]: Syntax error(s) in configuration file:
MailScanner[2906]: Unrecognized keyword "spamassassinprefsfile" at line 2213
MailScanner[2906]: Aborting due to syntax errors in /etc/MailScanner/NailScanner.conf

I went to my MailScanner.conf configuration file and these are the lines before and after line 2213 (this is actually the very last line in my MailScanner.conf file):

2209 # READ and UNDERSTAND the above text BEFORE changing this.
2210 #
2211 Minimum Code Status = supported
2212
2213 SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf
2214

There is NOTHING that I have touched within these last few lines...any ideas?

My gratitude ahead of time for your patience and assistance

SRB, Integrated Technologies
Owner/Senior Developer

From imiller at bsd.uchicago.edu Sat Nov 4 19:07:15 2006
From: imiller at bsd.uchicago.edu (Ian Miller)
Date: Sat Nov 4 19:07:44 2006
Subject: Solaris errors
In-Reply-To:
References: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> <1162659500.454cc6acd99cf@webemail.bsd.uchicago.edu>
Message-ID: <1162667235.454ce4e39f058@webemail.bsd.uchicago.edu>

That was it. I had to manually install it and now it works, thanks.

Quoting Ugo Bellavance :

> Ian Miller wrote:
> > Does anyone have any insight into this error?
I have three sendmail/solaris > 9 > > systems that need upgrading and I need some kind of solution .. > > I am willing to work with someone on the problem... > > (give them ssh access on a test system) just to work it out. > > Please help if time permits .. > > thanks > > -i > > Quoting Ian Miller : > > > >> I am running solaris 9 with perl 5.8.8 and just upgraded to the latest > >> MailScanner and I received this error on start > >> > >> # ./MailScanner > >> Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: > >> /opt/MailScanner/lib > >> /usr/local/lib/perl5/5.8.8/sun4-solaris /usr/local/lib/perl5/5.8.8 > >> /usr/local/lib/perl5/site_perl/5.8.8/sun4-solaris > >> /usr/local/lib/perl5/site_perl/5.8.8 > >> /usr/local/lib/perl5/site_perl/5.8.5/sun4-solaris > >> /usr/local/lib/perl5/site_perl/5.8.5 /usr/local/lib/perl5/site_perl . > >> /opt/MailScanner/lib) at ./MailScanner line 67. > >> BEGIN failed--compilation aborted at ./MailScanner line 67. > > This probably means that the perl module Sys::Hostname::Long is not > installed. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Ian Miller Sr. Systems Engineer University of Chicago 929 E 57th St. W342 Chicago, IL 60637 773-834-3191 imiller@bsd.uchicago.edu This e-mail and any attachments may contain privileged and confidential information for use only by the intended recipient. If you have received this e-mail in error, please delete the e-mail and all copies thereof and notify us by e-mail or a collect call to our office; do not forward the e-mail. 
From ssilva at sgvwater.com Sat Nov 4 19:22:07 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 4 19:22:35 2006 Subject: Not detecting some instances of viruses In-Reply-To: <454CB9F2.60505@solidstatelogic.com> References: <200611030529.kA35TDic014240@summitmotors.com.au> <454CA1D8.3080004@nkpanama.com> <454CB9F2.60505@solidstatelogic.com> Message-ID: Martin Hepworth spake the following on 11/4/2006 8:04 AM: > Alex Neuman wrote: >> Jon Bates wrote: >>> I'm having trouble whereby only SOME instances of the same virus are >>> being >>> identified by ClamAV. >>> >>> The virus is exactly the same type every time, but only some get >>> detected - >>> the rest are sent on to the user! >>> >>> There is no pattern that I can see - Zip files (containing infected >>> exe), >>> and plain exe files have been allowed through. >>> >>> I've subsequently scanned the users mailbox on the server using >>> clamscan, >>> and it DOES detect the email! For some reason, when it is scanned >>> when the >>> message is received, it's not detected. >>> Any help would be appreciated! >>> >>> - Jon Bates >>> >>> >> You shouldn't be allowing EXEs in the first place, I think. > > if you work with Windows developers then I'm afraid you have to! We do > this selectively of course! > Even Windows developers can learn to zip up an exe! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Nov 4 19:39:11 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 4 19:39:43 2006 Subject: Greylisting .. nice .. In-Reply-To: References: Message-ID: Jim Holland spake the following on 11/3/2006 10:53 PM: > On Sat, 4 Nov 2006, Res wrote: > >> Date: Sat, 4 Nov 2006 11:48:21 +1000 (EST) >> From: Res >> Reply-To: MailScanner discussion >> To: MailScanner discussion >> Subject: Re: Greylisting .. nice .. >> >> On Fri, 3 Nov 2006, Rob Poe wrote: >> >>> My thoughts so far are this: Why didn't I do this sooner. 
>> Its going to be pointless soon, problem is, as more and more people do >> this, it wont be long before the common garden variety spammers smtp >> engine will also retry on 4xx errors, id give it a year tops (if some of >> them are not already doing it) > > My objection to it is not that it doesn't work, but that it makes all > genuine mail servers work twice as hard to deliver mail. I like having an > outgoing mail queue as clean as possible, and the greylisters mean > multiple retry attempts before the mail can be delivered. The more people > adopt it the harder it is going to get for the rest of us. And if the > spammers adapt to it then we are all going to face a massive increase in > the number of connection attempts they make on us to defeat greylisting, > and Internet bandwidth will become even more congested than it is at the > moment. > > It reminds me of the arguments for keeping a gun in the house - "I just > want to make sure that I can protect my family against a dangerous world". > But if everyone did just that the world would become an even more > dangerous place. > > There are definitely no guns in my house. I sure don't want to get into the gun/no gun debate! Probably more heated then the postfix/sendmail/exim debate! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Nov 4 19:41:53 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 4 19:45:09 2006 Subject: Greylisting .. nice .. In-Reply-To: References: <454C6FF8.9000300@netmagicsolutions.com> Message-ID: Res spake the following on 11/4/2006 4:34 AM: > On Sat, 4 Nov 2006, Dhawal Doshy wrote: > >> Res wrote: >>> On Sat, 4 Nov 2006, Jim Holland wrote: >>> >>>> My objection to it is not that it doesn't work, but that it makes all >>>> genuine mail servers work twice as hard to deliver mail. 
I like >>>> having an >>>> outgoing mail queue as clean as possible, and the greylisters mean >>> >>> This is the biggest point of it, the people trying to get everyone >>> using greylisting obviously dont see much mail or don't have >>> impatient whinging @!#$@#$'s as customers >>> >>> It seems to be a big thing with the postmix (intended pun) users >>> for some reason. >> >> Us postmix users use selective greylisting ;-) See >> http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml >> >> I kinda agree that simply greylisting is not as effective as before. >> However a combination of policyd-weight (rbl+rhsbl scoring) + >> selective greylisting still works wonders in my setup.. > > I use RBL's in MTA rather than score them, if its trash the less > resource sof mine I allow them to use the better :) > I like scoring the more aggressive ones first. Then if I see no false positives over a period of time, I can move them to the MTA. I am preparing moving the njabl_dul to the MTA because I have had a 100% spam rate with its hits. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ajos1 at onion.demon.co.uk Sun Nov 5 00:53:03 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Sun Nov 5 00:53:19 2006 Subject: MS - MailWatch Question... Message-ID: - I am installing the MailWatch web package... and I have a question... ---------- In /etc/MailScanner/MailScanner.conf it has the line: Quarantine Whole Messages As Queue Files = no ---------- ---------- In "http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:install" it says i need: Quarantine Whole Message As Queue Files = no ---------- Which one is right... "Messages" or "Message" ? From ssilva at sgvwater.com Sun Nov 5 05:14:04 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sun Nov 5 05:14:23 2006 Subject: MS - MailWatch Question... 
In-Reply-To: References: Message-ID: ajos1@onion.demon.co.uk spake the following on 11/4/2006 4:53 PM: > - > > I am installing the MailWatch web package... and I have a question... > > ---------- > In /etc/MailScanner/MailScanner.conf it has the line: > > Quarantine Whole Messages As Queue Files = no > ---------- > > ---------- > In "http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:install" it says i need: > > Quarantine Whole Message As Queue Files = no > ---------- > > Which one is right... "Messages" or "Message" ? Don't change the option names in the conf file. You just need to change the "yes"'s to "no"s and vice versa. If it says messages in the conf file, assume that the Mailwatch docs have a typo. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From james at grayonline.id.au Sun Nov 5 10:40:27 2006 From: james at grayonline.id.au (James Gray) Date: Sun Nov 5 10:41:00 2006 Subject: ClamAV Problem Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As of yesterday, I've started seeing the following in the mail log, being dumped by MailScanner: ClamAVModule::LibClamAV Warning: ******************************************************** ClamAVModule::LibClamAV Warning: *** This version of the ClamAV engine is outdated. *** ClamAVModule::LibClamAV Warning: *** DON'T PANIC! Read http:// www.clamav.net/faq.html *** ClamAVModule::LibClamAV Warning: ******************************************************** Virus Scanning: ClamAV Module found 4 infections Virus Scanning: Found 4 viruses However, running "freshclam" says: ClamAV update process started at Sun Nov 5 21:33:52 2006 main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm) WARNING: Your ClamAV installation is OUTDATED! WARNING: Current functionality level = 9, recommended = 10 DON'T PANIC! 
Read http://www.clamav.net/faq.html daily.cvd is up to date (version: 2162, sigs: 1601, f-level: 9, builder: arnaud) So at least THAT bit jives with MailScanner's interpretation of the situation. Now to the weird part: $ clamscan --version ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 Erm, 0.88.5 is the *latest* STABLE (ie, "non-RC") build available for ClamAV. So how do I fix this? It's seriously playing havoc with my stats and the logs are as messy as hell :( Any help appreciated :) Cheers, James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFTb+lwBHpdJO7b9ERAic5AKCB4H0jn/H0P5ZwSS51oxzvy7bsGwCg3BnU cu9p/t/iOvkR6NkBiMzRu9c= =W7iG -----END PGP SIGNATURE----- From raymond at prolocation.net Sun Nov 5 11:06:25 2006 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Sun Nov 5 11:06:26 2006 Subject: ClamAV Problem In-Reply-To: References: Message-ID: Hi! > Now to the weird part: > > $ clamscan --version > ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 And you are suer you dont have multiple instances of clam installed? Bye, Raymond. From arturs at netvision.net.il Sun Nov 5 11:16:45 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Sun Nov 5 11:19:12 2006 Subject: ClamAV Problem In-Reply-To: Message-ID: <009401c700cb$e14735d0$3701a8c0@lapxp> There is a thread in ClamAV ML reg. this. 
Devs say sorry: one of mirrors outdated/broken Best, -- Arthur Sherman +972-52-4878851 CPTeam > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of James Gray > Sent: Sunday, November 05, 2006 12:40 PM > To: MailScanner Discussion List > Subject: ClamAV Problem > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > As of yesterday, I've started seeing the following in the mail log, > being dumped by MailScanner: > > ClamAVModule::LibClamAV Warning: > ******************************************************** > ClamAVModule::LibClamAV Warning: *** This version of the ClamAV > engine is outdated. *** > ClamAVModule::LibClamAV Warning: *** DON'T PANIC! Read http:// > www.clamav.net/faq.html *** > ClamAVModule::LibClamAV Warning: > ******************************************************** > Virus Scanning: ClamAV Module found 4 infections > Virus Scanning: Found 4 viruses > > However, running "freshclam" says: > > ClamAV update process started at Sun Nov 5 21:33:52 2006 > main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, > builder: tkojm) > WARNING: Your ClamAV installation is OUTDATED! > WARNING: Current functionality level = 9, recommended = 10 > DON'T PANIC! Read http://www.clamav.net/faq.html > daily.cvd is up to date (version: 2162, sigs: 1601, f-level: 9, > builder: arnaud) > > So at least THAT bit jives with MailScanner's interpretation of the > situation. > > Now to the weird part: > > $ clamscan --version > ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 > > Erm, 0.88.5 is the *latest* STABLE (ie, "non-RC") build > available for > ClamAV. So how do I fix this? 
It's seriously playing havoc with my > stats and the logs are as messy as hell :( > > Any help appreciated :) > > Cheers, > > James > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.3 (Darwin) > > iD8DBQFFTb+lwBHpdJO7b9ERAic5AKCB4H0jn/H0P5ZwSS51oxzvy7bsGwCg3BnU > cu9p/t/iOvkR6NkBiMzRu9c= > =W7iG > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From james at grayonline.id.au Sun Nov 5 11:52:16 2006 From: james at grayonline.id.au (James Gray) Date: Sun Nov 5 11:52:37 2006 Subject: ClamAV Problem In-Reply-To: References: Message-ID: <750F557A-FCDC-4CA4-8900-7E1058AA30DD@grayonline.id.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/11/2006, at 10:06 PM, Raymond Dijkxhoorn wrote: > Hi! > >> Now to the weird part: >> >> $ clamscan --version >> ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 > > And you are suer you dont have multiple instances of clam installed? Hi Ray, Yup - absolutely positive. Did a sudo find / -name "*clam*" -type f ...and sure enough, only the stuff in /usr/local was returned. So only one instance :P Thanks for the suggestio though, it was a good check. My MailScanner runs on Mac OSX machine and at one point I had ClamAV installed from "fink" but removed it in favour of Julian's ClamAV+SpamAssassin bundle. I did some fink updates the other day and didn't pay that much attention...so ClamAV could very well have been installed twice, as fink puts all it's fru-fru under /sw. Thanks for the pointer! 
:)

Cheers,

James

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFTdBzwBHpdJO7b9ERAmeZAKCYSAv2aMTb2gw2NI0q4scNs8ekPwCgrybp
Dd2AGXiuK2SDFqJeubatuxE=
=Qivf
-----END PGP SIGNATURE-----

From james at grayonline.id.au Sun Nov 5 12:05:56 2006
From: james at grayonline.id.au (James Gray)
Date: Sun Nov 5 12:06:13 2006
Subject: ClamAV Problem
In-Reply-To: <009401c700cb$e14735d0$3701a8c0@lapxp>
References: <009401c700cb$e14735d0$3701a8c0@lapxp>
Message-ID: <16C22854-6F0A-4489-8678-EA12DA6EED7C@grayonline.id.au>

On 05/11/2006, at 10:16 PM, Arthur Sherman wrote:

> There is a thread in ClamAV ML reg. this.
> Devs say sorry: one of mirrors outdated/broken

Thanks Arthur - I really should subscribe to that list shouldn't I? :P

For the others here, the thread on the ClamAV Users List is available here:
http://lurker.clamav.net/thread/20061103.221240.b49f234b.en.html

Cheers,

James

From ugob at camo-route.com Sun Nov 5 14:36:50 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Sun Nov 5 14:40:48 2006
Subject: Remove SpamAssasin report in 'attachment deliver'
In-Reply-To: <454B4D1B.2000807@USherbrooke.ca>
References: <454B4D1B.2000807@USherbrooke.ca>
Message-ID:

Denis Beauchemin wrote:
> Ugo Bellavance wrote:
>> Hi,
>>
>> I'd like to know how to not have the report details in the body
>> when using the 'attachment' action for delivering. I know there is an
>> "Always include SpamAssassin Report" option, but I'm afraid I won't
>> have it in the headers if I disable it.
>>
>> Thanks,
>>
>> Ugo
>>
> Hi Ugo,
>
> I guess you could use the following in your spam.assassin.prefs.conf to
> clear the default report (from "man Mail::SpamAssassin::Conf"):
>    clear_report_template
>        Clear the report template.
>    report ...some text for a report...
>        Set the report template which is attached to spam mail
>        messages. See the "10_misc.cf" configuration
>        file in "/usr/share/spamassassin" for an example.
>
>        If you change this, try to keep it under 78 columns.
Each
>        "report" line appends to the existing
>        template, so use "clear_report_template" to restart.
>
>        Tags can be included as explained above.
>
> I use a French-localized version here with:
> lang fr clear-report-template
> lang fr report ------------------ Début de Rapport SpamAssassin
> ---------------------

I don't want to change it, I only want it to be blank, nothing... is it sufficient to just put 'clear_report_template' into the spam.assassin.prefs.conf?

Thanks

From prandal at herefordshire.gov.uk Sun Nov 5 14:53:36 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Nov 5 14:53:58 2006
Subject: ClamAV Problem
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681D6@isabella.herefordshire.gov.uk>

It looks like the main.cvd file has one or more level 10 signatures in it.

The ClamAV team are aware of it, and working on it. I guess they're going to have to rebuild main.cvd and reissue it.

Cheers,

Phil

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James Gray
Sent: Sunday, November 05, 2006 10:40 AM
To: MailScanner Discussion List
Subject: ClamAV Problem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As of yesterday, I've started seeing the following in the mail log, being dumped by MailScanner:

ClamAVModule::LibClamAV Warning: ********************************************************
ClamAVModule::LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
ClamAVModule::LibClamAV Warning: *** DON'T PANIC! Read http:// www.clamav.net/faq.html ***
ClamAVModule::LibClamAV Warning: ********************************************************
Virus Scanning: ClamAV Module found 4 infections
Virus Scanning: Found 4 viruses

However, running "freshclam" says:

ClamAV update process started at Sun Nov 5 21:33:52 2006
main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 9, recommended = 10 DON'T PANIC! Read http://www.clamav.net/faq.html daily.cvd is up to date (version: 2162, sigs: 1601, f-level: 9, builder: arnaud) So at least THAT bit jives with MailScanner's interpretation of the situation. Now to the weird part: $ clamscan --version ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 Erm, 0.88.5 is the *latest* STABLE (ie, "non-RC") build available for ClamAV. So how do I fix this? It's seriously playing havoc with my stats and the logs are as messy as hell :( Any help appreciated :) Cheers, James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFTb+lwBHpdJO7b9ERAic5AKCB4H0jn/H0P5ZwSS51oxzvy7bsGwCg3BnU cu9p/t/iOvkR6NkBiMzRu9c= =W7iG -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Sun Nov 5 15:57:37 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Nov 5 15:57:40 2006 Subject: Mail Log Error Message In-Reply-To: <000001c70040$57b62410$c8fea8c0@intech.us> References: <000001c70040$57b62410$c8fea8c0@intech.us> Message-ID: <223f97700611050757x2d17c791v1fa1499a96bb9a9@mail.gmail.com> On 04/11/06, Integrated Technologies wrote: > > > > > My complete install was going fine?no errors, no snags. I check my logs this > morning and received the following error (I had a power failure and it > rebooted)r: > > > > MailScanner[2906]: MailScanner E-Mail Virus Scanner version 4.56.8 starting? 
> > MailScanner[2906]: Syntax error(s) in configuration file: > > MailScanner[2906]: Unrecognized keyword "spamassassinprefsfile" at line 2213 > > MailScanner[2906]: Aborting due to syntax errors in > /etc/MailScanner/NailScanner.conf > > > > I went to my MailScanner.conf configuration file and these are the lines > before and after line 2213 (this is actually the very last line in my > MailScanner.conf file): > > > > 2209 # READ and UNDERSTAND the above text BEFORE changing this. > > 2210 # > > 2211 Minimum Code Status = supported > > 2212 > > 2213 SpamAssassin Prefs File = > /etc/MailScanner/spam.assassin.prefs.conf > > 2214 > > > > There is NOTHING that I have touched within these last few lines... and ideas? > > > > My gratitude ahead of time for your patience and assistance > > > > SRB, Integrated Technologies > > Owner/Senior Developer >

Was this an update or a fresh install? If the former, I suspect you forgot to run upgrade_MailScanner_conf (just run it without any arguments to get some instructions on how to use it). If not, then well... Try just commenting that line out. ISTR that one "going out the window" some versions back. Use MailScanner --lint and MailScanner --changed as well as MailScanner --debug to determine that all is well (after appropriate changes:-).

HtH
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From raymond at prolocation.net Sun Nov 5 18:57:20 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Sun Nov 5 18:57:18 2006
Subject: ClamAV Problem
In-Reply-To:
References:
Message-ID:

Hi!

>> Now to the weird part: >> >> $ clamscan --version >> ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 > > And you are sure you don't have multiple instances of clam installed?

[Clamav-announce] announcing ClamAV 0.88.6

You can fix it now ;)

Bye, Raymond.
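The mismatch behind the warning in James Gray's freshclam output earlier in this thread (engine at functionality level 9, main.cvd built at f-level 10) can be picked out mechanically. The following is an added example, not code from any poster or from the ClamAV or MailScanner projects; the function names and result labels are hypothetical, and the sample text is the freshclam output quoted in that post with its line breaks restored.

```python
import re

# freshclam output as quoted in James Gray's post (line breaks restored).
SAMPLE = """\
ClamAV update process started at Sun Nov 5 21:33:52 2006
main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 9, recommended = 10
DON'T PANIC! Read http://www.clamav.net/faq.html
daily.cvd is up to date (version: 2162, sigs: 1601, f-level: 9, builder: arnaud)
"""

# One line per signature database. freshclam prints "updated" instead of
# "is up to date" when it has just downloaded a new copy.
DB_LINE = re.compile(
    r"^(?P<name>\S+) (?:is up to date|updated) "
    r"\(version: (?P<version>\d+), sigs: (?P<sigs>\d+), "
    r"f-level: (?P<flevel>\d+), builder: (?P<builder>[^)]+)\)\s*$"
)
# The engine's own level and the level the databases recommend.
ENGINE_LINE = re.compile(
    r"Current functionality level = (?P<current>\d+), "
    r"recommended = (?P<recommended>\d+)"
)


def parse_freshclam(text):
    """Return (databases, engine_level, recommended_level) from freshclam output."""
    databases, engine, recommended = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DB_LINE.match(line)
        if m:
            databases.append({
                "name": m["name"],
                "version": int(m["version"]),
                "sigs": int(m["sigs"]),
                "flevel": int(m["flevel"]),
                "builder": m["builder"],
            })
            continue
        m = ENGINE_LINE.search(line)
        if m:
            engine = int(m["current"])
            recommended = int(m["recommended"])
    return databases, engine, recommended


def diagnose(text):
    """Say which database, if any, was built for a newer engine than the one installed."""
    databases, engine, recommended = parse_freshclam(text)
    result = {"warning": engine is not None, "engine_level": engine,
              "recommended": recommended, "ahead": [], "cause": "none"}
    if engine is None:
        # No level line in the output, so there is nothing to compare against.
        return result
    result["ahead"] = [db["name"] for db in databases if db["flevel"] > engine]
    if result["ahead"]:
        # The case in the thread: the engine is the newest stable release,
        # but a database was published at a higher f-level.
        result["cause"] = "database-ahead-of-engine"
    elif recommended is not None and recommended > engine:
        result["cause"] = "engine-behind-recommended"
    return result


if __name__ == "__main__":
    report = diagnose(SAMPLE)
    print("engine level:", report["engine_level"],
          "recommended:", report["recommended"])
    print("databases ahead of engine:", ", ".join(report["ahead"]) or "none")
    print("cause:", report["cause"])
```

Run against the quoted output it singles out main.cvd, which matches Phil Randal's reading that the database, not a stale install, triggered the warning.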
From MailScanner at ecs.soton.ac.uk Sun Nov 5 19:19:51 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Nov 5 19:22:43 2006
Subject: DBD-SQLite install error?
In-Reply-To: <1951DC816E1A9F469307B05FA183F4385FF532@corpatsmail1.corp.sensis.com>
References: <1951DC816E1A9F469307B05FA183F4385FF532@corpatsmail1.corp.sensis.com>
Message-ID: <454E3957.6060506@ecs.soton.ac.uk>

Thanks for that. The installer now points to 1.12, which should be right.

Desai, Jason wrote: > Thanks for the info. I probably should have mentioned that I was able to > unpack and install it manually. I just wanted to give Julian a heads up > that the installer script may have a bug. > > Jase > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Eduardo Casarero >> Sent: Friday, November 03, 2006 11:59 AM >> To: MailScanner discussion >> Subject: Re: DBD-SQLite install error? >> >> after install.sh finish install dbdsqlite by hand, it works. >> >> >> ~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# >> >> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1. >> > 12# perl Makefile.PL > >> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make >> >> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1. >> > 12# make install > >> regards. >> >> eduardo >> >> >> 2006/11/3, Desai, Jason : >> >> When I try to install MailScanner version 4.56.8 using >> the tar version, >> I get this: >> >> ============ >> Attempting to build and install DBD-SQLite-1.11 >> Unpacking perl-tar/DBD-SQLite-1.11.tar.gz >> Missing file perl-tar/DBD- SQLite-1.11.tar.gz . Are you >> in the right >> directory? >> >> Missing directory /tmp/DBD-SQLite-1.11 . >> Maybe it did not build correctly? >> ============ >> >> I notice that DBD-SQLite-1.12.tar.gz is in the perl-tar >> directory.
>> Perhaps the install scripts needs to try to install >> DBD-SQLite-1.12 >> instead of DBD-SQLite-1.11? >> >> Jase >> >> -- >> Jason Desai >> Network Administrator >> Sensis Corporation >> jase@sensis.com >> http://www.sensis.com >> (315) 445-5811 >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> >> >> Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From prandal at herefordshire.gov.uk Sun Nov 5 20:48:17 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sun Nov 5 20:48:34 2006 Subject: FW: [Clamav-announce] announcing ClamAV 0.88.6 Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681D7@isabella.herefordshire.gov.uk> FYI -----Original Message----- From: clamav-announce-bounces@lists.clamav.net [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca Gibelli Sent: Sunday, November 05, 2006 6:34 PM To: ClamAV Announce Subject: [Clamav-announce] announcing ClamAV 0.88.6 Dear ClamAV users, Changes in this release include better handling of network problems in freshclam and other minor bugfixes. The ClamAV developers encourage all users to give a try to the latest beta version of 0.90! 
-- The ClamAV team (http://www.clamav.net/team.html) -- Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit [Tel] +44 2081239239 [Fax] +39 0187015046 [IM] nervous/jabber.linux.it PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce

From develop at in-tech.us Sun Nov 5 21:19:11 2006
From: develop at in-tech.us (Integrated Technologies)
Date: Sun Nov 5 21:13:58 2006
Subject: [Clamav-announce] announcing ClamAV 0.88.6
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681D7@isabella.herefordshire.gov.uk>
Message-ID: <000301c70120$0ff76040$c8fea8c0@intech.us>

Funny thing is, on the downloads page of ClamAV, if you click on the latest stable (0.8x.x or something) it takes you to the 0.90rc2 download on SourceForge...

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 05, 2006 2:48 PM
To: MailScanner (mailscanner@lists.mailscanner.info)
Subject: FW: [Clamav-announce] announcing ClamAV 0.88.6

FYI

-----Original Message-----
From: clamav-announce-bounces@lists.clamav.net [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca Gibelli
Sent: Sunday, November 05, 2006 6:34 PM
To: ClamAV Announce
Subject: [Clamav-announce] announcing ClamAV 0.88.6

Dear ClamAV users,

Changes in this release include better handling of network problems in freshclam and other minor bugfixes. The ClamAV developers encourage all users to give a try to the latest beta version of 0.90!
-- The ClamAV team (http://www.clamav.net/team.html) -- Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit [Tel] +44 2081239239 [Fax] +39 0187015046 [IM] nervous/jabber.linux.it PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!

-------------------- Integrated Technologies has scanned this message for viruses with MailScanner and is believed to be clean.

From develop at in-tech.us Mon Nov 6 05:29:35 2006
From: develop at in-tech.us (Integrated Technologies)
Date: Mon Nov 6 05:24:16 2006
Subject: MailScanner.conf parameter question
Message-ID: <000001c70164$918d1c50$c8fea8c0@intech.us>

Just a little confused on one setting in the MailScanner.conf file:

Sign Message Already Processed = yes

If I set the above to "no", will it still scan a reply returned to me and just not append it with another footer sig? Or will this completely allow the returned message to bypass MailScanner altogether?

I can see the value of not signing the message numerous times; especially if it was a business email (for example) that requires multiple replies. But then again, if this allows the replied to message to completely bypass MailScanner then I'll have to rethink my strategy.

Please advise.

My gratitude for your time and patience

SRB, Integrated Technologies Owner/Senior Developer

-------------------- Integrated Technologies has scanned this message for viruses with MailScanner and is believed to be clean.
From jon.bates at summitmotors.com.au Mon Nov 6 06:10:30 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Mon Nov 6 06:10:57 2006
Subject: Not detecting some instances of viruses
In-Reply-To: <200611031200.kA3C0Hht010238@bkserver.blacknight.ie>
Message-ID: <200611060610.kA66AeXw006899@summitmotors.com.au>

Reni Berber Wrote: > Could be any of: > 1. Timing. A virus signature that was just added to the DB. > 2. Rules. If you have rules specifying what is virus scanned. > 3. Size. Limits in MS configuration and also in the program/module doing the > scanning. > 4. Scan Parameters. clamscan has default parameters that are a little different > that the perl module, for instance corrupt executable is detected by clamscan > but I'm not sure if the module does detect it. > 5. Encoding. There is a parameter in MS about scanning uuencoded parts, I'm not > sure if this affects virus scanning. > What does the log show? (does it say scanning for viruses ... clean ?) > -- > Reni Berber

First of all, thanks to those others who replied to my initial email - I think I've found a resolution (see below).

Martin,

Yes, I quarantine a copy of every email that comes through, this helped me diagnose the issue - Thanks!

Reni,

1. Timing - I think this is the cause of the issue; attempts to release the email from the quarantine showed that the infected email was being caught straight away! This would lead me to believe that ClamAV simply didn't know about the type of virus when the initial copy of it came through. I didn't realise previously, but they weren't all exactly the same virus. They were the same subject and size, but different variants of the same virus kept coming through! (Worm.Stration.XX - in case you're interested!)
I haven't got the log from when it came through initially, but I assume that it would have been scanned and deemed "clean" as I haven't seen any other errors in there at all that would lead to some sort of scanning error.

Luckily my spam countermeasures are trained pretty well so nearly all instances of the virus were actually quarantined as spam, and the rest under content filtering (no exe files allowed). The only users who actually received the virus were power users who are allowed to receive executable files - Luckily they were smart enough not to be tempted to "increase the size of their wang" by opening an exe file - lol

---- I checked your other points anyway:

2. Rules - I'm not running a ruleset on "Virus Scanning".. I AM running a ruleset on Dangerous Content Scanning, but as I understand that this doesn't exclude Virus scanning for its matches anyway. I can't see any other rulesets that could cause this behaviour.

3. Size - The emails are all roughly 30kb in size.

4. Scan Parameters - Is there a way that you know of that I can test scanning mbox files with the perl module instead? Sorry I'm relatively new to linux so I didn't bother with this one :P

5. Encoding - Find UU-Encoded Files was set to NO. Have changed this to yes to be safe.

From glenn.steen at gmail.com Mon Nov 6 11:53:22 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Nov 6 11:53:24 2006
Subject: MailScanner.conf parameter question
In-Reply-To: <000001c70164$918d1c50$c8fea8c0@intech.us>
References: <000001c70164$918d1c50$c8fea8c0@intech.us>
Message-ID: <223f97700611060353y5d227b2dm5d4d6fcb7ca6b4ed@mail.gmail.com>

On 06/11/06, Integrated Technologies wrote: > Just a little confused on one setting in the MailScanner.conf file: > > Sign Message Already Processed = yes > > If I set the above to "no", will it still scan a reply returned to me and > just not append it with another footer sig? Or will this completely allow > the returned message to bypass MailScanner altogether?
> > I can see the value of not signing the message numerous times; especially if > it was a business email (for example) that requires multiple replies... But > then again, if this allows the replied to message to completely bypass > MailScanner then I'll have to rethink my strategy... > > Please advise. > > My gratitude for your time and patience >

IIRC, this does exactly what it says on the tin... It will prevent the signing of a message detected to have passed through MS already (on another host), so that if you have several MailScanners "chained together" (think secondary MX palming things off to a primary MX after a stop, type of things) only the first gets to leave a visible mark in the body. AFAIR that is it... Both instances will scan as normal.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From pascal.maes at elec.ucl.ac.be Mon Nov 6 14:40:26 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Mon Nov 6 14:40:29 2006
Subject: Problem with SORBS-SPAM ?
Message-ID:

Hello,

Today, from 14h11 until I suppress SORBS-SPAM from the RBL list, we have seen the following lines in our maillog file:

Nov 6 14:11:27 smtp-3 MailScanner[23222]: RBL checks: AFAA613E46.CAEC5 found in SORBS-SPAM
Nov 6 14:11:31 smtp-3 MailScanner[22778]: RBL checks: 53CF913F42.84D1B found in SORBS-SPAM
Nov 6 14:11:34 smtp-3 MailScanner[25704]: RBL checks: 78BE513F42.B7EB5 found in SORBS-SPAM
Nov 6 14:11:37 smtp-3 MailScanner[25704]: RBL checks: 0313713E60.D1B8E found in SORBS-SPAM

And some details for the last one :

Nov 6 14:11:37 smtp-3 postfix/smtpd[28567]: 0313713E60: client=linux1.sia.ucl.ac.be[130.104.1.142]
Nov 6 14:11:37 smtp-3 MailScanner[25704]: RBL checks: 0313713E60.D1B8E found in SORBS-SPAM
Nov 6 14:11:39 smtp-3 MailScanner[25704]: Message 0313713E60.D1B8E from 127.0.0.1 (from_address) to to_domain_address is

- we are using Postfix 2.3.3
- 130.104.1.142 is not on the Black list
- the RBL checks come after a HOLD with postfix. So, it seems to come from 127.0.0.1
- the message from MailScanner is truncated. Why ?

Any idea of the problem ?

Thanks
-- Pascal

From hooperism at gmail.com Mon Nov 6 15:57:31 2006
From: hooperism at gmail.com (Alex Hooper)
Date: Mon Nov 6 15:57:36 2006
Subject: f-prot output problem
Message-ID:

Hi,

I've been running MailScanner on my linux gateway at home for over two years without problem. A couple of days ago, though, I started seeing this in the logs:

Nov 6 15:14:41 ******* MailScanner[1180]: Either you've found a bug in MailSc anner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "/var/spool/MailScanner/incoming/1180/kA34x7j14493/msg-1180-50.html->1teMN l". Please mail the author of MailScanner

I don't believe anything has changed on my machine. I've now got over 10K messages waiting to scan... Has anyone any idea how I might resolve this?
Cheers, -- Alex Hooper From MailScanner at ecs.soton.ac.uk Mon Nov 6 18:44:06 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 6 18:47:24 2006 Subject: [Clamav-announce] announcing ClamAV 0.88.6 In-Reply-To: <000301c70120$0ff76040$c8fea8c0@intech.us> References: <000301c70120$0ff76040$c8fea8c0@intech.us> Message-ID: <454F8276.4060103@ecs.soton.ac.uk> Can someone let me know when they fix this distribution bug please? I can't update a "production" system to a Release Candidate. Integrated Technologies wrote: > Funny thing is, on the downloads page of ClamAV, of you click on the latest > stable (0.8x.x or something) it takes you to the 0.90rc2 download on > SourceForge... > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, > Phil > Sent: Sunday, November 05, 2006 2:48 PM > To: MailScanner (mailscanner@lists.mailscanner.info) > Subject: FW: [Clamav-announce] announcing ClamAV 0.88.6 > > FYI > > -----Original Message----- > From: clamav-announce-bounces@lists.clamav.net > [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca > Gibelli > Sent: Sunday, November 05, 2006 6:34 PM > To: ClamAV Announce > Subject: [Clamav-announce] announcing ClamAV 0.88.6 > > Dear ClamAV users, > > Changes in this release include better handling of network problems in > freshclam and other minor bugfixes. > > The ClamAV developers encourage all users to give a try to the latest > beta version of 0.90! > > -- > The ClamAV team (http://www.clamav.net/team.html) > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Mon Nov 6 18:47:10 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Nov 6 18:47:30 2006
Subject: f-prot output problem
In-Reply-To:
References:
Message-ID: <454F832E.8090805@ecs.soton.ac.uk>

I would suspect your F-Prot edition has been updated.

Alex Hooper wrote: > Hi, > > I've been running MailScanner on my linux gateway at home for over two > years without problem. A couple of days ago, though, I started seeing > this in the logs: > > Nov 6 15:14:41 ******* MailScanner[1180]: Either you've found a bug > in MailSc > anner's F-Prot output parser, or F-Prot's output format has changed! > F-Prot said > this > "/var/spool/MailScanner/incoming/1180/kA34x7j14493/msg-1180-50.html->1teMN > > l". Please mail the author of MailScanner > > I don't believe anything has changed on my machine. I've now got over > 10K messages waiting to scan... Has anyone any idea how I might > resolve this? > > Cheers,

Jules

-- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Mon Nov 6 18:45:05 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Nov 6 18:47:34 2006
Subject: MailScanner.conf parameter question
In-Reply-To: <000001c70164$918d1c50$c8fea8c0@intech.us>
References: <000001c70164$918d1c50$c8fea8c0@intech.us>
Message-ID: <454F82B1.3030609@ecs.soton.ac.uk>

Integrated Technologies wrote: > > Just a little confused on one setting in the MailScanner.conf file: > > Sign Message Already Processed = yes > > If I set the above to "no", will it still scan a reply returned to me > and just not append it with another footer sig? Or will this > completely allow the returned message to bypass MailScanner altogether? >

No, it does exactly what it says. It will still scan it, I ain't that dumb :-)

> I can see the value of not signing the message numerous times; > especially if it was a business email (for example) that requires > multiple replies... But then again, if this allows the replied to message > to completely bypass MailScanner then I'll have to rethink my strategy... > > Please advise. > > My gratitude for your time and patience > > SRB, Integrated Technologies > > Owner/Senior Developer > > > -------------------- > /Integrated Technologies/ has scanned this > message for viruses > with MailScanner and it is believed to be clean.

Jules

-- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk From prandal at herefordshire.gov.uk Mon Nov 6 18:59:45 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Nov 6 18:59:52 2006 Subject: [Clamav-announce] announcing ClamAV 0.88.6 Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581057B675@isabella.herefordshire.gov.uk> Works for me. Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 06 November 2006 18:44 > To: MailScanner discussion > Subject: Re: [Clamav-announce] announcing ClamAV 0.88.6 > > Can someone let me know when they fix this distribution bug please? > I can't update a "production" system to a Release Candidate. > > Integrated Technologies wrote: > > Funny thing is, on the downloads page of ClamAV, of you > click on the latest > > stable (0.8x.x or something) it takes you to the 0.90rc2 download on > > SourceForge... > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Randal, > > Phil > > Sent: Sunday, November 05, 2006 2:48 PM > > To: MailScanner (mailscanner@lists.mailscanner.info) > > Subject: FW: [Clamav-announce] announcing ClamAV 0.88.6 > > > > FYI > > > > -----Original Message----- > > From: clamav-announce-bounces@lists.clamav.net > > [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca > > Gibelli > > Sent: Sunday, November 05, 2006 6:34 PM > > To: ClamAV Announce > > Subject: [Clamav-announce] announcing ClamAV 0.88.6 > > > > Dear ClamAV users, > > > > Changes in this release include better handling of network > problems in > > freshclam and other minor bugfixes. > > > > The ClamAV developers encourage all users to give a try to > the latest > > beta version of 0.90! 
> > > > -- > > The ClamAV team (http://www.clamav.net/team.html) > > > > > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From mkettler at evi-inc.com Mon Nov 6 19:04:28 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Nov 6 19:04:40 2006 Subject: Problem with SORBS-SPAM ? 
In-Reply-To: References: Message-ID: <454F873C.4030002@evi-inc.com> Pascal Maes wrote: > Hello, > > > Today, from 14h11 until I suppress SORPBS-SPAM from the RBL list, we > have seen the following lines in our maillog file: > > Nov 6 14:11:27 smtp-3 MailScanner[23222]: RBL checks: AFAA613E46.CAEC5 > found in SORBS-SPAM > Nov 6 14:11:31 smtp-3 MailScanner[22778]: RBL checks: 53CF913F42.84D1B > found in SORBS-SPAM > Nov 6 14:11:34 smtp-3 MailScanner[25704]: RBL checks: 78BE513F42.B7EB5 > found in SORBS-SPAM > Nov 6 14:11:37 smtp-3 MailScanner[25704]: RBL checks: 0313713E60.D1B8E > found in SORBS-SPAM > > And some details for the last one : > > Nov 6 14:11:37 smtp-3 postfix/smtpd[28567]: 0313713E60: > client=linux1.sia.ucl.ac.be[130.104.1.142] > Nov 6 14:11:37 smtp-3 MailScanner[25704]: RBL checks: 0313713E60.D1B8E > found in SORBS-SPAM > Nov 6 14:11:39 smtp-3 MailScanner[25704]: Message 0313713E60.D1B8E from > 127.0.0.1 (from_address) to to_domain_address is > > - we are using Postfix 2.3.3 > - 130.104.1.142 is not on the Black list > - the RBL checks come after an HOLD with postfix. > So, it seems to come from 127.0.0.1 > - the message from MailScannet is truncated. Why ? > > > Any idea of the problem ? Looks like 127.0.0.1 was listed in sorbs-spam recently, but has been pulled. From ssilva at sgvwater.com Mon Nov 6 18:55:59 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 6 19:29:28 2006 Subject: Not detecting some instances of viruses In-Reply-To: <200611060610.kA66AeXw006899@summitmotors.com.au> References: <200611031200.kA3C0Hht010238@bkserver.blacknight.ie> <200611060610.kA66AeXw006899@summitmotors.com.au> Message-ID: Jon Bates spake the following on 11/5/2006 10:10 PM: > Reni Berber Wrote: > >> Could be any of: > >> 1. Timing. A virus signature that was just added to the DB. > >> 2. Rules. If you have rules specifying what is virus scanned. > >> 3. Size. Limits in MS configuration and also in the program/module doing > the >> scanning. > >> 4. 
Scan Parameters. clamscan has default parameters that are a little > different >> that the perl module, for instance corrupt executable is detected by > clamscan >> but I'm not sure if the module does detect it. > >> 5. Encoding. There is a parameter in MS about scanning uuencoded parts, > I'm not >> sure if this affects virus scanning. > >> What does the log show? (does it say scanning for viruses ... clean ?) >> -- >> Reni Berber > > > First of all, thanks to those others who replied to my initial email - I > think I've found a resolution (see below). > > Martin, > > Yes, I quarantine a copy of every email that comes through, this helped me > diagnose the issue - Thanks! > > Reni, > > 1. Timing - I think this is the cause of the issue; attempts to release the > email from the quarantine showed that the infected email was being caught > straight away! This would lead me to believe that ClamAV simply didn't know > about the type of virus when the initial copy of it came through. I didn't > realise previously, but they werent all exactly the same virus. They were > the same subject and size, but different variants of the same virus kept > coming through! (Worm.Stration.XX - in case you're interested!) > I havent got the log from when it came through initially, but I assume that > it would have been scanned and deemed "clean" as I havent seen any other > errors in there at all that would lead to some sort of scanning error. > > Luckily my spam countermeasures are trained pretty well so nearly all > instances of the virus were actually quarantined as spam, and the rest under > content filtering (no exe files allowed). The only users who actually > received the virus were power users who are allowed to receive executable > files - Luckily they were smart enough not to be tempted to "increase the > size of their wang" by opening an exe file - lol > > ---- I checked your other points anyway: > > 2. Rules - I'm not running a ruleset on "Virus Scanning".. 
I AM running a > ruleset on Dangerous Content Scanning, but as I understand that this doesn't > exclude Virus scanning for it's matches anyway. I cant see any other > rulesets that could cause this behaviour. > > 3. Size - The emails are all roughly 30kb in size. > > 4. Scan Parameters - Is there a way that you know of that I can test > scanning mbox files with the perl module instead? Sorry I'm relatively new > to linux so I didn't bother with this one :P > > 5. Encoding - Find UU-Encoded Files was set to NO. Have changed this to yes > to be safe. > > > I have caught most 0day strains of Worm.Stration.XX with filetype checks when the signatures were behind. If you don't allow unzipped executables you will catch many 0day baddies. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From raymond at prolocation.net Mon Nov 6 19:43:34 2006 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Mon Nov 6 19:43:32 2006 Subject: [Clamav-announce] announcing ClamAV 0.88.6 In-Reply-To: <454F8276.4060103@ecs.soton.ac.uk> References: <000301c70120$0ff76040$c8fea8c0@intech.us> <454F8276.4060103@ecs.soton.ac.uk> Message-ID: Hi! > Can someone let me know when they fix this distribution bug please? > I can't update a "production" system to a Release Candidate. This should be fixed in 88.6 Bye, Raymond. From ssilva at sgvwater.com Mon Nov 6 19:25:50 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 6 19:45:46 2006 Subject: [Clamav-announce] announcing ClamAV 0.88.6 In-Reply-To: <454F8276.4060103@ecs.soton.ac.uk> References: <000301c70120$0ff76040$c8fea8c0@intech.us> <454F8276.4060103@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 11/6/2006 10:44 AM: > Can someone let me know when they fix this distribution bug please? > I can't update a "production" system to a Release Candidate. > I had no problems, but it will depend on your local sourceforge mirror, and if it has synced. 
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From jfagan at firstlightnetworks.com Mon Nov 6 20:08:05 2006
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Mon Nov 6 20:06:27 2006
Subject: [Clamav-announce] announcing ClamAV 0.88.6
In-Reply-To: <454F8276.4060103@ecs.soton.ac.uk>
Message-ID: <59E4A3A1069C2640959AD0F7518C4812064D02@FLN1.fln.local>

http://superb-west.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.6.tar.gz

Just installed this and seems to be fine.

From max at assuredata.com Mon Nov 6 20:23:12 2006
From: max at assuredata.com (Max Kipness)
Date: Mon Nov 6 20:23:20 2006
Subject: Rule for DNS MX Check
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>

Hello,

I'm still having issues with receiving large image stock spam, which is not being hit by Razor, Pyzor or DCC, SARES stock, or any of the others except the SARES gif attach. It gets a low bayes score that brings the score negative at times.

One thing I have noticed is that even though the sender IP does resolve, it's usually to a dynamically generated host by a DSL company etc. Most of the time the sender address does not match this IP.

So after doing some research I'm wondering if there is a way either through Sendmail, MailScanner or SpamAssassin to either check the MX record of the sender header or match the From and Sender headers. I'd prefer this to be a SpamAssassin rule so that I could release from quarantine if there turns out to be FPs. I have a customer that deals with a lot of foreign customers that might not have DNS setup. Here is an example of a spam header received today (with my server names/ips replaced with myserver.com). What I mean is that the From header shows from byerconsulting.com, but it was actually received from dsl.pipex.com. If you did an mx check on byerconsulting.com you definitely would not get the dsl.pipex.com IP address.
But simply trying to match the Received domain to the sender domain would show something is wrong. Is there any way of scoring this stuff? --------------------------------------------------------------- Microsoft Mail Internet Headers Version 2.0 Received: from myserver.com ([192.168.1.4]) by myserver.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Nov 2006 08:02:29 -0600 Received: from DESKTOP (81-179-145-240.dsl.pipex.com [81.179.145.240]) by myserver.com with ESMTP idkA6E235h002990 for ; Mon, 6 Nov 2006 08:02:14 -0600 Received: from 65.254.254.52 (HELO mail.byerconsulting.com) by myserver.com with esmtp (2ST5N97RVEZ G4NVD) id O7FKEF-XTPYT5-6N for mkipness@myserver.com; Mon, 6 Nov 2006 14:02:22 +0000 From: "Joel Lambert" To: Subject: hi Joel Date: Mon, 6 Nov 2006 14:02:22 +0000 Message-ID: <01c701ac$2e3fbc00$6c822ecf@deborahstoryhn> MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_000A_01C701AC.2E3FBC00" X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700 Thread-Index: Aca6Q0YSVIA1BXARN9IQGMR9L98LID== X-MailScanner-MailScanner-Information: Please email support@myserver.com for more information. 
X-MailScanner-MailScanner: Found to be clean
X-MailScanner-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.752, required 5.5, BAYES_50 0.00, HTML_MESSAGE 0.00, SARE_GIF_ATTACH 0.75)
X-MailScanner-MailScanner-From: deborahstoryhn@byerconsulting.com
Return-Path: deborahstoryhn@byerconsulting.com
X-OriginalArrivalTime: 06 Nov 2006 14:02:29.0968 (UTC) FILETIME=[32AEFD00:01C701AC]

Thanks,
Max

From mkettler at evi-inc.com Mon Nov 6 20:40:32 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Nov 6 20:40:54 2006
Subject: Rule for DNS MX Check
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>
Message-ID: <454F9DC0.5090108@evi-inc.com>

Max Kipness wrote:
> Hello,
>
> I'm still having issues with receiving large image stock spam, which is
> not being hit by Razor, Pyzor or DCC, SARES stock, or any of the others
> except the SARES gif attach. It gets a low bayes score that brings the
> score negative at times.
>
> One thing I have noticed is that even though the sender IP does resolve,
> it's usually to a dynamically generated host by a DSL company etc. Most
> of the time the sender address does not match this IP.
>
> So after doing some research I'm wondering if there is a way either
> through Sendmail, MailScanner or SpamAssassin to either check the MX
> record of the sender header or match the From and Sender headers.

Yes, but that makes the bogus assumption the site uses the same server for outbound as inbound mail.

An MX record is not a valid check as to what servers should be sending mail. It's a list of inbound servers. Most larger sites have separate servers for outbound and inbound mail, mostly as a simple way of splitting the load.

What you really want is SPF, something SA does support. That DOES list what servers are valid to send mail.

And more to the point, byerconsulting.com does support SPF, but unfortunately posts their record with a ?all.
That means the owners of byerconsulting.com are not willing to declare any IP addresses as invalid for their domain.

> Received: from myserver.com ([192.168.1.4]) by myserver.com with
> Microsoft SMTPSVC(6.0.3790.1830);
> Mon, 6 Nov 2006 08:02:29 -0600
> Received: from DESKTOP (81-179-145-240.dsl.pipex.com [81.179.145.240])
> by myserver.com with ESMTP idkA6E235h002990
> for ; Mon, 6 Nov 2006 08:02:14 -0600
> Received: from 65.254.254.52 (HELO mail.byerconsulting.com)
> by myserver.com with esmtp (2ST5N97RVEZ G4NVD)

Another thing you should do, based on the above, is to declare trusted_networks manually. Since your MX is NATed, SA will not be able to correctly detect what hosts are a part of your network on its own.

Finally, enable RBL checks in SpamAssassin. That message should have hit RCVD_IN_SORBS_DUL, since 81.179.145.240 is listed, and has been since October 2004.

From ajos1 at onion.demon.co.uk Mon Nov 6 20:47:29 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Mon Nov 6 20:47:38 2006
Subject: MailScanner.conf parameter question
Message-ID:

- Hmmm... another one to S or not S...

My conf says:
Sign Messages Already Processed = no

You have "Message"... I assume you mean "Messages"

Integrated Technologies wrote:
>
> Just a little confused on one setting in the MailScanner.conf file:
>
> Sign Message Already Processed = yes
>
> If I set the above to “no”, will it still scan a reply returned to me
> and just not append it with another footer sig? Or will this
> completely allow the returned message to bypass MailScanner altogether?
>

From mkettler at evi-inc.com Mon Nov 6 21:01:15 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Nov 6 21:01:40 2006
Subject: Rule for DNS MX Check
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>
Message-ID: <454FA29B.7080403@evi-inc.com>

Side note for Max:

While you're at it, you might want to fix your own DNS records:

Received: from mail.assuredata.com (assuredata.com [69.15.149.129] (may be forged))

69.15.149.129 reverse DNS resolves as "assuredata.com", but that name has no forward resolution. This is strictly invalid, as all records returned by resolving a PTR MUST resolve back to the same IP. (note: this is different than making assumptions about HELO strings)

# host 69.15.149.129
129.149.15.69.in-addr.arpa domain name pointer assuredata.com.
129.149.15.69.in-addr.arpa domain name pointer writeontime.us.
# host assuredata.com
#

Furthermore, the other record does resolve, but to a different IP address:

# host writeontime.us
writeontime.us has address 216.21.229.197

Ouch.

See RFC 1912 section 2.1
http://www.ietf.org/rfc/rfc1912.txt

From gdoris at rogers.com Mon Nov 6 21:11:14 2006
From: gdoris at rogers.com (Gerry)
Date: Mon Nov 6 21:11:48 2006
Subject: ClamAV messed up
Message-ID: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com>

I upgraded from FC 4 to FC 6 a short time ago. I thought everything was working until I ran into problems with ClamAV and MailScanner:

1. MailScanner was continually restarting until I changed "clamavmodule" to "clamav" in MailScanner.conf

2. Running MailScanner --lint indicates that I have "clamav" in the conf file but MailScanner finds "clamavmodule" instead

3. Doing an upgrade_virus_scanners checks ClamAV but also generic. I don't have generic listed anywhere

4. Running MailScanner -v shows that Mail::ClamAv is installed

5. Using CPAN to reinstall Mail::ClamAV says it is already installed.
Doing a forced install fails at the make Inspite of all this ClamAV is scanning messages. I'm using MailScanner 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the same problem with 0.88.5 and thought I'd try something different. I haven't a clue where to start on this. From MailScanner at ecs.soton.ac.uk Mon Nov 6 21:28:01 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 6 21:31:02 2006 Subject: ClamAV+SA package upgrade Message-ID: <454FA8E1.2000006@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have just upgraded the ClamAV & SpamAssassin easy-to-install package to ClamAV 0.88.6 (NEW!) SpamAssassin 3.1.7 Download and install from www.mailscanner.info as usual. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.1 (Build 1557) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFT6mJEfZZRxQVtlQRAp66AKCfVe1udkq8vJLBaimN/g/LKCpOugCdETSm ZBri8JfHlqYAD6Ia+myQiq8= =n0Jm -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mike at vesol.com Mon Nov 6 21:35:23 2006 From: mike at vesol.com (Mike Kercher) Date: Mon Nov 6 21:36:23 2006 Subject: ClamAV messed up In-Reply-To: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on Monday, November 06, 2006 3:11 PM: > I upgraded from FC 4 to FC 6 a short time ago. I thought > everything was working until I ran into problems with ClamAV > and MailScanner: > > 1. 
MailScanner was continually restarting until I changed > "clamavmodule" to "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" > in the conf file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also > generic. I don't have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already > installed. Doing a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using > MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but > I had the same problem with 0.88.5 and thought I'd try > something different. > > I haven't a clue where to start on this. I wouldn't say ClanAV messed up...why did you "fix what wasn't broken"? Personally, I use an enterprise class OS for servers rather than bleeding edge. Mike From gdoris at rogers.com Mon Nov 6 21:57:15 2006 From: gdoris at rogers.com (Gerry) Date: Mon Nov 6 21:58:08 2006 Subject: ClamAV messed up In-Reply-To: Message-ID: <000f01c701ee$883cd200$780a000a@northamerica.stortek.com> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: November 6, 2006 16:35 To: MailScanner discussion Subject: RE: ClamAV messed up mailscanner-bounces@lists.mailscanner.info <> scribbled on Monday, November 06, 2006 3:11 PM: > I upgraded from FC 4 to FC 6 a short time ago. I thought everything > was working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed > "clamavmodule" to "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" > in the conf file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also generic. 
I > don't have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already installed. > Doing a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using > MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the > same problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. I wouldn't say ClanAV messed up...why did you "fix what wasn't broken"? Personally, I use an enterprise class OS for servers rather than bleeding edge. Mike This a home server used for testing stuff. It's the place I try and figure out what works and what doesn't. As I mentioned, it is actually working but messed up. I can always reload the old image and start again if things really go bad. Perhaps "ClamAV messed up" is not what was I intended to say...my system is messed up. From derek at adcatanzaro.com Mon Nov 6 22:11:02 2006 From: derek at adcatanzaro.com (Derek Catanzaro) Date: Mon Nov 6 22:11:34 2006 Subject: OT: Commercial Content Filtering Products Message-ID: <454FB2F6.8060702@adcatanzaro.com> I'm trying to get an idea of the cost on commercial products that will basically do what MailScanner is doing for free. The reason is because some vp's would like to know the cost of the commercial products. Ultimately I think MailScanner does a great job with the proper configs and I would be willing to bet that it does a lot better job than a lot of the commercial products you have to pay for. Does anyone out there have any product names and annual costs they can provide? I've got roughly 3,000 mail users and we are getting about 100,000 emails per day. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
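
The two checks Matt Kettler describes in the "Rule for DNS MX Check" thread above (SPF qualifiers, and PTR names that must resolve back to the same IP) as an added Python example; it is not code from any poster or from SpamAssassin. The PTR/A table copies the host output quoted in that thread, the SPF records are constructed for illustration, and the function names fcrdns and spf_result are hypothetical.

```python
import ipaddress

# Constructed lookup tables so the example runs offline. The PTR/A answers
# copy the `host` output quoted in the thread; nothing is queried live.
PTR = {"69.15.149.129": ["assuredata.com", "writeontime.us"]}
A = {"writeontime.us": ["216.21.229.197"]}  # assuredata.com had no A record

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS (RFC 1912 section 2.1).

    Every name returned for the PTR lookup must resolve back to `ip`.
    Returns (ok, problems) so a caller can log why a host failed.
    """
    names = ptr.get(ip, [])
    if not names:
        return False, [f"{ip}: no PTR record"]
    problems = []
    for name in names:
        addrs = a.get(name, [])
        if not addrs:
            problems.append(f"{name}: no forward resolution")
        elif ip not in addrs:
            problems.append(f"{name}: resolves to {', '.join(addrs)}, not {ip}")
    return not problems, problems


def spf_result(record, client_ip):
    """Evaluate an SPF record restricted to the ip4, ip6 and all mechanisms.

    Mechanisms that need DNS (a, mx, include, ...) and modifiers raise
    ValueError rather than being silently skipped, because skipping them
    would produce a wrong verdict.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"unsupported SPF term in this example: {term!r}")
    return "neutral"  # nothing matched and no "all": default result


if __name__ == "__main__":
    # Constructed records: one sending address is listed, then the catch-all.
    # With "?all" the domain owner declines to call any other address invalid.
    neutral_all = "v=spf1 ip4:65.254.254.52 ?all"
    hard_fail = "v=spf1 ip4:65.254.254.52 -all"
    dsl_client = "81.179.145.240"  # connecting IP from the Received header

    print("?all ->", spf_result(neutral_all, dsl_client))
    print("-all ->", spf_result(hard_fail, dsl_client))

    ok, problems = fcrdns("69.15.149.129")
    print("FCrDNS ok:", ok)
    for p in problems:
        print("  ", p)
```
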
From ssilva at sgvwater.com Mon Nov 6 23:40:22 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 6 23:41:42 2006 Subject: OT: Commercial Content Filtering Products In-Reply-To: <454FB2F6.8060702@adcatanzaro.com> References: <454FB2F6.8060702@adcatanzaro.com> Message-ID: Derek Catanzaro spake the following on 11/6/2006 2:11 PM: > I'm trying to get an idea of the cost on commercial products that will > basically do what MailScanner is doing for free. The reason is because > some vp's would like to know the cost of the commercial products. > Ultimately I think MailScanner does a great job with the proper configs > and I would be willing to bet that it does a lot better job than a lot > of the commercial products you have to pay for. Does anyone out there > have any product names and annual costs they can provide? I've got > roughly 3,000 mail users and we are getting about 100,000 emails per day. DefenderMX (www.fsl.com) They have what could be called the commercial big brother of mailscanner. It has more features, and comes in several versions, including an "appliance". You will have to contact them as to pricing. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From prandal at herefordshire.gov.uk Tue Nov 7 00:33:52 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Nov 7 00:34:14 2006 Subject: Commercial Content Filtering Products Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681D8@isabella.herefordshire.gov.uk> I saw on another mailing list today someone boasting what a good job their Barracuda was doing - getting 87% of their incoming spam. I can probably get 87% by the use of sendmail's GreetPause, the zen.spamhaus.org RBL at MTA level, and milter-greylist 3.0rc greylisting a handful of RBLS, without even getting anywhere near spamassassin. MailScanner gets over 99% of all incoming spam here. 
Cheers, Phil -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Derek Catanzaro Sent: Monday, November 06, 2006 10:11 PM To: MailScanner discussion Subject: OT: Commercial Content Filtering Products I'm trying to get an idea of the cost on commercial products that will basically do what MailScanner is doing for free. The reason is because some vp's would like to know the cost of the commercial products. Ultimately I think MailScanner does a great job with the proper configs and I would be willing to bet that it does a lot better job than a lot of the commercial products you have to pay for. Does anyone out there have any product names and annual costs they can provide? I've got roughly 3,000 mail users and we are getting about 100,000 emails per day. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From res at ausics.net Tue Nov 7 00:44:15 2006 From: res at ausics.net (Res) Date: Tue Nov 7 00:44:21 2006 Subject: ClamAV messed up In-Reply-To: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> Message-ID: On Mon, 6 Nov 2006, Gerry wrote: > I upgraded from FC 4 to FC 6 a short time ago. I thought everything was > working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed "clamavmodule" to > "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" in the conf > file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also generic. 
I don't > have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already installed. Doing > a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the same > problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. Seen this a trillion times in upgrades, its not related to Fedora, its RHES, suse, slackware and probably all others. It will be a perl version conflict problem. its ugly but run it all manually, can you paste the output where perl bails? -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Tue Nov 7 00:51:44 2006 From: res at ausics.net (Res) Date: Tue Nov 7 00:51:54 2006 Subject: f-prot output problem In-Reply-To: References: Message-ID: On Mon, 6 Nov 2006, Alex Hooper wrote: > Hi, > > Ive been running MailScanner on my linux gateway at home for over two > years without problem. A couple of days ago, though, I started seeing > this in the logs: > > Nov 6 15:14:41 ******* MailScanner[1180]: Either you've found a bug in > MailSc > anner's F-Prot output parser, or F-Prot's output format has changed! F-Prot > said > this > "/var/spool/MailScanner/incoming/1180/kA34x7j14493/msg-1180-50.html->1teMN > l". Please mail the author of MailScanner > > I don't believe anything has changed on my machine. I've now got over > 10K messages waiting to scan... Has anyone any idea how I might > resolve this? Are you running engine 4.6.6? It's been out for a few months now so you probably are, does MailScanner --lint show anything more? 
Set debug on in the conf file for a whil;e, there was a simialr problem many months ago but it was related to sys::syslog and the MS wrapper was ammended so it wouldnt bail. > > Cheers, > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From gdoris at rogers.com Tue Nov 7 01:10:17 2006 From: gdoris at rogers.com (Gerry) Date: Tue Nov 7 01:11:00 2006 Subject: ClamAV messed up In-Reply-To: Message-ID: <000001c70209$818d22a0$780a000a@northamerica.stortek.com> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res Sent: November 6, 2006 19:44 To: MailScanner discussion Subject: Re: ClamAV messed up On Mon, 6 Nov 2006, Gerry wrote: > I upgraded from FC 4 to FC 6 a short time ago. I thought everything > was working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed > "clamavmodule" to "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" in the > conf file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also generic. I > don't have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already installed. > Doing a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using > MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the > same problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. Seen this a trillion times in upgrades, its not related to Fedora, its RHES, suse, slackware and probably all others. It will be a perl version conflict problem. 
its ugly but run it all manually, can you paste the output where perl bails? -- Cheers Res I got it working! I removed ClamAV rc0.99 totally including the libclamav files. I then installed the latest release 0.88.6. Once I had that installed I went back and tried to reinstall Mail::ClamAV. This time it worked. I have now enabled clamavmodule in MailScanner.conf and am back to normal...well, nearly. For some reason update_virus_scanners still thinks there is a generic virus scanner installed but I can live with that! From rcooper at dwford.com Tue Nov 7 04:03:22 2006 From: rcooper at dwford.com (Rick Cooper) Date: Tue Nov 7 04:03:49 2006 Subject: ClamAV messed up In-Reply-To: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> Message-ID: <029801c70221$ac1852c0$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gerry > Sent: Monday, November 06, 2006 4:11 PM > To: mailscanner@lists.mailscanner.info > Subject: ClamAV messed up > > I upgraded from FC 4 to FC 6 a short time ago. I thought > everything was > working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed > "clamavmodule" to > "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" > in the conf > file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also > generic. I don't > have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already > installed. Doing > a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using > MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but > I had the same > problem with 0.88.5 and thought I'd try something different. 
> > I haven't a clue where to start on this. > > I can tell you (posted this last week) that the 0.90rc2 version is not compatible with the Mail::ClamAV module. They took out some key rar related exports when they incorporated their own unrar engine (which seems to work great). Even if you uncomment the obvious problem (I believe it was CL-DISABLERAR) there are a couple of other items I just didn't have the time to track down. Just stick with the command line scanner until the author releases a compatible version, which took weeks the last time the clam developers messed around with the exports and did not retain backward compatible stubs. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Tue Nov 7 08:57:09 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 7 08:57:12 2006 Subject: OT: Commercial Content Filtering Products In-Reply-To: <454FB2F6.8060702@adcatanzaro.com> References: <454FB2F6.8060702@adcatanzaro.com> Message-ID: <223f97700611070057o2f48eae9nd2323790d291bae1@mail.gmail.com> On 06/11/06, Derek Catanzaro wrote: > I'm trying to get an idea of the cost on commercial products that will > basically do what MailScanner is doing for free. The reason is because > some vp's would like to know the cost of the commercial products. > Ultimately I think MailScanner does a great job with the proper configs > and I would be willing to bet that it does a lot better job than a lot > of the commercial products you have to pay for. Does anyone out there > have any product names and annual costs they can provide? I've got > roughly 3,000 mail users and we are getting about 100,000 emails per day. > IMO, the competition is a dime-a-dozen... And you get what you pay for:-). Seriously though: - Every AV company has their own product and/or appliance. These generally have the basic "flaw" that they only support one AV-scanner. 
Most have thrown in a more or less recognizable SpamAssassin too... But usually without more than the most basic "knobs" to turn. - There is a "healthy" market for this type of appliance (everything from firewall makers like WatchGuard and Fortinet to more specialized companies). Generally speaking, most of these appliances didn't start life as AV or spam-fighting tools, and as such aren't particularly good at it. - (Just to contradict my flippant first remark:-) Generally speaking, they're usually rather steeply priced. Compare that to the effectiveness (usually not that great), and you have ... an easy answer:-). If one wants to buy MailScanner (management often wants to put a pricetag on things like support:-), then DefenderMX is the thing (http://www.fsl.com). Last I looked (quite some time ago:-) it had some really nice featires (AD integration etc) that (although possible to achieve, to some extent) isn't part of a standard MailScanner/MailWatch combo. Since MailScanner is such a nice and configurable "product", I often find it hard to make real comparisions with commercial gear though. Most come off as toy cars compared to a LandCruiser;-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Tue Nov 7 09:25:39 2006 From: res at ausics.net (Res) Date: Tue Nov 7 09:25:47 2006 Subject: ClamAV messed up In-Reply-To: <000001c70209$818d22a0$780a000a@northamerica.stortek.com> References: <000001c70209$818d22a0$780a000a@northamerica.stortek.com> Message-ID: On Mon, 6 Nov 2006, Gerry wrote: > > I got it working! > > I removed ClamAV rc0.99 totally including the libclamav files. I then > installed the latest release 0.88.6. Once I had that installed I went back > and tried to reinstall Mail::ClamAV. This time it worked. > > I have now enabled clamavmodule in MailScanner.conf and am back to > normal...well, nearly. 
For some reason update_virus_scanners still thinks > there is a generic virus scanner installed but I can live with that! This is OK, if it bothers you, in your mailscanner etc directory, virus_scanners.conf, just hash out generic :) > > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From martinh at solidstatelogic.com Tue Nov 7 09:29:25 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Nov 7 09:29:32 2006 Subject: ClamAV messed up In-Reply-To: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> Message-ID: <455051F5.4050304@solidstatelogic.com> Gerry wrote: > I upgraded from FC 4 to FC 6 a short time ago. I thought everything was > working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed "clamavmodule" to > "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" in the conf > file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also generic. I don't > have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already installed. Doing > a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the same > problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. > > Gerry Known issue with mail::ClamAV and the 0.90 code, basically they are not compatible.... 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From MailScanner at ecs.soton.ac.uk Tue Nov 7 11:39:05 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 7 11:41:31 2006 Subject: OT: Commercial Content Filtering Products In-Reply-To: <454FB2F6.8060702@adcatanzaro.com> References: <454FB2F6.8060702@adcatanzaro.com> Message-ID: <45507059.9040105@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Try to sell them DefenderMX from Fort Systems Ltd. This is based around MailScanner, but with a very good management and reporting system attached, it's a lot more than just MailWatch. It is under constant active development, and is available with commercial support contracts so we can be sure you won't be left high and dry if anything goes bang in the night. And of course, if you decide to go with a straightforward standard version of MailScanner, I'm always available to install it for you :-) Derek Catanzaro wrote: > I'm trying to get an idea of the cost on commercial products that will > basically do what MailScanner is doing for free. The reason is > because some vp's would like to know the cost of the commercial > products. Ultimately I think MailScanner does a great job with the > proper configs and I would be willing to bet that it does a lot better > job than a lot of the commercial products you have to pay for. Does > anyone out there have any product names and annual costs they can > provide? 
I've got roughly 3,000 mail users and we are getting about > 100,000 emails per day. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.1 (Build 1557) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFUHDDEfZZRxQVtlQRAgNUAJ9mdH3YxwqL9/IQMX8bTKWj2fsWlgCgwpP1 TEoLmn0sAGUSZIncWU8vLfc= =66D8 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From matt at coders.co.uk Tue Nov 7 11:46:30 2006 From: matt at coders.co.uk (Matt Hampton) Date: Tue Nov 7 11:47:34 2006 Subject: Commercial Content Filtering Products In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681D8@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B58017681D8@isabella.herefordshire.gov.uk> Message-ID: <45507216.40206@coders.co.uk> Randal, Phil wrote: > I saw on another mailing list today someone boasting what a good job > their Barracuda was doing - getting 87% of their incoming spam. Upfront: I work for a reseller of a number of products including a managed MailScanner solution but this is my opinion. Barracuda are just SpamAssassin with RBLs. Which they do not provide licenses for use see http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#87 (the bottom section). An interesting one I have seen recently is I-Critical but that doesn't have all of the features that MailScanner has (although they are adding some new stuff in the near future but won't give the details). The offer a managed service, appliance or a CD but the offer remote management of all of the boxes. 
MIME-Sweeper (from Clearswift) is well known but people have historically had issues with the support. For the "Biggies" get a quote from MessageLabs (or Black Spider). What I will say is this - when you are comparing prices you need to take into account the proportion of your time to keep the system up to date. You will also need to account for when you aren't around - another person needs training. These take a significant chunk out of the high prices that appliances seem and can actually be more expensive. The flexibility that MailScanner (and from I have seen and heard about DefenderMX) far exceeds that of other commercial products. So the balance to consider is: MailScanner: Pros: Flexibility and you are in control Low set up cost and on going Cons: Your + another's time setting up and the ongoing managing and keeping it up to date. Appliance: Pros: It's a black box Someone else supports it Cons: It's a black box Someone else supports it Tied to feature set High Setup cost Recurring license costs Increased throughput requires new box Managed Service Pros: Someone else manages keeps it up to date It's a black box Per user fee so easily scalable Distributed facilities Cons: It's a black box Initial per user cost is high Tied feature set > I can probably get 87% by the use of sendmail's GreetPause, the > zen.spamhaus.org RBL at MTA level, and milter-greylist 3.0rc greylisting > a handful of RBLS, without even getting anywhere near spamassassin. I am getting slightly higher than this: I use smf-sav (for both sender and recipient verification), smf-grey (patched to only do grey listing on sending systems on 1 or more RBL's), GreetPause, IP->Host->IP checks on client IP and milter-link and milter-null. Of the mail that gets through this - 19% is tagged as spam of which just over half is marked as High Spam. I am getting about 0.01% False Negative rate from MailScanner/SpamAssassin and about 0.2% FP from the Client IP checks. 
I have had no reported FP from MailScanner/SpamAssassin since the beginning of the month.

matt

From martinh at solidstatelogic.com Tue Nov 7 12:55:27 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 7 12:55:39 2006
Subject: Commercial Content Filtering Products
In-Reply-To: <45507216.40206@coders.co.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681D8@isabella.herefordshire.gov.uk> <45507216.40206@coders.co.uk>
Message-ID: <4550823F.4030504@solidstatelogic.com>

Matt Hampton wrote:
> Randal, Phil wrote:
>> I saw on another mailing list today someone boasting what a good job
>> their Barracuda was doing - getting 87% of their incoming spam.
>
> Upfront: I work for a reseller of a number of products including a
> managed MailScanner solution but this is my opinion.
>
> Barracuda are just SpamAssassin with RBLs. Which they do not provide
> licenses for use see
>
> http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#87 (the
> bottom section).
>
> An interesting one I have seen recently is I-Critical but that doesn't
> have all of the features that MailScanner has (although they are adding
> some new stuff in the near future but won't give the details). They offer
> a managed service, appliance or a CD but they offer remote management of
> all of the boxes.
>
> MIME-Sweeper (from Clearswift) is well known but people have
> historically had issues with the support.
>

eww no arg thud... I moved from Mimesweeper to MS due to too many false positives and a complete sod to support (tied up a complete PIII 933MHz 2GB RAM, 100% CPU all the time - moved to mailScanner/mailwatch, no FP on a 600 MHz Celeron 512MB RAM and lots of free resource).

Allegedly it's much better now, but I like MS too much to move away - ie it just works ;-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From housey at sme-ecom.co.uk Tue Nov 7 12:59:08 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Tue Nov 7 12:59:12 2006
Subject: Could not analyze message
Message-ID:

Hi

I don't think my messages last week regarding this made it to the list, I've just noticed that they got flagged as spam on my system :-)

I have a message being sent to one of my customers which keeps getting quarantined with "Could not analyze message", it's a plain text email with no attachments.

I tried setting up a ruleset so any messages from this particular address did not get scanned (using the Scan Messages ruleset). I've done this quite a few times before so am confident the syntax I'm using is correct.

Despite this the message still gets quarantined, Julian mentioned the envelope from/to addresses might be different to the ones I've got in my ruleset - I used the "Add Envelope From Header" and "Add Envelope To Header" and was able to see from the headers that my ruleset addresses were correct.

I've also tried using the Scan Messages ruleset to just not scan incoming email for this particular email address - again the message still gets quarantined.

Any hints/tips etc..
as to what can cause "Could not analyze message"? The server processes plenty of other email exactly as I would expect and it only seems to be this one particular message.

Cheers

Paul

From martinh at solidstatelogic.com Tue Nov 7 13:26:58 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 7 13:27:18 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <455089A2.2070702@solidstatelogic.com>

Paul Houselander wrote:
> Hi
>
> I don't think my messages last week regarding this made it to the list, I've
> just noticed that they got flagged as spam on my system :-)
>

If you're using Tim's Bogus virus rules for Spamassassin you need to zero score the mailScanner ones (from back in the day when mailScanner used to 'bounce' spam and viruses by default)

> I have a message being sent to one of my customers which keeps getting
> quarantined with "Could not analyze message", it's a plain text email with no
> attachments.
>

I see you're using Outlook - could it be the TNEF expander isn't working properly...

What I do is don't scan via SA for outgoing, only virus scan. I do this by the 'from' ip-address range which can't be spoofed quite as easily as the email address.

> I tried setting up a ruleset so any messages from this particular address did
> not get scanned (using the Scan Messages ruleset). I've done this quite a few
> times before so am confident the syntax I'm using is correct.
>
> Despite this the message still gets quarantined, Julian mentioned the
> envelope from/to addresses might be different to the ones I've got in my
> ruleset - I used the "Add Envelope From Header" and "Add Envelope To Header"
> and was able to see from the headers that my ruleset addresses were correct.
>
> I've also tried using the Scan Messages ruleset to just not scan
> incoming email for this particular email address - again the message still
> gets quarantined.
>
> Any hints/tips etc.. as to what can cause "Could not analyze message"? The
> server processes plenty of other email exactly as I would expect and it only
> seems to be this one particular message.
>
> Cheers
>
> Paul
>

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From housey at sme-ecom.co.uk Tue Nov 7 13:54:08 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Tue Nov 7 13:54:12 2006
Subject: Could not analyze message
In-Reply-To: <455089A2.2070702@solidstatelogic.com>
Message-ID:

Hi Martin

The situation is my customer has his incoming email scanned, the email which is being quarantined is coming from one of his suppliers (i.e. they don't smtp out via me). I don't really want to whitelist the IP as the email comes via BT.

I was thinking along the lines of winmail.dat as the message comes via an MS Exchange server, but the message is all just plain text.
Here's the headers (I've blanked out various addresses)

Return-Path:
Delivered-To: 2-xxxxxxxxxxxxx
Received: (qmail 21307 invoked by uid 110); 3 Nov 2006 13:33:11 +0000
Delivered-To: 129-xxxxxxxxxxx
Received: (qmail 21301 invoked from network); 3 Nov 2006 13:33:11 +0000
Received: from xxxxxxxxxxx (HELO xxxxxxxxxxx) (xxxxxxxxxxxx)
  by xxxxxxxxxxxx with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Nov 2006 13:33:11 +0000
Received: from c2bthomr10.btconnect.com (c2bthomr10.btconnect.com [194.73.73.226])
  by xxxxxxxxxxxxxxxxxx (8.13.1/8.13.1) with ESMTP id kA3DWXX9018872
  for ; Fri, 3 Nov 2006 13:32:38 GMT
Received: from xxxxxxxxxxxx (xxxxxxxxxxxxxxxx.in-addr.btopenworld.com [xxxxxxxx])
  by xxxxxxxxxxxxxxxxx (MOS 3.7.4b-GA) with ESMTP id BVA31885;
  Fri, 3 Nov 2006 13:27:07 GMT
Received: from goldmaster ([192.168.0.10]) by xxxxxxxxxxxxxxxxxx with Microsoft SMTPSVC(6.0.3790.1830);
  Fri, 3 Nov 2006 13:32:29 +0000
From: "xxxxxxxxxxxxxxx"
Subject: Proof of Delivery
To: xxxxxxxxxxxxxxxx
Content-type: text/plain; charset="ISO-8859-1"
Date: Fri, 3 Nov 2006 13:32:29 +0000
Message-ID:
X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) FILETIME=[825D5570:01C6FF4C]

Any other ideas?

Cheers

Paul

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
From martinh at solidstatelogic.com Tue Nov 7 14:00:25 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 7 14:00:35 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <45509179.5060600@solidstatelogic.com>

Paul Houselander wrote:
> Hi Martin
>
> The situation is my customer has his incoming email scanned, the email
> which is being quarantined is coming from one of his suppliers (i.e. they
> don't smtp out via me). I don't really want to whitelist the IP as the email
> comes via BT.
>
> I was thinking along the lines of winmail.dat as the message comes via an MS
> Exchange server, but the message is all just plain text. Here's the headers
> (I've blanked out various addresses)
>
> Received: (qmail 21301 invoked from network); 3 Nov 2006 13:33:11 +0000
> Received: from xxxxxxxxxxx (HELO xxxxxxxxxxx) (xxxxxxxxxxxx)
> by xxxxxxxxxxxx with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Nov 2006
> 13:33:11 +0000

encrypted SMTP!! and qmail....hmm I wonder if it's not decrypted before it's dropping into MailScanner?????

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Denis.Beauchemin at USherbrooke.ca Tue Nov 7 14:38:06 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Nov 7 14:38:28 2006
Subject: mailscanner-mrtg graph labels
In-Reply-To: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca>
References: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca>
Message-ID: <45509A4E.7090303@USherbrooke.ca>

Gerry Doris wrote:
> I upgraded my system from Fedora Core 4 to 6 last weekend.
> Surprisingly it went quite well. I thought everything was working
> properly until I noticed that two of the mailscanner-mrtg graphs have
> their labels messed up. The data looks correct.
>
> The two messed up graphs are Mail Transferred and Memory. It is the
> top level as well as the detail graphs. The vertical legend for each
> is showing the number scale followed by the letters M,G,T,P spread out
> into the graph area for each number.
>
> This has been working perfectly for ages...I think? Has anyone else
> noticed this? I'm using 0.10.00. I upgraded to the unstable version
> 11 but it didn't make a difference.

Gerry,

This looks more like an MRTG problem than a MailScanner-MRTG one because the 2 graphs that you are having problems with come from different sources: your log files for MTA and SNMP for memory.

Are you sure you didn't mess up the /etc/mrtg/mailscanner-mrtg.cfg file for these 2 graphs? This is what I have for the MTA:

YLegend[mailbytes]: Bytes
ShortLegend[mailbytes]: bytes
Legend1[mailbytes]: Average Bytes
Legend2[mailbytes]:
Legend3[mailbytes]: Maximum Bytes
Legend4[mailbytes]:
LegendI[mailbytes]: :
LegendO[mailbytes]:
kilo[mailbytes]: 1024
kMG[mailbytes]: k,M,G,T,P

If all is OK, then maybe something changed in FC6 and the last 2 lines (kilo and kMG) are not having the same effect as they did before.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From housey at sme-ecom.co.uk Tue Nov 7 14:41:51 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Tue Nov 7 14:41:53 2006
Subject: Could not analyze message
In-Reply-To: <45509179.5060600@solidstatelogic.com>
Message-ID:

Nope I don't think that's the problem, I've just realised I gave the headers from the released email (I have a little script that releases an email from quarantine), below is the raw qf file data:-

Any other ideas, I just can't get this email through unscanned or better still understand why MailScanner can't analyze the message.

Cheers

Paul

V8
T1162560758
K0
N0
P31610
F8bs
$_c2bthomr10.btconnect.com [194.73.73.226]
$rESMTP
$sc2bthomr10.btconnect.com
${daemon_flags}
${if_addr}xxxxxxxxxx
S
rRFC822; xxxxxxxxxxxxxx
RPFD:
H?P?Return-Path:
H??Received: from c2bthomr10.btconnect.com (c2bthomr10.btconnect.com [194.73.73.226])
  by xxxxxxxxxxxxxx (8.13.1/8.13.1) with ESMTP id kA3DWXX9018872
  for ; Fri, 3 Nov 2006 13:32:38 GMT
H??Received: from goldmaster.gold01.com (xxxxxxxxx.in-addr.btopenworld.com [xxxxxxxxxxxxx])
  by c2bthomr10.btconnect.com (MOS 3.7.4b-GA) with ESMTP id BVA31885;
  Fri, 3 Nov 2006 13:27:07 GMT
H??Received: from goldmaster ([192.168.0.10]) by goldmaster.gold01.com with Microsoft SMTPSVC(6.0.3790.1830);
  Fri, 3 Nov 2006 13:32:29 +0000
H??From: "xxxxxxxxxxxxx"
H??Subject: Proof of Delivery
H??To: xxxxxxxxxxxxx
H??Content-Type: multipart/mixed
H??Date: Fri, 3 Nov 2006 13:32:29 +0000
H??Message-ID:
H??X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) FILETIME=[825D5570:01C6FF4C]
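A diagnostic sketch for the qf data posted in the message above, added here as an example (it is not MailScanner or sendmail code, and the function names are made up for illustration). It splits a sendmail V8 queue control file into its records, decodes the `T` creation time, and reports a `multipart/*` Content-Type that carries no `boundary` parameter, which RFC 2046 requires; the sample is constructed from the posted records with the poster's redactions kept, and the header folding is assumed.

```python
import re
from datetime import datetime, timezone
from email.message import Message

# Constructed sample: the qf records from the post, redactions as posted.
# Where the Received headers fold onto continuation lines is an assumption.
SAMPLE_QF = """\
V8
T1162560758
K0
N0
P31610
F8bs
$_c2bthomr10.btconnect.com [194.73.73.226]
$rESMTP
$sc2bthomr10.btconnect.com
${daemon_flags}
${if_addr}xxxxxxxxxx
S
rRFC822; xxxxxxxxxxxxxx
RPFD:
H?P?Return-Path:
H??Received: from c2bthomr10.btconnect.com (c2bthomr10.btconnect.com [194.73.73.226])
\tby xxxxxxxxxxxxxx (8.13.1/8.13.1) with ESMTP id kA3DWXX9018872
\tfor ; Fri, 3 Nov 2006 13:32:38 GMT
H??Received: from goldmaster.gold01.com (xxxxxxxxx.in-addr.btopenworld.com [xxxxxxxxxxxxx])
\tby c2bthomr10.btconnect.com (MOS 3.7.4b-GA) with ESMTP id BVA31885;
\tFri, 3 Nov 2006 13:27:07 GMT
H??Received: from goldmaster ([192.168.0.10]) by goldmaster.gold01.com
\twith Microsoft SMTPSVC(6.0.3790.1830); Fri, 3 Nov 2006 13:32:29 +0000
H??From: "xxxxxxxxxxxxx"
H??Subject: Proof of Delivery
H??To: xxxxxxxxxxxxx
H??Content-Type: multipart/mixed
H??Date: Fri, 3 Nov 2006 13:32:29 +0000
H??Message-ID:
H??X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) FILETIME=[825D5570:01C6FF4C]
"""


def parse_qf(text):
    """Split a qf file into ({record code: [values]}, [(header, value)])."""
    records, headers, in_header = {}, [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if in_header:  # folded continuation of the previous H record
                name, value = headers[-1]
                headers[-1] = (name, (value + " " + line.strip()).strip())
            continue
        code, rest = line[0], line[1:]
        in_header = code == "H"
        if in_header:
            m = re.match(r"\?([^?]*)\?(.*)", rest)  # optional ?flags? prefix
            name, _, value = (m.group(2) if m else rest).partition(":")
            headers.append((name.strip(), value.strip()))
        else:
            records.setdefault(code, []).append(rest)
    return records, headers


def queued_at(records):
    """The T record is the queue-file creation time in epoch seconds."""
    return datetime.fromtimestamp(int(records["T"][0]), tz=timezone.utc)


def mime_findings(headers):
    """Report Content-Type problems a MIME parser is likely to reject."""
    msg = Message()
    for name, value in headers:
        msg[name] = value
    findings = []
    if len(msg.get_all("Content-Type", [])) > 1:
        findings.append("more than one Content-Type header")
    if msg.get_content_maintype() == "multipart" and not msg.get_boundary():
        findings.append(msg.get_content_type() + " has no boundary parameter")
    return findings


if __name__ == "__main__":
    recs, hdrs = parse_qf(SAMPLE_QF)
    print("queued at:", queued_at(recs).isoformat())
    for finding in mime_findings(hdrs) or ["no MIME header findings"]:
        print("finding:", finding)
```

The same check on the released copy's `Content-type: text/plain; charset="ISO-8859-1"` header reports nothing, so the two sets of headers posted in this thread differ on exactly this point.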
From Denis.Beauchemin at USherbrooke.ca Tue Nov 7 14:48:37 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Nov 7 14:48:53 2006
Subject: Remove SpamAssasin report in 'attachment deliver'
In-Reply-To:
References: <454B4D1B.2000807@USherbrooke.ca>
Message-ID: <45509CC5.7050302@USherbrooke.ca>

Ugo Bellavance wrote:
> Denis Beauchemin wrote:
>> Ugo Bellavance wrote:
>>> Hi,
>>>
>>> I'd like to know how to not have the report details in the body
>>> when using the 'attachment' action for delivering. I know there is
>>> an "Always include SpamAssassin Report" option, but I'm afraid I
>>> won't have it in the headers if I disable it.
>>>
>>> Thanks,
>>>
>>> Ugo
>>>
>> Hi Ugo,
>>
>> I guess you could use the following in your spam.assassin.prefs.conf
>> to clear the default report (from "man Mail::SpamAssassin::Conf"):
>> clear_report_template
>>     Clear the report template.
>> report ...some text for a report...
>>     Set the report template which is attached to spam mail
>>     messages. See the "10_misc.cf" configuration file in
>>     "/usr/share/spamassassin" for an example.
>>
>>     If you change this, try to keep it under 78 columns. Each
>>     "report" line appends to the existing
>>     template, so use "clear_report_template" to restart.
>>
>>     Tags can be included as explained above.
>>
>> I use a French-localized version here with:
>> lang fr clear_report_template
>> lang fr report ------------------ Début de Rapport SpamAssassin ---------------------
>
> I don't want to change it, I only want it to be blank, nothing... is
> it sufficient to just put 'clear_report_template' into the
> spam.assassin.prefs.conf?
>
> Thanks
>
>

I would think it would work but I didn't test it...

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From martinh at solidstatelogic.com Tue Nov 7 15:01:47 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 7 15:02:03 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <45509FDB.1040003@solidstatelogic.com>

Paul Houselander wrote:
> Nope I don't think that's the problem, I've just realised I gave the headers
> from the released email (I have a little script that releases an email from
> quarantine), below is the raw qf file data:-
>
> Any other ideas, I just can't get this email through unscanned or better
> still understand why MailScanner can't analyze the message.
>
> Cheers
>
> Paul

can you drop this back into the queue and run mailScanner/Spamassassin in debug mode? You may then be able to spot what's going awry.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Dominique.Marant at univ-lille1.fr Tue Nov 7 15:07:07 2006
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Tue Nov 7 15:09:14 2006
Subject: ClamAV update
In-Reply-To: <455051F5.4050304@solidstatelogic.com>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com>
Message-ID: <4550A11B.6000002@univ-lille1.fr>

I installed install-Clam-0.88.6-SA-3.1.7

In virus.scanners.conf :
clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
clamavmodule /bin/false /tmp

In MailScanner.conf :
Virus Scanners = clamavmodule
Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd

It seems that clamav is not automatically updated because I don't see any change in /usr/local/share/clamav/ and I don't see clamav in update.virus.scanners lines in the log.

How to configure MailScanner to update ClamAV every day ?
Could you tell me if I have to perform a freshclam by the crontab ?
In the MailScanner log, how to see the version of ClamAV used by MailScanner ?
In the MailScanner log, how to see the version of Spamassassin used by MailScanner ?
In the MailScanner log, how to see if ClamAV version is OUTDATED ?

Thanks in advance

Dominique

From ugob at camo-route.com Tue Nov 7 15:59:38 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Nov 7 16:00:14 2006
Subject: Outbound scanning checklist
Message-ID:

Hi,

I will start filtering outbound traffic soon, and here is my checklist, to share with you guys, and if someone has something to add, I'd be glad to add it. I'll post it on the wiki afterwards.
1- Get the list of IP addresses from which we'll receive outgoing e-mails

2- Allow relaying for these IP addresses

3- Disable DNSBL checks for these IP addresses (if necessary)

4- Make sure your RDNS matches your HELO and that there is an A record that matches the RDNS, matching the IP address

5- Check the SPF records for domains that will be used outbound

6- Create ruleset as desired/needed: filetype, filename, spam checks (and always include SA report), content, virus

Did I forget anything?

Regards,

ugo

From ugob at camo-route.com Tue Nov 7 16:06:44 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Nov 7 16:08:15 2006
Subject: ClamAV update
In-Reply-To: <4550A11B.6000002@univ-lille1.fr>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com> <4550A11B.6000002@univ-lille1.fr>
Message-ID:

Dominique Marant wrote:
> I installed install-Clam-0.88.6-SA-3.1.7
>
> In virus.scanners.conf :
> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
> clamavmodule /bin/false /tmp
>
> In MailScanner.conf :
> Virus Scanners = clamavmodule
> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
>
> It seems that clamav is not automatically updated because I don't see any
> change in /usr/local/share/clamav/ and I don't see clamav in
> update.virus.scanners lines in the log.
>
> How to configure MailScanner to update ClamAV every day ?

This should be done hourly, automatically.

> Could you tell me if I have to perform a freshclam by the crontab ?

No, you don't.

> In the MailScanner log, how to see the version of ClamAV used by
> MailScanner ?

This info is not present in MailScanner's log.

> In the MailScanner log, how to see the version of Spamassassin used by
> MailScanner ?

This info is not present in MailScanner's log.

> In the MailScanner log, how to see if ClamAV version is OUTDATED ?

This info is not present in MailScanner's log. See /tmp/ClamAV.update.log

>
> Thanks in advance
>
> Dominique
>
>

From dhawal at netmagicsolutions.com Tue Nov 7 16:11:05 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Tue Nov 7 16:11:20 2006
Subject: Outbound scanning checklist
In-Reply-To:
References:
Message-ID: <4550B019.1030302@netmagicsolutions.com>

Ugo Bellavance wrote:
> Hi,
>
> I will start filtering outbound traffic soon, and here is my
> checklist, to share with you guys, and if someone has something to add,
> I'd be glad to add it. I'll post it on the wiki afterwards.
>
>
>
> 1- Get the list of IP addresses from which we'll receive outgoing e-mails
>
> 2- Allow relaying for these IP addresses
>
> 3- Disable DNSBL checks for these IP addresses (if necessary)
>
> 4- Make sure your RDNS matches your HELO and that there is an A record
> that matches the RDNS, matching the IP address
>
> 5- Check the SPF records for domains that will be used outbound
>
> 6- Create ruleset as desired/needed: filetype, filename, spam checks
> (and always include SA report), content, virus
>
> Did I forget anything?

7. smtp-auth (preferably over SSL)
8. prevent id spoofing over smtp-auth
9. volume / rate based throttling for authenticated users
10. also server side DK/DKIM signing

From kevind at go2.ie Tue Nov 7 16:14:59 2006
From: kevind at go2.ie (Kevin Dermody)
Date: Tue Nov 7 16:13:23 2006
Subject: Outbound scanning checklist
In-Reply-To:
References:
Message-ID: <4550B103.4020702@go2.ie>

Ugo Bellavance wrote:
> Hi,
>
> I will start filtering outbound traffic soon, and here is my
> checklist, to share with you guys, and if someone has something to add,
> I'd be glad to add it. I'll post it on the wiki afterwards.
>
>
>
> 1- Get the list of IP addresses from which we'll receive outgoing e-mails
>
> 2- Allow relaying for these IP addresses
>

this is a really bad idea if you don't control the systems on those ip addresses. use smtp authentication if you can.
> 3- Disable DNSBL checks for theses IP addresses (if necessary) > > 4- Make sure your RDNS matches your HELO and that there is an A record > that matches the RDNS, matching the IP address > > 5- Check the SPF records for domains that will be used outbound > > 6- Create ruleset as desired/needed: filetype, filenaye, spam checks > (and always include SA report), content, virus > > Did I forget anything? > > Regards, > > ugo > From housey at sme-ecom.co.uk Tue Nov 7 17:01:32 2006 From: housey at sme-ecom.co.uk (Paul Houselander) Date: Tue Nov 7 17:01:36 2006 Subject: Could not analyze message In-Reply-To: <45509FDB.1040003@solidstatelogic.com> Message-ID: Hi Martin Thanks for the debug tip forgot all about that! I set Debug = yes Debig SpamAssassin = no and copied the qf/qf pair back into /var/spool/mqueue.in I started up MailScanner MailScanner: In Debugging mode, not forking.... The message got quarantined but the debug info didnt really show anything - I got a message saying format error: can't find EOCD signature at /usr/sbin/MailScanner line 820 But I put some other messages in and got exactly the same problem. Any other tips :-) Paul -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin Hepworth Sent: 07 November 2006 15:02 To: MailScanner discussion Subject: Re: Could not analyze message Paul Houselander wrote: > Nope I dont think thats the problem, ive just realised I gave the headers > from the released email (i have a little script that releases an email from > quarantine), below is the raw qf file data:- > > Any other ideals, I just cant get this email through unscanned or better > still understand why MailScanner cant analyze the message. > > Cheers > > Paul can you drop this back into the queue and run mailScanner/Spamassassin in debug mode? You may then be able to spot whats going awry. 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! This message has been scanned by the Allteks Mailsafe Service From martinh at solidstatelogic.com Tue Nov 7 17:09:27 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Nov 7 17:09:37 2006 Subject: Could not analyze message In-Reply-To: References: Message-ID: <4550BDC7.4050302@solidstatelogic.com> Paul Houselander wrote: > Hi Martin > > Thanks for the debug tip forgot all about that! > > I set > > Debug = yes > Debig SpamAssassin = no > > and copied the qf/qf pair back into /var/spool/mqueue.in > > I started up MailScanner > > MailScanner: In Debugging mode, not forking.... > > The message got quarantined but the debug info didnt really show anything - > I got a message saying > > format error: can't find EOCD signature > at /usr/sbin/MailScanner line 820 > > But I put some other messages in and got exactly the same problem. 
> > Any other tips :-) > > Paul > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin > Hepworth > Sent: 07 November 2006 15:02 > To: MailScanner discussion > Subject: Re: Could not analyze message > > > Paul Houselander wrote: >> Nope I dont think thats the problem, ive just realised I gave the headers >> from the released email (i have a little script that releases an email > from >> quarantine), below is the raw qf file data:- >> >> Any other ideals, I just cant get this email through unscanned or better >> still understand why MailScanner cant analyze the message. >> >> Cheers >> > > Paul > > can you drop this back into the queue and run mailScanner/Spamassassin > in debug mode? You may then be able to spot whats going awry. > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>
>
> This message has been scanned by the Allteks Mailsafe Service
>
>
>

Paul

set both options to debug - also check the maillog file

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From alex at nkpanama.com Tue Nov 7 18:03:23 2006
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Nov 7 18:04:02 2006
Subject: Outbound scanning checklist
In-Reply-To: <4550B103.4020702@go2.ie>
References: <4550B103.4020702@go2.ie>
Message-ID: <4550CA6B.8010300@nkpanama.com>

Kevin Dermody wrote:
> Ugo Bellavance wrote:
>> Hi,
>>
>> I will start filtering outbound traffic soon, and here is my
>> checklist, to share with you guys, and if someone has something to
>> add, I'd be glad to add it. I'll post it on the wiki afterwards.
>>
>>
>>
>> 1- Get the list of IP addresses from which we'll receive outgoing
>> e-mails
>>
>> 2- Allow relaying for these IP addresses
>>
>
> this is a really bad idea if you don't control the systems on those ip
> addresses. use smtp authentication if you can.
>
This is really bad idea, period. :D
>
>> 3- Disable DNSBL checks for these IP addresses (if necessary)
>>
>> 4- Make sure your RDNS matches your HELO and that there is an A
>> record that matches the RDNS, matching the IP address
>>
>> 5- Check the SPF records for domains that will be used outbound
>>
>> 6- Create ruleset as desired/needed: filetype, filename, spam checks
>> (and always include SA report), content, virus
>>
>> Did I forget anything?
>>
>> Regards,
>>
>> ugo
>>

From rpoe at plattesheriff.org Tue Nov 7 19:26:28 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Tue Nov 7 19:29:25 2006
Subject: Greylisting .. nice ..
In-Reply-To:
References:
Message-ID: <45508986.65ED.00A2.0@plattesheriff.org>

>> > My thoughts so far are this: Why didn't I do this sooner.
>
>> It's going to be pointless soon, problem is, as more and more people do
>> this, it won't be long before the common garden variety spammers smtp
>> engine will also retry on 4xx errors, I'd give it a year tops (if some of
>> them are not already doing it)

>My objection to it is not that it doesn't work, but that it makes all
>genuine mail servers work twice as hard to deliver mail. I like having an

I agree, that the spammers MIGHT try to adapt to this, but at THIS
MOMENT, it works. Computer tech is moment based. Since when have we
used virus scanners on Microsoft OS'es that only scan on demand (real
time scanning). Why? Because the virus writers adapted. The viruses
are far nastier. Spam will get far, far nastier.

I have a mailserver I admin that gets the following in spam statistics
.. for yesterday at midnight.

1040 blocked yesterday due to sendmail access.db blocks (the worst
subnet offenders from foreign countries)
20,000 blocked for invalid recipient
124 blocked by RBLs, of which I cannot use all of because their clients
host email servers on DSL / Cable modem connections.
68 blocked by spamassassin for high spam score
2000 greylist 1st attempts
204 greylist passes

They STILL get spam .. but it's blocked almost ALL of the image based
spams, and almost ALL of the pharmaceutical messages, and most of the
nasty porn stuff. And with the bayes poisoning they get, SA wasn't
touching it ..

I agree, greylisting isn't the best thing since sliced bread .. but
with the wild state of things on the Internet, it sure comes close IMO.
Not everyone has a 2.8ghz dual xeon with 4 gigs of ram to dedicate to
spamassassin with OCR recognition.

This email domain name is 10 years old. It used to run Groupwise 5.2
(ok, so maybe it still does) which the GWIA is so horribly broken that
it will accept email to ANY user (doesn't relay it, but DOES accept it
even if invalid).

So the spammers have dictionary attacked it for SO long that they all
think that asuidewiuwer@thatdomainname is a valid recipient, while it is
not.

Rob

From rpoe at plattesheriff.org Tue Nov 7 19:31:06 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Tue Nov 7 19:33:42 2006
Subject: Dictionary Attacks
In-Reply-To: <6.2.3.4.2.20061024170822.0262e660@mail.tireswing.net>
References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> <7.0.1.0.0.20061024150124.08445848@1bigthink.com> <453E72D3.4090600@pixelhammer.com> <6.2.3.4.2.20061024170822.0262e660@mail.tireswing.net>
Message-ID: <45508A9C.65ED.00A2.0@plattesheriff.org>

>My frustration with the deluge of spam of late has gotten to the
>point that I'm fairly convinced I will stop the spam filtering on the
>domain of the next user that bitches to me about the spam they're
>getting. Then they can see what spam they've *not* been getting.

Did that for someone. They then complained about the deluge of new
spam. It didn't work.

From mikea at mikea.ath.cx Tue Nov 7 20:12:18 2006
From: mikea at mikea.ath.cx (mikea)
Date: Tue Nov 7 20:12:23 2006
Subject: Greylisting .. nice ..
In-Reply-To: <45508986.65ED.00A2.0@plattesheriff.org>; from rpoe@plattesheriff.org on Tue, Nov 07, 2006 at 01:26:28PM -0600
References: <45508986.65ED.00A2.0@plattesheriff.org>
Message-ID: <20061107141218.D5240@mikea.ath.cx>

On Tue, Nov 07, 2006 at 01:26:28PM -0600, Rob Poe wrote:
> >> > My thoughts so far are this: Why didn't I do this sooner.
> >
> >> It's going to be pointless soon, problem is, as more and more people
> do
> >> this, it won't be long before the common garden variety spammers
> smtp
> >> engine will also retry on 4xx errors, I'd give it a year tops (if
> some of
> >> them are not already doing it)
>
> >My objection to it is not that it doesn't work, but that it makes all
> >genuine mail servers work twice as hard to deliver mail. I like
> having an
>
> I agree, that the spammers MIGHT try to adapt to this, but at THIS
> MOMENT, it works. Computer tech is moment based. Since when have we
> used virus scanners on Microsoft OS'es that only scan on demand (real
> time scanning). Why? Because the virus writers adapted. The viruses
> are far nastier. Spam will get far, far nastier.
>
> I have a mailserver I admin that gets the following in spam statistics
> .. for yesterday at midnight.
>
> 1040 blocked yesterday due to sendmail access.db blocks (the worst
> subnet offenders from foreign countries)
> 20,000 blocked for invalid recipient
> 124 blocked by RBLs, of which I cannot use all of because their clients
> host email servers on DSL / Cable modem connections.
> 68 blocked by spamassassin for high spam score
> 2000 greylist 1st attempts
> 204 greylist passes
>
> They STILL get spam .. but it's blocked almost ALL of the image based
> spams, and almost ALL of the pharmaceutical messages, and most of the
> nasty porn stuff. And with the bayes poisoning they get, SA wasn't
> touching it ..
>
> I agree, greylisting isn't the best thing since sliced bread .. but
> with the wild state of things on the Internet, it sure comes close IMO.
> Not everyone has a 2.8ghz dual xeon with 4 gigs of ram to dedicate to
> spamassassin with OCR recognition.
>
> This email domain name is 10 years old. It used to run Groupwise 5.2
> (ok, so maybe it still does) which the GWIA is so horribly broken that
> it will accept email to ANY user (doesn't relay it, but DOES accept it
> even if invalid).
>
> So the spammers have dictionary attacked it for SO long that they all
> think that asuidewiuwer@thatdomainname is a valid recipient, while it is
> not.

From my inbound mailfilter's logs, about 1030 local:
$ grep graylist /var/log/maillog | wc -l
2807
$ grep "accepted for delivery" /var/log/maillog | wc -l
2308

Just now, at 1409 local:
grep "accepted for delivery" /var/log/maillog | wc -l && grep graylist /var/log/maillog | wc -l
2642
3115

That's 500 or so mails that graylisting stopped at 10:30, minus the
ones still in the graylisting delay when I pulled the sample. Probably
about 480 mails actually had been stopped then. The difference still
is about 500-ish, and that's mails that the later stages of the filter
(MailScanner, SpamAssassin, and ClamAV) don't have to spend CPU on.

That's in addition to extensive blacklists, a regular-expression-match
milter, and some other stuff, and before the sendmail access database,
MailScanner, SpamAssassin, and ClamAV.

Some days I'm more than a bit amazed that *anything* gets through.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From jwilliams at courtesymortgage.com Tue Nov 7 20:35:19 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Tue Nov 7 20:35:23 2006
Subject: Have a problem here...need some quick advice
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD179@cmexchange01.CourtesyMortgage.local>

I'll get right to it.

I lost part of my mailscanner today. Still doing the research, but I
suspect hardware failure. In the meantime, while I am rebuilding
mailscanner, I need some suggestions to get postfix working with clamav
back. I have a quick postfix box up and running, but I am not sure how
to get clamav setup to scan the messages.

I am in a little panic mode here so I apologize for the rush sounding
and not doing a thorough search for this.

Thank you for your help.

-Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/cfdb4741/attachment.html

From dave.list at pixelhammer.com Tue Nov 7 20:51:25 2006
From: dave.list at pixelhammer.com (DAve)
Date: Tue Nov 7 20:51:38 2006
Subject: Greylisting .. nice ..
In-Reply-To: <20061107141218.D5240@mikea.ath.cx>
References: <45508986.65ED.00A2.0@plattesheriff.org> <20061107141218.D5240@mikea.ath.cx>
Message-ID: <4550F1CD.9060708@pixelhammer.com>

mikea wrote:
> On Tue, Nov 07, 2006 at 01:26:28PM -0600, Rob Poe wrote:
>>>>> My thoughts so far are this: Why didn't I do this sooner.
>>>> It's going to be pointless soon, problem is, as more and more people
>> do
>>>> this, it won't be long before the common garden variety spammers
>> smtp
>>>> engine will also retry on 4xx errors, I'd give it a year tops (if
>> some of
>>>> them are not already doing it)
>>> My objection to it is not that it doesn't work, but that it makes all
>>> genuine mail servers work twice as hard to deliver mail. I like
>> having an
>>
>> I agree, that the spammers MIGHT try to adapt to this, but at THIS
>> MOMENT, it works. Computer tech is moment based. Since when have we
>> used virus scanners on Microsoft OS'es that only scan on demand (real
>> time scanning). Why? Because the virus writers adapted. The viruses
>> are far nastier. Spam will get far, far nastier.
>>
>> I have a mailserver I admin that gets the following in spam statistics
>> .. for yesterday at midnight.
>>
>> 1040 blocked yesterday due to sendmail access.db blocks (the worst
>> subnet offenders from foreign countries)
>> 20,000 blocked for invalid recipient
>> 124 blocked by RBLs, of which I cannot use all of because their clients
>> host email servers on DSL / Cable modem connections.
>> 68 blocked by spamassassin for high spam score
>> 2000 greylist 1st attempts
>> 204 greylist passes
>>
>> They STILL get spam ..
but it's blocked almost ALL of the image based
>> spams, and almost ALL of the pharmaceutical messages, and most of the
>> nasty porn stuff. And with the bayes poisoning they get, SA wasn't
>> touching it ..
>>
>> I agree, greylisting isn't the best thing since sliced bread .. but
>> with the wild state of things on the Internet, it sure comes close IMO.
>> Not everyone has a 2.8ghz dual xeon with 4 gigs of ram to dedicate to
>> spamassassin with OCR recognition.
>>
>> This email domain name is 10 years old. It used to run Groupwise 5.2
>> (ok, so maybe it still does) which the GWIA is so horribly broken that
>> it will accept email to ANY user (doesn't relay it, but DOES accept it
>> even if invalid).
>>
>> So the spammers have dictionary attacked it for SO long that they all
>> think that asuidewiuwer@thatdomainname is a valid recipient, while it is
>> not.
>
> From my inbound mailfilter's logs, about 1030 local:
> $ grep graylist /var/log/maillog | wc -l
> 2807
> $ grep "accepted for delivery" /var/log/maillog | wc -l
> 2308
>
> Just now, at 1409 local:
> grep "accepted for delivery" /var/log/maillog | wc -l && grep graylist /var/log/maillog | wc -l
> 2642
> 3115
>
> That's 500 or so mails that graylisting stopped at 10:30, minus the
> ones still in the graylisting delay when I pulled the sample. Probably
> about 480 mails actually had been stopped then. The difference still
> is about 500-ish, and that's mails that the later stages of the filter
> (MailScanner, SpamAssassin, and ClamAV) don't have to spend CPU on.
>
> That's in addition to extensive blacklists, a regular-expression-match
> milter, and some other stuff, and before the sendmail access database,
> MailScanner, SpamAssassin, and ClamAV.
>
> Some days I'm more than a bit amazed that *anything* gets through.
>

bash# cat /var/log/maillogs/maillog | grep 'stat=queued' | wc -l
33384
bash# cat /var/log/maillogs/maillog | grep 'reject=451' | wc -l
89036
bash# cat /var/log/maillogs/maillog | grep 'auto-whitelisted' | wc -l
8833

That is just one server. I would be buried without Milter-Greylist, I
would be looking for a job without MailScanner.

DAve

--
Three years now I've asked Google why they don't have a logo change
for Memorial Day. Why do they choose to do logos for other
non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From jwilliams at courtesymortgage.com Tue Nov 7 20:51:37 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Tue Nov 7 20:51:41 2006
Subject: Have a problem here...need some quick advice
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD17B@cmexchange01.CourtesyMortgage.local>

Another quick note:

I was able to backup all my config files for MailScanner and postfix.
I was running 4.46-6 and postfix 2.2.6

I know there are changes, but anything significant? I am just trying to
get this back up ASAP.

-Jason

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Williams
Sent: Tuesday, November 07, 2006 12:35 PM
To: mailscanner@lists.mailscanner.info
Subject: Have a problem here...need some quick advice

I'll get right to it.

I lost part of my mailscanner today. Still doing the research, but I
suspect hardware failure. In the meantime, while I am rebuilding
mailscanner, I need some suggestions to get postfix working with clamav
back. I have a quick postfix box up and running, but I am not sure how
to get clamav setup to scan the messages.

I am in a little panic mode here so I apologize for the rush sounding
and not doing a thorough search for this.

Thank you for your help.

-Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/c829c7d8/attachment-0001.html

From mikej at rogers.com Tue Nov 7 21:19:33 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Tue Nov 7 21:19:21 2006
Subject: OT: Commercial Content Filtering Products
In-Reply-To: <454FB2F6.8060702@adcatanzaro.com>
References: <454FB2F6.8060702@adcatanzaro.com>
Message-ID: <4550F865.4070503@rogers.com>

Derek Catanzaro wrote:
> I'm trying to get an idea of the cost on commercial products that will
> basically do what MailScanner is doing for free. The reason is
> because some vp's would like to know the cost of the commercial
> products. Ultimately I think MailScanner does a great job with the
> proper configs and I would be willing to bet that it does a lot better
> job than a lot of the commercial products you have to pay for. Does
> anyone out there have any product names and annual costs they can
> provide? I've got roughly 3,000 mail users and we are getting about
> 100,000 emails per day.

I am working on such a product myself. It is based on MailScanner and
all the other popular Open Source spam software and runs on FreeBSD. The
difference from a self made OSS product is that it is an all-in-one,
self managed appliance. It features a web interface that lets you tweak
most of the important MS options, as well as some extras not found in MS
such as; Automatic user detection (for custom login to view reports,
manage quarantine and black/white lists). Daily quarantine reports sent
to users via email. Active Directory integration, to download local
recipient lists and reject unknown users at the MTA level. RAID and
hardware monitoring. Automatic updates and upgrades.

While the product is not feature complete yet, I have a number of
clients using it as a test, and they are all happy with it so far. Price
wise, I am shooting for somewhere around $1700 CDN for the product, and
$30/Month for updates.
This is however a small/medium version, and is designed for lower loads
(roughly half of what you specified). A higher end version will simply
require better hardware, on which I can not give you an accurate
estimate at this point (my best guess is about $800 more). The hardware
is all quality SuperMicro components, no cheap desktop components.

If anyone wants more information or screenshots of the interface, feel
free to email me in private. Also, if anyone is brave enough and
willing, I could provide the current product for free (minus hardware
and shipping costs) on a test and feedback basis. You can keep using the
product when/if a final version is released, and if you are not happy
with it for some reason, you can use the hardware for some other
function. It is a stable product, but is not feature complete and ready
for mass production yet.

From steve.roy.wojciechowski at gmail.com Tue Nov 7 23:57:03 2006
From: steve.roy.wojciechowski at gmail.com (Steve Roy-Wojciechowski)
Date: Tue Nov 7 23:57:06 2006
Subject: MailScanner and Exchange 5.5
Message-ID:

I am setting up a MailScanner system that will sit in front of an
Exchange 5.5 server. I had hoped to use milter-ahead but exchange 5.5
blindly accepts mail for the domain without first checking the user. I
was wanting incoming mail to the mailscanner machine to be checked by
exchange and dropped at the incoming point if the user/mailbox doesn't
exist. I am using sendmail on the Linux/MS machine with mail being
forwarded via a mailertable rule. Is there another way of accomplishing
this with either sendmail or mailscanner or even on exchange?
There are approx 100 email addresses. My client will be upgrading to
exchange 2003 sometime, but not in the near future.
Thanks

Steve

From jwilliams at courtesymortgage.com Wed Nov 8 00:01:59 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 00:02:03 2006
Subject: Quick help on getting FreeBSD mailscanner backup
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD180@cmexchange01.CourtesyMortgage.local>

Almost have the box back up, but I am missing something.

After rebuilding the entire box, starting it up, I see this in my logs:

Nov 7 17:29:27 gammaflux2 MailScanner[779]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Nov 7 17:29:27 gammaflux2 MailScanner[779]: Read 748 hostnames from the phishing whitelist
Nov 7 17:29:27 gammaflux2 MailScanner[779]: User's home directory /var/spool/postfix is not writable
Nov 7 17:29:27 gammaflux2 MailScanner[779]: You need to set the "SpamAssassin User State Dir" to a directory that the "Run As User" can write to
Nov 7 17:29:28 gammaflux2 MailScanner[779]: Using SpamAssassin results cache
Nov 7 17:29:28 gammaflux2 MailScanner[779]: Could not create SpamAssassin cache database /var/spool/MailScanner/incoming/SpamAssassin.cache.db

I know it is something very simple, but I am missing it. I know I am
rushing and missing easy things.

Here are some settings in my configs:

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/hold
Quarantine Dir = /var/spool/MailScanner/quarantine

Appreciate the quick help.

-Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/39eb02ee/attachment.html

From jwilliams at courtesymortgage.com Wed Nov 8 00:10:43 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 00:10:47 2006
Subject: Quick help on getting FreeBSD mailscanner backup
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD182@cmexchange01.CourtesyMortgage.local>

Nevermind. Figured it out. Spoke too quickly.

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Williams
Sent: Tuesday, November 07, 2006 4:02 PM
To: MailScanner discussion
Subject: Quick help on getting FreeBSD mailscanner backup

Almost have the box back up, but I am missing something.

After rebuilding the entire box, starting it up, I see this in my logs:

Nov 7 17:29:27 gammaflux2 MailScanner[779]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Nov 7 17:29:27 gammaflux2 MailScanner[779]: Read 748 hostnames from the phishing whitelist
Nov 7 17:29:27 gammaflux2 MailScanner[779]: User's home directory /var/spool/postfix is not writable
Nov 7 17:29:27 gammaflux2 MailScanner[779]: You need to set the "SpamAssassin User State Dir" to a directory that the "Run As User" can write to
Nov 7 17:29:28 gammaflux2 MailScanner[779]: Using SpamAssassin results cache
Nov 7 17:29:28 gammaflux2 MailScanner[779]: Could not create SpamAssassin cache database /var/spool/MailScanner/incoming/SpamAssassin.cache.db

I know it is something very simple, but I am missing it. I know I am
rushing and missing easy things.

Here are some settings in my configs:

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/hold
Quarantine Dir = /var/spool/MailScanner/quarantine

Appreciate the quick help.

-Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/315c8fc4/attachment.html

From KGoods at AIAInsurance.com Wed Nov 8 00:04:36 2006
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Wed Nov 8 00:11:42 2006
Subject: MailScanner and Exchange 5.5
Message-ID: <13C0059880FDD3118DC600508B6D4A6D013D8D3C@aiainsurance.com>

Steve Roy-Wojciechowski wrote:
> I am setting up a MailScanner system that will sit in front of an
> Exchange 5.5 server.
I had hoped to use milter-ahead but exchange 5.5
> blindly accepts mail for the domain without first checking the user.
> I was wanting incoming mail to the mailscanner machine to be checked
> by exchange and dropped at the incoming point if the user/mailbox
> doesn't exist. I am using sendmail on the Linux/MS machine with mail
> being forwarded via a mailertable rule. Is there another way of
> accomplishing this with either sendmail or mailscanner or even on
> exchange?
> There are approx 100 email addresses. My client will be upgrading to
> exchange 2003 sometime, but not in the near future.
> Thanks
>
> Steve

Hi Steve,

Easily doable with sendmail's virtusertable. I use it here and it works
a charm. Since I've only got about two hundred email addresses that
don't change that often I usually do it manually. I did however export
the mailboxes from Exchange (5.5) and wrote a little visual basic
program to initially build the list. If you'd like to know more details
contact me off list since this is a little off topic.

HTH!

Kind regards,
Ken

Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.

From Jeff.Mills at versacold.com.au Wed Nov 8 00:13:53 2006
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Wed Nov 8 00:12:36 2006
Subject: MailScanner and Exchange 5.5
Message-ID: <197F21E06E4D2A478519EA9078D6AA1C0466D032@poclexch.AU.POCOLD.POCL>

> Is there another way of
> accomplishing this with either sendmail or mailscanner or even on
> exchange?

I'm using postfix/mailscanner in front of exchange, and I use a Perl
script to pull valid email addresses from AD and populate a file for
hashing in postfix.
Some info here:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users#ms_exchange

Postfix's relay_recipient_maps points to this file, and invalid email
addresses are immediately rejected.

*** "This company is now part of the Versacold Holdings Corp.
and is no longer owned by or affiliated with the P&O Group" ***

Please update your address books:
Was: firstname.lastname@pocold.com.au
Now: firstname.lastname@versacold.com.au

************** www.versacold.com **************

From james at grayonline.id.au Wed Nov 8 00:14:10 2006
From: james at grayonline.id.au (James Gray)
Date: Wed Nov 8 00:14:29 2006
Subject: Greylisting .. nice ..
In-Reply-To: <20061107141218.D5240@mikea.ath.cx>
References: <45508986.65ED.00A2.0@plattesheriff.org> <20061107141218.D5240@mikea.ath.cx>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/11/2006, at 7:12 AM, mikea wrote:
> $ grep graylist /var/log/maillog | wc -l
> 2807
> $ grep "accepted for delivery" /var/log/maillog | wc -l
> 2308
>
> Just now, at 1409 local:
> grep "accepted for delivery" /var/log/maillog | wc -l && grep
> graylist /var/log/maillog | wc -l
> 2642
> 3115

Just a quick observation that has nothing to do with grey listing :)

Most *nix admins I know have broken old habits and no longer do the old
(and unnecessary) "cat | less" in lieu of the more terse "less " along
with other redundant pipes. Similarly "grep" can count matching lines
without the need of piping through "wc" (at least I can confirm this
with Gnu grep...not sure of the others).

grep | wc -l
is effectively the same as
grep -c

"man grep" reveals:
- -c, --count
Suppress normal output; instead print a count of matching lines for
each input file. With the -v, --invert-match option (see below), count
non-matching lines.

Not sure how BSD/Solaris/AIX/etc grep does things, but the "-c" option
has been around for ages in Gnu-land and gnu-grep is the standard on
Mac OSX along with all the Linuxes.

Usual disclaimers apply and YMMV :)

Cheers,

James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFUSFWwBHpdJO7b9ERApL5AKDC6PDIvvkmvveQ5/EuPgIZ/mJGfACdGI7S
JfLQ8xiN8e9g5qNy6veecQ0=
=tRr0
-----END PGP SIGNATURE-----

From jwilliams at courtesymortgage.com Wed Nov 8 00:17:06 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 00:17:09 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD183@cmexchange01.CourtesyMortgage.local>

Just a quick question.

Any major changes I need to be aware that might not work with my new
setup?
I have noticed a few different things and wasn't sure if it would affect
MailScanner or MTA transactions at all.

I appreciate the help.

-Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/2ec6ca09/attachment.html

From jwilliams at courtesymortgage.com Wed Nov 8 00:43:03 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 00:43:13 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>

Ok...I am back up, for the most part, but have a question.

I see this in my maillog file:

Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1026: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1060: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1094: uid 125: not a regular file

That happens after I type: "mailq" at the command line.

I'm sure something is boogered up on my end.
At this point, I am extremely tired and am starting to overlook and make
mistakes.

Anyone have an idea?
This is probably more directed towards postfix, but
wasn't sure if I missed a config setting somewhere for MS.

Thanks.

-Jason

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Williams
Sent: Tuesday, November 07, 2006 4:17 PM
To: MailScanner discussion
Subject: MailScanner users using latest Postfix

Just a quick question.

Any major changes I need to be aware that might not work with my new
setup?
I have noticed a few different things and wasn't sure if it would affect
MailScanner or MTA transactions at all.

I appreciate the help.

-Jason

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/42c406fa/attachment.html

From drew at technologytiger.net Wed Nov 8 00:44:42 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Nov 8 00:44:46 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD183@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD183@cmexchange01.CourtesyMortgage.local>
Message-ID: <4115A05E-6D1D-41E9-B30F-CF1B42EE9A73@technologytiger.net>

On 8 Nov 2006, at 00:17, Jason Williams wrote:

> Just a quick question.
>
> Any major changes I need to be aware that might not work with my
> new setup?
> I have noticed a few different things and wasn't sure if it would
> affect MailScanner or MTA transactions at all.

Don't think so from the top of my head. There are a few extras that
you can play with in your own time (Like milter support in PF) but
providing you have set your queue depths correctly (You will know if
you haven't, it won't work!)
both sides of MailScanner nothing much else has changed really.

Drew

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061108/9e7f3e16/attachment.html

From jwilliams at courtesymortgage.com Wed Nov 8 01:13:04 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 01:13:12 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD18B@cmexchange01.CourtesyMortgage.local>

> Don't think so from the top of my head. There are a few extras that you can play with in your own time (Like milter support in PF) but providing you have set your queue depths correctly You will
> know if you haven't, it won't work!) both sides of MailScanner nothing much else has changed really.

Drew

--------

Thanks. I appreciate.

Well, it is accepting and delivering mail, so that is a good thing.
Looks like I need to go through a just comb through the config file
again and set all my settings as needed.
I was not planning on this today, so I apologize for sounding and being
very rushed.

If I can ask a quick question. Is this correct, for settings in
MailScanner.conf?

Should:

Incoming Work Dir = /var/spool/MailScanner/incoming

That right?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/b603e9a7/attachment.html

From jwilliams at courtesymortgage.com Wed Nov 8 01:28:35 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 01:28:43 2006
Subject: Notify Senders question
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>

Something that is odd right now.

I have setup MS to NOT notify any senders if they send a virus, blocked
files, blocked content, basically everything.

In a quick test, I sent it from my account to an outside account and noticed that it did not notify me (the sender) which is great. However, it notified the recipient.

Is there a way to disable that?
Or is that built in and should it be that way?

-Thanks

From Dominique.Marant at univ-lille1.fr Wed Nov 8 08:12:47 2006
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Wed Nov 8 08:13:23 2006
Subject: ClamAV update
In-Reply-To:
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com>
 <455051F5.4050304@solidstatelogic.com>
 <4550A11B.6000002@univ-lille1.fr>
Message-ID: <4551917F.2010800@univ-lille1.fr>

Ugo Bellavance wrote:
> Dominique Marant wrote:
>> I installed install-Clam-0.88.6-SA-3.1.7
>>
>> In virus.scanners.conf :
>> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
>> clamavmodule /bin/false /tmp
>>
>> In MailScanner.conf :
>> Virus Scanners = clamavmodule
>> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
>>
>> It seems that clamav is not automatically updated because I don't see
>> any change in /usr/local/share/clamav/ and I don't see clamav in
>> update.virus.scanners lines in the log.
>>
>> How to configure MailScanner to update ClamAV every day ?
>
> This should be done hourly, automatically.

No, I installed install-Clam-0.88.6-SA-3.1.7 and I ran freshclam yesterday.
And no update since yesterday :

# ls -l /usr/local/share/clamav
total 7000
-rw-r--r-- 1 mail mail 221948 Nov 7 15:00 daily.cvd
-rw-r--r-- 1 mail mail 6924820 Nov 7 15:00 main.cvd

>
>> Could you say me if I have to perform a freshclam by the crontab ?
>
> No, you don't.
>
>> In the MailScanner log, how to see the version of ClamAv using by
>> MailScanner ?
>
> This info is not present in MailScanner's log.
>
>> In the MailScanner log, how to see the version of Spamassassin using
>> by MailScanner ?
>
> This info is not present in MailScanner's log.
>
>> In the MailScanner log, how to see if ClamAV version is OUTDATED ?
>
> This info is not present in MailScanner's log.
>
> See /tmp/ClamAV.update.log
>
>>
>> Thanks in advance
>>
>> Dominique
>>
>>
>

From martinh at solidstatelogic.com Wed Nov 8 09:15:02 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 09:15:15 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
Message-ID: <4551A016.2010402@solidstatelogic.com>

Jason Williams wrote:
> Ok...I am back up, for the most part, but have a question.
>
> I see this in my maillog file:
>
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1026: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1060: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1094: uid 125: not a regular file
>
> That happens after I type: "mailq" at the command line.
>
> I'm sure something is boogered up on my end.
> At this point, I am extremely tired and am starting to overlook and make
> mistakes.
>
> Anyone have a idea? This is probably more directed towards postfix, but
> wasn't sure if I missed a config setting somewhere for MS.
>
> Thanks.
>
> -Jason
>
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Jason
> Williams
> *Sent:* Tuesday, November 07, 2006 4:17 PM
> *To:* MailScanner discussion
> *Subject:* MailScanner users using latest Postfix
>
> Just a quick question.
>
> Any major changes I need to be aware that might not work with my new setup?
> I have noticed a few different things and wasn't sure if it would affect
> MailScanner or MTA transactions at all.
>
> I appreciate the help.
>
> -Jason

Jason

If you've just gone to PF 2.3 from 2.2 or previous that major change is that PF no longer does split spool directories by default.

Hence why you see 'old' directories in the spool and you've not told PF to do split spool in the main.cf.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From glenn.steen at gmail.com Wed Nov 8 09:26:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 09:26:16 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD18B@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD18B@cmexchange01.CourtesyMortgage.local>
Message-ID: <223f97700611080126j15935c41tf95d6012fc3209c4@mail.gmail.com>

On 08/11/06, Jason Williams wrote:
>
>
>
> Don't think so from the top of my head.
There are a few extras that you
> can play with in your own time (Like milter support in PF) but providing you
> have set your queue depths correctly You will > know if you haven't, it
> won't work!) both sides of MailScanner nothing much else has changed really.
>
>
> Drew
> --------
>
> Thanks. I appreciate.
> Well, it is accepting and delivering mail, so that is a good thing.
>
> Looks like I need to go through and just comb through the config file again
> and set all my settings as needed.
> I was not planning on this today, so I apologize for sounding and being very
> rushed.
> If I can ask a quick question. Is this correct, for settings in
> MailScanner.conf?
>
> Should:
> Incoming Work Dir = /var/spool/MailScanner/incoming
>
>
> That right?

Jason, from an earlier mail by you, I couldn't help noticing that you had set the Incoming Work Dir to the postfix hold queue directory... This is, simply put, wrong. Set it to something like /var/spool/MailScanner/incoming ... This is the directory where the MailScanner children "plays" all by their lonesome selves... There will be a subdirectory/process ID (with the PID as name). These subdirectories could potentially confuse the hell out of things, if placed in an active postfix queue.

As it is now, when set to the hold queue, the only postfix commands that are affected are postqueue -p (mailq for short:-) and postsuper, and probably rather mildly.

Simply stop MailScanner, adjust MailScanner.conf and fire it up again.

So the quick answer is "yes":-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 8 09:36:02 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 09:36:05 2006
Subject: Notify Senders question
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>
Message-ID: <223f97700611080136l79831846ud0a50275b1196b30@mail.gmail.com>

On 08/11/06, Jason Williams wrote:
>
>
>
> Something that is odd right now.
>
> I have setup MS to NOT notify any senders if they send a virus, blocked
> files, blocked content, basically everything.
>
> In a quick test, I sent it from my account to an outside account and noticed
> that it did not notify me (the sender) which is great. However, it notified
> the recipient.
>
> Is there a way to disable that?
> Or is that built in and should it be that way?
>

Check your settings for
Silent Viruses
Still Deliver Silent Viruses
and possibly some others like
Deliver Disinfected Files

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 8 09:41:09 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 09:41:13 2006
Subject: ClamAV update
In-Reply-To: <4551917F.2010800@univ-lille1.fr>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com>
 <455051F5.4050304@solidstatelogic.com>
 <4550A11B.6000002@univ-lille1.fr>
 <4551917F.2010800@univ-lille1.fr>
Message-ID: <223f97700611080141u1b3d6950v2bde81189e722803@mail.gmail.com>

On 08/11/06, Dominique Marant wrote:
> Ugo Bellavance wrote:
> > Dominique Marant wrote:
> >> I installed install-Clam-0.88.6-SA-3.1.7
> >>
> >> In virus.scanners.conf :
> >> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
> >> clamavmodule /bin/false /tmp
> >>
> >> In MailScanner.conf :
> >> Virus
Scanners = clamavmodule
> >> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
> >>
> >> It seems that clamav is not automatically updated because I don't see
> >> any change in /usr/local/share/clamav/ and I don't see clamav in
> >> update.virus.scanners lines in the log.
> >>
> >> How to configure MailScanner to update ClamAV every day ?
> >
> > This should be done hourly, automatically.
>
> No, I installed install-Clam-0.88.6-SA-3.1.7 and I ran freshclam yesterday.
> And no update since yesterday :
>
> # ls -l /usr/local/share/clamav
> total 7000
> -rw-r--r-- 1 mail mail 221948 Nov 7 15:00 daily.cvd
> -rw-r--r-- 1 mail mail 6924820 Nov 7 15:00 main.cvd
>
(snip)
> > This info is not present in MailScanner's log.
> >
> > See /tmp/ClamAV.update.log

This is the part of Ugo's advice you should pay attention to.
Run update_virus_scanners by hand, then check the mail log (to see which scanners it has detected, and tried to update... For this to work with clamavmodule, you need a correct entry for clamav in virus.scanners.conf), as well as the file /tmp/ClamAV.update.log (which holds the output from any, possibly failed, freshclam runs).
Look at that, and report any errors... if you still need help with this;-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From housey at sme-ecom.co.uk Wed Nov 8 09:42:58 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Wed Nov 8 09:43:15 2006
Subject: Could not analyze message
In-Reply-To: <4550BDC7.4050302@solidstatelogic.com>
Message-ID:

Hi Martin

Ive set both Debug = yes and Debug SpamAssassin = yes nothing in the logs of any note.

New Batch: Scanning 1 messages, 2080 bytes
Created attachment dirs for 1 messages
SpamAssassin returned 0
Virus and Content Scanning: Starting
Commencing scanning by clamavmodule...
Completed scanning by clamavmodule
Completed checking by /usr/bin/file
Saved entire message to /var/spool/MailScanner/quarantine/20061107/kA3DWXX9018872

Ive tried this now with a fresh install of the latest stable version of MailScanner and get the same "Could not analyze message", so I believe the problem is easily reproducible. I can send someone offlist the qf/df pair?

Thanks for your help so far.

Kind Regards

Paul

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin Hepworth
Sent: 07 November 2006 17:09
To: MailScanner discussion
Subject: Re: Could not analyze message

Paul Houselander wrote:
> Hi Martin
>
> Thanks for the debug tip forgot all about that!
>
> I set
>
> Debug = yes
> Debig SpamAssassin = no
>
> and copied the qf/qf pair back into /var/spool/mqueue.in
>
> I started up MailScanner
>
> MailScanner: In Debugging mode, not forking....
>
> The message got quarantined but the debug info didnt really show anything -
> I got a message saying
>
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
>
> But I put some other messages in and got exactly the same problem.
>
> Any other tips :-)
>
> Paul
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin
> Hepworth
> Sent: 07 November 2006 15:02
> To: MailScanner discussion
> Subject: Re: Could not analyze message
>
>
> Paul Houselander wrote:
>> Nope I dont think thats the problem, ive just realised I gave the headers
>> from the released email (i have a little script that releases an email from
>> quarantine), below is the raw qf file data:-
>>
>> Any other ideals, I just cant get this email through unscanned or better
>> still understand why MailScanner cant analyze the message.
>>
>> Cheers
>>
>
> Paul
>
> can you drop this back into the queue and run mailScanner/Spamassassin
> in debug mode? You may then be able to spot whats going awry.
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

Paul
set both options to debug - also check the maillog file

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

This message has been scanned by the Allteks Mailsafe Service

From glenn.steen at gmail.com Wed Nov 8 09:45:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 09:45:30 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <4551A016.2010402@solidstatelogic.com>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
 <4551A016.2010402@solidstatelogic.com>
Message-ID: <223f97700611080145r4040131cs282a0551250f89b8@mail.gmail.com>

On 08/11/06, Martin Hepworth wrote:
(snip)
>
> Jason
> If you've just gone to PF 2.3 from 2.2 or previous that major change is
> that PF no longer does split spool directories by default.
>
> Hence why you see 'old' directories in the spool and you've not told PF
> to do split spool in the main.cf.
>

Nope. The problem is a simple Miss Config in MS...:-D
See my other answer in this thread for details (if you're really interested:).
Good guess though, even if it isn't right;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From housey at sme-ecom.co.uk Wed Nov 8 10:11:14 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Wed Nov 8 10:11:18 2006
Subject: Could not analyze message
In-Reply-To:
Message-ID:

Emmm, I was just trying a few things and tried changing the following line in the qf file

H??Content-Type: multipart/mixed

to

H??Content-Type: text/plain; charset="iso-8859-1";format=flowed (i copied from another plain text email I had)

and the message was not quarantined, so it must be this that is causing MailScanner to throw up the "Could not analyze message", the message is just plain text, I dont imagine this is a MailScanner prob as this is the only message that I get with this problem.

Can anyone shed any light on this? could it be a badly written mail client? do you need some other headers when Content-Type: is multipart/mixed?

This is the complete bit of the qf file (after all the received lines)

H??From: "xxxxxxxxxxxxx"
H??Subject: Proof of Delivery
H??To: xxxxxxxxxxxxx
H??Content-Type: multipart/mixed
H??Date: Fri, 3 Nov 2006 13:32:29 +0000
H??Message-ID:
H??X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) FILETIME=[825D5570:01C6FF4C]

Ive just taken a look at another message that is multipart/mixed and it has

Mime-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_Part_1920_10465405.1162980009645"

Which the message that Could not be analyzed does not

Cheers

Paul

From martinh at solidstatelogic.com Wed Nov 8 10:13:52 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 10:14:20 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <4551ADE0.6060102@solidstatelogic.com>

Paul Houselander wrote:
> Hi Martin
>
> Ive set both Debug = yes and Debug SpamAssassin = yes nothing in the logs of
> any note.
>
> New Batch: Scanning 1 messages, 2080 bytes
> Created attachment dirs for 1 messages
> SpamAssassin returned 0
> Virus and Content Scanning: Starting
> Commencing scanning by clamavmodule...
> Completed scanning by clamavmodule
> Completed checking by /usr/bin/file
> Saved entire message to
> /var/spool/MailScanner/quarantine/20061107/kA3DWXX9018872
>
> Ive tried this now with a fresh install of the latest stable version of
> MailScanner and get the same "Could not analyze message", so I believe the
> problem is easily reproducible. I can send someone offlist the qf/df pair?
>
> Thanks for your help so far.
>
> Kind Regards
>
> Paul

Paul

Send it to Jules - who must be busy with his day job..He also may need remote access to the machine..

mailscanner@ecs.soton.ac.uk

one point can you do a MailScanner -v to see if theres any issues with perl modules??

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Wed Nov 8 10:21:13 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 10:21:28 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <4551AF99.8050003@solidstatelogic.com>

Paul Houselander wrote:
> Emmm, I was just trying a few things and tried changing the following line
> in the qf file
>
> H??Content-Type: multipart/mixed
>
> to
>
> H??Content-Type: text/plain; charset="iso-8859-1";format=flowed (i copied
> from another plain text email I had)
>
> and the message was not quarantined, so it must be this that is causing
> MailScanner to throw up the "Could not analyze message", the message is just
> plain text, I dont imagine this is a MailScanner prob as this is the only
> message that I get with this problem.
>
> Can anyone shed any light on this? could it be a badly written mail client?
> do you need some other headers when Content-Type: is multipart/mixed?
> > This is the complete bit of the qf file (after all the recived lines) > > H??From: "xxxxxxxxxxxxx" > H??Subject: Proof of Delivery > H??To: xxxxxxxxxxxxx > H??Content-Type: multipart/mixed > H??Date: Fri, 3 Nov 2006 13:32:29 +0000 > H??Message-ID: > H??X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) > FILETIME=[825D5570:01C6FF4C] > > Ive just taken a look at another message that is multipart/mixed and it has > > Mime-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_Part_1920_10465405.1162980009645" > > Which the message that Could not be analyzed does not > > Cheers > > Paul > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Paul > Houselander > Sent: 08 November 2006 09:43 > To: MailScanner discussion > Subject: RE: Could not analyze message > > > Hi Martin > > Ive set both Debug = yes and Debug SpamAssassin = yes nothing in the logs of > any note. > > New Batch: Scanning 1 messages, 2080 bytes > Created attachment dirs for 1 messages > SpamAssassin returned 0 > Virus and Content Scanning: Starting > Commencing scanning by clamavmodule... > Completed scanning by clamavmodule > Completed checking by /usr/bin/file > Saved entire message to > /var/spool/MailScanner/quarantine/20061107/kA3DWXX9018872 > > Ive tried this now with a fresh install of the latest stable version of > MailScanner and get the same "Could not analyze message", so I believe the > problem is easily reproducible. I can send someone offlist the qf/df pair? > > Thanks for your help so far. > > Kind Regards > > Paul > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin > Hepworth > Sent: 07 November 2006 17:09 > To: MailScanner discussion > Subject: Re: Could not analyze message > > > Paul Houselander wrote: >> Hi Martin >> >> Thanks for the debug tip forgot all about that! 
>> >> I set >> >> Debug = yes >> Debig SpamAssassin = no >> >> and copied the qf/qf pair back into /var/spool/mqueue.in >> >> I started up MailScanner >> >> MailScanner: In Debugging mode, not forking.... >> >> The message got quarantined but the debug info didnt really show > anything - >> I got a message saying >> >> format error: can't find EOCD signature >> at /usr/sbin/MailScanner line 820 >> >> But I put some other messages in and got exactly the same problem. >> >> Any other tips :-) >> >> Paul >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin >> Hepworth >> Sent: 07 November 2006 15:02 >> To: MailScanner discussion >> Subject: Re: Could not analyze message >> >> >> Paul Houselander wrote: >>> Nope I dont think thats the problem, ive just realised I gave the headers >>> from the released email (i have a little script that releases an email >> from >>> quarantine), below is the raw qf file data:- >>> >>> Any other ideals, I just cant get this email through unscanned or better >>> still understand why MailScanner cant analyze the message. >>> >>> Cheers >>> >> >> Paul >> >> can you drop this back into the queue and run mailScanner/Spamassassin >> in debug mode? You may then be able to spot whats going awry. >> >> -- >> Martin Hepworth >> Senior Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> ********************************************************************** >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the system manager. >> >> This footnote confirms that this email message has been swept >> for the presence of computer viruses and is believed to be clean. 
>>
>> **********************************************************************
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>> This message has been scanned by the Allteks Mailsafe Service
>>
>>
>>
> Paul
> set both options to debug - also check the maillog file
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

Paul

looking at RFC2387 which describes all this, I'd say the client is broke.
You should get some idea of the client in the headers.
I'd drop Jules an email..he's more used to dealing with rfc stuff and
reading them than me..;-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From shuttlebox at gmail.com Wed Nov 8 13:14:43 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Nov 8 13:14:47 2006
Subject: Greylisting .. nice ..
In-Reply-To:
References: <45508986.65ED.00A2.0@plattesheriff.org> <20061107141218.D5240@mikea.ath.cx>
Message-ID: <625385e30611080514j15781a5cp51dbb7cb9e45fb13@mail.gmail.com>

On 11/8/06, James Gray wrote:
> Not sure how BSD/Solaris/AIX/etc grep does things, but the "-c"
> option has been around for ages in Gnu-land and gnu-grep is the
> standard on Mac OSX along with all the Linuxes.

Standard Solaris has it:

-c Prints only a count of the lines that contain the pattern.

--
/peter

From Dominique.Marant at univ-lille1.fr Wed Nov 8 13:15:38 2006
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Wed Nov 8 13:16:12 2006
Subject: ClamAV update
In-Reply-To: <223f97700611080141u1b3d6950v2bde81189e722803@mail.gmail.com>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com> <4550A11B.6000002@univ-lille1.fr> <4551917F.2010800@univ-lille1.fr> <223f97700611080141u1b3d6950v2bde81189e722803@mail.gmail.com>
Message-ID: <4551D87A.2080602@univ-lille1.fr>

I see the problem !
By default, the install doesn't replace the files in /usr/lib/MailScanner !!
So, in /usr/lib/MailScanner, the files were too old :
-rwxr-xr-x 1 root root 1077 Dec 3 2002 clamav-autoupdate
-rwxr-xr-x 1 root root 2104 Apr 1 2006 clamav-autoupdate.dpkg-dist
-rwxr-xr-x 1 root root 1437 Dec 3 2002 clamav-wrapper
-rwxr-xr-x 1 root root 6157 May 27 21:19 clamav-wrapper.dpkg-dist

and so on for all Virus Scanning ...

Now, it's running successfully and I see the updates in the log.

FOR THE NEXT RELEASES :
I think it would be interesting to replace all the files in
/usr/lib/MailScanner by default.

Thanks for all
Dominique

Glenn Steen wrote:
> On 08/11/06, Dominique Marant wrote:
>> Ugo Bellavance wrote:
>> > Dominique Marant wrote:
>> >> I installed install-Clam-0.88.6-SA-3.1.7
>> >>
>> >> In virus.scanners.conf :
>> >> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
>> >> clamavmodule /bin/false /tmp
>> >>
>> >> In MailScanner.conf :
>> >> Virus Scanners = clamavmodule
>> >> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
>> >>
>> >> It seems that clamav is not automatically updated because I don't see
>> >> any change in /usr/local/share/clamav/ and I don't see clamav in
>> >> update.virus.scanners lines in the log.
>> >>
>> >> How to configure MailScanner to update ClamAV every day ?
>> >
>> > This should be done hourly, automatically.
>>
>> No, I installed install-Clam-0.88.6-SA-3.1.7 and I ran freshclam
>> yesterday.
>> And no update since yesterday :
>>
>> # ls -l /usr/local/share/clamav
>> total 7000
>> -rw-r--r-- 1 mail mail 221948 Nov 7 15:00 daily.cvd
>> -rw-r--r-- 1 mail mail 6924820 Nov 7 15:00 main.cvd
>>
> (snip)
>> > This info is not present in MailScanner's log.
>> >
>> > See /tmp/ClamAV.update.log
> This is the part of Ugo's advice you should pay attention to.
> Run
> update_virus_scanners
> by hand, then check the mail log (to see which scanners it has
> detected, and tried to update...
> For this to work with clamavmodule,
> you need a correct entry for clamav in virus.scanners.conf), as well
> as the file /tmp/ClamAV.update.log (which holds the output from any,
> possibly failed, freshclam runs).
>
> Look at that, and report any errors... if you still need help with
> this;-)

From jeremy.henty at nec.ac.uk Wed Nov 8 13:25:40 2006
From: jeremy.henty at nec.ac.uk (Jeremy Henty)
Date: Wed Nov 8 13:31:12 2006
Subject: Mailscanner UDP connections
Message-ID: <1098353490jeremy.henty@nec.ac.uk>

Running lsof on a Mailscanner box (an ancient RH7) I see every few
seconds a batch of entries like this:

MailScann 19062 postfix 7u IPv4 22883898 UDP *:58004
MailScann 19062 postfix 9u IPv4 22883899 UDP *:58005
MailScann 19062 postfix 10u IPv4 22883900 UDP *:58006
MailScann 19062 postfix 11u IPv4 22883901 UDP *:58007
MailScann 19062 postfix 12u IPv4 22883902 UDP *:58008
MailScann 19062 postfix 13u IPv4 22883903 UDP *:58009
MailScann 19062 postfix 14u IPv4 22883904 UDP *:58010
MailScann 19062 postfix 15u IPv4 22883905 UDP *:58011
MailScann 19062 postfix 16u IPv4 22883906 UDP *:58012
MailScann 19062 postfix 17u IPv4 22883907 UDP *:58013

What is Mailscanner doing that requires these connections? RBL
checks?

Regards,

Jeremy Henty

From drew at technologytiger.net Wed Nov 8 14:02:42 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Nov 8 14:02:53 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
Message-ID: <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net>

On Wed, November 8, 2006 00:43, Jason Williams wrote:
> Ok...I am back up, for the most part, but have a question.
>
> I see this in my maillog file:
>
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1026: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1060: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1094: uid 125: not a regular file
>
>
> That happens after I type: "mailq" at the command line.
>
> I'm sure something is boogered up on my end.
> At this point, I am extremely tired and am starting to overlook and make
> mistakes.
>
> Anyone have an idea? This is probably more directed towards postfix, but
> wasn't sure if I missed a config setting somewhere for MS.

I would suggest there is a razor config file in the hold queue. Just ls
-al /var/spool/postfix/hold and have a look. If there is you need to do a
little tweaking of your config so SA stops putting the log file there,
then delete the file.

Drew

From glenn.steen at gmail.com Wed Nov 8 14:16:37 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 14:16:40 2006
Subject: ClamAV update
In-Reply-To: <4551D87A.2080602@univ-lille1.fr>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com> <4550A11B.6000002@univ-lille1.fr> <4551917F.2010800@univ-lille1.fr> <223f97700611080141u1b3d6950v2bde81189e722803@mail.gmail.com> <4551D87A.2080602@univ-lille1.fr>
Message-ID: <223f97700611080616y74dcec19gcb82b6fd64fa37da@mail.gmail.com>

On 08/11/06, Dominique Marant wrote:
> I see the problem !
> By default, the install doesn't replace the files in /usr/lib/MailScanner !!
>
> So, in /usr/lib/MailScanner, the files were too old :
> -rwxr-xr-x 1 root root 1077 Dec 3 2002 clamav-autoupdate
> -rwxr-xr-x 1 root root 2104 Apr 1 2006 clamav-autoupdate.dpkg-dist
> -rwxr-xr-x 1 root root 1437 Dec 3 2002 clamav-wrapper
> -rwxr-xr-x 1 root root 6157 May 27 21:19 clamav-wrapper.dpkg-dist
>
> and so on for all Virus Scanning ...
>
> Now, it's running successfully and I see the updates in the log.
>
> FOR THE NEXT RELEASES :
> I think it would be interesting to replace all the files in
> /usr/lib/MailScanner by default.
>
> Thanks for all
> Dominique

Great that you found it.
I don't rightly know who maintains the Debian package, but this error
report should go to that/those person(s)... We'll just hope s/he/they
are listening in:-).
One could say that it is an analogous problem to the usual
.rpmsave/.rpmnew one:-). Oh well.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 8 14:42:05 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 14:42:11 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local> <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net>
Message-ID: <223f97700611080642x64608e8cw2a3dca5b5c8e9437@mail.gmail.com>

On 08/11/06, Drew Marshall wrote:
> On Wed, November 8, 2006 00:43, Jason Williams wrote:
> > Ok...I am back up, for the most part, but have a question.
> >
> > I see this in my maillog file:
> >
> > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid 125: not a regular file
> > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid 125: not a regular file
> > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1026: uid 125: not a regular file
> > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1060: uid 125: not a regular file
> > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1094: uid 125: not a regular file
> >
> >
> > That happens after I type: "mailq" at the command line.
> >
> > I'm sure something is boogered up on my end.
> > At this point, I am extremely tired and am starting to overlook and make
> > mistakes.
> >
> > Anyone have an idea? This is probably more directed towards postfix, but
> > wasn't sure if I missed a config setting somewhere for MS.
>
> I would suggest there is a razor config file in the hold queue. Just ls
> -al /var/spool/postfix/hold and have a look. If there is you need to do a
> little tweaking of your config so SA stops putting the log file there,
> then delete the file.
>
> Drew

Usually I'd agree, but (clued in from another thread by Jason) this
time it is because he set the (MailScanner) Incoming Work Dir to be
the hold queue... So those errors are due to MailScanner writing one
directory/child (child's PID as name) into the hold queue, nothing more
"sinister" than that:-).

Then again, with the speed and ... precision... Jason had while
setting this up, the usual problems with bayes, razor etc isn't
unlikely, I'll readily agree to that:-).
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From drew at technologytiger.net Wed Nov 8 15:27:05 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Nov 8 15:27:19 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <223f97700611080642x64608e8cw2a3dca5b5c8e9437@mail.gmail.com>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local> <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net> <223f97700611080642x64608e8cw2a3dca5b5c8e9437@mail.gmail.com>
Message-ID: <53362.194.70.180.170.1162999625.squirrel@www.technologytiger.net>

On Wed, November 8, 2006 14:42, Glenn Steen wrote:
>
> Usually I'd agree, but (clued in from another thread by Jason) this
> time it is because he set the (MailScanner) Incoming Work Dir to be
> the hold queue... So those errors are due to MailScanner writing one
> directory/child (child's PID as name) into the hold queue, nothing more
> "sinister" than that:-).

Ahh yes, just read that one. Agreed.

>
> Then again, with the speed and ... precision... Jason had while
> setting this up, the usual problems with bayes, razor etc isn't
> unlikely, I'll readily agree to that:-).

But I suspect in Jason's instance that is somewhere further down the work
stack. It works, time for bed, fix fine details later :-)

Now I wonder how many of us have done that? ;-)

Drew

From rpoe at plattesheriff.org Wed Nov 8 16:19:12 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Wed Nov 8 16:19:54 2006
Subject: MailScanner and Exchange 5.5
In-Reply-To:
References:
Message-ID: <4551AF20.65ED.00A2.0@plattesheriff.org>

Same problem with a Groupwise 5.2 system. I used sendmail's access.db

user@domain OK
user2@domain OK
@domain 550 Invalid Recipient

>>> "Steve Roy-Wojciechowski" 11/7/2006 5:57 PM >>>
I am setting up a MailScanner system that will sit in front of an Exchange 5.5 server.
I had hoped to use milter-ahead but exchange 5.5 blindly accepts mail for
the domain without first checking the user. I was wanting incoming mail to
the mailscanner machine to be checked by exchange and dropped at the
incoming point if the user/mailbox doesn't exist. I am using sendmail on
the Linux/MS machine with mail being forwarded via a mailertable rule. Is
there another way of accomplishing this with either sendmail or
mailscanner or even on exchange? There are approx 100 email addresses. My
client will be upgrading to exchange 2003 sometime, but not in the near
future.

Thanks

Steve

From glenn.steen at gmail.com Wed Nov 8 16:30:40 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 16:30:43 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <53362.194.70.180.170.1162999625.squirrel@www.technologytiger.net>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local> <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net> <223f97700611080642x64608e8cw2a3dca5b5c8e9437@mail.gmail.com> <53362.194.70.180.170.1162999625.squirrel@www.technologytiger.net>
Message-ID: <223f97700611080830i25b555fbg2bbe47bcc40475f0@mail.gmail.com>

On 08/11/06, Drew Marshall wrote:
> On Wed, November 8, 2006 14:42, Glenn Steen wrote:
> >
> > Usually I'd agree, but (clued in from another thread by Jason) this
> > time it is because he set the (MailScanner) Incoming Work Dir to be
> > the hold queue... So those errors are due to MailScanner writing one
> > directory/child (child's PID as name) into the hold queue, nothing more
> > "sinister" than that:-).
>
> Ahh yes, just read that one. Agreed.
>
> >
> > Then again, with the speed and ... precision...
> > Jason had while
> > setting this up, the usual problems with bayes, razor etc isn't
> > unlikely, I'll readily agree to that:-).
>
> But I suspect in Jason's instance that is somewhere further down the work
> stack. It works, time for bed, fix fine details later :-)

Likely true, yes:).

> Now I wonder how many of us have done that? ;-)

Are you suggesting that any of us would be in any way fallible?
Naaah.... Or wait....:-D
(I wonder what it's going to take to completely erase the memory of me
fat-fingering the Non Spam Actions (when I rewrote it for the header
"X-Spam..." thingy) so that I delivered quite a few messages directly
into the bitbucket... Jules "idiot-proofed" it after that... I still
blush, just thinking of it)
Or just making do with "working" instead of "working extremely
well"... Daily happening... Sigh.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 8 16:35:11 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 16:35:16 2006
Subject: MailScanner and Exchange 5.5
In-Reply-To: <4551AF20.65ED.00A2.0@plattesheriff.org>
References: <4551AF20.65ED.00A2.0@plattesheriff.org>
Message-ID: <223f97700611080835u9a7b809t29ce42872f107ac0@mail.gmail.com>

On 08/11/06, Rob Poe wrote:
> Same problem with a Groupwise 5.2 system. I used sendmail's access.db
>
> user@domain OK
> user2@domain OK
> @domain 550 Invalid Recipient
>
>

One could likely very easily modify the "postfix perl script" to do
this... and ISTR someone having scripted this already (perhaps using a
slightly different method) for sendmail, so a search of the list might
just turn something up.
Best would, of course, be if the one(s) who did that scripting...
updated the relevant wiki page with that info.
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From binaryflow at gmail.com Wed Nov 8 16:38:43 2006
From: binaryflow at gmail.com (Douglas Ward)
Date: Wed Nov 8 16:38:51 2006
Subject: Is razor working?
Message-ID:

I have fully configured MailScanner, spamassassin and razor (among many
other programs). Everything is in full production. I have followed the
documentation on razor.sourceforge.net
and everything seems to be working properly. Now that I am scanning
through the log files, I don't think MailScanner is using razor. Here
are the stats of grep -c in /var/log/mail/info:

PYZOR hits 729 times
DCC hits 5450 times
RAZOR hits 0 times

This doesn't sound right. I will list the relevant portion of
spam.assassin.prefs.conf below:

# paths to utilities
pyzor_path /usr/bin/pyzor
dcc_path /usr/bin/dccproc
razor_path /usr/bin/razor-check

Using default timeouts and none of the stop checks are uncommented. I
specify the location of razor with the following command:

razor_config /root/.razor

Razor is writing to the log file properly but I don't think
MailScanner/spamassassin uses it. How can I make sure that it is being
used? Thanks!

From ugob at camo-route.com Wed Nov 8 16:42:05 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Wed Nov 8 16:43:04 2006
Subject: Heads-up on Sanesecurity ClamAV signatures
Message-ID:

Hi,

I just fixed a problem related to the sanesecurity ClamAV signatures.
MailScanner kept on restarting, but I didn't realize it until I saw
logwatch reports stating that MailScanner scanned 4 times more messages
than it was logging to the MailWatch DB. I deleted the SaneSecurity
ClamAV signatures and the messages that kept making MailScanner barf
went through w/o problem.
Unfortunately, I didn't save the problematic queue files, so I can't send
them to SaneSecurity. Therefore, it may help people to know that I had
problems with it, but, even more important, think about saving the files
and sending them to prevent that.

Regards,

Ugo

From martinh at solidstatelogic.com Wed Nov 8 16:47:00 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 16:46:59 2006
Subject: Is razor working?
In-Reply-To:
References:
Message-ID: <45520A04.2090109@solidstatelogic.com>

Douglas Ward wrote:
> I have fully configured MailScanner, spamassassin and razor (among many
> other programs). Everything is in full production. I have followed the
> documentation on razor.sourceforge.net
> and everything seems to be working properly. Now that I am scanning
> through the log files, I don't think MailScanner is using razor. Here
> are the stats of grep -c in /var/log/mail/info:
>
> PYZOR hits 729 times
> DCC hits 5450 times
> RAZOR hits 0 times
>
> This doesn't sound right. I will list the relevant portion of
> spam.assassin.prefs.conf below:
>
> # paths to utilities
> pyzor_path /usr/bin/pyzor
> dcc_path /usr/bin/dccproc
> razor_path /usr/bin/razor-check
>
> Using default timeouts and none of the stop checks are uncommented. I
> specify the location of razor with the following command:
>
> razor_config /root/.razor
>
> Razor is writing to the log file properly but I don't think
> MailScanner/spamassassin uses it. How can I make sure that it is being
> used? Thanks!
>
>
Douglas

have you installed the plugins for Spamassassin?
/etc/mail/spamassassin/*.pre

Also make sure the razor config points to a decent directory (ie outside
any of the spool areas.)
--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From dward at nccumc.org Wed Nov 8 16:50:54 2006
From: dward at nccumc.org (Douglas Ward)
Date: Wed Nov 8 16:50:58 2006
Subject: Is razor working?
In-Reply-To: <45520A04.2090109@solidstatelogic.com>
References: <45520A04.2090109@solidstatelogic.com>
Message-ID:

I have v310.pre and v312.pre installed in /etc/mail/spamassassin. I
uncommented dcc, razor and pyzor. This being a mandriva server I
installed all three using urpmi. I did not install them using cpan.
Does that make a difference? The razor config file does not point to
any spool directories.

On 11/8/06, Martin Hepworth wrote:
>
> Douglas Ward wrote:
> > I have fully configured MailScanner, spamassassin and razor (among many
> > other programs). Everything is in full production. I have followed the
> > documentation on razor.sourceforge.net
> > and everything seems to be working properly. Now that I am scanning
> > through the log files, I don't think MailScanner is using razor. Here
> > are the stats of grep -c in /var/log/mail/info:
> >
> > PYZOR hits 729 times
> > DCC hits 5450 times
> > RAZOR hits 0 times
> >
> > This doesn't sound right. I will list the relevant portion of
> > spam.assassin.prefs.conf below:
> >
> > # paths to utilities
> > pyzor_path /usr/bin/pyzor
> > dcc_path /usr/bin/dccproc
> > razor_path /usr/bin/razor-check
> >
> > Using default timeouts and none of the stop checks are uncommented.
> > I specify the location of razor with the following command:
> >
> > razor_config /root/.razor
> >
> > Razor is writing to the log file properly but I don't think
> > MailScanner/spamassassin uses it. How can I make sure that it is being
> > used? Thanks!
> >
> >
> Douglas
>
> have you installed the plugins for Spamassassin?
> /etc/mail/spamassassin/*.pre
>
> Also make sure the razor config points to a decent directory (ie outside
> any of the spool areas.)
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

From martinh at solidstatelogic.com Wed Nov 8 16:54:41 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 16:54:45 2006
Subject: Is razor working?
In-Reply-To:
References: <45520A04.2090109@solidstatelogic.com>
Message-ID: <45520BD1.7020409@solidstatelogic.com>

Douglas Ward wrote:
> I have v310.pre and v312.pre installed in /etc/mail/spamassassin. I
> uncommented dcc, razor and pyzor.
> This being a mandriva server I
> installed all three using urpmi. I did not install them using cpan.
> Does that make a difference? The razor config file does not point to
> any spool directories.
>
> On 11/8/06, *Martin Hepworth* wrote:
>
> Douglas Ward wrote:
> > I have fully configured MailScanner, spamassassin and razor (among many
> > other programs). Everything is in full production. I have followed the
> > documentation on razor.sourceforge.net
> > and everything seems to be working properly. Now that I am scanning
> > through the log files, I don't think MailScanner is using razor. Here
> > are the stats of grep -c in /var/log/mail/info:
> >
> > PYZOR hits 729 times
> > DCC hits 5450 times
> > RAZOR hits 0 times
> >
> > This doesn't sound right. I will list the relevant portion of
> > spam.assassin.prefs.conf below:
> >
> > # paths to utilities
> > pyzor_path /usr/bin/pyzor
> > dcc_path /usr/bin/dccproc
> > razor_path /usr/bin/razor-check
> >
> > Using default timeouts and none of the stop checks are uncommented. I
> > specify the location of razor with the following command:
> >
> > razor_config /root/.razor
> >
> > Razor is writing to the log file properly but I don't think
> > MailScanner/spamassassin uses it. How can I make sure that it is being
> > used? Thanks!
> >
> >
> Douglas
>
> have you installed the plugins for Spamassassin?
> /etc/mail/spamassassin/*.pre
>
> Also make sure the razor config points to a decent directory (ie outside
> any of the spool areas.)
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
Doug

Do a spamassassin -D --lint and it should mention razor etc

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed.
If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From jwilliams at courtesymortgage.com Wed Nov 8 17:14:02 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 17:14:13 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD194@cmexchange01.CourtesyMortgage.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Wednesday, November 08, 2006 1:26 AM
To: MailScanner discussion
Subject: Re: MailScanner users using latest Postfix

On 08/11/06, Jason Williams wrote:
>
>
> > Don't think so from the top of my head. There are a few extras that
> you can play with in your own time (Like milter support in PF) but providing you
> have set your queue depths correctly You will know if you haven't, it
> won't work!) both sides of MailScanner nothing much else has changed really.
>
>
> Drew
> --------
>
> Thanks. I appreciate.
> Well, it is accepting and delivering mail, so that is a good thing.
>
> Looks like I need to go through a just comb through the config file
> again and set all my settings as needed.
> I was not planning on this today, so I apologize for sounding and
> being very rushed.
> If I can ask a quick question. Is this correct, for settings in
> MailScanner.conf?
>
> Should:
> Incoming Work Dir = /var/spool/MailScanner/incoming
>
>
> That right?
>
>
>Jason, from an earlier mail by you, I couldn't help noticing that you had set the Incoming Work Dir to the postfix hold queue directory...
>This is, simply put, wrong.
>
>Set it to something like /var/spool/MailScanner/incoming ...
>This is the directory where the MailScanner children "plays" all by their lonesome selves...
>There will be a subdirectory/process ID (with the PID as name). These subdirectories could potentially confuse the hell out of things, if placed in an
>active postfix queue. As it is now, when set to the hold queue, the only postfix commands that are affected are postqueue -p (mailq for short:-) and
>postsuper, and probably rather mildly.
>
>Simply stop MailScanner, adjust MailScanner.conf and fire it up again.
>
>So the quick answer is "yes":-).
>


Thanks for the help. I can't thank you enough.

Just so I am sure and have everything correct, let me put down what I
have here (still brewing my morning cup of java so bear with me :) ).


Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/hold
Quarantine Dir = /var/spool/MailScanner/quarantine


Now, I should change Incoming Work Dir to:?

Incoming Work Dir = /var/spool/postfix/incoming


Still get those funny messages in maillog:

Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9317: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9352: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9392: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9439: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9473: uid 125: not a regular file


Doing a quick look at the directory (incoming)

gammaflux2# ls -la /var/spool/postfix/incoming/
total 14
drwx------ 7 postfix wheel 512 Nov 8 10:47 .
drwxr-xr-x 16 root wheel 512 Nov 7 16:10 ..
drwx------ 2 postfix wheel 512 Nov 8 10:44 9317
drwx------ 2 postfix wheel 512 Nov 8 10:47 9352
drwx------ 2 postfix wheel 512 Nov 8 10:44 9392
drwx------ 2 postfix wheel 512 Nov 8 10:44 9439
drwx------ 2 postfix wheel 512 Nov 8 10:46 9473


Are those directories needed?


Thanks again everyone. Really appreciate your help and patience.

Cheers,

-Jason

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com Wed Nov 8 17:22:59 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 17:22:46 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD194@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD194@cmexchange01.CourtesyMortgage.local>
Message-ID: <45521273.7090003@solidstatelogic.com>

Jason Williams wrote:
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn
> Steen
> Sent: Wednesday, November 08, 2006 1:26 AM
> To: MailScanner discussion
> Subject: Re: MailScanner users using latest Postfix
>
> On 08/11/06, Jason Williams wrote:
>>
>> > Don't think so from the top of my head. There are a few extras that
>> you can play with in your own time (Like milter support in PF) but providing you
>> have set your queue depths correctly You will know if you haven't, it
>> won't work!) both sides of MailScanner nothing much else has changed really.
>>
>> Drew
>> --------
>>
>> Thanks. I appreciate.
>> Well, it is accepting and delivering mail, so that is a good thing.
>>
>> Looks like I need to go through a just comb through the config file
>> again and set all my settings as needed.
>> I was not planning on this today, so I apologize for sounding and
>> being very rushed.
>> If I can ask a quick question. Is this correct, for settings in
>> MailScanner.conf?
>>
>> Should:
>> Incoming Work Dir = /var/spool/MailScanner/incoming
>>
>>
>> That right?
>>
>>
>> Jason, from an earlier mail by you, I couldn't help noticing that you
> had set the Incoming Work Dir to the postfix hold queue directory...
>> This is, simply put, wrong.
>>
>> Set it to something like /var/spool/MailScanner/incoming ... This is
> the directory where the MailScanner children "plays" all by their
> lonesome selves... >There will be a subdirectory/process ID (with the
> PID as name). These subdirectories could potentially confuse the hell
> out of things, if placed in an >>active postfix queue. As it is now,
> when set to the hold queue, the only postfix commands that are affected
> are postqueue -p (mailq for short:-) and >>postsuper, and probably
> rather mildly.
>> Simply stop MailScanner, adjust MailScanner.conf and fire it up again.
>>
>> So the quick answer is "yes":-).
>>
>
>
> Thanks for the help. I can't thank you enough.
>
> Just so I am sure and have everything correct, let me put down what I
> have here (still brewing my morning cup of java so bear with me :) ).
>
>
> Incoming Queue Dir = /var/spool/postfix/hold
> Outgoing Queue Dir = /var/spool/postfix/incoming
> Incoming Work Dir = /var/spool/postfix/hold
> Quarantine Dir = /var/spool/MailScanner/quarantine
>
>
> Now, I should change Incoming Work Dir to:?
>
> Incoming Work Dir = /var/spool/postfix/incoming
>
>
> Still get those funny messages in maillog:
>
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9317:
> uid 125: not a regular file
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9352:
> uid 125: not a regular file
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9392:
> uid 125: not a regular file
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9439:
> uid 125: not a regular file
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9473:
> uid 125: not a regular file
>
>
> Doing a quick look at the directory (incoming)
>
> gammaflux2# ls -la /var/spool/postfix/incoming/
> total 14
> drwx------ 7 postfix wheel 512 Nov 8 10:47 .
> drwxr-xr-x 16 root wheel 512 Nov 7 16:10 ..
> drwx------ 2 postfix wheel 512 Nov 8 10:44 9317
> drwx------ 2 postfix wheel 512 Nov 8 10:47 9352
> drwx------ 2 postfix wheel 512 Nov 8 10:44 9392
> drwx------ 2 postfix wheel 512 Nov 8 10:44 9439
> drwx------ 2 postfix wheel 512 Nov 8 10:46 9473
>
>
> Are those directories needed?
>
>
> Thanks again everyone. Really appreciate your help and patience.
>
> Cheers,
>
> -Jason
>

Jason

create a new dir for the work stuff - this can be a tmpfs on linux and is normally recommended that way

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From jwilliams at courtesymortgage.com Wed Nov 8 17:31:57 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 17:32:09 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD195@cmexchange01.CourtesyMortgage.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Wednesday, November 08, 2006 9:23 AM
To: MailScanner discussion
Subject: Re: MailScanner users using latest Postfix

Jason Williams wrote:
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn
> Steen
> Sent: Wednesday, November 08, 2006 1:26 AM
> To: MailScanner discussion
> Subject: Re: MailScanner users using latest Postfix
>
> On 08/11/06, Jason Williams wrote:
>>
>> > Don't think so from the top of my head. There are a few extras
>> that
>
>> you can play with in your own time (Like milter support in PF) but
> providing you
>> have set your queue depths correctly You will > know if you
> haven't, it
>> won't work!) both sides of MailScanner nothing much else has changed
> really.
>>
>> Drew
>> --------
>>
>> Thanks. I appreciate.
>> Well, it is accepting and delivering mail, so that is a good thing.
>>
>> Looks like I need to go through a just comb through the config file
>> again and set all my settings as needed.
>> I was not planning on this today, so I apologize for sounding and
>> being very rushed.
>> If I can ask a quick question. Is this correct, for settings in
>> MailScanner.conf?
>>
>> Should:
>> Incoming Work Dir = /var/spool/MailScanner/incoming
>>
>>
>> That right?
>>
>>
>> Jason, from an earlier mail by you, I couldn't help noticing that you
> had set the Incoming Work Dir to the postfix hold queue directory...
>> This is, simply put, wrong.
>>
>> Set it to something like /var/spool/MailScanner/incoming ... This is
> the directory where the MailScanner children "plays" all by their
> lonesome selves... >There will be a subdirectory/process ID (with the
> PID as name). These subdirectories could potentially confuse the hell
> out of things, if placed in an >>active postfix queue. As it is now,
> when set to the hold queue, the only postfix commands that are
> affected are postqueue -p (mailq for short:-) and >>postsuper, and
> probably rather mildly.
>> Simply stop MailScanner, adjust MailScanner.conf and fire it up again.
>>
>> So the quick answer is "yes":-).
>>
>
>
> Thanks for the help. I can't thank you enough.
>
> Just so I am sure and have everything correct, let me put down what I
> have here (still brewing my morning cup of java so bear with me :) ).
>
>
> Incoming Queue Dir = /var/spool/postfix/hold Outgoing Queue Dir =
> /var/spool/postfix/incoming Incoming Work Dir =
> /var/spool/postfix/hold Quarantine Dir =
> /var/spool/MailScanner/quarantine
>
>
> Now, I should change Incoming Work Dir to:?
>
> Incoming Work Dir = /var/spool/postfix/incoming
>
>
> Still get those funny messages in maillog:
>
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9317:
> uid 125: not a regular file
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9352:
> uid 125: not a regular file
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9392:
> uid 125: not a regular file
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9439:
> uid 125: not a regular file
> Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9473:
> uid 125: not a regular file
>
>
> Doing a quick look at the directory (incoming)
>
> gammaflux2# ls -la /var/spool/postfix/incoming/ total 14
> drwx------ 7 postfix wheel 512 Nov 8 10:47 .
> drwxr-xr-x 16 root wheel 512 Nov 7 16:10 ..
> drwx------ 2 postfix wheel 512 Nov 8 10:44 9317
> drwx------ 2 postfix wheel 512 Nov 8 10:47 9352
> drwx------ 2 postfix wheel 512 Nov 8 10:44 9392
> drwx------ 2 postfix wheel 512 Nov 8 10:44 9439
> drwx------ 2 postfix wheel 512 Nov 8 10:46 9473
>
>
> Are those directories needed?
>
>
> Thanks again everyone. Really appreciate your help and patience.
>
> Cheers,
>
> -Jason
>
>
>Jason
>
>create a new dir for the work stuff - this can be a tmpfs on linux and is normally recommended that way
>
>Martin Hepworth

So I can create something as simple as:

Incoming Work Dir = /var/spool/postfix/work

Put on appropriate permissions.
Restart MS and that is it?

Cheers,

Jason

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com Wed Nov 8 17:38:46 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 17:38:30 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD195@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD195@cmexchange01.CourtesyMortgage.local>
Message-ID: <45521626.9060401@solidstatelogic.com>

Jason Williams wrote:
>
>
> So I can create something as simple as:
>
> Incoming Work Dir = /var/spool/postfix/work
>
> Put on appropriate permissions.
> Restart MS and that is it?
>
> Cheers,
>
> Jason
>
>

Nearly

I suggest /var/spool/mailscanner/work, then you're keeping it well out of postfix's area..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From jwilliams at courtesymortgage.com Wed Nov 8 17:59:08 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 17:59:21 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD198@cmexchange01.CourtesyMortgage.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Wednesday, November 08, 2006 9:39 AM
To: MailScanner discussion
Subject: Re: MailScanner users using latest Postfix

Jason Williams wrote:
>
>
> So I can create something as simple as:
>
> Incoming Work Dir = /var/spool/postfix/work
>
> Put on appropriate permissions.
> Restart MS and that is it?
>
> Cheers,
>
> Jason
>
>
>Nearly
>
>I suggest /var/spool/mailscanner/work, then you're keeping it well out of postfix's area..
>
>--
>Martin Hepworth

That did the trick. Thanks a ton!
Now I can relax a bit, fine tune it, go home and get some sleep. :)

Many thanks to everyone who helped.

-Jason

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dward at nccumc.org Wed Nov 8 18:34:58 2006
From: dward at nccumc.org (Douglas Ward)
Date: Wed Nov 8 18:35:01 2006
Subject: Is razor working?
In-Reply-To: <45520BD1.7020409@solidstatelogic.com>
References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com>
Message-ID:

Lines referencing razor:

[24295] dbg: diag: module installed: Razor2::Client::Agent,
[24295] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[24295] dbg: razor2: local tests only, skipping Razor version 2.82
[24295] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf

I did not have any warnings during the lint test.

On 11/8/06, Martin Hepworth wrote:
>
> Douglas Ward wrote:
> > I have v310.pre and v312.pre installed in /etc/mail/spamassassin. I
> > uncommented dcc, razor and pyzor. This being a mandriva server I
> > installed all three using urpmi. I did not install them using cpan.
> > Does that make a difference? The razor config file does not point to
> > any spool directories.
> >
> > On 11/8/06, *Martin Hepworth*
> > wrote:
> >
> > Douglas Ward wrote:
> > > I have fully configured MailScanner, spamassassin and razor
> > (among many
> > > other programs). Everything is in full production. I have
> > followed the
> > > documentation on razor.sourceforge.net
> >
> > > and everything seems to be working properly. Now that I am
> scanning
> > > through the log files, I don't think MailScanner is using
> > razor. Here
> > > are the stats of grep -c in /var/log/mail/info:
> > >
> > > PYZOR hits 729 times
> > > DCC hits 5450 times
> > > RAZOR hits 0 times
> > >
> > > This doesn't sound right. I will list the relevant portion of
> > > spam.assassin.prefs.conf below:
> > >
> > > # paths to utilities
> > > pyzor_path /usr/bin/pyzor
> > > dcc_path /usr/bin/dccproc
> > > razor_path /usr/bin/razor-check
> > >
> > > Using default timeouts and none of the stop checks are
> > uncommented.
I
> > > specify the location of razor with the following command:
> > >
> > > razor_config /root/.razor
> > >
> > > Razor is writing to the log file properly but I don't think
> > > MailScanner/spamassassin uses it. How can I make sure that it is
> > being
> > > used? Thanks!
> > >
> > >
> > Douglas
> >
> > have you installed the plugins for Spamassassin?
> > /etc/mail/spamassassin/*.pre
> >
> > Also make sure the razor config points to a decent directory (ie
> outside
> > any of the spool areas.)
> >
> > --
> > Martin Hepworth
> > Senior Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> Doug
>
> Do a spamassassin -D --lint and it should mention razor etc
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061108/fb7af551/attachment.html

From jkau at jasper.k12.ga.us Wed Nov 8 21:01:09 2006
From: jkau at jasper.k12.ga.us (Jason Kau)
Date: Wed Nov 8 21:01:18 2006
Subject: disabling Spam Check for sender reports
Message-ID: <20061108160109.hoo4vfkgw0cswg08@mail.jasper.k12.ga.us>

I apologize if this question has been asked before. I can't figure out how to keep sender reports (i.e. Sender Content Report, Sender Bad Filename Report, etc.) generated by MailScanner from being Spam Checked. How do I define a ruleset for "Spam Checks = " that excludes the sender reports given the envelope is not set in the sender report?

For example, the headers of a sender report look like:

================================
Return-Path: <>
X-Original-To: astokes@jasper.k12.ga.us
Delivered-To: astokes@jasper.k12.ga.us
Received: by puma.jasper.k12.ga.us (Postfix, from userid 89)
	id 4073413405B; Tue, 7 Nov 2006 10:58:10 -0500 (EST)
From: "Jasper MailScanner"
To: astokes@jasper.k12.ga.us
Subject: Warning: Attachment stripped from email
Message-Id: <20061107155810.4073413405B@puma.jasper.k12.ga.us>
Date: Tue, 7 Nov 2006 10:58:10 -0500 (EST)
X-Jasper-County-Schools-MailScanner-Information: MailScanner+McAfee+ClamAV
X-Jasper-County-Schools-MailScanner: Found to be clean
X-Jasper-County-Schools-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=0.9, required 5, BAYES_00 -2.60, NO_RELAYS -0.00,
	VIRUS_WARNING62 3.50)
X-Jasper-County-Schools-MailScanner-From:
X-Spam-Status: No
================================

This does not appear to match on "From: postmaster@jasper.k12.ga.us".

Thank you for your help.

--
Jason Kau
Consultant
Jasper County Schools
Monticello, GA

From alex at nkpanama.com Wed Nov 8 21:48:37 2006
From: alex at nkpanama.com (Alex Neuman)
Date: Wed Nov 8 21:49:14 2006
Subject: Greylisting .. nice ..
In-Reply-To: <625385e30611080514j15781a5cp51dbb7cb9e45fb13@mail.gmail.com>
References: <45508986.65ED.00A2.0@plattesheriff.org> <20061107141218.D5240@mikea.ath.cx> <625385e30611080514j15781a5cp51dbb7cb9e45fb13@mail.gmail.com>
Message-ID: <455250B5.9060709@nkpanama.com>

shuttlebox wrote:
> On 11/8/06, James Gray wrote:
>> Not sure how BSD/Solaris/AIX/etc grep does things, but the "-c"
>> option has been around for ages in Gnu-land and gnu-grep is the
>> standard on Mac OSX along with all the Linuxes.
>
> Standard Solaris has it:
>
> -c Prints only a count of the lines that contain the pat-
> tern.
>
>

Old habits die hard... ;)

From jimc at laridian.com Wed Nov 8 21:53:31 2006
From: jimc at laridian.com (Jim Coates)
Date: Wed Nov 8 21:55:22 2006
Subject: Greylisting with Sendmail and FreeBSD
In-Reply-To: <455250B5.9060709@nkpanama.com>
Message-ID: <01e801c70380$54dd3970$6401a8c0@zorak>

How hard is it to install Greylisting on a machine running FreeBSD, Sendmail and MailScanner?

Is there a particular package that you all recommend?

I asked our FreeBSD host about it, and they say that they've never used it.

An interesting note - Yahoo has started using greylisting on their email accounts.

Thanks,
Jim

From mkettler at evi-inc.com Wed Nov 8 22:12:06 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 8 22:12:15 2006
Subject: Greylisting with Sendmail and FreeBSD
In-Reply-To: <01e801c70380$54dd3970$6401a8c0@zorak>
References: <01e801c70380$54dd3970$6401a8c0@zorak>
Message-ID: <45525636.2010003@evi-inc.com>

Jim Coates wrote:
> How hard is it to install Greylisting on a machine running FreeBSD, Sendmail
> and MailScanner?
>
> Is there a particular package that you all recommend?

I use milter-greylist. It's pretty easy, and its ACL based setup lets you set it up more-or-less any way you want.. greylist by default, or by explicit rule, etc.

The current release candidates also support using dnsrbl's as acl rules, and per-rule over-ride of greylist duration.
Putting the two together you can do things like greylist for longer periods of time if they're listed in a DNSRBL. (useful for DNSRBLs with too many FPs to use as outright blacklists).

My current setup is more-or-less:

whitelist
whitelist
greylist spamhaus SBL, 15mins
greylist spamhaus XBL, 1hr
greylist SORBS-WEB, 1hr
greylist SORBS-DUL, 1hr
greylist 1min
greylist 1min
greylist (regex for hosts with no RDNS) 1min
greylist (a few other regexes) 1min
greylist (list of ip's allocated to apnic) 1min
greylist (list of ip's allocated to lacnic) 1min
whitelist default

And that works pretty well. Right now XBL, and more specifically the CBL contributed part of XBL, is taking the lion's share of the hits.

Thus far this week:

Spamhaus SBL 3216
Spamhaus XBL (CBL) 12904
Spamhaus XBL (NJABL) 87
SORBS-WEB 141
SORBS-DUL 4071
delayed 1m (others) 2987
default action: 7217
not delayed and delivered (total, incl whitelists) 10390

>
> I asked our FreeBSD host about it, and they say that they've never used it.
>
> An interesting note - Yahoo has started using greylisting on their email
> accounts.

From gdoris at rogers.com Wed Nov 8 23:44:28 2006
From: gdoris at rogers.com (Gerry Doris)
Date: Wed Nov 8 23:44:51 2006
Subject: mailscanner-mrtg graph labels
In-Reply-To: <45509A4E.7090303@USherbrooke.ca>
References: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca> <45509A4E.7090303@USherbrooke.ca>
Message-ID:

On Tue, 7 Nov 2006, Denis Beauchemin wrote:

> Gerry Doris wrote:
>> I upgraded my system from Fedora Core 4 to 6 last weekend. Surprisingly it
>> went quite well. I thought everything was working properly until I noticed
>> that two of the mailscanner-mrtg graphs have their labels messed up. The
>> data looks correct.
>>
>> The two messed up graphs are Mail Transferred and Memory. It is the top
>> level as well as the detail graphs. The vertical legend for each is
>> showing the number scale followed by the letters M,G,T,P spread out into
>> the graph area for each number.
>>
>> This has been working perfectly for ages...I think? Has anyone else
>> noticed this? I'm using 0.10.00. I upgraded to the unstable version 11
>> but it didn't make a difference.
> Gerry,
>
> This looks more like an MRTG problem than a MailScanner-MRTG one because the
> 2 graphs that you are having problems with come from different sources: your
> log files for MTA and SNMP for memory.
>
> Are you sure you didn't mess up the /etc/mrtg/mailscanner-mrtg.cfg file for
> these 2 graphs? This is what I have for the MTA:
> YLegend[mailbytes]: Bytes
> ShortLegend[mailbytes]: bytes&nbsp;&nbsp;&nbsp;&nbsp;
> Legend1[mailbytes]: Average Bytes
> Legend2[mailbytes]:
> Legend3[mailbytes]: Maximum Bytes
> Legend4[mailbytes]:
> LegendI[mailbytes]: :
> LegendO[mailbytes]:
> kilo[mailbytes]: 1024
> kMG[mailbytes]: k,M,G,T,P
>
> If all is OK, then maybe something changed in FC6 and the last 2 lines (kilo
> and kMG) are not having the same effect as they did before.
>
> Denis

I think something changed in FC6. My config file matches yours.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From taz at taz-mania.com Wed Nov 8 23:54:42 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Wed Nov 8 23:54:46 2006
Subject: Notify Senders question
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>
Message-ID:

I would think that you would want to notify the recipient. If you had a user that sent a virus and didn't know it... then if neither the sender or recipient was informed, neither would know the email never arrived, or was stripped of an attachment. On an incoming email since so many of the from addresses of Spam and/or virus senders are bogus, you wouldn't want to notify the sender as that would be as bad as Spamming them. However, for those that come from real senders to your real users, you would want them to know someone is trying to send them something, but it's not getting through instead of it just disappearing (wouldn't you?).

My configuration uses a set of receiving hubs that then forward to the real mail servers, and a different out-going set of servers (smart hosts). I have different rules for each. On the incoming it only notifies the recipients and on the outgoing it notifies the senders too (which are all only internal senders). A sender also cannot spoof their outgoing address because even for local outgoing they must login using SMTP auth and the outgoing server only accepts from our domain, any from that is not our domain is rejected. Also no direct port 25 access is allowed to/from the outside world.

On Tue, 7 Nov 2006 17:28:35 -0800 "Jason Williams" wrote:
>Something that is odd right now.
>
>I have setup MS to NOT notify any senders if they send a virus,
>blocked
>files, blocked content, basically everything.
>
>In a quick test, I sent it from my account to a outside account and
>noticed that it did not notify me (the sender) which is great.
>However,
>it notified the recipient.
>
>Is there a way to disable that?
>Or is that built in and should it be that way?
>
>-Thanks
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>

--------------------------------------------------
Dennis Willson
taz@taz-mania.com
http://www.taz-mania.com
Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender
Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!"
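
Added example, not part of any poster's message: a check for the mistake diagnosed in the "MailScanner users using latest Postfix" thread earlier in this archive, where Incoming Work Dir pointed into the Postfix spool and showq then warned about PID-named directories. The settings and log lines are the ones quoted in that thread; the function names and the assumption that the Postfix spool root is /var/spool/postfix are mine.

```python
import posixpath
import re

# Assumption: Postfix spool root, taken from the paths quoted in the thread.
POSTFIX_SPOOL = "/var/spool/postfix"

SETTING_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")
SHOWQ_RE = re.compile(
    r"postfix/showq\[\d+\]: warning: (?P<queue>[^/\s]+)/(?P<name>[^:\s]+): "
    r"uid \d+: not a regular file"
)

# Settings as posted in the thread, with Incoming Work Dir at the value that
# was tried second (the Postfix "incoming" queue).
CONF_FROM_THREAD = """\
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
"""

# Two of the maillog lines quoted in the thread.
LOG_FROM_THREAD = """\
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9317: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9352: uid 125: not a regular file
"""


def parse_conf(text):
    """Return {lower-cased setting name: value} for 'Name = value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def is_within(path, parent):
    """True if path is parent itself or lies below it (pure string check)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def work_dir_problems(settings, spool=POSTFIX_SPOOL):
    """List the ways Incoming Work Dir collides with Postfix-owned directories."""
    work = settings.get("incoming work dir")
    if not work:
        return ["Incoming Work Dir is not set"]
    problems = []
    for key in ("incoming queue dir", "outgoing queue dir"):
        queue = settings.get(key)
        if queue and (is_within(work, queue) or is_within(queue, work)):
            problems.append(f"Incoming Work Dir {work} overlaps {key.title()} {queue}")
    if is_within(work, spool):
        problems.append(f"Incoming Work Dir {work} is inside the Postfix spool {spool}")
    return problems


def pid_dirs_in_queue(log_text, settings, spool=POSTFIX_SPOOL):
    """Entries showq rejected that are all-digit names inside the work dir,
    i.e. the per-child PID subdirectories described in the thread."""
    work = settings.get("incoming work dir", "")
    hits = []
    for match in SHOWQ_RE.finditer(log_text):
        queue_path = posixpath.join(spool, match.group("queue"))
        if work and match.group("name").isdigit() and is_within(queue_path, work):
            hits.append(posixpath.join(queue_path, match.group("name")))
    return hits


if __name__ == "__main__":
    conf = parse_conf(CONF_FROM_THREAD)
    for problem in work_dir_problems(conf):
        print("PROBLEM:", problem)
    for path in pid_dirs_in_queue(LOG_FROM_THREAD, conf):
        print("showq warning explained by work dir:", path)
```

With the value suggested at the end of that thread, /var/spool/mailscanner/work, work_dir_problems returns an empty list.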

From mkettler at evi-inc.com Thu Nov 9 00:13:18 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 9 00:13:27 2006
Subject: Mailscanner UDP connections
In-Reply-To: <1098353490jeremy.henty@nec.ac.uk>
References: <1098353490jeremy.henty@nec.ac.uk>
Message-ID: <4552729E.90808@evi-inc.com>

Jeremy Henty wrote:
> Running lsof on a Mailscanner box (an ancient RH7) I see every few seconds a batch
> of entries like this:
>
> MailScann 19062 postfix 7u IPv4 22883898 UDP *:58004
> MailScann 19062 postfix 9u IPv4 22883899 UDP *:58005
> MailScann 19062 postfix 10u IPv4 22883900 UDP *:58006
> MailScann 19062 postfix 11u IPv4 22883901 UDP *:58007
> MailScann 19062 postfix 12u IPv4 22883902 UDP *:58008
> MailScann 19062 postfix 13u IPv4 22883903 UDP *:58009
> MailScann 19062 postfix 14u IPv4 22883904 UDP *:58010
> MailScann 19062 postfix 15u IPv4 22883905 UDP *:58011
> MailScann 19062 postfix 16u IPv4 22883906 UDP *:58012
> MailScann 19062 postfix 17u IPv4 22883907 UDP *:58013
>
> What is Mailscanner doing that requires these connections? RBL checks?

Possibly.. Also, Since MailScanner loads SpamAssassin.pm as a part of itself, any network activity caused by SA tests could be attributed to MailScanner. This could be SA's DNS tests, or DCC.

Really, without the port number for the foreign address, it's hard to guess what its doing.

>
> Regards,
>
> Jeremy Henty
>
>
>

From mkettler at evi-inc.com Thu Nov 9 00:17:18 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 9 00:17:26 2006
Subject: Mailscanner UDP connections
In-Reply-To: <1098353490jeremy.henty@nec.ac.uk>
References: <1098353490jeremy.henty@nec.ac.uk>
Message-ID: <4552738E.1030700@evi-inc.com>

Jeremy Henty wrote:
> Running lsof on a Mailscanner box (an ancient RH7) I see every few seconds a batch
> of entries like this:
>
> MailScann 19062 postfix 7u IPv4 22883898 UDP *:58004

For what it's worth, I use MailScanner with no RBLs at the MS level, only in SA.

I run a local DNS server, and I periodically see this in netstat -anp:

udp 8736 0 127.0.0.1:33867 127.0.0.1:53 ESTABLISHED 18169/MailScanner:

which is the MailScanner process connecting to the local DNS server, presumably for SA RBL lookups.

From vaibhav at ozdocs.net.au Thu Nov 9 00:55:16 2006
From: vaibhav at ozdocs.net.au (Vaibhav Pandey)
Date: Thu Nov 9 00:55:25 2006
Subject: SeLinux Issue with SpamAssassin.cache.db
Message-ID: <200611091155.AA309002912@mail.ozdocs.net.au>

Dear All,

I installed MailScanner 4.57 with ClamAv and SpamAssassin 3.1. All working fine without any problem. But my SpamAssassin.cache.db is not caching anything, hence I am still getting spam. In my /var/log/messages I am getting the following line each time when MailScanner is trying to add something to cache.db. Please help me.

Nov 9 04:27:24 mgate kernel: audit(1163006844.338:6247): avc: denied { read write } for pid=15114 comm="su" name="SpamAssassin.cache.db" dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=file

Here mgate: is name of the Host

With best regards,
Webb.

From azher at niit.edu.pk Thu Nov 9 01:52:26 2006
From: azher at niit.edu.pk (Azher Amin)
Date: Thu Nov 9 01:52:49 2006
Subject: FuzzyOCR
Message-ID: <455289DA.6070500@niit.edu.pk>

Hi,

I am using MailScanner on Debian and its working fine. To test the image spams i installed the FuzzyOCR and the related packages as listed on the mailscanner wiki. However I just received an email with image which can be seen here : http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB in size. I then added the words from this image to /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again tried sending to another local account, but the image slipped again.

Can some one plz guide why MailScanner missed the attachment and how i can tweak to catch images like above.

Regards
Azher Amin

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From csweeney at osubucks.org Thu Nov 9 01:59:15 2006
From: csweeney at osubucks.org (Chris Sweeney)
Date: Thu Nov 9 01:59:26 2006
Subject: FuzzyOCR
In-Reply-To: <455289DA.6070500@niit.edu.pk>
References: <455289DA.6070500@niit.edu.pk>
Message-ID: <45528B73.4030209@osubucks.org>

You might want to post this in the FuzzyOCR mailing list. This isn't really a function of MailScanner FuzzyOCR is a SpamAssassin tool.

Did you run spamassassin -x -D --lint ? Does it show that its picking up the FuzzyOCR plugin?

Azher Amin wrote:
> Hi,
>
> I am using MailScanner on Debian and its working fine. To test the
> image spams i installed the FuzzyOCR and the related packages as
> listed on the mailscanner wiki. However I just received an email with
> image which can be seen here :
> http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB in size. I
> then added the words from this image to
> /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again
> tried sending to another local account, but the image slipped again.
>
> Can some one plz guide why MailScanner missed the attachment and how i
> can tweak to catch images like above.
>
> Regards
> Azher Amin
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5188 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061108/39fdd07a/smime.bin

From azher at niit.edu.pk Thu Nov 9 02:23:30 2006
From: azher at niit.edu.pk (Azher Amin)
Date: Thu Nov 9 02:23:54 2006
Subject: FuzzyOCR
In-Reply-To: <45528B73.4030209@osubucks.org>
References: <455289DA.6070500@niit.edu.pk> <45528B73.4030209@osubucks.org>
Message-ID: <45529122.2030002@niit.edu.pk>

Sure I will email on FuzzyOCR list.
SpamAssassin is picking the plugin :

Output from spamassassin -x -D --lint:

[26334] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf

[26888] dbg: plugin: fixed relative path: /etc/mail/spamassassin/FuzzyOcr.pm
[26888] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm
[26888] dbg: plugin: registered FuzzyOcr=HASH(0x881bcf8)
[26888] dbg: plugin: FuzzyOcr=HASH(0x881bcf8) implements 'parse_config'

Regards
Azher

Chris Sweeney wrote:
> You might want to post this in the FuzzyOCR mailing list. This isn't
> really a function of MailScanner FuzzyOCR is a SpamAssassin tool.
>
> Did you run spamassassin -x -D --lint ? Does it show that its picking
> up the FuzzyOCR plugin?
>
> Azher Amin wrote:
>
>> Hi,
>>
>> I am using MailScanner on Debian and its working fine. To test the
>> image spams i installed the FuzzyOCR and the related packages as
>> listed on the mailscanner wiki. However I just received an email with
>> image which can be seen here :
>> http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB in size. I
>> then added the words from this image to
>> /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again
>> tried sending to another local account, but the image slipped again.
>>
>> Can some one plz guide why MailScanner missed the attachment and how i
>> can tweak to catch images like above.
>>
>> Regards
>> Azher Amin
>>
>>
>>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From csweeney at osubucks.org Thu Nov 9 02:30:58 2006
From: csweeney at osubucks.org (Chris Sweeney)
Date: Thu Nov 9 02:31:09 2006
Subject: FuzzyOCR
In-Reply-To: <45529122.2030002@niit.edu.pk>
References: <455289DA.6070500@niit.edu.pk> <45528B73.4030209@osubucks.org> <45529122.2030002@niit.edu.pk>
Message-ID: <455292E2.4040204@osubucks.org>

Well sorry I can't help more I'm new with FuzzyOCR myself only been using it for 2 weeks now, one week on a test machine and one in production now.
It's been a wonderful tool. It's been catching so much I'd say 99% of that dang image SPAM. It's far from perfect and I know from the mailing list it will always need tweaked, but so far so good.

Azher Amin wrote:
> Sure I will email on FuzzyOCR list. SpamAssassin is picking the plugin :
>
> Output from spamassassin -x -D --lint:
>
> [26334] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf
>
> [26888] dbg: plugin: fixed relative path:
> /etc/mail/spamassassin/FuzzyOcr.pm
> [26888] dbg: plugin: loading FuzzyOcr from
> /etc/mail/spamassassin/FuzzyOcr.pm
> [26888] dbg: plugin: registered FuzzyOcr=HASH(0x881bcf8)
> [26888] dbg: plugin: FuzzyOcr=HASH(0x881bcf8) implements 'parse_config'
>
> Regards
> Azher
>
>
> Chris Sweeney wrote:
>> You might want to post this in the FuzzyOCR mailing list. This isn't
>> really a function of MailScanner FuzzyOCR is a SpamAssassin tool.
>>
>> Did you run spamassassin -x -D --lint ? Does it show that its picking
>> up the FuzzyOCR plugin?
>>
>> Azher Amin wrote:
>>
>>> Hi,
>>>
>>> I am using MailScanner on Debian and its working fine. To test the
>>> image spams i installed the FuzzyOCR and the related packages as
>>> listed on the mailscanner wiki. However I just received an email with
>>> image which can be seen here :
>>> http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB in size. I
>>> then added the words from this image to
>>> /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again
>>> tried sending to another local account, but the image slipped again.
>>>
>>> Can some one plz guide why MailScanner missed the attachment and how i
>>> can tweak to catch images like above.
>>>
>>> Regards
>>> Azher Amin
>>>
>>>
>>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5188 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061108/3cedffcd/smime.bin

From ajos1 at onion.demon.co.uk Thu Nov 9 02:54:54 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Thu Nov 9 02:55:00 2006
Subject: FuzzyOCR
Message-ID:

-

Same as Sweeny... I have only recently installed it... and not managed to test or tweak it...

You will get a basic idea of what is being found by doing:

gocr pict63.gif

Some words are very clear... others not so clear... lots of "r"s being interpreted as "c"...

I will do some testing for you later on...

-----Original Message-----
From: MailScanner discussion
References:
Message-ID: <4552A12B.7050508@niit.edu.pk>

Interesting, the output is below. After this I added one of the words 'Ejaculate' in the /etc/mail/spamassassin/FuzzyOcr.words, but even then mailscanner is not recognizing it ..... is there any way that i can check whether the SpamAssassin is really using the FuzzyOCR ?? coz i doubt that SpamAssassin is not using the FuzzyOCR plugin.

Regards
Azher Amin

ns3:/opt/MailScanner/etc# gocr /home/azher/pict63.gif
_ _ Elevate sex drive to ne w levels - pe_orm I_ke a profess_onal w_th your pa _ner, She'IIloveyournewfoundsexdr_ve! _ Maintainerectionsforlonqerperiods-penetrateyourpa_nerforhoursonend! _ Raise ejaculation volu m e - Ejaculate I_ke a Pornstar_n enorm ous quant_t_es! _ Help users realize a ne w deqree of sexual confidence and control-reaI_ze total and absolutepoweranddom_nat_on_nbed w_thyourpa_ner,w_thyournew-found Den_ss_zeandsexuaIDe_ormance! Name PatcheS Reqular Now Steel p ac _ 10 patc he 8 S_9.95 _49.95 Fcee shipping Sil _ r p ac _ 25 patc he 8 S129.95 _99.95 Fcee shipping 8n d hld pac _ 40 patche8 S189.95 _l49.95 execcise _8nu8l Platin _ p ac _ 65 patc he g S259.95 _l99.95 inClUded

ajos1@onion.demon.co.uk wrote:
> -
>
> Same as Sweeny... I have only recently installed it... and not managed to test or tweak it...
>
> You will get a basic idea of what is being found by doing:
>
> gocr pict63.gif
>
> Some words are very clear... others not so clear... lots of "r"s being interpreted as "c"...
>
> I will do some testing for you later on...
>
>
> -----Original Message-----
> From: MailScanner discussion Subj: FuzzyOCR
> Date: Wed, 08 Nov 2006 17:52:26 -0800
>
> Hi,
>
> I am using MailScanner on Debian and it's working fine. To test the image
> spams i installed the FuzzyOCR and the related packages as listed on the
> mailscanner wiki. However I just received an email with image which can
> be seen here : http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB
> in size. I then added the words from this image to
> /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again
> tried sending to another local account, but the image slipped again.
>
> Can some one plz guide why MailScanner missed the attachment and how i
> can tweak to catch images like above.
>
> Regards
> Azher Amin
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From a.peacock at chime.ucl.ac.uk Thu Nov 9 08:44:23 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Thu Nov 9 08:45:04 2006
Subject: FuzzyOCR
In-Reply-To: <4552A12B.7050508@niit.edu.pk>
References: <4552A12B.7050508@niit.edu.pk>
Message-ID: <4552EA67.9060305@chime.ucl.ac.uk>

Hi,

Azher Amin wrote:
> Interesting, the output is below. After this I added one of the words
> 'Ejaculate' in the /etc/mail/spamassassin/FuzzyOcr.words, but even then
> mailscanner is not recognizing it ..... is there any way that i can
> check whether the SpamAssassin is really using the FuzzyOCR ?? coz i
> doubt that SpamAssassin is not using the FuzzyOCR plugin.
>
To test SpamAssassin save the complete email (not just the image) to a text file and run it through SpamAssassin in test mode.
spamassassin -t < email.txt

This will show the tests that hit on the email. To get a fuller output use debug mode:

spamassassin -t -D < email.txt

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw

From glenn.steen at gmail.com Thu Nov 9 09:51:43 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 09:51:47 2006
Subject: Is razor working?
In-Reply-To:
References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com>
Message-ID: <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com>

On 08/11/06, Douglas Ward wrote:
> Lines referencing razor:
>
> [24295] dbg: diag: module installed: Razor2::Client::Agent,
> [24295] dbg: plugin: loading
> Mail::SpamAssassin::Plugin::Razor2 from @INC
> [24295] dbg: razor2: local tests only, skipping Razor
> version 2.82
> [24295] dbg: config: read file
> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
>
> I did not have any warnings during the lint test.
>
That version of SA will only load the module(s) and test for syntax errors, not actually try to perform any network tests.

Save a complete message (headers and body) to a file and run it through like this

spamassassin -t < /path/to/message/file

or

spamassassin -t -D < /path/to/message/file

for more details.
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 9 10:19:30 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 10:19:33 2006
Subject: disabling Spam Check for sender reports
In-Reply-To: <20061108160109.hoo4vfkgw0cswg08@mail.jasper.k12.ga.us>
References: <20061108160109.hoo4vfkgw0cswg08@mail.jasper.k12.ga.us>
Message-ID: <223f97700611090219i3de3a2fev8a1a1bd960f2ad21@mail.gmail.com>

On 08/11/06, Jason Kau wrote:
> I apologize if this question has been asked before.
>
> I can't figure how to keep sender reports (i.e. Sender Content Report,
> Sender Bad Filename Report, etc.) generated by MailScanner being Spam
> Checked. How do define a ruleset for "Spam Checks = " that excludes
> the sender reports given the envelope is not set in the sender report?
> For example, the headers of a sender report look like:
>
> ================================
> Return-Path: <>
> X-Original-To: astokes@jasper.k12.ga.us
> Delivered-To: astokes@jasper.k12.ga.us
> Received: by puma.jasper.k12.ga.us (Postfix, from userid 89)
> id 4073413405B; Tue, 7 Nov 2006 10:58:10 -0500 (EST)
> From: "Jasper MailScanner"
> To: astokes@jasper.k12.ga.us
> Subject: Warning: Attachment stripped from email
> Message-Id: <20061107155810.4073413405B@puma.jasper.k12.ga.us>
> Date: Tue, 7 Nov 2006 10:58:10 -0500 (EST)
> X-Jasper-County-Schools-MailScanner-Information: MailScanner+McAfee+ClamAV
> X-Jasper-County-Schools-MailScanner: Found to be clean
> X-Jasper-County-Schools-MailScanner-SpamCheck: not spam,
> SpamAssassin (not cached, score=0.9, required 5, BAYES_00 -2.60,
> NO_RELAYS -0.00, VIRUS_WARNING62 3.50)
> X-Jasper-County-Schools-MailScanner-From:
> X-Spam-Status: No
> ================================
>
> This does not appear to match on "From: postmaster@jasper.k12.ga.us".
>
> Thank you for your help.
>
Likely the sender is the "empty sender" <> (as per RFC).
And you should definitely not try and whitelist that. Indeed, you shouldn't whitelist using addresses alone, at all, period. They would be far too easy to forge. Use the IP address of the sending server instead.

Now, why do you _need_ these to be whitelisted?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 9 10:33:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 10:33:30 2006
Subject: Notify Senders question
In-Reply-To:
References: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>
Message-ID: <223f97700611090233y39ac7680mb0651b4a51f77078@mail.gmail.com>

On 09/11/06, Dennis Willson wrote:
> I would think that you would want to notify the recipient.
> If you had a user that sent a virus and didn't know it... then if
> neither the sender or recipient was informed, neither would know the
> email never arrived, or was stripped of an attachment.

Er, well... that is entirely *policy*, not technology:-). Depending on your setup and "local rules"... your assumptions might not hold true Dennis. And then there is the argument that a notification might be as irritating as any spam... Exactly as you go on...:-).

> On an incoming email since so many of the from addresses of Spam
> and/or virus senders are bogus, you wouldn't want to notify the sender
> as that would be as bad as Spamming them. However, for those that come
> from real senders to your real users, you would want them to know
> someone is trying to send them something, but it's not getting through
> instead of it just disappearing (wouldn't you?).

Well, for certain setups (at least!) they would _never_ really just disappear... They would end up in quarantine and/or logged as stripped... Possibly combined with a quarantine report. So again, that would all depend:-).
> My configuration uses a set of receiving hubs that then forward to the
> real mail servers, and a different out-going set of servers (smart
> hosts). I have different rules for each. On the incoming it only
> notifies the recipients and on the outgoing it notifies the senders
> too (which are all only internal senders) A sender also cannot spoof
> their outgoing address because even for local outgoing they must login
> using SMTP auth and the outgoing server only accepts from our domain,
> any from that is not our domain is rejected. Also no direct port 25
> access is allowed to/from the outside world.

Sounds like a nice setup, probably fitting your policy well;-). Mine looks quite different (I won't bore you with the details... again:-), and fit my requirements/policy equally well... Without almost any notifications at all.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 9 10:41:08 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 10:41:11 2006
Subject: SeLinux Issue with SpamAssassin.cache.db
In-Reply-To: <200611091155.AA309002912@mail.ozdocs.net.au>
References: <200611091155.AA309002912@mail.ozdocs.net.au>
Message-ID: <223f97700611090241s12ac353cy6462a26f643a5699@mail.gmail.com>

On 09/11/06, Vaibhav Pandey wrote:
> Dear All,
> I installed MailScanner 4.57 with ClamAv and SpamAssassin 3.1. All working fine without any problem.
>
> But my SpamAssassin.cache.db not caching anything hence I am still getting spam.
>
> in my /var/log/messages I am getting the following line each time when MailScanner is trying to add something to cache.db. Please help me.
>
>
> Nov 9 04:27:24 mgate kernel: audit(1163006844.338:6247): avc: denied { read write } for pid=15114 comm="su" name="SpamAssassin.cache.db" dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=file
>
>
> Here mgate: is name of the Host
>
Might be a permission problem. Have you tried stopping MailScanner, removing the SQLite file and starting MailScanner again (thus creating a new cache file, possibly with another owner)? What permissions do you have on it? Can the user you run your MTA/MailScanner as read/write it?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hans at enem.nl Thu Nov 9 12:26:47 2006
From: hans at enem.nl (Hans Melgers)
Date: Thu Nov 9 12:27:06 2006
Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently?
Message-ID: <45531E87.3090904@enem.nl>

Hi list,

I'm running MS for years now, ever running flawless on freebsd. Now I'm updating (from ports) to 4.55.10 on freebsd 6.2 pre and see something strange.
I'm using the sendmail2 with ms2cgp script to put MS output in my Communigate submitted queue:

Sendmail2 = /usr/local/etc/ms2cgp2

However it seems MS is not providing the job number like it used to:

Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock subroutine for freebsd (BSD-type)
Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, 622 bytes
Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string notspam in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 (hans@fb1.enem.nl) is whitelisted
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string mailscanner in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string unreadablearchive in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string passwordedarchive in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Virus and Content Scanning: Starting
Nov 9 13:11:34 fb1 MailScanner[51430]: Uninfected: Delivered 1 messages
Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp
^^ no jobnumber
Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf failed, dying
^^ no jobnumber

The ms2cgp script is unchanged, qf and df files are there.

Anybody knows what's going on, hopefully a workaround ?

Thanks,
Hans

From glenn.steen at gmail.com Thu Nov 9 12:53:03 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 12:53:06 2006
Subject: Is razor working?
In-Reply-To: <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com>
References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com>
Message-ID: <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com>

On 09/11/06, Glenn Steen wrote:
(snip)
> That version of SA will only load the module(s) and test for syntax
> errors, not actually try to perform any network tests.

.... for the --lint option, of course.

Jeez, when will I learn to proofread _beforehand_. Sigh.

--
-- Glenn (a.k.a. Le Grand Typo)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From drolland at kdinet.com Thu Nov 9 12:59:11 2006
From: drolland at kdinet.com (Diane Rolland)
Date: Thu Nov 9 13:00:24 2006
Subject: OT: archive mail functionality for windows?
Message-ID: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local>

Hi all,

We have a custom application that utilizes the archive mail function in MailScanner. Basically any email sent to a particular address is archived in MailScanner. The application then processes the email messages in the Archive directory and integrates them into the application. It also handles the file attachments.

Now, our issue is needing to port this application to Windows. I am not at all familiar with any options that might be available to do this. If someone might have some suggestions, please let me know.

Thank you for your time,
Diane
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061109/817559e5/attachment.html

From martinh at solidstatelogic.com Thu Nov 9 13:05:02 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Thu Nov 9 13:05:09 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local>
References: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local>
Message-ID: <4553277E.9000203@solidstatelogic.com>

Diane Rolland wrote:
> Hi all,
>
> We have a custom application that utilizes the archive mail function in
> MailScanner. Basically any email sent to a particular address is
> archived in MailScanner. The application then processes the email
> messages in the Archive directory and integrates them into the
> application. It also handles the file attachments.
>
> Now, our issue is needing to port this application to Windows. I am not
> at all familiar with any options that might be available to do this. If
> someone might have some suggestions, please let me know.
>
> Thank you for your time,
> Diane
>
Diane

what's the application written in? perl, C ..???

besides 'archiving' the email somewhere else, what else does it do. If it needs to be accessed via windows then why not write a html interface to it then it's available on most platforms.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From dhawal at netmagicsolutions.com Thu Nov 9 13:16:26 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Thu Nov 9 13:16:48 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local>
References: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local>
Message-ID: <45532A2A.1090801@netmagicsolutions.com>

Diane Rolland wrote:
> Hi all,
>
> We have a custom application that utilizes the archive mail function in
> MailScanner. Basically any email sent to a particular address is
> archived in MailScanner. The application then processes the email
> messages in the Archive directory and integrates them into the
> application. It also handles the file attachments.
>
> Now, our issue is needing to port this application to Windows. I am not
> at all familiar with any options that might be available to do this. If
> someone might have some suggestions, please let me know.

Windows? Assuming MS Exchange. Not porting but a new application.. have you seen http://www.mailarchiva.com/, they have a GPL product for exchange.

- dhawal

From drolland at kdinet.com Thu Nov 9 13:16:45 2006
From: drolland at kdinet.com (Diane Rolland)
Date: Thu Nov 9 13:17:57 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <4553277E.9000203@solidstatelogic.com>
Message-ID: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local>

Martin Hepworth wrote:
> Diane Rolland wrote:
>> Hi all,
>>
>> We have a custom application that utilizes the archive mail function
>> in MailScanner. Basically any email sent to a particular address is
>> archived in MailScanner. The application then processes the email
>> messages in the Archive directory and integrates them into the
>> application. It also handles the file attachments.
>>
>> Now, our issue is needing to port this application to Windows. I am
>> not at all familiar with any options that might be available to do
>> this. If someone might have some suggestions, please let me know.
>>
>> Thank you for your time,
>> Diane
>>
> Diane
>
> what's the application written in? perl, C ..???

The application is in php/mysql.

>
> besides 'archiving' the email somewhere else, what else does it do.
> If it needs to be accessed via windows then why not write a html
> interface to it then it's available on most platforms.

The archive is just a temporary holding place so that the php application can parse the raw email files in the archive directory. It can take attached documents and then make them available to the web based php/mysql application. The attached documents are not available outside the application (i.e. you cannot browse to them on a file share).

>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************

Thanks again,
Diane

From martinh at solidstatelogic.com Thu Nov 9 13:30:46 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Thu Nov 9 13:36:00 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local>
References: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local>
Message-ID: <45532D86.1000207@solidstatelogic.com>

Diane Rolland wrote:
> Martin Hepworth wrote:
>> Diane Rolland wrote:
>>> Hi all,
>>>
>>> We have a custom application that utilizes the archive mail function
>>> in MailScanner. Basically any email sent to a particular address is
>>> archived in MailScanner. The application then processes the email
>>> messages in the Archive directory and integrates them into the
>>> application. It also handles the file attachments.
>>>
>>> Now, our issue is needing to port this application to Windows. I am
>>> not at all familiar with any options that might be available to do
>>> this. If someone might have some suggestions, please let me know.
>>>
>>> Thank you for your time,
>>> Diane
>>>
>> Diane
>>
>> what's the application written in? perl, C ..???
>
> The application is in php/mysql.
>
>> besides 'archiving' the email somewhere else, what else does it do.
>> If it needs to be accessed via windows then why not write a html
>> interface to it then it's available on most platforms.
>
> The archive is just a temporary holding place so that the php application
> can parse the raw email files in the archive directory. It can take
> attached documents and then make them available to the web based php/mysql
> application. The attached documents are not available outside the
> application (i.e. you cannot browse to them on a file share).
>
>> --
>> Martin Hepworth
>> Senior Systems Administrator
>> Solid State Logic
>> Tel: +44 (0)1865 842300
>>
So why port this to Windows??? you can access the data from Windows, or are you referring to emails that don't pass through mailScanner at any stage.

perhaps you could be a little more specific about what you want the app to do, that it doesn't do now.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From a.peacock at chime.ucl.ac.uk Thu Nov 9 13:39:53 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Thu Nov 9 13:40:24 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local>
References: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local>
Message-ID: <45532FA9.4050401@chime.ucl.ac.uk>

Diane Rolland wrote:
> Martin Hepworth wrote:
>> Diane Rolland wrote:
>>> Hi all,
>>>
>>> We have a custom application that utilizes the archive mail function
>>> in MailScanner. Basically any email sent to a particular address is
>>> archived in MailScanner. The application then processes the email
>>> messages in the Archive directory and integrates them into the
>>> application. It also handles the file attachments.
>>>
>>> Now, our issue is needing to port this application to Windows. I am
>>> not at all familiar with any options that might be available to do
>>> this. If someone might have some suggestions, please let me know.
>>>
>>> Thank you for your time,
>>> Diane
>>>
>> Diane
>>
>> what's the application written in? perl, C ..???
>
> The application is in php/mysql.
>
>> besides 'archiving' the email somewhere else, what else does it do.
>> If it needs to be accessed via windows then why not write a html
>> interface to it then it's available on most platforms.
>
> The archive is just a temporary holding place so that the php application
> can parse the raw email files in the archive directory. It can take
> attached documents and then make them available to the web based php/mysql
> application. The attached documents are not available outside the
> application (i.e. you cannot browse to them on a file share).

OK! So my question is what do you mean by 'application'?

Are you referring to the whole infrastructure including MailScanner or are you just talking about your php app?

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple.
But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw

From drolland at kdinet.com Thu Nov 9 13:58:36 2006
From: drolland at kdinet.com (Diane Rolland)
Date: Thu Nov 9 13:59:44 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <45532FA9.4050401@chime.ucl.ac.uk>
Message-ID: <015001c70407$284fd070$9700a8c0@kdinet.local>

Anthony Peacock wrote:
> Diane Rolland wrote:
>> Martin Hepworth wrote:
>>> Diane Rolland wrote:
>>>> Hi all,
>>>>
>>>> We have a custom application that utilizes the archive mail
>>>> function in MailScanner. Basically any email sent to a particular
>>>> address is archived in MailScanner. The application then
>>>> processes the email messages in the Archive directory and
>>>> integrates them into the application. It also handles the file
>>>> attachments.
>>>>
>>>> Now, our issue is needing to port this application to Windows. I
>>>> am not at all familiar with any options that might be available to
>>>> do this. If someone might have some suggestions, please let me
>>>> know.
>>>>
>>>> Thank you for your time,
>>>> Diane
>>>>
>>> Diane
>>>
>>> what's the application written in? perl, C ..???
>>
>> The application is in php/mysql.
>>
>>> besides 'archiving' the email somewhere else, what else does it do.
>>> If it needs to be accessed via windows then why not write a html
>>> interface to it then it's available on most platforms.
>>
>> The archive is just a temporary holding place so that the php
>> application can parse the raw email files in the archive directory.
>> It can take attached documents and then make them available to the
>> web based php/mysql application. The attached documents are not
>> available outside the application (i.e. you cannot browse to them on
>> a file share).
>
> OK! So my question is what do you mean by 'application'?
>
> Are you referring to the whole infrastructure including MailScanner
> or are you just talking about your php app?
>
> --
> Anthony Peacock
> CHIME, Royal Free & University College Medical School
> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
> "If you have an apple and I have an apple and we exchange apples
> then you and I will still each have one apple. But if you have an
> idea and I have an idea and we exchange these ideas, then each of us
> will have two ideas." -- George Bernard Shaw

I suppose my challenge is finding a way to get mail delivered to a filesystem so that the php application can parse the raw mail files. On our Linux platforms we use MailScanner's archive to file functionality to do this.

The php will run on either linux or windows web server, so the need I have is how to get the mail delivered to a file location where it is accessible to the php scripts.

There isn't necessarily an Exchange server in the picture either, so maybe I'm needing to look at some sort of mail server??

From a.peacock at chime.ucl.ac.uk Thu Nov 9 14:04:44 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Thu Nov 9 14:05:15 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <015001c70407$284fd070$9700a8c0@kdinet.local>
References: <015001c70407$284fd070$9700a8c0@kdinet.local>
Message-ID: <4553357C.3010904@chime.ucl.ac.uk>

Hi,

Diane Rolland wrote:
> Anthony Peacock wrote:
>> Diane Rolland wrote:
>>> Martin Hepworth wrote:
>>>> Diane Rolland wrote:
>>>>> Hi all,
>>>>>
>>>>> We have a custom application that utilizes the archive mail
>>>>> function in MailScanner. Basically any email sent to a particular
>>>>> address is archived in MailScanner. The application then
>>>>> processes the email messages in the Archive directory and
>>>>> integrates them into the application. It also handles the file
>>>>> attachments.
>>>>>
>>>>> Now, our issue is needing to port this application to Windows. I
>>>>> am not at all familiar with any options that might be available to
>>>>> do this. If someone might have some suggestions, please let me
>>>>> know.
>>>>>
>>>>> Thank you for your time,
>>>>> Diane
>>>>>
>>>> Diane
>>>>
>>>> what's the application written in? perl, C ..???
>>> The application is in php/mysql.
>>>
>>>> besides 'archiving' the email somewhere else, what else does it do.
>>>> If it needs to be accessed via windows then why not write a html
>>>> interface to it then it's available on most platforms.
>>> The archive is just a temporary holding place so that the php
>>> application can parse the raw email files in the archive directory.
>>> It can take attached documents and then make them available to the
>>> web based php/mysql application. The attached documents are not
>>> available outside the application (i.e. you cannot browse to them on
>>> a file share).
>> OK! So my question is what do you mean by 'application'?
>>
>> Are you referring to the whole infrastructure including MailScanner
>> or are you just talking about your php app?
>
> I suppose my challenge is finding a way to get mail delivered to a
> filesystem so that the php application can parse the raw mail files. On our
> Linux platforms we use MailScanner's archive to file functionality to do
> this.
>
> The php will run on either linux or windows web server, so the need I have
> is how to get the mail delivered to a file location where it is accessible
> to the php scripts.
>
> There isn't necessarily an Exchange server in the picture either, so maybe
> I'm needing to look at some sort of mail server??

Ah! That makes the situation much simpler.

Can't you use something like Samba to make the 'archive' directory on the MailScanner machine available as a Windows share?
--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw

From martinh at solidstatelogic.com Thu Nov 9 14:10:57 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Thu Nov 9 14:11:08 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <015001c70407$284fd070$9700a8c0@kdinet.local>
References: <015001c70407$284fd070$9700a8c0@kdinet.local>
Message-ID: <455336F1.3030509@solidstatelogic.com>

Diane Rolland wrote:
> Anthony Peacock wrote:
>> Diane Rolland wrote:
>>> Martin Hepworth wrote:
>>>> Diane Rolland wrote:
>>>>> Hi all,
>>>>>
>>>>> We have a custom application that utilizes the archive mail
>>>>> function in MailScanner. Basically any email sent to a particular
>>>>> address is archived in MailScanner. The application then
>>>>> processes the email messages in the Archive directory and
>>>>> integrates them into the application. It also handles the file
>>>>> attachments.
>>>>>
>>>>> Now, our issue is needing to port this application to Windows. I
>>>>> am not at all familiar with any options that might be available to
>>>>> do this. If someone might have some suggestions, please let me
>>>>> know.
>>>>>
>>>>> Thank you for your time,
>>>>> Diane
>>>>>
>>>> Diane
>>>>
>>>> what's the application written in? perl, C ..???
>>> The application is in php/mysql.
>>>
>>>> besides 'archiving' the email somewhere else, what else does it do.
>>>> If it needs to be accessed via windows then why not write a html
>>>> interface to it then it's available on most platforms.
>>> The archive is just a temporary holding place so that the php
>>> application can parse the raw email files in the archive directory.
>>> It can take attached documents and them make them available to the >>> web based php/mysql application. The attached documents are not >>> available outside the application (i.e. you cannot browse to them on >>> a file share). >> OK! So my question is what do you mean by 'application'? >> >> Are your referring to the whole infrastructure including MailScanner >> or are you just talking about your php app? >> >> -- >> Anthony Peacock >> CHIME, Royal Free & University College Medical School >> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ >> "If you have an apple and I have an apple and we exchange apples >> then you and I will still each have one apple. But if you have an >> idea and I have an idea and we exchange these ideas, then each of us >> will have two ideas." -- George Bernard Shaw > > I suppose my challenge is finding a way to get mailed delivered to a > filesystem so that the php application can parse the raw mail files. On our > Linux platforms we use MailScanner's archive to file functionality to do > this. > > The php will run on either linux or windows web server, so the need I have > is how to get the mail delivered to a file location where it is accessible > to the php scripts. > > There isn't necessarily an Exchange server in the picture either, so maybe > I'm needing to look at some sort of mail server?? > I'd turn this on the it's head..... Start with a policy descision - mail MUST go through a validated gateway in order to achieve this. MailScanner can be one of the validated gateways. 
Then you need to make sure all your validated gateways dump the archives in a supported format to a supported storage point (remember Windows can do NFS mounts and Linux can mount windows/smb shares)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From drolland at kdinet.com Thu Nov 9 14:27:11 2006
From: drolland at kdinet.com (Diane Rolland)
Date: Thu Nov 9 14:28:28 2006
Subject: OT: archive mail functionality for windows?
In-Reply-To: <4553357C.3010904@chime.ucl.ac.uk>
Message-ID: <015401c7040b$26447340$9700a8c0@kdinet.local>

Anthony Peacock wrote:
> Hi,
>
> Diane Rolland wrote:
>> Anthony Peacock wrote:
>>> Diane Rolland wrote:
>>>> Martin Hepworth wrote:
>>>>> Diane Rolland wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> We have a custom application that utilizes the archive mail
>>>>>> function in MailScanner. Basically any email sent to a
>>>>>> particular address is archived in MailScanner. The application
>>>>>> then processes the email messages in the Archive directory and
>>>>>> integrates them into the application. It also handles the file
>>>>>> attachments.
>>>>>>
>>>>>> Now, our issue is needing to port this application to Windows. I
>>>>>> am not at all familiar with any options that might be available
>>>>>> to do this. If someone might have some suggestions, please let
>>>>>> me know.
>>>>>>
>>>>>> Thank you for your time,
>>>>>> Diane
>>>>>>
>>>>> Diane
>>>>>
>>>>> what's the application written in? perl, C ..???
>>>> The application is in php/mysql. >>>> >>>>> besides 'archiving' the email somewhere else, what else does it >>>>> do. If it needs to be accessed via windows then why not write a >>>>> html interface to it then it's available on most platforms. >>>> The archive is just a temporary holding place so that the php >>>> application can parse the raw email files in the archive directory. >>>> It can take attached documents and them make them available to the >>>> web based php/mysql application. The attached documents are not >>>> available outside the application (i.e. you cannot browse to them >>>> on a file share). >>> OK! So my question is what do you mean by 'application'? >>> >>> Are your referring to the whole infrastructure including MailScanner >>> or are you just talking about your php app? > > >> I suppose my challenge is finding a way to get mailed delivered to a >> filesystem so that the php application can parse the raw mail files. >> On our Linux platforms we use MailScanner's archive to file >> functionality to do this. >> >> The php will run on either linux or windows web server, so the need I >> have is how to get the mail delivered to a file location where it is >> accessible to the php scripts. >> >> There isn't necessarily an Exchange server in the picture either, so >> maybe I'm needing to look at some sort of mail server?? > > Ah! That make the situation much simpler. > > Can't you use something like Samba to make the 'archive' directory on > the MailScanner machine available as a Windows share? > > > > > -- > Anthony Peacock > CHIME, Royal Free & University College Medical School > WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > "If you have an apple and I have an apple and we exchange apples > then you and I will still each have one apple. But if you have an > idea and I have an idea and we exchange these ideas, then each of us > will have two ideas." -- George Bernard Shaw Thanks for all of the feedback/suggestions... 
We deliver this application to various customers some of which refuse to do anything outside of Windows... Therefore, the need for some other solution. I'm looking at some various email servers and hopefully can find something useful.

Life is so much simpler when open minded IT departments are involved :)

From Denis.Beauchemin at USherbrooke.ca Thu Nov 9 14:32:31 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Nov 9 14:32:48 2006
Subject: SeLinux Issue with SpamAssassin.cache.db
In-Reply-To: <200611091155.AA309002912@mail.ozdocs.net.au>
References: <200611091155.AA309002912@mail.ozdocs.net.au>
Message-ID: <45533BFF.2010302@USherbrooke.ca>

Vaibhav Pandey wrote:
> Dear All,
> I installed MailScanner 4.57 with ClamAV and SpamAssassin 3.1. All working fine without any problem.
>
> But my SpamAssassin.cache.db is not caching anything, hence I am still getting spam.
>
> in my /var/log/messages I am getting the following line each time when MailScanner is trying to add something to cache.db. Please help me.
>
>
> Nov 9 04:27:24 mgate kernel: audit(1163006844.338:6247): avc: denied { read write } for pid=15114 comm="su" name="SpamAssassin.cache.db" dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=file
>
>
> Here mgate: is name of the Host
>
> With best regards,
> Webb.
>

I didn't take the time to understand SELinux so I disabled it on all my servers because it caused too much trouble.

To do this edit /etc/selinux/config and change to:
SELINUX=disabled

Then save the file and reboot your server.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From AHKAPLAN at PARTNERS.ORG Thu Nov 9 15:06:33 2006
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Thu Nov 9 15:06:39 2006
Subject: Allowing .bmp and other Graphic Files To Get Through
Message-ID: <9C63A4713C4E3342B90428CE44806A7302679A17@PHSXMB5.partners.org>

Hi there -

The current MailScanner configuration on our server does not allow .bmp and other graphic files to get through to the recipient. I have received requests to be more lenient in this matter. What would be the best configuration setting(s) to implement?

Thanks.

From dward at nccumc.org Thu Nov 9 15:11:04 2006
From: dward at nccumc.org (Douglas Ward)
Date: Thu Nov 9 15:11:07 2006
Subject: Is razor working?
In-Reply-To: <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com>
References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com> <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com>
Message-ID:

Glenn,

Thank you for this advice. I found that the 10 second time out setting was too short for razor to complete properly. Pushing out this timeout setting corrected the issue. Thanks for your help!

Douglas

On 11/9/06, Glenn Steen wrote:
>
> On 09/11/06, Glenn Steen wrote:
> (snip)
> > That version of SA will only load the module(s) and test for syntax
> > errors, not actually try to perform any network tests.
> .... for the --lint option, of course. Jeez, when will I learn to
> proofread _beforehand_. Sigh.
>
> --
> -- Glenn (a.k.a.
Le Grand Typo) > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061109/0fdcf13f/attachment.html From glenn.steen at gmail.com Thu Nov 9 15:16:28 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 15:16:30 2006 Subject: SeLinux Issue with SpamAssassin.cache.db In-Reply-To: <45533BFF.2010302@USherbrooke.ca> References: <200611091155.AA309002912@mail.ozdocs.net.au> <45533BFF.2010302@USherbrooke.ca> Message-ID: <223f97700611090716q6cb4fb69oc68cf9c1c53f64bb@mail.gmail.com> On 09/11/06, Denis Beauchemin wrote: (snip) > > > I didn't take the time to understand SElinux so I disabled it on all my > servers because it caused too much trouble. > > To do this edit /etc/selinux/config and change to: > SELINUX=disabled > > Then save the file and reboot your server. > > Denis How did I miss the subject ....? Probably this darned cold making me even less sharp than usual. Sigh. Denis advice is (of course) the easy way to go. Hands up everyone who have a love-hate relationship with ACLs:-):-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From steve.swaney at fsl.com Thu Nov 9 15:20:22 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Nov 9 15:20:24 2006 Subject: archive mail functionality for windows? 
In-Reply-To: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local> Message-ID: <001701c70412$92ebfc50$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Diane Rolland > Sent: Thursday, November 09, 2006 7:59 AM > To: mailscanner@lists.mailscanner.info > Subject: OT: archive mail functionality for windows? > > Hi all, > > We have a custom application that utilizes the archive mail function in > MailScanner. Basically any email sent to a particular address is archived > in MailScanner. The application then processes the email messages in the > Archive directory and integrates them into the application. It also > handles the file attachments. > > Now, our issue is needing to port this application to Windows. I am not > at all familiar with any options that might be available to do this. If > someone might have some suggestions, please let me know. > > Thank you for your time, > Diane Might not be relevant but take a look at: http://www.mailarchiva.com/ I quote: "Email Archiving for Microsoft Exchange. MailArchiva is a powerful email archiving solution. It is all you need to ensure that your organization's emails are backed up permanently. It automatically retrieves emails from Microsoft Exchange and stores them on multiple hard disks." It's a free application. You pay for support. I've tested and it seems to work as advertised but I don't know how well the free version will scale. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From Kevin_Miller at ci.juneau.ak.us Thu Nov 9 16:34:11 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Nov 9 16:34:22 2006 Subject: SeLinux Issue with SpamAssassin.cache.db In-Reply-To: <223f97700611090716q6cb4fb69oc68cf9c1c53f64bb@mail.gmail.com> Message-ID: Glenn Steen wrote: > Denis advice is (of course) the easy way to go. 
Completely off topic, but one of my favorite quotes (can't remember by whom) was along the lines of "It's always a bad idea to give advice. To give good advice is absolutely fatal." :-) > Hands up everyone who have a love-hate relationship with ACLs:-):-). I'm there... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Kevin_Miller at ci.juneau.ak.us Thu Nov 9 16:46:28 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Nov 9 16:46:32 2006 Subject: Allowing .bmp and other Graphic Files To Get Through In-Reply-To: <9C63A4713C4E3342B90428CE44806A7302679A17@PHSXMB5.partners.org> Message-ID: Depends on how many users you're talking about. If it's just a few, I'd set up whitelists for those select folks. If you're managing multiple domains and dealing with large numbers of people wanting this, it becomes a policy decision and hence, much more political. I try to stay out of politics. In August I asked about allowing filetypes through via white lists. See the archives for August 10, subject "ALLOW FILETYPES in MailScanner.conf". Holler if you can't find it and I'll dig up the details. It was quite easy to set up... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kaplan, Andrew H. Sent: Thursday, November 09, 2006 6:07 AM To: mailscanner@lists.mailscanner.info Subject: Allowing .bmp and other Graphic Files To Get Through Hi there - The current MailScanner configuration on our server does not allow .bmp and other graphic files to get through to the recipient. I have received requests to be more lenient in this matter. 
What would be the best configuration setting(s) to implement?

Thanks.

From joost at waversveld.nl Thu Nov 9 16:50:12 2006
From: joost at waversveld.nl (Joost Waversveld)
Date: Thu Nov 9 16:50:36 2006
Subject: [sendmail] Skipping rbl per domain
Message-ID: <45535C44.708@waversveld.nl>

Hi to all,

I've searched but I could not find a good answer...

We have some mailscanners with a lot of domains pointing to them, which are very busy. At the moment we do not use RBLs through sendmail. We let MailScanner (SpamAssassin) handle those lookups. This way every end user can choose what to do with the SPAM.

To handle the load better we want to enable some RBL-checks through sendmail but we know some customers don't want that, because then we are deciding which mail could be deleted, and which not. If you get what I mean.

Is it possible to enable the RBL-checks in sendmail per domain, so customer1 can use the function(s), but customer2 does not??

Regards,

Joost Waversveld

From mailscanner at PDSCC.COM Thu Nov 9 17:22:38 2006
From: mailscanner at PDSCC.COM (Harondel J. Sibble)
Date: Thu Nov 9 17:22:44 2006
Subject: spam actions doesn't seem to be working right
Message-ID: <200611091722.kA9HMdAB006079@sinclaire.sibble.net>

Okay, running MS 4.49.7-1 on Centos 4.x, also running Mailwatch.

Spam Actions = store forward spambox@domain.tld

Ditto for High Scoring Spam Actions

Early this year in the spring, we replaced the older MS box with this one. Some point since then, there are no messages getting to the spambox account, however the end users are getting the messages tagged as spam by MS/SA which is what I want to avoid.
I'm not sure what I should be looking at to resolve this as I know it worked at one point and going through the notes on changes made to the system, I don't see anything that should be causing this behaviour. -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From steve.freegard at fsl.com Thu Nov 9 18:04:07 2006 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Nov 9 18:04:18 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <45535C44.708@waversveld.nl> References: <45535C44.708@waversveld.nl> Message-ID: <45536D97.2040608@fsl.com> Hi Joost, Joost Waversveld wrote: > Hi to all, > > I've searched but I could not find an good answer... > > We have some mailscanners with a lot of domains pointing to them, which > are very busy. At the moment we do not use RBL's through sendmail. We > let Mailscanner (SpamAssassin) handle those lookups. This way every end > user can choose what to do with the SPAM. > > To handle the load better we want to enable some RBL-checks through > sendmail but we know some customers don't want that, because then we are > deciding which mail could be deleted, and which not. If you get what I > mean. > > Is it possible to enable the RBL-checks in sendmail per domain, so > customer1 can use the function(s), but customer2 does not?? > Have a look at http://www.five-ten-sg.com/dnsbl/ it's a bit bloaty compared to the Snertsoft milters (and it's written in C++), but it does allow you to configure a blacklist policy on a per-domain basis. Hope this helps. Kind regards, Steve. 
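Added example, not part of the thread and not code from the dnsbl milter mentioned above: per-recipient-domain DNSBL policy applied at RCPT time, where the recipient domain first becomes known, so one customer gets MTA-level rejection while another leaves the decision to the content filter. The domain names, the zone `dnsbl.example.net`, the `POLICY` table and the constructed DNS answers are assumptions made for illustration.

```python
import ipaddress
import socket

# Hypothetical policy table: DNSBL zones each recipient domain has opted in to.
POLICY = {
    "customer1.example": ["dnsbl.example.net"],  # wants rejection at the MTA
    "customer2.example": [],                     # opted out; content filter decides
}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def system_resolve(name):
    """Real lookup: the A record as a string, or None on NXDOMAIN or error."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listed(client_ip, zone, resolve):
    """True only when the zone answers inside 127.0.0.0/8 for this client."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return False
    # A wildcarded or expired zone that answers with a public address
    # must not be treated as a listing.
    try:
        return ipaddress.ip_address(answer) in LISTED_RANGE
    except ValueError:
        return False


def rcpt_decision(client_ip, rcpt, resolve=system_resolve, policy=POLICY):
    """Decide for one RCPT TO address; unknown domains get no DNSBL checks."""
    domain = rcpt.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    for zone in policy.get(domain, []):
        if is_listed(client_ip, zone, resolve):
            return ("reject", zone)
    return ("accept", None)


def decide_all(client_ip, recipients, resolve=system_resolve, policy=POLICY):
    """One SMTP transaction with several recipients: each is decided separately."""
    return {r: rcpt_decision(client_ip, r, resolve, policy) for r in recipients}


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "2.0.0.127.dnsbl.example.net": "127.0.0.2",     # conventional test listing
    "9.113.0.203.dnsbl.example.net": "192.0.2.55",  # wildcard answer, not a listing
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    rcpts = ["a@customer1.example", "b@customer2.example"]
    for ip in ("127.0.0.2", "203.0.113.9"):
        print(ip, decide_all(ip, rcpts, fake_resolve))
```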
From glenn.steen at gmail.com Thu Nov 9 19:03:51 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 19:03:56 2006 Subject: spam actions doesn't seem to be working right In-Reply-To: <200611091722.kA9HMdAB006079@sinclaire.sibble.net> References: <200611091722.kA9HMdAB006079@sinclaire.sibble.net> Message-ID: <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com> On 09/11/06, Harondel J. Sibble wrote: > Okay, running MS 4.49.7-1 on Centos 4.x, also running Mailwatch. > > Spam Actions = store forward spambox@domain.tld > > Ditto for High Scoring Spam Actions > > Early this year in the spring, we replaced the older MS box with this one. > Some point since then, there are no messages getting to the spambox account, > however the end users are getting the messages tagged as spam by MS/SA which > is what I want to avoid. > > I'm not sure what I should be looking at to resolve this as I know it worked > at one point and going through the notes on changes made to the system, I > don't see anything that should be causing this behaviour. > Why such an old MailScanner (relatively speaking:)? Updating MailScanner is really well thought out, easy and fast;-). Easy instructions on what to do (backup relevant directories etc) are in the MAQ/wiki. I'm not sure at what version the --lint, --changed and --debug options to the MailScanner command was introduced (all of which could probably help you troubleshoot this to some extent)... If you don't have them, consider an update. There are no obvious syntax errors in the MailScanner.conf? Look for silliness like unmatched quotes etc. The syntax of the file is very forgiving, but one can botch things (read: Been there...:-). 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Thu Nov 9 19:50:31 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Nov 9 19:51:38 2006 Subject: from and to In-Reply-To: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> References: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 03/11/06, Ugo Bellavance wrote: >> Hi, >> >> Sorry if this has been asked in the past, but I couldn't find the >> answers on the wiki or list. >> >> Is it possible to do a ruleset like this? >> >> From: toto@domain.com and To: domain.com yes >> >> Thanks, >> >> Ugo >> > Yep. Don't remember where it is documented (book, example file or > what) but that would definitely work. > I just tested, it doesn't work :( ugo From philippe at beau.nom.fr Thu Nov 9 19:52:50 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Thu Nov 9 19:53:16 2006 Subject: Mailscanner interface Message-ID: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> Hello all, At first, i'm new to this so ... don't kill now, wait 5 minutes if the question already have been asked ... I would like to made interface for Mailscanner. I would like to know if someone like that already exist. The first goal is : - Get list of blocked email in - Get list of quarantine by email (one user can get his email blocked himself) - Get some light stats I know there is some product like Mailwatch or others, but i would like some advice on particulars solutions. I've some preference for the php interface ... 
Best regards Philippe, From ugob at camo-route.com Thu Nov 9 20:05:36 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Nov 9 20:06:00 2006 Subject: Mailscanner interface In-Reply-To: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> Message-ID: Philippe BEAU wrote: > Hello all, > > At first, i'm new to this so ... don't kill now, wait 5 minutes if the > question already have been asked ... > > I would like to made interface for Mailscanner. I would like to know if > someone like that already exist. The first goal is : > > - Get list of blocked email in > - Get list of quarantine by email (one user can get his email blocked > himself) > - Get some light stats > > I know there is some product like Mailwatch or others, but i would like > some advice on particulars solutions. I think you should give a try to MailWatch first, then contribute to the code if you need anything else. BTW, V 2.0 is coming. From john at netdirect.ca Thu Nov 9 20:14:05 2006 From: john at netdirect.ca (John Van Ostrand) Date: Thu Nov 9 20:14:13 2006 Subject: from and to In-Reply-To: References: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> Message-ID: <1163103245.11897.101.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 14:50 -0500, Ugo Bellavance wrote: > >> Is it possible to do a ruleset like this? > >> > >> From: toto@domain.com and To: domain.com yes > >> > > Yep. Don't remember where it is documented (book, example file or > > what) but that would definitely work. If it helps it is documented in /etc/MailScanner/rules/EXAMPLES. -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. 
Unit 12 Waterloo, ON N2L 5C6 map john@netdirect.ca Ph: 519-883-1172 ext.5102 Linux Solutions / IBM Hardware Fx: 519-883-8533 From john at netdirect.ca Thu Nov 9 20:23:19 2006 From: john at netdirect.ca (John Van Ostrand) Date: Thu Nov 9 20:23:32 2006 Subject: Mailscanner interface In-Reply-To: References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> Message-ID: <1163103799.11897.103.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 15:05 -0500, Ugo Bellavance wrote: > I think you should give a try to MailWatch first, then contribute to the > code if you need anything else. BTW, V 2.0 is coming. What's the word on which features are going to be in the 2.0? -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6 john@netdirect.ca ph: 518-883-1172 x5102 Linux Solutions / IBM Hardware fx: 519-883-8533 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061109/75b1a1ba/attachment.bin From jwilliams at courtesymortgage.com Thu Nov 9 20:23:30 2006 From: jwilliams at courtesymortgage.com (Jason Williams) Date: Thu Nov 9 20:23:41 2006 Subject: New SPAM e-mails recently? Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Anyone been getting some new SPAM recently, where it comes in with subjects like: It's Lorenzo :) It's Flavia :) Bunch of names in the subject line. In the body of the message, it is a wide range of things like to buy viagra and cialis. Or a couple today are for buying stock (buy this symbol) etc. Anyone been getting these? Im still getting my SA rules back in order. Wasn't sure if any of these were sneaking through to anyone else. For those that are blocking, what is catching it so I can quickly put it in? 
Thanks,

-Jason

From technician at cenpac.net.nr Thu Nov 9 20:38:08 2006
From: technician at cenpac.net.nr (Jon Leeman)
Date: Thu Nov 9 20:38:10 2006
Subject: New SPAM e-mails recently?
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local>
Message-ID: <455391B0.7000205@cenpac.net.nr>

Jason Williams wrote:
> Anyone been getting some new SPAM recently, where it comes in with
> subjects like:
>
> It's Lorenzo :)
> It's Flavia :)
>
> Bunch of names in the subject line.
>
> In the body of the message, it is a wide range of things like to buy
> viagra and cialis.
> Or a couple today are for buying stock (buy this symbol) etc.
>
> Anyone been getting these? I'm still getting my SA rules back in order.
> Wasn't sure if any of these were sneaking through to anyone else.
> For those that are blocking, what is catching it so I can quickly put it
> in?
>
> Thanks,
>
> -Jason

Yes, I am seeing these and they're currently getting through MS / Postfix. Would also like to know how to drop them - preferably with Postfix. Glenn? :-)

Rgds.,
Jon (Nauru)

From glenn.steen at gmail.com Thu Nov 9 20:42:23 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 20:42:26 2006
Subject: from and to
In-Reply-To:
References: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com>
Message-ID: <223f97700611091242r1f638935qc7081abe4e7f3c09@mail.gmail.com>

On 09/11/06, Ugo Bellavance wrote:
> Glenn Steen wrote:
> > On 03/11/06, Ugo Bellavance wrote:
> >> Hi,
> >>
> >> Sorry if this has been asked in the past, but I couldn't find the
> >> answers on the wiki or list.
> >> > >> Is it possible to do a ruleset like this? > >> > >> From: toto@domain.com and To: domain.com yes > >> > >> Thanks, > >> > >> Ugo > >> > > Yep. Don't remember where it is documented (book, example file or > > what) but that would definitely work. > > > > I just tested, it doesn't work :( > Ok.... What, more precisely did you try, with what input (envelope sender/recipient... etc) and what did or didn't happen? "Didn't work" is such meager stuff to work with:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dave.list at pixelhammer.com Thu Nov 9 20:43:27 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Nov 9 20:43:45 2006 Subject: New SPAM e-mails recently? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: <455392EF.8070803@pixelhammer.com> Jason Williams wrote: > Anyone been getting some new SPAM recently, where it comes in with > subjects like: > > It's Lorenzo :) > It's Flavia :) > > Bunch of names in the subject line. > > In the body of the message, it is a wide range of things like to buy > viagra and cialis. > Or a couple today are for buying stock (buy this symbol) etc. > > Anyone been getting these? Im still getting my SA rules back in order. > Wasn't sure if any of these were sneaking through to anyone else. > For those that are blocking, what is catching it so I can quickly put it > in? We've been seeing them by the thousands here. Score Matching Rule Description 0.00 BAYES_50 Bayesian spam probability is 40 to 60% 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. 1.66 SARE_MLB_Stock1 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. SARE stocks catches them right off. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. 
Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From glenn.steen at gmail.com Thu Nov 9 20:43:44 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 20:43:48 2006 Subject: from and to In-Reply-To: <1163103245.11897.101.camel@venture.office.netdirect.ca> References: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> <1163103245.11897.101.camel@venture.office.netdirect.ca> Message-ID: <223f97700611091243o42bd0b27v4f62fbb5dbbc668@mail.gmail.com> On 09/11/06, John Van Ostrand wrote: > On Thu, 2006-11-09 at 14:50 -0500, Ugo Bellavance wrote: > > >> Is it possible to do a ruleset like this? > > >> > > >> From: toto@domain.com and To: domain.com yes > > >> > > > Yep. Don't remember where it is documented (book, example file or > > > what) but that would definitely work. > > If it helps it is documented in /etc/MailScanner/rules/EXAMPLES. Rulesets are actually documented in all the places I mentioned, I was just being a tad lazy looking it up:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Nov 9 20:55:39 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 20:55:45 2006 Subject: Mailscanner interface In-Reply-To: <1163103799.11897.103.camel@venture.office.netdirect.ca> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> Message-ID: <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> On 09/11/06, John Van Ostrand wrote: > On Thu, 2006-11-09 at 15:05 -0500, Ugo Bellavance wrote: > > I think you should give a try to MailWatch first, then contribute to the > > code if you need anything else. BTW, V 2.0 is coming. > > What's the word on which features are going to be in the 2.0? 
> So far, apart from some quite irritating teasers on the MailWatch list (irritating, since they so far just make you long for 2.0 so much more:-), the MW wiki entry is all we have to go on: http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:v2_ideas ... it has been in the works for quite some time now, and one can hope that the delays are due to Steve wanting to finish all the nice stuff, and perhaps inventing new nice stuff as he goes along... and not due to him lacking the time to finish it because of insignificant things like work, sleep, life (How is marital bliss Steve? Still walking around on little clouds, or have reality asserted itself (with a >THUD<):-)....:-D -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jrudd at ucsc.edu Thu Nov 9 20:59:07 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Nov 9 21:01:11 2006 Subject: New SPAM e-mails recently? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: <4553969B.20802@ucsc.edu> Jason Williams wrote: > Anyone been getting some new SPAM recently, where it comes in with > subjects like: > > It's Lorenzo :) > It's Flavia :) > > Bunch of names in the subject line. > > In the body of the message, it is a wide range of things like to buy > viagra and cialis. > Or a couple today are for buying stock (buy this symbol) etc. > > Anyone been getting these? Im still getting my SA rules back in order. > Wasn't sure if any of these were sneaking through to anyone else. > For those that are blocking, what is catching it so I can quickly put it > in? > I see them in my spam folder... lately, most of my spam gets caught with the RelayChecker plugin I've been writing. I've been talking about it over on the SA list. I'm probably going to make another release for it this weekend. 
John From campbell at cnpapers.com Thu Nov 9 21:00:48 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Nov 9 21:01:25 2006 Subject: New SPAM e-mails recently? References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> <455392EF.8070803@pixelhammer.com> Message-ID: <005d01c70442$21ffe6c0$0705000a@DDF5DW71> ----- Original Message ----- From: "DAve" To: "MailScanner discussion" Sent: Thursday, November 09, 2006 3:43 PM Subject: Re: New SPAM e-mails recently? > Jason Williams wrote: >> Anyone been getting some new SPAM recently, where it comes in with >> subjects like: >> >> It's Lorenzo :) >> It's Flavia :) >> >> Bunch of names in the subject line. >> >> In the body of the message, it is a wide range of things like to buy >> viagra and cialis. >> Or a couple today are for buying stock (buy this symbol) etc. >> >> Anyone been getting these? Im still getting my SA rules back in order. >> Wasn't sure if any of these were sneaking through to anyone else. >> For those that are blocking, what is catching it so I can quickly put it >> in? > > We've been seeing them by the thousands here. > > Score Matching Rule Description > 0.00 BAYES_50 Bayesian spam probability is 40 to 60% > 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. > 1.66 SARE_MLB_Stock1 > 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. > > SARE stocks catches them right off. Not so here. I never see SARE stocks in any of them. It appears to be image based here, not sure though. Course, I load the SARE stocks manually and mine is from October 31. Steve > > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From philippe at beau.nom.fr Thu Nov 9 21:06:14 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Thu Nov 9 21:06:43 2006 Subject: Mailscanner interface In-Reply-To: <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> Message-ID: <61441.90.0.125.205.1163106374.squirrel@www.choup.net> Huhu ... At first, thx for all the answers. i haven't see theses ideas before. but just a little question : is anyone can made me a summary of WORKING functionnality of MailWatch ? > On 09/11/06, John Van Ostrand wrote: >> On Thu, 2006-11-09 at 15:05 -0500, Ugo Bellavance wrote: >> > I think you should give a try to MailWatch first, then contribute to >> the >> > code if you need anything else. BTW, V 2.0 is coming. >> >> What's the word on which features are going to be in the 2.0? >> > So far, apart from some quite irritating teasers on the MailWatch list > (irritating, since they so far just make you long for 2.0 so much > more:-), the MW wiki entry is all we have to go on: > http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:v2_ideas Best regards Philippe, From john at netdirect.ca Thu Nov 9 21:09:15 2006 From: john at netdirect.ca (John Van Ostrand) Date: Thu Nov 9 21:09:24 2006 Subject: New SPAM e-mails recently? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: <1163106555.11897.117.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 12:23 -0800, Jason Williams wrote: > Anyone been getting some new SPAM recently, where it comes in with > subjects like: > > It's Lorenzo :) > It's Flavia :) > > Bunch of names in the subject line. 
> > In the body of the message, it is a wide range of things like to buy > viagra and cialis. > Or a couple today are for buying stock (buy this symbol) etc. > > Anyone been getting these? Im still getting my SA rules back in order. > Wasn't sure if any of these were sneaking through to anyone else. > > For those that are blocking, what is catching it so I can quickly put > it in? I have seen these at a customer, but I don't see them in my office. The only difference is that we have sendmail configured to refuse email from domains without an MX or A DNS record. Could that be it? -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6 john@netdirect.ca ph: 518-883-1172 x5102 Linux Solutions / IBM Hardware fx: 519-883-8533 From campbell at cnpapers.com Thu Nov 9 21:14:33 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Nov 9 21:15:01 2006 Subject: New SPAM e-mails recently? References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local><455392EF.8070803@pixelhammer.com> <005d01c70442$21ffe6c0$0705000a@DDF5DW71> Message-ID: <008001c70444$0ddbe2f0$0705000a@DDF5DW71> OK, I searched for SARE_MLB_Stock5 through Mailwatch, and none of the 200k+ emails have been hit by this rule. That's really strange. Do you want me to start a new thread or maybe someone has a clue as to what's going on. I have the 70_sare_stocks.cf in my /etc/mail/spamassassin directory. Is this right? The rules are added when I update my Mailwatch SA rules, so I think it's OK. Sorry to hijack - sort of related. Steve ----- Original Message ----- From: "Steve Campbell" To: "MailScanner discussion" Sent: Thursday, November 09, 2006 4:00 PM Subject: Re: New SPAM e-mails recently? > > ----- Original Message ----- > From: "DAve" > To: "MailScanner discussion" > Sent: Thursday, November 09, 2006 3:43 PM > Subject: Re: New SPAM e-mails recently? 
> > >> Jason Williams wrote: >>> Anyone been getting some new SPAM recently, where it comes in with >>> subjects like: >>> >>> It's Lorenzo :) >>> It's Flavia :) >>> >>> Bunch of names in the subject line. >>> >>> In the body of the message, it is a wide range of things like to buy >>> viagra and cialis. >>> Or a couple today are for buying stock (buy this symbol) etc. >>> >>> Anyone been getting these? Im still getting my SA rules back in order. >>> Wasn't sure if any of these were sneaking through to anyone else. >>> For those that are blocking, what is catching it so I can quickly put it >>> in? >> >> We've been seeing them by the thousands here. >> >> Score Matching Rule Description >> 0.00 BAYES_50 Bayesian spam probability is 40 to 60% >> 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. >> 1.66 SARE_MLB_Stock1 >> 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. >> >> SARE stocks catches them right off. > > Not so here. I never see SARE stocks in any of them. It appears to be > image based here, not sure though. Course, I load the SARE stocks manually > and mine is from October 31. > > Steve >> >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From bpumphrey at woodmclaw.com Thu Nov 9 21:23:34 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Nov 9 21:23:44 2006 Subject: New SPAM e-mails recently? 
In-Reply-To: <455391B0.7000205@cenpac.net.nr> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C140D4@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jon Leeman > Sent: Thursday, November 09, 2006 3:38 PM > To: MailScanner discussion > Subject: Re: New SPAM e-mails recently? > > > Jason Williams wrote: > > Anyone been getting some new SPAM recently, where it comes in with > > subjects like: > > > > It's Lorenzo :) > > It's Flavia :) > > > > Bunch of names in the subject line. > > > > In the body of the message, it is a wide range of things like to buy > > viagra and cialis. > > Or a couple today are for buying stock (buy this symbol) etc. > > > > Anyone been getting these? Im still getting my SA rules back in order. > > Wasn't sure if any of these were sneaking through to anyone else. > > For those that are blocking, what is catching it so I can quickly put it > > in? > > > > Thanks, > > > > -Jason > I have 174 so far this month, so not too many. Mine has caught about 97% of them. Most of the catching has been done by bayes. I have stocks installed but I do not see it on these messages for whatever reason. Rules has been updating stocks I believe. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Nov 9 21:32:34 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 21:33:01 2006 Subject: Is razor working? 
In-Reply-To: <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com> References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com> <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com> Message-ID: Glenn Steen spake the following on 11/9/2006 4:53 AM: > On 09/11/06, Glenn Steen wrote: > (snip) >> That version of SA will only load the module(s) and test for syntax >> errors, not actually try to perform any network tests. > .... for the --lint option, of course. Jeez, when will I learn to > proofread _beforehand_. Sigh. > Sometime after they pry Postfix from your cold dead fingers! ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From john at netdirect.ca Thu Nov 9 21:35:58 2006 From: john at netdirect.ca (John Van Ostrand) Date: Thu Nov 9 21:36:13 2006 Subject: New SPAM e-mails recently? In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C140D4@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501C140D4@woodenex.woodmaclaw.local> Message-ID: <1163108158.11897.125.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 16:23 -0500, Billy A. Pumphrey wrote: > I have 174 so far this month, so not too many. Mine has caught about > 97% of them. Most of the catching has been done by bayes. I have > stocks installed but I do not see it on these messages for whatever > reason. Rules has been updating stocks I believe. Here are my results: SORBS-DNSBL, SpamAssassin (cached, score=14.361, required 4.5, autolearn=spam, BAYES_20 -0.74, DATE_IN_PAST_03_06 0.48, PYZOR_CHECK 3.70, RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, SARE_CSBIG 1.66, SARE_MLB_Stock1 1.66, SARE_MLB_Stock5 1.66) These are from an install just 4 days old and a clean bayes database. -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. 
Unit 12 Waterloo, ON N2L 5C6 map john@netdirect.ca Ph: 519-883-1172 ext.5102 Linux Solutions / IBM Hardware Fx: 519-883-8533 From ssilva at sgvwater.com Thu Nov 9 21:39:35 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 21:39:54 2006 Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently? In-Reply-To: <45531E87.3090904@enem.nl> References: <45531E87.3090904@enem.nl> Message-ID: Hans Melgers spake the following on 11/9/2006 4:26 AM: > > > Hi list, > > Im running MS for years now, ever running flawless on freebsd. > Now im updating (from ports) to 4.55.10 on freebsd 6.2 pre and see > something strange. > > Im using the sendmail2 with ms2cgp script to put MS output in my > Communigate submitted queue: > > Sendmail2 = /usr/local/etc/ms2cgp2 > > However it seems MS is not providing the job number like it used too: > > Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock > subroutine for freebsd (BSD-type) > Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, > 622 bytes > Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting > Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in > language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked > up unknown string notspam in language translation file Nov 9 13:11:32 > fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 > (hans@fb1.enem.nl) is whitelisted > Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string > mailscanner in language translation file Nov 9 13:11:32 fb1 > MailScanner[51430]: Looked up unknown string unreadablearchive in > language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked > up unknown string passwordedarchive in language translation file Nov 9 > 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep > in language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: > Virus and Content Scanning: Starting > Nov 9 13:11:34 
fb1 MailScanner[51430]: Uninfected: Delivered 1 messages > Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to > /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp > > ^^ no jobnumber > Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf > failed, dying > > ^^ no jobnumber > > The ms2cgp script is unchanged, qf and df files are there. > > Anybody knows what's going on, hopefully a workaround ? > > Thanks, > Hans > > You need to upgrade your languages.conf file. That is where the unknown string errors are comming from. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From bpumphrey at woodmclaw.com Thu Nov 9 21:43:49 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Nov 9 21:43:59 2006 Subject: New SPAM e-mails recently? In-Reply-To: <1163108158.11897.125.camel@venture.office.netdirect.ca> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C140D5@woodenex.woodmaclaw.local> > > Here are my results: > > SORBS-DNSBL, SpamAssassin (cached, score=14.361, required 4.5, > autolearn=spam, BAYES_20 -0.74, DATE_IN_PAST_03_06 0.48, PYZOR_CHECK > 3.70, RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, SARE_CSBIG 1.66, > SARE_MLB_Stock1 1.66, SARE_MLB_Stock5 1.66) > > These are from an install just 4 days old and a clean bayes database. > > -- > John Van Ostrand > Net Direct Inc. > > CTO, co-CEO > 564 Weber St. N. Unit 12 > Waterloo, ON N2L 5C6 > map > john@netdirect.ca > Ph: 519-883-1172 > ext.5102 > Linux Solutions / IBM > Hardware > Fx: 519-883-8533 > > Oh yes, you were looking for the rule sets. Here are a few examples: Score Matching Rule Description cached not score=11.566 5 required 3.50 BAYES_99 Bayesian spam probability is 99 to 100% 0.14 FORGED_RCVD_HELO Received: contains a forged HELO 0.55 HELO_MISMATCH_COM 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. 1.66 SARE_MLB_Stock1 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. 
2.40 TVD_STOCK1 Score Matching Rule Description cached not score=15.699 5 required autolearn=spam 2.00 BAYES_80 Bayesian spam probability is 80 to 95% 0.48 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) 0.14 FORGED_RCVD_HELO Received: contains a forged HELO 0.77 HELO_EQ_MODEMCABLE 0.97 HOST_EQ_MODEMCABLE 1.80 HOST_EQ_SHAWCAB 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. 1.66 SARE_MLB_Stock1 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. 2.40 TVD_STOCK1 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Nov 9 21:51:48 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 21:52:36 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <45535C44.708@waversveld.nl> References: <45535C44.708@waversveld.nl> Message-ID: Joost Waversveld spake the following on 11/9/2006 8:50 AM: > Hi to all, > > I've searched but I could not find an good answer... > > We have some mailscanners with a lot of domains pointing to them, which > are very busy. At the moment we do not use RBL's through sendmail. We > let Mailscanner (SpamAssassin) handle those lookups. This way every end > user can choose what to do with the SPAM. > > To handle the load better we want to enable some RBL-checks through > sendmail but we know some customers don't want that, because then we are > deciding which mail could be deleted, and which not. If you get what I > mean. > > Is it possible to enable the RBL-checks in sendmail per domain, so > customer1 can use the function(s), but customer2 does not?? > > Regards, > > Joost Waversveld This might do what you want with some experimentation; http://www.technoids.org/spamlovers.html -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From dave.list at pixelhammer.com Thu Nov 9 21:55:54 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Nov 9 21:56:19 2006 Subject: New SPAM e-mails recently? In-Reply-To: <008001c70444$0ddbe2f0$0705000a@DDF5DW71> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local><455392EF.8070803@pixelhammer.com> <005d01c70442$21ffe6c0$0705000a@DDF5DW71> <008001c70444$0ddbe2f0$0705000a@DDF5DW71> Message-ID: <4553A3EA.80209@pixelhammer.com> Steve Campbell wrote: > OK, I searched for SARE_MLB_Stock5 through Mailwatch, and none of the > 200k+ emails have been hit by this rule. That's really strange. > > Do you want me to start a new thread or maybe someone has a clue as to > what's going on. > > I have the 70_sare_stocks.cf in my /etc/mail/spamassassin directory. Is > this right? The rules are added when I update my Mailwatch SA rules, so > I think it's OK. > > Sorry to hijack - sort of related. > > Steve > > > > ----- Original Message ----- From: "Steve Campbell" > To: "MailScanner discussion" > Sent: Thursday, November 09, 2006 4:00 PM > Subject: Re: New SPAM e-mails recently? > > >> >> ----- Original Message ----- From: "DAve" >> To: "MailScanner discussion" >> Sent: Thursday, November 09, 2006 3:43 PM >> Subject: Re: New SPAM e-mails recently? >> >> >>> Jason Williams wrote: >>>> Anyone been getting some new SPAM recently, where it comes in with >>>> subjects like: >>>> >>>> It's Lorenzo :) >>>> It's Flavia :) >>>> >>>> Bunch of names in the subject line. >>>> >>>> In the body of the message, it is a wide range of things like to buy >>>> viagra and cialis. >>>> Or a couple today are for buying stock (buy this symbol) etc. >>>> >>>> Anyone been getting these? Im still getting my SA rules back in order. >>>> Wasn't sure if any of these were sneaking through to anyone else. >>>> For those that are blocking, what is catching it so I can quickly >>>> put it >>>> in? >>> >>> We've been seeing them by the thousands here. 
>>> >>> Score Matching Rule Description >>> 0.00 BAYES_50 Bayesian spam probability is 40 to 60% >>> 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. >>> 1.66 SARE_MLB_Stock1 >>> 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. >>> >>> SARE stocks catches them right off. >> >> Not so here. I never see SARE stocks in any of them. It appears to be >> image based here, not sure though. Course, I load the SARE stocks >> manually and mine is from October 31. >> >> Steve We have gotten 7200 in the last five days (those that made it past the MTA rules). I consistently hit on SARE stock rules, at least the dozen messages I checked. Here is what I am running, bash-2.05b# head 70_sare_stocks.cf # SARE Stocks Ruleset for SpamAssassin # Version: 01.00.37 # Created: 2005-12-18 # Modified: 2006-10-18 # License: Artistic - http://www.rulesemporium.com/license.txt # Current Maintainer: Sare Ninja - maddoc@maddoc.net # Current Home: http://www.rulesemporium.com/rules/70_sare_stocks.cf This on all servers. I also see a sprinkling of date in future, missing headers, garbage_this and garbage_that. SARE Stocks is consistently hitting every message. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From ka at pacific.net Thu Nov 9 22:03:54 2006 From: ka at pacific.net (Ken A) Date: Thu Nov 9 22:01:51 2006 Subject: trackback option not valid config option? Message-ID: <4553A5CA.1090209@pacific.net> Nov 9 13:59:47 server MailScanner[17647]: Syntax error in line 1630, 60k trackback for maxspamassassinsize should be a number Is this not the correct syntax? 
Thanks, Ken A Pacific.Net From glenn.steen at gmail.com Thu Nov 9 22:09:21 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 22:09:26 2006 Subject: Mailscanner interface In-Reply-To: <61441.90.0.125.205.1163106374.squirrel@www.choup.net> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> <61441.90.0.125.205.1163106374.squirrel@www.choup.net> Message-ID: <223f97700611091409r429f4e91sf972daf992498ec2@mail.gmail.com> On 09/11/06, Philippe BEAU wrote: > Huhu ... At first, thx for all the answers. > > i haven't see theses ideas before. but just a little question : is anyone > can made me a summary of WORKING functionnality of MailWatch ? > It does basically all you stipulated and more. The 1.03 version is quite mature. You should look through the MailScanner wiki pages about it at http://wiki.mailscanner.info/doku.php?do=index&id=documentation%3Arelated_software%3Amanagement%3Amailwatch%3Adescription and more importantly the MailWatch site (that happen to be a wiki as well:) at http://mailwatch.sourceforge.net/doku.php?id=start Cheers, -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hans at enem.nl Thu Nov 9 22:09:32 2006 From: hans at enem.nl (Hans Melgers) Date: Thu Nov 9 22:09:56 2006 Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently? In-Reply-To: References: <45531E87.3090904@enem.nl> Message-ID: <4553A71C.9@enem.nl> Scott Silva schreef: > Hans Melgers spake the following on 11/9/2006 4:26 AM: > >> Hi list, >> >> Im running MS for years now, ever running flawless on freebsd. >> Now im updating (from ports) to 4.55.10 on freebsd 6.2 pre and see >> something strange. 
>> >> Im using the sendmail2 with ms2cgp script to put MS output in my >> Communigate submitted queue: >> >> Sendmail2 = /usr/local/etc/ms2cgp2 >> >> However it seems MS is not providing the job number like it used too: >> >> Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock >> subroutine for freebsd (BSD-type) >> Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, >> 622 bytes >> Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting >> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in >> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >> up unknown string notspam in language translation file Nov 9 13:11:32 >> fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 >> (hans@fb1.enem.nl) is whitelisted >> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string >> mailscanner in language translation file Nov 9 13:11:32 fb1 >> MailScanner[51430]: Looked up unknown string unreadablearchive in >> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >> up unknown string passwordedarchive in language translation file Nov 9 >> 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep >> in language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: >> Virus and Content Scanning: Starting >> Nov 9 13:11:34 fb1 MailScanner[51430]: Uninfected: Delivered 1 messages >> Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to >> /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp >> >> ^^ no jobnumber >> Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf >> failed, dying >> >> ^^ no jobnumber >> >> The ms2cgp script is unchanged, qf and df files are there. >> >> Anybody knows what's going on, hopefully a workaround ? >> >> Thanks, >> Hans >> >> >> > You need to upgrade your languages.conf file. That is where the unknown string > errors are comming from. > > Thanks Scott, that language error is solved, However the problem still exists. 
Could it be that anything has changed in how MS calls sendmail2 ? All my script needs is a msg number corresponding with the df and qf files in mqueue. It just reads the -qI argument MS (used to) sends with the sendmail command. Right now i only see -qI, without number.. I know there IS a number because the qf and df files are correct. And if i call my script from cli with that number everything works fine: like: /usr/local/etc/ms2cgp2 -qI23456 >> no problem. I installed this version on another machine, same problem. Nov 9 21:59:43 fb1 MailScanner[1573]: New Batch: Scanning 1 messages, 602 bytes Nov 9 21:59:43 fb1 MailScanner[1573]: Spam Checks: Starting Nov 9 21:59:43 fb1 MailScanner[1573]: Message 1656 from 84.107.145.164 (hans@fb1.enem.nl) is whitelisted Nov 9 21:59:43 fb1 MailScanner[1573]: Virus and Content Scanning: Starting Nov 9 21:59:45 fb1 MailScanner[1573]: Uninfected: Delivered 1 messages Nov 9 21:59:45 fb1 ms2cgp[1670]: Job -qI << changed script to show all arguments Nov 9 21:59:45 fb1 ms2cgp[1670]: Job writing to /var/CommuniGate/Submitted/FB11.ms2cgp..1670.tmp Nov 9 21:59:45 fb1 ms2cgp[1670]: Open input /var/spool/mqueue/qf failed, dying From glenn.steen at gmail.com Thu Nov 9 22:11:22 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 22:11:32 2006 Subject: Is razor working? In-Reply-To: References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com> <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com> Message-ID: <223f97700611091411w11f14c8dob42afcba84e665f2@mail.gmail.com> On 09/11/06, Scott Silva wrote: > Glenn Steen spake the following on 11/9/2006 4:53 AM: > > On 09/11/06, Glenn Steen wrote: > > (snip) > >> That version of SA will only load the module(s) and test for syntax > >> errors, not actually try to perform any network tests. > > .... for the --lint option, of course. Jeez, when will I learn to > > proofread _beforehand_. Sigh. 
> > > Sometime after they pry Postfix from your cold dead fingers! ;-) > :-) Hope to be around for a while longer;-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From philippe at beau.nom.fr Thu Nov 9 22:14:38 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Thu Nov 9 22:15:19 2006 Subject: MailWatch question was Re: Mailscanner interface In-Reply-To: <61441.90.0.125.205.1163106374.squirrel@www.choup.net> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> <61441.90.0.125.205.1163106374.squirrel@www.choup.net> Message-ID: <61970.90.0.125.205.1163110478.squirrel@www.choup.net> So ... i try MailWatch. Also it's not in french, but i will try it for the moment. A question, is the current version working with more than one MailScanner server ? (one is remote from the front-end interface) Best regards Philippe From glenn.steen at gmail.com Thu Nov 9 22:15:45 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 22:15:50 2006 Subject: New SPAM e-mails recently? In-Reply-To: <455391B0.7000205@cenpac.net.nr> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> <455391B0.7000205@cenpac.net.nr> Message-ID: <223f97700611091415m1a9b8ah46922b55ab127740@mail.gmail.com> On 09/11/06, Jon Leeman wrote: > > Jason Williams wrote: > > Anyone been getting some new SPAM recently, where it comes in with > > subjects like: > > > > It's Lorenzo :) > > It's Flavia :) > > > > Bunch of names in the subject line. > > > > In the body of the message, it is a wide range of things like to buy > > viagra and cialis. > > Or a couple today are for buying stock (buy this symbol) etc. > > > > Anyone been getting these? Im still getting my SA rules back in order. > > Wasn't sure if any of these were sneaking through to anyone else. 
> > For those that are blocking, what is catching it so I can quickly put it > > in? > > > > Thanks, > > > > -Jason > > Yes, I am seeing these and they're currently getting through MS / > Postfix. Would also like to know how to drop them - preferrably with > Postfix. > > Glenn? :-) > You rang?:-) Well, I've had a few too, but most seem to get caught... so I've not reflected on why that is just yet. I'd imagine most are image based, so ImageInfo and/or FuzzyOcr should help. Will look a bit harder tomorrow (it's about bedtime around here:) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Thu Nov 9 22:45:45 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 22:46:23 2006 Subject: New SPAM e-mails recently? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: Jason Williams spake the following on 11/9/2006 12:23 PM: > Anyone been getting some new SPAM recently, where it comes in with > subjects like: > > It's Lorenzo :) > It's Flavia :) > > Bunch of names in the subject line. > > In the body of the message, it is a wide range of things like to buy > viagra and cialis. > Or a couple today are for buying stock (buy this symbol) etc. > > Anyone been getting these? Im still getting my SA rules back in order. > Wasn't sure if any of these were sneaking through to anyone else. > > For those that are blocking, what is catching it so I can quickly put it > in? 
> > Thanks, > > -Jason Mine usually hit these; 3.50 BAYES_99 Bayesian spam probability is 99 to 100% 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) 2.50 DIGEST_MULTIPLE Message hits more than one network digest check 1.00 FORGED_RCVD_HELO Received: contains a forged HELO 1.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% 1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50% 1.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 1.56 RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net 2.05 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. 1.66 SARE_MLB_Stock1 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. 1.07 SPF_NEUTRAL SPF: sender does not match SPF record (neutral) Some variation, but mostly in the SARE rules and the digests. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Nov 9 22:57:14 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 23:00:11 2006 Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently? In-Reply-To: <4553A71C.9@enem.nl> References: <45531E87.3090904@enem.nl> <4553A71C.9@enem.nl> Message-ID: Hans Melgers spake the following on 11/9/2006 2:09 PM: > > > Scott Silva schreef: >> Hans Melgers spake the following on 11/9/2006 4:26 AM: >> >>> Hi list, >>> >>> Im running MS for years now, ever running flawless on freebsd. >>> Now im updating (from ports) to 4.55.10 on freebsd 6.2 pre and see >>> something strange. 
>>> >>> Im using the sendmail2 with ms2cgp script to put MS output in my >>> Communigate submitted queue: >>> >>> Sendmail2 = /usr/local/etc/ms2cgp2 >>> >>> However it seems MS is not providing the job number like it used too: >>> >>> Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock >>> subroutine for freebsd (BSD-type) >>> Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, >>> 622 bytes >>> Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting >>> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in >>> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >>> up unknown string notspam in language translation file Nov 9 13:11:32 >>> fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 >>> (hans@fb1.enem.nl) is whitelisted >>> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string >>> mailscanner in language translation file Nov 9 13:11:32 fb1 >>> MailScanner[51430]: Looked up unknown string unreadablearchive in >>> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >>> up unknown string passwordedarchive in language translation file Nov 9 >>> 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep >>> in language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: >>> Virus and Content Scanning: Starting >>> Nov 9 13:11:34 fb1 MailScanner[51430]: Uninfected: Delivered 1 messages >>> Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to >>> /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp >>> >>> ^^ no jobnumber >>> Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf >>> failed, dying >>> >>> ^^ no jobnumber >>> >>> The ms2cgp script is unchanged, qf and df files are there. >>> >>> Anybody knows what's going on, hopefully a workaround ? >>> >>> Thanks, >>> Hans >>> >>> >>> >> You need to upgrade your languages.conf file. That is where the >> unknown string >> errors are comming from. 
>>
>>
> Thanks Scott, that language error is solved, However the problem still
> exists.
> Could it be that anything has changed in how MS calls sendmail2 ?
>
> All my script needs is a msg number corresponding with the df
> and qf files in mqueue. It just reads the -qI argument
> MS (used to) sends with the sendmail command. Right now I only see -qI,
> without number..
> I know there IS a number because the qf and df files are correct. And if
> I call my script from cli with that number everything works fine:
>
> like: /usr/local/etc/ms2cgp2 -qI23456 >> no problem.
>
> I installed this version on another machine, same problem.
>
> Nov 9 21:59:43 fb1 MailScanner[1573]: New Batch: Scanning 1 messages,
> 602 bytes
> Nov 9 21:59:43 fb1 MailScanner[1573]: Spam Checks: Starting
> Nov 9 21:59:43 fb1 MailScanner[1573]: Message 1656 from 84.107.145.164
> (hans@fb1.enem.nl) is whitelisted
> Nov 9 21:59:43 fb1 MailScanner[1573]: Virus and Content Scanning: Starting
> Nov 9 21:59:45 fb1 MailScanner[1573]: Uninfected: Delivered 1 messages
> Nov 9 21:59:45 fb1 ms2cgp[1670]: Job
> -qI << changed script to
> show all arguments
> Nov 9 21:59:45 fb1 ms2cgp[1670]: Job writing to
> /var/CommuniGate/Submitted/FB11.ms2cgp..1670.tmp
> Nov 9 21:59:45 fb1 ms2cgp[1670]: Open input /var/spool/mqueue/qf
> failed, dying
It was worth a shot. I thought that the munged languages file could be messing
up the calls.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 9 23:10:22 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 9 23:10:43 2006
Subject: MailWatch question was Re: Mailscanner interface
In-Reply-To: <61970.90.0.125.205.1163110478.squirrel@www.choup.net>
References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> <61441.90.0.125.205.1163106374.squirrel@www.choup.net> <61970.90.0.125.205.1163110478.squirrel@www.choup.net>
Message-ID:

Philippe BEAU spake the following on 11/9/2006 2:14 PM:
> So ...
>
> I try MailWatch. Also it's not in french, but I will try it for the
> moment. A question, is the current version working with more than one
> MailScanner server ? (one is remote from the front-end interface)
>
> Best regards
>
> Philippe
>
It can be set up to oversee many mailscanner servers.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 9 23:13:34 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 9 23:16:15 2006
Subject: trackback option not valid config option?
In-Reply-To: <4553A5CA.1090209@pacific.net>
References: <4553A5CA.1090209@pacific.net>
Message-ID:

Ken A spake the following on 11/9/2006 2:03 PM:
>
> Nov 9 13:59:47 server MailScanner[17647]: Syntax error in line 1630,
> 60k trackback for maxspamassassinsize should be a number
>
> Is this not the correct syntax?
> Thanks,
>
> Ken A
> Pacific.Net
try 60000. There has been some problems parsing the k in amounts.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ka at pacific.net Thu Nov 9 23:28:26 2006
From: ka at pacific.net (Ken A)
Date: Thu Nov 9 23:26:13 2006
Subject: trackback option not valid config option?
In-Reply-To:
References: <4553A5CA.1090209@pacific.net>
Message-ID: <4553B99A.7030801@pacific.net>

Scott Silva wrote:
> Ken A spake the following on 11/9/2006 2:03 PM:
>> Nov 9 13:59:47 server MailScanner[17647]: Syntax error in line 1630,
>> 60k trackback for maxspamassassinsize should be a number
>>
>> Is this not the correct syntax?
>> Thanks,
>>
>> Ken A
>> Pacific.Net
> try 60000. There has been some problems parsing the k in amounts.

I tried that too. I think it's something with Config.pm thinking this is
still only a 'number' type setting.

I'm just not sure whether the warning means the limit gets some default,
or if it's honoring the setting in the config file? This is version
4.56.6-1

Thanks,
Ken A
Pacific.Net
>
>

From ka at pacific.net Fri Nov 10 00:49:36 2006
From: ka at pacific.net (Ken A)
Date: Fri Nov 10 00:47:31 2006
Subject: trackback option not valid config option?
In-Reply-To: <4553B99A.7030801@pacific.net>
References: <4553A5CA.1090209@pacific.net> <4553B99A.7030801@pacific.net>
Message-ID: <4553CCA0.5000303@pacific.net>

Ken A wrote:
>
>
> Scott Silva wrote:
>> Ken A spake the following on 11/9/2006 2:03 PM:
>>> Nov 9 13:59:47 server MailScanner[17647]: Syntax error in line 1630,
>>> 60k trackback for maxspamassassinsize should be a number
>>>
>>> Is this not the correct syntax?
>>> Thanks,
>>>
>>> Ken A
>>> Pacific.Net
>> try 60000. There has been some problems parsing the k in amounts.
>
> I tried that too. I think it's something with Config.pm thinking this is
> still only a 'number' type setting.
>
> I'm just not sure whether the warning means the limit gets some default,
> or if it's honoring the setting in the config file? This is version
> 4.56.6-1

Julian,
I did some testing, and MailScanner is using the default of 30k when I
specify the trackback option to Max SpamAssassin Size. For now, I've
just hardcoded $maxsize in SA.pm (certainly not the right way to fix
this!), but it works, and gets me through the weekend.

The trackback option seems to work correctly once it is used by
MailScanner. I have a test email that scores FUZZY_OCR_CORRUPT_IMG every
time otherwise.

Thanks,
Ken A.
Pacific.Net

> Thanks,
> Ken A
> Pacific.Net
>
>
>
>>
>>

From campbell at cnpapers.com Fri Nov 10 01:00:17 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Nov 10 01:00:35 2006
Subject: Think I found why SAREs rules weren't working.
Message-ID: <1163120417.4553cf2145c04@perdition.cnpapers.net>

OK, I feel a little blushy now, but this is what I found about why my
SARE rule sets weren't working.

A little background - For some time, auto-learn hasn't been working. I
noticed this a while back, but just thought it might have been due to a
great set of Bayes files. I also noticed that the SARE rules were
catching a lot (none, in fact), but just noticed the "none" part today
with the recent thread on "New SPAM emails recently".

I have both SARE adult and stocks in my /etc/mail/spamassassin folder.
When I would update the rules database for MailWatch from the Tools
menu, they showed up. When I ran Spamassassin Lint test from the same
menu, nothing showed up as a problem.

The problem was I never noticed that a lot of the rules files weren't
showing up. I use a lot of Sendmail access table entries and was doing
pretty well without the rules. So I was given a false sense of
"rightness" until I ran into these "Hi" emails and they weren't being
trapped.

I soon discovered that the setting in MailScanner.conf, SpamAssassin
Site Rules Dir, was blank, apparently from a past update that I didn't
catch. At one point, this folder _was_ being used. After setting this to
"/etc/mail/spamassassin", all is well now. It must not use the default I
thought it did. AutoLearn even works now.

Hope this helps someone else.

Steve Campbell

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From mikej at rogers.com Fri Nov 10 01:05:07 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Fri Nov 10 01:05:03 2006
Subject: Releasing dangerous content from quarantine using MailWatch
Message-ID: <4553D043.207@rogers.com>

While adding the local server (127.0.0.1) to the whitelist allows
releasing of quarantined spam emails using MailWatch, doing so with
emails that have blocked filenames or content does not work, as the
whitelist seems to be ignored for this. Does anyone know of a workaround
for this?

From ugob at camo-route.com Fri Nov 10 04:07:39 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 10 04:08:00 2006
Subject: Releasing dangerous content from quarantine using MailWatch
In-Reply-To: <4553D043.207@rogers.com>
References: <4553D043.207@rogers.com>
Message-ID:

Mike Jakubik wrote:
> While adding the local server (127.0.0.1) to the whitelist allows
> releasing of quarantined spam emails using MailWatch, doing so with
> emails that have blocked filenames or content does not work, as the
> whitelist seems to be ignored for this. Does anyone know of a workaround
> for this?
>

Create a ruleset for "Virus Scanning = ". Should include filetype/name
checks.

Ugo

From r.berber at computer.org Fri Nov 10 04:42:31 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Fri Nov 10 04:42:49 2006
Subject: trackback option not valid config option?
In-Reply-To: <4553CCA0.5000303@pacific.net>
References: <4553A5CA.1090209@pacific.net> <4553B99A.7030801@pacific.net> <4553CCA0.5000303@pacific.net>
Message-ID:

Ken A wrote:
[snip]
>> I'm just not sure whether the warning means the limit gets some
>> default, or if it's honoring the setting in the config file? This is
>> version 4.56.6-1
>
> Julian,
> I did some testing, and MailScanner is using the default of 30k when I
> specify the trackback option to Max SpamAssassin Size. For now, I've
> just hardcoded $maxsize in SA.pm (certainly not the right way to fix
> this!), but it works, and gets me through the weekend.
>
> The trackback option seems to work correctly once it is used by
> MailScanner. I have a test email that scores FUZZY_OCR_CORRUPT_IMG every
> time otherwise.

I think the trackback option was introduced after the version you have, I have
it (and it works fine) with version 4.57.1 .
--
René Berber

From develop at in-tech.us Fri Nov 10 05:13:12 2006
From: develop at in-tech.us (Integrated Technologies)
Date: Fri Nov 10 05:07:47 2006
Subject: Bayes daily cron job
Message-ID: <000001c70486$f15c5f40$c8fea8c0@intech.us>

I am running the following:

CentOS 4.4
MailScanner 4.56.8-1
Spamassassin 3.0.6-1.el4

I currently have the parameter, "Rebuild Bayes Every = 0" set in my
MailScanner.conf file and would like to set up a daily cron job to expire
these old Bayes tokens.

I downloaded and printed the MailScanner Administrators Guide, Version
1.0.5. On page 64, it gives an example script for this exact requirement:

#! /bin/bash
# re-builds the Bayes database daily
/usr/bin/sa-learn --sync --force-expire \
-p /etc/MailScanner/spam.assassin.prefs.conf

I placed the following script in my /etc/cron.daily folder and it is
giving me this error:

/etc/cron.daily/bayes.cron: line 4: -p: command not found

When I remove the -p switch, I receive the following error:

/etc/cron.daily/bayes.cron: line 4: /etc/MailScanner/spam.assassin.prefs.conf: Permission denied

Any help here would be appreciated.

My gratitude for your patience and time!

SRB

--------------------
Integrated Technologies has scanned this message for viruses and it is
believed to be clean.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061109/1a49cd01/attachment.html

From ka at pacific.net Fri Nov 10 05:42:44 2006
From: ka at pacific.net (Ken A)
Date: Fri Nov 10 05:42:56 2006
Subject: trackback option not valid config option?
In-Reply-To:
References: <4553A5CA.1090209@pacific.net> <4553B99A.7030801@pacific.net> <4553CCA0.5000303@pacific.net>
Message-ID: <45541154.7080203@pacific.net>

René Berber wrote:
> Ken A wrote:
> [snip]
>>> I'm just not sure whether the warning means the limit gets some
>>> default, or if it's honoring the setting in the config file? This is
>>> version 4.56.6-1
>> Julian,
>> I did some testing, and MailScanner is using the default of 30k when I
>> specify the trackback option to Max SpamAssassin Size. For now, I've
>> just hardcoded $maxsize in SA.pm (certainly not the right way to fix
>> this!), but it works, and gets me through the weekend.
>>
>> The trackback option seems to work correctly once it is used by
>> MailScanner. I have a test email that scores FUZZY_OCR_CORRUPT_IMG every
>> time otherwise.
>
> I think the trackback option was introduced after the version you have, I have
> it (and it works fine) with version 4.57.1 .

This may be something that was fixed in that version.
Thanks!
Ken A.
Pacific.Net

From jimc at laridian.com Fri Nov 10 05:41:33 2006
From: jimc at laridian.com (Jim Coates)
Date: Fri Nov 10 05:43:19 2006
Subject: OT: milter-greylist config
In-Reply-To:
Message-ID: <03c001c7048a$e1e4ba90$6401a8c0@zorak>

This may be a dumb question, but how do you go about copying the greylist
exceptions from
http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.1
6 over to your milter-greylist.conf? I copied them in there and added the
acl whitelist info before each of them, but it bombed upon restarting the
milter because it didn't like the addresses that were incomplete (IE -
missing the last number from the IP etc).

Also - I have the local host set as whitelisted, but do I also need the
public IP of our MTA set as whitelisted? The reason I ask is that I went to
send an email to another user on our system and it immediately told me it
was rejected.

Thanks,
Jim Coates

From glenn.steen at gmail.com Fri Nov 10 08:23:14 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 08:23:18 2006
Subject: New SPAM e-mails recently?
In-Reply-To:
References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local>
Message-ID: <223f97700611100023l59599e62y2ae20ebed9eded8f@mail.gmail.com>

On 09/11/06, Scott Silva wrote:
> Jason Williams spake the following on 11/9/2006 12:23 PM:
> > Anyone been getting some new SPAM recently, where it comes in with
> > subjects like:
> >
> > It's Lorenzo :)
> > It's Flavia :)
> >
> > Bunch of names in the subject line.
> >
> > In the body of the message, it is a wide range of things like to buy
> > viagra and cialis.
> > Or a couple today are for buying stock (buy this symbol) etc.
> >
> > Anyone been getting these? I'm still getting my SA rules back in order.
> > Wasn't sure if any of these were sneaking through to anyone else.
> >
> > For those that are blocking, what is catching it so I can quickly put it
> > in?
> >
> > Thanks,
> >
> > -Jason
> Mine usually hit these;
> 3.50 BAYES_99 Bayesian spam probability is 99 to 100%
> 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 2.50 DIGEST_MULTIPLE Message hits more than one network digest check
> 1.00 FORGED_RCVD_HELO Received: contains a forged HELO
> 1.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> 1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
> 1.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 1.56 RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
> 2.05 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
> 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain.
> 1.66 SARE_MLB_Stock1
> 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC.
> 1.07 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
>
> Some variation, but mostly in the SARE rules and the digests.
>
I've now checked mine too. Yesterday I got 340, where all but one was
marked as spam (7 were low-scoring, the rest high). The rules that did
it for me was Bayes, Razor, TVD_STOCK1, DIGEST_MULTIPLE, DCC, a slew
of BLs (SORBS_DUL etc etc), HELO_DYNAMIC_* and SPF_NEUTRAL ... and
then some.

So, for me these haven't really been a problem (Postfix and all:-).

Note that I don't run the SARE stocks rules, else those would likely
have made an impact too.

And finally, my gut reaction ("they're probably images") was plain
wrong. Aren't statistics wonderful:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Nov 10 08:28:21 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 08:28:26 2006
Subject: New SPAM e-mails recently?
In-Reply-To: <223f97700611100023l59599e62y2ae20ebed9eded8f@mail.gmail.com>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> <223f97700611100023l59599e62y2ae20ebed9eded8f@mail.gmail.com>
Message-ID: <223f97700611100028x74166279u9fa1ed03423cb6fc@mail.gmail.com>

On 10/11/06, Glenn Steen wrote:
(snip)
> I've now checked mine too. Yesterday I got 340, where all but one was
> marked as spam (7 were low-scoring, the rest high). The rules that did
> it for me was Bayes, Razor, TVD_STOCK1, DIGEST_MULTIPLE, DCC, a slew
> of BLs (SORBS_DUL etc etc), HELO_DYNAMIC_* and SPF_NEUTRAL ... and
> then some.
>
> So, for me these haven't really been a problem (Postfix and all:-).
>
> Note that I don't run the SARE stocks rules, else those would likely
> have made an impact too.
>
> And finally, my gut reaction ("they're probably images") was plain
> wrong. Aren't statistics wonderful:-).
>
BTW, there seems to be a variation where the subject is "hi xxx.xxx"
(xxx.xxx == the user part of the email address) that hit pretty much the
same rules. Had about 200 of those yesterday (yesterday was an
all-time-high for spam (and caught spam) here:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Nov 10 08:37:53 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 08:38:02 2006
Subject: Bayes daily cron job
In-Reply-To: <000001c70486$f15c5f40$c8fea8c0@intech.us>
References: <000001c70486$f15c5f40$c8fea8c0@intech.us>
Message-ID: <223f97700611100037n31f33602rbbc31998b0aeba9b@mail.gmail.com>

On 10/11/06, Integrated Technologies wrote:
>
>
>
>
> I am running the following:
>
>
>
> CentOS 4.4
>
> MailScanner 4.56.8-1
>
> Spamassassin 3.0.6-1.el4
>
>
>
> I currently have the parameter, "Rebuild Bayes Every = 0" set in my
> MailScanner.conf file and would like to set up a daily cron job to expire
> these old Bayes tokens.
>
> I downloaded and printed the MailScanner Administrators Guide, Version
> 1.0.5. On page 64, it gives an example script for this exact requirement:
>
>
>
> #! /bin/bash
>
> # re-builds the Bayes database daily
>
> /usr/bin/sa-learn --sync --force-expire \
>
> -p /etc/MailScanner/spam.assassin.prefs.conf
>
You have whitespace or something like that _after_ the backslash. Don't.

Since quite a few versions back MailScanner should have a link from
/etc/mail/spamassassin/mailscanner.cf pointing at your
spam.assassin.prefs.conf, so you likely don't need specify it
separately. Change the script to

#! /bin/bash
# re-builds the Bayes database daily
/usr/bin/sa-learn --sync --force-expire
# End of script

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From joost at waversveld.nl Fri Nov 10 10:35:37 2006
From: joost at waversveld.nl (Joost Waversveld)
Date: Fri Nov 10 10:36:02 2006
Subject: [sendmail] Skipping rbl per domain
In-Reply-To:
References: <45535C44.708@waversveld.nl>
Message-ID: <455455F9.6010509@waversveld.nl>

Scott,

This is exactly what I was looking for, great!

I also looked at the solution of Steven Freegard, but that solution
needs an extra milter. This solution is 'standard' available in sendmail.

I think we are going to integrate this in our systems....

Thanks again!!

Best Regards,

Joost Waversveld

Scott Silva wrote:
> Joost Waversveld spake the following on 11/9/2006 8:50 AM:
>> Hi to all,
>>
>> I've searched but I could not find an good answer...
>>
>> We have some mailscanners with a lot of domains pointing to them, which
>> are very busy. At the moment we do not use RBL's through sendmail. We
>> let Mailscanner (SpamAssassin) handle those lookups. This way every end
>> user can choose what to do with the SPAM.
>>
>> To handle the load better we want to enable some RBL-checks through
>> sendmail but we know some customers don't want that, because then we are
>> deciding which mail could be deleted, and which not. If you get what I
>> mean.
>>
>> Is it possible to enable the RBL-checks in sendmail per domain, so
>> customer1 can use the function(s), but customer2 does not??
>>
>> Regards,
>>
>> Joost Waversveld
> This might do what you want with some experimentation;
> http://www.technoids.org/spamlovers.html
>
>

From martinh at solidstatelogic.com Fri Nov 10 10:42:40 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Nov 10 10:42:50 2006
Subject: [sendmail] Skipping rbl per domain
In-Reply-To: <455455F9.6010509@waversveld.nl>
References: <45535C44.708@waversveld.nl> <455455F9.6010509@waversveld.nl>
Message-ID: <455457A0.5080902@solidstatelogic.com>

Joost Waversveld wrote:
> Scott,
>
> This is exactly what I was looking for, great!
>
> I also looked at the solution of Steven Freegard, but that solution
> needs an extra milter. This solution is 'standard' available in sendmail.
>
> I think we are going to integrate this in our systems....
>
> Thanks again!!
>
> Best Regards,
>
> Joost Waversveld
>
>
> Scott Silva wrote:
>> Joost Waversveld spake the following on 11/9/2006 8:50 AM:
>>> Hi to all,
>>>
>>> I've searched but I could not find an good answer...
>>>
>>> We have some mailscanners with a lot of domains pointing to them, which
>>> are very busy. At the moment we do not use RBL's through sendmail. We
>>> let Mailscanner (SpamAssassin) handle those lookups. This way every end
>>> user can choose what to do with the SPAM.
>>>
>>> To handle the load better we want to enable some RBL-checks through
>>> sendmail but we know some customers don't want that, because then we are
>>> deciding which mail could be deleted, and which not. If you get what I
>>> mean.
>>>
>>> Is it possible to enable the RBL-checks in sendmail per domain, so
>>> customer1 can use the function(s), but customer2 does not??
>>>
>>> Regards,
>>>
>>> Joost Waversveld
>> This might do what you want with some experimentation;
>> http://www.technoids.org/spamlovers.html
>>
>>
Joost

I'd look at milter-ahead or sender-verification
(http://smfs.sourceforge.net/smf-sav.html, which can also so recipient
verification) so reduce your load too.

I drop over 66% of my inbound traffic this way.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From joost at waversveld.nl Fri Nov 10 10:57:24 2006
From: joost at waversveld.nl (Joost Waversveld)
Date: Fri Nov 10 10:57:46 2006
Subject: [sendmail] Skipping rbl per domain
In-Reply-To: <455457A0.5080902@solidstatelogic.com>
References: <45535C44.708@waversveld.nl> <455455F9.6010509@waversveld.nl> <455457A0.5080902@solidstatelogic.com>
Message-ID: <45545B14.8030603@waversveld.nl>

Martin,

That are indeed very good options but we are an hosting-provider and
we want the customer to decide what is SPAM and what is not. Only for
the customer who really understands what is happening and what it
means, we want to implement this features. Also, at the moment we use
windows mailservers with MailScanner in front of them. I did not
investigate yet if these milters will work with the mailserver.

I'll keep them in mind for the future. Thanx for the information.

Best regards,

Joost Waversveld

Martin Hepworth wrote:
> Joost Waversveld wrote:
>> Scott,
>>
>> This is exactly what I was looking for, great!
>>
>> I also looked at the solution of Steven Freegard, but that solution
>> needs an extra milter. This solution is 'standard' available in sendmail.
>>
>> I think we are going to integrate this in our systems....
>>
>> Thanks again!!
>>
>> Best Regards,
>>
>> Joost Waversveld
>>
>>
>> Scott Silva wrote:
>>> Joost Waversveld spake the following on 11/9/2006 8:50 AM:
>>>> Hi to all,
>>>>
>>>> I've searched but I could not find an good answer...
>>>>
>>>> We have some mailscanners with a lot of domains pointing to them, which
>>>> are very busy. At the moment we do not use RBL's through sendmail. We
>>>> let Mailscanner (SpamAssassin) handle those lookups. This way every end
>>>> user can choose what to do with the SPAM.
>>>>
>>>> To handle the load better we want to enable some RBL-checks through
>>>> sendmail but we know some customers don't want that, because then we
>>>> are
>>>> deciding which mail could be deleted, and which not. If you get what I
>>>> mean.
>>>>
>>>> Is it possible to enable the RBL-checks in sendmail per domain, so
>>>> customer1 can use the function(s), but customer2 does not??
>>>>
>>>> Regards,
>>>>
>>>> Joost Waversveld
>>> This might do what you want with some experimentation;
>>> http://www.technoids.org/spamlovers.html
>>>
>>>
> Joost
>
> I'd look at milter-ahead or sender-verification
> (http://smfs.sourceforge.net/smf-sav.html, which can also so recipient
> verification) so reduce your load too.
>
> I drop over 66% of my inbound traffic this way.
>

From hans at enem.nl Fri Nov 10 11:48:57 2006
From: hans at enem.nl (Hans Melgers)
Date: Fri Nov 10 11:54:29 2006
Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently?
In-Reply-To:
References: <45531E87.3090904@enem.nl> <4553A71C.9@enem.nl>
Message-ID: <45546729.7040805@enem.nl>

Scott Silva schreef:
> Hans Melgers spake the following on 11/9/2006 2:09 PM:
>
>> Scott Silva schreef:
>>
>>> Hans Melgers spake the following on 11/9/2006 4:26 AM:
>>>
>>>
>>>> Hi list,
>>>>
>>>> I'm running MS for years now, ever running flawless on freebsd.
>>>> Now I'm updating (from ports) to 4.55.10 on freebsd 6.2 pre and see
>>>> something strange.
>>>>
>>>> I'm using the sendmail2 with ms2cgp script to put MS output in my
>>>> Communigate submitted queue:
>>>>
>>>> Sendmail2 = /usr/local/etc/ms2cgp2
>>>>
>>>> However it seems MS is not providing the job number like it used to:
>>>>
>>>> Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock
>>>> subroutine for freebsd (BSD-type)
>>>> Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages,
>>>> 622 bytes
>>>> Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting
>>>> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in
>>>> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked
>>>> up unknown string notspam in language translation file Nov 9 13:11:32
>>>> fb1 MailScanner[51430]: Message 51551 from 84.107.145.164
>>>> (hans@fb1.enem.nl) is whitelisted
>>>> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string
>>>> mailscanner in language translation file Nov 9 13:11:32 fb1
>>>> MailScanner[51430]: Looked up unknown string unreadablearchive in
>>>> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked
>>>> up unknown string passwordedarchive in language translation file Nov 9
>>>> 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep
>>>> in language translation file Nov 9 13:11:32 fb1 MailScanner[51430]:
>>>> Virus and Content Scanning: Starting
>>>> Nov 9 13:11:34 fb1 MailScanner[51430]: Uninfected: Delivered 1 messages
>>>> Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to
>>>> /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp
>>>>
>>>> ^^ no jobnumber
>>>> Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf
>>>> failed, dying
>>>>
>>>> ^^ no jobnumber
>>>>
>>>> The ms2cgp script is unchanged, qf and df files are there.
>>>>
>>>> Anybody knows what's going on, hopefully a workaround ?
>>>>
>>>> Thanks,
>>>> Hans
>>>>
>>>>
>>>>
>>>>
>>> You need to upgrade your languages.conf file. That is where the
>>> unknown string
>>> errors are coming from.
>>>
>>>
>>>
>> Thanks Scott, that language error is solved, However the problem still
>> exists.
>> Could it be that anything has changed in how MS calls sendmail2 ?
>>
>> All my script needs is a msg number corresponding with the df
>> and qf files in mqueue. It just reads the -qI argument
>> MS (used to) sends with the sendmail command. Right now I only see -qI,
>> without number..
>> I know there IS a number because the qf and df files are correct. And if
>> I call my script from cli with that number everything works fine:
>>
>> like: /usr/local/etc/ms2cgp2 -qI23456 >> no problem.
>>
>> I installed this version on another machine, same problem.
>>
>> Nov 9 21:59:43 fb1 MailScanner[1573]: New Batch: Scanning 1 messages,
>> 602 bytes
>> Nov 9 21:59:43 fb1 MailScanner[1573]: Spam Checks: Starting
>> Nov 9 21:59:43 fb1 MailScanner[1573]: Message 1656 from 84.107.145.164
>> (hans@fb1.enem.nl) is whitelisted
>> Nov 9 21:59:43 fb1 MailScanner[1573]: Virus and Content Scanning: Starting
>> Nov 9 21:59:45 fb1 MailScanner[1573]: Uninfected: Delivered 1 messages
>> Nov 9 21:59:45 fb1 ms2cgp[1670]: Job
>> -qI << changed script to
>> show all arguments
>> Nov 9 21:59:45 fb1 ms2cgp[1670]: Job writing to
>> /var/CommuniGate/Submitted/FB11.ms2cgp..1670.tmp
>> Nov 9 21:59:45 fb1 ms2cgp[1670]: Open input /var/spool/mqueue/qf
>> failed, dying
>>
> It was worth a shot. I thought that the munged languages file could be messing
> up the calls.
>
>
The problem is solved. It appeared to be a bug in this MS version and is
already solved in later versions.

Thanks Julian and everybody else helping!

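The failure logged in this thread (the wrapper was handed a bare -qI and then tried to open /var/spool/mqueue/qf) can be caught before the queue is touched. The sketch below is an added example, not the ms2cgp script or MailScanner code; the function names, return codes and the assumption that queue IDs are purely alphanumeric are illustrative.

```shell
#!/bin/sh
# Added example: argument checks for a hypothetical Sendmail2 wrapper.
# Not the ms2cgp script from the thread; names and return codes are illustrative.

# Queue directory as it appears in the thread's log lines; override for testing.
QUEUE_DIR="${QUEUE_DIR:-/var/spool/mqueue}"

# extract_queue_id ARG...
# Prints the ID taken from the first -qI<id> argument.
# Returns 1: no -qI argument at all
#         2: bare -qI with no ID (the failure seen in the log)
#         3: ID contains characters outside A-Za-z0-9 (assumed ID alphabet)
extract_queue_id() {
    for arg in "$@"; do
        case "$arg" in
            -qI*)
                qid=${arg#-qI}
                [ -n "$qid" ] || return 2
                case "$qid" in
                    *[!A-Za-z0-9]*) return 3 ;;
                esac
                printf '%s\n' "$qid"
                return 0
                ;;
        esac
    done
    return 1
}

# queue_files_for ARG...
# Prints the qf and df paths, one per line, only when both are readable.
# Returns 4 when either file is missing, or the code from extract_queue_id.
queue_files_for() {
    qid=$(extract_queue_id "$@") || return $?
    qf_path="$QUEUE_DIR/qf$qid"
    df_path="$QUEUE_DIR/df$qid"
    if [ ! -r "$qf_path" ] || [ ! -r "$df_path" ]; then
        return 4
    fi
    printf '%s\n%s\n' "$qf_path" "$df_path"
}

# When called with arguments, as a Sendmail2 command would be, stop with a
# clear message instead of going on to open ".../qf" with no ID attached.
if [ "$#" -gt 0 ]; then
    queue_files_for "$@" || {
        rc=$?
        echo "refusing to run: bad -qI argument or missing queue files (code $rc): $*" >&2
        exit 75   # EX_TEMPFAIL from sysexits.h
    }
fi
```

Logging the full argument list on failure, as the last block does, gives the same evidence Hans obtained by changing his script to show all arguments.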
From prandal at herefordshire.gov.uk Fri Nov 10 12:24:02 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Nov 10 12:24:11 2006
Subject: milter-greylist config
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581057BF07@isabella.herefordshire.gov.uk>

With milter-greylist-3.0rc6, you do

list "my network" addr { 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

acl whitelist list "my network"

As for your other problem, grep greylist /etc/mail/maillog and see what
it tells you.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Jim Coates
> Sent: 10 November 2006 05:42
> To: 'MailScanner discussion'
> Subject: OT: milter-greylist config
>
> This may be a dumb question, but how do you go about copying
> the greylist
> exceptions from
> http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_
> ip.txt?rev=1.1
> 6 over to your milter-greylist.conf? I copied them in there
> and added the
> acl whitelist info before each of them, but it bombed upon
> restarting the
> milter because it didn't like the addresses that were incomplete (IE -
> missing the last number from the IP etc).
>
> Also - I have the local host set as whitelisted, but do I
> also need the
> public IP of our MTA set as whitelisted? The reason I ask is
> that I went to
> send an email to another user on our system and it
> immediately told me it
> was rejected.
>
> Thanks,
> Jim Coates
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From philippe at beau.nom.fr Fri Nov 10 13:22:45 2006
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Fri Nov 10 13:22:57 2006
Subject: Mailwatch configuration for some servers
Message-ID: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>

Hello all,

I've try Mailwatch and find it very useful. Also I found there is a lot
of development to do on.

I would like to found a documentation to install Mailwatch with 2
mailscanners servers. Is anyone did it ?

I have made a french version of mailwatch (if someone is interested) and
I will plan to integrate this to my web interface

best regards

Philippe,

From amoore at dekalbmemorial.com Fri Nov 10 13:48:10 2006
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Fri Nov 10 13:48:14 2006
Subject: [sendmail] Skipping rbl per domain
In-Reply-To:
Message-ID: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local>

If you are hosting individual e-mail accounts, then you should give
milter-ahead a second look. All it does is verify that the recipient's
e-mail address really exists by querying the internal mail server
hosting the domain. If it does not exist, then it rejects the e-mail.

That way you're not chewing up processing time with MailScanner scanning
e-mails that are only going to be rejected because the account doesn't
exist.

I used to have a lot of those messages clogging my outbound mail queue
on my MailScanner box until I started using milter-ahead.

Joost Waversveld wrote:
> Martin,
>
> That are indeed very good options but we are an hosting-provider and
> we want the customer to decide what is SPAM and what is not. Only for
> the customer who really understands what is happening and what it
> means, we want to implement this features. Also, at the moment we use
> windows mailservers with MailScanner in front of them. I did not
> investigate yet if these milters will work with the mailserver.
>
> I'll keep them in mind for the future. Thanx for the information.
> > Best regards, > > Joost Waversveld > < snip > >> >> I'd look at milter-ahead or sender-verification >> (http://smfs.sourceforge.net/smf-sav.html, which can also so >> recipient verification) so reduce your load too. >> >> i drop over 66% of my inbound traffic this way. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, IN E-mail: amoore@dekalbmemorial.com From joost at waversveld.nl Fri Nov 10 14:02:02 2006 From: joost at waversveld.nl (Joost Waversveld) Date: Fri Nov 10 14:02:29 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local> References: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local> Message-ID: <4554865A.5040204@waversveld.nl> Ya, I know, but we are hosting a lot of different domains, not just one domain. We use the mailserver Imail on Windows for now. We are planning to change this, but this will not be in the near future I think. Should milter-ahead work with Imail?? If so, it's an option we can think of implementing... Our vision for now is that we do not want to through any email, if not necessary. It's up to the customer to decide this. Now I'm busy with the RBL in sendmail on per-domain basis, because some of the domains generate so much SPAM, that it is abnormal. Aaron K. Moore wrote: > If you are hosting individual e-mail accounts, then you should give > milter-ahead a second look. All it does is verify that the recipient's > e-mail address really exists by querying the internal mail server > hosting the domain. If it does not exist, then it rejects the e-mail. > > That way you're not chewing up processing time with MailScanner scanning > e-mails that are only going to be rejected because the account doesn't > exist. > > I used to have a lot of those messages clogging my outbound mail queue > on my MailScanner box until I started using milter-ahead. 
> > Joost Waversveld wrote: >> Martin, >> >> That are indeed very good options but we are an hosting-provider and >> we want the customer to decide what is SPAM and what is not. Only for >> the customer who really understands what is happening and what it >> means, we want to implement this features. Also, at the moment we use >> windows mailservers with MailScanner in front of them. I did not >> investigate yet if these milters will work with the mailserver. >> >> I'll keep them in mind for the future. Thanx for the information. >> >> Best regards, >> >> Joost Waversveld >> > < snip > >>> I'd look at milter-ahead or sender-verification >>> (http://smfs.sourceforge.net/smf-sav.html, which can also so >>> recipient verification) so reduce your load too. >>> >>> i drop over 66% of my inbound traffic this way. > From john at netdirect.ca Fri Nov 10 14:07:00 2006 From: john at netdirect.ca (John Van Ostrand) Date: Fri Nov 10 14:07:11 2006 Subject: Bayes daily cron job In-Reply-To: <000001c70486$f15c5f40$c8fea8c0@intech.us> References: <000001c70486$f15c5f40$c8fea8c0@intech.us> Message-ID: <1163167621.11897.146.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 23:13 -0600, Integrated Technologies wrote: > I am running the following: > #! /bin/bash > > # re-builds the Bayes database daily > > /usr/bin/sa-learn --sync --force-expire \ > > -p /etc/MailScanner/spam.assassin.prefs.conf > > I placed the following script in my /etc/cron.daily folder and it is > giving me this error: > /etc/cron.daily/bayes.cron: line 4: -p: command not found > When I remove the -p switch, I receive the following error: > /etc/cron.daily/bayes.cron: line > 4: /etc/MailScanner/spam.assassin.prefs.conf: Permission denied Your problem is that the backslash (\) is not working. It indicates line continuance when followed by a line feed. Here is what I think is wrong: 1. There is a space, tab or other whitespace character after the \. 2.
Your script has CRLF line breaks because it was created in windows. I think it's option 1. delete the blank after the \ or simply remove the backslash and join the two lines. -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6 john@netdirect.ca ph: 518-883-1172 x5102 Linux Solutions / IBM Hardware fx: 519-883-8533 From john at netdirect.ca Fri Nov 10 14:14:55 2006 From: john at netdirect.ca (John Van Ostrand) Date: Fri Nov 10 14:15:06 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> Message-ID: <1163168095.11897.156.camel@venture.office.netdirect.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061110/f8a026bd/attachment.bin From ugob at camo-route.com Fri Nov 10 14:15:52 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 10 14:22:51 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> Message-ID: Philippe BEAU wrote: > Hello all, > > I've try Mailwatch and find it very usefull. Also i found there is a lot > of developpement to do on. > > i would like to found a documentation to install Mailwatch with 2 > mailscanners servers. Is anyone did it ? It can be done, but I don't think there is much doc on it. Contact Steve Freegard from FSL (the author of MailWatch) for details. 
> > i have made a french version of mailwatch (if someone is interested) and i > will plan to integrate this to my web interface You should discuss with Steve before investing too much efforts on MailWatch 1.x. There will probably be a lot of changes in 2.0, especially the switch from MySQL to Postgresql. > > best regards > > Philippe, > > Nice to see that you are willing to help :). There is a separate mailing list for MailWatch, you'd be better off discussing there. http://lists.sourceforge.net/lists/listinfo/mailwatch-users http://sourceforge.net/forum/?group_id=87163 Ugo From philippe at beau.nom.fr Fri Nov 10 14:24:07 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Fri Nov 10 14:24:18 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <1163168095.11897.156.camel@venture.office.netdirect.ca> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> Message-ID: <3259.82.127.125.185.1163168647.squirrel@www.choup.net> oh ... NFS ! i don't want this .. it will slow all .. (lot of files etc..) Regards Philippe, > On Fri, 2006-11-10 at 14:22 +0100, Philippe BEAU wrote: > >> I've try Mailwatch and find it very usefull. Also i found there is a lot >> of developpement to do on. >> >> i would like to found a documentation to install Mailwatch with 2 >> mailscanners servers. Is anyone did it ? >> >> i have made a french version of mailwatch (if someone is interested) and >> i >> will plan to integrate this to my web interface > > > I haven't done it but it seems to be there are only a few things to do: > > Determine one server to be the MailWatch server and which will be the > database server. > > 1. Install MailWatch on your designated MailWatch server. > 2. Configure the MailWatch.pm file on both systems to use the same > database server host. It doesn't matter which one has the database. > 3. 
Configure the database permissions so that both servers have > permissions to read and write. > 4. Use NFS to share the /var/spool/MailScanner folder on the MailWatch > server and configure the other server to mount it on > its /var/spool/MailScanner. > > There will likely be other issues to address like mail server > configuration or whitelisting. > > -- > John Van Ostrand > Net Direct Inc. > > CTO, co-CEO > 564 Weber St. N. Unit 12 > Waterloo, ON N2L 5C6 > map > john@netdirect.ca > Ph: 519-883-1172 > ext.5102 > Linux Solutions / IBM > Hardware > Fx: 519-883-8533 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From bpumphrey at woodmclaw.com Fri Nov 10 14:26:11 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Fri Nov 10 14:26:32 2006 Subject: Think I found why SAREs rules weren't working. In-Reply-To: <1163120417.4553cf2145c04@perdition.cnpapers.net> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C140E0@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Campbell > Sent: Thursday, November 09, 2006 8:00 PM > To: mailscanner@lists.mailscanner.info > Subject: Think I found why SAREs rules weren't working. > > OK, I feel a little blushy now, but this is what I found about why my SARE > rule > sets weren't working. > > A little background - > > For some time, auto-learn hasn't been working. I noticed this a while > back, but > just thought it might have been due to a great set of Bayes files. > > I also noticed that the SARE rules were catching a lot (none, in fact), > but just > noticed the "none" part today with the recent thread on "New SPAM emails > recently". 
> > I have both SARE adult and stocks in my /etc/mail/spamassassin folder. > > When I would update the rules database for MailWatch from the Tools menu, > they > showed up. When I ran Spamassassin Lint test from the same menu, nothing > showed > up as a problem. The problem was I never noticed that a lot of the rules > files > weren't showing up. I use a lot of Sendmail access table entries and was > doing > pretty well without the rules. > > So I was given a false sense of "rightness" until I ran into these "Hi" > emails > and they weren't being trapped. > > I soon discovered that the setting in MailScanner.conf, SpamAssassin Site > Rules > Dir, was blank, apparently from a past update that I didn't catch. At one > point, > this folder _was_ being used. After setting this to > "/etc/mail/spamassassin", > all is well now. It must not use the default I thought it did. > > AutoLearn even works now. > > Hope this helps someone else. > > Steve Campbell > > > > ------------------------------------------------- > This mail sent through IMP: http://horde.org/imp/ > -- Glad to here all is better. Billy Pumphrey IT Manager Wooden & McLaughlin http://www.billypumphrey.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From john at netdirect.ca Fri Nov 10 14:37:47 2006 From: john at netdirect.ca (John Van Ostrand) Date: Fri Nov 10 14:38:07 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <3259.82.127.125.185.1163168647.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> <3259.82.127.125.185.1163168647.squirrel@www.choup.net> Message-ID: <1163169467.11897.163.camel@venture.office.netdirect.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061110/0df604f3/attachment.bin From philippe at beau.nom.fr Fri Nov 10 14:47:51 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Fri Nov 10 14:48:03 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <1163169467.11897.163.camel@venture.office.netdirect.ca> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> <3259.82.127.125.185.1163168647.squirrel@www.choup.net> <1163169467.11897.163.camel@venture.office.netdirect.ca> Message-ID: <3425.82.127.125.185.1163170071.squirrel@www.choup.net> i thunk they use XML/RPC but apparently no ... >From Mailwatch website : XML-RPC support that allows multiple MailScanner/MailWatch installations to act as one. Can anyone confirm ? Philippe, > On Fri, 2006-11-10 at 15:24 +0100, Philippe BEAU wrote: > >> oh ... NFS ! i don't want this .. it will slow all .. (lot of files >> etc..) > > > Another solution, but more complicated is the Global File System that > RedHat purchased recently. Unlike NFS, GFS scales to multiple servers > very well in situations where the servers are not competing for the same > files. I believe GFS is available for CentOS, but it does require a > shared block device. It is expected to be used with a SAN but it can be > used with GNBD and a Linux server. > > The other issues that came to mind was message IDs. It is possible, but > unlikely that one message from each server will have the same message > ID on the same day and one will overwrite the other. Settings changes > would be another challenge. > > > -- > John Van Ostrand > Net Direct Inc. > > CTO, co-CEO > 564 Weber St. N. 
Unit 12 > Waterloo, ON N2L 5C6 > map > john@netdirect.ca > Ph: 519-883-1172 > ext.5102 > Linux Solutions / IBM > Hardware > Fx: 519-883-8533 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ugob at camo-route.com Fri Nov 10 14:52:16 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 10 14:54:58 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <3425.82.127.125.185.1163170071.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> <3259.82.127.125.185.1163168647.squirrel@www.choup.net> <1163169467.11897.163.camel@venture.office.netdirect.ca> <3425.82.127.125.185.1163170071.squirrel@www.choup.net> Message-ID: Philippe BEAU wrote: > i thunk they use XML/RPC but apparently no ... > >>From Mailwatch website : > > XML-RPC support that allows multiple MailScanner/MailWatch installations > to act as one. > > > > Can anyone confirm ? I can confirm. It does work. > > Philippe, From philippe at beau.nom.fr Fri Nov 10 14:57:27 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Fri Nov 10 14:57:40 2006 Subject: Mailwatch configuration for some servers In-Reply-To: References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> Message-ID: <3496.82.127.125.185.1163170647.squirrel@www.choup.net> Re, > Philippe BEAU wrote: >> Hello all, >> >> I've try Mailwatch and find it very usefull. Also i found there is a lot >> of developpement to do on. >> >> i would like to found a documentation to install Mailwatch with 2 >> mailscanners servers. Is anyone did it ? > > It can be done, but I don't think there is much doc on it. Contact > Steve Freegard from FSL (the author of MailWatch) for details. > yes but ... to contact me ... 
you have to first found his email ! i've subscribe to the Mailing list ... another one .... Philippe From philippe at beau.nom.fr Fri Nov 10 15:01:08 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Fri Nov 10 15:01:21 2006 Subject: Mailwatch configuration for some servers In-Reply-To: References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> <3259.82.127.125.185.1163168647.squirrel@www.choup.net> <1163169467.11897.163.camel@venture.office.netdirect.ca> <3425.82.127.125.185.1163170071.squirrel@www.choup.net> Message-ID: <3550.82.127.125.185.1163170868.squirrel@www.choup.net> > Philippe BEAU wrote: >> i thunk they use XML/RPC but apparently no ... >> >>>From Mailwatch website : >> >> XML-RPC support that allows multiple MailScanner/MailWatch installations >> to act as one. >> >> >> >> Can anyone confirm ? > > I can confirm. It does work. yes but have you a clear documentation ? i don't found anything about Philippe, From dhawal at netmagicsolutions.com Fri Nov 10 15:19:00 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Fri Nov 10 15:19:22 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> Message-ID: <45549864.9020900@netmagicsolutions.com> Philippe BEAU wrote: > Hello all, > > I've try Mailwatch and find it very usefull. Also i found there is a lot > of developpement to do on. > > i would like to found a documentation to install Mailwatch with 2 > mailscanners servers. Is anyone did it ? > > i have made a french version of mailwatch (if someone is interested) and i > will plan to integrate this to my web interface > > best regards > > Philippe, No docs.. some guidelines though. Set 'n' similar servers with MailScanner + MTA + MailWatch. Identify one of them as the Database server (or have an altogether different DB server). 
Configure Mailwatch.pm and conf.php on every server to talk to the database on this server (and additionally SQLBlacklist.pm). To reduce complication install but do not use MailScanner + MTA + MailWatch + SA (with rules) on the DB server as well. Make sure you rsync the MailScanner configuration files and any extra rules that you use in SA. Now see if each server can ping to every other server using their respective FQDNs (read Fully qualified hostnames). Additionally each server ought to be able to access apache (port 80) on every other server. This should get you started.. more can be taken up on the mailwatch list if required. - dhawal From glenn.steen at gmail.com Fri Nov 10 15:22:58 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 10 15:23:02 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> Message-ID: <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com> On 10/11/06, Philippe BEAU wrote: > Hello all, > > I've try Mailwatch and find it very usefull. Also i found there is a lot > of developpement to do on. > > i would like to found a documentation to install Mailwatch with 2 > mailscanners servers. Is anyone did it ? Yes, Steve Freegard;-). Look in the mailwatch directory (created by unpacking te tar-ball) for the file Remote_DB.txt ... Perhaps a bit of a misnomer, but it is all you need (together with the normal install doc) to setup multiple MailScanner gateways logging to one database, but with quarantine etc distributed. Note that you need at least the MailScanner config directory on the "frontend server", and at least a skeleton install of MailWatch on each gateway (so that XML-RPC can function)... And that it is rather important that the IP address <-> FQDN coupling is setup correctly for each machine. 
> i have made a french version of mailwatch (if someone is interested) and i > will plan to integrate this to my web interface I think Denis or Ugo (or perhaps some other of our Canadian friends) have done this too. 2.0 will have some facility builtin (the demos we've seen have used automatic translation courtesy of Google or somesuch... rather abominable, and lacking Swedish(!):-). We'll see where that lands. Eventually:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From philippe at beau.nom.fr Fri Nov 10 15:28:17 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Fri Nov 10 15:28:29 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <45549864.9020900@netmagicsolutions.com> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <45549864.9020900@netmagicsolutions.com> Message-ID: <3846.82.127.125.185.1163172497.squirrel@www.choup.net> > Philippe BEAU wrote: >> Hello all, >> >> I've try Mailwatch and find it very usefull. Also i found there is a lot >> of developpement to do on. >> >> i would like to found a documentation to install Mailwatch with 2 >> mailscanners servers. Is anyone did it ? >> >> i have made a french version of mailwatch (if someone is interested) and >> i >> will plan to integrate this to my web interface >> >> best regards >> >> Philippe, > > No docs.. some guidelines though. > > Set 'n' similar servers with MailScanner + MTA + MailWatch. Identify one > of them as the Database server (or have an altogether different DB > server). Configure Mailwatch.pm and conf.php on every server to talk to > the database on this server (and additionally SQLBlacklist.pm). > i'm ok with this. > To reduce complication install but do not use MailScanner + MTA + > MailWatch + SA (with rules) on the DB server as well. Make sure you > rsync the MailScanner configuration files and any extra rules that you > use in SA. 
> > Now see if each server can ping to every other server using their > respective FQDNs (read Fully qualified hostnames). Additionally each > server ought to be able to access apache (port 80) on every other server. > > This should get you started.. more can be taken up on the mailwatch list > if required. > yes but how the main server know the others ? > - dhawal > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jimc at laridian.com Fri Nov 10 15:34:30 2006 From: jimc at laridian.com (Jim Coates) Date: Fri Nov 10 15:36:15 2006 Subject: milter-greylist config In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B581057BF07@isabella.herefordshire.gov.uk> Message-ID: <03eb01c704dd$b755b740$6401a8c0@zorak> My server uses poprelayd to handle relaying authentication (the server is an offsite server). Is there a way to have the milter whitelist people who authenticate to poprelay? Jim -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Friday, November 10, 2006 6:24 AM To: MailScanner discussion Subject: RE: milter-greylist config With milter-greylist-3.0rc6, you do list "my network" addr { 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 } acl whitelist list "my network" As for your other problem, grep greylist /etc/mail/maillog and see what it tells you. 
Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Jim Coates > Sent: 10 November 2006 05:42 > To: 'MailScanner discussion' > Subject: OT: milter-greylist config > > This may be a dumb question, but how do you go about copying > the greylist > exceptions from > http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ > ip.txt?rev=1.1 > 6 over to your milter-greylist.conf? I copied them in there > an added the > acl whitelist info before each of them, but it bombed upon > restarting the > milter because it didn't like the addresses that were incomplete (IE - > missing the last number from the IP etc). > > Also - I have the local host set as whitelisted, but do I > also need the > public IP of our MTA set as whitelisted? The reason I ask is > that I went to > send an email to another user on our system and it > immediately told me it > was rejected. > > Thanks, > Jim Coates > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
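The conversion asked about in the quoted question above, as an added example (not code from the thread or from the milter-greylist project): it turns a list of full and partial IPv4 addresses into the list ... addr { } / acl whitelist list form shown in Phil's reply. The sample input, the list name "greylist exceptions" and the /16 review threshold are assumptions of this example.

```python
import ipaddress

# Constructed sample in the style of an IP exception list: one address or
# address prefix per line, optional "#" comment. Documentation ranges only.
SAMPLE = """\
# constructed sample, not the real whitelist_ip.txt
192.0.2.17        # single host
198.51.100        # last octet missing: the whole /24
203.0             # two octets: the whole /16
192.0.2.17        # duplicate of an earlier entry
10.0.0.0/8        # already in CIDR form, but very broad
not-an-ip         # junk
300.1.2           # octet out of range
"""


def to_network(token):
    """Turn '192.0.2.17', '198.51.100' or '10.0.0.0/8' into an IPv4Network."""
    if "/" in token:
        # strict=False accepts host bits, e.g. 127.0.0.1/8 -> 127.0.0.0/8
        return ipaddress.IPv4Network(token, strict=False)
    parts = token.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 octets")
    if not all(p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("bad octet")
    # Each octet that is present fixes 8 bits of the prefix; pad the rest.
    prefix_len = 8 * len(parts)
    padded = [str(int(p)) for p in parts] + ["0"] * (4 - len(parts))
    return ipaddress.IPv4Network("%s/%d" % (".".join(padded), prefix_len))


def convert(text, min_prefix=16):
    """Return (networks, rejected); rejected holds (line_no, raw, reason).

    Entries broader than /min_prefix are not emitted: every address they
    cover would skip greylisting, so they are left for manual review.
    The threshold is a choice made for this example.
    """
    networks, rejected, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue  # blank line or comment only
        try:
            net = to_network(entry)
        except ValueError as exc:
            rejected.append((line_no, raw.strip(), str(exc)))
            continue
        if net.prefixlen < min_prefix:
            rejected.append((line_no, raw.strip(),
                             "broader than /%d" % min_prefix))
            continue
        if net not in seen:  # keep first occurrence, preserve order
            seen.add(net)
            networks.append(net)
    return networks, rejected


def render(networks, list_name="greylist exceptions"):
    """Emit the list and acl lines on one line each, as in the reply above."""
    if not networks:
        raise ValueError("no usable addresses; refusing to emit an empty list")
    if '"' in list_name:
        raise ValueError("list name must not contain a double quote")
    addrs = " ".join(str(n) for n in networks)
    return ('list "%s" addr { %s }\n'
            'acl whitelist list "%s"\n' % (list_name, addrs, list_name))


if __name__ == "__main__":
    nets, bad = convert(SAMPLE)
    print(render(nets), end="")
    for line_no, raw, reason in bad:
        print("# skipped line %d (%s): %s" % (line_no, reason, raw))
```

Lines reported as skipped are left out of the generated list and need a decision by hand before they go into milter-greylist.conf.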
From Denis.Beauchemin at USherbrooke.ca Fri Nov 10 15:39:38 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Nov 10 15:40:12 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com> Message-ID: <45549D3A.9090308@USherbrooke.ca> Glenn Steen wrote: > i have made a french version of mailwatch (if someone is interested) > and i > > I think Denis or Ugo (or perhaps some other of our Canadian friends) > have done this too. > 2.0 will have some facility builtin (the demos we've seen have used > automatic translation courtesy of Google or somesuch... rather > abominable, and lacking Swedish(!):-). We'll see where that lands. > Eventually:-). > Sorry, I don't use MW... just mailscanner-mrtg with some local mods. Maybe Ugo? Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061110/2f4ef797/smime.bin From dhawal at netmagicsolutions.com Fri Nov 10 15:42:31 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Fri Nov 10 15:42:52 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <3846.82.127.125.185.1163172497.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <45549864.9020900@netmagicsolutions.com> <3846.82.127.125.185.1163172497.squirrel@www.choup.net> Message-ID: <45549DE7.4000004@netmagicsolutions.com> Philippe BEAU wrote: [SNIP] >> To reduce complication install but do not use MailScanner + MTA + >> MailWatch + SA (with rules) on the DB server as well.
Make sure you >> rsync the MailScanner configuration files and any extra rules that you >> use in SA. >> >> Now see if each server can ping to every other server using their >> respective FQDNs (read Fully qualified hostnames). Additionally each >> server ought to be able to access apache (port 80) on every other server. >> >> This should get you started.. more can be taken up on the mailwatch list >> if required. > > yes but how the main server know the others ? using XML-RPC, thats why you need to ensure that all servers can talk to each other via their respective FQDNs over port 80. BTW, there is no 'main' server.. you can manage any quarantine folder from any of the servers as long as they are talking to the same database. - dhawal From t.d.lee at durham.ac.uk Fri Nov 10 15:45:44 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Nov 10 15:46:07 2006 Subject: SA 3.1.7 returning no result to MS? Message-ID: (Linux/FC5; sendmail 8.13.7; MS 4.56.8) Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to 3.1.7. The MS config has: Log Spam = yes Log Non Spam = yes In the daily logs we now seem to be getting several occurence of: Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=) and: Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=) scattered amongst the occurences of more real data. (Around 7% of entries on one machine, around 4% on the other, are in such truncated/empty forms). The daily logs prior to this show no occurences at all. Any thoughts? Further data: 1. At the same time, I also got Razor2 working (from within SA) on these two machines. 2. When I check on a third (higher MX, lower preference) machine on which I did a similar upgrade, but on which Razor had been working properly working both before and after the upgrade, this has such entries both before and after. Which sort of points the finger towards Razor, rather than the SA upgrade. 
Anyone seen anything like this before? Is the apparently empty result from SA something that MS might be able to detect? How to debug something like this? (My next step might be to disable Razor and see if that seemed to stop these occurences. But that would simply provide an extra data point, not really provide a useful route to debug, understand and fix this overall MS/SA/Razor issue.) -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From P.G.M.Peters at utwente.nl Fri Nov 10 15:49:28 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Nov 10 15:49:34 2006 Subject: # of messages per batch In-Reply-To: References: Message-ID: <45549F88.5070009@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sven De Troch wrote on 1-11-2006 23:24: > how can I define how much files per batch MailScanner is handling? > According to the logfiles MailScanner is processing almost always 1 > message per batch, even if there are different messages waiting in the > queues? Every time MS checks the incoming queue it tries to get as much messages as possible in the batch to scan. With the configured maximum of course. The reason you sometime see "100 waiting, 1 scanning" is because the other 99 are locked. Either by sendmail not having received the complete message yet. Or other MS children are already scanning those messages. 
- -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFVJ+HelLo80lrIdIRAi1+AJ93mzgRcVJ1nmOP0Ro753Yo/a46RQCfetAI IBN76qZzV83YSvuhmy1/bro= =+8AW -----END PGP SIGNATURE----- From glenn.steen at gmail.com Fri Nov 10 15:50:13 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 10 15:50:19 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <3846.82.127.125.185.1163172497.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <45549864.9020900@netmagicsolutions.com> <3846.82.127.125.185.1163172497.squirrel@www.choup.net> Message-ID: <223f97700611100750k6cc51e7coa18bfdac2a94f6ba@mail.gmail.com> On 10/11/06, Philippe BEAU wrote: > > Philippe BEAU wrote: > >> Hello all, > >> > >> I've try Mailwatch and find it very usefull. Also i found there is a lot > >> of developpement to do on. > >> > >> i would like to found a documentation to install Mailwatch with 2 > >> mailscanners servers. Is anyone did it ? > >> > >> i have made a french version of mailwatch (if someone is interested) and > >> i > >> will plan to integrate this to my web interface > >> > >> best regards > >> > >> Philippe, > > > > No docs.. some guidelines though. > > > > Set 'n' similar servers with MailScanner + MTA + MailWatch. Identify one > > of them as the Database server (or have an altogether different DB > > server). Configure Mailwatch.pm and conf.php on every server to talk to > > the database on this server (and additionally SQLBlacklist.pm). > > > > i'm ok with this. > > > To reduce complication install but do not use MailScanner + MTA + > > MailWatch + SA (with rules) on the DB server as well. 
Make sure you > > rsync the MailScanner configuration files and any extra rules that you > > use in SA. > > > > Now see if each server can ping to every other server using their > > respective FQDNs (read Fully qualified hostnames). Additionally each > > server ought to be able to access apache (port 80) on every other server. > > > > This should get you started.. more can be taken up on the mailwatch list > > if required. > > > > yes but how the main server know the others ? > By the maillog table content. Do a select distinct(hostname) from maillog; in the mysql CLI (on the mailscanner DB, of course). This should yield the FQDN of the host that put the entry in the database... and would hold any quarantine files etc. The rest is quite simple;-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From P.G.M.Peters at utwente.nl Fri Nov 10 15:51:06 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Nov 10 15:51:12 2006 Subject: out of curiosity: reload and restart In-Reply-To: References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com> Message-ID: <45549FEA.7090006@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote on 2-11-2006 1:54: > If you are rebuilding the access file (makemap) sendmail will read it. It only > seems to need a restart if you rebuild the cf file. Sendmail automatically rereads all map-files (aliases, virtuser, access, mailertable) but not all the other configurations (virthosts, sendmail.cf). 
- --
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From vlad at mazek.com Fri Nov 10 15:56:36 2006
From: vlad at mazek.com (Vlad Mazek)
Date: Fri Nov 10 15:57:16 2006
Subject: MailScanner/sendmail load balancing
Message-ID: <4554A134.4060103@mazek.com>

Does anybody use Linux Virtual Server with MailScanner/sendmail?
Any recommendations / pitfalls?
If not, do you recommend / use something else to spread the load across
multiple MailScanner servers?

-Vlad

From ugob at camo-route.com Fri Nov 10 15:59:13 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 10 16:00:45 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <45549D3A.9090308@USherbrooke.ca>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
    <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com>
    <45549D3A.9090308@USherbrooke.ca>
Message-ID:

Denis Beauchemin wrote:
> Glenn Steen wrote:
>> I have made a French version of mailwatch (if someone is interested)
>> and I
>>
>> I think Denis or Ugo (or perhaps some other of our Canadian friends)
>> have done this too.
>> 2.0 will have some facility builtin (the demos we've seen have used
>> automatic translation courtesy of Google or somesuch... rather
>> abominable, and lacking Swedish(!):-). We'll see where that lands.
>> Eventually:-).
>>
> Sorry, I don't use MW... just mailscanner-mrtg with some local mods.
> Maybe Ugo?

No, I haven't translated MW. I'll most likely be translating MW 2.0,
though.

From danc at bluestarshows.com Fri Nov 10 15:57:50 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Fri Nov 10 16:02:13 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
Message-ID: <00a901c704e0$f9a257e0$0200000a@danc3>

Hi all,

I'm perplexed,
Today I took a spam email from my inbox that got through Mailscanner and
saved it to my mail server.
I then ran it through spamassassin (spamassassin -t test.eml) and it caught it
as SPAM.
What's up with that??

Just yesterday I upgraded to the latest version of Mailscanner (thanks
volunteers)
because a lot of spam was getting through. After many hours of work I also
installed the Fuzzy OCR plugin.

Mailscanner appears to be working fine and using spamassassin.
My maillog shows lines like this:
MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369

Thanks in advance

From mkettler at evi-inc.com Fri Nov 10 16:06:52 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Nov 10 16:07:47 2006
Subject: SA 3.1.7 returning no result to MS?
In-Reply-To:
References:
Message-ID: <4554A39C.1050404@evi-inc.com>

David Lee wrote:
> (Linux/FC5; sendmail 8.13.7; MS 4.56.8)
>
> Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to
> 3.1.7. The MS config has:
>    Log Spam = yes
>    Log Non Spam = yes
>
> In the daily logs we now seem to be getting several occurrences of:
>    Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
>
> and:
>    Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)
>
> scattered amongst the occurrences of more real data. (Around 7% of entries
> on one machine, around 4% on the other, are in such truncated/empty forms).
>
> The daily logs prior to this show no occurrences at all.
>
> Any thoughts?

spamassassin --lint

any errors reported, or just runs and exits quietly?

spamassassin -D --lint, and see what the "default rules dir" is, and make sure
all the default .cf files are there.

> 2. When I check on a third (higher MX, lower preference) machine on which
> I did a similar upgrade, but on which Razor had been working properly
> working both before and after the upgrade, this has such entries both
> before and after. Which sort of points the finger towards Razor, rather
> than the SA upgrade.

I highly doubt razor is involved. From the sounds of it, SA isn't parsing its
ruleset.

From ugob at camo-route.com Fri Nov 10 16:07:26 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 10 16:08:44 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <3496.82.127.125.185.1163170647.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
    <3496.82.127.125.185.1163170647.squirrel@www.choup.net>
Message-ID:

Philippe BEAU wrote:
> Re,
>
>> Philippe BEAU wrote:
>>> Hello all,
>>>
>>> I've tried Mailwatch and find it very useful. Also I found there is a lot
>>> of development to do on it.
>>>
>>> I would like to find documentation for installing Mailwatch with 2
>>> mailscanner servers. Has anyone done it?
>> It can be done, but I don't think there is much doc on it. Contact
>> Steve Freegard from FSL (the author of MailWatch) for details.
>>
>
> Yes, but ... to contact me ... you have to first find his email! I've
> subscribed to the mailing list ... another one ....

That is the best path to take, as everyone on the list can benefit from
the input. BTW MailWatch's development is paid by FSL and is GPL
released. For advanced features, there might not be a lot of
easy-to-find documentation, so if you need advanced features, I suggest
you support MailWatch's development by collaborating with Steve
(steve.freegard at fsl.com) or paying FSL to do the job on your
servers. They do a great job and the price tag is fair.

Regards,

Ugo

From glenn.steen at gmail.com Fri Nov 10 16:27:56 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 16:28:00 2006
Subject: SA 3.1.7 returning no result to MS?
In-Reply-To:
References:
Message-ID: <223f97700611100827w6b24562ai5dcb5dc24c308f31@mail.gmail.com>

On 10/11/06, David Lee wrote:
> (Linux/FC5; sendmail 8.13.7; MS 4.56.8)
>
> Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to
> 3.1.7. The MS config has:
>    Log Spam = yes
>    Log Non Spam = yes
>
> In the daily logs we now seem to be getting several occurrences of:
>    Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
>
> and:
>    Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)
>
> scattered amongst the occurrences of more real data. (Around 7% of entries
> on one machine, around 4% on the other, are in such truncated/empty forms).
>
> The daily logs prior to this show no occurrences at all.
>
> Any thoughts?
>
> Further data:
>
> 1. At the same time, I also got Razor2 working (from within SA) on these
> two machines.
>
> 2. When I check on a third (higher MX, lower preference) machine on which
> I did a similar upgrade, but on which Razor had been working properly
> working both before and after the upgrade, this has such entries both
> before and after. Which sort of points the finger towards Razor, rather
> than the SA upgrade.
>
>
>
> Anyone seen anything like this before? Is the apparently empty result
> from SA something that MS might be able to detect? How to debug something
> like this?
>
> (My next step might be to disable Razor and see if that seemed to stop
> these occurrences. But that would simply provide an extra data point, not
> really provide a useful route to debug, understand and fix this overall
> MS/SA/Razor issue.)
>
Could be razor, I suppose.
But couldn't this be the same sa-update "madness" some have
seen, where MS/SA simply fail to load the moved/merged/updated rules
from /var/lib/spamassassin/....?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Fri Nov 10 16:35:04 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Nov 10 16:35:19 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <00a901c704e0$f9a257e0$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3>
Message-ID: <4554AA38.2070909@solidstatelogic.com>

Dan Carl wrote:
> Hi all,
>
> I'm perplexed,
> Today I took a spam email from my inbox that got through Mailscanner and
> saved it to my mail server.
> I then ran it through spamassassin (spamassassin -t test.eml) and it caught it
> as SPAM.
> What's up with that??
>
> Just yesterday I upgraded to the latest version of Mailscanner (thanks
> volunteers)
> because a lot of spam was getting through. After many hours of work I also
> installed the Fuzzy OCR plugin.
>
> Mailscanner appears to be working fine and using spamassassin.
> My maillog shows lines like this:
> MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369
>
> Thanks in advance
>

Check the SA paths in MailScanner to make sure you're running the same
rules - also check you've only got one perl and one SA installed.

If you've run sa-update make sure MS knows about it by setting

SpamAssassin Local State Dir = /var/lib

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From prandal at herefordshire.gov.uk Fri Nov 10 16:38:52 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Nov 10 16:39:22 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581057C030@isabella.herefordshire.gov.uk>

In the intervening period dnsbl and uribl rules could have triggered.

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Dan Carl
> Sent: 10 November 2006 15:58
> To: mailscanner@lists.mailscanner.info
> Subject: Mailscanner not catching SPAM but manual run via SA
> catches it
>
> Hi all,
>
> I'm perplexed,
> Today I took a spam email from my inbox that got through
> Mailscanner and
> saved it to my mail server.
> I then ran it through spamassassin (spamassassin -t test.eml)
> and it caught it
> as SPAM.
> What's up with that??
>
> Just yesterday I upgraded to the latest version of Mailscanner (thanks
> volunteers)
> because a lot of spam was getting through. After many hours
> of work I also
> installed the Fuzzy OCR plugin.
>
> Mailscanner appears to be working fine and using spamassassin.
> My maillog shows lines like this:
> MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369
>
> Thanks in advance
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
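
The replies above suggest running `spamassassin -D --lint` and checking which rules directories and files each SpamAssassin instance loads. The following is an added example, not code from MailScanner, SpamAssassin or any poster: it parses two captured debug outputs and reports where they differ. The `dbg: config:` line shapes are those of the debug output posted in this thread; both sample captures, the `/usr/share/spamassassin` path and the function names are constructed for illustration.

```python
import re

# Line shapes as they appear in `spamassassin -D --lint` debug output.
USING_RE = re.compile(r'dbg: config: using "([^"]+)" for (.+?)\s*$')
READ_RE = re.compile(r'dbg: config: read file (\S+)\s*$')

# Constructed sample: a run from an interactive shell after sa-update.
RUN_AS_ROOT = """\
[28023] dbg: config: read file /etc/mail/spamassassin/init.pre
[28023] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[28023] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[28023] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[28023] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[28023] dbg: config: read file /etc/mail/spamassassin/local.cf
"""

# Constructed sample: the same command run as the user the MTA runs as,
# where the updated rules directory is not picked up and no default
# rule file is read at all.
RUN_AS_MTA_USER = """\
[4242] dbg: config: read file /etc/mail/spamassassin/init.pre
[4242] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[4242] dbg: config: using "/usr/share/spamassassin" for default rules dir
[4242] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[4242] dbg: config: read file /etc/mail/spamassassin/local.cf
"""


def parse_lint_debug(text):
    """Collect the directories chosen per role and every file read."""
    dirs, files = {}, []
    for line in text.splitlines():
        match = USING_RE.search(line)
        if match:
            dirs[match.group(2)] = match.group(1)
            continue
        match = READ_RE.search(line)
        if match:
            files.append(match.group(1))
    return {"dirs": dirs, "files": files}


def default_rule_files(run):
    """Return the .cf files that were read from the default rules dir."""
    base = run["dirs"].get("default rules dir")
    if base is None:
        return []
    prefix = base.rstrip("/") + "/"
    return [f for f in run["files"] if f.startswith(prefix) and f.endswith(".cf")]


def compare_runs(first, second):
    """List every difference that would make the two runs score differently."""
    findings = []
    for role in sorted(set(first["dirs"]) | set(second["dirs"])):
        a, b = first["dirs"].get(role), second["dirs"].get(role)
        if a != b:
            findings.append(f"{role}: {a} vs {b}")
    files_a, files_b = set(first["files"]), set(second["files"])
    for path in sorted(files_a - files_b):
        findings.append(f"only first run read {path}")
    for path in sorted(files_b - files_a):
        findings.append(f"only second run read {path}")
    # A run that read no .cf file from its default rules dir has no stock
    # rules loaded, which matches the "score=0, autolearn=" log symptom.
    for label, run in (("first", first), ("second", second)):
        if not default_rule_files(run):
            findings.append(f"{label} run read no .cf file from its default rules dir")
    return findings


if __name__ == "__main__":
    for finding in compare_runs(parse_lint_debug(RUN_AS_ROOT),
                                parse_lint_debug(RUN_AS_MTA_USER)):
        print(finding)
```

To use it on real data, capture the output of `spamassassin -D --lint 2>&1` once from your own shell and once as the user the MTA runs as, and feed both captures to `parse_lint_debug`.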

From glenn.steen at gmail.com Fri Nov 10 17:01:06 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 17:01:10 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <00a901c704e0$f9a257e0$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3>
Message-ID: <223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com>

On 10/11/06, Dan Carl wrote:
> Hi all,
>
> I'm perplexed,
> Today I took a spam email from my inbox that got through Mailscanner and
> saved it to my mail server.
> I then ran it through spamassassin (spamassassin -t test.eml) and it caught it
> as SPAM.
> What's up with that??
>
> Just yesterday I upgraded to the latest version of Mailscanner (thanks
> volunteers)
> because a lot of spam was getting through. After many hours of work I also
> installed the Fuzzy OCR plugin.
>
> Mailscanner appears to be working fine and using spamassassin.
> My maillog shows lines like this:
> MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369
>
> Thanks in advance

Do the "spamassassin --lint" and "spamassassin -D --lint" as the user
you run your MTA as. Same result?
If you've upgraded SA, did you run the sa-update after that? Does it
look like MailScanner's instance of SA is finding/using the correct
/var/lib/spamassassin/...?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From daniel.maher at ubisoft.com Fri Nov 10 17:06:48 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Fri Nov 10 17:06:52 2006
Subject: MailScanner/sendmail load balancing
In-Reply-To: <4554A134.4060103@mazek.com>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203AC0947@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Vlad Mazek
> Sent: November 10, 2006 10:57 AM
> To: MailScanner discussion
> Subject: MailScanner/sendmail load balancing
>
> Does anybody use Linux Virtual Server with MailScanner/sendmail?
> Any recommendations / pitfalls?
> If not, do you recommend / use something else to spread the load across
> multiple MailScanner servers?
>

In our environment, we have a small cluster of incoming mail servers,
each running Postfix & MailScanner. We balance these via DNS, in the
same way that Google, Yahoo, and many other email players do: our MX
points to a single hostname (mail01), which in turn has A-records for
each of the machines in the cluster.

ubisoft.com.            300     IN      MX      10 mail01.ubisoft.com.
;;
mail01.ubisoft.com.     3600    IN      A       216.98.56.133
mail01.ubisoft.com.     3600    IN      A       216.98.56.138
mail01.ubisoft.com.     3600    IN      A       216.98.56.132

Done and done - it works like a charm, and it is fantastically easy to
set up and maintain.

--
  _
 °v°  Daniel Maher
/(_)\ Administrateur Système Unix
 ^ ^  Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From mailscanner at PDSCC.COM Fri Nov 10 17:27:38 2006
From: mailscanner at PDSCC.COM (Harondel J. Sibble)
Date: Fri Nov 10 17:27:16 2006
Subject: spam actions doesn't seem to be working right
In-Reply-To: <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com>
References: <200611091722.kA9HMdAB006079@sinclaire.sibble.net>,
    <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com>
Message-ID: <200611101727.kAAHR8Rb011481@sinclaire.sibble.net>

On 9 Nov 2006 at 20:03, Glenn Steen wrote:

> Why such an old MailScanner (relatively speaking:)? Updating

Just haven't gotten around to it ;-) Plus scheduling downtime to do the
upgrade at this office is difficult at best.

> help you troubleshoot this to some extent)... If you don't have them,
> consider an update.

Might give that a try this weekend.

> There are no obvious syntax errors in the MailScanner.conf? Look for
> silliness like unmatched quotes etc. The syntax of the file is very
> forgiving, but one can botch things (read: Been there... about purchases and T-shirts />:-).

No, none, other than this specific problem, it just hums along.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From philippe at beau.nom.fr Fri Nov 10 17:48:15 2006
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Fri Nov 10 17:48:29 2006
Subject: Mailwatch configuration for some servers
In-Reply-To:
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
    <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com>
    <45549D3A.9090308@USherbrooke.ca>
Message-ID: <64489.90.0.125.205.1163180895.squirrel@www.choup.net>

> Denis Beauchemin wrote:
>> Glenn Steen wrote:
>>> I have made a French version of mailwatch (if someone is interested)
>>> and I
>>>
>>> I think Denis or Ugo (or perhaps some other of our Canadian friends)
>>> have done this too.
>>> 2.0 will have some facility builtin (the demos we've seen have used
>>> automatic translation courtesy of Google or somesuch... rather
>>> abominable, and lacking Swedish(!):-). We'll see where that lands.
>>> Eventually:-).
>>>
>> Sorry, I don't use MW... just mailscanner-mrtg with some local mods.
>> Maybe Ugo?
>
> No, I haven't translated MW. I'll most likely be translating MW 2.0,
> though.
>

Also the translation permits me to view the PHP code and it just takes some
minutes. Also the gettext is very wonderful for this type of job!

Philippe

From glenn.steen at gmail.com Fri Nov 10 19:51:42 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 19:51:46 2006
Subject: spam actions doesn't seem to be working right
In-Reply-To: <200611101727.kAAHR8Rb011481@sinclaire.sibble.net>
References: <200611091722.kA9HMdAB006079@sinclaire.sibble.net>
    <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com>
    <200611101727.kAAHR8Rb011481@sinclaire.sibble.net>
Message-ID: <223f97700611101151x56a3af58y2d5cf6de0fd4ae17@mail.gmail.com>

On 10/11/06, Harondel J. Sibble wrote:
>
>
> On 9 Nov 2006 at 20:03, Glenn Steen wrote:
>
> > Why such an old MailScanner (relatively speaking:)? Updating
>
> Just haven't gotten around to it ;-) Plus scheduling downtime to do the
> upgrade at this office is difficult at best.

When you do the upgrade, the actual _processes_ aren't affected until
you do the "service MailScanner restart"... No need for any
perceptible downtime at all;-). Last time the complete process took me
10 minutes, tops. If you also want to do SA etc, you might need to add a
few minutes, but... This is SMTP, are you really in such a situation
that you can't afford a 10-15 minute "gap" (worst case:-)?

> > help you troubleshoot this to some extent)... If you don't have them,
> > consider an update.
>
> Might give that a try this weekend.
>
> > There are no obvious syntax errors in the MailScanner.conf? Look for
> > silliness like unmatched quotes etc. The syntax of the file is very
> > forgiving, but one can botch things (read: Been there...
> about purchases and T-shirts />:-).
>
> No, none, other than this specific problem, it just hums along.

Best type of system:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Nov 10 19:59:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 19:59:32 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <64489.90.0.125.205.1163180895.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
    <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com>
    <45549D3A.9090308@USherbrooke.ca>
    <64489.90.0.125.205.1163180895.squirrel@www.choup.net>
Message-ID: <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com>

On 10/11/06, Philippe BEAU wrote:
> > Denis Beauchemin wrote:
> >> Glenn Steen wrote:
> >>> I have made a French version of mailwatch (if someone is interested)
> >>> and I
> >>>
> >>> I think Denis or Ugo (or perhaps some other of our Canadian friends)
> >>> have done this too.
> >>> 2.0 will have some facility builtin (the demos we've seen have used
> >>> automatic translation courtesy of Google or somesuch... rather
> >>> abominable, and lacking Swedish(!):-). We'll see where that lands.
> >>> Eventually:-).
> >>>
> >> Sorry, I don't use MW... just mailscanner-mrtg with some local mods.
> >> Maybe Ugo?
> >
> > No, I haven't translated MW. I'll most likely be translating MW 2.0,
> > though.
> >
>
> Also the translation permits me to view the PHP code and it just takes some
> minutes. Also the gettext is very wonderful for this type of job!
>
Mais bien-sur;-).
Might even offer to do the Swedish one myself... Unless someone beats
me to it:-).
Anyway, I hope you have enough documentation now to be able to forge
ahead. Do take up any problems you encounter on the MailWatch list
(since they would likely be a bit off-topic on this one). You might
run into some rather well-known errors/discrepancies with 1.0.3, but a
quick search of gmane/the archive should get you through those
(Message Ops containing more than the quarantined entries, geoip
update not working right on some systems etc).

Cheers,
--
-- Glenn (Slightly tipsy, else would never dare "air" my school-french:-)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ugob at camo-route.com Fri Nov 10 20:16:09 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 10 20:16:24 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
    <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com>
    <45549D3A.9090308@USherbrooke.ca>
    <64489.90.0.125.205.1163180895.squirrel@www.choup.net>
    <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com>
Message-ID:

Glenn Steen wrote:
> On 10/11/06, Philippe BEAU wrote:
>> > Denis Beauchemin wrote:
>> >> Glenn Steen wrote:
>> >>> I have made a French version of mailwatch (if someone is interested)
>> >>> and I
>> >>>
>> >>> I think Denis or Ugo (or perhaps some other of our Canadian friends)
>> >>> have done this too.
>> >>> 2.0 will have some facility builtin (the demos we've seen have used
>> >>> automatic translation courtesy of Google or somesuch... rather
>> >>> abominable, and lacking Swedish(!):-). We'll see where that lands.
>> >>> Eventually:-).
>> >>>
>> >> Sorry, I don't use MW... just mailscanner-mrtg with some local mods.
>> >> Maybe Ugo?
>> >
>> > No, I haven't translated MW.
>> > I'll most likely be translating MW 2.0,
>> > though.
>> >
>>
>> Also the translation permits me to view the PHP code and it just takes
>> some minutes. Also the gettext is very wonderful for this type of job!
>>
> Mais bien-sur;-).
> Might even offer to do the Swedish one myself... Unless someone beats
> me to it:-).
> Anyway, I hope you have enough documentation now to be able to forge
> ahead. Do take up any problems you encounter on the MailWatch list
> (since they would likely be a bit off-topic on this one). You might
> run into some rather well-known errors/discrepancies with 1.0.3, but a
> quick search of gmane/the archive should get you through those
> (Message Ops containing more than the quarantined entries, geoip
> update not working right on some systems etc).

And, if you feel like it, you can document what you did and put it
online. If you document it in French, I'll gladly translate it into
English.

Ugo

From mrm at medicine.wisc.edu Fri Nov 10 20:16:35 2006
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Fri Nov 10 20:17:08 2006
Subject: What is causing this rule to be tripped?
Message-ID: <45548946.7FBE.00FC.3@medicine.wisc.edu>

Never had an issue like this before. This morning a pdf attachment
tripped the
deny .{150,} Very long filename rule. The filename is:
RealTime Ultra.pdf

Anyone know what could cause this?

Mike

From steve.swaney at fsl.com Fri Nov 10 20:31:05 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Nov 10 20:31:08 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com>
Message-ID: <021701c70507$25e51ab0$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
> Sent: Friday, November 10, 2006 2:59 PM
> To: MailScanner discussion
> Subject: Re: Mailwatch configuration for some servers
>
> On 10/11/06, Philippe BEAU wrote:
> > > Denis Beauchemin wrote:
> > >> Glenn Steen wrote:
> > >>> I have made a French version of mailwatch (if someone is interested)
> > >>> and I
> > >>>
> > >>> I think Denis or Ugo (or perhaps some other of our Canadian friends)
> > >>> have done this too.
> > >>> 2.0 will have some facility builtin (the demos we've seen have used
> > >>> automatic translation courtesy of Google or somesuch... rather
> > >>> abominable, and lacking Swedish(!):-). We'll see where that lands.
> > >>> Eventually:-).
> > >>>
> > >> Sorry, I don't use MW... just mailscanner-mrtg with some local mods.
> > >> Maybe Ugo?
> > >
> > > No, I haven't translated MW. I'll most likely be translating MW 2.0,
> > > though.
> > >
> >
> > Also the translation permits me to view the PHP code and it just takes
> > some minutes. Also the gettext is very wonderful for this type of job!
> >
> Mais bien-sur;-).
> Might even offer to do the Swedish one myself... Unless someone beats
> me to it:-).
> Anyway, I hope you have enough documentation now to be able to forge
> ahead. Do take up any problems you encounter on the MailWatch list
> (since they would likely be a bit off-topic on this one).
> You might
> run into some rather well-known errors/discrepancies with 1.0.3, but a
> quick search of gmane/the archive should get you through those
> (Message Ops containing more than the quarantined entries, geoip
> update not working right on some systems etc).
>
> Cheers,
> --
> -- Glenn (Slightly tipsy, else would never dare "air" my school-french:-)

At the risk of stealing Steve's thunder, the new MailWatch will have
multi-language support which will make it much easier to provide
translations so I wouldn't spend a lot of time translating the current
version.

Steve is very busy right now working on the new MailWatch and new product
for us which may be why he's not been as active responding to MailWatch
questions on this list as he normally is.

Just keep an eye on http://mailwatch.sourceforge.net/ or sign up for the
MailWatch mailing list on the web site. It won't be that long :)

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From jwilliams at courtesymortgage.com Fri Nov 10 20:33:37 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Fri Nov 10 20:33:54 2006
Subject: What is causing this rule to be tripped?
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD1B7@cmexchange01.CourtesyMortgage.local>

>Never had an issue like this before. This morning a pdf attachment
>tripped the
>deny .{150,} Very long filename rule. The filename is:
>RealTime Ultra.pdf
>
>Anyone know what could cause this?
>
>Mike

I have had these stripped off before and I think it is because there is
a space between 'RealTime' and 'Ultra'

I also would get this stripped if the file would be named like:
RealTime.Ultra.pdf

I could be wrong though.

-Jason

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Denis.Beauchemin at USherbrooke.ca Fri Nov 10 20:51:18 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Nov 10 20:51:34 2006
Subject: What is causing this rule to be tripped?
In-Reply-To: <45548946.7FBE.00FC.3@medicine.wisc.edu>
References: <45548946.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <4554E646.6000309@USherbrooke.ca>

Michael Masse wrote:
> Never had an issue like this before. This morning a pdf attachment
> tripped the
> deny .{150,} Very long filename rule. The filename is:
> RealTime Ultra.pdf
>
> Anyone know what could cause this?
>
> Mike
>
>

Michael,

The file name you are seeing in your logs has been sanitized so it won't
cause any harm. This rule catches filenames that are at least 150
characters long. Usually there is a lot of whitespace in the file name
(but MS won't show it to you).

Denis

--
  _
 °v°  Denis Beauchemin, analyst
/(_)\ Université de Sherbrooke, S.T.I.
 ^ ^  T: 819.821.8000x62252 F: 819.821.8045

From danc at bluestarshows.com Fri Nov 10 20:47:33 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Fri Nov 10 20:51:58 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3>
    <223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com>
Message-ID: <016401c70509$72f609c0$0200000a@danc3>

----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Friday, November 10, 2006 11:01 AM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

> On 10/11/06, Dan Carl wrote:
> > Hi all,
> >
> > I'm perplexed,
> > Today I took a spam email from my inbox that got through Mailscanner and
> > saved it to my mail server.
> > I then ran it through spamassassin (spamassassin -t test.eml) and it
> > caught it as SPAM.
> > What's up with that??
> >
> > Just yesterday I upgraded to the latest version of Mailscanner (thanks
> > volunteers)
> > because a lot of spam was getting through. After many hours of work I also
> > installed the Fuzzy OCR plugin.
> >
> > Mailscanner appears to be working fine and using spamassassin.
> > My maillog shows lines like this:
> > MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369
> >
> > Thanks in advance

I checked the conf and
SpamAssassin Local State Dir = /var/lib
is correct as Martin stated in the previous post

> Do the "spamassassin --lint" and "spamassassin -D --lint" as the user
> you run your MTA as. Same result?

spamassassin --lint yields no output

spamassassin -D --lint
snipped
[28023] dbg: config: read file /etc/mail/spamassassin/init.pre
[28023] dbg: config: read file /etc/mail/spamassassin/v310.pre
[28023] dbg: config: read file /etc/mail/spamassassin/v312.pre
[28023] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[28023] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[28023] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[28023] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[28023] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[28023] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf
[28023] dbg: config: read file /etc/mail/spamassassin/local.cf
[28023] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf

> If you've upgraded SA, did you run the sa-update after that?

I ran sa-update

> Does it look like MailScanner's instance of SA is finding/using the correct
> /var/lib/spamassassin/...?
>
Sorry, not sure how to verify this.

> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From mkettler at evi-inc.com Fri Nov 10 21:19:34 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Nov 10 21:19:47 2006
Subject: What is causing this rule to be tripped?
In-Reply-To: <45548946.7FBE.00FC.3@medicine.wisc.edu>
References: <45548946.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <4554ECE6.207@evi-inc.com>

Michael Masse wrote:
> Never had an issue like this before. This morning a pdf attachment
> tripped the
> deny .{150,} Very long filename rule. The filename is:
> RealTime Ultra.pdf
>
> Anyone know what could cause this?

A very long filename, over 150 characters in length.

Note the filename you're seeing in the report and your maillog is the
"sanitized" filename, not necessarily the real filename in the original
message. Check with the sender to be sure.

The sanitization is done to prevent an absurdly long filename (ie: many
thousands of characters long) from flooding your logs with really large
entries.

From mrm at medicine.wisc.edu Fri Nov 10 21:29:55 2006
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Fri Nov 10 21:30:24 2006
Subject: What is causing this rule to be tripped?
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1B7@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD1B7@cmexchange01.CourtesyMortgage.local>
Message-ID: <45549A76.7FBE.00FC.3@medicine.wisc.edu>

>>> On 11/10/2006 at 2:33 PM, in message
<01BCE961CD5E4146B83F920FC6A4F2353FD1B7@cmexchange01.CourtesyMortgage.local>,
"Jason Williams" wrote:
>> Never had an issue like this before. This morning a pdf attachment
>>tripped the
>>deny .{150,} Very long filename rule.
The filename is: >>RealTime Ultra.pdf >> >>Anyone know what could cause this? >> >>Mike > > > I have had these stripped off before and I think it is because there is > a space between 'RealTime' and 'Ultra' > > I also would get this stripped if the file would be named like: > RealTime.Ultra.pdf > > I could be wrong though. > > -Jason Thanks. Looking at the log I can now see that the length of the filename was indeed over 150 characters long. Mike From ssilva at sgvwater.com Sat Nov 11 04:53:45 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 11 04:54:37 2006 Subject: spam actions doesn't seem to be working right In-Reply-To: <200611101727.kAAHR8Rb011481@sinclaire.sibble.net> References: <200611091722.kA9HMdAB006079@sinclaire.sibble.net>, <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com> <200611101727.kAAHR8Rb011481@sinclaire.sibble.net> Message-ID: Harondel J. Sibble spake the following on 11/10/2006 9:27 AM: > > On 9 Nov 2006 at 20:03, Glenn Steen wrote: > >> Why such an old MailScanner (relatively speaking:)? Updating > > Just haven't gotten around to it ;-) Plus scheduling downtime to do the > upgrade at this office is difficult at best. > >> help you troubleshoot this to some extent)... If you don't have them, >> consider an update. > > Might give that a try this weekend. > >> There are no obvious syntax errors in the MailScanner.conf? Look for >> silliness like unmatched quotes etc. The syntax of the file is very >> forgiving, but one can botch things (read: Been there...> about purchases and T-shirts />:-). > > No, none, other than this specific problem, it just hums along. > I can do MailScanner upgrades with less than 5 minutes downtime. It doesn't really take that much. You can run the install while the process is running, and the children in memory will happily finish. After the install is done, just restart mailscanner. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Sat Nov 11 05:13:22 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 11 05:13:40 2006 Subject: What is causing this rule to be tripped? In-Reply-To: <45548946.7FBE.00FC.3@medicine.wisc.edu> References: <45548946.7FBE.00FC.3@medicine.wisc.edu> Message-ID: Michael Masse spake the following on 11/10/2006 12:16 PM: > Never had an issue like this before. This morning a pdf attachment > tripped the > deny .{150,} Very long filename rule. The filename is: > RealTime Ultra.pdf > > Anyone know what could cause this? > > Mike > That name in the logs is sanitized by mailscanner. If it put the actual long filename, it might cause a buffer overrun in syslog. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Sat Nov 11 08:20:35 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Nov 11 08:20:38 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <021701c70507$25e51ab0$287ba8c0@office.fsl> References: <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com> <021701c70507$25e51ab0$287ba8c0@office.fsl> Message-ID: <223f97700611110020t781e7d00h804f6fd4430e11c@mail.gmail.com> On 10/11/06, Stephen Swaney wrote: > (snippety-snip) > > Mais bien-sur;-). > > Might even offer to do the Swedish one myself... Unless someone beats > > me to it:-). > > Anyway, I hope you have enough documentation now to be able to forge > > ahead. Do take up any problems you encounter on the MailWatch list > > (since they would likely be a bit off-topic on this one). You might > > run into some rather well-known errors/discrepancies with 1.0.3, but a > > quick search of gmane/the archive should get you through those > > (Message Ops containing more than the quarantined entries, geoip > > update not working right on some systems etc). 
> > > > Cheers, > > -- > > -- Glenn (Slightly tipsy, else would never dare "air" my school-french:-) > > At the risk of stealing Steve's thunder, the new MailWatch will have > multi-language support which will make it much easier easy to provide > translations so I wouldn't spend a lot of time translating the current > version. Wouldn't dream of "jumping the gun" there:-). > Steve is very busy right now working on the new MailWatch and new product > for us which maybe why he's not been as active responding to MailWatch > questions on this list as he normally is. > > Just keep an eye on http://mailwatch.sourceforge.net/ or sign up for the > MailWatch mailing list on the web site. > > It won't be that long :) Since you _are_ the PHB^H^H^HBoss, that last statement is really wonderful news;-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Nov 11 08:26:50 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Nov 11 08:26:54 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches it In-Reply-To: <016401c70509$72f609c0$0200000a@danc3> References: <00a901c704e0$f9a257e0$0200000a@danc3> <223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com> <016401c70509$72f609c0$0200000a@danc3> Message-ID: <223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> On 10/11/06, Dan Carl wrote: > (snip) > > If you've upgraded SA, did you run the sa-update after that? > I ran sa-update Good. > > Does it look like MailScanners instance of SA is finding/using the correct > > /var/lib/spamassassin/...? > > > sorry not sure how to verify this. Well, the output you just showed (snipped by me:) is an indicator. You could add a rule that would be sure to fire into that directory, restart MS and run a testmessage through... and look at what rules fired... 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From roalda at gmail.com Sat Nov 11 11:18:33 2006 From: roalda at gmail.com (Roald) Date: Sat Nov 11 11:18:37 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <4554865A.5040204@waversveld.nl> References: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local> <4554865A.5040204@waversveld.nl> Message-ID: On 11/10/06, Joost Waversveld wrote: > > Ya, I know, but we are hosting a lot of different domains, not just one > domain. > > We use the mailserver Imail on Windows for now. We are planning to > change this, but this will not be in the near future I think. Should > milter-ahead work with Imail?? If so, it's an option we can think of > implementing... Hi! We have a similar setup, with a lot of domains on an Imail-server and several Exchange-servers and also other Linux-servers, and smf-sav works great. -- Roald Martin Amundsen From joost at waversveld.nl Sat Nov 11 13:19:17 2006 From: joost at waversveld.nl (Joost Waversveld) Date: Sat Nov 11 13:19:25 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: References: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local> <4554865A.5040204@waversveld.nl> Message-ID: <20061111141917.1jng39frk8w044k4@webmail.waversveld.nl> Roald, Ok, great to hear that... I'm going to take a closer look at smf-sav then... Thanx for the information!!! Joost Waversveld ----- Message from roalda@gmail.com --------- Date: Sat, 11 Nov 2006 12:18:33 +0100 From: Roald Reply-To: MailScanner discussion Subject: Re: [sendmail] Skipping rbl per domain To: MailScanner discussion > On 11/10/06, Joost Waversveld wrote: >> >> Ya, I know, but we are hosting a lot of different domains, not just one >> domain.
>> >> We use the mailserver Imail on Windows for now. We are planning to >> change this, but this will not be in the near future I think. Should >> milter-ahead work with Imail?? If so, it's an option we can think of >> implementing... > > > > Hi! We have a similar setup, with a lot of domains on an Imail-server and > several Exchange-servers and also other Linux-servers, and smf-sav works > great. > > -- > Roald Martin Amundsen > ----- End of message from roalda@gmail.com ----- From alex at nkpanama.com Sat Nov 11 14:41:03 2006 From: alex at nkpanama.com (Alex Neuman) Date: Sat Nov 11 14:41:43 2006 Subject: MailScanner/sendmail load balancing In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203AC0947@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D203AC0947@UBIMAIL1.ubisoft.org> Message-ID: <4555E0FF.8090300@nkpanama.com> Daniel Maher wrote: > In our environment, we have a small cluster of incoming mail servers, each running Postfix & MailScanner. We balance these via DNS, in the same way that Google, Yahoo, and many other email players do: our MX points to a single hostname (mail01), which in turn has A-records for each of the machines in the cluster. > > ubisoft.com. 300 IN MX 10 mail01.ubisoft.com. > ;; > mail01.ubisoft.com. 3600 IN A 216.98.56.133 > mail01.ubisoft.com. 3600 IN A 216.98.56.138 > mail01.ubisoft.com. 3600 IN A 216.98.56.132 > > Done and done - it works like a charm, and it is fantastically easy to set up and maintain. > Do you also cluster the message stores? POP/IMAP?
From dhawal at netmagicsolutions.com Sat Nov 11 15:05:26 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Sat Nov 11 15:05:44 2006 Subject: MailScanner/sendmail load balancing In-Reply-To: <4555E0FF.8090300@nkpanama.com> References: <1E293D3FF63A3740B10AD5AAD88535D203AC0947@UBIMAIL1.ubisoft.org> <4555E0FF.8090300@nkpanama.com> Message-ID: <4555E6B6.9000403@netmagicsolutions.com> Alex Neuman wrote: > Daniel Maher wrote: >> In our environment, we have a small cluster of incoming mail servers, >> each running Postfix & MailScanner. We balance these via DNS, in the >> same way that Google, Yahoo, and many other email players do: our MX >> points to a single hostname (mail01), which in turn has A-records for >> each of the machines in the cluster. >> >> ubisoft.com. 300 IN MX 10 mail01.ubisoft.com. >> ;; >> mail01.ubisoft.com. 3600 IN A 216.98.56.133 >> mail01.ubisoft.com. 3600 IN A 216.98.56.138 >> mail01.ubisoft.com. 3600 IN A 216.98.56.132 >> >> Done and done - it works like a charm, and it is fantastically easy to >> set up and maintain. >> > Do you also cluster the message stores? POP/IMAP? I doubt you can do this for POP due to the UIDL problem, it'll create havoc for the 'leave message on server' people. You could though do it for the IMAP users, since they are supposed to always be connected. - dhawal From lists at gmnet.net Sat Nov 11 15:52:39 2006 From: lists at gmnet.net (Mailing Lists) Date: Sat Nov 11 15:52:46 2006 Subject: Mail Not Delivering Message-ID: <1163260360.27853.97.camel@thor.greenbuzz.net> Hi, Yesterday my mail stopped getting to the in-boxes. I am using sendmail and MailScanner 4.23.11. When I stopped MailScanner, and just started sendmail, things get delivered fine, however, during the time it was not delivering mail, I sent myself a bunch of test emails, and I never got them at all. It seems that I have lost mail! What happened to that mail? Will it be delivered eventually?
One clue that I noticed in /var/log/messages: Nov 10 15:45:32 pipe named[1928]: lame server resolving '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): 206.154.202.54#53 I will appreciate any help on this... Thanks! Rick From martinh at solidstatelogic.com Sat Nov 11 17:10:13 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Sat Nov 11 17:10:30 2006 Subject: Mail Not Delivering In-Reply-To: <1163260360.27853.97.camel@thor.greenbuzz.net> References: <1163260360.27853.97.camel@thor.greenbuzz.net> Message-ID: <455603F5.4050101@solidstatelogic.com> Mailing Lists wrote: > Hi, > > Yesterday my mail stopped getting to the in-boxes. I am using sendmail > and MailScanner 4.23.11. when I stopped MailScanner, and just started > sendmail, things get delivered fine, however, during the time it was not > delivering mail, I sent myself a bunch of test emails, and I never got > them at all. It seems that I have lost mail! > What happened to that mail? will it be delivered eventually? > > One clue that I noticed in /var/log/messages: > Nov 10 15:45:32 pipe named[1928]: lame server resolving > '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): > 206.154.202.54#53 > > I will appreciate any help on this... > > Thanks! > Rick > > Hi wow, that's really really old code you got running there - three years at least. check the inbound, and outbound queues to see if they are there.. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
From lists at gmnet.net Sat Nov 11 17:33:41 2006 From: lists at gmnet.net (Mailing Lists) Date: Sat Nov 11 17:33:48 2006 Subject: Mail Not Delivering In-Reply-To: <455603F5.4050101@solidstatelogic.com> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> Message-ID: <1163266421.27853.120.camel@thor.greenbuzz.net> On Sat, 2006-11-11 at 17:10 +0000, Martin Hepworth wrote: > Mailing Lists wrote: > > Hi, > > > > Yesterday my mail stopped getting to the in-boxes. I am using sendmail > > and MailScanner 4.23.11. when I stopped MailScanner, and just started > > sendmail, things get delivered fine, however, during the time it was not > > delivering mail, I sent myself a bunch of test emails, and I never got > > them at all. It seems that I have lost mail! > > What happened to that mail? will it be delivered eventually? > > > > One clue that I noticed in /var/log/messages: > > Nov 10 15:45:32 pipe named[1928]: lame server resolving > > '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): > > 206.154.202.54#53 > > > > I will appreciate any help on this... > > > > Thanks! > > Rick > > > > > Hi > > wow, that's really really old code you got running there - three years at > least. > > check the inbound, and outbound queues to see if they are there.. > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > Forgive me for not knowing much about this, but I looked in the /var/spool/MailScanner/incoming/ directory. There are a few directories there but no files at all. Is this the right place to look? Where are the inbound and outbound directories? Right it is old! I installed it back when it was new as a rpm. The OS is RedHat 9. Now it seems there is no rpm for it. Are there any good docs that step me through an upgrade? Thanks!
Rick From ssilva at sgvwater.com Sat Nov 11 19:55:02 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 11 19:55:24 2006 Subject: Mail Not Delivering In-Reply-To: <1163266421.27853.120.camel@thor.greenbuzz.net> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> Message-ID: Mailing Lists spake the following on 11/11/2006 9:33 AM: > On Sat, 2006-11-11 at 17:10 +0000, Martin Hepworth wrote: >> Mailing Lists wrote: >>> Hi, >>> >>> Yesterday my mail stopped getting to the in-boxes. I am using sendmail >>> and MailScanner 4.23.11. when I stopped MailScanner, and just started >>> sendmail, things get delevered fine, however, during the time it was not >>> delivering mail, I sent myself a bunch of test emails, and I never got >>> them at all. It seems that I have lost mail! >>> What happened to that mail? will it be delivered eventually? >>> >>> One clue that I noticed in /var/log/messages: >>> Nov 10 15:45:32 pipe named[1928]: lame server resolving >>> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): >>> 206.154.202.54#53 >>> >>> I will appreciate any help on this... >>> >>> Thanks! >>> Rick >>> >>> >> Hi >> >> wow, thats really really old code you got running there - three years at >> least. >> >> check the inbound, and outbound queues to see if they are there.. >> >> -- >> Martin Hepworth >> Senior Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> > > Forgive me for not knowing much about this. but I looked in > the /var/spool/MailScanner/incoming/ directory. there are a few > directories there but no files at all. Is this the right place to look? > were are the inbound and outbound directories? > > Right it is old! I installed it back when it was new as a rpm. The OS is > RedHat 9. Now is seems there is no rpm for it. Is there any good docs > that step me through an upgrade? > > Thanks! 
> Rick > > > > Go to www.mailscanner.info there are links to the current code, and lots of docs. The current rpm install is actually several src.rpms and the mailscanner rpm in a tarball. You unpack the tarball in some working directory and run an install.sh script. It will update any code you need fixed, and give you some instructions at the end. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Sat Nov 11 20:08:10 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Nov 11 20:08:13 2006 Subject: Mail Not Delivering In-Reply-To: References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> Message-ID: <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> On 11/11/06, Scott Silva wrote: > Mailing Lists spake the following on 11/11/2006 9:33 AM: > > On Sat, 2006-11-11 at 17:10 +0000, Martin Hepworth wrote: > >> Mailing Lists wrote: > >>> Hi, > >>> > >>> Yesterday my mail stopped getting to the in-boxes. I am using sendmail > >>> and MailScanner 4.23.11. when I stopped MailScanner, and just started > >>> sendmail, things get delevered fine, however, during the time it was not > >>> delivering mail, I sent myself a bunch of test emails, and I never got > >>> them at all. It seems that I have lost mail! > >>> What happened to that mail? will it be delivered eventually? > >>> > >>> One clue that I noticed in /var/log/messages: > >>> Nov 10 15:45:32 pipe named[1928]: lame server resolving > >>> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): > >>> 206.154.202.54#53 > >>> > >>> I will appreciate any help on this... > >>> > >>> Thanks! > >>> Rick > >>> > >>> > >> Hi > >> > >> wow, thats really really old code you got running there - three years at > >> least. > >> > >> check the inbound, and outbound queues to see if they are there.. 
> >> > >> -- > >> Martin Hepworth > >> Senior Systems Administrator > >> Solid State Logic > >> Tel: +44 (0)1865 842300 > >> > > > > Forgive me for not knowing much about this. but I looked in > > the /var/spool/MailScanner/incoming/ directory. there are a few > > directories there but no files at all. Is this the right place to look? > > where are the inbound and outbound directories? > > > > Right it is old! I installed it back when it was new as a rpm. The OS is > > RedHat 9. Now it seems there is no rpm for it. Is there any good docs > > that step me through an upgrade? > > > > Thanks! > > Rick > > > > > > > > > Go to www.mailscanner.info there are links to the current code, and lots of > docs. The current rpm install is actually several src.rpms and the mailscanner > rpm in a tarball. You unpack the tarball in some working directory and run an > install.sh script. It will update any code you need fixed, and give you some > instructions at the end. > One could also point a helping finger to the MAQ and the rest of the wiki (both contain partly overlapping instructions for how to go about the upgrade(s) necessary). You'll find them from the documentation page on www.mailscanner.info;-). Another thing to consider is if it isn't time for a more Alexandrian cut, so to speak, to solve this Gordian knot:-):-)... If MailScanner is that old, so is probably every part of the system. Perhaps time for a fresh start? Anyway, the queues Martin is alluding to are the mqueue.in and mqueue ones (usually found in /var/spool).
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Sat Nov 11 20:27:09 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 11 20:27:46 2006 Subject: Mail Not Delivering In-Reply-To: <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> Message-ID: Glenn Steen spake the following on 11/11/2006 12:08 PM: > On 11/11/06, Scott Silva wrote: >> Mailing Lists spake the following on 11/11/2006 9:33 AM: >> > On Sat, 2006-11-11 at 17:10 +0000, Martin Hepworth wrote: >> >> Mailing Lists wrote: >> >>> Hi, >> >>> >> >>> Yesterday my mail stopped getting to the in-boxes. I am using >> sendmail >> >>> and MailScanner 4.23.11. when I stopped MailScanner, and just started >> >>> sendmail, things get delevered fine, however, during the time it >> was not >> >>> delivering mail, I sent myself a bunch of test emails, and I >> never got >> >>> them at all. It seems that I have lost mail! >> >>> What happened to that mail? will it be delivered eventually? >> >>> >> >>> One clue that I noticed in /var/log/messages: >> >>> Nov 10 15:45:32 pipe named[1928]: lame server resolving >> >>> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): >> >>> 206.154.202.54#53 >> >>> >> >>> I will appreciate any help on this... >> >>> >> >>> Thanks! >> >>> Rick >> >>> >> >>> >> >> Hi >> >> >> >> wow, thats really really old code you got running there - three >> years at >> >> least. >> >> >> >> check the inbound, and outbound queues to see if they are there.. >> >> >> >> -- >> >> Martin Hepworth >> >> Senior Systems Administrator >> >> Solid State Logic >> >> Tel: +44 (0)1865 842300 >> >> >> > >> > Forgive me for not knowing much about this. 
but I looked in >> > the /var/spool/MailScanner/incoming/ directory. there are a few >> > directories there but no files at all. Is this the right place to look? >> > were are the inbound and outbound directories? >> > >> > Right it is old! I installed it back when it was new as a rpm. The >> OS is >> > RedHat 9. Now is seems there is no rpm for it. Is there any good docs >> > that step me through an upgrade? >> > >> > Thanks! >> > Rick >> > >> > >> > >> > >> Go to www.mailscanner.info there are links to the current code, and >> lots of >> docs. The current rpm install is actually several src.rpms and the >> mailscanner >> rpm in a tarball. You unpack the tarball in some working directory and >> run an >> install.sh script. It will update any code you need fixed, and give >> you some >> instructions at the end. >> > One could also point a helping finger to the MAQ and the rest of the > wiki (both contain partly overlapping instructions for how to go about > the upgrade(s) necessary). You'll find them from the documentation > page on www.mailscanner.info;-). > > Another thing to consider is if it isn't time for a more Alexanrian > cut, so to speak, to solve this Gordian knot:-):-)... If MailScanner > is that old, so is probably every part of the system. Perhaps time for > a fresh start? > > Anyway, the queues Martin is alluding to are the mqueue.in and mqueue > ones (usually found in /var/spool). > I guess I'm not the only one working today! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
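The queue check suggested above for the inbound and outbound queues, as an added example that is not part of any post in this thread: `queue_audit` lists every message ID in a sendmail-style queue directory with the state of its qf/df pair, and `queue_hold` sets one message's files aside without deleting them. The function names, the status labels and the zero-length-qf test are assumptions made for this example; the directories named in the usage comment are the usual defaults and may differ on a given system.

```shell
#!/bin/sh
# Added example (not from the thread): audit sendmail-style queue directories.
# Assumption: each queued message is a qf<ID> control file plus a df<ID> body
# file, stored side by side in the queue directory.

# queue_audit DIR
# Prints "<status> <id>" for every queue ID found in DIR:
#   ok        qf and df both present, qf non-empty
#   no-df     qf without a body file
#   no-qf     df without a control file
#   empty-qf  qf present but zero bytes (assumed sign of a broken entry)
queue_audit() {
    qa_dir=$1
    [ -d "$qa_dir" ] || { echo "queue_audit: not a directory: $qa_dir" >&2; return 2; }
    for qa_f in "$qa_dir"/qf* "$qa_dir"/df*; do
        [ -f "$qa_f" ] || continue        # unmatched glob or not a regular file
        qa_base=${qa_f##*/}
        printf '%s\n' "${qa_base#??}"     # strip the two-letter qf/df prefix
    done | sort -u | while IFS= read -r qa_id; do
        if [ ! -f "$qa_dir/qf$qa_id" ]; then
            echo "no-qf $qa_id"
        elif [ ! -s "$qa_dir/qf$qa_id" ]; then
            echo "empty-qf $qa_id"
        elif [ ! -f "$qa_dir/df$qa_id" ]; then
            echo "no-df $qa_id"
        else
            echo "ok $qa_id"
        fi
    done
}

# queue_hold DIR ID HOLDDIR
# Moves the qf/df files of one message from DIR into HOLDDIR and prints how
# many files were moved. Nothing is deleted, so the message can be inspected
# or put back later. Intended to be run while the scanner is stopped.
queue_hold() {
    qh_dir=$1 qh_id=$2 qh_hold=$3
    case $qh_id in
        ''|*/*|.*) echo "queue_hold: bad queue id: $qh_id" >&2; return 2 ;;
    esac
    mkdir -p "$qh_hold" || return 1
    chmod 700 "$qh_hold"                  # queue files contain mail content
    qh_moved=0
    for qh_p in qf df; do
        if [ -f "$qh_dir/$qh_p$qh_id" ]; then
            mv "$qh_dir/$qh_p$qh_id" "$qh_hold/" && qh_moved=$((qh_moved + 1))
        fi
    done
    echo "$qh_moved"
}

# Stand-alone use: sh queue_audit.sh /var/spool/mqueue.in /var/spool/mqueue
# With no arguments nothing is scanned, so the file can also be sourced.
for qa_arg in "$@"; do
    echo "== $qa_arg"
    queue_audit "$qa_arg" | grep -v '^ok ' || echo "(no problem entries)"
done
```

Entries reported as anything other than `ok` are the ones to look at first when mail enters the incoming queue but never reaches the outgoing one.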
From glenn.steen at gmail.com Sat Nov 11 20:59:50 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Nov 11 20:59:54 2006 Subject: Mail Not Delivering In-Reply-To: References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> Message-ID: <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> On 11/11/06, Scott Silva wrote: (snip) > I guess I'm not the only one working today! > Free time.... I've heard of the concept.... Don't really know when I'll actually experience it:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Sat Nov 11 22:22:29 2006 From: res at ausics.net (Res) Date: Sat Nov 11 22:22:37 2006 Subject: Mail Not Delivering In-Reply-To: <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> Message-ID: On Sat, 11 Nov 2006, Glenn Steen wrote: > Free time.... I've heard of the concept.... Don't really know when > I'll actually experience it:-) Thats because you run postmix Glenn :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From lists at gmnet.net Sat Nov 11 23:59:20 2006 From: lists at gmnet.net (Mailing Lists) Date: Sat Nov 11 23:59:26 2006 Subject: Mail Not Delivering --REALLY BAD!! 
In-Reply-To: <1163260360.27853.97.camel@thor.greenbuzz.net> References: <1163260360.27853.97.camel@thor.greenbuzz.net> Message-ID: <1163289560.27853.146.camel@thor.greenbuzz.net> Hi, Thanks for all your replies, but this is starting to get serious! I have a bunch of clients who are expecting mail, and I don't know what to tell them. Here is the situation: Mail stopped being delivered last Friday with no notice! I even sent test emails right from my local command prompt to myself and they went nowhere! i.e. #echo test |mail -s test lists@gmnet.net Where did this mail go? Right now, I am running sendmail w/o mailscanner at all! This is the only way mail gets delivered! Please Help! Rick From bhuff at colltech.com Sun Nov 12 01:04:57 2006 From: bhuff at colltech.com (Bill Huff) Date: Sun Nov 12 01:05:10 2006 Subject: Mail Not Delivering --REALLY BAD!! In-Reply-To: <1163289560.27853.146.camel@thor.greenbuzz.net> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> Message-ID: Rick, the way that mailscanner works is to have a sendmail process that pulls mail into an incoming queue ( usually /var/spool/mqueue.in ) and then mailscanner scans it and moves it to the outgoing queue ( usually /var/spool/mqueue ). If mailscanner just stopped scanning mail for some reason then you should be able to see any mail that you received by looking in /var/spool/mqueue.in. A 'mailq -OQueueDirectory=/var/spool/mqueue.in' will show you any mail that is stuck in that directory. If there is no mail sitting in that queue, then that means that mailscanner was scanning and moving it to the outgoing queue. If that is the case, then a 'mailq -OQueueDirectory=/var/spool/mqueue' should show you what is hung up there. However if you have started sendmail by itself, then that directory should be clear, as that is what sendmail will use by default as well. Have you looked in /var/log/maillog for anything strange starting Friday afternoon?
I would suspect something to be there if Mailscanner started having problems. It is usually pretty talkative when it starts having any sort of issues. The directories that I have pointed out above are the Mailscanner defaults, so it is possible that your setup may be using different directories. You will need to check your /etc/Mailscanner/Mailscanner.conf file to make sure where your incoming and outgoing queues are ( 'Incoming Queue Dir' and 'Outgoing Queue Dir' ). Hopefully all of your mail just spooled up in /var/spool/mqueue.in and didn't get lost, but in any case, /var/log/maillog should give you a clue what is going on. I hope that this helps. I know that feeling that comes when you think that you have lost users mail. -- Bill ______________________________________________________________________ Bill Huff, CISSP | Director, IT Services Division - MTI Technology Corporation voice: 512-263-0770 x 262 | fax: 512-263-0606 | cell: 512-630-5424 web: www.mti.com -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mailing Lists Sent: Saturday, November 11, 2006 5:59 PM To: MailScanner discussion Subject: Re: Mail Not Delivering --REALLY BAD!! Hi, Thanks for all your replies, but this is starting to get serious! I have a bunch of clients who are expecting mail, and I don't know what to tell them. Here is the situation: Mail stopped being delivered last Friday with no notice! I even sent test emails right from my local command prompt to myself and they went nowhere! i.e. #echo test |mail -s test lists@gmnet.net Where did this mail go? Right now, I am running sendmail w/o mailscanner at all! this is the only way mail gets delivered! Please Help!
Rick From lists at gmnet.net Sun Nov 12 03:46:50 2006 From: lists at gmnet.net (Mailing Lists) Date: Sun Nov 12 03:47:12 2006 Subject: Mail Not Delivering --REALLY BAD!! In-Reply-To: References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> Message-ID: <1163303210.27853.167.camel@thor.greenbuzz.net> On Sat, 2006-11-11 at 19:04 -0600, Bill Huff wrote: > Rick, the way that mailscanner works is to have a sendmail process that pulls mail into an incoming queue ( usually /var/spool/mqueue.in ) and then mailscanner scans it and moves it to the outgoing queue ( usually /var/spool/mqueue ). If mailscanner just stopped scanning mail for some reason then you should be able to see any mail that you received by looking in /var/spool/mqueue.in. A 'mailq -OQueueDirectory=/var/spool/mqueue.in' will show you any mail that is stuck in that directory. If there is no mail sitting in that queue, then that means that mailscanner was scanning and moving it to the outgoing queue. If that is the case, then a 'mailq -OQueueDirectory=/var/spool/mqueue' should show you what is hung up there. However if you have started sendmail by itself, then that directory should be clear, as that is what sendmail will use by default as well. > > Have you looked in /var/log/maillog for anything strange starting Friday afternoon? I would suspect something to be there if Mailscanner started having problems. It is usually pretty talkative when it starts having any sort of issues. > > The directories that I have pointed out above are the Mailscanner defaults, so it is possible that your setup may be using different directories.
You will need to check your /etc/Mailscanner/Mailscanner.conf file to make sure where your incoming and outgoing queues are ( 'Incoming Queue Dir' and 'Outgoing Queue Dir' ). Hopefully all of your mail just spooled up in /var/spool/mqueue.in and didn't get lost, but in any case, /var/log/maillog should give you a clue what is going on. > > I hope that this helps. I know that feeling that comes when you think that you have lost users mail. > > -- > Bill > > _______________________________________ Thanks for the info! My directories are just like you said. Unfortunately, it seems that I DID lose email!! There is nothing in the queues. I just stopped sendmail, started MailScanner, sent myself another test email, and never got it again!! So now I'm running sendmail by itself and it is fine. My maillog file shows tons of the following: Nov 11 22:44:45 pipe MailScanner[12837]: Batch: Found invalid qf queue file for message k9HDF4fq030592 but MailScanner is not even running! I am running barefoot w/o protection!! Rick From res at ausics.net Sun Nov 12 03:54:50 2006 From: res at ausics.net (Res) Date: Sun Nov 12 03:54:58 2006 Subject: Mail Not Delivering --REALLY BAD!! In-Reply-To: <1163303210.27853.167.camel@thor.greenbuzz.net> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> Message-ID: What version Sendmail? and are you using the correct lock type On Sat, 11 Nov 2006, Mailing Lists wrote: > On Sat, 2006-11-11 at 19:04 -0600, Bill Huff wrote: >> Rick, the way that mailscanner works is to have a sendmail process that pulls mail into an incoming queue ( usually /var/spool/mqueue.in ) and then mailscanner scans it and moves it to the outgoing queue ( usually /var/spool/mqueue ). If mailscanner just stopped scanning mail for some reason then you should be able to see any mail that you received by looking in /var/spool/mqueue.in.
A 'mailq -OQueueDirectory=/var/spool/mqueue.in' will show you any mail that is stuck in that directory. If there is no mail sitting in that queue, then that means that mailscanner was scanning and moving it to the outgoing queue. If that is the case, then a 'mailq -OQueueDirectory=/var/spool/mqueue' should show you what is hung up there. However if you have started sendmail by itself, then that directory should be clear, as that is what sendmail will use by default as well. >> >> Have you looked in /var/log/maillog for anything strange starting Friday afternoon? I would suspect something to be there if Mailscanner started having problems. It is usally pretty talkative when it starts having any sort of issues. >> >> The directories that I have pointed out above are the Mailscanner defaults, so it is possible that your setup may be using different directories. You will need to check your /etc/Mailscanner/Mailscanner.conf file to make sure where your incoming and outgoing queues are ( 'Incoming Queue Dir' and 'Outgoing Queue Dir' ). Hopefully all of your mail just spooled up in /var/spool/mqueue.in and didn't get lost, but in any case, /var/log/maillog should give you a clue what is going on. >> >> I hope that this helps. I know that feeling that comes when you think that you have lost users mail. >> >> -- >> Bill >> >> _______________________________________ > > Thanks for the info! > > My directories are just like you said. unfortunately, it seems that I > DID loose email!! there is nothing in the queues. I just stopped > sendmail, started MailScanner, sent myself another test email, and never > got it again!! so now I'm running sendmail by itself and it is fine. my > maillog file shows tons of the following: > > Nov 11 22:44:45 pipe MailScanner[12837]: Batch: Found invalid qf queue > file for message k9HDF4fq030592 > > but MailScanner is not even running! I am running barefoot w/o > protection!! 
> > Rick > > > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From uxbod at splatnix.net Sun Nov 12 09:49:21 2006 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Sun Nov 12 09:48:59 2006 Subject: Mail Not Delivering --REALLY BAD!! In-Reply-To: <1163303210.27853.167.camel@thor.greenbuzz.net> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> Message-ID: <20061112094921.760eb155@localhost> Do you have a rougue MailScanner process running then ? ps -ef | grep -i mailscanner What happens if you run MailScanner if the foreground so you can see what it is doing ? UxBoD -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lists at gmnet.net Sun Nov 12 17:32:34 2006 From: lists at gmnet.net (Mailing Lists) Date: Sun Nov 12 17:32:42 2006 Subject: Mail Not Delivering --REALLY BAD!! In-Reply-To: <1163303210.27853.167.camel@thor.greenbuzz.net> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> Message-ID: <1163352754.27853.197.camel@thor.greenbuzz.net> I think this points to the problem... in my /var/log/maillog I get tons of these... Nov 11 22:44:45 pipe MailScanner[12837]: Batch: Found invalid qf queue file for message k9HDF4fq030592 Does anybody know what this means?? Thanks for your help!! Rick From prandal at herefordshire.gov.uk Sun Nov 12 17:50:29 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sun Nov 12 17:50:45 2006 Subject: Mail Not Delivering --REALLY BAD!! Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681DD@isabella.herefordshire.gov.uk> cd /var/spool/mqueue.in Move out to another directory dfk9HDF4fq030592 and qfk9HDF4fq030592, and restart MailScanner. 
Or is it not always the same message id?

Cheers,

Phil

From glenn.steen at gmail.com Sun Nov 12 18:09:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 12 18:10:15 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163352754.27853.197.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> <1163352754.27853.197.camel@thor.greenbuzz.net>
Message-ID: <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com>

On 12/11/06, Mailing Lists wrote:
> I think this points to the problem...
>
> in my /var/log/maillog I get tons of these...
>
> Nov 11 22:44:45 pipe MailScanner[12837]: Batch: Found invalid qf queue
> file for message k9HDF4fq030592
>
> Does anybody know what this means??
>
> Thanks for your help!!
> Rick
>
It might indicate that you are using one type of locking in Sendmail and another in MailScanner, so that MailScanner starts reading before the file is really finished being written. Might cause all sorts of problems.
(In "MailScanner speak" the locking types are called posix (for fcntl() ...) and flock (for flock:-).
At about version 8.12.11, there was a shift in Sendmail locking (for linux) from flock to posix/fcntl ... And newer versions of MailScanner have moved from the default assumption that flock is right for sendmail to the assumption that posix is right (you can be explicit about this).

So what to do might be very much dependent on what happened on that Friday. Did you upgrade sendmail? Likely your MailScanner needs to have Lock Type set to posix (assuming an "elderly" MailScanner)... If it was an update of MailScanner, you might need to set it to "flock", to match an older sendmail...

But there has been an interesting idea "aired" already... After stopping MailScanner, are there any MailScanner processes lingering? There should be none, and it should definitely not be logging anything after you had stopped it. If there are such processes, try just killing them off, check that they die, then fire up MailScanner again.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jon at radel.com Sun Nov 12 18:38:38 2006
From: jon at radel.com (Jon Radel)
Date: Sun Nov 12 18:38:16 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> <1163352754.27853.197.camel@thor.greenbuzz.net> <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com>
Message-ID: <45576A2E.8050500@radel.com>

Have you explored whether your machine has been subverted? There is always the possibility that somebody has installed something that handles SMTP, which might have very strange effects, or simply broken sendmail. You're running all this on RH 9 (old, old). Have you been applying all the security patches from the Fedora Legacy Project, which issued a security update for sendmail as recently as this April?

If you have this machine bare on the Internet w/o at least a paranoid firewall at the host level, and you've not installed any patches since Red Hat dropped support for RH 9, well.... That would be not so good.

I've re-read all your responses to this, and I don't catch any place where you've answered the implicit question that came up several times: Did you do ANYTHING to the configuration of this machine on Friday? Did you do ANYTHING to the configuration of the network it plugs into on Friday?

--Jon Radel

From glenn.steen at gmail.com Sun Nov 12 18:40:34 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 12 18:40:48 2006
Subject: Mail Not Delivering
In-Reply-To:
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com>
Message-ID: <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>

On 11/11/06, Res wrote:
> On Sat, 11 Nov 2006, Glenn Steen wrote:
>
> > Free time.... I've heard of the concept.... Don't really know when
> > I'll actually experience it:-)
>
> That's because you run postmix Glenn :)
>
(... Moving severely off-topic...)
Nope, I think it has something to do with general understaffing and continually jumping from one hot spot to the next (networking (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some hefty AIX boxes, a slew of Suns, a plethora of linuces), backup (Networker mostly), DBAing some fairly big Oracle DBs, some Postgresql and some MySQL, trying to do some app development on and off, and generally help the windoze guys whenever they need it (which they seem to do, continually) ... not to mention the overall responsibility for the center facilities (alarmsystems, cooling, Novec fire extinguishing facility, KVM switches etc etc) ... and the list goes on (ad nauseam:) ). In other words, no different situation than most of you have;-).

The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time, so that I can do all the rest;-)... I'm sure I'd have to commit a lot more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I used that... After all, I know PF pretty well by now:-D

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lists at gmnet.net Sun Nov 12 18:45:03 2006
From: lists at gmnet.net (Mailing Lists)
Date: Sun Nov 12 18:45:07 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681DD@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681DD@isabella.herefordshire.gov.uk>
Message-ID: <1163357103.27853.219.camel@thor.greenbuzz.net>

On Sun, 2006-11-12 at 17:50 +0000, Randal, Phil wrote:
> cd /var/spool/mqueue.in
>
> Move out to another directory dfk9HDF4fq030592 and qfk9HDF4fq030592, and
> restart MailScanner.
>
> Or is it not always the same message id?
>
> Cheers,
>
> Phil

Thanks,

That fixed that, but when I run MailScanner, some mail still does not get delivered..

Here is a snip from my maillog...

Nov 12 13:12:21 pipe sendmail[23527]: kACICK54023527: from=, size=570, class=0, nrcpts=1, msgid=<1163355140.27853.213.camel@thor.greenbuzz.net>, proto=ESMTP, daemon=MTA, relay=mailgate5.sover.net [209.198.87.110]
Nov 12 13:12:24 pipe MailScanner[23528]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Nov 12 13:12:24 pipe MailScanner[23525]: RBL Check Infinite-Monkeys timed out and was killed, consecutive failure 1 of 7

Thanks for all your help!!
Rick

From lists at gmnet.net Sun Nov 12 18:50:25 2006
From: lists at gmnet.net (Mailing Lists)
Date: Sun Nov 12 18:50:32 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <45576A2E.8050500@radel.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> <1163352754.27853.197.camel@thor.greenbuzz.net> <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com> <45576A2E.8050500@radel.com>
Message-ID: <1163357425.27853.223.camel@thor.greenbuzz.net>

On Sun, 2006-11-12 at 13:38 -0500, Jon Radel wrote:
> Have you explored whether your machine has been subverted? There is
> always the possibility that somebody has installed something that
> handles SMTP, which might have very strange effects, or simply broken
> sendmail. You're running all this on RH 9 (old, old). Have you been
> applying all the security patches from the Fedora Legacy Project, which
> issued a security update for sendmail as recently as this April?
>
> If you have this machine bare on the Internet w/o at least a paranoid
> firewall at the host level, and you've not installed any patches since
> Red Hat dropped support for RH 9, well.... That would be not so good.
>
> I've re-read all your responses to this, and I don't catch any place
> where you've answered the implicit question that came up several times:
> Did you do ANYTHING to the configuration of this machine on Friday?
> Did you do ANYTHING to the configuration of the network it plugs into on
> Friday?

sorry, I did nothing to the config files for a while. It was working fine on Fri morning. and yes I do have a solid firewall in place... I plan on replacing the whole system in a few months, I guess I just want a basic solution for now...

>
> --Jon Radel

From csweeney at osubucks.org Sun Nov 12 18:50:27 2006
From: csweeney at osubucks.org (Chris Sweeney)
Date: Sun Nov 12 18:50:43 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163357103.27853.219.camel@thor.greenbuzz.net>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681DD@isabella.herefordshire.gov.uk> <1163357103.27853.219.camel@thor.greenbuzz.net>
Message-ID: <45576CF3.5040904@osubucks.org>

Skipped content of type multipart/alternative

From glenn.steen at gmail.com Sun Nov 12 19:24:42 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 12 19:24:49 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163357425.27853.223.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> <1163352754.27853.197.camel@thor.greenbuzz.net> <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com> <45576A2E.8050500@radel.com> <1163357425.27853.223.camel@thor.greenbuzz.net>
Message-ID: <223f97700611121124w4245c5eamdfcf2b4f6c911008@mail.gmail.com>

On 12/11/06, Mailing Lists wrote:
(snip)
> sorry, I did nothing to the config files for a while. It was working
> fine on Fri morning. and yes I do have a solid firewall in place...
> I plan on replacing the whole system in a few months, I guess I just want
> a basic solution for now...

Setting up a new system could be done in a day or two (in its entirety... Counting the time to acquire HW;-)... And it'd likely solve all your problems, so you should perhaps reconsider your timetable.
Just a suggestion, mind you;-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Sun Nov 12 19:43:19 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Nov 12 19:43:33 2006
Subject: Mail Not Delivering --REALLY BAD!!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681DE@isabella.herefordshire.gov.uk>

The Infinite monkeys RBL has long gone to the great bit bucket in the sky. You need to remove it from your RBL list in /etc/MailScanner/MailScanner.conf

Cheers,

Phil

From admin at thenamegame.com Sun Nov 12 20:01:21 2006
From: admin at thenamegame.com (Michael S.)
Date: Sun Nov 12 19:54:10 2006
Subject: Debora is a huge spammers!!!!
Message-ID: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>

The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed?

These are different variations of the username@

deborahpessanha@bridportleisure.com
deborasalsano@brokermart.com
deborahvw@brooksmetals.com

Etc.

Notice the first 6 characters of every username being Debora?

Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com?

I'd rather do this at SMTP time instead of allowing MS to kill it off as there are thousands and the less MS has to work the better.

Thanks

From prandal at herefordshire.gov.uk Sun Nov 12 20:21:20 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Nov 12 20:21:29 2006
Subject: Debora is a huge spammers!!!!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681DF@isabella.herefordshire.gov.uk>

Oh that it were so simple.

The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm ) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads ) catches many of what's left.

Cheers,

Phil

From admin at thenamegame.com Sun Nov 12 20:40:57 2006
From: admin at thenamegame.com (Michael S.)
Date: Sun Nov 12 20:33:32 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681DF@isabella.herefordshire.gov.uk>
Message-ID: <200611122033.kACKXUcD030959@bkserver.blacknight.ie>

As I mentioned, I want to catch them at smtp time and not after it's been received therefore it needs to be implemented in exim.conf and not sa. Why accept 25,000 debora spam messages and waste bandwidth accepting them when it could be done up front?

From prandal at herefordshire.gov.uk Sun Nov 12 20:39:34 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Nov 12 20:39:46 2006
Subject: Debora is a huge spammers!!!!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681E0@isabella.herefordshire.gov.uk>

Use an RBL such as cbl.abuseat.org in exim, if you can - that'll probably get most of them.

We're not seeing any from the lovely debs here.

Phil

From admin at thenamegame.com Sun Nov 12 20:56:30 2006
From: admin at thenamegame.com (Michael S.)
Date: Sun Nov 12 20:49:06 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681E0@isabella.herefordshire.gov.uk>
Message-ID: <200611122049.kACKn3KF031398@bkserver.blacknight.ie>

Already using CBL. I've seen it on 32 boxes, same Debora spam messages being pumped inbound. Boxes are located all over the world not just in the USA so this is a worldwide issue. Can't say it's just one or two boxes. CBL doesn't stop it.

From prandal at herefordshire.gov.uk Sun Nov 12 20:53:08 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Nov 12 20:54:12 2006
Subject: Debora is a huge spammers!!!!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681E1@isabella.herefordshire.gov.uk>

We're not seeing because I wasn't looking...

All fifteen from Deborah came from the one IP address 70.86.164.242, which isn't yet in any RBL that I use.

Phil

From admin at thenamegame.com Sun Nov 12 21:24:21 2006
From: admin at thenamegame.com (Michael S.)
Date: Sun Nov 12 21:16:51 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681E1@isabella.herefordshire.gov.uk>
Message-ID: <200611122116.kACLGo1c031961@bkserver.blacknight.ie>

I did a grep on Debora in my logs and although that ip reveals the same ip as what you have the rest are from all different ips so ip blocking won't do it.

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 3:21 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

Oh that it were so simple.

The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads) catches many of what's left.

Cheers,

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 8:01 PM
To: mailscanner@lists.mailscanner.info
Subject: Debora is a huge spammers!!!!

The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed?

These are different variations of the username@

deborahpessanha@bridportleisure.com
deborasalsano@brokermart.com
deborahvw@brooksmetals.com

Etc. Notice the first 6 characters of every username being Debora?

Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com?

I'd rather do this at SMTP time instead of allowing MS to kill it off as there are thousands and the less MS has to work the better.

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061112/4d69ca95/attachment.html

From arturs at netvision.net.il Sun Nov 12 22:15:26 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Sun Nov 12 22:18:11 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611122116.kACLGo1c031961@bkserver.blacknight.ie>
Message-ID: <015101c706a8$0e9f9400$3701a8c0@lapxp>

I see it too, about 40 instances in maillog during 20 hours. Different IP all. Most were caught by MS.
If I'd get ~25,000 such spams a day, I'd consider filtering them at MTA, everything that would stop the flood on the spot would be good. Otherwise, it is just a short-lasting workaround and a waste of time.

Best,

--
Arthur Sherman
+972-52-4878851
CPTeam

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 11:24 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

I did a grep on Debora in my logs and although that ip reveals the same ip as what you have the rest are from all different ips so ip blocking won't do it.

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 3:53 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

We're not seeing because I wasn't looking... All fifteen from Deborah came from the one IP address 70.86.164.242, which isn't yet in any RBL that I use.

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 8:40 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

Use an RBL such as cbl.abuseat.org in exim, if you can - that'll probably get most of them.

We're not seeing any from the lovely debs here.

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 8:41 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

As I mentioned, I want to catch them at smtp time and not after it's been received, therefore it needs to be implemented in exim.conf and not sa. Why accept 25,000 debora spam messages and waste bandwidth accepting them when it could be done up front?

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 3:21 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

Oh that it were so simple.

The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads) catches many of what's left.

Cheers,

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 8:01 PM
To: mailscanner@lists.mailscanner.info
Subject: Debora is a huge spammers!!!!

The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed?

These are different variations of the username@

deborahpessanha@bridportleisure.com
deborasalsano@brokermart.com
deborahvw@brooksmetals.com

Etc. Notice the first 6 characters of every username being Debora?

Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com?

I'd rather do this at SMTP time instead of allowing MS to kill it off as there are thousands and the less MS has to work the better.

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/56ddcaa8/attachment.html

From glenn.steen at gmail.com Sun Nov 12 22:31:47 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 12 22:31:50 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611122116.kACLGo1c031961@bkserver.blacknight.ie>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681E1@isabella.herefordshire.gov.uk>
    <200611122116.kACLGo1c031961@bkserver.blacknight.ie>
Message-ID: <223f97700611121431p20dd877buc09e4c9e14d97211@mail.gmail.com>

On 12/11/06, Michael S. wrote:
> I did a grep on Debora in my logs and although that ip reveals the same ip
> as what you have the rest are from all different ips so ip blocking won't do
> it.

Look through the stuff since the beginning of this month... Had 28 matches, where 3 would've been false positives with a rule rejecting anyone named debora.*@.* ... would be unacceptable to me. And MS caught the other ones so...:-).

If I saw this in very large numbers, I might be tempted to try to capitalise on it... But I'm afraid that if you cannot find something else they have in common (and that you can easily identify at SMTP time), you wouldn't be able to use this at all.
For me, looking at the headers for the 28, nothing really popped out.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Mon Nov 13 00:31:20 2006
From: res at ausics.net (Res)
Date: Mon Nov 13 00:31:35 2006
Subject: Mail Not Delivering
In-Reply-To: <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net>
    <455603F5.4050101@solidstatelogic.com>
    <1163266421.27853.120.camel@thor.greenbuzz.net>
    <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com>
    <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com>
    <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>
Message-ID:

On Sun, 12 Nov 2006, Glenn Steen wrote:

> Nope, I think it has something to do with general understaffing and
> continually jumping from one hot spot to the next (networking
> (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some
> hefty AIX boxes, a slew of Suns, a plethora of linuces), backup

*snip* what are you a one man NOC ? surely you can delegate, but I know if something f2#$#s up it still comes back down to me, that's why competent engineers by my side are a must ;)

> The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time,
> more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I

We are shortly about to remove qmail from equation on all our virtual domain boxes by using sendmail and cyrus, I'm sick to death of spending 2 days patching the useless piece of crap every time we want some other feature that's defaultly in sendmail and has been in it for like 8 years or more.

bernstein is right about one thing tho, qmail is secure, after all how can you exploit something that does nothing :D

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From jimc at laridian.com Mon Nov 13 04:42:02 2006
From: jimc at laridian.com (Jim Coates)
Date: Mon Nov 13 04:44:30 2006
Subject: OT: poprelayd and milter-greylist
In-Reply-To:
Message-ID: <008301c706de$10bf7e40$6401a8c0@zorak>

Hey all...

I have a server that handles all mail from our remote offices (offsite offices).

We use poprelayd to handle relay authentication for our mail services.

We recently started using milter-greylist, but I'm running into a problem where dynamic IPs are changing on my remote offices and therefore are no longer listed as whitelisted in the milter-greylist config file.

I'm wondering if there is a way to take the poprelayd IP table and auto-whitelist the milter-greylist config using those IPs (which would also mean adding new ones as they are "approved" by poprelayd).

Any thoughts?

Thanks,
Jim Coates

From ram at netcore.co.in Mon Nov 13 07:03:23 2006
From: ram at netcore.co.in (Ramprasad)
Date: Mon Nov 13 07:03:50 2006
Subject: how to not run SA-scan if on whitelist/blacklist
Message-ID: <1163401404.780.26.camel@darkstar.netcore.co.in>

We are using MS 4.50.15 for spamassassin and AV checks.

I use the "Is Definitely Not Spam = " feature for whitelisting. When a mail is already on this, how do I tell MS not to run SA for such a mail?

Currently the mail is sent thru spamassassin and the checks happen before the whitelisting happens.

Thanks
Ram

From matt at coders.co.uk Mon Nov 13 08:17:06 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Nov 13 08:17:38 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <223f97700611121431p20dd877buc09e4c9e14d97211@mail.gmail.com>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681E1@isabella.herefordshire.gov.uk>
    <200611122116.kACLGo1c031961@bkserver.blacknight.ie>
    <223f97700611121431p20dd877buc09e4c9e14d97211@mail.gmail.com>
Message-ID: <45582A02.9000009@coders.co.uk>

Glenn Steen wrote:
> On 12/11/06, Michael S. wrote:
>> I did a grep on Debora in my logs and although that ip reveals the
>> same ip
>> as what you have the rest are from all different ips so ip blocking
>> won't do
>> it.
> Look through the stuff since the beginning of this month... Had 28
> matches, where 3 would've been false positives with a rule rejecting
> anyone named debora.*@.* ... would be unacceptable to me. And MS caught
> the other ones so...:-).

Gone back through my logs and only 185 got as far as MS - of these 11 were not identified as spam and of these only 6 were false negatives.

Of those 6 - 3 were caused by SA timeouts. I was getting Razor hits on the rest and Bayes was > 60% on two of them. The lowest score was 2.5, the highest 4.76.

I haven't (touch wood) had a false negative since the 5th.

The majority (at least an order of magnitude larger) were blocked at connection level. I haven't had a chance to work out which milters hit the most but I have the following installed:

milter-link, smf-sav, smf-grey (patched to only greylist if the sending IP is on an RBL) and smf-spf (reject only on fails).

>
> If I saw this in very large numbers, I might be tempted to try to
> capitalise on it... But I'm afraid that if you cannot find something else
> they have in common (and that you can easily identify at SMTP time),
> you wouldn't be able to use this at all.
> For me, looking at the headers for the 28, nothing really popped out.
>

The only thing that I saw was they all had X-Priority: 3(normal) set.

matt

From martinh at solidstatelogic.com Mon Nov 13 09:05:15 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Nov 13 09:05:33 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
Message-ID: <4558354B.20705@solidstatelogic.com>

Michael S. wrote:
> The huge increase in stock spam that everyone is seeing is coming from
> the username that is consistently the same. Has anyone noticed?
>
> These are different variations of the username@
>
> deborahpessanha@bridportleisure.com
> deborasalsano@brokermart.com
> deborahvw@brooksmetals.com
>
> Etc. Notice the first 6 characters of every username being Debora?
>
> Is there an exim rule that one can implement in exim.conf for example
> that rejects all mail arriving from Debora??????@fakedomain.com
> ?
>
> I'd rather do this at SMTP time instead of allowing MS to kill it off as
> there are thousands and the less MS has to work the better.
>
> Thanks
>

Michael

trapping them nicely here without fuzzyocr or imageinfo..

 5.40  BAYES_99                   Bayesian spam probability is 99 to 100%
 4.00  DCC_CHECK                  Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.77  DIGEST_MULTIPLE            Message hits more than one network digest check
 1.25  HOST_EQ_IT
 0.50  RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
 1.50  RAZOR2_CF_RANGE_E4_51_100  Razor2 gives engine 4 confidence level above 50%
 0.50  RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
 0.79  SARE_LWSHORTT
 1.66  SARE_MLB_Stock1
 1.66  SARE_MLB_Stock2
 1.66  SARE_MLB_Stock5            Mentions stock symbol, tickers, or OTC.

the SARE stocks rules are very useful here...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From glenn.steen at gmail.com Mon Nov 13 09:19:28 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Nov 13 09:19:32 2006
Subject: Mail Not Delivering
In-Reply-To:
References: <1163260360.27853.97.camel@thor.greenbuzz.net>
    <455603F5.4050101@solidstatelogic.com>
    <1163266421.27853.120.camel@thor.greenbuzz.net>
    <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com>
    <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com>
    <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>
Message-ID: <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com>

On 13/11/06, Res wrote:
> On Sun, 12 Nov 2006, Glenn Steen wrote:
>
> > Nope, I think it has something to do with general understaffing and
> > continually jumping from one hot spot to the next (networking
> > (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some
> > hefty AIX boxes, a slew of Suns, a plethora of linuces), backup
>
> *snip* what are you a one man NOC ? surely you can delegate, but I
> know if something f2#$#s up it still comes back down to me, that's why
> competent engineers by my side are a must ;)

The term there is _understaffed_;-). Then one becomes "key" to operations in oh so many ways. Sigh.
We're leasing the needed people to delegate to, but... It's not the same as a fellow employee.

> > The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time,
> > more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I
>
> We are shortly about to remove qmail from equation on all our virtual
> domain boxes by using sendmail and cyrus, I'm sick to death of spending 2 days
> patching the useless piece of crap every time we want some other feature
> that's defaultly in sendmail and has been in it for like 8 years or more.
>
> bernstein is right about one thing tho, qmail is secure, after all how can
> you exploit something that does nothing :D
>

Yep:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From matt at coders.co.uk Mon Nov 13 10:44:06 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Nov 13 10:44:31 2006
Subject: OT: poprelayd and milter-greylist
In-Reply-To: <008301c706de$10bf7e40$6401a8c0@zorak>
References: <008301c706de$10bf7e40$6401a8c0@zorak>
Message-ID: <45584C76.6080100@coders.co.uk>

Jim Coates wrote:
> Hey all...
>
> I have a server that handles all mail from our remote offices (offsite
> offices).
>
> We use poprelayd to handle relay authentication for our mail services.
>
> We recently started using milter-greylist, but I'm running into a problem
> where dynamic IPs are changing on my remote offices and therefore are no
> longer listed as whitelisted in the milter-greylist config file.
>
> I'm wondering if there is a way to take the poprelayd IP table and
> auto-whitelist the milter-greylist config using those IPs (which would also
> mean adding new ones as they are "approved" by poprelayd).
>
> Any thoughts?

Is there a particular reason why you can't use SMTP-AUTH? milter-greylist can use that as an automatic whitelist.

Alternatively: http://hcpnet.free.fr/milter-greylist/poprelay/

matt

From t.d.lee at durham.ac.uk Mon Nov 13 10:56:09 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Nov 13 10:56:33 2006
Subject: SA 3.1.7 returning no result to MS?
In-Reply-To: <4554A39C.1050404@evi-inc.com>
References: <4554A39C.1050404@evi-inc.com>
Message-ID:

On Fri, 10 Nov 2006, Matt Kettler wrote:

> David Lee wrote:
> > (Linux/FC5; sendmail 8.13.7; MS 4.56.8)
> >
> > Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to
> > 3.1.7. The MS config has:
> >     Log Spam = yes
> >     Log Non Spam = yes
> >
> > In the daily logs we now seem to be getting several occurrences of:
> >     Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
> >
> > and:
> >     Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)
> >
> > scattered amongst the occurrences of more real data. (Around 7% of entries
> > on one machine, around 4% on the other, are in such truncated/empty forms).
> >
> > The daily logs prior to this show no occurrences at all.
> >
> > Any thoughts?
>
> spamassassin --lint any errors reported, or just runs and exits quietly?

Runs and exits quietly.

> spamassassin -D --lint, and see what the "default rules dir" is, and make sure
> all the default .cf files are there.

Attached. Looks mostly clean. There's an SA "FP_MIXED_PORN3" problem, but apparently several people have reported this in various places and, if I read those reports correctly, it is not deemed to be a major problem (rather just a warning).

Googling around a little, I find:
    http://www.gossamer-threads.com/lists/spamassassin/users/87230
and one of the replies in the thread says:
    "There's been some discussion about scores with 0 rating popping similar so I wonder if that's related."

That "0 rating" sounds like the symptoms I'm seeing.
    Message ...
    is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)

When I do a manual "sa-update", the entries continue to appear in the log file. But when I follow this with "service MailScanner reload", these entries almost cease for a while. ("For a while"? I tried before the weekend and they seemed to have ceased. Returning after the weekend, they seem to have resumed. Re-tried just now: seem to have ceased.)

Note that this void scoring is only on a minority of the emails (nothing like all of them).

>
> > 2. When I check on a third (higher MX, lower preference) machine on which
> > I did a similar upgrade, but on which Razor had been working properly
> > working both before and after the upgrade, this has such entries both
> > before and after. Which sort of points the finger towards Razor, rather
> > than the SA upgrade.
>
> I highly doubt razor is involved. From the sounds of it, SA isn't parsing its
> ruleset.

But (speculation!) might some sort of SA/Razor timeout cause subsequent SA results to be discarded/ignored, causing emptiness to be returned to MS?

(I'm happy not to get distracted onto this razor datapoint, but I thought I at least ought to have mentioned it...)

--
:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :

-------------- next part --------------
"/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pl.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pl.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf [30406] dbg: config: using 
"/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf [30406] dbg: config: 
using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf [30406] dbg: config: using 
"/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf [30406] dbg: plugin: fixed relative path: 
/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf [30406] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x28407b0) implements 'finish_parsing_end' [30406] dbg: replacetags: replacing tags [30406] dbg: replacetags: done replacing tags [30406] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks [30406] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen [30406] dbg: bayes: found bayes db version 3 [30406] dbg: bayes: DB journal sync: last sync: 1163413288 [30406] dbg: config: score set 2 chosen. [30406] dbg: message: ---- MIME PARSER START ---- [30406] dbg: message: main message type: text/plain [30406] dbg: message: parsing normal part [30406] dbg: message: added part, type: text/plain [30406] dbg: message: ---- MIME PARSER END ---- [30406] dbg: dns: is DNS available? 
0 [30406] dbg: metadata: X-Spam-Relays-Trusted: [30406] dbg: metadata: X-Spam-Relays-Untrusted: [30406] dbg: metadata: X-Spam-Relays-Internal: [30406] dbg: metadata: X-Spam-Relays-External: [30406] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x2532ff0) implements 'extract_metadata' [30406] dbg: metadata: X-Relay-Countries: [30406] dbg: message: no encoding detected [30406] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x83ce40) implements 'parsed_metadata' [30406] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x2532ff0) implements 'parsed_metadata' [30406] dbg: rules: local tests only, ignoring RBL eval [30406] dbg: check: running tests for priority: 0 [30406] dbg: rules: running header regexp tests; score so far=0 [30406] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [30406] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1163413298@lint_rules> [30406] dbg: rules: " [30406] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [30406] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1163413298" [30406] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [30406] dbg: eval: all '*To' addrs: [30406] dbg: rules: ran eval rule NO_RELAYS ======> got hit [30406] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [30406] dbg: rules: running body-text per-line regexp tests; score so far=-0.001 [30406] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [30406] dbg: uri: running uri tests; score so far=-0.001 [30406] dbg: bayes: DB journal sync: last sync: 1163413288 [30406] dbg: bayes: corpus size: nspam = 2768964, nham = 846951 [30406] dbg: bayes: score = 0.146100146430509 [30406] dbg: bayes: DB journal sync: last sync: 1163413288 [30406] dbg: bayes: untie-ing [30406] dbg: bayes: untie-ing db_toks [30406] dbg: bayes: untie-ing db_seen [30406] dbg: rules: ran eval rule BAYES_20 ======> got hit [30406] dbg: rules: running raw-body-text 
per-line regexp tests; score so far=-0.741 [30406] dbg: rules: running full-text regexp tests; score so far=-0.741 [30406] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x83ce40) implements 'check_tick' [30406] dbg: check: running tests for priority: 500 [30406] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x83ce40) implements 'check_post_dnsbl' [30406] dbg: rules: running meta tests; score so far=-0.741 [30406] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION' [30406] dbg: rules: running header regexp tests; score so far=1.416 [30406] dbg: rules: running body-text per-line regexp tests; score so far=1.416 [30406] dbg: uri: running uri tests; score so far=1.416 [30406] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.416 [30406] dbg: rules: running full-text regexp tests; score so far=1.416 [30406] dbg: check: running tests for priority: 1000 [30406] dbg: rules: running meta tests; score so far=1.416 [30406] dbg: rules: running header regexp tests; score so far=1.416 [30406] dbg: rules: running body-text per-line regexp tests; score so far=1.416 [30406] dbg: uri: running uri tests; score so far=1.416 [30406] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.416 [30406] dbg: rules: running full-text regexp tests; score so far=1.416 [30406] dbg: check: is spam? score=1.416 required=5 [30406] dbg: check: tests=BAYES_20,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE [30406] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID From tenderby at mailwash.com.au Mon Nov 13 11:18:21 2006 From: tenderby at mailwash.com.au (Tony Enderby) Date: Mon Nov 13 11:18:49 2006 Subject: Slightly OT - RBL test. 
Message-ID: <4558547D.4010602@mailwash.com.au>

Hi all,

I was wondering if someone who gets a fair mail volume passing through their servers (10 to 30k) per day and who uses MailScanner would mind testing a budding RBL I am setting up and in the process of testing at the moment.

The current IP lists are small and won't return anything useful for a while but I'd like to load test the servers on which they run.

If you feel like helping please give me a yell when you get a moment.

Thanks,
Tony.

-----------------------------------------------------------------------------------
Scanned by MailWash Australia - http://www.mailwash.com.au
-----------------------------------------------------------------------------------

From mikechoo at opensos.net Mon Nov 13 13:24:33 2006
From: mikechoo at opensos.net (Michael Choo)
Date: Mon Nov 13 13:24:55 2006
Subject: File extension issue
Message-ID: <43B130E6-F9BB-4146-92A1-9392E7981284@opensos.net>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2423 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/55dc48a3/smime.bin

From glenn.steen at gmail.com Mon Nov 13 13:43:57 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Nov 13 13:44:07 2006
Subject: File extension issue
In-Reply-To: <43B130E6-F9BB-4146-92A1-9392E7981284@opensos.net>
References: <43B130E6-F9BB-4146-92A1-9392E7981284@opensos.net>
Message-ID: <223f97700611130543r40fd6398peab0fe8e99b6ce8b@mail.gmail.com>

On 13/11/06, Michael Choo wrote:
>
> Ran into this issue, user is running Mac OS X which can use multiple periods
> in the filename.
> Don't suppose there is a work around besides disabling file checks?
>
> MailScanner: Attempt to hide real filename extension (IMR WITH BW-8.xls.pdf)
>
Sure there is.
Either you could just disable that rule in filenames.rules.conf, or you could use the "overloading" feature of the Filename setting to do some intelligent exceptions (look at the wiki page http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading) ... Or you could convince him/her to not do that:-):-).

> cheers
> -Mike

Bottoms up!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From bpumphrey at woodmclaw.com Mon Nov 13 15:06:32 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Mon Nov 13 15:06:47 2006
Subject: Mail Not Delivering
In-Reply-To: <1163260360.27853.97.camel@thor.greenbuzz.net>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C140F3@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Mailing Lists
> Sent: Saturday, November 11, 2006 10:53 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Mail Not Delivering
>
> Hi,
>
> Yesterday my mail stopped getting to the in-boxes. I am using sendmail
> and MailScanner 4.23.11. When I stopped MailScanner, and just started
> sendmail, things get delivered fine, however, during the time it was not
> delivering mail, I sent myself a bunch of test emails, and I never got
> them at all. It seems that I have lost mail!
> What happened to that mail? Will it be delivered eventually?
>
> One clue that I noticed in /var/log/messages:
> Nov 10 15:45:32 pipe named[1928]: lame server resolving
> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?):
> 206.154.202.54#53
>
> I will appreciate any help on this...
>
> Thanks!
> Rick
>
>
> --

Try doing this command, which tells sendmail to process messages in queue (at least for my version).
sendmail -q -v

Billy Pumphrey
IT Manager
Wooden & McLaughlin

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Denis.Beauchemin at USherbrooke.ca Mon Nov 13 15:47:23 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Nov 13 15:48:01 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
Message-ID: <4558938B.8000907@USherbrooke.ca>

Michael S. wrote:
>
> The huge increase in stock spam that everyone is seeing is coming from
> the username that is consistently the same. Has anyone noticed?
>
> These are different variations of the username@
>
> deborahpessanha@bridportleisure.com
>
> deborasalsano@brokermart.com
>
> deborahvw@brooksmetals.com
>
> Etc. Notice the first 6 characters of every username being Debora?
>
> Is there an exim rule that one can implement in exim.conf for example
> that rejects all mail arriving from Debora??????@fakedomain.com
> ?
>
> I'd rather do this at SMTP time instead of allowing MS to kill it off as
> there are thousands and the less MS has to work the better.
>
> Thanks
>

I seem to be getting many thousands a day (more than 18000 yesterday)... I think I will deploy milter-regex: http://www.benzedrine.cx/milter-regex.html

Denis
--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/267cd621/smime.bin

From danc at bluestarshows.com Mon Nov 13 15:38:30 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Nov 13 15:49:03 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3> <223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com>
Message-ID: <013301c70739$c57359f0$0200000a@danc3>

----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Saturday, November 11, 2006 2:26 AM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

> On 10/11/06, Dan Carl wrote:
> > > (snip)
> > > If you've upgraded SA, did you run the sa-update after that?
> > I ran sa-update
> Good.
> > > Does it look like MailScanners instance of SA is finding/using the correct
> > > /var/lib/spamassassin/...?
> > >
> > sorry not sure how to verify this.
> Well, the output you just showed (snipped by me:) is an indicator. You
> could add a rule that would be sure to fire into that directory,
> restart MS and run a testmessage through... and look at what rules
> fired...
Can you please explain how to do this?

Question:
Do these need to be set?
SpamAssassin Install Prefix =
SpamAssassin Local Rules Dir =
SpamAssassin Default Rules Dir =
The conf says that if spamassassin is installed in its default location (which mine is) they don't need to be set.. Correct?
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From mkettler at evi-inc.com Mon Nov 13 15:58:24 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Nov 13 15:58:35 2006
Subject: SA 3.1.7 returning no result to MS?
In-Reply-To:
References: <4554A39C.1050404@evi-inc.com>
Message-ID: <45589620.2010900@evi-inc.com>

David Lee wrote:
> On Fri, 10 Nov 2006, Matt Kettler wrote:
>
>> David Lee wrote:
>>> (Linux/FC5; sendmail 8.13.7; MS 4.56.8)
>>>
>>> Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to
>>> 3.1.7. The MS config has:
>>> Log Spam = yes
>>> Log Non Spam = yes
>>>
>>> In the daily logs we now seem to be getting several occurrences of:
>>> Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
>>>
>>> and:
>>> Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)
>>>
>>> scattered amongst the occurrences of more real data. (Around 7% of entries
>>> on one machine, around 4% on the other, are in such truncated/empty forms).
>>>
>>> The daily logs prior to this show no occurrences at all.
>>>
>>> Any thoughts?
>> spamassassin --lint any errors reported, or just runs and exits quietly?
>
> Runs and exits quietly.
>
>> spamassassin -D --lint, and see what the "default rules dir" is, and make sure
>> all the default .cf files are there.
>
> Attached. Looks mostly clean.
>
> There's an SA "FP_MIXED_PORN3" problem, but apparently several people have
> reported this in various places and, if I read those reports correctly, it
> is not deemed to be a major problem (rather just a warning).
>

Check your mail logs for messages along the lines of "SpamAssassin timed out and was killed"

From prandal at herefordshire.gov.uk Mon Nov 13 16:15:08 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Nov 13 16:16:27 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches i t
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086D838@isabella.herefordshire.gov.uk>

You'll need

SpamAssassin Local State Dir = /var/lib

but the others should be OK.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Dan Carl
> Sent: 13 November 2006 15:39
> To: MailScanner discussion
> Subject: Re: Mailscanner not catching SPAM but manual run via
> SA catches it
>
>
> ----- Original Message -----
> From: "Glenn Steen"
> To: "MailScanner discussion"
> Sent: Saturday, November 11, 2006 2:26 AM
> Subject: Re: Mailscanner not catching SPAM but manual run via
> SA catches it
>
>
> > On 10/11/06, Dan Carl wrote:
> > > > (snip)
> > > > If you've upgraded SA, did you run the sa-update after that?
> > > I ran sa-update
> > Good.
> > > > Does it look like MailScanners instance of SA is
> finding/using the
> correct
> > > > /var/lib/spamassassin/...?
> > > >
> > > sorry not sure how to verify this.
> > Well, the output you just showed (snipped by me:) is an
> indicator. You
> > could add a rule that would be sure to fire into that directory,
> > restart MS and run a testmessage through... and look at what rules
> > fired...
> Can you please explain how to do this?
> Question:
> Do these need to be set?
> SpamAssassin Install Prefix =
> SpamAssassin Local Rules Dir =
> SpamAssassin Default Rules Dir =
> The conf says that if spamassassin is installed in its default
> location (which mine is)
> they don't need to be set.. Correct?
>
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
>

From anders.andersson at ltkalmar.se Mon Nov 13 17:10:50 2006
From: anders.andersson at ltkalmar.se (Anders Andersson, IT)
Date: Mon Nov 13 17:10:58 2006
Subject: SV: File extension issue
In-Reply-To: <43B130E6-F9BB-4146-92A1-9392E7981284@opensos.net>
Message-ID: <5EBABD62DC5AC048AD8AEC3312E02D4CCD3237@exchange03.lkl.ltkalmar.se>

Personally, I just removed the double periods check. It will still check the last extension for forbidden extensions. Just make sure you got a decent filetype.rules.conf to rely on

/Anders

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael Choo
Sent: 13 November 2006 14:25
To: mailscanner@lists.mailscanner.info
Subject: File extension issue

Ran into this issue, user is running Mac OS X which can use multiple periods in the filename. Don't suppose there is a work around besides disabling file checks?

MailScanner: Attempt to hide real filename extension (IMR WITH BW-8.xls.pdf)

cheers
-Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/992f1c83/attachment.html

From mikes at hartwellcorp.com Mon Nov 13 17:39:10 2006
From: mikes at hartwellcorp.com (Michael St.
Laurent)
Date: Mon Nov 13 17:41:03 2006
Subject: Upgraded to new SA+Clam - Bayes not working
Message-ID: <3BF93070B3D1B047BA7ABF612958950DF78C23@hcex.hartwellcorp.com>

Last Friday I updated to the new SA+Clam package. Over the weekend it became clear from the amount of spam getting through that something was not right. ;) It looks as if the Bayes scoring is not working. Thinking that the database change might be the culprit I downloaded the starter DB for SA 3.0 from the Fortress systems site and installed. However, that does not seem to have solved the problem.

Could someone point me to any pertinent troubleshooting docs? Thank you for your time.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/e73a3acc/attachment.html

From t.d.lee at durham.ac.uk Mon Nov 13 17:41:03 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Nov 13 17:41:18 2006
Subject: SA 3.1.7 returning no result to MS?
In-Reply-To: <45589620.2010900@evi-inc.com>
References: <4554A39C.1050404@evi-inc.com> <45589620.2010900@evi-inc.com>
Message-ID:

On Mon, 13 Nov 2006, Matt Kettler wrote:
> [...]
> Check your mail logs for messages along the lines of "SpamAssassin timed out and
> was killed"

There are a few "... was killed, failure of 20" but they don't appear near the empty SA returns, and although they build in series, the "" don't seem to reach anywhere near the "20".

There's nothing else nearby in the log that seems linked. There are some "SpamAssassin cache hit for message XXX" next to the failures, but that same process both before and after returns non-empty with such incidents (as if these incidents are sporadic, rather than an MS process going long-term bad/corrupt).

If someone who knows SA (3.1.7) or MS (4.56.8) internals can dream up some debug/log statements, I'd be happy to try to patch them in and watch what happens.

--
: David Lee                        I.T.
Service :
: Senior Systems Programmer        Computer Centre :
:                                  Durham University :
: http://www.dur.ac.uk/t.d.lee/    South Road :
:                                  Durham DH1 3LE :
: Phone: +44 191 334 2752          U.K. :

From rpoe at plattesheriff.org Mon Nov 13 17:43:14 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Mon Nov 13 17:44:01 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <4558354B.20705@solidstatelogic.com>
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie> <4558354B.20705@solidstatelogic.com>
Message-ID: <45585A52.65ED.00A2.0@plattesheriff.org>

grep -c debora maillog*
maillog:1364
maillog.1:4611
maillog.2:732
maillog.3:4
maillog.4:3

>>> Martin Hepworth 11/13/2006 3:05 AM >>>
Michael S. wrote:
> The huge increase in stock spam that everyone is seeing is coming from
> the username that is consistently the same. Has anyone noticed?
>
> These are different variations of the username@
>
> deborahpessanha@bridportleisure.com
>
> deborasalsano@brokermart.com
>
> deborahvw@brooksmetals.com
>
> Etc. Notice the first 6 characters of every username being Debora?
>
> Is there an exim rule that one can implement in exim.conf for example
> that rejects all mail arriving from Debora??????@fakedomain.com
> ?
>
> I'd rather do this at SMTP time instead of allowing MS to kill it off as
> there are thousands and the less MS has to work the better.
>
> Thanks
>

Michael

trapping them nicely here without fuzzyocr or imageinfo..

5.40 BAYES_99 Bayesian spam probability is 99 to 100%
4.00 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.77 DIGEST_MULTIPLE Message hits more than one network digest check
1.25 HOST_EQ_IT
0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.79 SARE_LWSHORTT
1.66 SARE_MLB_Stock1
1.66 SARE_MLB_Stock2
1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC.
the SARE stocks rules is very useful here...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From rpoe at plattesheriff.org Mon Nov 13 17:50:10 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Mon Nov 13 17:51:39 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <015101c706a8$0e9f9400$3701a8c0@lapxp>
References: <200611122116.kACLGo1c031961@bkserver.blacknight.ie> <015101c706a8$0e9f9400$3701a8c0@lapxp>
Message-ID: <45585BF2.65ED.00A2.0@plattesheriff.org>

grep -c debora maillog

server 1: 5881
server 2: 7996
server 3: 380
server 4: 1366
server 5: 1752

All of these servers are on different networks, each handling different domain names. Server 2 is a co-located web host, and it has 2 relay domains (i.e. it scans and forwards for 2 domains), and 38 local domain names (for clients).

All servers are Centos (3 or 4, mostly 4), MailScanner latest, SA latest, 4-5 are greylisting, clam latest, running most of the SARE rulesets, most of them are using at least 1 or 2 RBLs.

From rpoe at plattesheriff.org Mon Nov 13 17:53:11 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Mon Nov 13 17:53:53 2006
Subject: Annoying!!!
Message-ID: <45585CA7.65ED.00A2.0@plattesheriff.org>

Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily.

I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages.

Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages?

It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying.

From martinh at solidstatelogic.com Mon Nov 13 18:03:25 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Nov 13 18:03:42 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID: <4558B36D.60904@solidstatelogic.com>

Rob Poe wrote:
> Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying.
>

Rob

the latest sare_stock and dcc/razor2 handle the email quite nicely....

there's a nice ruleset for SA to deal with bounce email at....
http://www.timj.co.uk/linux/bogus-virus-warnings.cf

BUT you'll need to stop some of the rules firing otherwise a lot of mailscanner processed stuff will get caught....add this to your local.cf

score VIRUS_WARNING15 0
score VIRUS_WARNING28 0
score VIRUS_WARNING33 0
score VIRUS_WARNING62 0
score VIRUS_WARNING66 0
score VIRUS_WARNING226 0
score VIRUS_WARNING250 0
score VIRUS_WARNING300 0
score VIRUS_WARNING326 0
score VIRUS_WARNING339 0
score VIRUS_WARNING340 0

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From glenn.steen at gmail.com Mon Nov 13 18:05:16 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Nov 13 18:05:19 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID: <223f97700611131005l5cea595ahe4d74c0a7f89c373@mail.gmail.com>

On 13/11/06, Rob Poe wrote:
> Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying.
>

Why do you "catch all"? Reject unknown instead.
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From danc at bluestarshows.com Mon Nov 13 18:01:04 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Nov 13 18:05:38 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3>
Message-ID: <01f501c7074d$b0296e90$0200000a@danc3>

I don't understand what's going on.
Here's a header that was marked as spam.
X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.897,
required 6, BAYES_99 3.50, FORGED_RCVD_HELO 0.14, HTML_40_50 0.50,
HTML_IMAGE_ONLY_12 1.87, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00,
RCVD_IN_XBL 3.90)
Doesn't this tell me that mailscanner is using Spamassassin?
If it is, why when I manually run spam that doesn't get marked through
spamassassin I get an output like this?

Content analysis details: (9.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.7092]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [151.41.202.96 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [151.41.202.96 listed in sbl-xbl.spamhaus.org]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [151.41.202.96 listed in combined.njabl.org]

The header shows:
X-Bluestar-SpamScore: sssss
X-Spam-Status: No

Please someone tell me how to stop this crap from getting through?
----- Original Message -----
From: "Dan Carl"
To: "MailScanner discussion"
Sent: Monday, November 13, 2006 9:38 AM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

>
> ----- Original Message -----
> From: "Glenn Steen"
> To: "MailScanner discussion"
> Sent: Saturday, November 11, 2006 2:26 AM
> Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it
>
>
> > On 10/11/06, Dan Carl wrote:
> > >
> > (snip)
> > > > If you've upgraded SA, did you run the sa-update after that?
> > > I ran sa-update
> > Good.
> > > > Does it look like MailScanners instance of SA is finding/using the correct
> > > > /var/lib/spamassassin/...?
> > > >
> > > sorry not sure how to verify this.
> > Well, the output you just showed (snipped by me:) is an indicator. You
> > could add a rule that would be sure to fire into that directory,
> > restart MS and run a testmessage through... and look at what rules
> > fired...
> Can you please explain how to do this?
> Question:
> Do these need to be set?
> SpamAssassin Install Prefix =
> SpamAssassin Local Rules Dir =
> SpamAssassin Default Rules Dir =
> The conf says that if spamassassin is installed in its default
> location(which mine is)
> they don't need to be set.. Correct?
> >
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
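
Added example (not part of the thread): one way to do the rule-by-rule comparison this question comes down to, by parsing the two formats quoted in the message above, the MailScanner SpamCheck header and the `spamassassin` content-analysis report, and listing which rules, scores and thresholds differ. The header sample is constructed (its rule list is invented to give a total in the "sssss" range); the report is the one pasted above; all function names are this example's own.

```python
import re

# Constructed sample in the X-...-SpamCheck format quoted above; the rule list is
# invented for this example so that the total falls in the "sssss" range.
MS_HEADER = (
    "X-Bluestar-MScan-SpamCheck: not spam, SpamAssassin (not cached, "
    "score=5.04, required 6, BAYES_60 1.00, FORGED_RCVD_HELO 0.14, "
    "RCVD_IN_XBL 3.90)"
)

# Report text as pasted in the message above (manual spamassassin run).
SA_REPORT = """\
Content analysis details:   (9.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.7092]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [151.41.202.96 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [151.41.202.96 listed in sbl-xbl.spamhaus.org]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [151.41.202.96 listed in combined.njabl.org]
"""

RULE_IN_HEADER = re.compile(r"([A-Za-z0-9_]+)\s+(-?\d+(?:\.\d+)?)")
RULE_IN_REPORT = re.compile(r"\s*(-?\d+(?:\.\d+)?)\s+([A-Za-z0-9_]+)(?:\s+(.*))?$")


def parse_mailscanner_header(header):
    """Return (score, required, {rule: points}) from a MailScanner SpamCheck header."""
    m = re.search(r"SpamAssassin \((.*)\)\s*$", header, re.S)
    if not m:
        raise ValueError("no 'SpamAssassin (...)' section in header")
    score = required = None
    rules = {}
    for item in (part.strip() for part in m.group(1).split(",")):
        if item.startswith("score="):
            score = float(item[len("score="):])
        elif item.startswith("required "):
            required = float(item.split()[1])
        else:
            rm = RULE_IN_HEADER.fullmatch(item)
            if rm:  # flags such as "cached" / "not cached" do not match
                rules[rm.group(1)] = float(rm.group(2))
    return score, required, rules


def parse_sa_report(report):
    """Return (score, required, {rule: (points, description)}) from the report."""
    m = re.search(r"\((-?[\d.]+) points, (-?[\d.]+) required\)", report)
    if not m:
        raise ValueError("no 'Content analysis details' summary found")
    rules = {}
    for line in report.splitlines():
        rm = RULE_IN_REPORT.match(line)
        if rm:  # continuation lines ("[... listed in ...]") do not match
            rules[rm.group(2)] = (float(rm.group(1)), (rm.group(3) or "").strip())
    return float(m.group(1)), float(m.group(2)), rules


def compare(ms_header, sa_report, tolerance=0.05):
    """Diff the rules, scores and thresholds of the two runs."""
    ms_score, ms_req, ms_rules = parse_mailscanner_header(ms_header)
    sa_score, sa_req, sa_rules = parse_sa_report(sa_report)
    only_manual = {r: p for r, (p, _) in sa_rules.items() if r not in ms_rules}
    only_ms = {r: p for r, p in ms_rules.items() if r not in sa_rules}
    # The report rounds to one decimal, so ignore differences within tolerance.
    rescored = {
        r: (ms_rules[r], sa_rules[r][0])
        for r in sorted(ms_rules.keys() & sa_rules.keys())
        if round(abs(ms_rules[r] - sa_rules[r][0]), 2) > tolerance
    }
    # Rules the report labels "RBL:" that fired only in the manual run.
    rbl_missing = sorted(r for r in only_manual if sa_rules[r][1].startswith("RBL:"))
    return {
        "scores": (ms_score, sa_score),
        "required": (ms_req, sa_req),
        "threshold_mismatch": ms_req != sa_req,
        "only_manual": only_manual,
        "only_mailscanner": only_ms,
        "rescored": rescored,
        "rbl_rules_missing": rbl_missing,
        "rbl_points_missing": round(sum(only_manual[r] for r in rbl_missing), 2),
    }


if __name__ == "__main__":
    for key, value in compare(MS_HEADER, SA_REPORT).items():
        print(f"{key}: {value}")
```

Both inputs have to come from the same message for the diff to mean anything; a different "required" value in the two runs shows that the two runs are not using the same threshold setting.
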
From ka at pacific.net Mon Nov 13 18:08:48 2006
From: ka at pacific.net (Ken A)
Date: Mon Nov 13 18:06:32 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID: <4558B4B0.3050309@pacific.net>

Catchalls are popular with spammers. They like the fact that all bounces that they generate will be delivered to some poor sucker and not end up in a postmaster box that might be looked at carefully and reported more quickly. You should remove the catchall and bounce the bounces.

Ken
Pacific.Net

Rob Poe wrote:
> Someone is sending spam as one of my domains (poeweb.com, if you're
> getting it, it's NOT me!). I'm getting literally hundreds of bounce
> messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of
> the bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery
> failure, bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like
> them to stop, it's quite annoying.
>

From matt at coders.co.uk Mon Nov 13 18:11:30 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Nov 13 18:11:58 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID: <4558B552.3080902@coders.co.uk>

Rob Poe wrote:
> Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying.
>

If you are running sendmail look at milter-null

matt

From clacroix at cegep-ste-foy.qc.ca Mon Nov 13 18:25:02 2006
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Mon Nov 13 18:25:10 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <45585A52.65ED.00A2.0@plattesheriff.org>
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie> <4558354B.20705@solidstatelogic.com> <45585A52.65ED.00A2.0@plattesheriff.org>
Message-ID: <200611131325.03871.clacroix@cegep-ste-foy.qc.ca>

I'm also being hit quite a bit by this debora :)

maillog:22218
maillog.0.bz2:59521
maillog.1.bz2:5076

On Monday 13 November 2006 12:43, Rob Poe wrote:
> grep -c debora maillog*
> maillog:1364
> maillog.1:4611
> maillog.2:732
> maillog.3:4
> maillog.4:3
>
> >>> Martin Hepworth 11/13/2006 3:05 AM >>>
>
> Michael S. wrote:
> > The huge increase in stock spam that everyone is seeing is coming from
> > the username that is consistently the same. Has anyone noticed?
> >
> > These are different variations of the username@
> >
> > deborahpessanha@bridportleisure.com
> >
> > deborasalsano@brokermart.com
> >
> > deborahvw@brooksmetals.com
> >
> > Etc. Notice the first 6 characters of every username being Debora?
> >
> > Is there an exim rule that one can implement in exim.conf for example
> > that rejects all mail arriving from Debora??????@fakedomain.com
> > ?
> >
> > I'd rather do this at SMTP time instead of allowing MS to kill it off as
> > there are thousands and the less MS has to work the better.
> >
> > Thanks
> > Michael
>
> trapping them nicely here without fuzzyocr or imageinfo..
>
> 5.40 BAYES_99 Bayesian spam probability is 99 to 100%
> 4.00 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.77 DIGEST_MULTIPLE Message hits more than one network digest check
> 1.25 HOST_EQ_IT
> 0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> 1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
> 0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 0.79 SARE_LWSHORTT
> 1.66 SARE_MLB_Stock1
> 1.66 SARE_MLB_Stock2
> 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC.
>
> the SARE stocks rules is very useful here...
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

--
Charles Lacroix, Administrateur UNIX.
Service des télécommunications et des technologies
Cégep de Sainte-Foy (418) 659-6600 # 4266

From prandal at herefordshire.gov.uk Mon Nov 13 18:34:45 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Nov 13 18:35:18 2006
Subject: Debora is a huge spammers!!!!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086D886@isabella.herefordshire.gov.uk>

grep -c "from=
-----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Poe
> Sent: 13 November 2006 17:43
> To: MailScanner discussion; Martin Hepworth
> Subject: Re: Debora is a huge spammers!!!!
>
> grep -c debora maillog*
> maillog:1364
> maillog.1:4611
> maillog.2:732
> maillog.3:4
> maillog.4:3
>
> >>> Martin Hepworth 11/13/2006 3:05 AM >>>
> Michael S. wrote:
> > The huge increase in stock spam that everyone is seeing is coming from
> > the username that is consistently the same. Has anyone noticed?
> >
> > These are different variations of the username@
> >
> > deborahpessanha@bridportleisure.com
> >
> > deborasalsano@brokermart.com
> >
> > deborahvw@brooksmetals.com
> >
> > Etc. Notice the first 6 characters of every username being Debora?
> >
> > Is there an exim rule that one can implement in exim.conf for example
> > that rejects all mail arriving from Debora??????@fakedomain.com
> > ?
> >
> > I'd rather do this at SMTP time instead of allowing MS to kill it off as
> > there are thousands and the less MS has to work the better.
> >
> > Thanks
> > Michael
>
> trapping them nicely here without fuzzyocr or imageinfo..
>
> 5.40 BAYES_99 Bayesian spam probability is 99 to 100%
> 4.00 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.77 DIGEST_MULTIPLE Message hits more than one network digest check
> 1.25 HOST_EQ_IT
> 0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> 1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
> 0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 0.79 SARE_LWSHORTT
> 1.66 SARE_MLB_Stock1
> 1.66 SARE_MLB_Stock2
> 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC.
>
> the SARE stocks rules is very useful here...
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

From rpoe at plattesheriff.org Mon Nov 13 20:39:01 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Mon Nov 13 20:39:37 2006
Subject: Annoying!!!
In-Reply-To: <223f97700611131005l5cea595ahe4d74c0a7f89c373@mail.gmail.com>
References: <45585CA7.65ED.00A2.0@plattesheriff.org> <223f97700611131005l5cea595ahe4d74c0a7f89c373@mail.gmail.com>
Message-ID: <45588385.65ED.00A2.0@plattesheriff.org>

>Why do you "catch all"? Reject unknown instead.

Catch all, because it's used for family, but I use the rob- prefix .. When I sign up for a site, I use a code that I know I used on each site .. makes it easier to filter out spam if/when the email address gets sold..

From dward at nccumc.org Mon Nov 13 20:45:06 2006
From: dward at nccumc.org (Douglas Ward)
Date: Mon Nov 13 20:45:08 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID:

I have started rejecting the .gif extension in postfix. That has taken care of the majority of the image based stock spam (for now).

On 11/13/06, Rob Poe wrote:
>
> Someone is sending spam as one of my domains (poeweb.com, if you're
> getting it, it's NOT me!). I'm getting literally hundreds of bounce
> messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of the
> bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery failure,
> bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like them to
> stop, it's quite annoying.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/d4beaa50/attachment.html

From r.berber at computer.org Mon Nov 13 20:46:44 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Nov 13 20:47:54 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <01f501c7074d$b0296e90$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3> <01f501c7074d$b0296e90$0200000a@danc3>
Message-ID:

Dan Carl wrote:
> I don't understand what's going on.
> Here's a header that was marked as spam.
> X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.897,
> required 6, BAYES_99 3.50, FORGED_RCVD_HELO 0.14, HTML_40_50 0.50,
> HTML_IMAGE_ONLY_12 1.87, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00,
> RCVD_IN_XBL 3.90)
> Doesn't this tell me that mailscanner is using Spamassassin?

Yes.

> If it is, why when I manually run spam that doesn't get marked through
> spamassassin I get an output like this?
>
> Content analysis details: (9.0 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
>                             [score: 0.7092]
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [151.41.202.96 listed in dnsbl.sorbs.net]
>  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [151.41.202.96 listed in sbl-xbl.spamhaus.org]
>  1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>                             [151.41.202.96 listed in combined.njabl.org]

7.9 / 9.0 is from RBLs, perhaps you have configured MS to use its own RBL checks (or none at all) and they are different from what SA uses by default. That would mean that you didn't configure SA as recommended (link MS's etc/spam.assassin.prefs.conf to /etc/mail/spamassassin/mailscanner.cf or to local.cf, so they use the same configuration).

> The header shows:
> X-Bluestar-SpamScore: sssss
> X-Spam-Status: No
[snip]

About 5 (for the same message?), this could also be caused by AWL. If you are running SA as a different user, this happens all the time, I prefer to run `spamassassin -x ...` to avoid this (but not cache hits or image hits, which are more difficult to avoid) and erase the email address from the whitelist (i.e. `spamassassin --remove-addr-from-whitelist=...`).

You need to analyze just one message in detail, what scores differ, what rules match or don't match. Then look at what is causing the differences.
--
René Berber

From ccampbell at brueggers.com Mon Nov 13 20:46:45 2006
From: ccampbell at brueggers.com (Christian Campbell)
Date: Mon Nov 13 20:48:13 2006
Subject: OT: Sendmail.cf question
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3090 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/5034b4dc/smime.bin

From Kevin_Miller at ci.juneau.ak.us Mon Nov 13 21:07:03 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Nov 13 21:07:18 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID:

Rob Poe wrote:
> Someone is sending spam as one of my domains (poeweb.com, if you're
> getting it, it's NOT me!). I'm getting literally hundreds of bounce
> messages daily.

Are you running SPF? It won't stop the spam, but many sites will refuse to accept it if it's not coming from your server. That will cut down on the bounce messages.

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From john at netdirect.ca Mon Nov 13 21:20:00 2006
From: john at netdirect.ca (John Van Ostrand)
Date: Mon Nov 13 21:20:14 2006
Subject: OT: Sendmail.cf question
In-Reply-To:
References:
Message-ID: <1163452800.11897.266.camel@venture.office.netdirect.ca>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/a661c1fa/attachment.bin

From res at ausics.net Mon Nov 13 21:33:54 2006
From: res at ausics.net (Res)
Date: Mon Nov 13 21:34:11 2006
Subject: Slightly OT - RBL test.
In-Reply-To: <4558547D.4010602@mailwash.com.au>
References: <4558547D.4010602@mailwash.com.au>
Message-ID:

On Mon, 13 Nov 2006, Tony Enderby wrote:
> Hi all,
>
> I was wondering if someone who gets a fair mail volume passing through their
> servers (10 to 30k) per day
> and who uses MailScanner would mind testing a budding RBL I am setting up and
> in the process of testing
> at the moment.
>
> The current IP lists are small and won't return anything useful for a while
> but I'd like to load test the servers on which they run.

Using rbldnsd? I set this up once, we used a crappy single cpu p3 server with like only 512 ram, that's how gutless it was..(well it was only occupying storage space otherwise)...

Our 6 key mail servers processed well over 3 million messages a day and it never murmured, nor was there any impact on the mail servers, we went this way because it was easier to maintain our mail blocking rather than add them to all the servers access lists.
--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From danc at bluestarshows.com Mon Nov 13 21:38:20 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Nov 13 21:42:25 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3>
Message-ID: <029501c7076c$0a099110$0200000a@danc3>

----- Original Message -----
From: "René Berber"
To:
Sent: Monday, November 13, 2006 2:46 PM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

>
> > If it is, why when I manually run spam that doesn't get marked through
> > spamassassin I get an output like this?
> >
> > Content analysis details: (9.0 points, 5.0 required)
> >
> >  pts rule name              description
> > ---- ---------------------- --------------------------------------------------
> >  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
> >  1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
> >                             [score: 0.7092]
> >  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
> >                             [151.41.202.96 listed in dnsbl.sorbs.net]
> >  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
> >                             [151.41.202.96 listed in sbl-xbl.spamhaus.org]
> >  1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
> >                             [151.41.202.96 listed in combined.njabl.org]
>
> 7.9 / 9.0 is from RBLs, perhaps you have configured MS to use its own RBL checks
> (or none at all) and they are different from what SA uses by default. That

I have no RBL listed in my MS conf. because I thought if it was set to use SA it would use SA's RBL.
> would mean that you didn't configure SA as recommended (link MS's
> etc/spam.assassin.prefs.conf to /etc/mail/spamassassin/mailscanner.cf or to
> local.cf, so they use the same configuration).

Have the link set.
/etc/mail/spamassassin/mailscanner.cf -> /etc/MailScanner/spam.assassin.prefs.conf

> > The header shows:
> > X-Bluestar-SpamScore: sssss
> > X-Spam-Status: No
> [snip]
>
> About 5 (for the same message?),

YES

> this could also be caused by AWL. If you are
> running SA as a different user, this happens all the time, I prefer to run

I have spamassassin and mailscanner running as the same user.

> `spamassassin -x ...` to avoid this (but not cache hits or image hits, which are
> more difficult to avoid) and erase the email address from the whitelist (i.e.
> `spamassassin --remove-addr-from-whitelist=...`)
> You need to analyze just one message in detail, what scores differ, what rules
> match or don't match. Then look at what is causing the differences.

OK I know how to run a test email through SA:
spamassassin -tx < test.eml
How do I do it with Mailscanner?

> --
> René Berber

From leah at frauerpower.com Mon Nov 13 21:42:53 2006
From: leah at frauerpower.com (Leah Cunningham)
Date: Mon Nov 13 21:42:48 2006
Subject: Messages passing through Mailscanner lose X-Mailer headers, and turn up as SPAM, but no Mailscanner no problem
Message-ID: <200611131642.53900.leah@frauerpower.com>

I have a strange problem. I have a client whose internal user is able to successfully send messages to me from their old Q-Mail server without a problem.
If the same user, with the same mail client, computer, etc, sends a message through a newer mail server that I have set up for them that runs MailScanner (with Postfix), the message is detected by my own mail server (and many others) as Spam, and has different headers. It seems part of the reason is that Spamassassin thinks it is a bogus Outlook, maybe because the X-Mailer header is not there.

The major difference I notice is that in the one that went through MailScanner, we are missing these two headers that are in the one that went through their old mail server, and I want to know why:

X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Here are the headers when the message is sent through their old Qmail based server:

Return-Path:
Delivered-To: leah@frauerpower.com
Received: from misconnew.misconsult.com (misconsult.com [209.226.172.34])
 by sauerkraut.heinous.org (Postfix) with SMTP id D7BB6E565
 for ; Thu, 9 Nov 2006 15:17:10 -0500 (EST)
Received: (qmail 3965 invoked by uid 1010); 9 Nov 2006 20:33:11 -0000
Received: from robert@misconsult.com by misconnew by uid 1007 with qmail-scanner-1.20st
 (clamuko: 0.70. spamassassin: 2.63. Clear:RC:1(192.168.1.28):.
 Processed in 62.666888 secs); 09 Nov 2006 20:33:11 -0000
Received: from unknown (HELO MIS05) (192.168.1.28)
 by misconnew.misconsult.com with SMTP; 9 Nov 2006 20:32:05 -0000
From: "Bob Lewis"
To:
Subject: Test 3 Nov 9 to leah@frauerpower.com
Date: Thu, 9 Nov 2006 15:15:50 -0500
Message-ID: <000801c7043b$dcf7aff0$1c01a8c0@MIS05>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0009_01C70411.F421A7F0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-heinous-MailScanner-Information: Please contact the ISP for more information
X-heinous-MailScanner: Found to be clean
X-heinous-MailScanner-From: robert@misconsult.com
X-Spam-Status: No
X-Length: 10426
X-UID: 3026

And here are the headers using the Postfix + MailScanner combination:

Return-Path:
Delivered-To: support@frauerpower.com
Received: from misconsult.com (misconsult.com [209.226.172.34])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by sauerkraut.heinous.org (Postfix) with ESMTP id B6A10DE3C
 for ; Thu, 9 Nov 2006 12:49:27 -0500 (EST)
From: "Bob Lewis"
To:
Subject: {Spam?} test nov 9
Date: Thu, 9 Nov 2006 12:49:02 -0500
Message-ID: <000301c70427$5b061770$1c01a8c0@MIS05>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0004_01C703FD.72328070"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
X-misconsult-MailScanner-Information: Please contact the ISP for more information
X-misconsult-MailScanner: Found to be clean
X-misconsult-MailScanner-From: robert@misconsult.com
X-Spam-Status: No, Yes
X-heinous-MailScanner-Information: Please contact the ISP for more information
X-heinous-MailScanner: Found to be clean
X-heinous-MailScanner-SpamCheck: spam, SpamAssassin (score=8.23, required 6,
 BAYES_00 -2.60, HTML_90_100 0.11, HTML_MESSAGE 0.00, MISSING_MIMEOLE 1.61,
    MSGID_DOLLARS 1.72, PRIORITY_NO_NAME 2.70, RATWARE_MS_HASH 1.91,
    RATWARE_OUTLOOK_NONAME 2.78)
X-heinous-MailScanner-SpamScore: ssssssss
X-heinous-MailScanner-From: robert@misconsult.com

Any ideas on why these headers are missing, and what else I might do so that we can have the new mail server work?

Please cc leah@heinous.org on this if it's not too much trouble.

Thanks,
Leah

--
Leah Cunningham : d416-585-9971x692 : d416-703-5977 : m416-559-6511
Frauerpower! Co. : www.frauerpower.com : Toronto, ON Canada

From r.berber at computer.org Mon Nov 13 22:13:58 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Nov 13 22:16:49 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <029501c7076c$0a099110$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3> <029501c7076c$0a099110$0200000a@danc3>
Message-ID:

Dan Carl wrote:
[snip]
> I have no RBL listed in my MS conf. because I thought if it was set to use
> SA it would use SA's RBL.

It does, but the configuration (mailscanner.cf) has to explicitly enable it with "skip_rbl_checks 0" (the default is set to 1).

[snip]
> OK I know how run a test email through SA:
> spamassassin -tx < test.eml
> How do I do it with Mailscanner?

The easiest way is to send a message from outside. MS works with the mail queues so any manual test would have to add the qf/df files directly to mqueue.in which doesn't look easy to me.

--
René Berber

From chandler at chapman.edu Mon Nov 13 22:31:34 2006
From: chandler at chapman.edu (Jay Chandler)
Date: Mon Nov 13 22:31:46 2006
Subject: Massive queue buildup
Message-ID:

Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.

It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.

Any idea where to look to sort out where it's coming from?

It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.

Any guidance would be greatly appreciated.

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
-- Peter Da Silva in a.s.r.

From brent.addis at pronet.co.nz Mon Nov 13 22:42:32 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Mon Nov 13 22:44:22 2006
Subject: Massive queue buildup
References:
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz>

Check you're not running one of those massive blacklists from SARE.

I was running one for a while while testing and a similar thing happened. Removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message.

Other ideas:

- Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea.
- Are you running very many RBL's within mailscanner? Try disabling these and see if it helps.
- Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on.
  I am unsure what it is called within postfix as I don't use it.
- Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well.

How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler
Sent: Tue 11/14/2006 11:31 AM
To: mailscanner@lists.mailscanner.info
Subject: Massive queue buildup

Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.

It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.

Any idea where to look to sort out where it's coming from?

It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.

Any guidance would be greatly appreciated.

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
-- Peter Da Silva in a.s.r.

From john at netdirect.ca Mon Nov 13 22:51:51 2006
From: john at netdirect.ca (John Van Ostrand)
Date: Mon Nov 13 22:52:09 2006
Subject: Messages passing through Mailscanner lose X-Mailer headers, and turn up as SPAM, but no Mailscanner no problem
In-Reply-To: <200611131642.53900.leah@frauerpower.com>
References: <200611131642.53900.leah@frauerpower.com>
Message-ID: <1163458311.11897.286.camel@venture.office.netdirect.ca>

On Mon, 2006-11-13 at 16:42 -0500, Leah Cunningham wrote:
> I have a strange problem. I have a client whose internal user is able to
> successfully send messages to me from their old Q-Mail server without a
> problem. If the same user, with the same mail client, computer, etc, sends a
> message through a newer mail server that I have set up for them that runs
> MailScanner (with Postfix), the message is detected by my own mail server
> (and many others) as Spam, and has different headers. It seems part of the
> reason is that Spamassassin thinks it is a bogus Outlook, maybe because the
> X-Mailer header is not there.
>
> The major difference I notice is that in the one that went through
> MailScanner, we are missing these two headers that are in the one that went
> through their old mail server, and I want to know why:
>
> X-Mailer: Microsoft Outlook, Build 10.0.2627
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This may not be much help, but you have received headers missing too.

Based on the Spam report in the second message I think you've identified the missing Outlook headers as being the key. Find out whether postfix or Mailscanner is removing them and you should be fine.

I would try a tcpdump on the client's postfix server to see what is being delivered to postfix.
Do a similar one on the outgoing email to at least confirm that it's the client server.

I use sendmail, where a split queue is used. One may be able to examine the queue files in each queue if you can stop the processes at the right time.

Good luck.

--
John Van Ostrand Net Direct Inc.
CTO, co-CEO 564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
john@netdirect.ca ph: 518-883-1172 x5102
Linux Solutions / IBM Hardware fx: 519-883-8533

From raymond at prolocation.net Mon Nov 13 22:55:05 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Nov 13 22:55:03 2006
Subject: Massive queue buildup
In-Reply-To:
References:
Message-ID:

Hi!

> Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown
> last week-- was forced to throw this box into production early.
>
> It ran fine over the weekend, but today there's a massive queue buildup when
> I run an mqueue-- 10K so far and building.
>
> Any idea where to look to sort out where it's coming from?

I know this sounds silly, but what about your mail log?

> It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load
> average of around 13.

Slow DNS lookups? Large bayes db's etc etc ...

Bye,
Raymond.

From danc at bluestarshows.com Mon Nov 13 22:57:44 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Nov 13 23:01:50 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3> <029501c7076c$0a099110$0200000a@danc3>
Message-ID: <02d601c70777$216cf580$0200000a@danc3>

----- Original Message -----
From: "René Berber"
To:
Sent: Monday, November 13, 2006 4:13 PM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

> Dan Carl wrote:
> [snip]
> > I have no RBL listed in my MS conf. because I thought if it was set to use
> > SA it would use SA's RBL.
>
> It does, but the configuration (mailscanner.cf) has to explicitly enable it with
> "skip_rbl_checks 0" (the default is set to 1).

this differs from what's noted in the mailscanner cf
# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, stop RBL checks in SpamAssassin by un-commenting the
# following line
but I uncommented it out anyway and set it to 0 like you suggested

> [snip]
> > OK I know how run a test email through SA:
> > spamassassin -tx < test.eml
> > How do I do it with Mailscanner?
>

Test with the same message

FROM SPAMASSASSIN:
Content analysis details: (9.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [58.56.112.230 listed in sbl-xbl.spamhaus.org]
 3.2 RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
                            [58.56.112.230 listed in sbl-xbl.spamhaus.org]

FROM MAILSCANNER:
X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.094,
    required 6, BAYES_50 0.00, DATE_IN_PAST_03_06 0.48,
    RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SBL 3.16, RCVD_IN_XBL 3.90)
X-Bluestar-SpamScore: sssssssss

Looks to me like they're very close to one another.
Do they have to be exact?
Both marked them as spam, good no problem.

The problem I have is the ones that get through MailScanner.
They contain no information in the header.
Example:

FROM MAILSCANNER:
X-Bluestar-Scanned: Found to be clean
X-Spam-Status: No

FROM SPAMASSASSIN:
Content analysis details: (31.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 4.1 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.6529]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: goneextra.com]
 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: goneextra.com]
 3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: goneextra.com]
 4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: goneextra.com]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check

These are the same message.
What gives? Me dog could tell this is SPAM.
It's like Mailscanner changes the header but never scans the message
Any ideas for me?
sorry for the length just trying to give detailed information.
I set conf file to log spam and no spam maybe I'll find something here.
thx for your help.

> The easiest way is to send a message from outside. MS works with the mail
> queues so any manual test would have to add the qf/df files directly to
> mqueue.in which doesn't look easy to me.
> --
> René
Berber > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Mon Nov 13 23:24:31 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 13 23:25:53 2006 Subject: Mail Not Delivering In-Reply-To: <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com> <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com> Message-ID: Glenn Steen spake the following on 11/13/2006 1:19 AM: > On 13/11/06, Res wrote: >> On Sun, 12 Nov 2006, Glenn Steen wrote: >> >> > Nope, I think it has something to do with general understaffing and >> > continually jumping from one hot spot to the next (networking >> > (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some >> > hefty AIX boxes, a slew of Suns, a plethora of linuces), backup >> >> *snip* what are you a one man NOC ? surely you can delegate, but I >> know if somthing f2#$#s up it still comes back down to me, thats why >> competant engineers by my side are a must ;) > The term there is _understaffed_;-). Then one becomes "key" to > operations in oh so many ways. Sigh. We're leasing the needed people > to delegate to, but... It's not the same as a fellow employee. 
> >> > The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time, >> > more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I >> >> We are shortly about to remove qmail from equation on all our virtual >> domain boxes by using sendmail and cyrus, I'm sick to death of >> spending 2 days >> patching the usless peice of crap every time we want some other feature >> thats defaultly in sendmail and has been in it for like 8 years or more. >> >> bernstein is right about one thing tho, qmail is secure, afterall how can >> you exploit somthing that does nothing :D >> > Yep:-). > Understaffed and underpaid! That is the sysop's theme song! Lets all sing along!!! It is so easy for my boss to give me 3 or 4 jobs, but I sure can't get payroll to cut me 3 or 4 paychecks!!!! I'll stop sniveling now! I'll just go beat my head against a server. :-/ -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From chandler at chapman.edu Mon Nov 13 23:39:02 2006 From: chandler at chapman.edu (Jay Chandler) Date: Mon Nov 13 23:39:12 2006 Subject: Massive queue buildup In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz> References: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz> Message-ID: On Nov 13, 2006, at 2:42 PM, Brent Addis wrote: > Check your not running one of those massive blacklists from SARE. > > I was running one for a while while testing and a similar thing > happened. removing it dropped my average scan time from ~2 1/2 > minutes to 11 seconds per message. > Where does one determine how long the average scan time is? > Other ideas: > > - Check your dns servers are capable of standing up to the amount > of dns requests you are making. Running something like nscd locally > is a good idea. > I suspect they are, but I'll verify this. > - Are you running very many RBL's within mailscanner? Try disabling > these and see if it helps. 
>
Three or four-- nothing insane.

> - Are you running any type of recipient verification? (as in,
> checking that the person being sent the mail actually exists). If
> not, try turning it on. I am unsure what it is called within
> postfix as I don't use it.
>
We are. Messages to undefined users fault to a 5xx error.

> - Check out http://wiki.mailscanner.info/doku.php?
> id=maq:index#optimization_tips which has a few others as well.
>
Thanks!

> How much mail are you handling a day? I have a couple of single cpu
> 3.0 ghz machines comfortably handling many thousands of messages a
> day.
>
Right now, about 100K a day.

Thanks for the help!

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
-- Peter Da Silva in a.s.r.

From damian at workgroupsolutions.com Mon Nov 13 23:45:59 2006
From: damian at workgroupsolutions.com (Damian Mendoza)
Date: Mon Nov 13 23:46:13 2006
Subject: Massive queue buildup
In-Reply-To:
Message-ID: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com>

Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level.

That should get your server load down to 2.0 or lower to keep up with your traffic.

Regards,

Damian Mendoza
Mission Viejo, CA
949 586-2200

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler
Sent: Monday, November 13, 2006 2:32 PM
To: mailscanner@lists.mailscanner.info
Subject: Massive queue buildup

Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.

It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.

Any idea where to look to sort out where it's coming from?

It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.

Any guidance would be greatly appreciated.

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
-- Peter Da Silva in a.s.r.

From pete at enitech.com.au Mon Nov 13 23:47:46 2006
From: pete at enitech.com.au (Peter Russell)
Date: Mon Nov 13 23:47:54 2006
Subject: Massive queue buildup
In-Reply-To:
References: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <45590422.60706@enitech.com.au>

Happened to me for a while - it was always an issue with a ruleset in SA. Are you sure you aren't running a redundant one? If you disable SA do you get the same problem?

spamassassin -D --lint would probably give you a few hints.
From brent.addis at pronet.co.nz Mon Nov 13 23:48:07 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Mon Nov 13 23:49:36 2006 Subject: Massive queue buildup References: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz> Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF51@pro-ak-exch01.hosted.pronet.net.nz> if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db. With RBL's, don't forget spamassassin also does RBL checking so make sure your not doing twice the lookups you need to. 100k a day should be fine on the hardware you have. ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler Sent: Tue 11/14/2006 12:39 PM To: MailScanner discussion Subject: Re: Massive queue buildup On Nov 13, 2006, at 2:42 PM, Brent Addis wrote: Check your not running one of those massive blacklists from SARE. I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message. Where does one determine how long the average scan time is? Other ideas: - Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea. I suspect they are, but I'll verify this. 
- Are you running very many RBL's within mailscanner? Try disabling these and see if it helps. Three or four-- nothing insane. - Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it. We are. Messages to undefined users fault to a 5xx error. - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well. Thanks! How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day. Right now, about 100K a day. Thanks for the help! -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 7350 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061114/ddd4ef2c/attachment-0001.bin From r.berber at computer.org Mon Nov 13 23:51:13 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Mon Nov 13 23:51:37 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches it In-Reply-To: <02d601c70777$216cf580$0200000a@danc3> References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3> <029501c7076c$0a099110$0200000a@danc3> <02d601c70777$216cf580$0200000a@danc3> Message-ID: Dan Carl wrote: [snip] > Looks to me like there very close to one another. > Do they have to be exact? 
No, but one score is just the rounded (to one decimal) value, so they seem to be the same.

> Both marked them as spam, good no problem.
>
> The problem I have is the ones that get through MailScanner.
> They contain no information in the header.

That's an option on MS, look for "Always Include SpamAssassin Report".

[snip]
> These are the same message.
> What gives? Me dog could tell this is SPAM.
> It's like Mailscanner changes the header but never scans the message
> Any ideas for me?

I would take a look at the mail log, was the message white listed? Perhaps it used a fake address which causes MS to not scan it (check custom rules if you use them).

> sorry for the length just trying to give detailed information.

No problem.

[snip]
--
René Berber

From brent.addis at pronet.co.nz Mon Nov 13 23:49:29 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Mon Nov 13 23:54:34 2006
Subject: Massive queue buildup
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz>

greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but that's not the point.

greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza
Sent: Tue 11/14/2006 12:45 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level.

That should get your server load down to 2.0 or lower to keep up with your traffic.
Regards, Damian Mendoza Mission Viejo, CA 949 586-2200 ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler Sent: Monday, November 13, 2006 2:32 PM To: mailscanner@lists.mailscanner.info Subject: Massive queue buildup Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early. It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building. Any idea where to look to sort out where it's coming from? It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13. Any guidance would be greatly appreciated. -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 7762 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061114/a8336973/attachment.bin From ka at pacific.net Tue Nov 14 00:05:30 2006 From: ka at pacific.net (Ken A) Date: Tue Nov 14 00:03:14 2006 Subject: Massive queue buildup In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com> <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> Message-ID: <4559084A.6060801@pacific.net> Brent Addis wrote: > greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. Oh, come on.. tell us how!! lol They probably shouldn't have been using email to do what they were, but thats not the point. 
> > greylisting adds an unnecessary delay to email, and can quite easilly be beaten if a spammer sets his mind to it. There's no reason for it to delay legit mail. Just configure to delay suspicious mail, based on rbl lookup or helo or whatever.. Ken A. Pacific.Net > > ________________________________ > > From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza > Sent: Tue 11/14/2006 12:45 PM > To: MailScanner discussion > Subject: RE: Massive queue buildup > > > > Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level. > > > > That should get your server load down to 2.0 or lower to keep up with your traffic. > > > > > > Regards, > > > Damian Mendoza > > Mission Viejo, CA > > 949 586-2200 > > > > > > ________________________________ > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler > Sent: Monday, November 13, 2006 2:32 PM > To: mailscanner@lists.mailscanner.info > Subject: Massive queue buildup > > > > Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early. > > > > It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building. > > > > Any idea where to look to sort out where it's coming from? > > > > It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13. > > > > Any guidance would be greatly appreciated. > > > > From chandler at chapman.edu Tue Nov 14 00:09:54 2006 From: chandler at chapman.edu (Chandler, Jay) Date: Tue Nov 14 00:09:58 2006 Subject: Massive queue buildup Message-ID: Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occuring. 
Our DNS server is local and on the same netblock as the mailserver in question. We have a few RBLs at connecttime, but they seem to be holding up well. It's a bit of a stumper... -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: your keyboard's space bar is generating spurious keycodes. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:48 PM To: MailScanner discussion Subject: RE: Massive queue buildup if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db. With RBL's, don't forget spamassassin also does RBL checking so make sure your not doing twice the lookups you need to. 100k a day should be fine on the hardware you have. ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler Sent: Tue 11/14/2006 12:39 PM To: MailScanner discussion Subject: Re: Massive queue buildup On Nov 13, 2006, at 2:42 PM, Brent Addis wrote: Check your not running one of those massive blacklists from SARE. I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message. 
Where does one determine how long the average scan time is? Other ideas: - Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea. I suspect they are, but I'll verify this. - Are you running very many RBL's within mailscanner? Try disabling these and see if it helps. Three or four-- nothing insane. - Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it. We are. Messages to undefined users fault to a 5xx error. - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well. Thanks! How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day. Right now, about 100K a day. Thanks for the help! -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. From brent.addis at pronet.co.nz Tue Nov 14 00:12:37 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Nov 14 00:15:43 2006 Subject: Massive queue buildup References: Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF54@pro-ak-exch01.hosted.pronet.net.nz> 3 seconds? Not bad! However, are you sure that includes the mailscanner config? 
(It might be in /etc/spamassassin or /etc/mail/spamassassin) if not, include the config file in your lint (I think its either -C or -P /path/to/spam.assassin.conf) ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay Sent: Tue 11/14/2006 1:09 PM To: MailScanner discussion Subject: RE: Massive queue buildup Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occuring. Our DNS server is local and on the same netblock as the mailserver in question. We have a few RBLs at connecttime, but they seem to be holding up well. It's a bit of a stumper... -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: your keyboard's space bar is generating spurious keycodes. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:48 PM To: MailScanner discussion Subject: RE: Massive queue buildup if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db. With RBL's, don't forget spamassassin also does RBL checking so make sure your not doing twice the lookups you need to. 100k a day should be fine on the hardware you have. 
________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler Sent: Tue 11/14/2006 12:39 PM To: MailScanner discussion Subject: Re: Massive queue buildup On Nov 13, 2006, at 2:42 PM, Brent Addis wrote: Check your not running one of those massive blacklists from SARE. I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message. Where does one determine how long the average scan time is? Other ideas: - Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea. I suspect they are, but I'll verify this. - Are you running very many RBL's within mailscanner? Try disabling these and see if it helps. Three or four-- nothing insane. - Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it. We are. Messages to undefined users fault to a 5xx error. - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well. Thanks! How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day. Right now, about 100K a day. Thanks for the help! -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From brent.addis at pronet.co.nz Tue Nov 14 00:19:35 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Nov 14 00:21:03 2006
Subject: Massive queue buildup
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com><7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> <4559084A.6060801@pacific.net>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF53@pro-ak-exch01.hosted.pronet.net.nz>

you can't guarantee that non suspicious (however urgent) email won't be listed in an rbl or have an invalid HELO at all times.

Copied from another list as well:

One important thing to watch for is that for larger sites the server that first tries to send your email might not be the one that tries to resend it later. Greylisting sites will thus block the email for a while until the sending site gets lucky and uses the same machine twice in a row.

Generating tempfail messages to sending sites is just asking for trouble IMHO. You really can't determine exactly they will act and how long they will take to retry to send the message. Any delay is 100% your fault although most people using greylisting seem keen to push the blame to the sending site.

It's the equivalent of ignoring someone when they first email/call you and saying "If it's important they'll ring back". Not very polite and possibly not providing the best service to customers.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Ken A
Sent: Tue 11/14/2006 1:05 PM
To: MailScanner discussion
Subject: Re: Massive queue buildup

Brent Addis wrote:
> greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone.
Oh, come on.. tell us how!! lol

> They probably shouldn't have been using email to do what they were, but that's not the point.
>
> greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.

There's no reason for it to delay legit mail. Just configure to delay suspicious mail, based on rbl lookup or helo or whatever..

Ken A.
Pacific.Net

> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza
> Sent: Tue 11/14/2006 12:45 PM
> To: MailScanner discussion
> Subject: RE: Massive queue buildup
>
> Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level.
>
> That should get your server load down to 2.0 or lower to keep up with your traffic.
>
> Regards,
>
> Damian Mendoza
> Mission Viejo, CA
> 949 586-2200
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler
> Sent: Monday, November 13, 2006 2:32 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Massive queue buildup
>
> Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.
>
> It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.
>
> Any idea where to look to sort out where it's coming from?
>
> It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.
>
> Any guidance would be greatly appreciated.
From ssilva at sgvwater.com Tue Nov 14 00:30:11 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Nov 14 00:30:37 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID:

Rob Poe spake the following on 11/13/2006 9:53 AM:
> Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying.
>
Have you thought about setting up SPF records? At least a system could find out if they are not from you by spf lookups. I know that SPF isn't a spam tool, but it is an IP address spoofing check.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
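The SPF lookup suggested in the reply above, as an added example that is not part of the original post or of MailScanner: how a receiving server evaluates a published SPF record against the connecting IP address. The domains, addresses and TXT records are constructed placeholders, only the ip4, ip6, include and all terms are handled, and rejecting on a hard fail is an assumed local policy.

```python
"""Minimal SPF (RFC 7208) evaluator: ip4, ip6, include and all only."""
import ipaddress

# Constructed TXT records standing in for DNS answers. Names and addresses
# are placeholders (reserved example domains, documentation IP ranges).
SPF_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 limit on terms that trigger DNS lookups


class SPFStop(Exception):
    """Evaluation ended early with a final result (permerror/unsupported)."""


def _evaluate(ip, domain, zone, budget):
    terms = (zone.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # domain publishes no SPF policy
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise SPFStop("permerror")
            if net.version != int(name[2]):
                raise SPFStop("permerror")  # e.g. an IPv6 range under ip4:
            matched = ip.version == net.version and ip in net
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                raise SPFStop("permerror")  # too many lookups / include loop
            inner = _evaluate(ip, arg.lower(), zone, budget)
            if inner == "none":
                raise SPFStop("permerror")  # include target has no record
            matched = inner == "pass"       # only a pass makes include match
        else:
            raise SPFStop("unsupported")    # a, mx, exists, redirect=, ...
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched, no "all" term


def check_host(client_ip, domain, zone=SPF_TXT):
    """Return the SPF result for a connecting IP and the MAIL FROM domain."""
    try:
        return _evaluate(ipaddress.ip_address(client_ip), domain.lower(),
                         zone, [MAX_DNS_TERMS])
    except SPFStop as stop:
        return stop.args[0]


def smtp_decision(client_ip, mail_from, zone=SPF_TXT):
    """Assumed local policy: reject only a hard SPF fail, during the session."""
    result = check_host(client_ip, mail_from.rsplit("@", 1)[-1], zone)
    return result, ("reject" if result == "fail" else "accept")


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.25", "2001:db8::1", "203.0.113.77"):
        print(ip, smtp_decision(ip, "someone@example.org"))
```

A receiver that rejects a hard fail while the SMTP session is still open has no accepted message to bounce later, which is what keeps the failure notice away from the forged sender's catchall.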
From mkettler at evi-inc.com Tue Nov 14 00:35:43 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 14 00:35:51 2006
Subject: Massive queue buildup
In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz>
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com> <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <45590F5F.50803@evi-inc.com>

Brent Addis wrote:
> greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but that's not the point.

But it is the point. If time is in any way critical, email isn't for you. PERIOD.

Greylisting didn't nearly kill someone, some person used email where time criticality was a life-or-death issue. That person's bad choice of communication methods nearly killed someone. Greylisting has nothing to do with it.

Quite frankly, any spam control technology, like say, SpamAssassin, could have FPed on the message, causing it to possibly be ignored by the recipient. Would you say SA nearly killed someone? Would you stop using it and insist everyone else do the same?

What if one of the routers in that email path had crashed or had a hardware failure, would say that Cisco nearly killed someone? Would you stop using Cisco products and insist everyone else do the same?

Bad disk on the mailserver? Seagate's a killer?

Loss of power? BGE? Yeah, definitely don't use electricity.. it's unreliable and could kill someone.

Let's face it, the email user in question is lucky THEY didn't kill someone with their mistake.

Greylisting is not to blame here. Keep the life-and-death dramatics of someone's mistakes out of it.

> greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.

It doesn't add unnecessary delay to most messages, Not if you do it *right*.
So far this week (today and Sunday) my greylist has:
    handled 16,493 total messages
    delayed 12,238 messages.
    allowed 4,255 messages to be delivered without delay.
    accepted 330 messages after delay.

Of the 330 delayed messages, only 9 were not tagged as spam by SA. Of these 9, 2 were spams that SA failed to tag, 5 were mass-mailed newsletters (delivery speed not important), and only 2 were personal messages.

So 2 significant FPs out of 16,493 messages. 0.01% error rate, not too bad.

Any spam control technology has its downfalls. loss, delay, or deprioritization of mail will be a side effect of any of these systems in some cases.

If you do greylisting right, you can keep the delays down to a sane level and still hack off a lot of spam. Approximately 72.2% of the inbound mail has been eliminated.

From ka at pacific.net Tue Nov 14 00:47:44 2006
From: ka at pacific.net (Ken A)
Date: Tue Nov 14 00:45:27 2006
Subject: Massive queue buildup
In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF53@pro-ak-exch01.hosted.pronet.net.nz>
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com><7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> <4559084A.6060801@pacific.net> <7EF1F27F7292534D82933F70AB6996CC07AF53@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <45591230.1000201@pacific.net>

Brent Addis wrote:
> you can't guarantee that non suspicious (however urgent) email won't be listed in an rbl or have an invalid HELO at all times.

true. ymmv with any anti-spam system. I'd love it if we could clone each end user's brain and create an AI based system that simply used each end users' brain's response to the message to determine if each message was spam or not. That would be pretty foolproof. Sadly, perhaps.. we don't have that ability.
:-(

> Copied from another list as well:
> One important thing to watch for is that for larger sites the server that
> first tries to send your email might not be the one that tries to resend
> it later. Greylisting sites will thus block the email for a while until
> the sending site gets lucky and uses the same machine twice in a row.

Not true. You can greylist on IP, MAIL, RCPT, HELO. It doesn't have to be just the IP and RCPT.

> Generating tempfail messages to sending sites is just asking for
> trouble IMHO. You really can't determine exactly they will act and how
> long they will take to retry to send the message. Any delay is 100%
> your fault although most people using greylisting seem keen to push the
> blame to the sending site.

If a site is not RFC compliant, or is listed in several RBLs, they certainly have some responsibility in that - at least 99.99% of the time if you are using a reliable RBL. You can also whitelist any non rfc compliant and/or rbl listed domains as you wish.

> It's the equivalent of ignoring someone when they first email/call you and
> saying "If it's important they'll ring back" . Not very polite and
> possibly not providing the best service to customers.

In terms of telephone call, it's more like having your calls screened.

Ken A
Pacific.Net

>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Ken A
> Sent: Tue 11/14/2006 1:05 PM
> To: MailScanner discussion
> Subject: Re: Massive queue buildup
>
> Brent Addis wrote:
>> greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone.
>
> Oh, come on.. tell us how!! lol
>
> They probably shouldn't have been using email to do what they were, but
> that's not the point.
>> greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.
>
> There's no reason for it to delay legit mail.
> Just configure to delay suspicious mail, based on rbl lookup or helo or whatever..
>
> Ken A.
> Pacific.Net
>
>> ________________________________
>>
>> From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza
>> Sent: Tue 11/14/2006 12:45 PM
>> To: MailScanner discussion
>> Subject: RE: Massive queue buildup
>>
>> Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level.
>>
>> That should get your server load down to 2.0 or lower to keep up with your traffic.
>>
>> Regards,
>>
>> Damian Mendoza
>> Mission Viejo, CA
>> 949 586-2200
>>
>> ________________________________
>>
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler
>> Sent: Monday, November 13, 2006 2:32 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Massive queue buildup
>>
>> Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.
>>
>> It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.
>>
>> Any idea where to look to sort out where it's coming from?
>>
>> It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.
>>
>> Any guidance would be greatly appreciated.
From chandler at chapman.edu Tue Nov 14 00:46:51 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Tue Nov 14 00:46:56 2006
Subject: Massive queue buildup
Message-ID:

Yeah, we used to run greylisting, but there's no way I'd condone it here.

"Almost killed someone" seems a bit over the top, though... :-)

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: Fluorescent lights are generating negative ions. If turning them off doesn't work, take them out and put tin foil on the ends.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
Sent: Monday, November 13, 2006 3:49 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but that's not the point.

greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza
Sent: Tue 11/14/2006 12:45 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level.

That should get your server load down to 2.0 or lower to keep up with your traffic.
Regards,

Damian Mendoza
Mission Viejo, CA
949 586-2200

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler
Sent: Monday, November 13, 2006 2:32 PM
To: mailscanner@lists.mailscanner.info
Subject: Massive queue buildup

Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.

It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.

Any idea where to look to sort out where it's coming from?

It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.

Any guidance would be greatly appreciated.

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r.

From brent.addis at pronet.co.nz Tue Nov 14 00:47:31 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Nov 14 00:49:04 2006
Subject: Massive queue buildup
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com><7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> <45590F5F.50803@evi-inc.com>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF56@pro-ak-exch01.hosted.pronet.net.nz>

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Matt Kettler
Sent: Tue 11/14/2006 1:35 PM
To: MailScanner discussion
Subject: Re: Massive queue buildup

Brent Addis wrote:
> greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but that's not the point.

>But it is the point. If time is in any way critical, email isn't for you. PERIOD.
Unfortunately, no matter how many times to tell people with this, they will still use email. People have this perception that email is the ultimate communication tool. We get complaints when email doesn't appear for more than a minute. Suffice it to say the person sending the email now knows about mail delays. You can't educate every single user about this sort of thing (people come and go very often), all you can do is reduce the possibility of it happening.

I'm not really willing to enter a flame war on greylisting as I care very little about it. I do however take your below statements on board. This is simply my opinion on greylisting and in no way did I mean to get your panties in a knot.

>Greylisting didn't nearly kill someone, some person used email where time
>criticality was a life-or-death issue. That person's bad choice of communication
>methods nearly killed someone. Greylisting has nothing to do with it.

>Quite frankly, any spam control technology, like say, SpamAssassin, could have
>FPed on the message, causing it to possibly be ignored by the recipient. Would
>you say SA nearly killed someone? Would you stop using it and insist everyone
>else do the same?

>What if one of the routers in that email path had crashed or had a hardware
>failure, would say that Cisco nearly killed someone? Would you stop using Cisco
>products and insist everyone else do the same?

>Bad disk on the mailserver? Seagate's a killer?

>Loss of power? BGE? Yeah, definitely don't use electricity.. it's unreliable and
>could kill someone.

>Let's face it, the email user in question is lucky THEY didn't kill someone with
>their mistake.

>Greylisting is not to blame here. Keep the life-and-death dramatics of someone's
>mistakes out of it.

> greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.

>It doesn't add unnecessary delay to most messages, Not if you do it *right*.
>So far this week (today and Sunday) my greylist has:
>    handled 16,493 total messages
>    delayed 12,238 messages.
>    allowed 4,255 messages to be delivered without delay.
>    accepted 330 messages after delay.

>Of the 330 delayed messages, only 9 were not tagged as spam by SA. Of these 9, 2
>were spams that SA failed to tag, 5 were mass-mailed newsletters (delivery speed
>not important), and only 2 were personal messages.

>So 2 significant FPs out of 16,493 messages. 0.01% error rate, not too bad.

>Any spam control technology has its downfalls. loss, delay, or deprioritization
>of mail will be a side effect of any of these systems in some cases.

>If you do greylisting right, you can keep the delays down to a sane level and
>still hack off a lot of spam. Approximately 72.2% of the inbound mail has been
>eliminated.

From chandler at chapman.edu Tue Nov 14 00:52:30 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Tue Nov 14 00:52:34 2006
Subject: Massive queue buildup
Message-ID:

brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/mailscanner.conf --lint
3.092u 0.386s 0:09.71 35.7% 10+37348k 0+0io 0pf+0w
brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/ --lint
4.135u 0.318s 0:04.97 89.3% 10+48865k 0+0io 0pf+0w
brewer#

Looks good from here.
-- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: terrorist activities -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 4:13 PM To: MailScanner discussion Subject: RE: Massive queue buildup 3 seconds? Not bad! However, are you sure that includes the mailscanner config? (It might be in /etc/spamassassin or /etc/mail/spamassassin) if not, include the config file in your lint (I think its either -C or -P /path/to/spam.assassin.conf) ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay Sent: Tue 11/14/2006 1:09 PM To: MailScanner discussion Subject: RE: Massive queue buildup Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occuring. Our DNS server is local and on the same netblock as the mailserver in question. We have a few RBLs at connecttime, but they seem to be holding up well. It's a bit of a stumper... -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: your keyboard's space bar is generating spurious keycodes. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:48 PM To: MailScanner discussion Subject: RE: Massive queue buildup if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. 
I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db. With RBL's, don't forget spamassassin also does RBL checking so make sure your not doing twice the lookups you need to. 100k a day should be fine on the hardware you have. ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler Sent: Tue 11/14/2006 12:39 PM To: MailScanner discussion Subject: Re: Massive queue buildup On Nov 13, 2006, at 2:42 PM, Brent Addis wrote: Check your not running one of those massive blacklists from SARE. I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message. Where does one determine how long the average scan time is? Other ideas: - Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea. I suspect they are, but I'll verify this. - Are you running very many RBL's within mailscanner? Try disabling these and see if it helps. Three or four-- nothing insane. - Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it. We are. Messages to undefined users fault to a 5xx error. - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well. Thanks! How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day. Right now, about 100K a day. Thanks for the help! 
-- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From brent.addis at pronet.co.nz Tue Nov 14 00:54:40 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Nov 14 00:57:08 2006 Subject: Massive queue buildup References: Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF58@pro-ak-exch01.hosted.pronet.net.nz> ok, what about batch processing speed? Try enabling that within MailScanner.conf ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay Sent: Tue 11/14/2006 1:52 PM To: MailScanner discussion Subject: RE: Massive queue buildup brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/mailscanner.conf --lint 3.092u 0.386s 0:09.71 35.7% 10+37348k 0+0io 0pf+0w brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/ --lint 4.135u 0.318s 0:04.97 89.3% 10+48865k 0+0io 0pf+0w brewer# Looks good from here. -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: terrorist activities -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 4:13 PM To: MailScanner discussion Subject: RE: Massive queue buildup 3 seconds? Not bad! However, are you sure that includes the mailscanner config? 
(It might be in /etc/spamassassin or /etc/mail/spamassassin) if not, include the config file in your lint (I think its either -C or -P /path/to/spam.assassin.conf) ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay Sent: Tue 11/14/2006 1:09 PM To: MailScanner discussion Subject: RE: Massive queue buildup Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occuring. Our DNS server is local and on the same netblock as the mailserver in question. We have a few RBLs at connecttime, but they seem to be holding up well. It's a bit of a stumper... -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: your keyboard's space bar is generating spurious keycodes. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:48 PM To: MailScanner discussion Subject: RE: Massive queue buildup if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files