From michael at dilworth.net Sun Oct 1 03:19:51 2006
From: michael at dilworth.net (Michael R. Dilworth (E-mail))
Date: Sun Oct 1 03:20:06 2006
Subject: Whitelisting and SA, Bayes issues.
Message-ID: <033101c6e500$1420c350$5713cc40@OCEANII>

Hopefully I'm doing some thing wrong here, but I'm stuck.

Question: Why, if a from address is whitelisted, does it still go through
SA?

Issue: I (root@x) send email daily, summarizing quarantined messages to my
users, thus I white list root.

Problem: These messages are being auto learned as "not spam". The messages
include the subject line, etc. thus messing with my bayes database
slightly.

TIA Michael...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 1604 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060930/2ebc2f94/winmail.bin

From glenn.steen at gmail.com Sun Oct 1 10:34:28 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Oct 1 10:34:32 2006
Subject: Daily Spam report
In-Reply-To: <451EDB50.9060501@gmx.de>
References: <451EDB50.9060501@gmx.de>
Message-ID: <223f97700610010234p43d8fed4oe377d7b2d0c0d9f@mail.gmail.com>

On 30/09/06, Cornelius Koelbel wrote:
> Hi there,
>
> is it possible, to send a daily spam report to the user?
> It is easier for me to check false positives in a list, than with every
> mail.
>
> Besides this is a top feature for enterprise usage.
> Deliver no Spams, but keep them quarantined.
> Get a daily spam report and release a spam mail on user request.
>
> Kind regards
> Cornelius

To my knowledge you have two options:
1) MailWatch (version 1.x) has a quarantine report script that will do
something like this. Check http://mailwatch.sf.net or the related
software in the MailScanner wiki.
2) Fortress systems have a script that will do this (I think). Check
http://www.fsl.com/support/

Having said that, I don't use either...
(But there seem to be several who do:-) So I can't really vouch for how
well they work.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sun Oct 1 10:39:00 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Oct 1 10:39:05 2006
Subject: Whitelisting and SA, Bayes issues.
In-Reply-To: <033101c6e500$1420c350$5713cc40@OCEANII>
References: <033101c6e500$1420c350$5713cc40@OCEANII>
Message-ID: <223f97700610010239tc930d76k178638e5760dbd7@mail.gmail.com>

On 01/10/06, Michael R. Dilworth (E-mail) wrote:
> Hopefully I'm doing some thing wrong here, but I'm stuck.
>
> Question: Why, if a from address is whitelisted, does it still go through
> SA?
>
> Issue: I (root@x) send email daily, summarizing quarantined messages to my
> users, thus I white list root.
>
> Problem: These messages are being auto learned as "not spam". The messages
> include the subject line, etc. thus messing with my bayes database
> slightly.
>
> TIA Michael...
>
>

How do you whitelist it? Through a ruleset on what/which settings?
If done right, SA shouldn't be invoked on whitelisted mails.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Sun Oct 1 10:53:37 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Oct 1 10:53:55 2006
Subject: MailScanner ANNOUNCE: Stable version 4.56 released
Message-ID: <451F9021.4080600@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks!

A new stable release for you.

New things this time include:
- -- control of reports sent to senders of "too large" messages,
- -- Postfix 2.3 support,
- -- fine control of maximum size of message section sent to SpamAssassin,
- -- significant improvement to reliability of tnef extraction utility,
- -- new location for web bug replacement to alleviate server load.
Available from www.mailscanner.info

The full Change Log is this:

* New Features and Improvements *
1 Added a complete new set of configuration settings to report on messages
  and attachments that are outside the size limits set in MailScanner.conf.
  These are:
    Sender Size Report
    Stored Size Message Report
    Deleted Size Message Report
    Size Modify Subject
    Size Subject Text
  These are used in exactly the same way as the other sets of options that
  tag and modify the message for other reasons.
3 Improved report of "message too large" case.
3 Updated Catalan language files courtesy of Jordi Sanfeliu.
3 Increased default max SpamAssassin message size to catch more
  single-image spam messages.
3 Solved compatibility with Postfix 2.3.
3 Upgraded Sys::Syslog to 0.18 which fixes all the compatibility problems
  of 0.17 and 0.16.
3 Upgraded Kaspersky support to 5.5.
4 Added new features to "Max SpamAssassin Size" setting:
    --- behave as before
    trackback --- get n bytes then backtrack looking for the start of the
    attachment we are in the middle of.
    continue --- get n bytes then continue up to a maximum of m extra bytes
    looking for the end of the attachment we are in the middle of.
5 Upgraded to tnef version 1.4.3.
5 Upgraded Archive::Zip to 1.16. Builds properly on x64 architectures.

* Fixes *
1 When 'Outgoing Queue Dir' was changed from the default, kicking sendmail
  into attempting delivery of a new processed message in the outgoing queue
  would just wait for the next regular run of the queue. Now fixed so that
  a delivery attempt is made immediately. This fix only affects users who
  have changed the "Outgoing Queue Dir" setting and who are also using
  sendmail as their MTA.
2 Missed 2 "defined" checks on variables before using them. Thanks to Andy
  Kirkpatrick for spotting that one.
2 Fixed version number check.
3 Fixed output bug in less strict phishing net. Does anyone use this?
3 Fixed bug in Sendmail KickMessage() function. Thanks to Martin Billy.
4 Removed Postfix 2.3 extra, and reverted to simple regexp as Holger's
  version is buggy (mismatched ')').
5 Changed number of viruses found reported to be max of each AV package's
  value.
6 Rewrote logic of addenvto so it should now work correctly when the
  setting is blank.
6 Put in new version of Postfix 2.3 regexp.

And please buy the book if you haven't already! :-)

Jules

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFH5AiEfZZRxQVtlQRAhHzAJ0ejTZqRudRsWTFb8kzMOr8+ewKygCghDGN
BKFM+cEnBlqtCYBc8Jd9mEI=
=pfjK
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From cornelius.koelbel at gmx.de Sun Oct 1 10:54:21 2006
From: cornelius.koelbel at gmx.de (Cornelius Koelbel)
Date: Sun Oct 1 10:54:37 2006
Subject: Daily Spam report
In-Reply-To: <223f97700610010234p43d8fed4oe377d7b2d0c0d9f@mail.gmail.com>
References: <451EDB50.9060501@gmx.de>
 <223f97700610010234p43d8fed4oe377d7b2d0c0d9f@mail.gmail.com>
Message-ID: <451F904D.1060307@gmx.de>

Hi Glenn,

thanks for your reply. So I see that Mailscanner does not support this
by itself.
I saw mailwatch, but did not like to use mysql and php, which is needed
by mailwatch.
So I will look around at fortress systems or start my mysqld :(

Kind regards
Cornelius

Glenn Steen wrote:
> On 30/09/06, Cornelius Koelbel wrote:
>> Hi there,
>>
>> is it possible, to send a daily spam report to the user?
>> It is easier for me to check false positives in a list, than with every
>> mail.
>>
>> Besides this is a top feature for enterprise usage.
>> Deliver no Spams, but keep them quarantined.
>> Get a daily spam report and release a spam mail on user request.
>>
>> Kind regards
>> Cornelius
>
> To my knowledge you have two options:
> 1) MailWatch (version 1.x) has a quarantine report script that will do
> something like this. Check http://mailwatch.sf.net or the related
> software in the MailScanner wiki.
> 2) Fortress systems have a script that will do this (I think). Check
> http://www.fsl.com/support/
>
> Having said that, I don't use either... (But there seem to be several
> who do:-) So I can't really vouch for how well they work.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3641 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061001/e7a4a7aa/smime.bin

From hkeasytech at gmail.com Sun Oct 1 13:33:17 2006
From: hkeasytech at gmail.com (Barry Kwok)
Date: Sun Oct 1 13:33:25 2006
Subject: Custom Header
Message-ID: <9d2057cc0610010533n41b8a101t41f7a6eec72ec769@mail.gmail.com>

I want to add custom header based on sender's domain and recipient address.
I add

Non Spam Actions = %rules-dir%/scan.messages.rules

into MailScanner.conf and the scan.messages.rules as:

From: *@ hotmail.com and To: barry@mydomain.com header "X-hotmail-check: yes"
FromOrTo: default deliver

But it doesn't work

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061001/7520c393/attachment.html

From glenn.steen at gmail.com Sun Oct 1 14:47:29 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Oct 1 14:47:32 2006
Subject: Daily Spam report
In-Reply-To: <451F904D.1060307@gmx.de>
References: <451EDB50.9060501@gmx.de>
 <223f97700610010234p43d8fed4oe377d7b2d0c0d9f@mail.gmail.com>
 <451F904D.1060307@gmx.de>
Message-ID: <223f97700610010647t7e99e1f1j5267f1de2d52d1e4@mail.gmail.com>

On 01/10/06, Cornelius Koelbel wrote:
> Hi Glenn,
>
> thanks for your reply. So I see that Mailscanner does not support this
> by itself.

No, that is true.... Then again, there are a lot of things that
MailScanner doesn't do *by itself*;-).

> I saw mailwatch, but did not like to use mysql and php, which is needed
> by mailwatch.

Ok. You lose out on a pretty impressive tool, but that is entirely your
prerogative:-)

> So I will look around at fortress systems or start my mysqld :(

You needn't look that far... It is the QuarantineReport script (a
tarball linked as the final link in the first section
(MailScanner...)). This excerpt is from the INSTALL file:
------
QuarantineReport is:
--------------------------------------------
QuarantineReport is a small application that's intended to:

* Create a daily report for each user who has messages in MailScanner
  quarantine
* Create a web link to view the message in Quarantine
* Provide a link to allow the user to release the message in Quarantine
* Email the report to the user

The report will contain this information for each message in Quarantine:

From: address_of_sender
Subject: subject_of message
Link_to_View Link_to_Release

The application can also verify that recipient is a valid user by
checking a file or performing an LDAP search.
-----
If you run Sendmail or Exim, this seems to be viable for what you want
to do. If not (Postfix, Zmail, Qmail...) you'll probably need to go with
MailWatch, or... hack it up to fit your MTA.
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Sun Oct 1 15:33:39 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Oct 1 15:33:55 2006
Subject: Wikipedia
Message-ID: <451FD1C3.4070906@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Could someone update the Wikipedia entry for MailScanner please?
It's currently a short "stub" entry, which could do with expanding to
include a list of features, and pointers to the various support channels
available.

Please can some do this for me?

Thanks folks!

Jules

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFH9HEEfZZRxQVtlQRApK2AJwK++d2yaliEehrfeFfTkCMd6J6wQCfcWKA
abus9k54HmP/LG7eW8jp5lQ=
=z+v0
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From mgt at stellarcore.net Sun Oct 1 16:01:08 2006
From: mgt at stellarcore.net (Mike Tremaine)
Date: Sun Oct 1 16:01:21 2006
Subject: Daily Spam report
In-Reply-To: <200610011100.k91B0JfY019223@bkserver.blacknight.ie>
References: <200610011100.k91B0JfY019223@bkserver.blacknight.ie>
Message-ID: <451FD834.3030107@stellarcore.net>

> > On 30/09/06, Cornelius Koelbel wrote:
>> >> Hi there,
>> >>
>> >> is it possible, to send a daily spam report to the user?
>> >> It is easier for me to check false positives in a list, than with every
>> >> mail.
>> >>
>> >> Besides this is a top feature for enterprise usage.
>> >> Deliver no Spams, but keep them quarantined.
>> >> Get a daily spam report and release a spam mail on user request.
>> >>
>> >> Kind regards
>> >> Cornelius
> >
> > To my knowledge you have two options:
> > 1) MailWatch (version 1.x) has a quarantine report script that will do
> > something like this. Check http://mailwatch.sf.net or the related
> > software in the MailScanner wiki.
> > 2) Fortress systems have a script that will do this (I think). Check
> > http://www.fsl.com/support/
> >
> > Having said that, I don't use either... (But there seem to be several
> > who do:-) So I can't really vouch for how well they work.

I don't have a daily spam report either but if I had to have one this is
how I'd do it.

First not sure how you store your spam I forward it to an account with
this rule

Spam Actions = forward spams-store@localhost

Then I use a script to roll the IMAP Folders based on date.

#!/bin/bash
##########################################################################
#spamstore_roller.sh
#Copyright Mar 8 2005 Mike Tremaine
#
#
##########################################################################
#
###########################
#
###########################
#Set Global dir
spamstore_user="spam-store"
spamstore_group="spamstore"
spamstore_spool="/var/spool/mail/$spamstore_user"
spamstore_maildir="/home/$spamstore_user/mail"
spamstore_mailboxlist="/home/$spamstore_user/.mailboxlist"
targetdate=$(date -d -5min +%Y%m%d)
purgeoffset=3weeks

##################
#If system has non gnu date use perl like so
#targetdate=$(perl -e 'use POSIX qw(strftime); $now_string = strftime "%Y%m%d", localtime; print "$now_string";')

#############################
#Rotate spool to dated mbox
#The spool is copied and then truncated without a lock, so mail delivered
#between the two commands is lost
if [ -s "$spamstore_spool" ]; then
   cat "$spamstore_spool" >> "$spamstore_maildir/spam.$targetdate.mbox"
   cp /dev/null "$spamstore_spool"
   chown "$spamstore_user:$spamstore_user" "$spamstore_maildir/spam.$targetdate.mbox"
fi

#############################
#Purge control
#Only the mbox dated exactly $purgeoffset ago is removed, so a missed run
#leaves that day's file in place
purgeday=$(date -d -$purgeoffset +%Y%m%d)
if [ -f "$spamstore_maildir/spam.$purgeday.mbox" ]; then
   rm -f "$spamstore_maildir/spam.$purgeday.mbox"
fi

##############################
#Rebuild mailboxlist if needed
if [ -f "$spamstore_mailboxlist" ]; then
   ls -1 "$spamstore_maildir" | sed -e 's:\(.*\)$:mail\/\1:' > "$spamstore_mailboxlist"
   chown "$spamstore_user:$spamstore_group" "$spamstore_mailboxlist"
fi

# vi: shiftwidth=3 tabstop=3 et

So now you have daily mailboxes for spam.... The next step to get a report
would be another Perl or Bash script that could grep the To/From/Subject and
make a little list of what's in there.

Maybe this pushes you in the right direction, maybe this wastes space in
your Inbox. Good luck.

-Mike

From mikej at rogers.com Sun Oct 1 16:12:48 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Sun Oct 1 16:12:04 2006
Subject: Daily Spam report
In-Reply-To: <451F904D.1060307@gmx.de>
References: <451EDB50.9060501@gmx.de>
 <223f97700610010234p43d8fed4oe377d7b2d0c0d9f@mail.gmail.com>
 <451F904D.1060307@gmx.de>
Message-ID: <451FDAF0.5010404@rogers.com>

Cornelius Koelbel wrote:
> Hi Glenn,
>
> thanks for your reply. So I see that Mailscanner does not support this
> by itself.
> I saw mailwatch, but did not like to use mysql and php, which is needed
> by mailwatch.
> So I will look around at fortress systems or start my mysqld :(
>

And what the hell do you think fortress systems uses?
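
Added example, not part of the archived thread and not Mike Tremaine's or Fortress Systems' code: the report step Mike Tremaine describes for his dated spam mboxes, limited to known local users as the QuarantineReport excerpt suggests, with the sender-controlled From and Subject text decoded and stripped of control characters before it is listed. The function names, MAX_FIELD, the example.org addresses and the sample mbox are constructed for illustration, and it assumes the stored copies keep their original To/Cc headers.

```python
"""Daily quarantine summary per local user, read from one dated mbox."""
import mailbox
import os
import re
import tempfile
from collections import defaultdict
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import getaddresses

MAX_FIELD = 120  # assumption: cap for sender-controlled text shown in a report
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]+")

# Constructed sample standing in for spam.20061001.mbox; not real traffic.
SAMPLE_MBOX = """\
From spammer@example.net Sun Oct  1 12:00:00 2006
From: Cheap Meds <spammer@example.net>
To: alice@example.org, outsider@example.com
Subject: Buy now

body one

From phisher@example.net Sun Oct  1 12:05:00 2006
From: "Bank" <phisher@example.net>
To: bob@example.org
Subject: =?utf-8?q?Win=0D=0AX-Fake:_1?=

body two

From spammer@example.net Sun Oct  1 12:10:00 2006
From: spammer@example.net
To: nobody@example.org
Cc: ALICE@example.org
Subject: Second offer

body three
"""


def clean_header(raw):
    """Decode RFC 2047 words, replace control characters, cap the length."""
    if raw is None:
        return "(none)"
    try:
        text = str(make_header(decode_header(str(raw))))
    except (HeaderParseError, LookupError, UnicodeError, ValueError):
        text = str(raw)  # undecodable header: fall back to the raw text
    text = re.sub(r"\s+", " ", _CONTROL.sub(" ", text)).strip()
    return text[:MAX_FIELD] if text else "(none)"


def build_report(mbox_path, valid_users):
    """Map each valid local recipient to a list of (from, subject) pairs."""
    valid = {user.lower() for user in valid_users}
    report = defaultdict(list)
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for msg in box:
            headers = msg.get_all("To", []) + msg.get_all("Cc", [])
            rcpts = {a.lower() for _, a in getaddresses([str(h) for h in headers]) if a}
            entry = (clean_header(msg["From"]), clean_header(msg["Subject"]))
            # Only addresses on the local list get a report; recipients
            # outside the system that share the message are skipped.
            for addr in rcpts & valid:
                report[addr].append(entry)
    finally:
        box.close()
    return dict(report)


def render(addr, entries):
    """Plain-text report body for one user."""
    lines = [f"Quarantined messages for {addr}: {len(entries)}"]
    for n, (sender, subject) in enumerate(entries, 1):
        lines.append(f"{n:3d}. From: {sender}")
        lines.append(f"     Subject: {subject}")
    return "\n".join(lines)


def demo():
    """Write the constructed sample to a temporary mbox and build the report."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "spam.20061001.mbox")
        with open(path, "w", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        return build_report(path, ["alice@example.org", "bob@example.org"])


if __name__ == "__main__":
    for addr, entries in sorted(demo().items()):
        print(render(addr, entries), end="\n\n")
```

The valid-user list plays the role of the text file check mentioned in the thread; a report mailed from a whitelisted sender still carries these spam subject lines, which is the Bayes auto-learn concern raised in the first message.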
From prandal at herefordshire.gov.uk Sun Oct 1 16:13:49 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Oct 1 16:14:05 2006
Subject: MailScanner ANNOUNCE: Stable version 4.56 released
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681D3@isabella.herefordshire.gov.uk>

Julian,

Max Spamassassin Size = 40000 continue 10000

Throws up this error:

Oct 1 16:08:51 mx2 MailScanner[12544]: Syntax error in line 1630, 40000 continue 10000 for maxspamassassinsize should be a number

Cheers,

Phil

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Sunday, October 01, 2006 10:54 AM
To: MailScanner discussion; MailScanner-Announce mailing list list
Subject: MailScanner ANNOUNCE: Stable version 4.56 released

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks!

A new stable release for you.

New things this time include:
- -- control of reports sent to senders of "too large" messages,
- -- Postfix 2.3 support,
- -- fine control of maximum size of message section sent to SpamAssassin,
- -- significant improvement to reliability of tnef extraction utility,
- -- new location for web bug replacement to alleviate server load.

Available from www.mailscanner.info

The full Change Log is this:

* New Features and Improvements *
1 Added a complete new set of configuration settings to report on messages
  and attachments that are outside the size limits set in MailScanner.conf.
  These are:
    Sender Size Report
    Stored Size Message Report
    Deleted Size Message Report
    Size Modify Subject
    Size Subject Text
  These are used in exactly the same way as the other sets of options that
  tag and modify the message for other reasons.
3 Improved report of "message too large" case.
3 Updated Catalan language files courtesy of Jordi Sanfeliu.
3 Increased default max SpamAssassin message size to catch more
  single-image spam messages.
3 Solved compatibility with Postfix 2.3.
3 Upgraded Sys::Syslog to 0.18 which fixes all the compatibility problems
  of 0.17 and 0.16.
3 Upgraded Kaspersky support to 5.5.
4 Added new features to "Max SpamAssassin Size" setting:
    --- behave as before
    trackback --- get n bytes then backtrack looking for the start of the
    attachment we are in the middle of.
    continue --- get n bytes then continue up to a maximum of m extra bytes
    looking for the end of the attachment we are in the middle of.
5 Upgraded to tnef version 1.4.3.
5 Upgraded Archive::Zip to 1.16. Builds properly on x64 architectures.

* Fixes *
1 When 'Outgoing Queue Dir' was changed from the default, kicking sendmail
  into attempting delivery of a new processed message in the outgoing queue
  would just wait for the next regular run of the queue. Now fixed so that
  a delivery attempt is made immediately. This fix only affects users who
  have changed the "Outgoing Queue Dir" setting and who are also using
  sendmail as their MTA.
2 Missed 2 "defined" checks on variables before using them. Thanks to Andy
  Kirkpatrick for spotting that one.
2 Fixed version number check.
3 Fixed output bug in less strict phishing net. Does anyone use this?
3 Fixed bug in Sendmail KickMessage() function. Thanks to Martin Billy.
4 Removed Postfix 2.3 extra, and reverted to simple regexp as Holger's
  version is buggy (mismatched ')').
5 Changed number of viruses found reported to be max of each AV package's
  value.
6 Rewrote logic of addenvto so it should now work correctly when the
  setting is blank.
6 Put in new version of Postfix 2.3 regexp.

And please buy the book if you haven't already! :-)

Jules

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFH5AiEfZZRxQVtlQRAhHzAJ0ejTZqRudRsWTFb8kzMOr8+ewKygCghDGN
BKFM+cEnBlqtCYBc8Jd9mEI=
=pfjK
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From pravin.rane at gmail.com Sun Oct 1 16:20:27 2006
From: pravin.rane at gmail.com (Pravin Rane)
Date: Sun Oct 1 16:20:29 2006
Subject: Selective Spam Checks
Message-ID: <13c021a90610010820r13a52d6dwb51d032e97625893@mail.gmail.com>

I have 2 IPs 10.1.1.100 and 10.1.1.200 on my mail server

10.1.1.100 is MX
10.1.1.200 is for outgoing SMTP

My users use Second IP 10.1.1.200 for sending mails
I want to disable Spam Checks for the mails which are coming only from my
SMTP IP (10.1.1.200)

What rule I should write ?

--
Regards
Pravin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061001/364daa1b/attachment.html

From marcel-ml at irc-addicts.de Sun Oct 1 16:39:00 2006
From: marcel-ml at irc-addicts.de (Marcel Blenkers)
Date: Sun Oct 1 16:39:33 2006
Subject: Daily Spam report
In-Reply-To: <451FDAF0.5010404@rogers.com>
References: <451EDB50.9060501@gmx.de>
 <223f97700610010234p43d8fed4oe377d7b2d0c0d9f@mail.gmail.com>
 <451F904D.1060307@gmx.de>
 <451FDAF0.5010404@rogers.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

On Sun, 1 Oct 2006, Mike Jakubik wrote:

> Cornelius Koelbel wrote:
> > Hi Glenn,
> >
> > thanks for your reply. So I see that Mailscanner does not support this
> > by itself.
> > I saw mailwatch, but did not like to use mysql and php, which is needed
> > by mailwatch.
> > So I will look around at fortress systems or start my mysqld :(
> >
>
> And what the hell do you think fortress systems uses?
>
>

i am using the fortress-script. ;) without any kind of mysql ;)

I had to do some settings, as the default behaviour sends out the report
to every recipient within the mail. Means, if you do receive a mail for a
number of recipient even outside of your system and the system is setup
to send mails via localhost, the other recipient would also receive the
spam-report ;)

So, as my system is very low, i use the setup to check for recipient via
txt-file.

Second: i had to change the domain within the script, as this was setup to
use the fortress-domain. I do not know, if this was changed after my
download of the script..

So, now all my users (the four) are happy to receive the spamreport on
daily basis.. =) and to be able to release false spam-detected mails..
Greetings

Marcel
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFH+EXeuKbXOoTCo8RApRqAJ9N22J9NY5OonqXla7SvorsaRWNNgCfTZ0J
GeVAqTaClwrF9IHvjtVFikU=
=Lmuv
-----END PGP SIGNATURE-----

From hgh at rcwm.com Sun Oct 1 23:31:04 2006
From: hgh at rcwm.com (Henry Hollenberg)
Date: Sun Oct 1 23:27:26 2006
Subject: SOLVED Re: Only a few incoming emails seem to be getting scanned. {Scanned}
In-Reply-To: <223f97700609290635q76e500ck8b1edfe1e0698958@mail.gmail.com>
References: <451BBDE5.80104@rcwm.com>
 <451BC2CE.4090107@solidstatelogic.com>
 <451CA3FD.2010707@rcwm.com>
 <223f97700609290059h6ed7138ci50fa9c9e49180c82@mail.gmail.com>
 <451D0852.3000700@rcwm.com>
 <223f97700609290635q76e500ck8b1edfe1e0698958@mail.gmail.com>
Message-ID: <452041A8.4070108@rcwm.com>

Glenn Steen wrote:
> On 29/09/06, Henry Hollenberg wrote:
>
>> Glenn Steen wrote:
>> > On 29/09/06, Henry Hollenberg wrote:
>> > (snip)
>> >
>> >> > Have you checked that all the appropriate stuff in postfix has been
>> >> done...
>> >> >
>> >>
>> >> Ooops!, you were right. I skipped the postfix steps somehow....
>> >> I've done them and restarted postfix and mailscanner.....now let's
>> >> see how it goes....
>> >
>> >
>> > Ah, that explains it.

Setting up postfix for delivery to the "hold" queue fixed my "broken"
install. After this MailScanner was able to pick up the emails and
process them.

Thanks guys.

hgh.

--
Henry Hollenberg hgh@rcwm.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From hgh at rcwm.com Sun Oct 1 23:57:04 2006
From: hgh at rcwm.com (Henry Hollenberg)
Date: Sun Oct 1 23:53:23 2006
Subject: mailscanner hangs on automatic restart {Scanned}
Message-ID: <452047C0.7010002@rcwm.com>

It looks like mailscanner is hanging every time it does its automatic
restart at 14400 sec.
If I do a manual restart /etc/init.d/mailscanner restart the logs look
like this:

Oct 1 17:32:06 bastion MailScanner[30537]: MailScanner E-Mail Virus Scanner version 4.41.3 starting...
Oct 1 17:32:06 bastion postfix/smtpd[30539]: connect from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131]
Oct 1 17:32:06 bastion MailScanner[30537]: Read 120 hostnames from the phishing whitelist
Oct 1 17:32:09 bastion postfix/smtpd[30539]: NOQUEUE: reject: RCPT from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131]: 554 Service unavailable; Client host [69.138.210.131] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?69.138.210.131; from= to= proto=SMTP helo=
Oct 1 17:32:09 bastion postfix/smtpd[30539]: lost connection after RCPT from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131]
Oct 1 17:32:09 bastion postfix/smtpd[30539]: disconnect from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131]
Oct 1 17:32:09 bastion MailScanner[30537]: Using locktype = flock

Otherwise the system seems to be hammering the spam.....yeah!

hgh.

--
Henry Hollenberg hgh@rcwm.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From hgh at rcwm.com Mon Oct 2 00:33:58 2006
From: hgh at rcwm.com (Henry Hollenberg)
Date: Mon Oct 2 00:30:15 2006
Subject: pyzor ip bad in debian install {Scanned}
In-Reply-To: <452047C0.7010002@rcwm.com>
References: <452047C0.7010002@rcwm.com>
Message-ID: <45205066.2090104@rcwm.com>

Has anyone else noticed the pyzor IP being bad in the debian install?

I found a reference by a Chris Pollock where he mentioned a new IP and it
seemed to work.

Link:

https://sourceforge.net/mailarchive/forum.php?thread_id=30601945&forum_id=8711

snippet from that post:

quote: Olivier, try using this address:
quote:
quote: 82.94.255.100:24441
quote:
quote: Milton Cyrus set this one up back in March and I've been using it ever
quote: since.
Just remember that if you run "pyzor discover" you'll have to
quote: re-enter it in your Pyzor server list. I've had no problems at all using
quote: this server.
quote:
quote: HTH

So I changed mine from what shipped (66.250.40.33:24441), to the IP above
and it seemed to work.

But is it safe to use???

hgh.

--
Henry Hollenberg hgh@rcwm.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From hgh at rcwm.com Mon Oct 2 01:53:34 2006
From: hgh at rcwm.com (Henry Hollenberg)
Date: Mon Oct 2 01:49:58 2006
Subject: bayes problem {Scanned}
In-Reply-To: <451D2749.8050203@delodder.be>
References: <451D2749.8050203@delodder.be>
Message-ID: <4520630E.1010400@rcwm.com>

Philippe Delodder wrote:
> Hi,
>
> when i run spamassassin -D --lint i see that bayes is used but when i
> check the header of an email that is spam i don't see use of bayes in
> MailScanner-SpamCheck. is that normal?
>
> I'm using MailScanner version 4.54.6 with postfix
>
> Philippe Delodder
>
>
>

I was wondering the exact same thing.
I have trained the system with a bunch of
emails and it still doesn't seem to be putting BAYES scores on them:

bastion:~/.pyzor# sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 752 0 non-token data: nspam
0.000 0 695 0 non-token data: nham
0.000 0 80524 0 non-token data: ntokens
0.000 0 1141401016 0 non-token data: oldest atime
0.000 0 1159706957 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

And where I expect to see something:

X-gosemr-MailScanner-SpamCheck: spam, SpamAssassin (score=9.285, required 6,
DCC_CHECK 1.37, DIGEST_MULTIPLE 0.23, FORGED_RCVD_HELO 0.05,
RAZOR2_CF_RANGE_51_100 1.49, RAZOR2_CHECK 0.15, URIBL_JP_SURBL 4.00,
URIBL_OB_SURBL 2.00)

Am I jumping the gun?

hgh.

--
Henry Hollenberg hgh@rcwm.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From glenn.steen at gmail.com Mon Oct 2 09:37:04 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 2 09:37:07 2006
Subject: bayes problem {Scanned}
In-Reply-To: <4520630E.1010400@rcwm.com>
References: <451D2749.8050203@delodder.be>
 <4520630E.1010400@rcwm.com>
Message-ID: <223f97700610020137t6c40aceci5e74f7a1138ba6af@mail.gmail.com>

On 02/10/06, Henry Hollenberg wrote:
> Philippe Delodder wrote:
> > Hi,
> >
> > when i run spamassassin -D --lint i see that bayes is used but when i
> > check the header of an email that is spam i don't see use of bayes in
> > MailScanner-SpamCheck. is that normal?
> >
> > I'm using MailScanner version 4.54.6 with postfix
> >
> > Philippe Delodder
> >
> >
> >
>
> I was wondering the exact same thing.
I have trained the system with a bunch of
> emails and it still doesn't seem to be putting BAYES scores on them:
>
> bastion:~/.pyzor# sa-learn --dump magic
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 752 0 non-token data: nspam
> 0.000 0 695 0 non-token data: nham
> 0.000 0 80524 0 non-token data: ntokens
> 0.000 0 1141401016 0 non-token data: oldest atime
> 0.000 0 1159706957 0 non-token data: newest atime
> 0.000 0 0 0 non-token data: last journal sync atime
> 0.000 0 0 0 non-token data: last expiry atime
> 0.000 0 0 0 non-token data: last expire atime delta
> 0.000 0 0 0 non-token data: last expire reduction count
>
>
> And where I expect to see something:
>
> X-gosemr-MailScanner-SpamCheck: spam, SpamAssassin (score=9.285, required 6,
> DCC_CHECK 1.37, DIGEST_MULTIPLE 0.23, FORGED_RCVD_HELO 0.05,
> RAZOR2_CF_RANGE_51_100 1.49, RAZOR2_CHECK 0.15, URIBL_JP_SURBL 4.00,
> URIBL_OB_SURBL 2.00)
>
> Am I jumping the gun?
>

Henry, I see you are using root here... (the telltale # prompt:)... Can
the postfix user find/read the bayes DB? Become your PF user and redo
that;-)...

su - postfix -s /bin/bash
sa-learn ...... whatever....

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Mon Oct 2 09:43:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 2 09:43:30 2006
Subject: PGP sig missing.
Message-ID: <223f97700610020143v5d5570f8r8bf4e3f385095311@mail.gmail.com>

The signature file seems to be missing for at least the rpm install...
The link
http://www.mailscanner.info/files/4/rpm/MailScanner-4.56.7-1.rpm.tar.gz.sig
leads to a "Forbidden" error:

Forbidden
You don't have permission to access
/files/4/rpm/MailScanner-4.56.7-1.rpm.tar.gz.sig on this server.

Additionally, a 404 Not Found error was encountered while trying to use
an ErrorDocument to handle the request.
Apache/1.3.35 Server at www.mailscanner.info Port 80

....

Could you fix that Jules?
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From tgc at statsbiblioteket.dk Mon Oct 2 11:03:13 2006
From: tgc at statsbiblioteket.dk (Tom G. Christensen)
Date: Mon Oct 2 11:03:17 2006
Subject: Installing 4.56.7 on RHEL 2.1
Message-ID: <4520E3E1.1050600@statsbiblioteket.dk>

I've just done a test upgrade from 4.41-3 to 4.56.7 on an RHEL 2.1 host.
There were several issues that I've described below.

Before installing the host had 4.41-3 with the perl module versions installed that was distributed with that version of MailScanner + a few updates/extras.
Here's MailScanner -v output from a production host with the same config:
---
This is Red Hat Enterprise Linux ES release 2.1 (Panama)
This is Perl version 5.006001 (5.6.1)

This is MailScanner version 4.41.3
Module versions are:
1.14 Archive::Zip
1.119 Convert::BinHex
1.03 Fcntl
2.6 File::Basename
2.03 File::Copy
2.00 FileHandle
1.0404 File::Path
0.12 File::Temp
1.29 HTML::Entities
3.45 HTML::Parser
2.30 HTML::TokeParser
1.20 IO
1.08 IO::File
1.121 IO::Pipe
1.50 Mail::Header
3.05 MIME::Base64
5.417 MIME::Decoder
5.417 MIME::Decoder::UU
5.417 MIME::Head
5.417 MIME::Parser
3.03 MIME::QuotedPrint
5.417 MIME::Tools
0.10 Net::CIDR
1.03 POSIX
1.72 Socket
0.01 Sys::Syslog
1.01 Time::localtime

Optional module versions are:
1.75 DB_File
missing Digest
1.01 Digest::HMAC
2.33 Digest::MD5
2.10 Digest::SHA1
missing Inline
missing Mail::ClamAV
2.64 Mail::SpamAssassin
missing Mail::SPF::Query
missing Net::CIDR::Lite
0.49 Net::DNS
missing Net::LDAP
missing Parse::RecDescent
missing SAVI
missing Sys::Hostname::Long
1.1604 Test::Harness
missing Test::Simple
missing Text::Balanced
1.35 URI
---

Since I'd be updating SA to 3.1.5 later I had built (with cpan2rpm) and installed perl-ExtUtils-MakeMaker 6.30, perl-Getopt-Long 2.35, perl-Compress-Zlib 1.42, perl-IO-Zlib 1.04 and perl-Archive-Tar 1.30 before doing the MailScanner upgrade.

I ran ./install.sh to do the installation but several modules failed to build and the tnef package could not be installed.
The modules that failed were:
perl-DBI
perl-File-Temp
perl-Sys-Syslog
perl-Archive-Zip
perl-DBD-SQLite

All of them except perl-DBD-SQLite fail because they need Test::More to run their tests. I installed perl-Test-Simple 0.51 which I happened to have around and this fixes it for perl-Archive-Zip and perl-File-Temp.
perl-DBI still fails because it also needs perl-Storable. Curiously the distribution includes perl-Storable-2.15 but install.sh doesn't build it. Rebuilding it by hand works fine. Perl-DBI still fails to complete but what is even worse is that during the build it installs files directly into /usr instead of the BuildRoot! (exactly why I never build stuff as root under normal circumstances).
I instead used cpan2rpm to package perl-DBI 1.50 and that produces a working src.rpm.
perl-Sys-Syslog fails the build stage and seems not to be perl 5.6.1 compatible out of the box (5.6.1 lacks const char * in the typemap which Sys-Syslog wants). Adding a typemap file to the source with this alias fixes the build. I ended up building a new src.rpm altogether using cpan2rpm after I discovered that the build failed on RHEL 3 & 4 with unpackaged file errors.
perl-DBD-SQLite fails because SQLite is not available. After installing SQLite and the new perl-DBI it builds fine.

The tnef package requires glibc 2.3 and is thus incompatible with RHEL 2.1 which is based on glibc 2.2. I fixed up the specfile included in the upstream source and rebuilt it to fix this.

I realize that I'm fighting a losing battle since most people are running newer versions of perl and newer Linux dists etc.
Just thought you should know that at least the RPM version of MailScanner seems to effectively require perl 5.8 and glibc 2.3 for easy installation.

With that said here's MailScanner 4.56.7 with SpamAssassin 3.1.5 running on RHEL 2.1...

---
[root@eon MailScanner-4.56.7-1]# MailScanner -v
Running on
Linux eon 2.4.9-e.65 #1 Thu Aug 4 20:19:30 EDT 2005 i686 unknown
This is Red Hat Enterprise Linux ES release 2.1 (Panama)
This is Perl version 5.006001 (5.6.1)

This is MailScanner version 4.56.7
Module versions are:
1.16 Archive::Zip
1.119 Convert::BinHex
1.03 Fcntl
2.6 File::Basename
2.03 File::Copy
2.00 FileHandle
1.0404 File::Path
0.16 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.54 HTML::Parser
2.37 HTML::TokeParser
1.20 IO
1.08 IO::File
1.121 IO::Pipe
1.71 Mail::Header
3.05 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.03 MIME::QuotedPrint
5.420 MIME::Tools
0.10 Net::CIDR
1.03 POSIX
1.72 Socket
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.86 Time::HiRes
1.01 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.75 DB_File
1.12 DBD::SQLite
1.50 DBI
missing Digest
1.01 Digest::HMAC
2.33 Digest::MD5
2.10 Digest::SHA1
missing Inline
missing Mail::ClamAV
3.001005 Mail::SpamAssassin
missing Mail::SPF::Query
missing Net::CIDR::Lite
1.24 Net::IP
0.49 Net::DNS
missing Net::LDAP
missing Parse::RecDescent
missing SAVI
1.1604 Test::Harness
0.51 Test::Simple
missing Text::Balanced
1.35 URI
---

sa-update is not yet working since it'll need a newer libwww-perl (for LWP::UserAgent) but otherwise it seems to be working well.

-tgc

From ylacan at teicam.com Mon Oct 2 11:05:56 2006
From: ylacan at teicam.com (Youri LACAN-BARTLEY)
Date: Mon Oct 2 11:06:30 2006
Subject: pyzor ip bad in debian install {Scanned}
In-Reply-To: <45205066.2090104@rcwm.com>
References: <452047C0.7010002@rcwm.com> <45205066.2090104@rcwm.com>
Message-ID: <4520E484.70209@teicam.com>

Henry Hollenberg wrote:
> Has anyone else noticed the pyzor IP being bad in
> the debian install?
>
> I found a reference by a Chris Pollock where he mentioned a new IP and
> it seemed
> to work.
>
> Link:
> https://sourceforge.net/mailarchive/forum.php?thread_id=30601945&forum_id=8711
>
>
> snippet from that post:
>
> quote: Olivier, try using this address:
> quote:
> quote: 82.94.255.100:24441
> quote:
> quote: Milton Cyrus set this one up back in March and I've been
> using it ever
> quote: since. Just remember that if you run "pyzor discover" you'll
> have to
> quote: re-enter it in your Pyzor server list. I've had no problems
> at all using
> quote: this server.
> quote:
> quote: HTH
>
> So I changed mine from what shipped (66.250.40.33:24441), to the IP
> above and it seemed to work.
>
> But is it safe to use???
>
> hgh.
>

Hi,

I ran into the same problem as you and stumbled across the same IP.
I've been running it for a few months now and haven't run into any trouble whatsoever.
Now if it's "safe" to use is a question I couldn't answer right now.
I'd be curious to know what IP other people from the mailing list use...

--
This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found.

From prandal at herefordshire.gov.uk Mon Oct 2 11:27:41 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Oct 2 11:29:20 2006
Subject: Installing 4.56.7 on RHEL 2.1
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580F979A1B@isabella.herefordshire.gov.uk>

It would have been easier to upgrade the whole box to CentOS 3.x or 4.x ;-)

Your Net::DNS is really old, it might be worthwhile updating that via CPAN.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Tom G. Christensen
> Sent: 02 October 2006 11:03
> To: mailscanner@lists.mailscanner.info
> Subject: Installing 4.56.7 on RHEL 2.1
>
> I've just done a test upgrade from 4.41-3 to 4.56.7 on an
> RHEL 2.1 host.
> There were several issues that I've described below.
>

From hgh at rcwm.com Mon Oct 2 13:17:06 2006
From: hgh at rcwm.com (Henry Hollenberg)
Date: Mon Oct 2 13:13:34 2006
Subject: bayes problem {Scanned}
In-Reply-To: <223f97700610020137t6c40aceci5e74f7a1138ba6af@mail.gmail.com>
References: <451D2749.8050203@delodder.be> <4520630E.1010400@rcwm.com>
 <223f97700610020137t6c40aceci5e74f7a1138ba6af@mail.gmail.com>
Message-ID: <45210342.2060607@rcwm.com>

Glenn Steen wrote:
>>
>> And where I expect to see something:
>>
>> X-gosemr-MailScanner-SpamCheck: spam, SpamAssassin (score=9.285,
>> required 6,
>> DCC_CHECK 1.37, DIGEST_MULTIPLE 0.23, FORGED_RCVD_HELO 0.05,
>> RAZOR2_CF_RANGE_51_100 1.49, RAZOR2_CHECK 0.15, URIBL_JP_SURBL
>> 4.00,
>> URIBL_OB_SURBL 2.00)
>>
>> Am I jumping the gun?
>>
> Henry, I see you are using root here... (the telltale # prompt:)...
> Can the postfix user find/read the bayes DB? Become your PF user and
> redo that;-)...
> su - postfix -s /bin/bash
> sa-learn ...... whatever....
>

Ok, changed the permissions on /root/.spamassassin to postfix:postfix but still seem to be getting some errors. Don't see where to change the expected location of the bayes db in the config files.....got to get to work....I'll look around some more tonight!

hgh.

postfix@bastion:/root$ sa-learn --dump magic
ERROR: Bayes dump returned an error, please re-run with -D for more information
postfix@bastion:/root$ sa-learn -D --dump magic
debug: SpamAssassin version 3.0.3
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/bin/X11', which doesn't exist, dropping.
debug: PATH included '/usr/games', keeping.
debug: Final PATH set to: /usr/local/bin:/usr/bin:/bin:/usr/games
debug: using "/etc/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/spamassassin/init.pre
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/share/spamassassin/50_scores.cf
debug: config: read file /usr/share/spamassassin/60_whitelist.cf
debug: config: read file /usr/share/spamassassin/65_debian.cf
debug: using "/etc/spamassassin" for site rules dir
debug: config: read file /etc/spamassassin/local.cf
debug: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1453
debug: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs file
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857fa28)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8ec8a50)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8eaa8dc)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857fa28) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8ec8a50) implements 'parse_config'
debug: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1453
No such file or directory
debug: bayes: no dbs present, cannot tie DB R/O: /var/spool/postfix/.spamassassin/bayes_toks
debug: Score set 0 chosen.
debug: bayes: no dbs present, cannot tie DB R/O: /var/spool/postfix/.spamassassin/bayes_toks
ERROR: Bayes dump returned an error, please re-run with -D for more information
postfix@bastion:/root$

--
Henry Hollenberg hgh@rcwm.com

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.
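An added example, not part of the original posts: a Python triage script for the symptom in this thread (Bayes trained, yet no BAYES_* rule in the MailScanner SpamCheck header). It parses `sa-learn --dump magic` output from the account that did the training, the `-D` debug output from the account that scans, and the header itself. Function names are hypothetical, the sample inputs are constructed from the outputs quoted above, and the threshold of 200 is SpamAssassin's default for bayes_min_spam_num and bayes_min_ham_num.

```python
"""Triage for "Bayes is trained but never scores" (added example)."""
import re

# SpamAssassin's default bayes_min_spam_num / bayes_min_ham_num.
MIN_TRAINED = 200

# Constructed samples, shaped like the outputs quoted in this thread.
DUMP_AS_ROOT = """\
0.000 0 3 0 non-token data: bayes db version
0.000 0 752 0 non-token data: nspam
0.000 0 695 0 non-token data: nham
0.000 0 80524 0 non-token data: ntokens
0.000 0 0 0 non-token data: last journal sync atime
"""
DEBUG_AS_POSTFIX = """\
debug: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1453
debug: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs file
debug: bayes: no dbs present, cannot tie DB R/O: /var/spool/postfix/.spamassassin/bayes_toks
ERROR: Bayes dump returned an error, please re-run with -D for more information
"""
SPAMCHECK_HEADER = (
    "X-gosemr-MailScanner-SpamCheck: spam, SpamAssassin (score=9.285, required 6,\n"
    " DCC_CHECK 1.37, DIGEST_MULTIPLE 0.23, FORGED_RCVD_HELO 0.05,\n"
    " RAZOR2_CF_RANGE_51_100 1.49, RAZOR2_CHECK 0.15, URIBL_JP_SURBL 4.00,\n"
    " URIBL_OB_SURBL 2.00)"
)

MAGIC_RE = re.compile(r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+)\s+(-?\d+(?:\.\d+)?)")
PREFS_RE = re.compile(r'using "([^"]+)" for user prefs file')
MKDIR_RE = re.compile(r"mkdir (\S+) failed: mkdir \S+: (.+?) at ")
NODB_RE = re.compile(r"bayes: no dbs present, cannot tie DB R/O: (\S+)")


def parse_dump_magic(text):
    """Map each 'non-token data' label to its integer value (third column)."""
    counters = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def parse_spamcheck(header):
    """Return {rule_name: score} from a (possibly folded) SpamCheck header."""
    m = re.search(r"\((.*)\)", header, re.S)
    if not m:
        return {}
    return {name: float(score) for name, score in RULE_RE.findall(m.group(1))}


def bayes_fired(header):
    """True if any BAYES_* rule contributed to the score."""
    return any(rule.startswith("BAYES_") for rule in parse_spamcheck(header))


def parse_debug(text):
    """Pull the per-user state paths and failures out of -D output."""
    found = {"user_prefs": None, "mkdir_target": None,
             "mkdir_error": None, "missing_db": None}
    for line in text.splitlines():
        m = PREFS_RE.search(line)
        if m:
            found["user_prefs"] = m.group(1)
        m = MKDIR_RE.search(line)
        if m:
            found["mkdir_target"], found["mkdir_error"] = m.group(1), m.group(2)
        m = NODB_RE.search(line)
        if m:
            found["missing_db"] = m.group(1)
    return found


def diagnose(trainer_dump, scanner_debug, header):
    """Return a list of (code, detail) findings, most specific last."""
    findings = []
    counters = parse_dump_magic(trainer_dump)
    trained = (counters.get("nspam", 0) >= MIN_TRAINED
               and counters.get("nham", 0) >= MIN_TRAINED)
    dbg = parse_debug(scanner_debug)
    if not trained:
        findings.append(("UNDERTRAINED", "nspam=%d nham=%d" % (
            counters.get("nspam", 0), counters.get("nham", 0))))
    if dbg["mkdir_error"]:
        findings.append(("STATE_DIR_UNWRITABLE", "%s: %s" % (
            dbg["mkdir_target"], dbg["mkdir_error"])))
    if dbg["missing_db"]:
        findings.append(("DB_MISSING", dbg["missing_db"]))
    if trained and dbg["missing_db"] and not bayes_fired(header):
        # Training went into one account's files; scanning opens another path.
        findings.append(("WRONG_DB", "trained DB is not the one the scanner opens"))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose(DUMP_AS_ROOT, DEBUG_AS_POSTFIX, SPAMCHECK_HEADER):
        print(code, "-", detail)
```
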
From drew at technologytiger.net Mon Oct 2 13:32:52 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Mon Oct 2 13:33:16 2006
Subject: bayes problem {Scanned}
In-Reply-To: <45210342.2060607@rcwm.com>
References: <451D2749.8050203@delodder.be> <4520630E.1010400@rcwm.com>
 <223f97700610020137t6c40aceci5e74f7a1138ba6af@mail.gmail.com>
 <45210342.2060607@rcwm.com>
Message-ID: <49714.194.70.180.170.1159792372.squirrel@www.technologytiger.net>

On Mon, October 2, 2006 13:17, Henry Hollenberg wrote:
> Glenn Steen wrote:
>> Henry, I see you are using root here... (the telltale # prompt:)...
>> Can the postfix user find/read the bayes DB? Become your PF user and
>> redo that;-)...
>> su - postfix -s /bin/bash
>> sa-learn ...... whatever....
>>
>
> Ok, changed the permissions on /root/.spamassassin to postfix:postfix but
> still seem to be getting some errors. Don't see where to change the
> expected location of the bayes db in the config files.....got
> to get to work....I'll look around some more tonight!
>
> hgh.

> debug: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs
> file

OK this is your clue ^^^^^^^^^^^^^^^^

In fact that's wrong also as you will have a good chance that Postfix will moan about non queue files in its home directory if you are not careful.

Check out the bottom of MailScanner.conf where there is an 'advanced option' for the location of the Bayes database (/var/spool/MailScanner/spamassassin from memory). Make sure you set it and give it postfix:postfix permissions. That is where you need to put your starter database/ trained database, again with the right permissions.

At the same time, you will want to watch out for Razor files too. There was a thread over the last couple of months giving the file settings to tell Razor where to put its home directory.

All this is only because in your passwd file the user postfix has a home directory of /var/spool/postfix and that's where MailScanner will try to put things (Because it's running as the postfix user).

HTH

Drew

From glenn.steen at gmail.com Mon Oct 2 13:35:03 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 2 13:35:06 2006
Subject: bayes problem {Scanned}
In-Reply-To: <45210342.2060607@rcwm.com>
References: <451D2749.8050203@delodder.be> <4520630E.1010400@rcwm.com>
 <223f97700610020137t6c40aceci5e74f7a1138ba6af@mail.gmail.com>
 <45210342.2060607@rcwm.com>
Message-ID: <223f97700610020535q3a35225fn9b34c5191a7e3a22@mail.gmail.com>

On 02/10/06, Henry Hollenberg wrote:
> Glenn Steen wrote:
> >>
> >> And where I expect to see something:
> >>
> >> X-gosemr-MailScanner-SpamCheck: spam, SpamAssassin (score=9.285,
> >> required 6,
> >> DCC_CHECK 1.37, DIGEST_MULTIPLE 0.23, FORGED_RCVD_HELO 0.05,
> >> RAZOR2_CF_RANGE_51_100 1.49, RAZOR2_CHECK 0.15, URIBL_JP_SURBL
> >> 4.00,
> >> URIBL_OB_SURBL 2.00)
> >>
> >> Am I jumping the gun?
> >>
> > Henry, I see you are using root here... (the telltale # prompt:)...
> > Can the postfix user find/read the bayes DB? Become your PF user and
> > redo that;-)...
> > su - postfix -s /bin/bash
> > sa-learn ...... whatever....
> >
>
> Ok, changed the permissions on /root/.spamassassin to postfix:postfix but
> still seem to be getting some errors. Don't see where to change the
> expected location of the bayes db in the config files.....got
> to get to work....I'll look around some more tonight!
>
> hgh.
>
>
> postfix@bastion:/root$ sa-learn --dump magic
> ERROR: Bayes dump returned an error, please re-run with -D for more information
> postfix@bastion:/root$ sa-learn -D --dump magic
(snip)
> debug: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1453
> No such file or directory

As expected when run as postfix where ~postfix is a non-writable home directory, this fails. And then the following is just as expected.

>
> debug: bayes: no dbs present, cannot tie DB R/O: /var/spool/postfix/.spamassassin/bayes_toks
> debug: Score set 0 chosen.
> debug: bayes: no dbs present, cannot tie DB R/O: /var/spool/postfix/.spamassassin/bayes_toks
> ERROR: Bayes dump returned an error, please re-run with -D for more information
> postfix@bastion:/root$
>

What you need do is either to make sure there are adequate writable subdirs in the home directory of the postfix user (.spamassassin, .razor, .pyzor ... whatever:), or explicitly place these things somewhere and tell the relevant subsystem/program where it is.
For Bayes, you might have

bayes_path /etc/MailScanner/bayes/bayes
bayes_file_mode 0770

in your /etc/mail/spamassassin/mailscanner.cf file (note that the above should be a path to an existing directory + the leading "fragment" of the filenames the bayes files are to have...).
If you have manually set a lot of ham/spam in _roots_ bayes files, you could well just move them to the new location and chown/chmod them appropriately.
After that everything should be fine:).
Much (if not all) of this is mentioned in various places on the wiki etc etc.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gborders at jlewiscooper.com Mon Oct 2 14:17:07 2006
From: gborders at jlewiscooper.com (Greg Borders)
Date: Mon Oct 2 14:17:47 2006
Subject: "Friends Only"
In-Reply-To: <4520E3E1.1050600@statsbiblioteket.dk>
References: <4520E3E1.1050600@statsbiblioteket.dk>
Message-ID: <45211153.3030509@jlewiscooper.com>

Greetings list-mates,

The PHB's have discovered the ability of some mail systems that require you to "validate" your address before they will accept messages, thus avoiding SPAM. Example, surgemail has a "Friends System" http://netwinsite.com/surgemail/friends.htm, and eMoustTrap has a package that sits between the MTA and MUA and does the authentication.

Yippie yay, now they want it too. -_-

Without wanting to spark any further heated debates on autoresponders, I wanted to query the group and see if there were any slick bolt-ons for sendmail / MailScanner / Mailwatch out there that might take advantage of some whitelisting mechanisms we already have. I can see potential of a custom script within MailScanner that could send a subscribe/verify message, and then auto-add to a whitelist upon receiving a proper response from the human sender.

Any ideas folks?

Greg. Borders
Sys. Admin.
JLC Co.

--
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From bpumphrey at woodmclaw.com Mon Oct 2 15:36:45 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Mon Oct 2 15:36:52 2006 Subject: bayes problem In-Reply-To: <451D2749.8050203@delodder.be> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501729731@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Philippe Delodder > Sent: Friday, September 29, 2006 10:02 AM > To: MailScanner discussion > Subject: bayes problem > > Hi, > > when i run spamassassin -D --lint i see that bayes is used but when i > check the header of an email that is spam i don't see use of bayes in > MailScanner-SpamCheck. is that normal? > > I'm using MailScanner version 4.54.6 with postfix > > Philippe Delodder > I would start by making sure you do the correct lint. Make sure you specify the config file. It was mentioned that you shouldn't have to anymore, either I misunderstood it or it was wrong. Anyway, do this: spamassassin -D --lint -p /etc/MailScanner/spam.assassin.conf.prefs Here is the different in the lint: (without the -p argument) [1712] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file (with the -p argument) [1712] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file I am not sure about the normal bayes in header question. I checked my headers of random emails and bayes was in all of them. Seems like I remember something normal about it sometimes not being in the header, but wait for other input. Also here is a good command to run. 
sa-learn --dump magic Example of mine: [root@WoodenMS2 ~]# sa-learn --dump magic 0.000 0 3 0 non-token data: bayes db version 0.000 0 164042 0 non-token data: nspam 0.000 0 328180 0 non-token data: nham 0.000 0 174468 0 non-token data: ntokens 0.000 0 1159604893 0 non-token data: oldest atime 0.000 0 1159797182 0 non-token data: newest atime 0.000 0 1159796609 0 non-token data: last journal sync atime 0.000 0 1159777716 0 non-token data: last expiry atime 0.000 0 172800 0 non-token data: last expire atime delta 0.000 0 31252 0 non-token data: last expire reduction count Shows you that things are going on and bayes is populating. I am also assuming that you are running this all in root and using config defaults in most places, like the bayes configuration in /etc/MailScanner/spam.assassin.conf.prefs From matt at coders.co.uk Mon Oct 2 15:41:10 2006 From: matt at coders.co.uk (Matt Hampton) Date: Mon Oct 2 15:41:26 2006 Subject: "Friends Only" In-Reply-To: <45211153.3030509@jlewiscooper.com> References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> Message-ID: <45212506.8060906@coders.co.uk> Greg Borders wrote: > Greetings list-mates, > > The PHB's have discovered the ability of some mail systems that require > you to "validate" your address before they will accept messages, thus > avoiding SPAM. Example, surgemail has a "Friends System" > http://netwinsite.com/surgemail/friends.htm, and eMoustTrap has a > package that sits between the MTA and MUA and does the authentication. > > Yippie yay, now they want it too. -_- > > Without wanting to spark any further heated debates on autoresponders, > I wanted to query the group and see if there was any slick bolt-ons for > sendmail / MailScanner / Mailwatch out there that might take advantage > of some whitelisting mechanisms we already have. 
I can see potential of > a custom script within MailScanner that could send a subscribe/verify > message, and then auto-add to a whitelist upon receiving a proper > response from the human sender. > Before you go down this router - try milter-sender (or I have a perl replacement if you are interested) which checks that the email address is accepted by the MX's for the domain before accepting it. I have found a 60% reduction in crud before it gets as far as MailScanner. I would highly recommend doing this even if you are wanting to go down the auto responder route and I would also suggest that the auto responder is placed AFTER MailScanner as it would ensure that the majority of Spam is removed before sending more crap to the joe jobbed addresses. You will also need to ensure that the email is sent from a different IP than your outbound email as it will only take about a week before you will be in SpamCop. Matt From bpumphrey at woodmclaw.com Mon Oct 2 15:43:54 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Mon Oct 2 15:43:58 2006 Subject: MailScanner ANNOUNCE: Stable version 4.56 released In-Reply-To: <451F9021.4080600@ecs.soton.ac.uk> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501729732@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Sunday, October 01, 2006 5:54 AM > To: MailScanner discussion; MailScanner-Announce mailing list list > Subject: MailScanner ANNOUNCE: Stable version 4.56 released > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks! > > A new stable release for you. New things this time include: > Web site suggestion: On the news, it would be convenient for a link of the releases for download. Such as: 1/10/2006 - Release stable version 4.56. 
New this month: control of reports sent to senders of "too large" messages, Postfix 2.3 support, fine control of maximum size of message section sent to SpamAssassin, significant improvement to reliability of tnef extraction utility. From dward at nccumc.org Mon Oct 2 15:47:15 2006 From: dward at nccumc.org (Douglas Ward) Date: Mon Oct 2 15:47:18 2006 Subject: "Friends Only" In-Reply-To: <45212506.8060906@coders.co.uk> References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> Message-ID: Is there a similar function in postfix? On 10/2/06, Matt Hampton wrote: > > Greg Borders wrote: > > Greetings list-mates, > > > > The PHB's have discovered the ability of some mail systems that require > > you to "validate" your address before they will accept messages, thus > > avoiding SPAM. Example, surgemail has a "Friends System" > > http://netwinsite.com/surgemail/friends.htm, and eMoustTrap has a > > package that sits between the MTA and MUA and does the authentication. > > > > Yippie yay, now they want it too. -_- > > > > Without wanting to spark any further heated debates on autoresponders, > > I wanted to query the group and see if there was any slick bolt-ons for > > sendmail / MailScanner / Mailwatch out there that might take advantage > > of some whitelisting mechanisms we already have. I can see potential of > > a custom script within MailScanner that could send a subscribe/verify > > message, and then auto-add to a whitelist upon receiving a proper > > response from the human sender. > > > > Before you go down this router - try milter-sender (or I have a perl > replacement if you are interested) which checks that the email address > is accepted by the MX's for the domain before accepting it. I have > found a 60% reduction in crud before it gets as far as MailScanner. 
>
> I would highly recommend doing this even if you are wanting to go down
> the auto responder route and I would also suggest that the auto
> responder is placed AFTER MailScanner as it would ensure that the
> majority of Spam is removed before sending more crap to the joe jobbed
> addresses.
>
> You will also need to ensure that the email is sent from a different IP
> than your outbound email as it will only take about a week before you
> will be in SpamCop.
>
> Matt
>

From lodder at delodder.be Mon Oct 2 15:54:35 2006
From: lodder at delodder.be (Philippe Delodder)
Date: Mon Oct 2 15:55:08 2006
Subject: bayes problem
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501729731@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D1501729731@woodenex.woodmaclaw.local>
Message-ID: <4521282B.6080107@delodder.be>

Billy A. Pumphrey wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Philippe Delodder
>> Sent: Friday, September 29, 2006 10:02 AM
>> To: MailScanner discussion
>> Subject: bayes problem
>>
>> Hi,
>>
>> when i run spamassassin -D --lint i see that bayes is used but when i
>> check the header of an email that is spam i don't see use of bayes in
>> MailScanner-SpamCheck. is that normal?
>>
>> I'm using MailScanner version 4.54.6 with postfix
>>
>> Philippe Delodder
>>
>>
>
> I would start by making sure you do the correct lint. Make sure you
> specify the config file.
> It was mentioned that you shouldn't have to
> anymore, either I misunderstood it or it was wrong. Anyway, do this:
> spamassassin -D --lint -p /etc/MailScanner/spam.assassin.conf.prefs
>
> Here is the difference in the lint:
> (without the -p argument)
> [1712] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
>
> (with the -p argument)
> [1712] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
>
> I am not sure about the normal bayes in header question. I checked my
> headers of random emails and bayes was in all of them. Seems like I
> remember something normal about it sometimes not being in the header,
> but wait for other input.
>
> Also here is a good command to run.
> sa-learn --dump magic
>
> Example of mine:
> [root@WoodenMS2 ~]# sa-learn --dump magic
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 164042 0 non-token data: nspam
> 0.000 0 328180 0 non-token data: nham
> 0.000 0 174468 0 non-token data: ntokens
> 0.000 0 1159604893 0 non-token data: oldest atime
> 0.000 0 1159797182 0 non-token data: newest atime
> 0.000 0 1159796609 0 non-token data: last journal sync atime
> 0.000 0 1159777716 0 non-token data: last expiry atime
> 0.000 0 172800 0 non-token data: last expire atime delta
> 0.000 0 31252 0 non-token data: last expire reduction count
>
> Shows you that things are going on and bayes is populating. I am also
> assuming that you are running this all in root and using config defaults
> in most places, like the bayes configuration in
> /etc/MailScanner/spam.assassin.conf.prefs
>
>
>

With the help of you guys I fixed it, and now it all seems to work
perfectly. Thx for the help.

--
Philippe Delodder
lodder@delodder.be
http://www.delodder.be

From martinh at solidstatelogic.com Mon Oct 2 15:55:17 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Oct 2 15:55:40 2006
Subject: "Friends Only"
In-Reply-To: <45212506.8060906@coders.co.uk>
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk>
Message-ID: <45212855.2030102@solidstatelogic.com>

Matt Hampton wrote:
> Greg Borders wrote:
>> Greetings list-mates,
>>
>> The PHB's have discovered the ability of some mail systems that require
>> you to "validate" your address before they will accept messages, thus
>> avoiding SPAM. Example, surgemail has a "Friends System"
>> http://netwinsite.com/surgemail/friends.htm, and eMoustTrap has a
>> package that sits between the MTA and MUA and does the authentication.
>>
>> Yippie yay, now they want it too. -_-
>>
>> Without wanting to spark any further heated debates on autoresponders,
>> I wanted to query the group and see if there was any slick bolt-ons for
>> sendmail / MailScanner / Mailwatch out there that might take advantage
>> of some whitelisting mechanisms we already have. I can see potential of
>> a custom script within MailScanner that could send a subscribe/verify
>> message, and then auto-add to a whitelist upon receiving a proper
>> response from the human sender.
>>
>
> Before you go down this route - try milter-sender (or I have a perl
> replacement if you are interested) which checks that the email address
> is accepted by the MX's for the domain before accepting it. I have
> found a 60% reduction in crud before it gets as far as MailScanner.
>
> I would highly recommend doing this even if you are wanting to go down
> the auto responder route and I would also suggest that the auto
> responder is placed AFTER MailScanner as it would ensure that the
> majority of Spam is removed before sending more crap to the joe jobbed
> addresses.
>
> You will also need to ensure that the email is sent from a different IP
> than your outbound email as it will only take about a week before you
> will be in SpamCop.
>
> Matt
>

And of course this auto responder 'annoys' people when they get the
autoresponder emailing them when they never sent you a message in the
first place... (bit like bouncing spam, autoresponders are a bad idea).

http://spamlinks.net/prevent-secure-backscatter-fake.htm
(for one of many good links on why bouncing spam/autoresponders are a
bad idea).

Besides milter-sender there's also milter-ahead which checks the 'to'
address existing on your system (if you're not using sendmail see the
MailScanner wiki for your MTA on how to do this). Again using this
technique you can drop over 66% of inbound traffic...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From mikea at mikea.ath.cx Mon Oct 2 16:23:13 2006
From: mikea at mikea.ath.cx (mikea)
Date: Mon Oct 2 16:23:18 2006
Subject: "Friends Only"
In-Reply-To: <45212855.2030102@solidstatelogic.com>; from martinh@solidstatelogic.com on Mon, Oct 02, 2006 at 03:55:17PM +0100
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com>
Message-ID: <20061002102313.A54043@mikea.ath.cx>

On Mon, Oct 02, 2006 at 03:55:17PM +0100, Martin Hepworth wrote:
> Matt Hampton wrote:
> > Greg Borders wrote:
> >> Greetings list-mates,
> >> The PHB's have discovered the ability of some mail systems that require
> >> you to "validate" your address before they will accept messages, thus
> >> avoiding SPAM. Example, surgemail has a "Friends System"
> >> http://netwinsite.com/surgemail/friends.htm, and eMoustTrap has a
> >> package that sits between the MTA and MUA and does the authentication.
> >> Yippie yay, now they want it too. -_-
> >> Without wanting to spark any further heated debates on autoresponders,
> >> I wanted to query the group and see if there was any slick bolt-ons for
> >> sendmail / MailScanner / Mailwatch out there that might take advantage
> >> of some whitelisting mechanisms we already have. I can see potential of
> >> a custom script within MailScanner that could send a subscribe/verify
> >> message, and then auto-add to a whitelist upon receiving a proper
> >> response from the human sender.
> > Before you go down this route - try milter-sender (or I have a perl
> > replacement if you are interested) which checks that the email address
> > is accepted by the MX's for the domain before accepting it. I have
> > found a 60% reduction in crud before it gets as far as MailScanner.
> > I would highly recommend doing this even if you are wanting to go down
> > the auto responder route and I would also suggest that the auto
> > responder is placed AFTER MailScanner as it would ensure that the
> > majority of Spam is removed before sending more crap to the joe jobbed
> > addresses.
> > You will also need to ensure that the email is sent from a different IP
> > than your outbound email as it will only take about a week before you
> > will be in SpamCop.
> And of course this auto responder 'annoys' people when they get the
> autoresponder emailing them when they never sent you a message in the
> first place... (bit like bouncing spam, autoresponders are a bad idea).
> http://spamlinks.net/prevent-secure-backscatter-fake.htm
> (for one of many good links on why bouncing spam/autoresponders are a
> bad idea).

As regards autoresponders: if you autorespond to spam with forged
headers and envelope senders, those responses are:

  o unsolicited
  o bulk
  o E-mail

which is how a great many mailadmins define spam. You'll wind up in
their bl[oa]cklists as a result, which I strongly suspect is _directly_
contrary to the desires of your PHBs.

At best, Challenge/Response (or C/R) systems are not a _good_ idea, and
in the present environment, they're a Very Bad Idea Indeed.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From gborders at jlewiscooper.com Mon Oct 2 16:32:52 2006
From: gborders at jlewiscooper.com (Greg Borders)
Date: Mon Oct 2 16:33:21 2006
Subject: "Friends Only"
In-Reply-To: <45212855.2030102@solidstatelogic.com>
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com>
Message-ID: <45213124.30701@jlewiscooper.com>

Martin Hepworth wrote:
> Matt Hampton wrote:
>> Greg Borders wrote:
>>> Greetings list-mates,
>>>
>>> The PHB's have discovered the ability of some mail systems that require
>>> you to "validate" your address before they will accept messages, thus
>>> avoiding SPAM. Example, surgemail has a "Friends System"
>>> http://netwinsite.com/surgemail/friends.htm, and eMoustTrap has a
>>> package that sits between the MTA and MUA and does the authentication.
>>>
>>> Yippie yay, now they want it too. -_-
>>>
>>> Without wanting to spark any further heated debates on
>>> autoresponders, I wanted to query the group and see if there was any
>>> slick bolt-ons for
>>> sendmail / MailScanner / Mailwatch out there that might take advantage
>>> of some whitelisting mechanisms we already have. I can see
>>> potential of
>>> a custom script within MailScanner that could send a subscribe/verify
>>> message, and then auto-add to a whitelist upon receiving a proper
>>> response from the human sender.
>>>
>>
>> Before you go down this route - try milter-sender (or I have a perl
>> replacement if you are interested) which checks that the email address
>> is accepted by the MX's for the domain before accepting it. I have
>> found a 60% reduction in crud before it gets as far as MailScanner.
>>
>> I would highly recommend doing this even if you are wanting to go down
>> the auto responder route and I would also suggest that the auto
>> responder is placed AFTER MailScanner as it would ensure that the
>> majority of Spam is removed before sending more crap to the joe jobbed
>> addresses.
>>
>> You will also need to ensure that the email is sent from a different IP
>> than your outbound email as it will only take about a week before you
>> will be in SpamCop.
>>
>> Matt
>>
>>
>
> And of course this auto responder 'annoys' people when they get the
> autoresponder emailing them when they never sent you a message in the
> first place... (bit like bouncing spam, autoresponders are a bad idea).
>
> http://spamlinks.net/prevent-secure-backscatter-fake.htm
> (for one of many good links on why bouncing spam/autoresponders are a
> bad idea).
>
> Besides milter-sender there's also milter-ahead which checks the 'to'
> address existing on your system (if you're not using sendmail see the
> MailScanner wiki for your MTA on how to do this). Again using this
> technique you can drop over 66% of inbound traffic...

Thanks for the replies fellas. I totally agree this is a bad idea. I
fully am aware of the milter techniques to reduce SPAM in general. (I'm
using milter-greylist, and greet-pause features already.)

This is more along the lines of the PHB's seeing something they perceive
as 'slick', and wanting it for themselves, not realizing the hornet's
nest of autoresponder complications that can occur on the back end.
I'll send the info up the line and let them sweat it out if they want to
risk getting SpamCop-ed. Thanks for the link Martin, Great info/ammo for
PHB's there. ^_^

From richard.siddall at elirion.net Mon Oct 2 16:50:54 2006
From: richard.siddall at elirion.net (Richard Siddall)
Date: Mon Oct 2 16:51:45 2006
Subject: "Friends Only"
In-Reply-To: <45213124.30701@jlewiscooper.com>
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45213124.30701@jlewiscooper.com>
Message-ID: <4521355E.2050405@elirion.net>

Greg Borders wrote:
[snip]
> This is more along the lines of the PHB's seeing something they perceive
> as 'slick', and wanting it for themselves, not realizing the hornet's
> nest of autoresponder complications that can occur on the back end.
> I'll send the info up the line and let them sweat it out if they want to
> risk getting SpamCop-ed. Thanks for the link Martin, Great info/ammo for
> PHB's there. ^_^

Greg,

There's also the argument that many people will not respond to such
auto-responders when they send legitimate mail, so there's the potential
for loss of business.

Regards,

Richard Siddall

From jaearick at colby.edu Mon Oct 2 17:00:39 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Mon Oct 2 17:00:51 2006
Subject: 4.56.7: "max message size is '40000'"
Message-ID:

Julian,

Ok, I hang my head in shame and say that I didn't beta-test earlier
versions of 4.56. September was a busy month.

I just upgraded from 4.55.10 to 4.56.7 on my setup (Solaris 10, SA
3.1.5, sophos and clam, dcc 1.3.40).
I ran it first in debug mode to see what would happen (output attached). Not much. Then I attempted to fire up 4.56.7 in normal mode. I got zero syslog output, and nothing seemed to happen except several MS processes were sucking up CPU time: # ps -ef | grep perl root 15405 15337 0 11:55:16 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail root 15394 15336 2 11:55:14 ? 0:02 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail root 15407 19023 0 11:55:16 pts/2 0:00 grep perl root 15336 1 0 11:55:03 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail root 15337 15336 3 11:55:03 ? 0:08 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail I did go from version 0.13 to 0.18 of Sys-Syslog, but this does not seem to have anything to do with this. 4.55.10 works fine with the new Sys-Syslog. So, 4.56.7 never gets off the ground. Any ideas? Any other Solaris 10 users with this issue? Jeff Earickson Colby College -------------- next part -------------- Sun Microsystems Inc. SunOS 5.10 Generic January 2005 Starting MailScanner... In Debugging mode, not forking... [11203] dbg: logger: adding facilities: all [11203] dbg: logger: logging level is DBG [11203] dbg: generic: SpamAssassin version 3.1.5 [11203] dbg: config: score set 0 chosen. [11203] dbg: util: running in taint mode? no [11203] dbg: message: ---- MIME PARSER START ---- [11203] dbg: message: main message type: text/plain [11203] dbg: message: parsing normal part [11203] dbg: message: added part, type: text/plain [11203] dbg: message: ---- MIME PARSER END ---- [11203] dbg: dns: is Net::DNS::Resolver available? 
yes [11203] dbg: dns: Net::DNS version: 0.58 [11203] dbg: ignore: test message to precompile patterns and load modules [11203] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [11203] dbg: config: read file /etc/mail/spamassassin/init.pre [11203] dbg: config: read file /etc/mail/spamassassin/v310.pre [11203] dbg: config: read file /etc/mail/spamassassin/v312.pre [11203] dbg: config: using "/opt/perl5/share/spamassassin" for sys rules pre files [11203] dbg: config: using "/opt/perl5/share/spamassassin" for default rules dir [11203] dbg: config: read file /opt/perl5/share/spamassassin/10_misc.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_advance_fee.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_anti_ratware.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_body_tests.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_compensate.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_dnsbl_tests.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_drugs.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_fake_helo_tests.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_head_tests.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_html_tests.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_meta_tests.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_net_tests.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_phrases.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_porn.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_ratware.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/20_uri_tests.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/23_bayes.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_accessdb.cf [11203] dbg: config: read file 
/opt/perl5/share/spamassassin/25_antivirus.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_body_tests_es.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_body_tests_pl.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_dcc.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_dkim.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_domainkeys.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_hashcash.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_pyzor.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_razor2.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_replace.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_spf.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_textcat.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/25_uribl.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/30_text_de.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/30_text_fr.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/30_text_it.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/30_text_nl.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/30_text_pl.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/30_text_pt_br.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/50_scores.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/60_awl.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/60_whitelist.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/60_whitelist_dk.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/60_whitelist_dkim.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/60_whitelist_spf.cf [11203] dbg: config: read file /opt/perl5/share/spamassassin/60_whitelist_subject.cf [11203] dbg: config: using 
"/etc/mail/spamassassin" for site rules dir [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_adult.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_bayes_poison_nxm.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum2.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj0.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj1.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj2.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj3.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_html0.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_html1.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_html2.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_html3.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_oem.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_random.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_specific.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_spoof.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_stocks.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_unsub.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_uri0.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_uri1.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_uri3.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_whitelist_rcvd.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sare_whitelist_spf.cf [11203] dbg: config: read file /etc/mail/spamassassin/70_sc_top200.cf [11203] dbg: config: read file /etc/mail/spamassassin/72_sare_bml_post25x.cf [11203] dbg: config: read file /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf [11203] dbg: config: read file 
/etc/mail/spamassassin/99_sare_fraud_post25x.cf [11203] dbg: config: read file /etc/mail/spamassassin/backhair.cf [11203] dbg: config: read file /etc/mail/spamassassin/bogus-virus-warnings.cf [11203] dbg: config: read file /etc/mail/spamassassin/imageinfo.cf [11203] dbg: config: read file /etc/mail/spamassassin/local.cf [11203] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x1695740) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x1744438) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xf8ecfc) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x16b9430) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC [11203] dbg: dcc: network tests on, registering DCC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0x174e278) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC [11203] dbg: pyzor: network tests on, attempting Pyzor [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x185abc8) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC [11203] dbg: razor2: razor2 is available, version 2.82 [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x16d3994) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC [11203] dbg: reporter: network tests on, attempting SpamCop [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x1fb6798) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC [11203] dbg: plugin: registered 
Mail::SpamAssassin::Plugin::AWL=HASH(0x2122be4) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x212dd64) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x212e790) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x2137a0c) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x214401c) [11203] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from /opt/perl5/lib/site_perl/5.8.8/Mail/SpamAssassin/ImageInfo.pm [11203] dbg: plugin: registered Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x2165fa8) [11203] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i [11203] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i [11203] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i [11203] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i [11203] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i [11203] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&\#])'i [11203] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i [11203] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i [11203] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i [11203] dbg: config: adding redirector regex: 
m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&\#])'i [11203] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i [11203] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i [11203] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x214401c) implements 'finish_parsing_end' [11203] dbg: replacetags: replacing tags [11203] dbg: replacetags: done replacing tags [11203] dbg: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks [11203] dbg: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen [11203] dbg: bayes: found bayes db version 3 [11203] dbg: bayes: DB journal sync: last sync: 1159802156 [11203] dbg: config: score set 3 chosen. [11203] dbg: message: ---- MIME PARSER START ---- [11203] dbg: message: main message type: text/plain [11203] dbg: message: parsing normal part [11203] dbg: message: added part, type: text/plain [11203] dbg: message: ---- MIME PARSER END ---- [11203] dbg: dns: dns_available set to yes in config file, skipping test [11203] dbg: metadata: X-Spam-Relays-Trusted: [11203] dbg: metadata: X-Spam-Relays-Untrusted: [11203] dbg: metadata: X-Spam-Relays-Internal: [11203] dbg: metadata: X-Spam-Relays-External: [11203] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x1695740) implements 'extract_metadata' [11203] dbg: metadata: X-Relay-Countries: [11203] dbg: message: no encoding detected [11203] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x1695740) implements 'parsed_metadata' [11203] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x1744438) implements 'parsed_metadata' [11203] dbg: uridnsbl: domains to query: [11203] dbg: check: running tests for priority: 0 [11203] dbg: rules: running header regexp tests; score so far=0 [11203] dbg: 
rules: ran header rule __HAS_MSGID ======> got hit: "<" [11203] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: "i" [11203] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1159802232.9713@spamassassin_spamd_init> [11203] dbg: rules: " [11203] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>" [11203] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org [11203] dbg: rules: " [11203] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1159802232" [11203] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check [11203] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [11203] dbg: eval: all '*To' addrs: [11203] dbg: spf: no suitable relay for spf use found, skipping SPF check [11203] dbg: rules: ran eval rule NO_RELAYS ======> got hit [11203] dbg: spf: cannot get Envelope-From, cannot use SPF [11203] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [11203] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [11203] dbg: spf: spf_whitelist_from: could not find useable envelope sender [11203] dbg: rules: running body-text per-line regexp tests; score so far=0.96 [11203] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [11203] dbg: uri: running uri tests; score so far=0.96 [11203] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.96 [11203] dbg: rules: running full-text regexp tests; score so far=0.96 [11203] dbg: info: entering helper-app run mode [11203] dbg: info: leaving helper-app run mode [11203] dbg: razor2: part=0 engine=4 contested=0 confidence=0 [11203] dbg: razor2: results: spam? 
0 [11203] dbg: razor2: results: engine 8, highest cf score: 0 [11203] dbg: razor2: results: engine 4, highest cf score: 0 [11203] dbg: pyzor: use_pyzor option not enabled, disabling Pyzor [11203] dbg: dcc: dccifd is available: /opt/dcc/dccifd [11203] dbg: info: entering helper-app run mode [11203] dbg: dcc: dccifd got response: X-DCC-dcc.uncw.edu-Metrics: jasper 1201; Body=11284 Fuz1=14545 Fuz2=2866124 [11203] dbg: info: leaving helper-app run mode [11203] dbg: dcc: listed: BODY=11284/999999 FUZ1=14545/999999 FUZ2=2866124/999999 [11203] dbg: rules: ran eval rule DCC_CHECK ======> got hit [11203] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x1744438) implements 'check_tick' [11203] dbg: check: running tests for priority: 500 [11203] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x1744438) implements 'check_post_dnsbl' [11203] dbg: rules: running meta tests; score so far=3.13 [11203] info: rules: meta test SARE_SUB_ACCEPT_CCARDS has undefined dependency '__SARE_SUB_FROM_PAYPAL' [11203] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score [11203] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT' [11203] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT' [11203] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY' [11203] info: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4' [11203] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2' [11203] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION' [11203] dbg: rules: running header regexp tests; score so far=5.076 [11203] dbg: rules: running body-text per-line regexp tests; score so far=5.076 [11203] dbg: uri: running uri tests; score so far=5.076 [11203] dbg: rules: running raw-body-text per-line regexp tests; score so far=5.076 [11203] dbg: rules: running full-text regexp 
tests; score so far=5.076 [11203] dbg: check: running tests for priority: 1000 [11203] dbg: rules: running meta tests; score so far=5.076 [11203] dbg: rules: running header regexp tests; score so far=5.076 [11203] dbg: rules: running body-text per-line regexp tests; score so far=5.076 [11203] dbg: uri: running uri tests; score so far=5.076 [11203] dbg: rules: running raw-body-text per-line regexp tests; score so far=5.076 [11203] dbg: rules: running full-text regexp tests; score so far=5.076 [11203] dbg: check: is spam? score=5.076 required=5 [11203] dbg: check: tests=DCC_CHECK,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE [11203] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID [11203] dbg: bayes: untie-ing [11203] dbg: bayes: untie-ing db_toks [11203] dbg: bayes: untie-ing db_seen max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' max message size is '40000' Ignore errors about failing to find EOCD signature format error: can't find EOCD signature at /opt/MailScanner/bin/MailScanner line 820 format error: can't find EOCD signature at /opt/MailScanner/bin/MailScanner line 820 format error: can't find EOCD signature at /opt/MailScanner/bin/MailScanner line 820 format error: can't find EOCD signature at /opt/MailScanner/bin/MailScanner line 820 format error: can't find EOCD signature at /opt/MailScanner/bin/MailScanner line 820 format error: can't find EOCD signature at /opt/MailScanner/bin/MailScanner line 820 format error: can't find EOCD 
signature at /opt/MailScanner/bin/MailScanner line 820
format error: can't find EOCD signature at /opt/MailScanner/bin/MailScanner line 820 max message size is '40000' Terminated From steve.swaney at fsl.com Mon Oct 2 17:19:04 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Oct 2 17:19:14 2006 Subject: "Friends Only" In-Reply-To: <4521355E.2050405@elirion.net> Message-ID: <030801c6e63e$7abb64a0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Richard Siddall > Sent: Monday, October 02, 2006 11:51 AM > To: MailScanner discussion > Subject: Re: "Friends Only" > > Greg Borders wrote: > [snip] > > This is more along the lines of the PHP's seeing something they perceive > > as 'slick', and wanting it for themselves, not realizing the hornet's > > nest of autoresponder complications that can occur on the back end. > > I'll send the info up the line and let them sweat it out if they want to > > risk getting SpamCop-ed. Thanks for the link Martin, Great info/ammo for > > PHB's there. ^_^ > > Greg, > > There's also the argument that many people will not respond to such > auto-responders when they send legitimate mail, so there's the potential > for loss of business. > > Regards, > > Richard Siddall I'm one of the ones that don't respond to auto-responders. And when the first e-tickets go missing you probably hear about it :( Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From hmkash at arl.army.mil Mon Oct 2 17:49:55 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Mon Oct 2 17:50:00 2006 Subject: Large emails being tagged as spam - false positives Message-ID: <229A346E44379140A59A48951B56E0C00260CD33@ARLABML01.DS.ARL.ARMY.MIL> > And hopefully the new more complex settings of Max SpamAssassin Size > that you can use if you want, will help to alleviate the problem. Take a > look at the Change Log.
But there's still no way to say "I don't think there will ever be a spam over 100k, so don't bother sending any messages over 100k to SA since they could potentially be blocked as false positives." The message the original poster on this topic complained about was blocked based mostly on header checks - changing the amount of the body that was sent to SA wouldn't have made any difference. The only way to have avoided this false positive would be an option to not send messages over a certain size to SA. I still advocate a "Max SpamAssassin Size = ### skip" option so that any messages over ### bytes bypasses the SA checks. Some people may not agree with this, but it should be an option the user has at their disposal. Howard From mkettler at evi-inc.com Mon Oct 2 18:06:00 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 2 18:06:17 2006 Subject: "Friends Only" In-Reply-To: <45211153.3030509@jlewiscooper.com> References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> Message-ID: <452146F8.8070405@evi-inc.com> Greg Borders wrote: > Greetings list-mates, > > The PHB's have discovered the ability of some mail systems that require > you to "validate" your address before they will accept messages, thus > avoiding SPAM. Example, surgemail has a "Friends System" > http://netwinsite.com/surgemail/friends.htm, and eMoustTrap has a > package that sits between the MTA and MUA and does the authentication. > > Yippie yay, now they want it too. -_- > > Without wanting to spark any further heated debates on autoresponders, > I wanted to query the group and see if there was any slick bolt-ons for > sendmail / MailScanner / Mailwatch out there that might take advantage > of some whitelisting mechanisms we already have. I can see potential of > a custom script within MailScanner that could send a subscribe/verify > message, and then auto-add to a whitelist upon receiving a proper > response from the human sender. > > Any ideas folks? 

TMDA is the bolt-on I can think of.

That said, systems like this are in effect trusting someone else to do your spam filtering for you.

I personally take the approach of doing whatever I want when I get a TMDA-type challenge. After all, you're unwillingly foisting your spam problems into my mailbox. So after pissing me off by spamming me, do you really expect me to make a reasonable choice for your benefit?

- If I get a challenge for an email I'm pretty sure I did not send, I authorize it. After all, what do I know, maybe you really did want that pharmacy spam. I'm just trying to help you receive all the mail you deserve :)

- I also sometimes report the mis-directed TMDA messages to spamcop if I can prove it wasn't actually sent from my domain. My domain has SPF records, so if you can't even bother to do a SPF check to eliminate obvious forgeries before sending me notices, I consider it abuse.

- If I get one for an email I did send, but the content is really only to the recipient's benefit, I refuse to authorize it.

- If I get one for an email that I did send, but is to my benefit, I might authorize it, unless I can find a way to blame the sender that will cause them more inconvenience than it does me.

And apparently I'm not the only one who takes to SpamCop'ing TMDA messages: http://mla.libertine.org/tmda-users/2003-08/msg00171.html http://www.mail-archive.com/tmda-users@tmda.net/msg07964.html From ssilva at sgvwater.com Mon Oct 2 19:07:10 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 2 19:09:00 2006 Subject: [OT] Sendmail and access file question In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B023A0D5E@MED-CORE03-MS1.med.wayne.edu> References: <45194556.21708.19C30420@cobalt-users1.fishnet.co.uk> <8F2A53954C22554EB75D9643FCCE0C6B023A0D5E@MED-CORE03-MS1.med.wayne.edu> Message-ID: Rose, Bobby spake the following on 9/30/2006 2:45 PM: > > I've researched this before in the past but I didn't really find > anything about it on the net or the bat book that says 'ay' or 'nay' on > the possibility. Does anyone know if sendmail's access file can > override the default action based on "both" the mail from and rcpt to or > if a hack exists that allows such definitions? For example I'm blocking > the domain of evil.remote.domain in the access file but > user@local.domain wants mail from spammer@evil.remote.domain but only > from spammer@evil.remote.domain. In that example, I'm only aware that I > can either OK spammer@evil.remote.domain and thus allow it to email > everyone or I use the spamfriend rule on user@local.domain which means > he'll get spam from all remote.domains. > > I know I can define this kind of rule in Mailscanner but that also means > I have to accept all mail from spammer@evil.remote.domain which leads to > undeliverable bounces and more wasted traffic and cpu cycles. > > Thanks for any input. > -=B AFAIK the access file is all or nothing. You would have to allow all from the evil spammer, and then let MailScanner sort it out. Sounds like you need to lart a luser. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Mon Oct 2 19:21:08 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 2 19:22:08 2006 Subject: Large emails being tagged as spam - false positives In-Reply-To: <229A346E44379140A59A48951B56E0C00260CD33@ARLABML01.DS.ARL.ARMY.MIL> References: <229A346E44379140A59A48951B56E0C00260CD33@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: Kash, Howard (Civ, ARL/CISD) spake the following on 10/2/2006 9:49 AM: > >> And hopefully the new more complex settings of Max SpamAssassin Size >> that you can use if you want, will help to alleviate the problem. Take > a >> look at the Change Log. > > But there's still no way to say "I don't think there will ever be a spam > over 100k, so don't bother sending any messages over 100k to SA since > they could potentially be blocked as false positives." The message the > original poster on this topic complained about was blocked based mostly > on header checks - changing the amount of the body that was sent to SA > wouldn't have made any difference. The only way to have avoided this > false positive would be an option to not send messages over a certain > size to SA. I still advocate a "Max SpamAssassin Size = ### skip" > option so that any messages over ### bytes bypasses the SA checks. Some > people may not agree with this, but it should be an option the user has > at their disposal. > > > Howard Then you will be the first one on the list of quarter meg spam! A spammer will do whatever he can to get his junk across the most accounts possible. It is just "spray and pray", and hope you get someone to buy your crap. If the spammer has to send larger messages to assure that he gets more "views", then he will do just that. If the problem is that a certain MailScanner user wants to accept mail from dial-up addresses and open proxies, then just turn off the spamassassin tests for those occurrences. Or make the users authenticate first, and they won't hit those traps.
You don't have to do a complete re-write of a program so it makes it easier to do something the wrong way. I have users that send from dial-up accounts, and dsl and cable addresses. But they have to smtp-auth first, and they have no problems, because then they are trusted. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From t.d.lee at durham.ac.uk Mon Oct 2 19:55:02 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Mon Oct 2 19:55:10 2006 Subject: [OT] Sendmail and access file question In-Reply-To: References: <45194556.21708.19C30420@cobalt-users1.fishnet.co.uk> <8F2A53954C22554EB75D9643FCCE0C6B023A0D5E@MED-CORE03-MS1.med.wayne.edu> Message-ID: Re: > > I've researched this before in the past but I didn't really find > > anything about it on the net or the bat book that says 'ay' or 'nay' on > > the possibility. Does anyone know if sendmail's access file can > > override the default action based on "both" the mail from and rcpt to or > > if a hack exists that allows such definitions? For example I'm blocking > > the domain of evil.remote.domain in the access file but > > user@local.domain wants mail from spammer@evil.remote.domain but only > > from spammer@evil.remote.domain. In that example, I'm only aware that I > > can either OK spammer@evil.remote.domain and thus allow it to email > > everyone or I use the spamfriend rule on user@local.domain which means > > he'll get spam from all remote.domains. > > > > I know I can define this kind of rule in Mailscanner but that also means > > I have to accept all mail from spammer@evil.remote.domain which leads to > > undeliverable bounces and more wasted traffic and cpu cycles. > > > > Thanks for any input. > > -=B > AFAIK the access file is all or nothing. You would have to allow all from the > evil spammer, and then let MailScanner sort it out. > Sounds like you need to lart a luser. 
To operate on sender/recipient combinations, the "check_compat" ruleset and FEATURE(compat_check) might give you routes to explore. A slight caution: This is one of the lesser known corners of sendmail. It may require some work, perhaps even creating your own "LOCAL_RULESETS" entry etc. The path to success may be more tortuous than for "access". The journey may be more solitary, with fewer experienced guides to hand. Hope that helps. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From ssilva at sgvwater.com Mon Oct 2 20:04:58 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 2 20:06:07 2006 Subject: Installing 4.56.7 on RHEL 2.1 In-Reply-To: <4520E3E1.1050600@statsbiblioteket.dk> References: <4520E3E1.1050600@statsbiblioteket.dk> Message-ID: Tom G. Christensen spake the following on 10/2/2006 3:03 AM: > I've just done a test upgrade from 4.41-3 to 4.56.7 on an RHEL 2.1 host. > There were several issues that I've described below. > > Before installing the host had 4.41-3 with the perl module versions > installed that was distributed with that version of MailScanner + a few > updates/extras.
> Here's MailScanner -v output from a production host with the same config: > --- > This is Red Hat Enterprise Linux ES release 2.1 (Panama) > This is Perl version 5.006001 (5.6.1) > > This is MailScanner version 4.41.3 > Module versions are: > 1.14 Archive::Zip > 1.119 Convert::BinHex > 1.03 Fcntl > 2.6 File::Basename > 2.03 File::Copy > 2.00 FileHandle > 1.0404 File::Path > 0.12 File::Temp > 1.29 HTML::Entities > 3.45 HTML::Parser > 2.30 HTML::TokeParser > 1.20 IO > 1.08 IO::File > 1.121 IO::Pipe > 1.50 Mail::Header > 3.05 MIME::Base64 > 5.417 MIME::Decoder > 5.417 MIME::Decoder::UU > 5.417 MIME::Head > 5.417 MIME::Parser > 3.03 MIME::QuotedPrint > 5.417 MIME::Tools > 0.10 Net::CIDR > 1.03 POSIX > 1.72 Socket > 0.01 Sys::Syslog > 1.01 Time::localtime > > Optional module versions are: > 1.75 DB_File > missing Digest > 1.01 Digest::HMAC > 2.33 Digest::MD5 > 2.10 Digest::SHA1 > missing Inline > missing Mail::ClamAV > 2.64 Mail::SpamAssassin > missing Mail::SPF::Query > missing Net::CIDR::Lite > 0.49 Net::DNS > missing Net::LDAP > missing Parse::RecDescent > missing SAVI > missing Sys::Hostname::Long > 1.1604 Test::Harness > missing Test::Simple > missing Text::Balanced > 1.35 URI > --- > > Since I'd be updating SA to 3.1.5 later I had built (with cpan2rpm) and > installed perl-ExtUtils-MakeMaker 6.30, perl-Getopt-Long 2.35, > perl-Compress-Zlib 1.42, perl-IO-Zlib 1.04 and perl-Archive-Tar 1.30 > before doing the MailScanner upgrade. > > I ran ./install.sh to do the installation but several modules failed to > build and the tnef package could not be installed. > The modules that failed were: > perl-DBI > perl-File-Temp > perl-Sys-Syslog > perl-Archive-Zip > perl-DBD-SQLite > > All of them except perl-DBD-SQLite fails because they need Test::More to > run their tests. I installed perl-Test-Simple 0.51 which I happened to > have around and this fixes it for perl-Archive-Zip and perl-File-Temp. > perl-DBI still fails because it also needs perl-Storable.
Curiously the > distribution includes perl-Storable-2.15 but install.sh doesn't build > it. Rebuilding it by hand works fine. Perl-DBI still fails to complete > but what is even worse is that during the build it installs files > directly into /usr instead of the BuildRoot! (exactly why I never build > stuff as root under normal circumstances). > I instead used cpan2rpm to package perl-DBI 1.50 and that produces a > working src.rpm. > perl-Sys-Syslog fails the build stage and seems not to be perl 5.6.1 > compatible out of the box (5.6.1 lacks const char * in the typemap which > Sys-Syslog wants). Adding a typemap file to the source with this alias > fixes the build. I ended up building a new src.rpm altogether using > cpan2rpm after I discovered that the build failed on RHEL 3 & 4 with > unpackaged file errors. > perl-DBD-SQLite fails because SQLite is not available. After installing > SQLite and the new perl-DBI it builds fine. > > The tnef package requires glibc 2.3 and is thus incompatible with RHEL > 2.1 which is based on glibc 2.2. I fixed up the specfile included in the > upstream source and rebuilt it to fix this. > > I realize that I'm fighting a losing battle since most people are > running newer versions of perl and newer Linux dists etc. > Just thought you should know that at least the RPM version of MailScanner > seems to effectively require perl 5.8 and glibc 2.3 for easy installation. > > With that said here's MailScanner 4.56.7 with SpamAssassin 3.1.5 running > on RHEL 2.1...
> > --- > [root@eon MailScanner-4.56.7-1]# MailScanner -v > Running on > Linux eon 2.4.9-e.65 #1 Thu Aug 4 20:19:30 EDT 2005 i686 unknown > This is Red Hat Enterprise Linux ES release 2.1 (Panama) > This is Perl version 5.006001 (5.6.1) > > This is MailScanner version 4.56.7 > Module versions are: > 1.16 Archive::Zip > 1.119 Convert::BinHex > 1.03 Fcntl > 2.6 File::Basename > 2.03 File::Copy > 2.00 FileHandle > 1.0404 File::Path > 0.16 File::Temp > 0.90 Filesys::Df > 1.35 HTML::Entities > 3.54 HTML::Parser > 2.37 HTML::TokeParser > 1.20 IO > 1.08 IO::File > 1.121 IO::Pipe > 1.71 Mail::Header > 3.05 MIME::Base64 > 5.420 MIME::Decoder > 5.420 MIME::Decoder::UU > 5.420 MIME::Head > 5.420 MIME::Parser > 3.03 MIME::QuotedPrint > 5.420 MIME::Tools > 0.10 Net::CIDR > 1.03 POSIX > 1.72 Socket > 1.4 Sys::Hostname::Long > 0.18 Sys::Syslog > 1.86 Time::HiRes > 1.01 Time::localtime > > Optional module versions are: > 0.17 Convert::TNEF > 1.75 DB_File > 1.12 DBD::SQLite > 1.50 DBI > missing Digest > 1.01 Digest::HMAC > 2.33 Digest::MD5 > 2.10 Digest::SHA1 > missing Inline > missing Mail::ClamAV > 3.001005 Mail::SpamAssassin > missing Mail::SPF::Query > missing Net::CIDR::Lite > 1.24 Net::IP > 0.49 Net::DNS > missing Net::LDAP > missing Parse::RecDescent > missing SAVI > 1.1604 Test::Harness > 0.51 Test::Simple > missing Text::Balanced > 1.35 URI > --- > > sa-update is not yet working since it'll need a newer libwww-perl (for > LWP::UserAgent) but otherwise it seems to be working well. > > -tgc That is why old distros go off of support and die. As time passes, it takes more and more work to keep them running. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From brose at med.wayne.edu Mon Oct 2 20:06:16 2006 From: brose at med.wayne.edu (Rose, Bobby) Date: Mon Oct 2 20:06:20 2006 Subject: [OT] Sendmail and access file question In-Reply-To: Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B023A0EDC@MED-CORE03-MS1.med.wayne.edu> I knew about the check_compat option but it has 2 problems, 1) you've already accepted the whole message 2) doesn't have an OK/RELAY action. I'm taking a look at milter-regex even though I was hoping for something less intrusive like a local ruleset that someone had already written for this kind of purpose. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of David Lee Sent: Monday, October 02, 2006 2:55 PM To: MailScanner discussion Subject: Re: [OT] Sendmail and access file question Re: > > I've researched this before in the past but I didn't really find > > anything about it on the net or the bat book that says 'ay' or 'nay' > > on the possibility. Does anyone know if sendmail's access file can > > override the default action based on "both" the mail from and rcpt > > to or if a hack exists that allows such definitions? For example > > I'm blocking the domain of evil.remote.domain in the access file but > > user@local.domain wants mail from spammer@evil.remote.domain but > > only from spammer@evil.remote.domain. In that example, I'm only > > aware that I can either OK spammer@evil.remote.domain and thus allow > > it to email everyone or I use the spamfriend rule on > > user@local.domain which means he'll get spam from all remote.domains. > > > > I know I can define this kind of rule in Mailscanner but that also > > means I have to accept all mail from spammer@evil.remote.domain > > which leads to undeliverable bounces and more wasted traffic and cpu cycles. > > > > Thanks for any input. > > -=B > AFAIK the access file is all or nothing. 
You would have to allow all > from the evil spammer, and then let MailScanner sort it out. > Sounds like you need to lart a luser. To operate on sender/recipient combinations, the "check_compat" ruleset and FEATURE(compat_check) might give you routes to explore. A slight caution: This is one of the lesser known corners of sendmail. It may require some work, perhaps even creating your own "LOCAL_RULESETS" entry etc. The path to success may be more tortuous than for "access". The journey may be more solitary, with fewer experienced guides to hand. Hope that helps. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Kevin_Miller at ci.juneau.ak.us Mon Oct 2 20:46:27 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Oct 2 20:46:34 2006 Subject: URIBL Message-ID: Some while back Julian added the URIBL black and greylist entries in spam.assassin.prefs.conf but they're commented out by default. Have they proven themselves to be pretty reliable - i.e., not a lot of false positives? I'm inclined to enable them but am interested in some feedback first. Thanks much... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From campbell at cnpapers.com Mon Oct 2 21:04:03 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Mon Oct 2 21:04:38 2006 Subject: Another Auto Learn question Message-ID: <174701c6e65d$e8e29bf0$0705000a@DDF5DW71> I sort of followed the thread on auto-learning recently back in August, but didn't pay much mind to it as I _used_ to have auto-learn working. I recently checked, though, and don't see anything showing up that is autolearned. I have a well used Bayes file set so I have long ago reached the 200 email mark. I am a little behind in versions, running MS 4.52.2 and SA 3.001001 (listed by MS -v). I think everything is OK in my spam.assassin.prefs.conf file to enable this, although I just recently uncommented the bayes_auto_learn line there, but the comment says it is on by default. Sorry to rehash something, but the prior thread ended as solved without saying how it was solved. I didn't see much in the archives by the way I was searching. Thanks for clues. Steve Campbell campbell@cnpapers.com Charleston Newspapers From ocean at dilworth.net Mon Oct 2 21:17:59 2006 From: ocean at dilworth.net (Michael Dilworth) Date: Mon Oct 2 21:18:18 2006 Subject: Whitelisting and SA, Bayes issues. In-Reply-To: <223f97700610010239tc930d76k178638e5760dbd7@mail.gmail.com> Message-ID: <05a801c6e65f$dbcffb40$5713cc40@OCEANII> > > Hopefully I'm doing some thing wrong here, but I'm stuck. > > > > Question: Why, if an from address is whitelisted, does it > still go through > > SA? > > > > Issue: I (root@x) sends email daily, summarizing > quarantined messages to my > > users, thus I white list root. > > > > Problem: These messages are being auto learned as "not > spam". The messages > > include the subject line, etc. thus messing with my bayes database > > slightly. > > > > TIA Michael... > > > > > How do you whitelist it? Through a ruleset on what/which settings? 
> If done right, SA shouldn't be invoked on whitelisted mails.
>
> --
> -- Glenn

I've added from: root@x to spam.whitelist.rules...
The email is still passed to SA, which autolearns stuff I'd rather it didn't.

From daniel.maher at ubisoft.com Mon Oct 2 21:29:23 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Mon Oct 2 21:29:29 2006
Subject: URIBL
In-Reply-To:
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D2E5@UBIMAIL1.ubisoft.org>

I use URIBL and have been happy with the results. YMMV, of course.

--
 _
°v°    Daniel Maher
/(_)\  Administrateur Système Unix
^ ^    Unix System Administrator

Sentio aliquos togatos contra me conspirare.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Kevin Miller
> Sent: October 2, 2006 3:46 PM
> To: MailScanner discussion
> Subject: URIBL
>
> Some while back Julian added the URIBL black and greylist entries in
> spam.assassin.prefs.conf but they're commented out by default. Have
> they proven themselves to be pretty reliable - i.e., not a lot of false
> positives? I'm inclined to enable them but am interested in some
> feedback first.
>
> Thanks much...
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From Denis.Beauchemin at USherbrooke.ca Mon Oct 2 21:36:54 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Oct 2 21:37:12 2006
Subject: URIBL
In-Reply-To:
References:
Message-ID: <45217865.5030506@USherbrooke.ca>

Kevin Miller wrote:
> Some while back Julian added the URIBL black and greylist entries in
> spam.assassin.prefs.conf but they're commented out by default. Have
> they proven themselves to be pretty reliable - i.e., not a lot of false
> positives? I'm inclined to enable them but am interested in some
> feedback first.
>
> Thanks much...
>
> ...Kevin
>
Kevin,

So far today URIBL scored that many emails:
URIBL_BLACK      19658
URIBL_GREY         136
URIBL_JP_SURBL   10317
URIBL_SBL        15676

Yesterday they scored:
URIBL_BLACK      51669
URIBL_GREY         193
URIBL_JP_SURBL   35168
URIBL_SBL        45264

Have been running it for months and have been really happy with it.

Denis

--
 _
°v°    Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
^ ^    T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061002/8a0d7e2e/smime.bin

From mkettler at evi-inc.com Mon Oct 2 21:37:30 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Oct 2 21:37:40 2006
Subject: URIBL
In-Reply-To:
References:
Message-ID: <4521788A.1070400@evi-inc.com>

Kevin Miller wrote:
> Some while back Julian added the URIBL black and greylist entries in
> spam.assassin.prefs.conf but they're commented out by default. Have
> they proven themselves to be pretty reliable - i.e., not a lot of false
> positives? I'm inclined to enable them but am interested in some
> feedback first.

IMHO, no, they aren't very reliable but I'd be in the minority.

That said, I still find them very useful, but I also find they tend to FP on "overlap" conditions a lot.
And that overlap causes a lot of problems when you've got URIBL scoring high, and tacking onto some other URIBL (most often BLACK+WS) which also scores high.

(Note: I'm also the cause of a massive flamewar over on spamassassin-users on this topic. )

As a result of my own real-world problems with "multi-listing" I personally use very mild scores:

score URIBL_BLACK 1.5
score URIBL_GREY 0.001

And an over-lap compensation rule (beware of line wrap):

meta URIBL_BLACK_OVERLAP (URIBL_BLACK && (URIBL_AB_SURBL || URIBL_JP_SURBL || URIBL_OB_SURBL || URIBL_WS_SURBL || URIBL_SC_SURBL))
score URIBL_BLACK_OVERLAP -1.0

The over-lap rule in effect reduces URIBL_BLACK to 0.5 points if it's also matching any other SURBL rule.

To me, this makes a lot of sense because the SURBL rules were score-tuned with respect to each other, but URIBL_BLACK was not a part of that mix. Simply adding URIBL_BLACK in with a strong score upsets that balance.

From mkettler at evi-inc.com Mon Oct 2 22:06:00 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Oct 2 22:06:10 2006
Subject: URIBL
In-Reply-To: <45217865.5030506@USherbrooke.ca>
References: <45217865.5030506@USherbrooke.ca>
Message-ID: <45217F38.5020502@evi-inc.com>

Denis Beauchemin wrote:
> Kevin Miller wrote:
>> Some while back Julian added the URIBL black and greylist entries in
>> spam.assassin.prefs.conf but they're commented out by default. Have
>> they proven themselves to be pretty reliable - i.e., not a lot of false
>> positives? I'm inclined to enable them but am interested in some
>> feedback first.
>>
>> Thanks much...
>>
>> ...Kevin
>>
> Kevin,
>
> So far today URIBL scored that many emails:
> URIBL_BLACK 19658
> URIBL_GREY 136
> URIBL_JP_SURBL 10317
> URIBL_SBL 15676

For what it's worth my stats so far this week (Today and Sunday) are:

URIBL_BLACK 2410
URIBL_GREY 56
URIBL_AB_SURBL 375
URIBL_JP_SURBL 1948
URIBL_OB_SURBL 1678
URIBL_SC_SURBL 263
URIBL_WS_SURBL 1449

And some stats from some custom rules that track multi-list hits:

URIBL_BLACK_OVERLAP (uribl + one or more SURBL lists) 2113
SURBL_MULTI1 (at least 2 surbl lists ie: 1 extra beyond the first) 1867
SURBL_MULTI2 (at least 3 surbl lists ) 1192
SURBL_MULTI3 (at least 4 surbl lists) 320
SURBL_MULTI4 (all 5 surbl lists) 101

And some totals:
total spam: 2849
total not spam: 2057
total email examined by SA : 4906

From spamtrap71892316634 at anime.net Mon Oct 2 22:34:35 2006
From: spamtrap71892316634 at anime.net (Dan Hollis)
Date: Mon Oct 2 22:34:39 2006
Subject: "Friends Only"
In-Reply-To: <45212855.2030102@solidstatelogic.com>
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com>
Message-ID:

On Mon, 2 Oct 2006, Martin Hepworth wrote:
> Besides milter-sender there's also milter-ahead which checks the 'to' address
> existing on your system (if you're not using sendmail see the mailScanner
> wiki for your MTA on how to do this). Again using this technique you can drop
> over 66% of inbound traffic...

Is there any milter which checks the SOA of URLs in the message body and drops them if the SOA is in china (or pakistan, or wherever)?

-Dan

From mkettler at evi-inc.com Mon Oct 2 22:54:09 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Oct 2 22:54:20 2006
Subject: "Friends Only"
In-Reply-To:
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com>
Message-ID: <45218A81.20503@evi-inc.com>

Dan Hollis wrote:
> On Mon, 2 Oct 2006, Martin Hepworth wrote:
>> Besides milter-sender there's also milter-ahead which checks the 'to'
>> address existing on your system (if you're not using sendmail see the
>> mailScanner wiki for your MTA on how to do this). Again using this
>> technique you can drop over 66% of inbound traffic...
>
> Is there any milter which checks the SOA of URLs in the message body and
> drops them if the SOA is in china (or pakistan, or wherever)?
>
> -Dan

Not that I know of.

That and you'd probably have a lot more false positives here than you expect.

With the amount of "farming out" of basic web-presence services, where the website's DNS hosting lives really has very little to do with where the company that owns it is.

I mean, if I get re-routed to India when I call a US-based company for tech support, why should I expect to have a US-based DNS server for their website?

From cornelius.koelbel at gmx.de Mon Oct 2 23:16:04 2006
From: cornelius.koelbel at gmx.de (Cornelius Koelbel)
Date: Mon Oct 2 23:16:12 2006
Subject: Panda Wrapper
Message-ID: <45218FA4.7000800@gmx.de>

Hi,

something seems to be wrong with the panda wrapper.

When testing the wrapper with
/usr/lib/MailScanner/panda-wrapper /opt/pavcl/usr /tmp/
it will not return.
The call
/opt/pavcl/usr /tmp/
opens an interactive text interface.

Using
ame : pavcl Relocations: (not relocatable)
Version : 9.0.0 Vendor: (none)

and
Name : mailscanner Relocations: (not relocatable)
Version : 4.55.10 Vendor: Electronics and Computer Science, University of Southampton

Kind regards
Cornelius

From mkettler at evi-inc.com Mon Oct 2 23:32:33 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Oct 2 23:32:58 2006
Subject: Whitelisting and SA, Bayes issues.
In-Reply-To: <05a801c6e65f$dbcffb40$5713cc40@OCEANII>
References: <05a801c6e65f$dbcffb40$5713cc40@OCEANII>
Message-ID: <45219381.70706@evi-inc.com>

Michael Dilworth wrote:
> I've added from: root@x to spam.whitelist.rules...
>
> The email is still passed to SA, which autolearns stuff
> I'd rather it didn't.
>

Do you have:

Always Include SpamAssassin Report = yes

In your MailScanner.conf?

If so, this forces the message to be SA-scanned, even if it's whitelisted.

From res at ausics.net Mon Oct 2 23:33:08 2006
From: res at ausics.net (Res)
Date: Mon Oct 2 23:33:15 2006
Subject: [OT] Sendmail and access file question
In-Reply-To:
References: <45194556.21708.19C30420@cobalt-users1.fishnet.co.uk> <8F2A53954C22554EB75D9643FCCE0C6B023A0D5E@MED-CORE03-MS1.med.wayne.edu>
Message-ID:

On Mon, 2 Oct 2006, Scott Silva wrote:

>> the domain of evil.remote.domain in the access file but
>> user@local.domain wants mail from spammer@evil.remote.domain but only
>> from spammer@evil.remote.domain. In that example, I'm only aware that I
> AFAIK the access file is all or nothing. You would have to allow all from the
> evil spammer, and then let MailScanner sort it out.
> Sounds like you need to lart a luser.

The better approach is to allow ALL mail to the user that wants it,
To:usr@wants.spam
then mailscanner can whitelist the from: evil@bunny and to usr@wants.spam

This minimises the risk to other users

>
>
>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From brose at med.wayne.edu Mon Oct 2 23:52:12 2006
From: brose at med.wayne.edu (Rose, Bobby)
Date: Mon Oct 2 23:52:15 2006
Subject: [OT] Sendmail and access file question
In-Reply-To:
Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B023A0F56@MED-CORE03-MS1.med.wayne.edu>

But it also increases load since the message has to be processed and you've already accepted the message so it's not possible to reject; bounce yes but then that's another issue if the message has bogus return addresses so you end up with the extra load of sendmail retries.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
Sent: Monday, October 02, 2006 6:33 PM
To: MailScanner discussion
Subject: Re: [OT] Sendmail and access file question

On Mon, 2 Oct 2006, Scott Silva wrote:

>> the domain of evil.remote.domain in the access file but
>> user@local.domain wants mail from spammer@evil.remote.domain but only
>> from spammer@evil.remote.domain. In that example, I'm only aware
>> that I
> AFAIK the access file is all or nothing. You would have to allow all
> from the evil spammer, and then let MailScanner sort it out.
> Sounds like you need to lart a luser.

The better approach is to allow ALL mail to the user that wants it,
To:usr@wants.spam
then mailscanner can whitelist the from: evil@bunny and to usr@wants.spam

This minimises the risk to other users

>
>
>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From spamtrap71892316634 at anime.net Tue Oct 3 01:11:32 2006
From: spamtrap71892316634 at anime.net (Dan Hollis)
Date: Tue Oct 3 01:11:36 2006
Subject: "Friends Only"
In-Reply-To: <45218A81.20503@evi-inc.com>
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45218A81.20503@evi-inc.com>
Message-ID:

On Mon, 2 Oct 2006, Matt Kettler wrote:
> Dan Hollis wrote:
>> On Mon, 2 Oct 2006, Martin Hepworth wrote:
>>> Besides milter-sender there's also milter-ahead which checks the 'to'
>>> address existing on your system (if you're not using sendmail see the
>>> mailScanner wiki for your MTA on how to do this). Again using this
>>> technique you can drop over 66% of inbound traffic...
>> Is there any milter which checks the SOA of URLs in the message body and
>> drops them if the SOA is in china (or pakistan, or wherever)?
> Not that I know of.
> That and you'd probably have a lot more false positives here than you expect.
>
> With the amount of "farming out" of basic web-presence services, where the
> website's DNS hosting lives really has very little to do with where the company
> that owns it is.
> I mean, if I get re-routed to India when I call a US-based company for tech
> support, why should I expect to have a US-based DNS server for their website?

Why shouldn't I be able to blacklist individual known spam SOAs?

-Dan

From tim at denmantire.com Tue Oct 3 01:07:49 2006
From: tim at denmantire.com (Tim Boyer)
Date: Tue Oct 3 02:20:37 2006
Subject: Reject vs. bounce
Message-ID:

Apologies if this has been discussed ad infinitum before. I've been running a mailserver since 1996, but just heard about MailScanner Saturday, thanks to Steve Swaney's excellent talk at the Ohio LinuxFest.

I've been using DNSBLs and a private blocklist with SpamAssassin, and ClamAV as milters, so when I reject an email it's rejected, not bounced back to the (99.999% bogus) 'From" address.

I've heard and read that MailScanner has a 'bounce' option. Is this what I think it is - a bounce back to the 'From'? Or is it a reject before the connection's been dropped and the email accepted?

--
tim boyer
tim@denmantire.com

From hgh at rcwm.com Tue Oct 3 03:24:32 2006
From: hgh at rcwm.com (Henry Hollenberg)
Date: Tue Oct 3 03:20:56 2006
Subject: bayes problem {Scanned}
In-Reply-To: <223f97700610020535q3a35225fn9b34c5191a7e3a22@mail.gmail.com>
References: <451D2749.8050203@delodder.be> <4520630E.1010400@rcwm.com> <223f97700610020137t6c40aceci5e74f7a1138ba6af@mail.gmail.com> <45210342.2060607@rcwm.com> <223f97700610020535q3a35225fn9b34c5191a7e3a22@mail.gmail.com>
Message-ID: <4521C9E0.3060204@rcwm.com>

Glenn Steen wrote:

summary: bayes manually fed several hundred SPAM/HAM and still not working.

> What you need do is either to make sure there are adequate writable
> subdirs in the home directory of the postfix user (.spamassassin,
> .razor, .pyzor ... whatever:), or explicitly place these things
> somewhere and tell the relevant subsystem/program where it is. For
> Bayes, you might have
> bayes_path /etc/MailScanner/bayes/bayes
> bayes_file_mode 0770
>
> in your /etc/mail/spamassassin/mailscanner.cf file (note that the
> above should be a path to an existing directory + the leading
> "fragment" of the filenames the bayes files are to have...).
> If you have manually set a lot of ham/spam in _roots_ bayes files, you
> could well just move them to the new location and chown/chmod them
> appropriately. After that everything should be fine:).
>
> Much (if not all) of this is mentioned in various places on the wiki etc
> etc.
>

Ok, added dir: .spamassassin, .razor, .pyzor and did chown postfix:root on them:

bastion:/var/spool/postfix# ls -la
total 88
drwxr-xr-x 22 root root 4096 Oct 2 21:07 .
drwxr-xr-x 8 root root 4096 Sep 26 20:41 ..
drwxr-xr-x 2 postfix root 4096 Oct 2 21:07 .pyzor
drwxr-xr-x 2 postfix root 4096 Oct 2 21:07 .razor
drwxr-xr-x 2 postfix root 4096 Oct 2 21:05 .spamassassin
drwx------ 18 postfix root 4096 Jun 26 2004 active
drwx------ 18 postfix root 4096 Jun 26 2004 bounce
drwx------ 2 postfix root 4096 Jun 24 2004 corrupt
drwx------ 18 postfix root 4096 Jun 28 2004 defer
drwx------ 18 postfix root 4096 Jun 28 2004 deferred
drwxr-xr-x 2 root root 4096 Oct 1 14:22 etc
drwx------ 4 postfix root 4096 Aug 11 2004 flush
drwx------ 18 postfix root 4096 Sep 29 01:00 hold
drwx------ 18 postfix root 4096 Oct 2 21:07 incoming
drwxr-xr-x 2 root root 4096 Oct 1 14:22 lib
drwx-wx--T 2 postfix postdrop 4096 Oct 1 06:25 maildrop
drwxr-xr-x 2 postfix root 4096 Jun 30 2004 pid
drwx------ 2 postfix root 4096 Oct 1 14:22 private
drwx--s--- 2 postfix postdrop 4096 Oct 1 14:22 public
drwx------ 2 postfix root 4096 Jun 24 2004 saved
drwx------ 12 postfix root 4096 Aug 8 21:32 trace
drwxr-xr-x 3 root root 4096 Jun 24 2004 usr

Now have output of sa-learn -D --dump magic:

bastion:/var/spool/postfix# sa-learn -D --dump magic
debug: SpamAssassin version 3.0.3
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/bin/X11', which doesn't exist, dropping.
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: Final PATH set to: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
debug: using "/etc/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/spamassassin/init.pre
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/share/spamassassin/50_scores.cf
debug: config: read file /usr/share/spamassassin/60_whitelist.cf
debug: config: read file /usr/share/spamassassin/65_debian.cf
debug: using "/etc/spamassassin" for site rules dir
debug: config: read file /etc/spamassassin/local.cf
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: config: read file /root/.spamassassin/user_prefs
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857fef4)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8eb8418)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8e848f4)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x857fef4) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8eb8418) implements 'parse_config'
debug: bayes: 8558 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 8558 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: Score set 2 chosen.
0.000 0 3 0 non-token data: bayes db version
0.000 0 752 0 non-token data: nspam
0.000 0 695 0 non-token data: nham
0.000 0 80524 0 non-token data: ntokens
0.000 0 1141401016 0 non-token data: oldest atime
0.000 0 1159706957 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count
debug: bayes: 8558 untie-ing
debug: bayes: 8558 untie-ing db_toks
debug: bayes: 8558 untie-ing db_seen

And it works!!!, I think?

X-gosemr-MailScanner-SpamCheck: not spam, SpamAssassin (score=-5.899,
required 6, autolearn=not spam, ALL_TRUSTED -3.30, BAYES_00 -2.60), not spam, SpamAssassin (score=-2.599,
required 6, autolearn=not spam, BAYES_00 -2.60)

Hallelujah,

Thank you Glenn and of course Julian.

Kicking spam butt and liking it.

hgh.

--
Henry Hollenberg hgh@rcwm.com

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From jrudd at ucsc.edu Tue Oct 3 03:34:23 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Tue Oct 3 03:34:54 2006
Subject: Reject vs. bounce
In-Reply-To:
References:
Message-ID: <4521CC2F.6080508@ucsc.edu>

Tim Boyer wrote:
> Apologies if this has been discussed ad infinitum before. I've been running a
> mailserver since 1996, but just heard about MailScanner Saturday, thanks to
> Steve Swaney's excellent talk at the Ohio LinuxFest.
>
> I've been using DNSBLs and a private blocklist with SpamAssassin, and ClamAV as
> milters, so when I reject an email it's rejected, not bounced back to the
> (99.999% bogus) 'From" address.
>
> I've heard and read that MailScanner has a 'bounce' option. Is this what I
> think it is - a bounce back to the 'From'? Or is it a reject before the
> connection's been dropped and the email accepted?
>

It is a bounce back to the "From" address, not a rejection during the
connection. Mailscanner doesn't run during the SMTP session, therefore
it can't do SMTP rejections nor SMTP tempfails.

From ugob at camo-route.com Tue Oct 3 03:43:42 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Oct 3 03:44:04 2006
Subject: Reject vs. bounce
In-Reply-To: <4521CC2F.6080508@ucsc.edu>
References: <4521CC2F.6080508@ucsc.edu>
Message-ID:

John Rudd wrote:
> Tim Boyer wrote:
>> Apologies if this has been discussed ad infinitum before. I've been
>> running a
>> mailserver since 1996, but just heard about MailScanner Saturday,
>> thanks to
>> Steve Swaney's excellent talk at the Ohio LinuxFest.
>>
>> I've been using DNSBLs and a private blocklist with SpamAssassin, and
>> ClamAV as
>> milters, so when I reject an email it's rejected, not bounced back to the
>> (99.999% bogus) 'From" address.
>> I've heard and read that MailScanner has a 'bounce' option. Is this
>> what I
>> think it is - a bounce back to the 'From'? Or is it a reject before the
>> connection's been dropped and the email accepted?
>>
>
> It is a bounce back to the "From" address, not a rejection during the
> connection. Mailscanner doesn't run during the SMTP session, therefore
> it can't do SMTP rejections nor SMTP tempfails.

And it is not a practice that is encouraged here. Bouncing has been off by default for a while in MailScanner, and can only be set on using a ruleset.

From hgh at rcwm.com Tue Oct 3 03:47:53 2006
From: hgh at rcwm.com (Henry Hollenberg)
Date: Tue Oct 3 03:44:12 2006
Subject: pyzor ip bad in debian install {Scanned}
In-Reply-To: <4520E484.70209@teicam.com>
References: <452047C0.7010002@rcwm.com> <45205066.2090104@rcwm.com> <4520E484.70209@teicam.com>
Message-ID: <4521CF59.3020701@rcwm.com>

Youri LACAN-BARTLEY wrote:
> Henry Hollenberg wrote:
>
>> Has anyone else noticed the pyzor IP being bad in
>> the debian install?
>>
>> I found a reference by a Chris Pollock where he mentioned a new IP and
>> it seemed
>> to work.
>>
>> Link:
>> https://sourceforge.net/mailarchive/forum.php?thread_id=30601945&forum_id=8711
>>
>>
>> snippet from that post:
>>
>> quote: Olivier, try using this address:
>> quote:
>> quote: 82.94.255.100:24441
>> quote:
>> quote: Milton Cyrus set this one up back in March and I've been
>> using it ever
>> quote: sense. Just remember that if you run "pyzor discover" you'll
>> have to
>> quote: re-enter it in your Pyzor server list. I've had no problems
>> at all using
>> quote: this server.
>> quote:
>> quote: HTH
>>
>> So I changed mine from what shipped (66.250.40.33:24441), to the IP
>> above and it seemed to work.
>>
>> But is it safe to use???
>>
>> hgh.
>>
> Hi,
>
> I ran into the same problem as you and stumbled across the same IP.
> I've been running it for a few months now and haven't run into any
> trouble whatsoever.
> Now if it's "safe" to use is a question I couldn't answer right now.
>
> I'd be curious to know what IP other people from the mailing list use...
>

Thanks for the reply and sorry I accidentally started this thread under the "mailscanner hangs on automatic restart", guess I had a few too many windows open and got confused.

hgh.

--
Henry Hollenberg hgh@rcwm.com

From ka at pacific.net Tue Oct 3 04:57:21 2006
From: ka at pacific.net (Ken)
Date: Tue Oct 3 04:57:13 2006
Subject: Reject vs. bounce
In-Reply-To:
References:
Message-ID: <4521DFA1.7010302@pacific.net>

Tim Boyer wrote:
> Apologies if this has been discussed ad infinitum before. I've been running a
> mailserver since 1996, but just heard about MailScanner Saturday, thanks to
> Steve Swaney's excellent talk at the Ohio LinuxFest.
>
> I've been using DNSBLs and a private blocklist with SpamAssassin, and ClamAV as
> milters, so when I reject an email it's rejected, not bounced back to the
> (99.999% bogus) 'From" address.
>
> I've heard and read that MailScanner has a 'bounce' option. Is this what I
> think it is - a bounce back to the 'From'? Or is it a reject before the
> connection's been dropped and the email accepted?
>
>

The 'Feature' is pretty much useless, as has been mentioned here many times.

I'd only add that you can do both what you are doing now AND run MailScanner to further process your mail using more aggressive spamassassin rulesets. Because MailScanner queues and scans mail with a perl process that uses the spamassassin perl api, you can run tons of SA rules, rbl and uribl tests, plugins and virus scanners as long as you dedicate sufficient resources to the process. It's much more than you can do in an smtp transaction.
Most users here combine the fast milters doing some rejections, with MailScanner & SpamAssassin doing the heavy work.

Ken Anderson
Pacific.Net

From tgc at statsbiblioteket.dk Tue Oct 3 07:14:06 2006
From: tgc at statsbiblioteket.dk (Tom G. Christensen)
Date: Tue Oct 3 07:14:09 2006
Subject: Installing 4.56.7 on RHEL 2.1
In-Reply-To:
References: <4520E3E1.1050600@statsbiblioteket.dk>
Message-ID: <4521FFAE.5090707@statsbiblioteket.dk>

Scott Silva wrote:
>
> That is why old distros go off of support and die. As time passes, it takes
> more and more work to keep them running.
>

There's plenty of life left in RHEL 2.1 yet. It won't go off support before May 31, 2009.

-tgc

From tgc at statsbiblioteket.dk Tue Oct 3 07:30:13 2006
From: tgc at statsbiblioteket.dk (Tom G. Christensen)
Date: Tue Oct 3 07:30:16 2006
Subject: Installing 4.56.7 on RHEL 2.1
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580F979A1B@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580F979A1B@isabella.herefordshire.gov.uk>
Message-ID: <45220375.9010403@statsbiblioteket.dk>

Randal, Phil wrote:
> It would have been easier to upgrade the whole box to CentOS 3.x or 4.x
> ;-)
>

Had that been the case I would have done so.

> Your Net::DNS is really old, it might be worthwhile updating that via
> CPAN.
>

Why? I realize that 0.59 is out but AFAIK the only requirement for Net::DNS on unix is v0.34 or newer so I fail to see the point.

-tgc

From drew at technologytiger.net Tue Oct 3 07:41:03 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Tue Oct 3 07:41:11 2006
Subject: "Friends Only"
In-Reply-To:
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk>
Message-ID:

On 2 Oct 2006, at 15:47, Douglas Ward wrote:

> Is there a similar function in postfix?

Yes, built in.
Have a look at smtpd_sender_restrictions with reject_unverified_sender and smtpd_recipient_checks with reject_unverified_recipient. More details can be found at http://www.postfix.org/ADDRESS_VERIFICATION_README.html; the same principle can be used for each restriction.

Drew

From james at grayonline.id.au Tue Oct 3 07:16:18 2006
From: james at grayonline.id.au (James Gray)
Date: Tue Oct 3 08:58:44 2006
Subject: "Friends Only"
In-Reply-To:
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45218A81.20503@evi-inc.com>
Message-ID:

On 03/10/2006, at 10:11 AM, Dan Hollis wrote:

> On Mon, 2 Oct 2006, Matt Kettler wrote:
>> Dan Hollis wrote:
>>> On Mon, 2 Oct 2006, Martin Hepworth wrote:
>>>> Besides milter-sender there's also milter-ahead which checks the
>>>> 'to'
>>>> address existing on your system (if you're not using sendmail
>>>> see the
>>>> mailScanner wiki for your MTA on how to do this). Again using this
>>>> technique you can drop over 66% of inbound traffic...
>>> Is there any milter which checks the SOA of URLs in the message
>>> body and
>>> drops them if the SOA is in china (or pakistan, or wherever)?
>> Not that I know of.
>> That and you'd probably have a lot more false positives here than
>> you expect.
>>
>> With the amount of "farming out" of basic web-presence services,
>> where the
>> website's DNS hosting lives really has very little to do with
>> where the company
>> that owns it is.
>> I mean, if I get re-routed to India when I call a US-based company
>> for tech
>> support, why should I expect to have a US-based DNS server for
>> their website?
>
> Why shouldn't I be able to blacklist individual known spam SOAs?

Why not use the URIBL lists like "OutBlaze" and friends. Not exactly what you're after but I've found them extremely effective in combating URLs etc that link to known spammers' domains.

Cheers,

James

From glenn.steen at gmail.com Tue Oct 3 08:59:18 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 3 08:59:23 2006
Subject: 4.56.7: "max message size is '40000'"
In-Reply-To:
References:
Message-ID: <223f97700610030059s3a734599n963615622450fbf8@mail.gmail.com>

On 02/10/06, Jeff A. Earickson wrote:
> Julian,
>
> Ok, I hang my head in shame and say that I didn't beta-test
> earlier versions of 4.56. September was a busy month.
>
> I just upgraded from 4.55.10 to 4.56.7 on my setup (Solaris 10,
> SA 3.1.5, sophos and clam, dcc 1.3.40). I ran it first in debug
> mode to see what would happen (output attached). Not much.
>
> Then I attempted to fire up 4.56.7 in normal mode. I got zero syslog
> output, and nothing seemed to happen except several MS processes
> were sucking up CPU time:
>
> # ps -ef | grep perl
> root 15405 15337 0 11:55:16 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 15394 15336 2 11:55:14 ? 0:02 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 15407 19023 0 11:55:16 pts/2 0:00 grep perl
> root 15336 1 0 11:55:03 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
> root 15337 15336 3 11:55:03 ? 0:08 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>
> I did go from version 0.13 to 0.18 of Sys-Syslog, but this does
> not seem to have anything to do with this. 4.55.10 works fine with
> the new Sys-Syslog.
>
> So, 4.56.7 never gets off the ground. Any ideas? Any other Solaris 10
> users with this issue?
>

Hi Jeff,

I'm certainly no Solaris guru, but could this have something to do with the pretty recent thread "No logging in Solaris 9 (with workaround) - question?"? Look at
http://search.gmane.org/?query=No+logging+in+Solaris+9+%28with+workaround%29+-+question%3F&author=&group=gmane.mail.virus.mailscanner&sort=date&DEFAULTOP=and&xP=logging.solaris.9.workaround.question.&xFILTERS=--A
...

HtH

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Oct 3 09:11:57 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 3 09:12:00 2006
Subject: Panda Wrapper
In-Reply-To: <45218FA4.7000800@gmx.de>
References: <45218FA4.7000800@gmx.de>
Message-ID: <223f97700610030111m1467df9bx8aafdfbc6102c447@mail.gmail.com>

On 03/10/06, Cornelius Koelbel wrote:
> Hi,
>
> something seems to be wrong with the panda wrapper.
>
> When testing the wrapper with
> /usr/lib/MailScanner/panda-wrapper /opt/pavcl/usr /tmp/
> it will not return.
> The call
> /opt/pavcl/usr /tmp/
> opens an interactive text interface.
>
> Using
> ame : pavcl Relocations: (not relocatable)
> Version : 9.0.0 Vendor: (none)
>
> and
> Name : mailscanner Relocations: (not relocatable)
> Version : 4.55.10 Vendor: Electronics and
> Computer Science, University of Southampton
>
> Kind regards
> Cornelius

Read the wrapper file and you'll find that you are probably "calling it the wrong way":-). This is what it says:

-------
# To test from the command line change to the directory you wish to
# check and issue this command (change paths to reflect your install)
# "/opt/MailScanner/lib/panda-wrapper /usr -nsb -eng -aex -nso -aut -cmp ."
# Make sure your testing dir is one directory deep (don't for get the . BTW)
# example
# test+
# .+ testfiles
# .+ moretestfiles
# execute from directory test and it will scan the testfiles and moretestfiles
# directories. There should be no sub-dirs below those two, this simulates
# MailScanner's process-dir->message-dir structure
-------

With the latest panda out, this wrapper should be rewritten... If only one had the time...:-)

I don't remember if the options still work as expected... there was something about that a while back, so check the archives.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Oct 3 09:26:38 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 3 09:26:42 2006
Subject: bayes problem {Scanned}
In-Reply-To: <4521C9E0.3060204@rcwm.com>
References: <451D2749.8050203@delodder.be> <4520630E.1010400@rcwm.com> <223f97700610020137t6c40aceci5e74f7a1138ba6af@mail.gmail.com> <45210342.2060607@rcwm.com> <223f97700610020535q3a35225fn9b34c5191a7e3a22@mail.gmail.com> <4521C9E0.3060204@rcwm.com>
Message-ID: <223f97700610030126qf88d77bsbaed5452348f0cbb@mail.gmail.com>

On 03/10/06, Henry Hollenberg wrote:
(snip)
> bastion:/var/spool/postfix# sa-learn -D --dump magic
(snip)
> debug: bayes: 8558 tie-ing to DB file R/O /root/.spamassassin/bayes_toks

This is still root operating on root's bayes copy.

> debug: bayes: 8558 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
> debug: bayes: found bayes db version 3
> debug: Score set 2 chosen.
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 752 0 non-token data: nspam
> 0.000 0 695 0 non-token data: nham
> 0.000 0 80524 0 non-token data: ntokens
> 0.000 0 1141401016 0 non-token data: oldest atime
> 0.000 0 1159706957 0 non-token data: newest atime
> 0.000 0 0 0 non-token data: last journal sync atime
> 0.000 0 0 0 non-token data: last expiry atime
> 0.000 0 0 0 non-token data: last expire atime delta
> 0.000 0 0 0 non-token data: last expire reduction count
> debug: bayes: 8558 untie-ing
> debug: bayes: 8558 untie-ing db_toks
> debug: bayes: 8558 untie-ing db_seen
>
>
> And it works!!!, I think?

Yes, probably.
You are now learning to a bayes database in ~postfix/.spamassassin, which is good, and since you are getting a bayes score, you seem to have enough ham/spam to let it run like that. I see that the ALL_TRUSTED is firing... Which might indicate a problem, unless that really was a mail from your trusted servers/network(s).... Did you check/set your trusted_networks? Or perhaps your topology doesn't require you to do that. > X-gosemr-MailScanner-SpamCheck: not spam, SpamAssassin (score=-5.899, > required 6, autolearn=not spam, ALL_TRUSTED -3.30, BAYES_00 -2.60), not spam, SpamAssassin (score=-2.599, > required 6, autolearn=not spam, BAYES_00 -2.60) > > Halleluja, > > Thank you Glenn and of course Julian. Glad to be of what help I may. > Kicking spam butt and liking it. > :-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From keith at 12345678.org Tue Oct 3 09:28:30 2006 From: keith at 12345678.org (keith) Date: Tue Oct 3 09:28:41 2006 Subject: 4.56.7-1 & kaspersky 5.5 supported ? Message-ID: <20061003081958.M95052@12345678.org> Hi All, My mailscanner was upgraded to 4.56.7-1 in yesterday, and purchase a new license of kaspersky 5.5 for linux on a centos 4.4 machine, I have seen the MS change log was said kaspersky 5.5 is support, and I changed the mailscanner.conf to "Virus Scanners = bitdefender kaspersky f-prot clamavmodule" , but the ms only can found ClamAV, bitdefender, f-port, how can I tell the mailscanner to use the kaspersky 5.5 ? Thanks -- From martinh at solidstatelogic.com Tue Oct 3 09:28:32 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Oct 3 09:28:49 2006 Subject: URIBL In-Reply-To: References: Message-ID: <45221F30.9030800@solidstatelogic.com> Kevin Miller wrote: > Some while back Julian added the URIBL black and greylist entries in > spam.assassin.prefs.conf but they're commented out by default.
Have > they proven themselves to be pretty reliable - i.e., not a lot of false > positives? I'm inclined to enable them but am interested in some > feedback first. > > Thanks much... > > ...Kevin Kevin been using them since where in beta, no problems. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From MailScanner at ecs.soton.ac.uk Tue Oct 3 09:44:09 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 3 09:44:30 2006 Subject: Custom Header In-Reply-To: <9d2057cc0610010533n41b8a101t41f7a6eec72ec769@mail.gmail.com> References: <9d2057cc0610010533n41b8a101t41f7a6eec72ec769@mail.gmail.com> Message-ID: <452222D9.5070702@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Try: From hotmail.com and to barry@mydomain.com deliver header "X-hotmail-check: yes" You had a space after "*@" (which is unnecessary anyway) and you hadn't told it to deliver the messages. Barry Kwok wrote: > I want to add custom header based on sender's domain and recipeint > address. I add > Non Spam Actions = %rules-dir%/scan.messages.rules > into MailScanner.conf and the scan.messages.rules as: > > From: *@ hotmail.com and To: barry@mydomain.com > header "X-hotmail-check: yes" > FromOrTo: default deliver > > > But it doesn't work > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFIiLZEfZZRxQVtlQRAs3IAKCf5WWWTMB5A+0tASbp0J9QqdY+8ACfYrdT K3MdsaWtw/5W/oqR2LX7nEg= =mV+O -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Oct 3 09:46:38 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 3 09:46:57 2006 Subject: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <452047C0.7010002@rcwm.com> References: <452047C0.7010002@rcwm.com> Message-ID: <4522236E.1030005@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Henry Hollenberg wrote: > It looks like mailscanner is hanging every time it does it's automatic > restart at 14400 sec. > > If I do a manual restart > > /etc/init.d/mailscanner restart > > the logs look like this: > > Oct 1 17:32:06 bastion MailScanner[30537]: MailScanner E-Mail Virus > Scanner version 4.41.3 starting... 
> Oct 1 17:32:06 bastion postfix/smtpd[30539]: connect from > c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] > Oct 1 17:32:06 bastion MailScanner[30537]: Read 120 hostnames from > the phishing whitelist > Oct 1 17:32:09 bastion postfix/smtpd[30539]: NOQUEUE: reject: RCPT > from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131]: 554 Service > unavailable; Client host [69.138.210.131] blocked using > bl.spamcop.net; Blocked - see > http://www.spamcop.net/bl.shtml?69.138.210.131; > from= to= > proto=SMTP helo= > Oct 1 17:32:09 bastion postfix/smtpd[30539]: lost connection after > RCPT from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] > Oct 1 17:32:09 bastion postfix/smtpd[30539]: disconnect from > c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] > Oct 1 17:32:09 bastion MailScanner[30537]: Using locktype = flock What do you think is wrong there? You get a startup notice from it, followed by the locktype notice, all looks fine. Remember MailScanner doesn't have anything to do with your SMTP service. > > > Otherwise the system seems to be hammering the spam.....yeah! > > hgh. Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFIiNvEfZZRxQVtlQRAhIrAKCwWr1vXpYlJjMzqQFGw1ZMaHj2WQCgxbIz B4BvVu+50WUs/LaG7rlGieQ= =5KW0 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Oct 3 09:58:35 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 3 09:58:57 2006 Subject: 4.56.7-1 & kaspersky 5.5 supported ? In-Reply-To: <20061003081958.M95052@12345678.org> References: <20061003081958.M95052@12345678.org> Message-ID: <4522263B.7040103@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You almost certainly need to edit your /etc/MailScanner/virus.scanners.conf to tell it where to find kaspersky. keith wrote: > Hi All, > > My mailscanner was upgraded to 4.56.7-1 in yesterday, and purchase a new > license of kaspersky 5.5 for linux on a centos 4.4 machine, I have seen the > MS change log was said kaspersky 5.5 is support, and I changed the > mailscanner.conf to "Virus Scanners = bitdefender kaspersky f-prot > clamavmodule" , but the ms only can found ClamAV, bitdefender, f-port, how can > I tell the mailscanner to use the kaspersky 5.5 ? > > Thanks > -- > > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: Big5 wj8DBQFFIiY8EfZZRxQVtlQRAgiJAJ4rmOHlVa1hmM8PfEMzQnNDc+nf/ACguuqf 0CN8M0ngSXCMPmEYQxNNPo0= =Ep+4 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit
www.transtec.co.uk From rk at village-net.at Tue Oct 3 10:20:14 2006 From: rk at village-net.at (Rudolf Kliemstein, village-net) Date: Tue Oct 3 10:20:17 2006 Subject: Mailscanner unlinking error Message-ID: <006301c6e6cd$22c7c740$a100a8c0@villagenet.local> Hello, I have the following problem after upgrading to 4.55 Unlinking /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/qfk92F6oIa008264 failed: No such file or directory This appears with some emails but not with all. I have greylisting and sendmail rlb checks running. Could this be related with those services? Thx Best Regards Rudi From rk at village-net.at Tue Oct 3 10:50:26 2006 From: rk at village-net.at (Rudolf Kliemstein, village-net) Date: Tue Oct 3 10:50:38 2006 Subject: AW: Mailscanner unlinking error In-Reply-To: <006301c6e6cd$22c7c740$a100a8c0@villagenet.local> Message-ID: <007101c6e6d1$5cf34d00$a100a8c0@villagenet.local> Some more extensive logs: Oct 3 11:46:32 server MailScanner[20684]: Failed to link message body between queues (/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned/dfk939kWW Q017291 --> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/dfk939kWWQ017291) Oct 3 11:46:33 server MailScanner[20684]: Unlinking /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/qfk939kWWQ017291 failed: No such file or directory Oct 3 11:46:33 server MailScanner[20684]: Unlinking /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/dfk939kWWQ017291 failed: No such file or directory -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rudolf Kliemstein, village-net Sent: Tuesday, 03.
October 2006 11:20 To: mailscanner@lists.mailscanner.info Subject: Mailscanner unlinking error Hello, I have the following problem after upgrading to 4.55 Unlinking /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/qfk92F6oIa008264 failed: No such file or directory This appears with some emails but not with all. I have greylisting and sendmail rlb checks running. Could this be related with those services? Thx Best Regards Rudi -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at mango.zw Tue Oct 3 11:06:50 2006 From: mailscanner at mango.zw (Jim Holland) Date: Tue Oct 3 11:04:19 2006 Subject: AW: Mailscanner unlinking error In-Reply-To: <007101c6e6d1$5cf34d00$a100a8c0@villagenet.local> Message-ID: On Tue, 3 Oct 2006, Rudolf Kliemstein, village-net wrote: > Some more extensive logs: > > Oct 3 11:46:32 server MailScanner[20684]: Failed to link message body > between queues > (/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned/dfk939kWW > Q017291 --> > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/dfk939kWWQ017291) > Oct 3 11:46:33 server MailScanner[20684]: Unlinking > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/qfk939kWWQ017291 > failed: No such file or directory > Oct 3 11:46:33 server MailScanner[20684]: Unlinking > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/dfk939kWWQ017291 > failed: No such file or directory > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rudolf > Kliemstein, village-net > Sent: Tuesday, 03.
October 2006 11:20 > To: mailscanner@lists.mailscanner.info > Subject: Mailscanner unlinking error > > > Hello, > > I have the following problem after upgrading to 4.55 > > Unlinking > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/qfk92F6oIa008264 > failed: No such file or directory > > This appears with some emails but not with all. > I have greylisting and sendmail rlb checks running. Could this be related > with those services? Look at this in MailScanner.conf: # How to lock spool files. # Don't set this unless you *know* you need to. # For sendmail, it defaults to "posix". # For sendmail 8.12 and older, you will probably need to change it to flock, # particularly on Linux systems. # For Exim, it defaults to "posix". # No other type is implemented. Lock Type = posix Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From prandal at herefordshire.gov.uk Tue Oct 3 11:20:25 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Oct 3 11:26:59 2006 Subject: Installing 4.56.7 on RHEL 2.1 Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580F979CD5@isabella.herefordshire.gov.uk> Because newer versions fix bugs? Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Tom G. Christensen > Sent: 03 October 2006 07:30 > To: MailScanner discussion > Subject: Re: Installing 4.56.7 on RHEL 2.1 > > Randal, Phil wrote: > > It would have been easier to upgrade the whole box to > CentOS 3.x or 4.x > > ;-) > > > Had that been the case I would have done so. > > > Your Net::DNS is really old, it might be worthwhile > updating that via > > CPAN. > > > Why? > I realize that 0.59 is out but AFAIK the only requirement for > Net::DNS > on unix is v0.34 or newer so I fail to see the point.
> > > > -tgc > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From MailScanner at ecs.soton.ac.uk Tue Oct 3 11:52:13 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 3 11:52:32 2006 Subject: Installing 4.56.7 on RHEL 2.1 In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580F979CD5@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580F979CD5@isabella.herefordshire.gov.uk> Message-ID: <452240DD.4070605@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I think SpamAssassin requires at least Net::DNS 0.48 for required features. Randal, Phil wrote: > Because newer versions fix bugs? > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Tom G. Christensen >> Sent: 03 October 2006 07:30 >> To: MailScanner discussion >> Subject: Re: Installing 4.56.7 on RHEL 2.1 >> >> Randal, Phil wrote: >> >>> It would have been easier to upgrade the whole box to >>> >> CentOS 3.x or 4.x >> >>> ;-) >>> >>> >> Had that been the case I would have done so. >> >> >>> Your Net::DNS is really old, it might be worthwhile >>> >> updating that via >> >>> CPAN. >>> >>> >> Why? >> I realize that 0.59 is out but AFAIK the only requirement for >> Net::DNS >> on unix is v0.34 or newer so I fail to see the point. >> >> >> >> -tgc >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> >> Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj4DBQFFIkDeEfZZRxQVtlQRAmIVAJME/9bJ3UJlGk32SOeK0QrCGlC4AKCf/vms 472ftn4GQeaPhDjlOzhdsw== =gofn -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From keith at 12345678.org Tue Oct 3 11:59:11 2006 From: keith at 12345678.org (keith) Date: Tue Oct 3 11:59:22 2006 Subject: 4.56.7-1 & kaspersky 5.5 supported ? In-Reply-To: <4522263B.7040103@ecs.soton.ac.uk> References: <20061003081958.M95052@12345678.org> <4522263B.7040103@ecs.soton.ac.uk> Message-ID: <20061003105747.M79263@12345678.org> Thank you, I was found the kaspersky 5.5 new path is changed to /opt/kav/5.5/ , I will check the result for restart service at midnight. Thanks On Tue, 03 Oct 2006 09:58:35 +0100, Julian Field wrote > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You almost certainly need to edit your > /etc/MailScanner/virus.scanners.conf to tell it where to find kaspersky. > > keith wrote: > > Hi All, > > > > My mailscanner was upgraded to 4.56.7-1 in yesterday, and purchase a new > > license of kaspersky 5.5 for linux on a centos 4.4 machine, I have seen the > > MS change log was said kaspersky 5.5 is support, and I changed the > > mailscanner.conf to "Virus Scanners = bitdefender kaspersky f-prot > > clamavmodule" , but the ms only can found ClamAV, bitdefender, f-port, how can > > I tell the mailscanner to use the kaspersky 5.5 ? 
> > > > Thanks > > -- > > > > > > Jules > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your > boss? Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Comment: (pgp-secured) > Charset: Big5 > > wj8DBQFFIiY8EfZZRxQVtlQRAgiJAJ4rmOHlVa1hmM8PfEMzQnNDc+nf/ACguuqf > 0CN8M0ngSXCMPmEYQxNNPo0= > =Ep+4 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- From hgh at rcwm.com Tue Oct 3 12:07:36 2006 From: hgh at rcwm.com (Henry Hollenberg) Date: Tue Oct 3 12:03:57 2006 Subject: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <4522236E.1030005@ecs.soton.ac.uk> References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> Message-ID: <45224478.2030403@rcwm.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Henry Hollenberg wrote: > >>It looks like mailscanner is hanging every time it does it's automatic >>restart at 14400 sec. >> >>If I do a manual restart >> >>/etc/init.d/mailscanner restart >> >>the logs look like this: >> >>Oct 1 17:32:06 bastion MailScanner[30537]: MailScanner E-Mail Virus >>Scanner version 4.41.3 starting... 
>>Oct 1 17:32:06 bastion postfix/smtpd[30539]: connect from >>c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] >>Oct 1 17:32:06 bastion MailScanner[30537]: Read 120 hostnames from >>the phishing whitelist >>Oct 1 17:32:09 bastion postfix/smtpd[30539]: NOQUEUE: reject: RCPT >>from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131]: 554 Service >>unavailable; Client host [69.138.210.131] blocked using >>bl.spamcop.net; Blocked - see >>http://www.spamcop.net/bl.shtml?69.138.210.131; >>from= to= >>proto=SMTP helo= >>Oct 1 17:32:09 bastion postfix/smtpd[30539]: lost connection after >>RCPT from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] >>Oct 1 17:32:09 bastion postfix/smtpd[30539]: disconnect from >>c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] >>Oct 1 17:32:09 bastion MailScanner[30537]: Using locktype = flock > > What do you think is wrong there? You get a startup notice from it, > followed by the locktype notice, all looks fine. Remember MailScanner > doesn't have anything to do with your SMTP service. > > Jules > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store Are you suggesting I change the locktype? It did hang again last night, and bayesian db is working now as is pyzor and razor, so I don't think they are hanging things up. Thanks, hgh. -- Henry Hollenberg hgh@rcwm.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From tim at denmantire.com Tue Oct 3 12:21:29 2006 From: tim at denmantire.com (Tim Boyer) Date: Tue Oct 3 12:21:53 2006 Subject: Reject vs. bounce References: <4521DFA1.7010302@pacific.net> Message-ID: On Mon, 02 Oct 2006 20:57:21 -0700, Ken wrote: >Tim Boyer wrote: >> Apologies if this has been discussed ad infinitum before. 
I've been running a >> mailserver since 1996, but just heard about MailScanner Saturday, thanks to >> Steve Swaney's excellent talk at the Ohio LinuxFest. >> >> I've been using DNSBLs and a private blocklist with SpamAssassin, and ClamAV as >> milters, so when I reject an email it's rejected, not bounced back to the >> (99.999% bogus) 'From" address. >> >> I've heard and read that MailScanner has a 'bounce' option. Is this what I >> think it is - a bounce back to the 'From'? Or is it a reject before the >> connection's been dropped and the email accepted? >> >> >The 'Feature' is pretty much useless, as has been mentioned here many >times. >I'd only add that you can do both what you are doing now AND run >MailScanner to further process your mail using more aggressive >spamassassin rulesets. Because MailScanner queues and scans mail with a >perl process that uses the spamassassin perl api, you can run tons of SA >rules, rbl and uribl tests, plugins and virus scanners as long as you >dedicate sufficient resources to the process. It's much more than you >can do in an smtp transaction. Most users here combine the fast milters >doing some rejections, with MailScanner & SpamAssassin doing the heavy >work. >Ken Anderson >Pacific.Net That's what I'm doing now, in the smtp transaction, using the MIMEDefang milter - running all my SpamAssassin tests there. My fear is that if I move them from there to a post-smtp scan, I'll lose the ability to reject. For instance, we once got a legitimate sales request that scored over 19 on SA. /dev/null fodder if ever there was one, but because I reject with a 'email postmaster if you're real' message, they re-sent and it got through. If I scan afterwards, my only real options are discard it or tag it and do something with it, right? 
-- tim boyer tim@denmantire.com From glenn.steen at gmail.com Tue Oct 3 12:27:48 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 3 12:27:52 2006 Subject: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <45224478.2030403@rcwm.com> References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> Message-ID: <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> On 03/10/06, Henry Hollenberg wrote: > Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > > > Henry Hollenberg wrote: > > > >>It looks like mailscanner is hanging every time it does it's automatic > >>restart at 14400 sec. > >> > >>If I do a manual restart > >> > >>/etc/init.d/mailscanner restart > >> > >>the logs look like this: > >> > >>Oct 1 17:32:06 bastion MailScanner[30537]: MailScanner E-Mail Virus > >>Scanner version 4.41.3 starting... > >>Oct 1 17:32:06 bastion postfix/smtpd[30539]: connect from > >>c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] > >>Oct 1 17:32:06 bastion MailScanner[30537]: Read 120 hostnames from > >>the phishing whitelist > >>Oct 1 17:32:09 bastion postfix/smtpd[30539]: NOQUEUE: reject: RCPT > >>from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131]: 554 Service > >>unavailable; Client host [69.138.210.131] blocked using > >>bl.spamcop.net; Blocked - see > >>http://www.spamcop.net/bl.shtml?69.138.210.131; > >>from= to= > >>proto=SMTP helo= > >>Oct 1 17:32:09 bastion postfix/smtpd[30539]: lost connection after > >>RCPT from c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] > >>Oct 1 17:32:09 bastion postfix/smtpd[30539]: disconnect from > >>c-69-138-210-131.hsd1.md.comcast.net[69.138.210.131] > >>Oct 1 17:32:09 bastion MailScanner[30537]: Using locktype = flock > > > > What do you think is wrong there? You get a startup notice from it, > > followed by the locktype notice, all looks fine. Remember MailScanner > > doesn't have anything to do with your SMTP service. 
> > > > Jules > > > > - -- > > Julian Field > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > Are you suggesting I change the locktype? > > It did hang again last night, and bayesian db is working now as is > pyzor and razor, so I don't think they are hanging things up. > No, changing the locktype shouldn't affect your situation, since you use Postfix... What might be happening would be if some stray non-queue file ends up in the hold queue. Check that that isn't happening. Depending on what you find, you should be able to determine if that is it, and if so... what is responsible for putting it there:-). Might be razor still being a bit confused where the logfile should go (fix is to make sure it knows where to put it by way of the razor-agent.conf file setting... and making sure the postfix user can write where you say it should go), or perhaps the tnef expander placing a file wrong... (don't remember the fix for that... Search the archives, it has cropped up before... Perhaps switch to the internal one). HtH -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Oct 3 12:43:30 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 3 12:43:33 2006 Subject: Reject vs. bounce In-Reply-To: References: <4521DFA1.7010302@pacific.net> Message-ID: <223f97700610030443l50b5c5a0r46c8f886d8cd8eb@mail.gmail.com> On 03/10/06, Tim Boyer wrote: (Snip good comment by Ken A) > > That's what I'm doing now, in the smtp transaction, using the MIMEDefang milter > - running all my SpamAssassin tests there. My fear is that if I move them from > there to a post-smtp scan, I'll lose the ability to reject. Well, from a resource standpoint... You'd only be able to do rejection after DATA, so all that would land you is that you don't "take responsibility" for the NDN... You still gobble down all the message.
> For instance, we once got a legitimate sales request that scored over 19 on SA. > /dev/null fodder if ever there was one, but because I reject with a 'email > postmaster if you're real' message, they re-sent and it got through. If I scan > afterwards, my only real options are discard it or tag it and do something with > it, right? To be able to do that type of thing, you'd be needing "bounces" yes. Or use a quarantine, perhaps with a very short retention period (perhaps only viable for smaller setups, like mine:-). Then again, if the sales request ended up with 19 points, it probably hit a lot of rules... One might argue they got what they deserved:-):-). You could alleviate that type of thing with SA whitelistings (perhaps the spf thingies, if you can use that for those senders). But the bottom line is: MailScanner doesn't do SMTP, the MTAs do that. So, in some situations you end up doing things quite differently than you would've (perhaps "not at all":-) with a more SMTP-aware product. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From tgc at statsbiblioteket.dk Tue Oct 3 13:01:56 2006 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Tue Oct 3 13:02:01 2006 Subject: Installing 4.56.7 on RHEL 2.1 In-Reply-To: <452240DD.4070605@ecs.soton.ac.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580F979CD5@isabella.herefordshire.gov.uk> <452240DD.4070605@ecs.soton.ac.uk> Message-ID: <45225134.6050707@statsbiblioteket.dk> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I think SpamAssassin requires at least Net::DNS 0.48 for required features. > This is taken directly from SA 3.1.5 install notes: - version 0.34 or higher on Unix systems - version 0.46 or higher on Windows systems I think it's pretty safe to say that 0.34 or newer will do the trick on Unix.
I actually went to the trouble of looking through the changelog for Net::DNS and I didn't spot any fixes important enough to warrant an upgrade. -tgc From tgc at statsbiblioteket.dk Tue Oct 3 13:05:34 2006 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Tue Oct 3 13:05:36 2006 Subject: Installing 4.56.7 on RHEL 2.1 In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580F979CD5@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580F979CD5@isabella.herefordshire.gov.uk> Message-ID: <4522520E.1020808@statsbiblioteket.dk> Randal, Phil wrote: > Because newer versions fix bugs? > Yes but they also introduce new ones. -tgc > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Tom G. Christensen >> Sent: 03 October 2006 07:30 >> To: MailScanner discussion >> Subject: Re: Installing 4.56.7 on RHEL 2.1 >> >> Randal, Phil wrote: >>> It would have been easier to upgrade the whole box to >> CentOS 3.x or 4.x >>> ;-) >>> >> Had that been the case I would have done so. >> >>> Your Net::DNS is really old, it might be worthwhile >> updating that via >>> CPAN. >>> >> Why? >> I realize that 0.59 is out but AFAIK the only requirement for >> Net::DNS >> on unix is v0.34 or newer so I fail to see the point. >> >> >> >> -tgc From rk at village-net.at Tue Oct 3 13:59:05 2006 From: rk at village-net.at (Rudolf Kliemstein, village-net) Date: Tue Oct 3 13:59:14 2006 Subject: AW: AW: Mailscanner unlinking error In-Reply-To: Message-ID: <008a01c6e6eb$b5198750$a100a8c0@villagenet.local> Yeah this helped, thx a lot! Mag.
Rudolf Kliemstein --------------------------------------- village-net internet services Rathausplatz 5 4701 Bad Schallerbach t.: +43-7249-48069-0 f.: +43-7249-48069-72 e.: rk@village-net.at -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jim Holland Sent: Tuesday, 03. October 2006 12:07 To: MailScanner discussion Subject: Re: AW: Mailscanner unlinking error On Tue, 3 Oct 2006, Rudolf Kliemstein, village-net wrote: > Some more extensive logs: > > Oct 3 11:46:32 server MailScanner[20684]: Failed to link message body > between queues > (/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned/dfk > 939kWW > Q017291 --> > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/dfk939kWWQ01 > 7291) Oct 3 11:46:33 server MailScanner[20684]: Unlinking > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/qfk939kWWQ01 > 7291 > failed: No such file or directory > Oct 3 11:46:33 server MailScanner[20684]: Unlinking > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/dfk939kWWQ01 > 7291 > failed: No such file or directory > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Rudolf Kliemstein, village-net > Sent: Tuesday, 03. October 2006 11:20 > To: mailscanner@lists.mailscanner.info > Subject: Mailscanner unlinking error > > > Hello, > > I have the following problem after upgrading to 4.55 > > Unlinking > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue/qfk92F6oIa00 > 8264 > failed: No such file or directory > > This appears with some emails but not with all. > I have greylisting and sendmail rlb checks running. Could this be > related with those services? Look at this in MailScanner.conf: # How to lock spool files. # Don't set this unless you *know* you need to. # For sendmail, it defaults to "posix".
# For sendmail 8.12 and older, you will probably need to change it to flock, # particularly on Linux systems. # For Exim, it defaults to "posix". # No other type is implemented. Lock Type = posix Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From brian.duncan at kattenlaw.com Tue Oct 3 14:43:17 2006 From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Tue Oct 3 14:43:25 2006 Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spam scoring? Message-ID: <65234743FE1555428435CE39E6AC4078B38A3D@CHI-US-EXCH-01.us.kmz.com> For those of us that are environments that support MS Exchange and Outlook 2003+ at the desktop, the capability to support MS IMF (MS Exchange Intelligent Message Filter scoring) from the network edge is very beneficial. Most organizations that have SpamAssassin/Mailscanner at the edge of their network rely on custom created rules on clients to move the SpamAssassin tagged messages into their local "Junk-Mail" folder or Spam folder - Or delete them right away. This leads to support issues in large organizations. Creating custom exceptions etc, usually in most companies these local users cannot manage the rules efficiently. MS in the last year has released a free add-on for Exchange that works very similarly to SpamAssassin it assigns a Score to a message that looks to be in the headers. Exchange will then automatically put messages based on the local Outlook clients preference level into their local Junk Mail folder. The great thing with this is that users can just right click on messages and add to their "white list" or do complete domains. No custom scripts to create, much easier to support in a large environment. 

If SpamAssassin/Mailscanner could support adding the IMF headers at the edge, then those that would still like to leverage a SpamAssassin (or any product for that matter, as long as it used the IMF score header) solution at the edge of their network they could do so easily. You could tune your MS Exchange servers to not be reactive and the SpamAssassin edge products would dictate what was Spam and what was not.

Microsoft with Exchange 12 is pushing companies into putting Exchange at the edge of a network. I have already had this discussion in my environment and that I do not think it makes sense given that Sendmail + Mailscanner + SpamAssassin is almost rock solid.

At the end of this is a previous message to this mailing list that is asking for the same thing that I am.

Does anyone have anything to add to this or is this request really not that worthwhile.

Just the capability of being able to add a generic header to all Spam detected messages would be a great start:

X-MS-Exchange-Organization-SCL: 6.5

(I have already tested this, all headers that are added by Mailscanner seems to include additional information added to the same line)

Thanks

Brian Duncan

brian.duncan@kattenlaw.com

P.S.

There is already a product that can sit on an Exchange server that will convert SpamAssassin scores to equivalent MS IMF Scores. It would be great if we could handle it from the Unix/Linux side transparently. (It's called Assassin2Exchange filter)

http://www.smtptracker.com/

Previous message that went unanswered to this list:

>Exchange 2003 SP2 has added a "Intelligent Mail Filter" to allow it to deal with spam messages identified by systems like MailScanner or other appliance based solutions.

>Basically, it looks for the following header(s):

>X-MS-Exchange-Organization-PCL: (Phishing Confidence Level)
>X-MS-Exchange-Organization-SCL: (Spam Confidence Level)

>More details can be found at:

>http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/28d3a5c2-8509-4b25-9876-763536e77c27.mspx?mfr=true

>So, my question is -- can I add this header with MailScanner, inserting the appropriate spam score after the header, e.g.:

>X-MS-Exchange-Organization-SCL:5

>The trick is, I don't want to mess with my existing header adds, I want to add this in addition to my normal ones (X-Spam-Score: XX). I see where I can add additional headers in the:

>Spam Actions = deliver header "X-Spam-Status: Yes"

>However, it is unclear how to insert the spam score "value" in the "value" area that it needs to be in. It is also unclear from the Microsoft docs if the "score" can be anything other than whole numbers (e.g. can't be 5.5 but 5 is OK). So, a way to "round" the score would be helpful.

>Any pointers?

>--

>-----------------------------------------
>Mike Bacher / listacct@tulsaconnect.com
>TCIS - TulsaConnect Internet Services
>http://www.tulsaconnect.com
>-----------------------------------------

===========================================================
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer.
===========================================================
CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies.
===========================================================
NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997).
===========================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061003/2499d171/attachment.html

From cornelius.koelbel at gmx.de Tue Oct 3 15:42:08 2006
From: cornelius.koelbel at gmx.de (Cornelius Koelbel)
Date: Tue Oct 3 15:42:18 2006
Subject: Panda Wrapper
In-Reply-To: <223f97700610030111m1467df9bx8aafdfbc6102c447@mail.gmail.com>
References: <45218FA4.7000800@gmx.de> <223f97700610030111m1467df9bx8aafdfbc6102c447@mail.gmail.com>
Message-ID: <452276C0.8010603@gmx.de>

OK, thanks.

Cornelius

Glenn Steen wrote:
> On 03/10/06, Cornelius Koelbel wrote:
>> Hi,
>>
>> something seems to be wrong with the panda wrapper.
>>
>> When testing the wrapper with
>> /usr/lib/MailScanner/panda-wrapper /opt/pavcl/usr /tmp/
>> it will not return.
>> The call
>> /opt/pavcl/usr /tmp/
>> opens an interactive text interface.
>>
>> Using
>> ame : pavcl Relocations: (not relocatable)
>> Version : 9.0.0 Vendor: (none)
>>
>> and
>> Name : mailscanner Relocations: (not relocatable)
>> Version : 4.55.10 Vendor: Electronics and Computer Science, University of Southampton
>>
>> Kind regards
>> Cornelius
>
> Read the wrapper file and you'll find that you are probably "calling it the wrong way":-).
> This is what it says:
> -------
> # To test from the command line change to the directory you wish to
> # check and issue this command (change paths to reflect your install)
> # "/opt/MailScanner/lib/panda-wrapper /usr -nsb -eng -aex -nso -aut -cmp ."
> # Make sure your testing dir is one directory deep (don't for get the . BTW)
> # example
> # test+
> # .+ testfiles
> # .+ moretestfiles
> # execute from directory test and it will scan the testfiles and moretestfiles
> # directories. There should be no sub-dirs below those two, this simulates
> # MailScanner's process-dir->message-dir structure
> -------
>
> With the latest panda out, this wrapper should be rewritten... If only one had the time...:-)
> I don't remember if the options still work as expected... there was something about that a while back, so check the archives.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3641 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061003/940342e2/smime.bin

From ka at pacific.net Tue Oct 3 16:03:24 2006
From: ka at pacific.net (Ken A)
Date: Tue Oct 3 16:01:47 2006
Subject: Reject vs. bounce
In-Reply-To:
References: <4521DFA1.7010302@pacific.net>
Message-ID: <45227BBC.9080303@pacific.net>

Tim Boyer wrote:
> On Mon, 02 Oct 2006 20:57:21 -0700, Ken wrote:
>
>> Tim Boyer wrote:
>>> Apologies if this has been discussed ad infinitum before. I've been running a mailserver since 1996, but just heard about MailScanner Saturday, thanks to Steve Swaney's excellent talk at the Ohio LinuxFest.
>>>
>>> I've been using DNSBLs and a private blocklist with SpamAssassin, and ClamAV as milters, so when I reject an email it's rejected, not bounced back to the (99.999% bogus) 'From" address.
>>>
>>> I've heard and read that MailScanner has a 'bounce' option. Is this what I think it is - a bounce back to the 'From'? Or is it a reject before the connection's been dropped and the email accepted?
>>>
>>>
>> The 'Feature' is pretty much useless, as has been mentioned here many times.
>> I'd only add that you can do both what you are doing now AND run MailScanner to further process your mail using more aggressive spamassassin rulesets. Because MailScanner queues and scans mail with a perl process that uses the spamassassin perl api, you can run tons of SA rules, rbl and uribl tests, plugins and virus scanners as long as you dedicate sufficient resources to the process. It's much more than you can do in an smtp transaction. Most users here combine the fast milters doing some rejections, with MailScanner & SpamAssassin doing the heavy work.
>> Ken Anderson
>> Pacific.Net
>
> That's what I'm doing now, in the smtp transaction, using the MIMEDefang milter - running all my SpamAssassin tests there. My fear is that if I move them from there to a post-smtp scan, I'll lose the ability to reject.

Is running SA in both places with different rules not possible? I'd try that if I had the time to set it up!

> For instance, we once got a legitimate sales request that scored over 19 on SA. /dev/null fodder if ever there was one, but because I reject with a 'email postmaster if you're real' message, they re-sent and it got through. If I scan afterwards, my only real options are discard it or tag it and do something with it, right?

Right.

Ken A
Pacific.Net

From mkettler at evi-inc.com Tue Oct 3 16:34:51 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Oct 3 16:35:07 2006
Subject: "Friends Only"
In-Reply-To:
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45218A81.20503@evi-inc.com>
Message-ID: <4522831B.8030900@evi-inc.com>

Dan Hollis wrote:
> On Mon, 2 Oct 2006, Matt Kettler wrote:
>> Dan Hollis wrote:
>>> On Mon, 2 Oct 2006, Martin Hepworth wrote:
>>>> Besides milter-sender there's also milter-ahead which checks the 'to' address existing on your system (if you're not using sendmail see the mailScanner wiki for your MTA on how to do this). Again using this technique you can drop over 66% of inbound traffic...
>>> Is there any milter which checks the SOA of URLs in the message body and drops them if the SOA is in china (or pakistan, or wherever)?
>> Not that I know of.
>> That and you'd probably have a lot more false positives here than you expect.
>>
>> With the amount of "farming out" of basic web-presence services, where the website's DNS hosting lives really has very little to do with where the company that owns it is.
>> I mean, if I get re-routed to India when I call a US-based company for tech support, why should I expect to have a US-based DNS server for their website?
>
> Why shouldn't I be able to blacklist individual known spam SOAs?

That's perfectly reasonable.. But it's not what you asked for. You asked for geographic location based blacklisting.

From bpumphrey at woodmclaw.com Tue Oct 3 16:57:26 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Tue Oct 3 16:57:30 2006
Subject: How to tell if SpamAssassin Bayasian filtering is working
In-Reply-To: <1356937812.20060929212711@bayerfamily.net>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501729759@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonathan B. Bayer
> Sent: Friday, September 29, 2006 9:27 PM
> To: MailScanner discussion
> Subject: Re[2]: How to tell if SpamAssassin Bayasian filtering is working
>
> Hello Martin,
>
> OK. I've downloaded and installed the starter DB. How can I tell if the Bayes is working, both the scanning and the autolearn?
>
> Thanks
>
>

One way is to run this command every few minutes or longer and see if the numbers increase as emails are hopefully getting learned.

sa-learn --dump magic

From mailscanner at mango.zw Tue Oct 3 17:19:12 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Tue Oct 3 17:16:43 2006
Subject: Reject vs. bounce
In-Reply-To: <223f97700610030443l50b5c5a0r46c8f886d8cd8eb@mail.gmail.com>
Message-ID:

> On 03/10/06, Tim Boyer wrote:
> (Snip good comment by Ken A)
> >
> > That's what I'm doing now, in the smtp transaction, using the MIMEDefang milter - running all my SpamAssassin tests there. My fear is that if I move them from there to a post-smtp scan, I'll lose the ability to reject.
>
> Well, from a resource standpoint... You'd only be able to do rejection after DATA, so all that would land you is that you don't "take responsibility" for the NDN... You still gobble down all the message.
>
> > For instance, we once got a legitimate sales request that scored over 19 on SA. /dev/null fodder if ever there was one, but because I reject with a 'email postmaster if you're real' message, they re-sent and it got through. If I scan afterwards, my only real options are discard it or tag it and do something with it, right?

eg quarantine it - see below.

> To be able to do that type of thing, you'd be needing "bounces" yes.

Bouncing should always be done at SMTP time and not by MailScanner - for reasons already stated by others.

> Or use a quarantine, perhaps with a very short retention period (perhaps only viable for smaller setups, like mine:-).

Once mail has been accepted then why not quarantine all mail that is flagged as spam? An essential component of managing spam is to notify users of what has been rejected, and to quarantine the marginal mail rather than deleting it or rejecting it. We send out two separate notifications per day to our users - one that indicates the mail that has been bounced at SMTP time, with reports in the following format:

Oct 2 14:56:02
  sender: vczr@chrispowerz.wanadoo.co.uk
  recip: user@mango.zw
  server: dsl.static81214188253.ttnet.net.tr

and the other that indicates mail that has been quarantined (where more information is available for the report):

02 Oct 2006 06:30:49
  From: "PokerBot Max"
  Server: static-66-16-28-242.dsl.cavtel.net [66.16.28.242]
  Date: Sun 01 Oct 2006 23:28:06 -0600
  Subject: Make Money Online with PokerBot
  Saved as: user@mango.zw 20061002/spam/k924USZ9020056

The server information is useful for users to quickly pick out the origin of the message and often gives a very good indication of the likelihood of the mail being genuine or not.

I guess that we would probably bounce or block around 85% of incoming connections, with the remainder being split between genuine and quarantined mail. We typically quarantine only around 650 messages per day, so the storage requirement for our 2500 users is not significant - we keep it for 90 days.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From sandrews at andrewscompanies.com Tue Oct 3 17:17:19 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Tue Oct 3 17:17:25 2006
Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spamscoring?
Message-ID: <1964AAFBC212F742958F9275BF63DBB0429535@winchester.andrewscompanies.com>

If I read this right, that capability is already in mailscanner...take a look under your "what to do with spam" section, where it says Spam Actions = typical is deliver, but you could have "deliver header X-MS-Exchange-Organization-SCL: 6.5" in there just as well. You could give it some high SCL for the high spam that matches what you're looking for on the exchange side for the SCL. So what if it's not the PRECISE score in SCL terms, only so that it trips the trigger for the right behavior on the exchange side.

Steve

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061003/65d6c7c1/attachment.html

From mike at tc3net.com Tue Oct 3 17:35:52 2006
From: mike at tc3net.com (Michael Baird)
Date: Tue Oct 3 17:33:42 2006
Subject: MailScanner settings
Message-ID: <1159893352.18636.8.camel@localhost>

I've got a canned hosting package which uses MailScanner (Ensim). It doesn't use spamassassin within mailscanner, but I've activated spam checks and added spam lists. My question is, with spamassassin = no do the high scoring spam actions work in relation to the spam lists (I want 2 hits of spam list to go high scoring which I want to have deleted at this point in processing).

Regards
Michael Baird

From mailscanner at mango.zw Tue Oct 3 17:36:33 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Tue Oct 3 17:33:55 2006
Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spam scoring?
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A3D@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

On Tue, 3 Oct 2006, Duncan, Brian M. wrote:

> Previous message that went unanswered to this list:
>
> >Exchange 2003 SP2 has added a "Intelligent Mail Filter" to allow it to deal with spam messages identified by systems like MailScanner or other appliance based solutions.
>
> >Basically, it looks for the following header(s):
>
> >X-MS-Exchange-Organization-PCL: (Phishing Confidence Level)
> >X-MS-Exchange-Organization-SCL: (Spam Confidence Level)
>
> >More details can be found at:
>
> >http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/28d3a5c2-8509-4b25-9876-763536e77c27.mspx?mfr=true
>
> >So, my question is -- can I add this header with MailScanner, inserting the appropriate spam score after the header, e.g.:
>
> >X-MS-Exchange-Organization-SCL:5
>
> >The trick is, I don't want to mess with my existing header adds, I want to add this in addition to my normal ones (X-Spam-Score: XX). I see where I can add additional headers in the:
>
> >Spam Actions = deliver header "X-Spam-Status: Yes"
>
> >However, it is unclear how to insert the spam score "value" in the "value" area that it needs to be in. It is also unclear from the Microsoft docs if the "score" can be anything other than whole numbers (e.g. can't be 5.5 but 5 is OK). So, a way to "round" the score would be helpful.
>
> >Any pointers?

If the MailScanner/SpamAssassin system has determined that the message is spam, why not always add a fixed header such as:

X-MS-Exchange-Organization-SCL: 10

so that the message will always be quarantined by Exchange? I don't see the benefit of using variable values for the spam score at this point.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From brian.duncan at kattenlaw.com Tue Oct 3 17:50:17 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Tue Oct 3 17:50:27 2006
Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spam scoring?
Message-ID: <65234743FE1555428435CE39E6AC4078B38A41@CHI-US-EXCH-01.us.kmz.com>

Thanks, actually it looks like that is probably the best method. I was not even thinking of the use of the Spam Actions section. duh

I was more focused on the section of the config for Spam Header and Mail Header for Mailscanner.

Thanks!
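
The whole-number SCL stamping this thread asks about (rounding a fractional SpamAssassin score, or using one fixed value), as an added example that is not part of any poster's message and not MailScanner code. The score thresholds, function names and sample message are assumptions, and it assumes the SCL must be a whole number from 0 to 9.

```python
from email import message_from_string
from email.message import Message

SCL_HEADER = "X-MS-Exchange-Organization-SCL"  # header name quoted in the thread

# Hypothetical thresholds (an assumption, not MailScanner or Microsoft values):
# (minimum SpamAssassin score, SCL to stamp), ordered from highest to lowest.
SCORE_TO_SCL = [(15.0, 9), (10.0, 8), (7.0, 7), (5.0, 6), (3.0, 3), (0.0, 1)]


def scl_for_score(sa_score: float) -> int:
    """Map a fractional SpamAssassin score to a whole-number SCL in 0..9."""
    for minimum, scl in SCORE_TO_SCL:
        if sa_score >= minimum:
            return scl
    return 0  # negative scores are treated as clean


def stamp_scl(raw_message: str, sa_score: float) -> Message:
    """Return the message carrying exactly one SCL header, set by the edge."""
    msg = message_from_string(raw_message)
    # Remove every SCL header that arrived with the message (the match is
    # case-insensitive), so a value supplied by the sender is never the one
    # the mail store acts on.
    del msg[SCL_HEADER]
    msg[SCL_HEADER] = str(scl_for_score(sa_score))
    return msg


# Constructed sample: a message that already carries two sender-supplied
# SCL headers claiming to be clean.
SAMPLE = (
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "X-MS-Exchange-Organization-SCL: -1\n"
    "x-ms-exchange-organization-scl: 0\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    stamped = stamp_scl(SAMPLE, 6.5)
    print(stamped.get_all(SCL_HEADER))
```
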

From christian at columbiafuels.com Tue Oct 3 17:52:04 2006
From: christian at columbiafuels.com (Christian Rasmussen)
Date: Tue Oct 3 17:52:14 2006
Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spamscoring?
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A3D@CHI-US-EXCH-01.us.kmz.com>
Message-ID: <2023D81BC0235143A46589958FF543F502F5D9E6@bigbird.columbiafuels.com>

I've been using the exchange features to assign a SCL score to any message that has the tag added by the mailscanner server. You can set it up so that all of those tagged messages go automatically to the exchange user's junk email folder. I haven't had any complaints about it and it allows for easier cleanup of those messages later.

If anyone is interested, check out the following page

http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html

Once you have it enabled, just create a rule in your MSExchange.UceContentFilter.xml with something similar to:

To tag it with any score you've set above your junk level (in the above example 8)

Cheers,
-Christian

From spamtrap71892316634 at anime.net Tue Oct 3 18:49:53 2006
From: spamtrap71892316634 at anime.net (Dan Hollis)
Date: Tue Oct 3 18:49:57 2006
Subject: "Friends Only"
In-Reply-To:
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45218A81.20503@evi-inc.com>
Message-ID:

On Tue, 3 Oct 2006, James Gray wrote:
> On 03/10/2006, at 10:11 AM, Dan Hollis wrote:
>> Why shouldn't I be able to blacklist individual known spam SOAs?
> Why not use the URIBL lists like "OutBlaze" and friends. Not exactly what you're after but I've found them extremely effective in combating URLs etc that link to known spammers' domains.

The problem is that spammers are now using hundreds of totally randomized domains, making URIBL pretty useless.

-Dan

From mkettler at EVI-INC.COM Tue Oct 3 19:08:53 2006
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Tue Oct 3 19:09:21 2006
Subject: "Friends Only"
In-Reply-To:
References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45218A81.20503@evi-inc.com>
Message-ID: <4522A735.4070500@evi-inc.com>

Dan Hollis wrote:
> On Tue, 3 Oct 2006, James Gray wrote:
>> On 03/10/2006, at 10:11 AM, Dan Hollis wrote:
>>> Why shouldn't I be able to blacklist individual known spam SOAs?
>> Why not use the URIBL lists like "OutBlaze" and friends. Not exactly what you're after but I've found them extremely effective in combating URLs etc that link to known spammers' domains.
>
> The problem is that spammers are now using hundreds of totally randomized domains, making URIBL pretty useless.
>
> -Dan

Really? mine hit beautifully. Why do you think uribl is useless?
JP has hit over 38% of the total mail volume on my server this week! Over 87 percent of my spam-tagged mail has been hit by at least one URIBL rule (uribl.com, surbl.org or sbl)

Some stats:

total spam: 4587
total not spam: 3383
total email examined by SA : 7970
any uribl, spam tagged 4020
any uribl, not spam tagged 110
total any uribl 4130

In the face of stats like that, how can you even begin to say the URIBLs are "pretty useless".

Try the attached shell script. It assumes you log spam and nonspam results in MailScanner format to /var/log/maillog, but it should get you some basic stats on how your URIBL rules are doing.

-------------- next part --------------
#!/bin/sh
echo URIBL_BLACK
grep URIBL_BLACK /var/log/maillog |wc -l
echo URIBL_GREY
grep URIBL_GREY /var/log/maillog |wc -l
echo URIBL_BLACK_OVERLAP
grep URIBL_BLACK_OVERLAP /var/log/maillog |wc -l
echo URIBL_AB_SURBL
grep URIBL_AB_SURBL /var/log/maillog |wc -l
echo URIBL_JP_SURBL
grep URIBL_JP_SURBL /var/log/maillog |wc -l
echo URIBL_OB_SURBL
grep URIBL_OB_SURBL /var/log/maillog |wc -l
echo URIBL_SC_SURBL
grep URIBL_SC_SURBL /var/log/maillog |wc -l
echo URIBL_WS_SURBL
grep URIBL_WS_SURBL /var/log/maillog |wc -l
echo SURBL_MULTI1
grep SURBL_MULTI1 /var/log/maillog |wc -l
echo SURBL_MULTI2
grep SURBL_MULTI2 /var/log/maillog |wc -l
echo SURBL_MULTI3
grep SURBL_MULTI3 /var/log/maillog |wc -l
echo SURBL_MULTI4
grep SURBL_MULTI4 /var/log/maillog |wc -l
echo total spam:
grep " is spam, SpamAssassin" /var/log/maillog |wc -l
echo total not spam:
grep " is not spam, SpamAssassin" /var/log/maillog |wc -l
echo total email examined by SA :
grep " spam, SpamAssassin" /var/log/maillog |wc -l
echo any uribl, spam tagged
grep " is spam, SpamAssassin" /var/log/maillog | grep "URIBL_" |wc -l
echo any uribl, not spam tagged
grep " is not spam, SpamAssassin" /var/log/maillog | grep "URIBL_" |wc -l
echo total any uribl
grep "URIBL_" /var/log/maillog |wc -l

From Phil.Udel at SalemCorp.com Tue Oct 3 19:35:27 2006
From: Phil.Udel at
SalemCorp.com (Phil Udel) Date: Tue Oct 3 19:35:34 2006 Subject: Logwatch Update In-Reply-To: <4522A735.4070500@evi-inc.com> Message-ID: <200610031836.k93IagoW027688@cat.salemcarriers.com> Hi Not sure if anyone would like this but I just finished updating my MS Logwatch Script. I add Mailwatch, Whitelist SQL, Blacklist SQL, Clamav, and Some other messages I cleaned up about 28 Daily **Unmatched Entries** From ssilva at sgvwater.com Tue Oct 3 19:34:08 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 3 19:36:04 2006 Subject: Reject vs. bounce In-Reply-To: References: <223f97700610030443l50b5c5a0r46c8f886d8cd8eb@mail.gmail.com> Message-ID: Jim Holland spake the following on 10/3/2006 9:19 AM: >> On 03/10/06, Tim Boyer wrote: >> (Snip good comment by Ken A) >>> That's what I'm doing now, in the smtp transaction, using the MIMEDefang milter >>> - running all my SpamAssassin tests there. My fear is that if I move them from >>> there to a post-smtp scan, I'll lose the ability to reject. >> Well, from a resource standpoint... You'd only be able to do rejection >> after DATA, so all that would land you is that you don't "take >> responsibility" for the NDN... You still gobble down all the message. >> >>> For instance, we once got a legitimate sales request that scored over 19 on SA. >>> /dev/null fodder if ever there was one, but because I reject with a 'email >>> postmaster if you're real' message, they re-sent and it got through. If I scan >>> afterwards, my only real options are discard it or tag it and do something with >>> it, right? > > eg quarantine it - see below. > >> To be able to do that type of thing, you'd be needing "bounces" yes. > > Bouncing should always be done at SMTP time and not by MailScanner - for > reasons already stated by others. > >> Or use a quarantine, perhaps with a very short retention period >> (perhaps only viable for smaller setups, like mine:-). 
> > Once mail has been accepted then why not quarantine all mail that is > flagged as spam? > > An essential component of managing spam is to notify users of what has > been rejected, and to quarantine the marginal mail rather than deleting it > or rejecting it. We send out two separate notifications per day to our > users - one that indicates the mail that has been bounced at SMTP time, > with reports in the following format: > > Oct 2 14:56:02 > sender: vczr@chrispowerz.wanadoo.co.uk > recip: user@mango.zw > server: dsl.static81214188253.ttnet.net.tr > > and the other that indicates mail that has been quarantined (where more > information is available for the report): > > 02 Oct 2006 06:30:49 > From: "PokerBot Max" > Server: static-66-16-28-242.dsl.cavtel.net [66.16.28.242] > Date: Sun 01 Oct 2006 23:28:06 -0600 > Subject: Make Money Online with PokerBot > Saved as: user@mango.zw 20061002/spam/k924USZ9020056 > > The server information is useful for users to quickly pick out the origin > of the message and often gives a very good indication of the likelihood of > the mail being genuine or not. > > I guess that we would probably bounce or block around 85% of incoming > connections, with the remainder being split between genuine and > quarantined mail. We typically quarantine only around 650 messages per > day, so the storage requirement for our 2500 users is not significant - we > keep it for 90 days. > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > Do you have any plans to share your scripts for notifying users? I know that quarantine report does the latter, but I am curious about the notifies on SMTP dropped mail. Sure, it isn't a "difficult" process, but why re-invent the wheel? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From spamtrap71892316634 at anime.net Tue Oct 3 19:51:05 2006 From: spamtrap71892316634 at anime.net (Dan Hollis) Date: Tue Oct 3 19:51:11 2006 Subject: "Friends Only" In-Reply-To: <4522831B.8030900@evi-inc.com> References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45218A81.20503@evi-inc.com> <4522831B.8030900@evi-inc.com> Message-ID: On Tue, 3 Oct 2006, Matt Kettler wrote: > That's perfectly reasonable.. But it's not what you asked for. You asked for > geographic location based blacklisting. Well I do block all email from china and korea. But then it's my PC. -Dan From ssilva at sgvwater.com Tue Oct 3 19:54:01 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 3 19:55:08 2006 Subject: Logwatch Update In-Reply-To: <200610031836.k93IagoW027688@cat.salemcarriers.com> References: <4522A735.4070500@evi-inc.com> <200610031836.k93IagoW027688@cat.salemcarriers.com> Message-ID: Phil Udel spake the following on 10/3/2006 11:35 AM: > > Hi > Not sure if anyone would like this but I just finished updating my > MS Logwatch Script. I add Mailwatch, Whitelist SQL, Blacklist SQL, Clamav, > and Some other messages > I cleaned up about 28 Daily **Unmatched Entries** > > > > Great!! I have just been planning to do something with the logwatch script. I would like to also get it to report on the rejections due to greet pause, and it looks to be there, but since sendmail isn't enabled with MailScanner it doesn't seem to fire. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From lodder at delodder.be Tue Oct 3 19:58:26 2006 From: lodder at delodder.be (Philippe Delodder) Date: Tue Oct 3 19:58:51 2006 Subject: Logwatch Update In-Reply-To: <200610031836.k93IagoW027688@cat.salemcarriers.com> References: <200610031836.k93IagoW027688@cat.salemcarriers.com> Message-ID: <4522B2D2.6040607@delodder.be> Phil Udel schreef: > > Hi > Not sure if anyone would like this but I just finished updating my > MS Logwatch Script. I add Mailwatch, Whitelist SQL, Blacklist SQL, Clamav, > and Some other messages > I cleaned up about 28 Daily **Unmatched Entries** > > > > > yes i would be interested in it -- Philippe Delodder lodder@delodder.be http://www.delodder.be -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061003/9fc97d27/signature.bin From mkettler at evi-inc.com Tue Oct 3 20:00:35 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Oct 3 20:00:57 2006 Subject: "Friends Only" In-Reply-To: References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45218A81.20503@evi-inc.com> <4522831B.8030900@evi-inc.com> Message-ID: <4522B353.50509@evi-inc.com> Dan Hollis wrote: > On Tue, 3 Oct 2006, Matt Kettler wrote: >> That's perfectly reasonable.. But it's not what you asked for. You >> asked for >> geographic location based blacklisting. > > Well I do block all email from china and korea. But then it's my PC. True, I was merely pointing out that checking the SOA for a URL, and determining what country that URL was DNS hosted from would likely cause more FPs than you think. Website and DNS hosting are a very commonly outsourced thing. Not all of that hosting ends up in the same country as the company that owns the domain. 
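Added example (not part of any list post, and not Matt Kettler's script): the URIBL counting from earlier in the "Friends Only" thread, done per message and per exact rule name, so that a URIBL_BLACK_OVERLAP hit is not also counted as URIBL_BLACK and hits on non-spam mail (possible false positives) are reported separately. The log line layout, the sample lines and the function names make_sample_log and uribl_stats are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: URIBL/SURBL hit statistics from MailScanner-style log lines.
# Assumption: each scanned message logs one line containing either
# " is spam, SpamAssassin (" or " is not spam, SpamAssassin (" followed by a
# comma-separated report of "RULE score" items, as the thread's script implies.

# Constructed sample log: hosts, ids, addresses and scores are made up.
make_sample_log() {
cat <<'EOF'
Oct  3 19:00:01 mx1 MailScanner[2101]: Message k93J0001 from 192.0.2.10 (a@example.net) to example.org is spam, SpamAssassin (score=14.2, required 5, BAYES_99 3.50, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.10)
Oct  3 19:00:02 mx1 MailScanner[2101]: Message k93J0002 from 192.0.2.11 (b@example.net) to example.org is spam, SpamAssassin (score=6.1, required 5, HTML_MESSAGE 0.00, URIBL_BLACK_OVERLAP 1.00)
Oct  3 19:00:03 mx1 MailScanner[2101]: Message k93J0003 from 192.0.2.12 (c@example.net) to example.org is spam, SpamAssassin (score=8.0, required 5, BAYES_99 3.50, RCVD_IN_XBL 3.10)
Oct  3 19:00:04 mx1 MailScanner[2101]: Message k93J0004 from 192.0.2.13 (d@example.net) to example.org is spam, SpamAssassin (score=9.3, required 5, URIBL_JP_SURBL 4.10, URIBL_OB_SURBL 3.20)
Oct  3 19:00:05 mx1 MailScanner[2101]: Message k93J0005 from 192.0.2.14 (e@example.net) to example.org is not spam, SpamAssassin (score=1.1, required 5, URIBL_GREY 1.08)
Oct  3 19:00:06 mx1 MailScanner[2101]: Message k93J0006 from 192.0.2.15 (f@example.net) to example.org is not spam, SpamAssassin (score=-2.6, required 5, BAYES_00 -2.60)
Oct  3 19:00:07 mx1 sendmail[2200]: k93J0007: from=<g@example.net>, size=1234, relay=[192.0.2.16]
EOF
}

# uribl_stats LOGFILE   (use "-" to read standard input)
# Prints, sorted by name, lines of the form "NAME spam_count nonspam_count":
#   TOTAL       messages examined, by verdict
#   ANY_URIBL   messages with at least one URIBL_* rule (as the thread counts it)
#   <rule>      messages that hit exactly that URIBL_*/SURBL_* rule
# plus "PCT_SPAM_WITH_URIBL n.n", the share of spam-tagged mail with a URIBL hit.
uribl_stats() {
    awk '
    / is (not )?spam, SpamAssassin/ {
        ham = ($0 ~ / is not spam, SpamAssassin/) ? 1 : 0
        total[ham]++
        # Keep only the parenthesised report that follows the verdict.
        report = $0
        sub(/^.* spam, SpamAssassin \(/, "", report)
        sub(/\)[^)]*$/, "", report)
        n = split(report, item, /, */)
        any = 0
        for (i = 1; i <= n; i++) {
            split(item[i], kv, " ")
            rule = kv[1]                       # whole token, not a substring
            if (rule !~ /^(URIBL|SURBL)_/) continue
            hits[rule, ham]++
            names[rule] = 1
            if (rule ~ /^URIBL_/) any = 1
        }
        if (any) anyhit[ham]++                 # one count per message
    }
    END {
        printf "TOTAL %d %d\n", total[0], total[1]
        printf "ANY_URIBL %d %d\n", anyhit[0], anyhit[1]
        for (r in names) printf "%s %d %d\n", r, hits[r, 0], hits[r, 1]
        if (total[0] > 0)
            printf "PCT_SPAM_WITH_URIBL %.1f\n", 100 * anyhit[0] / total[0]
    }' "$1" | LC_ALL=C sort
}

# Analyse the file named on the command line, or the constructed sample.
if [ "$#" -gt 0 ]; then
    uribl_stats "$1"
else
    make_sample_log | uribl_stats -
fi
```

A non-zero second column on a rule line marks list hits on mail that was not tagged as spam, which is the figure to watch before raising that rule's score.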
From sandrews at andrewscompanies.com Tue Oct 3 20:15:52 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Oct 3 20:15:55 2006 Subject: Logwatch Update Message-ID: <1964AAFBC212F742958F9275BF63DBB0429539@winchester.andrewscompanies.com> Where can we get this magic script? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Tuesday, October 03, 2006 2:35 PM To: 'MailScanner discussion' Subject: Logwatch Update Hi Not sure if anyone would like this but I just finished updating my MS Logwatch Script. I add Mailwatch, Whitelist SQL, Blacklist SQL, Clamav, and Some other messages I cleaned up about 28 Daily **Unmatched Entries** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Phil.Udel at SalemCorp.com Tue Oct 3 20:21:28 2006 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Tue Oct 3 20:21:39 2006 Subject: Logwatch Update In-Reply-To: <200610031836.k93IagoW027688@cat.salemcarriers.com> Message-ID: <200610031922.k93JMhoW000686@cat.salemcarriers.com> Can I send it as a attachment to this Group? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Tuesday, October 03, 2006 2:35 PM To: 'MailScanner discussion' Subject: Logwatch Update Hi Not sure if anyone would like this but I just finished updating my MS Logwatch Script. 
I add Mailwatch, Whitelist SQL, Blacklist SQL, Clamav, and Some other messages I cleaned up about 28 Daily **Unmatched Entries** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Tue Oct 3 20:31:57 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 3 20:32:39 2006 Subject: Logwatch Update In-Reply-To: <200610031922.k93JMhoW000686@cat.salemcarriers.com> References: <200610031836.k93IagoW027688@cat.salemcarriers.com> <200610031922.k93JMhoW000686@cat.salemcarriers.com> Message-ID: Phil Udel spake the following on 10/3/2006 12:21 PM: > Can I send it as a attachment to this Group? > Yes you can, but some scripts go better if they are tar.gz'd. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Phil.Udel at SalemCorp.com Tue Oct 3 20:42:18 2006 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Tue Oct 3 20:42:26 2006 Subject: Logwatch Update In-Reply-To: <200610031922.k93JMhoW000686@cat.salemcarriers.com> Message-ID: <200610031943.k93JhYcv003183@cat.salemcarriers.com> OK. Here is the script. Just replace the old Logwatch script with this one -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Tuesday, October 03, 2006 3:21 PM To: 'MailScanner discussion' Subject: RE: Logwatch Update Can I send it as a attachment to this Group? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Tuesday, October 03, 2006 2:35 PM To: 'MailScanner discussion' Subject: Logwatch Update Hi Not sure if anyone would like this but I just finished updating my MS Logwatch Script. 
I add Mailwatch, Whitelist SQL, Blacklist SQL, Clamav, and Some other messages I cleaned up about 28 Daily **Unmatched Entries** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner.gz Type: application/x-gzip Size: 2285 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061003/60e0848e/mailscanner.gz From r.berber at computer.org Tue Oct 3 21:05:55 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Tue Oct 3 21:07:07 2006 Subject: 4.56.7: "max message size is '40000'" In-Reply-To: <223f97700610030059s3a734599n963615622450fbf8@mail.gmail.com> References: <223f97700610030059s3a734599n963615622450fbf8@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 02/10/06, Jeff A. Earickson wrote: >> Julian, >> >> Ok, I hang my head in shame and say that I didn't beta-test >> earlier versions of 4.56. September was a busy month. >> >> I just upgraded from 4.55.10 to 4.56.7 on my setup (Solaris 10, >> SA 3.1.5, sophos and clam, dcc 1.3.40). I ran it first in debug >> mode to see what would happen (output attached). Not much. >> >> Then I attempted to fire up 4.56.7 in normal mode. I got zero syslog >> output, and nothing seemed to happen except several MS processes >> were sucking up CPU time: >> >> # ps -ef | grep perl >> root 15405 15337 0 11:55:16 ? 0:00 /usr/bin/perl >> -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail >> root 15394 15336 2 11:55:14 ? 
0:02 /usr/bin/perl
>> -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>> root 15407 19023 0 11:55:16 pts/2 0:00 grep perl
>> root 15336 1 0 11:55:03 ? 0:00 /usr/bin/perl
>> -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>> root 15337 15336 3 11:55:03 ? 0:08 /usr/bin/perl
>> -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail
>>
>> I did go from version 0.13 to 0.18 of Sys-Syslog, but this does
>> not seem to have anything to do with this. 4.55.10 works fine with
>> the new Sys-Syslog.
>>
>> So, 4.56.7 never gets off the ground. Any ideas? Any other Solaris 10
>> users with this issue?
>>
> Hi Jeff,
> I'm certainly no Solaris guru, but could this have something to do
> with the pretty recent thread "No logging in Solaris 9 (with
> workaround) - question?"?

No, that was already changed in version 4.56.5 and I tested* it with Solaris 10.

* OK, sort of tested it, in fact I made 2 changes to lib/MailScanner/Log.pm (and it is recorded on the thread):

line 39 - use Sys::Syslog qw(:DEFAULT setlogsock);
line 71 - Sys::Syslog::setlogsock('native');

The first one could be the problem in the current MS under Solaris 10; the second one just makes the syslog output come out with the normal format, the original 'udp' works fine, just not perfect ;-)

--
René Berber

From mailscanner at mango.zw Tue Oct 3 21:30:48 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Tue Oct 3 21:27:58 2006
Subject: Reject vs. bounce
In-Reply-To:
Message-ID:

On Tue, 3 Oct 2006, Scott Silva wrote:

> Jim Holland spake the following on 10/3/2006 9:19 AM:
> > An essential component of managing spam is to notify users of what has
> > been rejected, and to quarantine the marginal mail rather than deleting it
> > or rejecting it.
We send out two separate notifications per day to our > > users - one that indicates the mail that has been bounced at SMTP time, > > with reports in the following format: > > > > Oct 2 14:56:02 > > sender: vczr@chrispowerz.wanadoo.co.uk > > recip: user@mango.zw > > server: dsl.static81214188253.ttnet.net.tr > > > > and the other that indicates mail that has been quarantined (where more > > information is available for the report): > > > > 02 Oct 2006 06:30:49 > > From: "PokerBot Max" > > Server: static-66-16-28-242.dsl.cavtel.net [66.16.28.242] > > Date: Sun 01 Oct 2006 23:28:06 -0600 > > Subject: Make Money Online with PokerBot > > Saved as: user@mango.zw 20061002/spam/k924USZ9020056 > > > > The server information is useful for users to quickly pick out the origin > > of the message and often gives a very good indication of the likelihood of > > the mail being genuine or not. > > > > I guess that we would probably bounce or block around 85% of incoming > > connections, with the remainder being split between genuine and > > quarantined mail. We typically quarantine only around 650 messages per > > day, so the storage requirement for our 2500 users is not significant - we > > keep it for 90 days. > Do you have any plans to share your scripts for notifying users? > I know that quarantine report does the latter, but I am curious about the > notifies on SMTP dropped mail. Sure, it isn't a "difficult" process, but why > re-invent the wheel? The two scripts I use are somewhat customised for usage here, and are specific to sendmail. They are a mixture of bash and perl and have just grown to get the job done - not very pretty and they still have a few bugs. I am just a hacker, so my programming style would probably result in much mirth from the real programmers on this list (eg bash pipes in the perl script and sections of perl scripting in the bash script). I would need to tidy them up somewhat to make them more generic. 
If there is any interest then I would be prepared to let others see them, if only to stimulate them to do better. One of the problems with SMTP whitelisting is that because sites can be blacklisted in so many ways in the access file I wouldn't know where to start with automating the whitelisting. For the moment I just grep the maillog file, find out how the message got blocked, and then take appropriate action in the access file - very tedious. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From jeffm at andersonlabs.com Tue Oct 3 21:27:53 2006 From: jeffm at andersonlabs.com (Jeff Meyer) Date: Tue Oct 3 21:32:16 2006 Subject: symantec scan engine Message-ID: I noticed that MailScanner has support for Symantec Scan Engine, but it doesn't appear to be working correctly. First, had to make a change to the symscanengine-wrapper: changed: prog=savsecls/savsecls to: prog=ssecls/ssecls Then when testing the wrapper: /usr/lib/MailScanner/symscanengine-wrapper /opt/SYMScan /temp eveything works, even tried on eicar test file and it found it. However, when running it with MailScanner, nothing appears to be getting logged when testing with eicar files. McAfee, Bitdefender and ClamAV all log there results, but symantec doesn't. I would like to see when symantec does catch something and when it doesn't. What do I need to do to change this. Jeff From ssilva at sgvwater.com Tue Oct 3 21:49:31 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 3 21:49:52 2006 Subject: Logwatch Update In-Reply-To: <200610031943.k93JhYcv003183@cat.salemcarriers.com> References: <200610031922.k93JMhoW000686@cat.salemcarriers.com> <200610031943.k93JhYcv003183@cat.salemcarriers.com> Message-ID: Phil Udel spake the following on 10/3/2006 12:42 PM: > OK. Here is the script. Just replace the old Logwatch script with this > one This is much better! Thank you. -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!! From taz at taz-mania.com Tue Oct 3 22:03:03 2006 From: taz at taz-mania.com (Dennis Willson) Date: Tue Oct 3 22:03:12 2006 Subject: Reject vs. bounce In-Reply-To: Message-ID: Actually what I do is; a lot of smtp rejections for different criteria, then I use MailScanner with SpamAssassin and ClamAV for the email that gets through the smtp phase. If the email scores high with SpamAssassin then I quarantine the email. Each night at midnight each user gets one email with a list of senders and subjects of the email that were quarantined that day and it includes a link to release it if they see from the sender and/or subject it's something they want. After 7 days the quarantined email is deleted from the quarantine. On Tue, 03 Oct 2006 07:21:29 -0400 Tim Boyer wrote: >On Mon, 02 Oct 2006 20:57:21 -0700, Ken wrote: > >>Tim Boyer wrote: >>> Apologies if this has been discussed ad infinitum before. I've been >>>running a >>> mailserver since 1996, but just heard about MailScanner Saturday, >>>thanks to >>> Steve Swaney's excellent talk at the Ohio LinuxFest. >>> >>> I've been using DNSBLs and a private blocklist with SpamAssassin, >>>and ClamAV as >>> milters, so when I reject an email it's rejected, not bounced back >>>to the >>> (99.999% bogus) 'From" address. >>> >>> I've heard and read that MailScanner has a 'bounce' option. Is this >>>what I >>> think it is - a bounce back to the 'From'? Or is it a reject before >>>the >>> connection's been dropped and the email accepted? >>> >>> >>The 'Feature' is pretty much useless, as has been mentioned here many >>times. >>I'd only add that you can do both what you are doing now AND run >>MailScanner to further process your mail using more aggressive >>spamassassin rulesets. 
Because MailScanner queues and scans mail with >>a >>perl process that uses the spamassassin perl api, you can run tons of >>SA >>rules, rbl and uribl tests, plugins and virus scanners as long as you >>dedicate sufficient resources to the process. It's much more than you >>can do in an smtp transaction. Most users here combine the fast >>milters >>doing some rejections, with MailScanner & SpamAssassin doing the >>heavy >>work. >>Ken Anderson >>Pacific.Net > >That's what I'm doing now, in the smtp transaction, using the >MIMEDefang milter >- running all my SpamAssassin tests there. My fear is that if I move >them from >there to a post-smtp scan, I'll lose the ability to reject. > >For instance, we once got a legitimate sales request that scored over >19 on SA. >/dev/null fodder if ever there was one, but because I reject with a >'email >postmaster if you're real' message, they re-sent and it got through. > If I scan >afterwards, my only real options are discard it or tag it and do >something with >it, right? > >-- >tim boyer >tim@denmantire.com > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" 
From nick.smith67 at googlemail.com Tue Oct 3 22:23:18 2006 From: nick.smith67 at googlemail.com (Nick Smith) Date: Tue Oct 3 22:23:21 2006 Subject: 4.56.7: "max message size is '40000'" In-Reply-To: References: Message-ID: On 10/2/06, Jeff A. Earickson wrote: > Julian, > > Ok, I hang my head in shame and say that I didn't beta-test > earlier versions of 4.56. September was a busy month. > > I just upgraded from 4.55.10 to 4.56.7 on my setup (Solaris 10, > SA 3.1.5, sophos and clam, dcc 1.3.40). I ran it first in debug > mode to see what would happen (output attached). Not much. > > Then I attempted to fire up 4.56.7 in normal mode. I got zero syslog > output, and nothing seemed to happen except several MS processes > were sucking up CPU time: > > # ps -ef | grep perl > root 15405 15337 0 11:55:16 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > root 15394 15336 2 11:55:14 ? 0:02 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > root 15407 19023 0 11:55:16 pts/2 0:00 grep perl > root 15336 1 0 11:55:03 ? 0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > root 15337 15336 3 11:55:03 ? 0:08 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/Mail > > I did go from version 0.13 to 0.18 of Sys-Syslog, but this does > not seem to have anything to do with this. 4.55.10 works fine with > the new Sys-Syslog. > > So, 4.56.7 never gets off the ground. Any ideas? Any other Solaris 10 > users with this issue? > > Jeff Earickson > Colby College > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > Are you running syslogd with remote mode (ie UDP) enabled? 
I had to comment out LOG_FROM_REMOTE=NO in /etc/default/syslogd and restart syslogd before it would work - otherwise I saw the same behaviour you describe Cheers Nick From tim at denmantire.com Wed Oct 4 01:06:11 2006 From: tim at denmantire.com (Tim Boyer) Date: Wed Oct 4 01:06:39 2006 Subject: Reject vs. bounce References: <223f97700610030443l50b5c5a0r46c8f886d8cd8eb@mail.gmail.com> Message-ID: On Tue, 3 Oct 2006 18:19:12 +0200 (CAT), Jim Holland wrote: > >Once mail has been accepted then why not quarantine all mail that is >flagged as spam? > >An essential component of managing spam is to notify users of what has >been rejected, and to quarantine the marginal mail rather than deleting it >or rejecting it. We send out two separate notifications per day to our >users - one that indicates the mail that has been bounced at SMTP time, >with reports in the following format: > > Oct 2 14:56:02 > sender: vczr@chrispowerz.wanadoo.co.uk > recip: user@mango.zw > server: dsl.static81214188253.ttnet.net.tr > >and the other that indicates mail that has been quarantined (where more >information is available for the report): > > 02 Oct 2006 06:30:49 > From: "PokerBot Max" > Server: static-66-16-28-242.dsl.cavtel.net [66.16.28.242] > Date: Sun 01 Oct 2006 23:28:06 -0600 > Subject: Make Money Online with PokerBot > Saved as: user@mango.zw 20061002/spam/k924USZ9020056 > >The server information is useful for users to quickly pick out the origin >of the message and often gives a very good indication of the likelihood of >the mail being genuine or not. > >I guess that we would probably bounce or block around 85% of incoming >connections, with the remainder being split between genuine and >quarantined mail. We typically quarantine only around 650 messages per >day, so the storage requirement for our 2500 users is not significant - we >keep it for 90 days. 
> >Regards > >Jim Holland >System Administrator >MANGO - Zimbabwe's non-profit e-mail service I'm rejecting 2,000 per day for 50 users. If I quarantined and had them go through them, it would be as time-consuming as letting them go through. -- tim boyer tim@denmantire.com From tim at denmantire.com Wed Oct 4 01:10:27 2006 From: tim at denmantire.com (Tim Boyer) Date: Wed Oct 4 01:15:11 2006 Subject: Reject vs. bounce References: <4521DFA1.7010302@pacific.net> <45227BBC.9080303@pacific.net> Message-ID: On Tue, 03 Oct 2006 08:03:24 -0700, Ken A wrote: > >Is running SA in both places with different rules not possible? I'd try >that if I had the time to set it up! > >> For instance, we once got a legitimate sales request that scored over 19 on SA. >> /dev/null fodder if ever there was one, but because I reject with a 'email >> postmaster if you're real' message, they re-sent and it got through. If I scan >> afterwards, my only real options are discard it or tag it and do something with >> it, right? > >Right. > >Ken A >Pacific.Net Hmmm.... not a bad idea at all, if I can do it. A set of quick and dirty rules at the smtp level, to reject 99% of the spam, and then another run once through - and quarantine what that tags. -- tim boyer tim@denmantire.com From derek at adcatanzaro.com Wed Oct 4 01:48:25 2006 From: derek at adcatanzaro.com (Derek Catanzaro) Date: Wed Oct 4 01:48:48 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing Message-ID: <452304D9.3090400@adcatanzaro.com> This morning while tailing my maillog I had roughly 200 messages waiting which is pretty normal for me. As the day progressed the number kept increasing all the way up to close to 10,000 messages waiting. I need some help in determining what is causing this or some guidance on what to look for. I have had this happen in the past and it has usually been DNS related but I can rule that out this time. 
I have named running and I am running a local caching name server and it is working as expected. I did notice several times throughout the day that spamassassin was timing out but I am not sure if this is the actual cause of the backup. The only other thing that has changed on my system is that I have pyzor working now (it was not working before) but that change was made a few days ago and I have not seen a backup like this until today. I have spot checked a few mail files and some emails are coming in by as much as 8 hours late, this is not going to make for a good Wednesday morning. Any suggestions on what to check for would be greatly appreciated. Fedora Core 1 MailScanner 4.49.7 spamassassin 3.1.0 Thanks, Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jlmiller at mmtnetworks.com.au Wed Oct 4 02:02:53 2006 From: jlmiller at mmtnetworks.com.au (Jon Miller) Date: Wed Oct 4 01:54:20 2006 Subject: Help needed with mailscanner Message-ID: Can anyone help with fixing mailscanner running on a Linux server. The main problem seems that I cannot get the web page to display (console) so I can do the updates and view the stats. Is there a command that can be issue in a terminal session that can do the updates? Thanks Jon -------------- next part --------------
From hgh at rcwm.com Wed Oct 4 01:52:25 2006 From: hgh at rcwm.com (Henry Hollenberg) Date: Wed Oct 4 02:07:20 2006 Subject: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> Message-ID: <452305C9.5060703@rcwm.com> >> Are you suggesting I change the locktype? >> >> It did hang again last night, and bayesian db is working now as is >> pyzor and razor, so I don't think they are hanging things up. >> > No, changing the locktype shouldn't affect your situation, since you > use Postfix... > What might be happening would be if some stray non-queue file end up > in the hold queue. Check that that isn't happening. > Depending on what you find, you should be able to determine if that is > it, and if so... what is responsible for putting it there:-). > Might be razor still being a bit confused where the logfile should go > (fix is to make sure it knows where to put it by way of the > razor-agent.conf file setting... and making sure the postfix user can > write where you say it should go), or perhaps the tnef expander > placing a file wrong... (don't remember the fix for that... Search the > archives, it has cropped up before... Perhaps switch to the internal > one). > > HtH > Oh!, like the razor-agent file? 
: -- bastion:/var/spool/postfix/hold# ls -R .: 0 1 2 3 4 5 6 7 8 9 A B C D E F razor-agent.log ./0: 001201623AB 023491623C5 0450A16232B 08A6216233E 09AE916235C 0BEC81623A5 0C45A1623DE 0C8C5162337 0D5561623E4 0F59B1623FD 01A6A162390 03B88162392 074FD16237D 09A571623E9 0BA031623BB 0C2E81623EC 0C67B1623B6 0CA71162364 0DE771623E8 ./1: 102CB161ED8 11253162356 13F63162401 151DF162350 154B216238F 16EFC162403 18F99162346 1AE7516236D 1D06B16239E 1EBF41623DD 10DB916234C 11A9B16236B 14E5C16235A 154201623E1 156B316239A 182E31623D3 196C816233C 1C85A161EDC 1D962162393 1ED64162385 ./2: 200C416237B 239E41623D2 255E8162335 270A9162372 28067162336 287B9162383 29141162387 2948F16236C 2A9CC16233B 2B3F4162348 2C5C01623D6 2DC521623C8 2E5101623AA 2FDE3162343 continues with lots more queued mails..... hgh. Henry Hollenberg hgh@rcwm.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From hgh at rcwm.com Wed Oct 4 02:36:29 2006 From: hgh at rcwm.com (Henry Hollenberg) Date: Wed Oct 4 02:32:56 2006 Subject: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <452305C9.5060703@rcwm.com> References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> Message-ID: <4523101D.7000604@rcwm.com> Henry Hollenberg wrote: >>> Are you suggesting I change the locktype? >>> >>> It did hang again last night, and bayesian db is working now as is >>> pyzor and razor, so I don't think they are hanging things up. >>> >> No, changing the locktype shouldn't affect your situation, since you >> use Postfix... >> What might be happening would be if some stray non-queue file end up >> in the hold queue. Check that that isn't happening. >> Depending on what you find, you should be able to determine if that is >> it, and if so... 
what is responsible for putting it there:-). >> Might be razor still being a bit confused where the logfile should go >> (fix is to make sure it knows where to put it by way of the >> razor-agent.conf file setting... > Oh!, like the razor-agent file? : > > > -- bastion:/var/spool/postfix/hold# ls -R > .: > 0 1 2 3 4 5 6 7 8 9 A B C D E F razor-agent.log > > ./0: > 001201623AB 023491623C5 0450A16232B 08A6216233E 09AE916235C > 0BEC81623A5 0C45A1623DE 0C8C5162337 0D5561623E4 0F59B1623FD Ok, I found a new version of the razor-agent.log file in /var/spool/postfix/.razor/* so I deleted the older /var/spool/postfix/razor-agent.log file. We'll see tonight if that does the trick. hgh. -- Henry Hollenberg hgh@rcwm.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From hgh at rcwm.com Wed Oct 4 03:18:14 2006 From: hgh at rcwm.com (Henry Hollenberg) Date: Wed Oct 4 03:14:31 2006 Subject: Reporting SPAM {Scanned} Message-ID: <452319E6.3000102@rcwm.com> Hey gang, Now that I have this slick mailscanner setup and am not quite so overwhelmed by the sheer volume of SPAM I thought I would try to start reporting some SPAM to the clearing houses using: spamassassin -r SPAM_mail_file Which I understand will not only train my Bayes DB but also submit the email as SPAM to some clearing houses. To start with I wanted to choose some clear cut SPAM and one good way for me to differentiate from a potential legit organization such as Amazon, or LLBean and a blatant spammer is what I have been calling a dictionary attack..... or an attempt to confuse the BAYES engine with a bunch of words that are thrown together that don't make any real sense usually at the end of a SPAM. To me no legitimate outfit would ever use this scheme/technique. Does that sound reasonable? hgh. 
-- Henry Hollenberg hgh@rcwm.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From hgh at rcwm.com Wed Oct 4 03:34:05 2006 From: hgh at rcwm.com (Henry Hollenberg) Date: Wed Oct 4 03:30:25 2006 Subject: Reporting SPAM {Scanned} In-Reply-To: <452319E6.3000102@rcwm.com> References: <452319E6.3000102@rcwm.com> Message-ID: <45231D9D.60807@rcwm.com> Henry Hollenberg wrote: > Hey gang, > > Now that I have this slick mailscanner setup and am not > quite so overwhelmed by the sheer volume of SPAM I thought > I would try to start reporting some SPAM to the clearing houses > using: > > spamassassin -r SPAM_mail_file > > Which I understand will not only train my Bayes DB but also > submit the email as SPAM to some clearing houses. > > To start with I wanted to choose some clear cut SPAM and > one good way for me to differentiate from a potential > legit organization such as Amazon, or LLBean and a blatant > spammer is what I have been calling a dictionary attack..... > or an attempt to confuse the BAYES engine with a bunch of > words that are thrown together that don't make any real sense > usually at the end of a SPAM. > > To me no legitimate outfit would ever use this scheme/technique. > > Does that sound reasonable? > > hgh. > Tried one, yuck, not too good on those attempts. Try again tomorrow. postfix@bastion:~$ spamassassin -r /home/hgh/BAYES/PURE_SPAM/1159729706.M527050P3438V0000000000003005I0005A3DA_18.mail,S=5256:2,S Created user preferences file: /var/spool/postfix/.spamassassin/user_prefs Pyzor -> report failed: Exited with non-zero exit code 1 razor2 report failed: No such file or directory Razor2 report requires authentication at /usr/share/perl5/Mail/SpamAssassin/Reporter.pm line 148. SpamCop -> message older than 2 days, not reporting 1 message(s) examined. 
postfix@bastion:/home/hgh/BAYES/PURE_SPAM$ spamassassin -r /home/hgh/BAYES/PURE_SPAM/1159925366.M785409P10172V0000000000003005I0005A44F_75.mail,S=51525:2,S Pyzor -> report failed: Exited with non-zero exit code 1 razor2 report failed: No such file or directory Razor2 report requires authentication at /usr/share/perl5/Mail/SpamAssassin/Reporter.pm line 148. SpamCop -> report to vmx1.spamcop.net failed: Net::SMTP error SpamCop -> report to vmx2.spamcop.net failed: Net::SMTP error 1 message(s) examined. hgh. -- Henry Hollenberg hgh@rcwm.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mike at vesol.com Wed Oct 4 03:30:49 2006 From: mike at vesol.com (Mike Kercher) Date: Wed Oct 4 03:34:05 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: <452304D9.3090400@adcatanzaro.com> Message-ID: Are you running a local caching-only nameserver? Are you doing RBL checks from within spamassassin or at the MTA? Any custom SA rulesets? Mike -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Derek Catanzaro Sent: Tuesday, October 03, 2006 7:48 PM To: MailScanner discussion Subject: New Batch: found 200 messages waiting, Number keeps increasing This morning while tailing my maillog I had roughly 200 messages waiting which is pretty normal for me. As the day progressed the number kept increasing all the way up to close to 10,000 messages waiting. I need some help in determining what is causing this or some guidance on what to look for. I have had this happen in the past and it has usually been DNS related but I can rule that out this time. I have named running and I am running a local caching name server and it is working as expected. 
I did notice several times throughout the day that spamassassin was timing out but I am not sure if this is the actual cause of the backup. The only other thing that has changed on my system is that I have pyzor working now (it was not working before) but that change was made a few days ago and I have not seen a backup like this until today. I have spot checked a few mail files and some emails are coming in by as much as 8 hours late, this is not going to make for a good Wednesday morning. Any suggestions on what to check for would be greatly appreciated. Fedora Core 1 MailScanner 4.49.7 spamassassin 3.1.0 Thanks, Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From derek at adcatanzaro.com Wed Oct 4 04:21:08 2006 From: derek at adcatanzaro.com (Derek Catanzaro) Date: Wed Oct 4 04:21:43 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: References: Message-ID: <452328A4.5060204@adcatanzaro.com> -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Derek > Catanzaro > Sent: Tuesday, October 03, 2006 7:48 PM > To: MailScanner discussion > Subject: New Batch: found 200 messages waiting, Number keeps increasing > > This morning while tailing my maillog I had roughly 200 messages waiting > which is pretty normal for me. As the day progressed the number kept > increasing all the way up to close to 10,000 messages waiting. I need > some help in determining what is causing this or some guidance on what > to look for. I have had this happen in the past and it has usually been > DNS related but I can rule that out this time. 
I have named running and > I am running a local caching name server and it is working as expected. > > I did notice several times throughout the day that spamassassin was > timing out but I am not sure if this is the actual cause of the backup. > > The only other thing that has changed on my system is that I have pyzor > working now (it was not working before) but that change was made a few > days ago and I have not seen a backup like this until today. > > I have spot checked a few mail files and some emails are coming in by as > much as 8 hours late, this is not going to make for a good Wednesday > morning. Any suggestions on what to check for would be greatly > appreciated. > > Fedora Core 1 > MailScanner 4.49.7 > spamassassin 3.1.0 > Mike Kercher wrote: > Are you running a local caching-only nameserver? Are you doing RBL > checks from within spamassassin or at the MTA? Any custom SA rulesets? > > Mike > I am caching DNS entries locally for the sake of performance. I do however have my ISP's DNS servers listed as well in case the local machine does not have a name cached. RBL checks are not occurring at the MTA (sendmail) level. The only other rules I have added myself would be the 70_sare_stocks.cf and one other german ruleset to stop german spam, that's all.* *One other thing I have noticed in the log is the following message: "stat=timeout waiting for input during message collect". I am going to see what I can find out about that error. If anyone has any input on that I would appreciate it. Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
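The symptoms Derek lists above (the "messages waiting" count climbing from about 200 towards 10,000, SpamAssassin timing out, and "timeout waiting for input during message collect") can be lined up hour by hour from the maillog. This is an added example, not code from the thread or from MailScanner; the sample log lines are constructed, the exact log wording matched by the patterns is an assumption, and the factor of 5 over the normal 200 is an arbitrary threshold.

```python
import re

# Constructed sample maillog (not taken from the thread). The MailScanner and
# sendmail message wording is an assumption modelled on the strings quoted in
# the thread; adjust the patterns to what your own maillog contains.
SAMPLE_MAILLOG = """\
Oct  3 08:01:12 mail MailScanner[2101]: New Batch: Found 200 messages waiting
Oct  3 08:31:40 mail MailScanner[2101]: New Batch: Found 214 messages waiting
Oct  3 12:05:03 mail MailScanner[2101]: SpamAssassin timed out and was killed, failure 1 of 20
Oct  3 12:06:10 mail MailScanner[2144]: New Batch: Found 1830 messages waiting
Oct  3 12:10:44 mail sendmail[4410]: k93GAhXX004410: timeout waiting for input from host.example.net during message collect
Oct  3 12:40:19 mail MailScanner[2101]: SpamAssassin timed out and was killed, failure 2 of 20
Oct  3 12:41:00 mail MailScanner[2144]: New Batch: Found 2500 messages waiting
Oct  3 16:02:00 mail MailScanner[2101]: SpamAssassin timed out and was killed, failure 3 of 20
Oct  3 16:03:30 mail MailScanner[2144]: New Batch: Found 9800 messages waiting
Oct  3 22:15:00 mail MailScanner[2101]: New Batch: Found 150 messages waiting
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"[^:\[\s]+(?:\[\d+\])?:\s+(.*)$"
)
WAITING = re.compile(r"New Batch: Found (\d+) messages waiting", re.I)
SA_TIMEOUT = re.compile(r"SpamAssassin timed out", re.I)
COLLECT_TIMEOUT = re.compile(r"timeout waiting for input.*during message collect")


def summarise(lines):
    """Return {hour: stats} with the peak queue depth and timeout counts."""
    hours = {}
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue  # not a syslog-formatted line, ignore it
        mon, day, hh, msg = m.groups()
        stats = hours.setdefault(
            f"{mon} {day} {hh}:00",
            {"max_waiting": 0, "sa_timeouts": 0, "collect_timeouts": 0},
        )
        waiting = WAITING.search(msg)
        if waiting:
            stats["max_waiting"] = max(stats["max_waiting"], int(waiting.group(1)))
        elif SA_TIMEOUT.search(msg):
            stats["sa_timeouts"] += 1
        elif COLLECT_TIMEOUT.search(msg):
            stats["collect_timeouts"] += 1
    return hours


def backlog_hours(summary, normal_waiting=200, factor=5):
    """Hours whose peak queue depth is at least factor x the normal level.

    normal_waiting=200 is the figure the poster calls normal; factor=5 is an
    arbitrary threshold chosen for this example.
    """
    threshold = normal_waiting * factor
    return [(hour, s) for hour, s in summary.items() if s["max_waiting"] >= threshold]


if __name__ == "__main__":
    summary = summarise(SAMPLE_MAILLOG.splitlines())
    for hour, s in backlog_hours(summary):
        print(f"{hour}  waiting={s['max_waiting']:>6}  "
              f"SA timeouts={s['sa_timeouts']}  collect timeouts={s['collect_timeouts']}")
```

If the backlog hours are also the hours with SpamAssassin timeouts, slow network tests (DNS, RBL, Pyzor, Razor2, DCC) are the first thing to rule out, which is the direction the replies in this thread take.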
From mike at vesol.com Wed Oct 4 04:33:15 2006 From: mike at vesol.com (Mike Kercher) Date: Wed Oct 4 04:36:30 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: <452328A4.5060204@adcatanzaro.com> Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on : > -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Derek >> Catanzaro >> Sent: Tuesday, October 03, 2006 7:48 PM >> To: MailScanner discussion >> Subject: New Batch: found 200 messages waiting, Number keeps >> increasing >> >> This morning while tailing my maillog I had roughly 200 messages >> waiting which is pretty normal for me. As the day progressed the >> number kept increasing all the way up to close to 10,000 messages >> waiting. I need some help in determining what is causing > this or some >> guidance on what to look for. I have had this happen in > the past and >> it has usually been DNS related but I can rule that out > this time. I >> have named running and I am running a local caching name > server and it is working as expected. >> >> I did notice several times throughout the day that spamassassin was >> timing out but I am not sure if this is the actual cause of > the backup. >> >> The only other thing that has changed on my system is that I have >> pyzor working now (it was not working before) but that > change was made >> a few days ago and I have not seen a backup like this until today. >> >> I have spot checked a few mail files and some emails are > coming in by >> as much as 8 hours late, this is not going to make for a good >> Wednesday morning. Any suggestions on what to check for would be >> greatly appreciated. >> >> Fedora Core 1 >> MailScanner 4.49.7 >> spamassassin 3.1.0 >> > > Mike Kercher wrote: >> Are you running a local caching-only nameserver? Are you doing RBL >> checks from within spamassassin or at the MTA? 
Any custom > SA rulesets? >> >> Mike >> > > I am caching DNS entries locally for the sake of performance. > I do however have my ISP's DNS servers listed as well in > case the local machine does not have a name cached. RBL > checks are not occurring at the MTA (sendmail) level. The > only other rules I have added myself would be the > 70_sare_stocks.cf and one other german ruleset to stop german > spam, that's all.* > > *One other thing I have noticed in the log is the following message: > "stat=timeout waiting for input during message collect". I > am going to see what I can find out about that error. If > anyone has any input on that I would appreciate it. > > Derek > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. What kind of firewall do you have in place? Mike From mike at vesol.com Wed Oct 4 04:35:53 2006 From: mike at vesol.com (Mike Kercher) Date: Wed Oct 4 04:39:04 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: <452328A4.5060204@adcatanzaro.com> Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on : > -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Derek >> Catanzaro >> Sent: Tuesday, October 03, 2006 7:48 PM >> To: MailScanner discussion >> Subject: New Batch: found 200 messages waiting, Number keeps >> increasing >> >> This morning while tailing my maillog I had roughly 200 messages >> waiting which is pretty normal for me. As the day progressed the >> number kept increasing all the way up to close to 10,000 messages >> waiting. I need some help in determining what is causing > this or some >> guidance on what to look for. I have had this happen in > the past and >> it has usually been DNS related but I can rule that out > this time. 
I >> have named running and I am running a local caching name > server and it is working as expected. >> >> I did notice several times throughout the day that spamassassin was >> timing out but I am not sure if this is the actual cause of > the backup. >> >> The only other thing that has changed on my system is that I have >> pyzor working now (it was not working before) but that > change was made >> a few days ago and I have not seen a backup like this until today. >> >> I have spot checked a few mail files and some emails are > coming in by >> as much as 8 hours late, this is not going to make for a good >> Wednesday morning. Any suggestions on what to check for would be >> greatly appreciated. >> >> Fedora Core 1 >> MailScanner 4.49.7 >> spamassassin 3.1.0 >> > > Mike Kercher wrote: >> Are you running a local caching-only nameserver? Are you doing RBL >> checks from within spamassassin or at the MTA? Any custom > SA rulesets? >> >> Mike >> > > I am caching DNS entries locally for the sake of performance. > I do however have my ISP's DNS servers listed as well in > case the local machine does not have a name cached. RBL > checks are not occurring at the MTA (sendmail) level. The > only other rules I have added myself would be the > 70_sare_stocks.cf and one other german ruleset to stop german > spam, that's all.* > > *One other thing I have noticed in the log is the following message: > "stat=timeout waiting for input during message collect". I > am going to see what I can find out about that error. If > anyone has any input on that I would appreciate it. > > Derek > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. You might also try adding to sendmail.mc: define(`confTO_IDENT',`0s')dnl rebuild your sendmail.cf, restart MailScanner and see if that helps. 
Mike From derek at adcatanzaro.com Wed Oct 4 04:48:00 2006 From: derek at adcatanzaro.com (Derek Catanzaro) Date: Wed Oct 4 04:48:25 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: References: Message-ID: <45232EF0.8050409@adcatanzaro.com> Mike Kercher wrote: > mailscanner-bounces@lists.mailscanner.info <> scribbled on : > > >> -----Original Message----- >> >>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On >>> >> Behalf Of Derek >> >>> Catanzaro >>> Sent: Tuesday, October 03, 2006 7:48 PM >>> To: MailScanner discussion >>> Subject: New Batch: found 200 messages waiting, Number keeps >>> increasing >>> >>> This morning while tailing my maillog I had roughly 200 messages >>> waiting which is pretty normal for me. As the day progressed the >>> number kept increasing all the way up to close to 10,000 messages >>> waiting. I need some help in determining what is causing >>> >> this or some >> >>> guidance on what to look for. I have had this happen in >>> >> the past and >> >>> it has usually been DNS related but I can rule that out >>> >> this time. I >> >>> have named running and I am running a local caching name >>> >> server and it is working as expected. >> >>> I did notice several times throughout the day that spamassassin was >>> timing out but I am not sure if this is the actual cause of >>> >> the backup. >> >>> The only other thing that has changed on my system is that I have >>> pyzor working now (it was not working before) but that >>> >> change was made >> >>> a few days ago and I have not seen a backup like this until today. >>> >>> I have spot checked a few mail files and some emails are >>> >> coming in by >> >>> as much as 8 hours late, this is not going to make for a good >>> Wednesday morning. Any suggestions on what to check for would be >>> greatly appreciated. 
>>> >>> Fedora Core 1 >>> MailScanner 4.49.7 >>> spamassassin 3.1.0 >>> >>> >> Mike Kercher wrote: >> >>> Are you running a local caching-only nameserver? Are you doing RBL >>> checks from within spamassassin or at the MTA? Any custom >>> >> SA rulesets? >> >>> Mike >>> >>> >> I am caching DNS entries locally for the sake of performance. >> I do however have my ISP's DNS servers listed as well in >> case the local machine does not have a name cached. RBL >> checks are not occurring at the MTA (sendmail) level. The >> only other rules I have added myself would be the >> 70_sare_stocks.cf and one other german ruleset to stop german >> spam, that's all.* >> >> *One other thing I have noticed in the log is the following message: >> "stat=timeout waiting for input during message collect". I >> am going to see what I can find out about that error. If >> anyone has any input on that I would appreciate it. >> >> Derek >> >> -- >> This message has been scanned for viruses and dangerous >> content by MailScanner, and is believed to be clean. >> > > What kind of firewall do you have in place? > > Mike > -- > No firewall running on my linux box. Security is administered elsewhere by my WAN group. I have the following ports opened for this server: * Regular tcp SMTP port (25) (of course...) * Razor2 tcp ports 2703 and 7 (outgoing) * Pyzor udp port 24441 (outgoing) * DCC udp port 6277 (outgoing) * Of course, DNS ports (outgoing) Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mike at vesol.com Wed Oct 4 04:50:28 2006 From: mike at vesol.com (Mike Kercher) Date: Wed Oct 4 04:53:45 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: <45232EF0.8050409@adcatanzaro.com> Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on : >>> >> >> What kind of firewall do you have in place? >> >> Mike >> -- >> > No firewall running on my linux box. 
Security is > administered elsewhere by my WAN group. I have the following > ports opened for this server: > > * > Regular tcp SMTP port (25) (of course...) > * > Razor2 tcp ports 2703 and 7 (outgoing) > * > Pyzor udp port 24441 (outgoing) > * > DCC udp port 6277 (outgoing) > * > Of course, DNS ports (outgoing) > > Derek > > I wonder if that might be part of your problem. I've read where certain PIX firewalls and Cisco routers with older IOS versions can cause problems such as your timeout issues. I'd also suspect that the spamassassin timeouts are due to sluggish DNS queries. Are you using any RBL's in your MailScanner.conf? If so, try disabling those and see if your queue processes any faster. Mike From derek at adcatanzaro.com Wed Oct 4 05:07:59 2006 From: derek at adcatanzaro.com (Derek Catanzaro) Date: Wed Oct 4 05:08:24 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: References: Message-ID: <4523339F.2050601@adcatanzaro.com> Mike Kercher wrote: > mailscanner-bounces@lists.mailscanner.info <> scribbled on : > > >>> What kind of firewall do you have in place? >>> >>> Mike >>> -- >>> >>> >> No firewall running on my linux box. Security is >> administered elsewhere by my WAN group. I have the following >> ports opened for this server: >> >> * >> Regular tcp SMTP port (25) (of course...) >> * >> Razor2 tcp ports 2703 and 7 (outgoing) >> * >> Pyzor udp port 24441 (outgoing) >> * >> DCC udp port 6277 (outgoing) >> * >> Of course, DNS ports (outgoing) >> >> Derek >> >> >> > > I wonder if that might be part of your problem. I've read where certain > PIX firewalls and Cisco routers with older IOS versions can cause > problems such as your timeout issues. I'd also suspect that the > spamassassin timeouts are due to sluggish DNS queries. Are you using > any RBL's in your MailScanner.conf? If so, try disabling those and see > if your queue processes any faster. > > Mike > -- > I will see how things go in the morning. 
Right now I'm back down to about 150 messages waiting which is normal for me. It took most of the day and some of the night for it to chew through the nearly 10,000 that accumulated through the day. I have not had an issue like this for some time and prior to this it was DNS queries causing the problem, that is when I implemented the local caching name server and it has been pretty solid since then. I am using the following in MailScanner.conf. Spam List = ORDB-RBL SBL+XBL I will try your suggestions if the problem occurs again. I appreciate the feedback. Thanks for your help. Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mgt at stellarcore.net Wed Oct 4 05:19:55 2006 From: mgt at stellarcore.net (Mike Tremaine) Date: Wed Oct 4 05:20:10 2006 Subject: Logwatch Update (Phil Udel) In-Reply-To: <200610040234.k942YkCw009554@bkserver.blacknight.ie> References: <200610040234.k942YkCw009554@bkserver.blacknight.ie> Message-ID: <4523366B.9090105@stellarcore.net> The logwatch script you used as your base was pretty old # $Id: mailscanner,v 1.4 2004/06/21 14:59:05 kirk Exp $ The most recent is # $Id: mailscanner,v 1.24 2006/04/06 14:01:31 mike Exp $ I generally keep a current copy here http://www.stellarcore.net/downloads/mailscanner Or you can always get it out of cvs at logwatch.org. Having said that I'll see if I can roll your changes into the current version. I'd also encourage you [and everyone who uses logwatch] to upgrade to the 7.3.1 release. -Mike From glenn.steen at gmail.com Wed Oct 4 08:18:39 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 4 08:18:43 2006 Subject: Reject vs. 
bounce In-Reply-To: References: <223f97700610030443l50b5c5a0r46c8f886d8cd8eb@mail.gmail.com> Message-ID: <223f97700610040018u7ef9db3bi50a6fbd87c998aca@mail.gmail.com> On 03/10/06, Jim Holland wrote: > > On 03/10/06, Tim Boyer wrote: > > (Snip good comment by Ken A) > > > > > > That's what I'm doing now, in the smtp transaction, using the MIMEDefang milter > > > - running all my SpamAssassin tests there. My fear is that if I move them from > > > there to a post-smtp scan, I'll lose the ability to reject. > > > > Well, from a resource standpoint... You'd only be able to do rejection > > after DATA, so all that would land you is that you don't "take > > responsibility" for the NDN... You still gobble down all the message. > > > > > For instance, we once got a legitimate sales request that scored over 19 on SA. > > > /dev/null fodder if ever there was one, but because I reject with a 'email > > > postmaster if you're real' message, they re-sent and it got through. If I scan > > > afterwards, my only real options are discard it or tag it and do something with > > > it, right? > > eg quarantine it - see below. As was one of my points... > > To be able to do that type of thing, you'd be needing "bounces" yes. > > Bouncing should always be done at SMTP time and not by MailScanner - for > reasons already stated by others. Jim, who are you trying to convince?;) I'm part on the choir on this one (although I prefer to refer to SMTP time "bounces" as the rejections they really are;-). On the straight question from Tim though, he is correct that if you have accepted the message, you need bounce it to mimic the same behaviour. That it is icky and error-prone and that Jules nice informative bounces are not really helping for general wholesale bouncing is another matter. > > > Or use a quarantine, perhaps with a very short retention period > > (perhaps only viable for smaller setups, like mine:-). 
> > Once mail has been accepted then why not quarantine all mail that is > flagged as spam? Yes, this is exactly what I do. If the quarantine grows out of proportion, I will employ different retention periods for high/low scoring spam... but so far that has not been needed (for me). Hence my suggestion. > > An essential component of managing spam is to notify users of what has > been rejected, and to quarantine the marginal mail rather than deleting it > or rejecting it. (snip nice policy-dependent suggestions/descriptions) > I guess that we would probably bounce or block around 85% of incoming > connections, with the remainder being split between genuine and > quarantined mail. We typically quarantine only around 650 messages per > day, so the storage requirement for our 2500 users is not significant - we > keep it for 90 days. On any day, I see typically the same number of quarantined messages, for our very much fewer users. So far that has been manageable (I do have the same default retention period as you have... Well, actually 93 days:). The policy I toil under (which is in a large part driven by applicable law (for .gov in Sweden)) doesn't come out and say that it is the recipients that need inspect the quarantine though, so we only have a few people doing that (with MailWatch, no less:-). So (as with everything) it comes down to law, standard and policy regarding what you can do, and how... as usual:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Oct 4 08:26:03 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 4 08:26:07 2006 Subject: Reject vs. bounce In-Reply-To: References: <223f97700610030443l50b5c5a0r46c8f886d8cd8eb@mail.gmail.com> Message-ID: <223f97700610040026k412065e9md61050b85ab943b5@mail.gmail.com> On 04/10/06, Tim Boyer wrote: (snip) > > I'm rejecting 2,000 per day for 50 users. 
If I quarantined and had them go > through them, it would be as time-consuming as letting them go through. > But are all 2000 SA-driven? Could you perhaps use "other measures" (like rfc strictness, only accepting valid addresses, greet_pause, graylist, whatever) to slim that down (assuming you don't do all/any of that already:-)? Might make quarantining a more palatable option. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Wed Oct 4 08:28:56 2006 From: res at ausics.net (Res) Date: Wed Oct 4 08:29:02 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: <4523339F.2050601@adcatanzaro.com> References: <4523339F.2050601@adcatanzaro.com> Message-ID: On Wed, 4 Oct 2006, Derek Catanzaro wrote: > I will see how things go in the morning. Right now I'm back down to about > 150 messages waiting which is normal for me. It took most of the day and > some of the night for it to chew through the nearly 10,000 that accumulated > through the day. I have not had an issue like this for some time and prior > to this it was DNS queries causing the problem, that is when I implemented > the local caching name server and it has been pretty solid since then. I am > using the following in MailScanner.conf. 
next time it happens disable spamassassin -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From drew at technologytiger.net Wed Oct 4 08:42:21 2006 From: drew at technologytiger.net (Drew Marshall) Date: Wed Oct 4 08:42:40 2006 Subject: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <452305C9.5060703@rcwm.com> References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> Message-ID: <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> On Wed, October 4, 2006 01:52, Henry Hollenberg wrote: >>> Are you suggesting I change the locktype? >>> >>> It did hang again last night, and bayesian db is working now as is >>> pyzor and razor, so I don't think they are hanging things up. >>> >> No, changing the locktype shouldn't affect your situation, since you >> use Postfix... >> What might be happening would be if some stray non-queue file ends up >> in the hold queue. Check that that isn't happening. >> Depending on what you find, you should be able to determine if that is >> it, and if so... what is responsible for putting it there:-). >> Might be razor still being a bit confused where the logfile should go >> (fix is to make sure it knows where to put it by way of the >> razor-agent.conf file setting... and making sure the postfix user can >> write where you say it should go), or perhaps the tnef expander >> placing a file wrong... (don't remember the fix for that... Search the >> archives, it has cropped up before... Perhaps switch to the internal >> one). >> >> HtH >> > > Oh!, like the razor-agent file? : Yup, just like that. Never one to say told you so but... :-) Having said that, you have fixed the cause so delete that one (Oh I see from your next message you have. 
Nice to see you are continuing the tradition of Postfix users replying to themselves ;-) Keep up the good work :-> ) You should now have few (No?) problems and a damn sight less Spam. Regards Drew From MailScanner at ecs.soton.ac.uk Wed Oct 4 08:52:23 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 4 08:52:44 2006 Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spam scoring? In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A3D@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38A3D@CHI-US-EXCH-01.us.kmz.com> Message-ID: <45236837.20409@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Duncan, Brian M. wrote: > > For those of us that are environments that support MS Exchange and > Outlook 2003+ at the desktop, the capability to support MS IMF (MS > Exchange Intelligent Message Filter scoring) from the network edge is > very beneficial. > > Most organizations that have SpamAssassin/Mailscanner at the edge of > their network rely on custom created rules on clients to move the > SpamAssassin tagged messages into their local "Junk-Mail" folder or > Spam folder - Or delete them right away. > > This leads to support issues in large organizations. Creating custom > exceptions etc, usually in most companies these local users cannot > manage the rules efficiently. > > MS in the last year has released a free add-on for Exchange that works > very similarly to SpamAssassin it assigns a Score to a message that > looks to be in the headers. Exchange will then automatically put > messages based on the local Outlook clients preference level into > their local Junk Mail folder. The great thing with this is that users > can just right click on messages and add to their "white list" or do > complete domains. No custom scripts to create, much easier to > support in a large environment. 
> > If SpamAssassin/Mailscanner could support adding the IMF headers at > the edge, then those that would still like to leverage a SpamAssassin > (or any product for that matter, as long as it used the IMF score > header) solution at the edge of their network they could do so > easily. You could tune your MS Exchange servers to not be reactive > and the SpamAssasin edge products would dictate what was Spam and what > was not. > > Microsoft with Exchange 12 is pushing companies into putting > Exchange at the edge of a network . I have already had this discussion > in my environment and that I do not think it makes sense given that > Sendmail + Mailscanner + SpamAssassin is almost rock solid. > > At the end of this is a previous message to this mailing list that is > asking for the same thing that I am. > > Does anyone have anything to add to this or is this request really not > that worthwhile. > > Just the capability of being able to add a generic header to all Spam > detected messages would be a great start: > > X-MS-Exchange-Organization-SCL: 6.5 Read the docs. Check out "Spam Actions" and the "header" action. > > (I have already tested this, all headers that are added by Mailscanner > seems to include additional information added to the same line) > > Thanks > > Brian Duncan > > brian.duncan@kattenlaw.com > > P.S. > > There is already a product that can sit on an Exchange server that > will convert SpamAssassin scores to equivalent MS IMF Scores. It > would be great if we could handle it from the Unix/Linux side > transparently. (It's called Assassin2Exchange filter) > > http://www.smtptracker.com/ > > Previous message that went unanswered to this list: > > >Exchange 2003 SP2 has added a "Intelligent Mail Filter" to allow it > to deal with spam messages identified by systems like MailScanner or > other appliance based solutions. 
> > >Basically, it looks for the following header(s): > > >X-MS-Exchange-Organization-PCL: (Phishing Confidence Level) > >X-MS-Exchange-Organization-SCL: (Spam Confidence Level) > > >More details can be found at: > > >http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/28d3a5c2-8509-4b25-9876-763536e77c27.mspx?mfr=true > > >So, my question is -- can I add this header with MailScanner, > inserting the appropriate spam score after the header, e.g.: > > >X-MS-Exchange-Organization-SCL:5 > > >The trick is, I don't want to mess with my existing header adds, I > want to add this in addition to my normal ones (X-Spam-Score: XX). I > see where I can add additional headers in the: > > >Spam Actions = deliver header "X-Spam-Status: Yes" > > >However, it is unclear how to insert the spam score "value" in the > "value" area that it needs to be in. It is also unclear from the > Microsoft docs if the "score" can be anything other than whole numbers > (e.g. can't be 5.5 but 5 is OK). So, a way to "round" the score would > be helpful. > > >Any pointers? > > >-- > > >----------------------------------------- > >Mike Bacher / listacct@tulsaconnect.com > > >TCIS - TulsaConnect Internet Services > >http://www.tulsaconnect.com > >----------------------------------------- > =========================================================== > CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice > Before the Internal Revenue Service, any tax advice contained herein > is not intended or written to be used and cannot be used by a taxpayer > for the purpose of avoiding tax penalties that may be imposed on the > taxpayer. 
> =========================================================== > CONFIDENTIALITY NOTICE: > This electronic mail message and any attached files contain > information intended for the exclusive use of the individual or entity > to whom it is addressed and may contain information that is > proprietary, privileged, confidential and/or exempt from disclosure > under applicable law. If you are not the intended recipient, you are > hereby notified that any viewing, copying, disclosure or distribution > of this information may be subject to legal restriction or sanction. > Please notify the sender, by electronic mail or telephone, of any > unintended recipients and delete the original message without making > any copies. > =========================================================== > NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited > liability partnership that has elected to be governed by the Illinois > Uniform Partnership Act (1997). > =========================================================== > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFI2g3EfZZRxQVtlQRApmeAKDY2TS57caPkJJWBNGp6PsnVAuhhQCgzUeP SzU9gPH/s2ubwKh+r6awq/Q= =+mJt -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Oct 4 08:53:16 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 4 08:53:36 2006 Subject: MailScanner settings In-Reply-To: <1159893352.18636.8.camel@localhost> References: <1159893352.18636.8.camel@localhost> Message-ID: <4523686C.2030201@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes, they do. Michael Baird wrote: > I've got a canned hosting package which uses MailScanner (Ensim). It > doesn't use spamassassin within mailscanner, but I've activated spam > checks and added spam lists. My question is, with spamassassin = no do > the high scoring spam actions work in relation to the spam lists (I want > 2 hits of spam list to go high scoring which I want to have deleted at > this point in processing). > > Regards > Michael Baird > > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFI2hsEfZZRxQVtlQRAvKrAKD9EmXiSA1vyUrly6FkvzuiaZUubgCgnReP /5Ox0mcv53vIIofkFCn1qSM= =ibsr -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From martinh at solidstatelogic.com Wed Oct 4 08:54:01 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Oct 4 08:54:11 2006 Subject: "Friends Only" In-Reply-To: References: <4520E3E1.1050600@statsbiblioteket.dk> <45211153.3030509@jlewiscooper.com> <45212506.8060906@coders.co.uk> <45212855.2030102@solidstatelogic.com> <45218A81.20503@evi-inc.com> Message-ID: <45236899.3040708@solidstatelogic.com> Dan Hollis wrote: > On Tue, 3 Oct 2006, James Gray wrote: >> On 03/10/2006, at 10:11 AM, Dan Hollis wrote: >>> Why shouldn't I be able to blacklist individual known spam SOAs? >> Why not use the URIBL lists like "OutBlaze" and friends. Not exactly >> what you're after but I've found them extremely effective in combating >> URLs etc that link to known spammers' domains. > > The problem is that spammers are now using hundreds of totally > randomized domains, making URIBL pretty useless. > > -Dan Dan I'd agree with Matt here - the URI-BLs are wonderful at trapping especially JP and the URIBLACK added in with MailScanner's mailscanner.cf. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From martinh at solidstatelogic.com Wed Oct 4 08:56:13 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Oct 4 08:56:21 2006 Subject: Help needed with mailscanner In-Reply-To: References: Message-ID: <4523691D.601@solidstatelogic.com> Jon Miller wrote: > Can anyone help with fixing mailscanner running on a Linux server. The main problem seems that I cannot get the web page to display (console) so I can do the updates and view the stats. Is there a command that can be issue in a terminal session that can do the updates? > > Thanks > > Jon > > > ------------------------------------------------------------------------ > > > > > > >
> Jon MailScanner doesn't come with a html interface, which add-on are you using? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From MailScanner at ecs.soton.ac.uk Wed Oct 4 08:56:45 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 4 08:57:06 2006 Subject: symantec scan engine In-Reply-To: References: Message-ID: <4523693D.9070108@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You need to send me a fully licenced copy of the package, including any licence keys I will need to install it. I personally guarantee that I will not use it for anything other than development, and I guarantee that no-one else will get access to it. Remember, I've got a reputation to protect. Please send it all to me off-list! Jeff Meyer wrote: > I noticed that MailScanner has support for Symantec Scan Engine, but > it doesn't appear to be working correctly. > > First, had to make a change to the symscanengine-wrapper: > changed: > prog=savsecls/savsecls > to: > prog=ssecls/ssecls > > Then when testing the wrapper: > /usr/lib/MailScanner/symscanengine-wrapper /opt/SYMScan /temp > eveything works, even tried on eicar test file and it found it. > > However, when running it with MailScanner, nothing appears to be > getting logged when testing with eicar files. McAfee, Bitdefender and > ClamAV all log there results, but symantec doesn't. I would like to > see when symantec does catch something and when it doesn't. 
> > What do I need to do to change this. > > Jeff > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFI2k+EfZZRxQVtlQRAmjgAJ9uXuwpt7CpRybVVooicKE0qZ/TZwCgpqoN 6rhfvTQiBVB2g9yILPnBpbs= =N9Ji -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ckowarzik at email.de Wed Oct 4 09:10:53 2006 From: ckowarzik at email.de (Christian Kowarzik) Date: Wed Oct 4 09:10:49 2006 Subject: OT: spamassassin-3.1.5 sa-lean mbx-mailbox Bug Message-ID: <45236C8D.6010704@email.de> Just for those of you - using mbx-mailbox format and - want to update to spamassassin 3.1.5 => sa-lean in 3.1.5 is broken for mbx-mailbox format for references and patch check http://thread.gmane.org/gmane.mail.spam.spamassassin.general/87109/focus=87134 http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5101 christian From MailScanner at ecs.soton.ac.uk Wed Oct 4 09:31:02 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 4 09:31:26 2006 Subject: OT: MailScanner-MRTG config Message-ID: <45237146.5020600@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just installed it from RPM and I get the error message: You are seeing this message because your apache install is not configured correctly for MailScanner-MRTG. 
Please ensure that mod_include is loaded by apache I have a stock RHEL4 install, which appears to have mod_include loaded by default, so why isn't it working? 
Never did understand Apache installs, too damn complicated by half. Thanks folks! Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFI3FHEfZZRxQVtlQRAsyYAJ9jsL8CHJINfV63UsagFea6qhSXGwCfU3TN JiZ+EgFxTjchpZ2sTOkrnLs= =nXcu -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From jethro.binks at strath.ac.uk Wed Oct 4 09:56:29 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Wed Oct 4 09:56:34 2006 Subject: Reject vs. bounce In-Reply-To: <223f97700610040018u7ef9db3bi50a6fbd87c998aca@mail.gmail.com> References: <223f97700610030443l50b5c5a0r46c8f886d8cd8eb@mail.gmail.com> <223f97700610040018u7ef9db3bi50a6fbd87c998aca@mail.gmail.com> Message-ID: <20061004092246.J3389@defjam.cc.strath.ac.uk> On Wed, 4 Oct 2006, Glenn Steen wrote: > > > To be able to do that type of thing, you'd be needing "bounces" yes. > > > > Bouncing should always be done at SMTP time and not by MailScanner - for > > reasons already stated by others. > Jim, who are you trying to convince?;) I'm part on the choir on this > one (although I prefer to refer to SMTP time "bounces" as the > rejections they really are;-). While I think 'bounces' is fairly clear, I always felt that 'reject' was slightly ambiguous: is that reject before receiving (at SMTP time), or afterwards (by bouncing)? 
Hence, I try and force myself to say "refuse to accept" instead, which is also clearer when explaining things to the end user (failed sender or potential receiver). Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From martin.lyberg at gmail.com Wed Oct 4 10:15:52 2006 From: martin.lyberg at gmail.com (Martin) Date: Wed Oct 4 10:16:55 2006 Subject: Logwatch Update In-Reply-To: <200610031836.k93IagoW027688@cat.salemcarriers.com> References: <4522A735.4070500@evi-inc.com> <200610031836.k93IagoW027688@cat.salemcarriers.com> Message-ID: Phil Udel wrote: > > Hi > Not sure if anyone would like this but I just finished updating my > MS Logwatch Script. I add Mailwatch, Whitelist SQL, Blacklist SQL, Clamav, > and Some other messages > I cleaned up about 28 Daily **Unmatched Entries** This looks interesting. But being a noob, how do I use this? :) Thank you From jlmiller at mmtnetworks.com.au Wed Oct 4 11:12:31 2006 From: jlmiller at mmtnetworks.com.au (Jon Miller) Date: Wed Oct 4 11:03:57 2006 Subject: Help needed with mailscanner Message-ID: MailWatch I'm assuming as I did not put this system together another engineer did and now he is in the states. Supposedly it has MailScanner, MailWatch, Sophos as the AntiVirus component and Spam Assassin as the Spam filter. Thanks >>> martinh@solidstatelogic.com 3:56:13 pm 4/10/2006 >>> Jon Miller wrote: > Can anyone help with fixing mailscanner running on a Linux server. The main problem seems that I cannot get the web page to display (console) so I can do the updates and view the stats. Is there a command that can be issue in a terminal session that can do the updates? > > Thanks > > Jon > > > ------------------------------------------------------------------------ > > > > > > >
> Jon MailScanner doesn't come with a html interface, which add-on are you using? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Wed Oct 4 11:10:22 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Oct 4 11:10:38 2006 Subject: Help needed with mailscanner In-Reply-To: References: Message-ID: <4523888E.9070907@solidstatelogic.com> Jon Miller wrote: > MailWatch I'm assuming as I did not put this system together another engineer did and now he is in the states. > Supposedly it has MailScanner, MailWatch, Sophos as the AntiVirus component and Spam Assassin as the Spam filter. > > Thanks > >>>> martinh@solidstatelogic.com 3:56:13 pm 4/10/2006 >>> > Jon Miller wrote: >> Can anyone help with fixing mailscanner running on a Linux server. The main problem seems that I cannot get the web page to display (console) so I can do the updates and view the stats. Is there a command that can be issue in a terminal session that can do the updates? >> >> Thanks >> >> Jon >> >> >> ------------------------------------------------------------------------ >> >> >> >> >> >> >>
>> > Jon > > MailScanner doesn't come with a html interface, which add-on are you using? > Jon ah - ask on the MailWatch mailing list...a bit more ontopic there ;-) -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From a.peacock at chime.ucl.ac.uk Wed Oct 4 11:26:29 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Wed Oct 4 11:27:06 2006 Subject: Help needed with mailscanner In-Reply-To: References: Message-ID: <45238C55.20907@chime.ucl.ac.uk> Hi Jon, Jon Miller wrote: > MailWatch I'm assuming as I did not put this system together another engineer did and now he is in the states. > Supposedly it has MailScanner, MailWatch, Sophos as the AntiVirus component and Spam Assassin as the Spam filter. > > Thanks > >>>> martinh@solidstatelogic.com 3:56:13 pm 4/10/2006 >>> > Jon Miller wrote: >> Can anyone help with fixing mailscanner running on a Linux server. The main problem seems that I cannot get the web page to display (console) so I can do the updates and view the stats. Is there a command that can be issue in a terminal session that can do the updates? >> >> Thanks >> >> Jon >> >> >> ------------------------------------------------------------------------ >> >> >> >> >> >> >>
>> > Jon > > MailScanner doesn't come with a html interface, which add-on are you using? > As far as I can see there are two questions in your request. 1. How do I get the web interface to work? 2. How can I do updates without the web interface? For number 1 you probably need to ask on the MailWatch list. Before you do that though you should get a better fault description than "cannot get the web page to display", do you get an error, check the server logs to see if there is an error in there. Was this working before? What has changed since then? For number 2 you need to be more explicit in what you mean by updates. The whole system you describe is made up of many components, pulled together by Mailscanner. Each of these can be updated, but the method for each may be different. Do you want to upgrade the various components to newer versions? Do you want to make sure the virus checkers are updating their virus libraries? Do you want to update the spam detection rules of SpamAssassin? If you can be clearer about this I am sure many people on this list could help. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." 
-- George Bernard Shaw From hgh at rcwm.com Wed Oct 4 11:42:14 2006 From: hgh at rcwm.com (Henry Hollenberg) Date: Wed Oct 4 11:38:25 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> Message-ID: <45239006.6080905@rcwm.com> SOLVED: razor-agent.log file in mailscanner incoming queue directory /var/spool/postfix/hold was hanging mailscanner on automatic restart every 14400 seconds. Synopsis top-posted for your convenience. See reply to Drew as bottom-post below. hgh. Drew Marshall wrote: > On Wed, October 4, 2006 01:52, Henry Hollenberg wrote: > >>>>Are you suggesting I change the locktype? >>>> >>>>It did hang again last night, and bayesian db is working now as is >>>>pyzor and razor, so I don't think they are hanging things up. >>>> >>> >>>No, changing the locktype shouldn't affect your situation, since you >>>use Postfix... >>>What might be happening would be if some stray non-queue file ends up >>>in the hold queue. Check that that isn't happening. >>>Depending on what you find, you should be able to determine if that is >>>it, and if so... what is responsible for putting it there:-). >>>Might be razor still being a bit confused where the logfile should go >>>(fix is to make sure it knows where to put it by way of the >>>razor-agent.conf file setting... and making sure the postfix user can >>>write where you say it should go), or perhaps the tnef expander >>>placing a file wrong... (don't remember the fix for that... Search the >>>archives, it has cropped up before... Perhaps switch to the internal >>>one). >>> >>>HtH >>> >> >>Oh!, like the razor-agent file? : > > > Yup, just like that. 
Never one to say told you so but... :-) > > Having said that, you have fixed the cause so delete that one (Oh I see > from your next message you have. Nice to see you are continuing the > tradition of Postfix users replying to themselves ;-) Keep up the good > work :-> ) > > You should now have few (No?) problems and a damn sight less Spam. > > Regards > > Drew > Talk to myself a lot too, anyway, that seemed to fix it as my mailbox has 21 general emails in it (non-mailing list mails). Damn sight less than the 100+ I was waking up to. 3 were appropriately labeled as SPAM 17 slipped thru 1 valid email about a dead disk at work Thanks for all the help! -- Henry Hollenberg hgh@rcwm.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From glenn.steen at gmail.com Wed Oct 4 11:55:27 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 4 11:55:30 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <45239006.6080905@rcwm.com> References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> <45239006.6080905@rcwm.com> Message-ID: <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com> On 04/10/06, Henry Hollenberg wrote: > SOLVED: razor-agent.log file in mailscanner incoming queue directory > /var/spool/postfix/hold was hanging mailscanner on automatic > restart every 14400 seconds. Synopsis top-posted for your convenience. > See reply to Drew as bottom-post below. hgh. > Somewhat a known issue. Good to know what solved it for you though. > Drew Marshall wrote: > > On Wed, October 4, 2006 01:52, Henry Hollenberg wrote: (snip) > >>Oh!, like the razor-agent file? : > > > > > > Yup, just like that. 
Never one to say told you so but... :-) > > > > Having said that, you have fixed the cause so delete that one (Oh I see > > from your next message you have. Nice to see you are continuing the > > tradition of Postfix users replying to themselves ;-) Keep up the good > > work :-> ) > > > > You should now have few (No?) problems and a damn sight less Spam. > > > > Regards > > > > Drew > > > > Talk to myself a lot too, anyway, that seemed to fix it > as my mailbox has 21 general emails in it (non-mailing list > mails). Damn sight less than the 100+ I was waking up to. > > 3 were appropriately labeled as SPAM > 17 slipped thru > 1 valid email about a dead disk at work Were those image type spam? I find ImageInfo (http://www.rulesemporium.com/plugins.htm) fixes that well for me... Or one could do FuzzyOcr (look at the apache spamassassin site...). > Thanks for all the help! We do what we can:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ryanw at falsehope.com Wed Oct 4 12:08:36 2006 From: ryanw at falsehope.com (Ryan Weaver) Date: Wed Oct 4 12:09:02 2006 Subject: Logwatch Update In-Reply-To: <4523366B.9090105@stellarcore.net> Message-ID: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com> ----Original Message---- From: Mike Tremaine Sent: Tuesday, October 03, 2006 11:20 PM To: mailscanner@lists.mailscanner.info Subject: RE: Logwatch Update (Phil Udel) > Or you can always get it out of cvs at logwatch.org. Having said > that I'll see if I can roll your changes into the current version. > I'd also encourage you [and everyone who uses logwatch] to upgrade > to the 7.3.1 release it. > > -Mike If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps logwatch fairly up to date.... 
http://rpm.razorsedge.org/ Thanks, Ryan From jlmiller at mmtnetworks.com.au Wed Oct 4 12:56:57 2006 From: jlmiller at mmtnetworks.com.au (Jon Miller) Date: Wed Oct 4 12:48:38 2006 Subject: Help needed with mailscanner Message-ID: For number 2 you need to be more explicit in what you mean by updates. The whole system you describe is made up of many components, pulled together by Mailscanner. Each of these can be updated, but the method for each may be different. Do you want to upgrade th various components to newer versions? Do you want to make sure the virus checkers are updating their virus libraries? Do you want to update the spam detection rules of SpamAssassin? Thanks for the reply: for now until a new system is put together and tested I want to make sure that the spam detection rules of SpamAssassin are up to date. I can do the Sophos updates. Currently not interested in upgrading the MailScanner program. Thanks Jon >>> a.peacock@chime.ucl.ac.uk 6:26:29 pm 4/10/2006 >>> Hi Jon, Jon Miller wrote: > MailWatch I'm assuming as I did not put this system together another engineer did and now he is in the states. > Supposedly it has MailScanner, MailWatch, Sophos as the AntiVirus component and Spam Assassin as the Spam filter. > > Thanks > >>>> martinh@solidstatelogic.com 3:56:13 pm 4/10/2006 >>> > Jon Miller wrote: >> Can anyone help with fixing mailscanner running on a Linux server. The main problem seems that I cannot get the web page to display (console) so I can do the updates and view the stats. Is there a command that can be issue in a terminal session that can do the updates? >> >> Thanks >> >> Jon >> >> >> ------------------------------------------------------------------------ >> >> >> >> >> >> >>
>> > Jon > > MailScanner doesn't come with a html interface, which add-on are you using? > As far as I can see there are two questions in your request. 1. How do I get the web interface to work? 2. How can I do updates without the web interface? For number 1 you probably need to ask on the MailWatch list. Before you do that though you should get a better fault description than "cannot get the web page to display", do you get an error, check the server logs to see if there is an error in there. Was this working before? What has changed since then? For number 2 you need to be more explicit in what you mean by updates. The whole system you describe is made up of many components, pulled together by Mailscanner. Each of these can be updated, but the method for each may be different. Do you want to upgrade th various components to newer versions? Do you want to make sure the virus checkers are updating their virus libraries? Do you want to update the spam detection rules of SpamAssassin? If you can be clearer about this I am sure many people on this list could help. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From a.peacock at chime.ucl.ac.uk Wed Oct 4 13:18:15 2006 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Wed Oct 4 13:18:34 2006 Subject: Help needed with mailscanner In-Reply-To: References: Message-ID: <4523A687.9090709@chime.ucl.ac.uk> Hi Jon, Jon Miller wrote: > For number 2 you need to be more explicit in what you mean by > updates. The whole system you describe is made up of many components, > pulled together by Mailscanner. Each of these can be updated, but > the method for each may be different. Do you want to upgrade th > various components to newer versions? Do you want to make sure the > virus checkers are updating their virus libraries? Do you want to > update the spam detection rules of SpamAssassin? > > > Thanks for the reply: for now until a new system is put together and > tested I want to make sure that the spam detection rules of > SpamAssassin are up to date. I can do the Sophos updates. Currently > not interested in upgrading the MailScanner program. This largely depends on what version you are running, run this from the command line: spamassassin -V Newer versions of SpamAssassin have a process called sa-update which downloads updated versions of the core SpamAssassin rules. There is also the add-on rules supplied by the SpamAssassin Rules Emporium (SARE) people http://www.rulesemporium.com/. These rules can be updated using the RulesDuJour program. You might also get better help if you ask your question on the spamassasin-users list which is just as friendly and helpful as this list. http://wiki.apache.org/spamassassin/MailingLists -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From jlmiller at mmtnetworks.com.au Wed Oct 4 13:47:25 2006 
From: jlmiller at mmtnetworks.com.au (Jon Miller) Date: Wed Oct 4 13:38:55 2006 Subject: Help needed with mailscanner Message-ID: mail:/# spamassassin -V SpamAssassin version 3.0.3 running on Perl version 5.8.4 >>> a.peacock@chime.ucl.ac.uk 8:18:15 pm 4/10/2006 >>> Hi Jon, Jon Miller wrote: > For number 2 you need to be more explicit in what you mean by > updates. The whole system you describe is made up of many components, > pulled together by Mailscanner. Each of these can be updated, but > the method for each may be different. Do you want to upgrade th > various components to newer versions? Do you want to make sure the > virus checkers are updating their virus libraries? Do you want to > update the spam detection rules of SpamAssassin? > > > Thanks for the reply: for now until a new system is put together and > tested I want to make sure that the spam detection rules of > SpamAssassin are up to date. I can do the Sophos updates. Currently > not interested in upgrading the MailScanner program. This largely depends on what version you are running, run this from the command line: spamassassin -V Newer versions of SpamAssassin have a process called sa-update which downloads updated versions of the core SpamAssassin rules. There is also the add-on rules supplied by the SpamAssassin Rules Emporium (SARE) people http://www.rulesemporium.com/. These rules can be updated using the RulesDuJour program. You might also get better help if you ask your question on the spamassasin-users list which is just as friendly and helpful as this list. http://wiki.apache.org/spamassassin/MailingLists -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." 
-- George Bernard Shaw From a.peacock at chime.ucl.ac.uk Wed Oct 4 13:51:19 2006 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Wed Oct 4 13:51:45 2006 Subject: Help needed with mailscanner In-Reply-To: References: Message-ID: <4523AE47.50804@chime.ucl.ac.uk> >>>> a.peacock@chime.ucl.ac.uk 8:18:15 pm 4/10/2006 >>> > Hi Jon, > > Jon Miller wrote: >> For number 2 you need to be more explicit in what you mean by >> updates. The whole system you describe is made up of many components, >> pulled together by Mailscanner. Each of these can be updated, but >> the method for each may be different. Do you want to upgrade th >> various components to newer versions? Do you want to make sure the >> virus checkers are updating their virus libraries? Do you want to >> update the spam detection rules of SpamAssassin? >> >> >> Thanks for the reply: for now until a new system is put together and >> tested I want to make sure that the spam detection rules of >> SpamAssassin are up to date. I can do the Sophos updates. Currently >> not interested in upgrading the MailScanner program. > > This largely depends on what version you are running, run this from the > command line: > > spamassassin -V > > Newer versions of SpamAssassin have a process called sa-update which > downloads updated versions of the core SpamAssassin rules. > > There is also the add-on rules supplied by the SpamAssassin Rules > Emporium (SARE) people http://www.rulesemporium.com/. These rules can > be updated using the RulesDuJour program. > > You might also get better help if you ask your question on the > spamassasin-users list which is just as friendly and helpful as this > list. http://wiki.apache.org/spamassassin/MailingLists Jon Miller wrote: > mail:/# spamassassin -V > SpamAssassin version 3.0.3 > running on Perl version 5.8.4 > The latest version of SpamAssasin is 3.1.5. I would suggest that you upgrade and activate sa-update. How you upgrade really depends on how it was installed in the first place. 
Julian produces a very useful combined installation package that installs the latest versions of MailScanner, ClamAV and SpamAssassin in one go. But you can get very screwy results if you try to upgrade by a different method than the one you used in the first place. Do you know how this was installed? What OS are you on? -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From jlmiller at mmtnetworks.com.au Wed Oct 4 14:29:40 2006 
From: jlmiller at mmtnetworks.com.au (Jon Miller) Date: Wed Oct 4 14:21:31 2006 Subject: Help needed with mailscanner Message-ID: mail:/# uname -a Linux mail 2.4.25-bf2.4-lit #2 Tue Feb 24 16:40:45 WST 2004 i686 GNU/Linux mail:/# cat /etc/debian_version 3.1 I suspect that Mailscanner, Mailwatch, Perl and Sophos are on the same server and php, mysql is on another server (RH7). Jon >>> a.peacock@chime.ucl.ac.uk 8:51:19 pm 4/10/2006 >>> >>>> a.peacock@chime.ucl.ac.uk 8:18:15 pm 4/10/2006 >>> > Hi Jon, > > Jon Miller wrote: >> For number 2 you need to be more explicit in what you mean by >> updates. The whole system you describe is made up of many components, >> pulled together by Mailscanner. Each of these can be updated, but >> the method for each may be different. Do you want to upgrade th >> various components to newer versions? Do you want to make sure the >> virus checkers are updating their virus libraries? Do you want to >> update the spam detection rules of SpamAssassin? >> >> >> Thanks for the reply: for now until a new system is put together and >> tested I want to make sure that the spam detection rules of >> SpamAssassin are up to date. I can do the Sophos updates. Currently >> not interested in upgrading the MailScanner program. > > This largely depends on what version you are running, run this from the > command line: > > spamassassin -V > > Newer versions of SpamAssassin have a process called sa-update which > downloads updated versions of the core SpamAssassin rules. > > There is also the add-on rules supplied by the SpamAssassin Rules > Emporium (SARE) people http://www.rulesemporium.com/. These rules can > be updated using the RulesDuJour program. > > You might also get better help if you ask your question on the > spamassasin-users list which is just as friendly and helpful as this > list. 
http://wiki.apache.org/spamassassin/MailingLists Jon Miller wrote: > mail:/# spamassassin -V > SpamAssassin version 3.0.3 > running on Perl version 5.8.4 > The latest version of SpamAssasin is 3.1.5. I would suggest that you upgrade and activate sa-update. How you upgrade really depends on how it was installed in the first place. Julian produces a very useful combined installation package that installs the latest versions of MailScanner, ClamAV and SpamAssassin in one go. But you can get very screwy results if you try to upgrade by a different method than the one you used in the first place. Do you know how this was installed? What OS are you on? -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From a.peacock at chime.ucl.ac.uk Wed Oct 4 14:29:53 2006 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Wed Oct 4 14:30:32 2006 Subject: Help needed with mailscanner In-Reply-To: References: Message-ID: <4523B751.4050304@chime.ucl.ac.uk> >>>> a.peacock@chime.ucl.ac.uk 8:51:19 pm 4/10/2006 >>> >>>>> a.peacock@chime.ucl.ac.uk 8:18:15 pm 4/10/2006 >>> >> Hi Jon, >> >> Jon Miller wrote: >>> For number 2 you need to be more explicit in what you mean by >>> updates. The whole system you describe is made up of many components, >>> pulled together by Mailscanner. Each of these can be updated, but >>> the method for each may be different. Do you want to upgrade th >>> various components to newer versions? Do you want to make sure the >>> virus checkers are updating their virus libraries? Do you want to >>> update the spam detection rules of SpamAssassin? >>> >>> >>> Thanks for the reply: for now until a new system is put together and >>> tested I want to make sure that the spam detection rules of >>> SpamAssassin are up to date. I can do the Sophos updates. Currently >>> not interested in upgrading the MailScanner program. >> This largely depends on what version you are running, run this from the >> command line: >> >> spamassassin -V >> >> Newer versions of SpamAssassin have a process called sa-update which >> downloads updated versions of the core SpamAssassin rules. >> >> There is also the add-on rules supplied by the SpamAssassin Rules >> Emporium (SARE) people http://www.rulesemporium.com/. These rules can >> be updated using the RulesDuJour program. >> >> You might also get better help if you ask your question on the >> spamassasin-users list which is just as friendly and helpful as this >> list. http://wiki.apache.org/spamassassin/MailingLists > > Jon Miller wrote: > > mail:/# spamassassin -V > > SpamAssassin version 3.0.3 > > running on Perl version 5.8.4 > > > > The latest version of SpamAssasin is 3.1.5. I would suggest that you > upgrade and activate sa-update. 
> > How you upgrade really depends on how it was installed in the first place. > > Julian produces a very useful combined installation package that > installs the latest versions of MailScanner, ClamAV and SpamAssassin in > one go. > > But you can get very screwy results if you try to upgrade by a different > method than the one you used in the first place. Do you know how this > was installed? What OS are you on? > Jon Miller wrote: > mail:/# uname -a > Linux mail 2.4.25-bf2.4-lit #2 Tue Feb 24 16:40:45 WST 2004 i686 GNU/Linux > mail:/# cat /etc/debian_version > 3.1 > > I suspect that Mailscanner, Mailwatch, Perl and Sophos are on the same server and php, mysql is on another server (RH7). > > Jon > > This is where I probably have to bow out. The chances are that these were installed using some form of package manager (RPM, apt-get, etc), someone with more experience of Debian will need to help with that. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From brian.duncan at kattenlaw.com Wed Oct 4 15:27:19 2006 From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Wed Oct 4 15:27:28 2006 Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCLSpamscoring? Message-ID: <65234743FE1555428435CE39E6AC4078B38A48@CHI-US-EXCH-01.us.kmz.com> Thanks Christian for the example of using IMF with MailScanner/SpamAssassin. It looks like as soon as the Exchange admins get IMF installed we can accomplish this today without changing anything. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Christian Rasmussen Sent: Tuesday, October 03, 2006 11:52 AM To: MailScanner discussion Subject: RE: Mailscanner/Spam Assassin support for Microsoft IMF/SCLSpamscoring? I've been using the exchange features to assign a SCL score to any message that has the tag added by the mailscanner server. You can set it up so that all of those tagged messages go automatically to the exchange user's junk email folder. I haven't had any complaints about it and it allows for easier cleanup of those messages later. If anyone is interested, check out the following page http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html Once you have it enabled, just create a rule in your MSExchange.UceContentFilter.xml with something similar to: To tag it with any score you've set above your junk level (in the above example 8) Cheers, -Christian ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Duncan, Brian M. Sent: Tuesday, October 03, 2006 6:43 AM To: mailscanner@lists.mailscanner.info Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spamscoring? For those of us that are in environments that support MS Exchange and Outlook 2003+ at the desktop, the capability to support MS IMF (MS Exchange Intelligent Message Filter scoring) from the network edge is very beneficial. Most organizations that have SpamAssassin/Mailscanner at the edge of their network rely on custom created rules on clients to move the SpamAssassin tagged messages into their local "Junk-Mail" folder or Spam folder - Or delete them right away. This leads to support issues in large organizations. Creating custom exceptions etc, usually in most companies these local users cannot manage the rules efficiently. MS in the last year has released a free add-on for Exchange that works very similarly to SpamAssassin it assigns a Score to a message that looks to be in the headers. Exchange will then automatically put messages based on the local Outlook clients preference level into their local Junk Mail folder. The great thing with this is that users can just right click on messages and add to their "white list" or do complete domains. No custom scripts to create, much easier to support in a large environment. If SpamAssassin/Mailscanner could support adding the IMF headers at the edge, then those that would still like to leverage a SpamAssassin (or any product for that matter, as long as it used the IMF score header) solution at the edge of their network they could do so easily. You could tune your MS Exchange servers to not be reactive and the SpamAssassin edge products would dictate what was Spam and what was not. Microsoft with Exchange 12 is pushing companies into putting Exchange at the edge of a network. 
I have already had this discussion in my environment and that I do not think it makes sense given that Sendmail + Mailscanner + SpamAssassin is almost rock solid. At the end of this is a previous message to this mailing list that is asking for the same thing that I am. Does anyone have anything to add to this or is this request really not that worthwhile. Just the capability of being able to add a generic header to all Spam detected messages would be a great start: X-MS-Exchange-Organization-SCL: 6.5 (I have already tested this, all headers that are added by Mailscanner seems to include additional information added to the same line) Thanks Brian Duncan brian.duncan@kattenlaw.com P.S. There is already a product that can sit on an Exchange server that will convert SpamAssassin scores to equivalent MS IMF Scores. It would be great if we could handle it from the Unix/Linux side transparently. (It's called Assassin2Exchange filter) http://www.smtptracker.com/ Previous message that went unanswered to this list: >Exchange 2003 SP2 has added a "Intelligent Mail Filter" to allow it to deal with spam messages identified by systems like MailScanner or other appliance based solutions. >Basically, it looks for the following header(s): >X-MS-Exchange-Organization-PCL: (Phishing Confidence Level) >X-MS-Exchange-Organization-SCL: (Spam Confidence Level) >More details can be found at: >http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/28d3a5c2-8509-4b25-9876-763536e77c27.mspx?mfr=true >So, my question is -- can I add this header with MailScanner, inserting the appropriate spam score after the header, e.g.: >X-MS-Exchange-Organization-SCL:5 >The trick is, I don't want to mess with my existing header adds, I want to add this in addition to my normal ones (X-Spam-Score: XX). I see where I can add additional headers in the: >Spam Actions = deliver header "X-Spam-Status: Yes" 
>However, it is unclear how to insert the spam score "value" in the "value" area that it needs to be in. It is also unclear from the Microsoft docs if the "score" can be anything other than whole numbers (e.g. can't be 5.5 but 5 is OK). So, a way to "round" the score would be helpful. >Any pointers? >-- >----------------------------------------- >Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet >Services http://www.tulsaconnect.com >----------------------------------------- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. 
=========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). =========================================================== From ka at pacific.net Wed Oct 4 16:07:40 2006 From: ka at pacific.net (Ken A) Date: Wed Oct 4 16:06:00 2006 Subject: SA cached timed out? Message-ID: <4523CE3C.40507@pacific.net> hmm... In the log: Oct 3 22:26:27 server MailScanner[15463]: SpamAssassin cache hit for message k945POHg026840 In the msg header: MailScanner-SpamCheck: not spam, SpamAssassin (cached, timed out) Is the SA cache saving 'timed out' results? I'd rather it not do that. There must be some room for improvement here? Ken A. Pacific.Net From campbell at cnpapers.com Wed Oct 4 16:22:08 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Oct 4 16:22:21 2006 Subject: Logwatch Update References: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com> Message-ID: <000801c6e7c8$db8a0990$0705000a@DDF5DW71> ----- Original Message ----- From: "Ryan Weaver" To: "'MailScanner discussion'" Sent: Wednesday, October 04, 2006 7:08 AM Subject: RE: Logwatch Update > ----Original Message---- 
> From: Mike Tremaine > Sent: Tuesday, October 03, 2006 11:20 PM > To: mailscanner@lists.mailscanner.info > Subject: RE: Logwatch Update (Phil Udel) > > > >> Or you can always get in out of cvs at logwatch.org. Having said >> that I'll see if I can roll your changes into the current version. >> I'd also encourge you [and everyone who uses logwatch] to upgrade >> to the 7.3.1 release it. >> >> -Mike > > If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps > logwatch fairly up to date.... http://rpm.razorsedge.org/ > > Thanks, > Ryan > > -- I just upgraded the logwatch on my CentOS 3 machine from the link above. A general pair of questions about all of this: 1. I run the cron.daily logwatch and would like to email myself when this is run. Cron seems to want to run this and mail to root. I changed the logwatch.conf file (in a few different places) to "mailto" my address, but it still mails to root. Anyone know which of the four or five logwatch.conf files will correct this? 2. If I upgraded, what do I do with the file attached in the earlier posts? I do see ClamAV and other new stuff in the report, but will the attached file make a difference in what I get with the off-the-shelf RPM from above? Thanks Steve From brian.duncan at kattenlaw.com Wed Oct 4 16:25:09 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Wed Oct 4 16:25:18 2006 Subject: Mailscanner/Spam Assassin support for MicrosoftIMF/SCLSpamscoring? Message-ID: <65234743FE1555428435CE39E6AC4078B38A4C@CHI-US-EXCH-01.us.kmz.com> I spoke too soon. I looked through all the MS documentation on IMF and custom rules and you can only act on Body and Subject line phrases. It does not support acting on message headers!? We don't modify subjects in case there is a false positive. So it looks like IMF cannot move MailScanner/Spam Assassin scored messages to a user's Junk Mail folder unless you do modify subject or body. I guess I will need to use something 3rd party. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Duncan, Brian M. Sent: Wednesday, October 04, 2006 9:27 AM To: MailScanner discussion Subject: RE: Mailscanner/Spam Assassin support for MicrosoftIMF/SCLSpamscoring? Thanks Christian for the example of using IMF with MailScanner/SpamAssassin. It looks like as soon as the Exchange admins get IMF installed we can accomplish this today without changing anything. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Christian Rasmussen Sent: Tuesday, October 03, 2006 11:52 AM To: MailScanner discussion Subject: RE: Mailscanner/Spam Assassin support for Microsoft IMF/SCLSpamscoring? I've been using the exchange features to assign a SCL score to any message that has the tag added by the mailscanner server. You can set it up so that all of those tagged messages go automatically to the exchange user's junk email folder. I haven't had any complaints about it and it allows for easier cleanup of those messages later. If anyone is interested, check out the following page http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html Once you have it enabled, just create a rule in your MSExchange.UceContentFilter.xml with something similar to: To tag it with any score you've set above your junk level (in the above example 8) Cheers, -Christian ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Duncan, Brian M. Sent: Tuesday, October 03, 2006 6:43 AM To: mailscanner@lists.mailscanner.info Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spamscoring? For those of us that are in environments that support MS Exchange and Outlook 2003+ at the desktop, the capability to support MS IMF (MS Exchange Intelligent Message Filter scoring) from the network edge is very beneficial. Most organizations that have SpamAssassin/Mailscanner at the edge of their network rely on custom created rules on clients to move the SpamAssassin tagged messages into their local "Junk-Mail" folder or Spam folder - Or delete them right away. This leads to support issues in large organizations. Creating custom exceptions etc, usually in most companies these local users cannot manage the rules efficiently. MS in the last year has released a free add-on for Exchange that works very similarly to SpamAssassin it assigns a Score to a message that looks to be in the headers. Exchange will then automatically put messages based on the local Outlook clients preference level into their local Junk Mail folder. The great thing with this is that users can just right click on messages and add to their "white list" or do complete domains. No custom scripts to create, much easier to support in a large environment. If SpamAssassin/Mailscanner could support adding the IMF headers at the edge, then those that would still like to leverage a SpamAssassin (or any product for that matter, as long as it used the IMF score header) solution at the edge of their network they could do so easily. You could tune your MS Exchange servers to not be reactive and the SpamAssassin edge products would dictate what was Spam and what was not. Microsoft with Exchange 12 is pushing companies into putting Exchange at the edge of a network. 
I have already had this discussion in my environment and that I do not think it makes sense given that Sendmail + Mailscanner + SpamAssassin is almost rock solid. At the end of this is a previous message to this mailing list that is asking for the same thing that I am. Does anyone have anything to add to this or is this request really not that worthwhile. Just the capability of being able to add a generic header to all Spam detected messages would be a great start: X-MS-Exchange-Organization-SCL: 6.5 (I have already tested this, all headers that are added by Mailscanner seems to include additional information added to the same line) Thanks Brian Duncan brian.duncan@kattenlaw.com P.S. There is already a product that can sit on an Exchange server that will convert SpamAssassin scores to equivalent MS IMF Scores. It would be great if we could handle it from the Unix/Linux side transparently. (It's called Assassin2Exchange filter) http://www.smtptracker.com/ Previous message that went unanswered to this list: >Exchange 2003 SP2 has added a "Intelligent Mail Filter" to allow it to deal with spam messages identified by systems like MailScanner or other appliance based solutions. >Basically, it looks for the following header(s): >X-MS-Exchange-Organization-PCL: (Phishing Confidence Level) >X-MS-Exchange-Organization-SCL: (Spam Confidence Level) >More details can be found at: >http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/28d3a5c2-8509-4b25-9876-763536e77c27.mspx?mfr=true >So, my question is -- can I add this header with MailScanner, inserting the appropriate spam score after the header, e.g.: >X-MS-Exchange-Organization-SCL:5 >The trick is, I don't want to mess with my existing header adds, I want to add this in addition to my normal ones (X-Spam-Score: XX). I see where I can add additional headers in the: >Spam Actions = deliver header "X-Spam-Status: Yes" 
>However, it is unclear how to insert the spam score "value" in the "value" area that it needs to be in.? It is also unclear from the Microsoft docs if the "score" can be anything other than whole numbers (e.g. can't be 5.5 but 5 is OK).? So, a way to "round" the score would be helpful. ? >Any pointers? ? >-- ? >----------------------------------------- >Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet >Services http://www.tulsaconnect.com >----------------------------------------- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. 

From ka at pacific.net Wed Oct 4 16:30:55 2006
From: ka at pacific.net (Ken A)
Date: Wed Oct 4 16:29:14 2006
Subject: Logwatch Update
In-Reply-To: <000801c6e7c8$db8a0990$0705000a@DDF5DW71>
References: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com> <000801c6e7c8$db8a0990$0705000a@DDF5DW71>
Message-ID: <4523D3AF.4040106@pacific.net>

Steve Campbell wrote:
>
> ----- Original Message ----- From: "Ryan Weaver"
> To: "'MailScanner discussion'"
> Sent: Wednesday, October 04, 2006 7:08 AM
> Subject: RE: Logwatch Update
>
>> ----Original Message----
>> From: Mike Tremaine
>> Sent: Tuesday, October 03, 2006 11:20 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: RE: Logwatch Update (Phil Udel)
>>
>>> Or you can always get it out of cvs at logwatch.org. Having said that I'll see if I can roll your changes into the current version. I'd also encourage you [and everyone who uses logwatch] to upgrade to the 7.3.1 release it.
>>>
>>> -Mike
>>
>> If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps logwatch fairly up to date.... http://rpm.razorsedge.org/
>>
>> Thanks,
>> Ryan
>>
>> --
> I just upgraded the logwatch on my CentOS 3 machine from the link above. A general pair of questions about all of this:
>
> 1. I run the cron.daily logwatch and would like to email myself when this is run. Cron seems to want to run this and mail to root. I changed the logwatch.conf file (in a few different places) to "mailto" my address, but it still mails to root. Anyone know which of the four or five logwatch.conf files will correct this?

Add this above the logwatch cron job in your root crontab:
MAILTO="you@yourdomain.com"

Ken A.
Pacific.Net

>
> 2. If I upgraded, what do I do with the file attached in the earlier posts? I do see ClamAV and other new stuff in the report, but will the attached file make a difference in what I get with the off-the-shelf RPM from above?
>
> Thanks
>
> Steve
>

From bpumphrey at woodmclaw.com Wed Oct 4 16:29:50 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Wed Oct 4 16:29:54 2006
Subject: Logwatch Update
In-Reply-To: <000801c6e7c8$db8a0990$0705000a@DDF5DW71>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501729769@woodenex.woodmaclaw.local>

>
> 1. I run the cron.daily logwatch and would like to email myself when this is run. Cron seems to want to run this and mail to root. I changed the logwatch.conf file (in a few different places) to "mailto" my address, but it still mails to root. Anyone know which of the four or five logwatch.conf files will correct this?

This may or may not help you. Remember the .forward file that will forward all root's email to someone. Simple and effective, but if you want only logwatch emails then this would not help.

>
> 2. If I upgraded, what do I do with the file attached in the earlier posts? I do see ClamAV and other new stuff in the report, but will the attached file make a difference in what I get with the off-the-shelf RPM from above?
>
> Thanks
>
> Steve

From bpumphrey at woodmclaw.com Wed Oct 4 16:30:33 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Wed Oct 4 16:30:36 2006
Subject: Mailscanner/Spam Assassin support forMicrosoftIMF/SCLSpamscoring?
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A4C@CHI-US-EXCH-01.us.kmz.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D150172976A@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Duncan, Brian M.
> Sent: Wednesday, October 04, 2006 11:25 AM
> To: MailScanner discussion
> Subject: RE: Mailscanner/Spam Assassin support forMicrosoftIMF/SCLSpamscoring?
>
> I spoke too soon. I looked through all the MS documentation on IMF and custom rules and you can only act on Body and Subject line phrases.
>
> It does not support acting on message headers! We don't modify subjects in case there is a false positive.
>
> So it looks like IMF cannot move MailScanner/Spam Assassin scored messages to a user's Junk Mail folder unless you do modify subject or body.
>
> I guess I will need to use something 3rd party.
>

That is good to know, thanks for the research and follow up.

From ssilva at sgvwater.com Wed Oct 4 16:43:30 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 4 16:46:04 2006
Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned}
In-Reply-To: <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com>
References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> <45239006.6080905@rcwm.com> <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 10/4/2006 3:55 AM:
> On 04/10/06, Henry Hollenberg wrote:
>> SOLVED: razor-agent.log file in mailscanner incoming queue directory /var/spool/postfix/hold was hanging mailscanner on automatic restart every 14400 seconds. Synopsis top-posted for your convenience. See reply to Drew as bottom-post below. hgh.
>>
> Somewhat a known issue. Good to know what solved it for you though.
>
>> Drew Marshall wrote:
>> > On Wed, October 4, 2006 01:52, Henry Hollenberg wrote:
> (snip)
>> >>Oh!, like the razor-agent file? :
>> >
>> > Yup, just like that. Never one to say told you so but... :-)
>> >
>> > Having said that, you have fixed the cause so delete that one (Oh I see from your next message you have. Nice to see you are continuing the tradition of Postfix users replying to themselves ;-) Keep up the good work :-> )
>> >
>> > You should now have few (No?) problems and a damn sight less Spam.
>> >
>> > Regards
>> >
>> > Drew
>> >
>>
>> Talk to myself a lot too, anyway, that seemed to fix it as my mailbox has 21 general emails in it (non-mailing list mails). Damn sight less than the 100+ I was waking up to.
>>
>> 3 were appropriately labeled as SPAM
>> 17 slipped thru
>> 1 valid email about a dead disk at work
>
> Were those image type spam? I find ImageInfo (http://www.rulesemporium.com/plugins.htm) fixes that well for me... Or one could do FuzzyOcr (look at the apache spamassassin site...).
>
>> Thanks for all the help!
> We do what we can:-)

Hey Glenn,
Does the imageinfo plugin load like the old plugins always did, or do you now have to use a load plugin line in init.pre?
(Not hijacking the thread as Glenn mentioned the plugin above.)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From christian at columbiafuels.com Wed Oct 4 16:54:03 2006
From: christian at columbiafuels.com (Christian Rasmussen)
Date: Wed Oct 4 16:54:14 2006
Subject: Mailscanner/Spam Assassin supportforMicrosoftIMF/SCLSpamscoring?
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150172976A@woodenex.woodmaclaw.local>
Message-ID: <2023D81BC0235143A46589958FF543F502F5D9EA@bigbird.columbiafuels.com>

Strange, I tried to send to the list yesterday and it just went *poof* for some reason. Here's my experience with IMF/SCL and MailScanner:

I've been using the exchange features to assign a SCL score to any message that has the tag added by the mailscanner server. You can set it up so that all of those tagged messages go automatically to the exchange user's junk email folder. I haven't had any complaints about it and it allows for easier cleanup of those messages later.

If anyone is interested, check out the following page
http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html

Once you have it enabled, just create a rule in your MSExchange.UceContentFilter.xml with something similar to:

To tag it with any score you've set above your junk level (in the above example 8)

Cheers,
-Christian

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey
Sent: Wednesday, October 04, 2006 8:31 AM
To: MailScanner discussion
Subject: RE: Mailscanner/Spam Assassin supportforMicrosoftIMF/SCLSpamscoring?

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Duncan, Brian M.
> Sent: Wednesday, October 04, 2006 11:25 AM
> To: MailScanner discussion
> Subject: RE: Mailscanner/Spam Assassin support forMicrosoftIMF/SCLSpamscoring?
>
> I spoke too soon. I looked through all the MS documentation on IMF and custom rules and you can only act on Body and Subject line phrases.
>
> It does not support acting on message headers! We don't modify subjects in case there is a false positive.
>
> So it looks like IMF cannot move MailScanner/Spam Assassin scored messages to a user's Junk Mail folder unless you do modify subject or body.
>
> I guess I will need to use something 3rd party.
>

That is good to know, thanks for the research and follow up.

From campbell at cnpapers.com Wed Oct 4 17:21:59 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Oct 4 17:22:19 2006
Subject: Logwatch Update
References: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com><000801c6e7c8$db8a0990$0705000a@DDF5DW71> <4523D3AF.4040106@pacific.net>
Message-ID: <001401c6e7d1$381c07a0$0705000a@DDF5DW71>

----- Original Message -----
From: "Ken A"
To: "MailScanner discussion"
Sent: Wednesday, October 04, 2006 11:30 AM
Subject: Re: Logwatch Update

>
> Steve Campbell wrote:
>>
>> ----- Original Message ----- From: "Ryan Weaver"
>> To: "'MailScanner discussion'"
>> Sent: Wednesday, October 04, 2006 7:08 AM
>> Subject: RE: Logwatch Update
>>
>>> ----Original Message----
>>> From: Mike Tremaine
>>> Sent: Tuesday, October 03, 2006 11:20 PM
>>> To: mailscanner@lists.mailscanner.info
>>> Subject: RE: Logwatch Update (Phil Udel)
>>>
>>>> Or you can always get it out of cvs at logwatch.org. Having said that I'll see if I can roll your changes into the current version. I'd also encourage you [and everyone who uses logwatch] to upgrade to the 7.3.1 release it.
>>>>
>>>> -Mike
>>>
>>> If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps logwatch fairly up to date.... http://rpm.razorsedge.org/
>>>
>>> Thanks,
>>> Ryan
>>>
>>> --
>> I just upgraded the logwatch on my CentOS 3 machine from the link above. A general pair of questions about all of this:
>>
>> 1. I run the cron.daily logwatch and would like to email myself when this is run. Cron seems to want to run this and mail to root. I changed the logwatch.conf file (in a few different places) to "mailto" my address, but it still mails to root. Anyone know which of the four or five logwatch.conf files will correct this?
>
> Add this above the logwatch cron job in your root crontab:
> MAILTO="you@yourdomain.com"

I'm not sure if this is the cron variable you're speaking of or not, but I don't understand where you are suggesting the line should be inserted. This job is run from cron.daily on a RH system, using a Perl script that sets a lot of variables within that script. There is a line to change the logwatch variable "mailto", but that doesn't seem to work. The script runs through all of the 4 default directories to set variables as described in the man page.

The big problem is that when I set the mailto variable in the script using myname@mydomain.com, it indicates a bad variable due to the "@". I tried using another form, along with a Perl string, and that doesn't work either. I think I'll try the /etc/logwatch/conf files and see where I go with that.

Thanks, though

Steve

>
> Ken A.
> Pacific.Net
>
>>
>> 2. If I upgraded, what do I do with the file attached in the earlier posts? I do see ClamAV and other new stuff in the report, but will the attached file make a difference in what I get with the off-the-shelf RPM from above?
>>
>> Thanks
>>
>> Steve
>>

From mikes at hartwellcorp.com Wed Oct 4 17:14:30 2006
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Wed Oct 4 17:26:57 2006
Subject: Config for Out of Office in Outlook
Message-ID: <3BF93070B3D1B047BA7ABF612958950D021F81@hcex.hartwellcorp.com>

This is not directly related to MailScanner but I'm hoping someone on the list can point me in the right direction.

We have folks here who use Outlook's Out of Office Assistant and who wish to ensure that no automatic replies are sent to mailing lists. The mail server is running Exchange 2003. Do I need to change any settings or modify the registry to accomplish this?

From MailScanner at ecs.soton.ac.uk Wed Oct 4 18:07:35 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 4 18:07:49 2006
Subject: Logwatch Update
In-Reply-To: <001401c6e7d1$381c07a0$0705000a@DDF5DW71>
References: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com><000801c6e7c8$db8a0990$0705000a@DDF5DW71> <4523D3AF.4040106@pacific.net> <001401c6e7d1$381c07a0$0705000a@DDF5DW71>
Message-ID: <4523EA57.9090404@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Campbell wrote:
>
> ----- Original Message -----
From: "Ken A"
> To: "MailScanner discussion"
> Sent: Wednesday, October 04, 2006 11:30 AM
> Subject: Re: Logwatch Update
>
>>
>> Steve Campbell wrote:
>>>
>>> ----- Original Message ----- From: "Ryan Weaver"
>>> To: "'MailScanner discussion'"
>>> Sent: Wednesday, October 04, 2006 7:08 AM
>>> Subject: RE: Logwatch Update
>>>
>>>> ----Original Message----
>>>> From: Mike Tremaine
>>>> Sent: Tuesday, October 03, 2006 11:20 PM
>>>> To: mailscanner@lists.mailscanner.info
>>>> Subject: RE: Logwatch Update (Phil Udel)
>>>>
>>>>> Or you can always get it out of cvs at logwatch.org. Having said that I'll see if I can roll your changes into the current version. I'd also encourage you [and everyone who uses logwatch] to upgrade to the 7.3.1 release it.
>>>>>
>>>>> -Mike
>>>>
>>>> If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps logwatch fairly up to date.... http://rpm.razorsedge.org/
>>>>
>>>> Thanks,
>>>> Ryan
>>>>
>>>> --
>>> I just upgraded the logwatch on my CentOS 3 machine from the link above. A general pair of questions about all of this:
>>>
>>> 1. I run the cron.daily logwatch and would like to email myself when this is run. Cron seems to want to run this and mail to root. I changed the logwatch.conf file (in a few different places) to "mailto" my address, but it still mails to root. Anyone know which of the four or five logwatch.conf files will correct this?
>>
>> Add this above the logwatch cron job in your root crontab:
>> MAILTO="you@yourdomain.com"
>
> I'm not sure if this is the cron variable you're speaking of or not, but I don't understand where you are suggesting the line should be inserted. This job is run from cron.daily on a RH system, using a Perl script that sets a lot of variables within that script. There is a line to change the logwatch variable "mailto", but that doesn't seem to work. The script runs through all of the 4 default directories to set variables as described in the man page.
>
> The big problem is that when I set the mailto variable in the script using myname@mydomain.com, it indicates a bad variable due to the "@".

Put a \ before the @

> I tried using another form, along with a Perl string, and that doesn't work either. I think I'll try the /etc/logwatch/conf files and see where I go with that.
>
> Thanks, though
>
> Steve
>>
>> Ken A.
>> Pacific.Net
>>
>>>
>>> 2. If I upgraded, what do I do with the file attached in the earlier posts? I do see ClamAV and other new stuff in the report, but will the attached file make a difference in what I get with the off-the-shelf RPM from above?
>>>
>>> Thanks
>>>
>>> Steve
>>>
>
>

Jules

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFI+pYEfZZRxQVtlQRAlGZAJsEB8dMhzXQ+bI0x2zdK2WqHHqXYQCgusVF
SAEHgSFpLLHfiUDeJz8NYNU=
=PYSs
-----END PGP SIGNATURE-----

From ka at pacific.net Wed Oct 4 18:13:32 2006
From: ka at pacific.net (Ken A)
Date: Wed Oct 4 18:11:51 2006
Subject: Logwatch Update
In-Reply-To: <001401c6e7d1$381c07a0$0705000a@DDF5DW71>
References: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com><000801c6e7c8$db8a0990$0705000a@DDF5DW71> <4523D3AF.4040106@pacific.net> <001401c6e7d1$381c07a0$0705000a@DDF5DW71>
Message-ID: <4523EBBC.7080503@pacific.net>

Steve Campbell wrote:
>
> ----- Original Message -----
From: "Ken A"
> To: "MailScanner discussion"
> Sent: Wednesday, October 04, 2006 11:30 AM
> Subject: Re: Logwatch Update
>
>>
>> Steve Campbell wrote:
>>>
>>> ----- Original Message ----- From: "Ryan Weaver"
>>> To: "'MailScanner discussion'"
>>> Sent: Wednesday, October 04, 2006 7:08 AM
>>> Subject: RE: Logwatch Update
>>>
>>>> ----Original Message----
>>>> From: Mike Tremaine
>>>> Sent: Tuesday, October 03, 2006 11:20 PM
>>>> To: mailscanner@lists.mailscanner.info
>>>> Subject: RE: Logwatch Update (Phil Udel)
>>>>
>>>>> Or you can always get it out of cvs at logwatch.org. Having said that I'll see if I can roll your changes into the current version. I'd also encourage you [and everyone who uses logwatch] to upgrade to the 7.3.1 release it.
>>>>>
>>>>> -Mike
>>>>
>>>> If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps logwatch fairly up to date.... http://rpm.razorsedge.org/
>>>>
>>>> Thanks,
>>>> Ryan
>>>>
>>>> --
>>> I just upgraded the logwatch on my CentOS 3 machine from the link above. A general pair of questions about all of this:
>>>
>>> 1. I run the cron.daily logwatch and would like to email myself when this is run. Cron seems to want to run this and mail to root. I changed the logwatch.conf file (in a few different places) to "mailto" my address, but it still mails to root. Anyone know which of the four or five logwatch.conf files will correct this?
>>
>> Add this above the logwatch cron job in your root crontab:
>> MAILTO="you@yourdomain.com"

Sorry, I think you'd actually have to set myname\@mydomain.com in the perl script. Perl doesn't like the unescaped @.

Ken
Pacific.Net

> I'm not sure if this is the cron variable you're speaking of or not, but I don't understand where you are suggesting the line should be inserted. This job is run from cron.daily on a RH system, using a Perl script that sets a lot of variables within that script. There is a line to change the logwatch variable "mailto", but that doesn't seem to work. The script runs through all of the 4 default directories to set variables as described in the man page.
>
> The big problem is that when I set the mailto variable in the script using myname@mydomain.com, it indicates a bad variable due to the "@". I tried using another form, along with a Perl string, and that doesn't work either. I think I'll try the /etc/logwatch/conf files and see where I go with that.
>
> Thanks, though
>
> Steve
>>
>> Ken A.
>> Pacific.Net
>>
>>>
>>> 2. If I upgraded, what do I do with the file attached in the earlier posts? I do see ClamAV and other new stuff in the report, but will the attached file make a difference in what I get with the off-the-shelf RPM from above?
>>>
>>> Thanks
>>>
>>> Steve
>>>
>
>

From derek at adcatanzaro.com Wed Oct 4 18:31:05 2006
From: derek at adcatanzaro.com (Derek Catanzaro)
Date: Wed Oct 4 18:31:19 2006
Subject: New Batch: found 200 messages waiting, Number keeps increasing
In-Reply-To:
References: <4523339F.2050601@adcatanzaro.com>
Message-ID: <4523EFD9.8040702@adcatanzaro.com>

Res wrote:
> On Wed, 4 Oct 2006, Derek Catanzaro wrote:
>
>> I will see how things go in the morning. Right now I'm back down to about 150 messages waiting which is normal for me. It took most of the day and some of the night for it to chew through the nearly 10,000 that accumulated through the day. I have not had an issue like this for some time and prior to this it was DNS queries causing the problem, that is when I implemented the local caching name server and it has been pretty solid since then. I am using the following in MailScanner.conf.
>
> next time it happens disable spamassassin
>
>

The backup started occurring again this morning, reached about 1500 messages waiting. I took Res' suggestion and turned off spamassassin in the MailScanner.conf and sure enough it was only a matter of a couple minutes until the messages waiting went back down to under 200. That will at least help in preventing delayed email (thanks Res) but now spamassassin is not running which I would obviously like to have running.

Thanks,
Derek

From jaearick at colby.edu Wed Oct 4 18:46:31 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed Oct 4 18:46:39 2006
Subject: 4.56: Solaris syslog issues (+workarounds)
Message-ID:

Julian,

Thanks to postings by Nick Smith and Rene Berber on the thread, "4.56.7: max message size is 40000", I got 4.56.7 going on my Solaris 10 box. My setup: Solaris 10 6/06 + current patches, MS 4.56.7, perl 5.8.8, Sys::Syslog 0.18. Here is what I discovered:

1) Comment out the line: LOG_FROM_REMOTE=NO from /etc/default/syslogd, restart syslogd ("svcadm -v restart system-log") AND use the Log.pm file as shipped with version 4.56.7 ==> WORKS. (Suggestion thanks to Nick Smith).

2) Leave /etc/default/syslogd alone and modify Log.pm, per Rene Berber's suggestion:

   line 39 - use Sys::Syslog qw(:DEFAULT setlogsock);
   line 71 - Sys::Syslog::setlogsock('native');

This also WORKS. I had to have both changes in place for MailScanner to go.

I opted for suggestion one to get going. I'm sure this will bite others later. Which way to go? Maybe add more logic to the "if ($^O =~ /solaris|sunos|irix/i)" test in Log.pm?

Jeff Earickson
Colby College

From rob at robhq.com Wed Oct 4 18:43:39 2006
From: rob at robhq.com (rob)
Date: Wed Oct 4 18:46:56 2006
Subject: New Batch: found 200 messages waiting, Number keeps increasing
In-Reply-To: <4523EFD9.8040702@adcatanzaro.com>
References: <4523339F.2050601@adcatanzaro.com> <4523EFD9.8040702@adcatanzaro.com>
Message-ID: <20061004174227.M95785@robhq.com>

On Wed, 04 Oct 2006 13:31:05 -0400, Derek Catanzaro wrote
> Res wrote:
> > On Wed, 4 Oct 2006, Derek Catanzaro wrote:
> >
> >> I will see how things go in the morning. Right now I'm back down to about 150 messages waiting which is normal for me. It took most of the day and some of the night for it to chew through the nearly 10,000 that accumulated through the day. I have not had an issue like this for some time and prior to this it was DNS queries causing the problem, that is when I implemented the local caching name server and it has been pretty solid since then. I am using the following in MailScanner.conf.
> >
> > next time it happens disable spamassassin
> >
> >
> The backup started occurring again this morning, reached about 1500 messages waiting. I took Res' suggestion and turned off spamassassin in the MailScanner.conf and sure enough it was only a matter of a couple minutes until the messages waiting went back down to under 200. That will at least help in preventing delayed email (thanks Res) but now spamassassin is not running which I would obviously like to have running.
>
> Thanks,
> Derek
>

We ran into something like this a few months ago. Found out the machine was swapping a ton with only 1 gig of RAM installed. Once we bumped this up to 4 gigs of ram, we have not had the issue return.

From campbell at cnpapers.com Wed Oct 4 19:08:24 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Oct 4 19:08:42 2006
Subject: Logwatch Update
References: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com><000801c6e7c8$db8a0990$0705000a@DDF5DW71> <4523D3AF.4040106@pacific.net><001401c6e7d1$381c07a0$0705000a@DDF5DW71> <4523EA57.9090404@ecs.soton.ac.uk>
Message-ID: <002d01c6e7e0$15451fa0$0705000a@DDF5DW71>

Ken, Julian,

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Wednesday, October 04, 2006 1:07 PM
Subject: Re: Logwatch Update

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Steve Campbell wrote:
>>
>> ----- Original Message ----- From: "Ken A"
>> To: "MailScanner discussion"
>> Sent: Wednesday, October 04, 2006 11:30 AM
>> Subject: Re: Logwatch Update
>>
>>>
>>> Steve Campbell wrote:
>>>>
>>>> ----- Original Message ----- From: "Ryan Weaver"
>>>> To: "'MailScanner discussion'"
>>>> Sent: Wednesday, October 04, 2006 7:08 AM
>>>> Subject: RE: Logwatch Update
>>>>
>>>>> ----Original Message----
>>>>> From: Mike Tremaine
>>>>> Sent: Tuesday, October 03, 2006 11:20 PM
>>>>> To: mailscanner@lists.mailscanner.info
>>>>> Subject: RE: Logwatch Update (Phil Udel)
>>>>>
>>>>>> Or you can always get it out of cvs at logwatch.org. Having said that I'll see if I can roll your changes into the current version. I'd also encourage you [and everyone who uses logwatch] to upgrade to the 7.3.1 release it.
>>>>>>
>>>>>> -Mike
>>>>>
>>>>> If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps logwatch fairly up to date.... http://rpm.razorsedge.org/
>>>>>
>>>>> Thanks,
>>>>> Ryan
>>>>>
>>>>> --
>>>> I just upgraded the logwatch on my CentOS 3 machine from the link above. A general pair of questions about all of this:
>>>>
>>>> 1. I run the cron.daily logwatch and would like to email myself when this is run. Cron seems to want to run this and mail to root. I changed the logwatch.conf file (in a few different places) to "mailto" my address, but it still mails to root. Anyone know which of the four or five logwatch.conf files will correct this?
>>>
>>> Add this above the logwatch cron job in your root crontab:
>>> MAILTO="you@yourdomain.com"
>>
>> I'm not sure if this is the cron variable you're speaking of or not, but I don't understand where you are suggesting the line should be inserted. This job is run from cron.daily on a RH system, using a Perl script that sets a lot of variables within that script. There is a line to change the logwatch variable "mailto", but that doesn't seem to work. The script runs through all of the 4 default directories to set variables as described in the man page.
>>
>> The big problem is that when I set the mailto variable in the script using myname@mydomain.com, it indicates a bad variable due to the "@".
> Put a \ before the @

I tried that also with no luck. I even used a slash before the .com and it still didn't work. I think that's enough on this list though as this is a logwatch problem and not MS, so I'll try to see what I can find out somewhere else and let this list get back to its main business.

I think this is all being loaded into an array (I'm still not Perl-literate) by a statement such as

$Config{'mailto'} = "campbell\@cnpapers.com";

The original is:

$Config{'mailto'} = "root";

Thanks for all the help, though.

Steve

>
>> I tried using another form, along with a Perl string, and that doesn't work either. I think I'll try the /etc/logwatch/conf files and see where I go with that.
>>
>> Thanks, though
>>
>> Steve
>>>
>>> Ken A.
>>> Pacific.Net
>>>
>>>>
>>>> 2. If I upgraded, what do I do with the file attached in the earlier posts? I do see ClamAV and other new stuff in the report, but will the attached file make a difference in what I get with the off-the-shelf RPM from above?
>>>>
>>>> Thanks
>>>>
>>>> Steve
>>>>
>
>

From mgt at stellarcore.net Wed Oct 4 19:41:11 2006
From: mgt at stellarcore.net (Mike Tremaine) Date: Wed Oct 4 19:41:25 2006 Subject: OT: Logwatch Update In-Reply-To: <200610041738.k94HcUge002250@bkserver.blacknight.ie> References: <200610041738.k94HcUge002250@bkserver.blacknight.ie> Message-ID: <45240047.3010608@stellarcore.net> > I'm not sure if this is the cron variable you're speaking of or not, but > I don't understand where you are suggesting the line should be inserted. > This job is run from cron.daily on a RH system, using a Perl script that > sets a lot of variables within that script. There is a line to change > the logwatch variable "mailto", but that doesn't seem to work. The > script runs through all of the 4 default directories to set variables as > described in the man page. > > The big problem is that when I set the mailto variable in the script > using myname@mydomain.com, it indicates a bad variable due to the "@". I > tried using another form, along with a Perl string, and that doesn't > work either. I think I'll try the /etc/logwatch/conf files and see where > I go with that. This is obviously off topic so apologies but just to get it all down. First from logwatch 7+ the conf layout changed. There is no more /etc/log.d; instead everything lives in /usr/share/logwatch with end user configs in /etc/logwatch. So for this specific question you should only be editing /etc/logwatch/conf/logwatch.conf. And yes as Julian pointed out you need to escape the @ [ <- Perl Arrays ;0 ]. For more information than you wanted the default conf are under /usr/share/logwatch/default.conf and there is another directory called dist.conf provided for distribution to make their own. dist.conf overrides default.conf. /etc/logwatch/conf overrides dist.conf. The rpm packages should never replace anything in /etc/logwatch/conf. Now back to our MailScanner program... -Mike From brian.duncan at kattenlaw.com Wed Oct 4 19:42:59 2006
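The override order Mike describes, as an added example that is not from logwatch or from the thread: a POSIX shell function that walks the three logwatch.conf layers lowest-precedence first and reports which file supplies the effective value. The `Name = Value` parsing is a simplified assumption, `logwatch_effective` and `build_sample_tree` are hypothetical names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: resolve the effective value of a logwatch.conf setting.
# Layer order is the one given in the thread:
#   default.conf  <  dist.conf  <  /etc/logwatch/conf
# Assumption: settings are "Name = Value" lines, names are case-insensitive,
# and lines starting with "#" are comments (a simplified reading of the file).

# logwatch_effective KEY [SHARE_DIR] [ETC_DIR]
# Prints "<value><TAB><file that supplied it>"; returns 1 if KEY is not set.
logwatch_effective() {
    lw_key=$1
    lw_share=${2:-/usr/share/logwatch}
    lw_etc=${3:-/etc/logwatch}
    lw_value=
    lw_source=

    # Lowest precedence first, so a later hit overwrites an earlier one.
    for lw_file in \
        "$lw_share/default.conf/logwatch.conf" \
        "$lw_share/dist.conf/logwatch.conf" \
        "$lw_etc/conf/logwatch.conf"
    do
        [ -r "$lw_file" ] || continue
        if lw_hit=$(awk -v want="$lw_key" '
            /^[ \t]*#/ { next }                 # skip comment lines
            {
                eq = index($0, "=")
                if (eq == 0) next               # not a setting
                name = substr($0, 1, eq - 1)
                val  = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                # Within one file the last assignment wins.
                if (tolower(name) == tolower(want)) { found = 1; last = val }
            }
            END { if (found) print last; else exit 1 }
        ' "$lw_file"); then
            lw_value=$lw_hit
            lw_source=$lw_file
        fi
    done

    [ -n "$lw_source" ] || return 1
    printf '%s\t%s\n' "$lw_value" "$lw_source"
}

# build_sample_tree DIR: write a constructed three-layer layout under DIR.
build_sample_tree() {
    mkdir -p "$1/share/default.conf" "$1/share/dist.conf" "$1/etc/conf"
    printf '%s\n' '# shipped defaults' 'MailTo = root' 'Detail = Low' \
        'Range = yesterday' > "$1/share/default.conf/logwatch.conf"
    printf '%s\n' '# distribution layer' 'Detail = Med' \
        > "$1/share/dist.conf/logwatch.conf"
    printf '%s\n' '# local admin layer' 'mailto = admin@example.com' \
        > "$1/etc/conf/logwatch.conf"
}

# Demo on the constructed tree; on a real host call logwatch_effective MailTo.
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
for demo_key in MailTo Detail Range; do
    printf '%s -> ' "$demo_key"
    logwatch_effective "$demo_key" "$demo_dir/share" "$demo_dir/etc"
done
rm -rf "$demo_dir"
```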
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Wed Oct 4 19:43:07 2006 Subject: Mailscanner/Spam Assassin supportforMicrosoftIMF/SCLSpamscoring? Message-ID: <65234743FE1555428435CE39E6AC4078B38A50@CHI-US-EXCH-01.us.kmz.com> No Christian, your message did make it yesterday. I was excited that someone was already doing this.. I read it and figured I would be able to do what you documented. Unfortunately, the MS IMF user configurable content filter will ONLY act on subject or body or both. NOT message headers. (From everything I have read, I even had an Exchange admin here set it up and from looking at it there is NO capability to act on the presence of a specific header) So organizations that tag Spam based on message headers it does not look like you can get Spam Assassin/Mail Scanner logic to flow through to Exchange/Outlook junk mail folder. Yet there is a possible solution, I have sent emails to this company and am awaiting a reply and an eval of the product. http://www.smtptracker.com/ Assassin2Exchange filter (SpamAssassin to Exchange Spam Confidence Level conversion utility) released with SMTPTracker version 2.0. This stand-alone utility offers custom header conversion from spamassassin spam level to Exchange 2003 scl value (more complex than current s-tracker's conversion) and is available free to registered users. If you feel like this is what you need, send questions and sugestions to info@smtptracker.com. They charge 35.00 for an enterprise unlimited license for the product, or 500 for the source code. It looks like this might work as an alternative for Those like me, that do not want subject or body modifications. I know this is the MailScanner list, and this technically is now beyond MailScanner. I just wanted to follow up on this incase anyone else was thinking it would be good to put support for this in MailScanner or Spam Assassin. 
(it looks like the xheader for IMF SCL score is not all that is needed anyhow, I tested today having mail scanner create the SCL header on failed Spam messages before hitting Exchange, IMF just ignored the header and re-processed the messages) -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Christian Rasmussen Sent: Wednesday, October 04, 2006 10:54 AM To: MailScanner discussion Subject: RE: Mailscanner/Spam Assassin supportforMicrosoftIMF/SCLSpamscoring? Strange, I tried to send to the list yesterday and it just went *poof* for some reason. Here's my experience with IMF/SCL and MailScanner: I've been using the exchange features to assign a SCL score to any message that has the tag added by the mailscanner server. You can set it up so that all of those tagged messages go automatically to the exchange user's junk email folder. I haven't had any complaints about it and it allows for easier cleanup of those messages later. If anyone is interested, check out the following page http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2 -IMF-v2.html Once you have it enabled, just create a rule in your MSExchange.UceContentFilter.xml with something similar to: To tag it with any score you've set above your junk level (in the above example 8) Cheers, -Christian -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey Sent: Wednesday, October 04, 2006 8:31 AM To: MailScanner discussion Subject: RE: Mailscanner/Spam Assassin supportforMicrosoftIMF/SCLSpamscoring? > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Duncan, Brian M. > Sent: Wednesday, October 04, 2006 11:25 AM > To: MailScanner discussion > Subject: RE: Mailscanner/Spam Assassin support > forMicrosoftIMF/SCLSpamscoring? > > I spoke to soon. I looked through all the MS documentation on IMF and > custom rules and you can only act on Body and Subject line phrases. > > It does not support acting on message headers!? We don't modify subjects > incase there is a false positive. > > So it looks like IMF cannot move MailScanner/Spam Assassin scored messages > to a users Junk Mail folder unless you do modify subject or body. > > I guess I will need to used something 3rd party. > That is good to know, thanks for the research and follow up. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
From derek at adcatanzaro.com Wed Oct 4 19:54:32 2006
From: derek at adcatanzaro.com (Derek Catanzaro) Date: Wed Oct 4 19:55:06 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: <20061004174227.M95785@robhq.com> References: <4523339F.2050601@adcatanzaro.com> <4523EFD9.8040702@adcatanzaro.com> <20061004174227.M95785@robhq.com> Message-ID: <45240368.9070302@adcatanzaro.com> rob wrote: >>> >> The backup started occurring again this morning, reached about 1500 >> messages waiting. I took Res' suggestion and turned off spamassassin in >> the MailScanner.conf and sure enough it was only a matter of a couple >> minutes until the messages waiting went back down to under 200. That >> will at least help in preventing delayed email (thanks Res) but now >> spamassassin is not running which I would obviously like to have running. >> >> Thanks, >> Derek >> >> > > We ran into something like this a few months ago. Found out the machine was swapping a > ton with only 1 gig of RAM installed. Once we bumped this up to 4 gigs of ram, we have > not had the issue return. > > This is the result of a "top" taken from the machine in question. I don't think the swap file is an issue, but really not well versed in what is "good" or "bad" when referring to swap? 13:48:08 up 2:53, 2 users, load average: 6.43, 6.01, 6.17 112 processes: 109 sleeping, 3 running, 0 zombie, 0 stopped CPU states: cpu user nice system irq softirq iowait idle total 61.6% 0.0% 25.4% 0.0% 0.0% 0.0% 112.6% cpu00 29.3% 0.0% 9.5% 0.0% 0.0% 0.0% 61.1% cpu01 32.3% 0.0% 16.0% 0.0% 0.0% 0.0% 51.5% Mem: 2068504k av, 2026528k used, 41976k free, 0k shrd, 90976k buff 1132356k active, 815024k inactive Swap: 1831912k av, 8304k used, 1823608k free 326936k cached -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From campbell at cnpapers.com Wed Oct 4 20:03:17 2006 
From: campbell at cnpapers.com (Steve Campbell) Date: Wed Oct 4 20:03:44 2006 Subject: Logwatch Update References: <200610041738.k94HcUge002250@bkserver.blacknight.ie> <45240047.3010608@stellarcore.net> Message-ID: <001c01c6e7e7$c11f3f70$0705000a@DDF5DW71> ----- Original Message ----- 
From: "Mike Tremaine" To: Sent: Wednesday, October 04, 2006 2:41 PM Subject: OT: Logwatch Update > > > I'm not sure if this is the cron variable you're speaking of or not, but > > I don't understand where you are suggesting the line should be inserted. > > This job is run from cron.daily on a RH system, using a Perl script that > > sets a lot of variables within that script. There is a line to change > > the logwatch variable "mailto", but that doesn't seem to work. The > > script runs through all of the 4 default directories to set variables as > > described in the man page. > > > > The big problem is that when I set the mailto variable in the script > > using myname@mydomain.com, it indicates a bad variable due to the "@". I > > tried using another form, along with a Perl string, and that doesn't > > work either. I think I'll try the /etc/logwatch/conf files and see where > > I go with that. > > This is obviously off topic so apologies but just to get it all down. > > First from logwatch 7+ the conf layout changed. There is no more > /etc/log.d instead everything lives in /usr/share/logwatch with end user > configs in /etc/logwatch. So for this specific question you should only be > editing /etc/logwatch/conf/logwatch.conf. And yes as Julian pointed out > you need to escape the @ [ <- Perl Arrays ;0 ]. > > For more information then you wanted the default conf are under > /usr/share/logwatch/default.conf and there is another directory called > dist.conf provided for distribution to make there own. > > dist.conf overrides default.conf > /etc/logwatch/conf overrides dist.conf > > The rpm packages should never replace anything in /etc/logwatch/conf. > > Now back to our MailScanner program... > > -Mike > -- Thanks Mike, I was aware of the new directory structure, as mentioned above as the "4 default directories". 
Although I had tried the local /etc/logwatch/conf/logwatch.conf file earlier, I had the format wrong, as I now have it working with an entry in the local logwatch.conf file. I used the following: MailTo = campbell@cnpapers.com with no escapements or quotation marks and it works fine. Just thought I would let anyone else know. Thanks for all the help from everyone. Steve From matt at coders.co.uk Wed Oct 4 20:13:08 2006 From: matt at coders.co.uk (Matt Hampton) Date: Wed Oct 4 20:13:30 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: <45240368.9070302@adcatanzaro.com> References: <4523339F.2050601@adcatanzaro.com> <4523EFD9.8040702@adcatanzaro.com> <20061004174227.M95785@robhq.com> <45240368.9070302@adcatanzaro.com> Message-ID: <452407C4.8060203@coders.co.uk> Derek Catanzaro wrote: > This is the result of a "top" taken from the machine in question. I > don't think the swap file is an issue, but really not well versed in > what is "good" or "bad" when referring to swap? > Top doesn't give you a good enough picture vmstat is your friend read the man page and check for the "si" and "so" columns. Does anyone know if MailScanner causes swapping? matt From cplists at princeservices.com Wed Oct 4 20:30:56 2006 
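Matt's pointer to the `si` and `so` columns of vmstat, as an added example that is not part of the original posts: a POSIX shell function that finds those columns by name and summarises swap traffic across the samples. The function names, the verdict thresholds and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise swap traffic in `vmstat <interval> <count>` output.
# si = memory swapped in from disk per second, so = memory swapped out per second.

# sample_vmstat: constructed output in the layout of `vmstat 5 5`
# (not taken from the machine discussed in the thread).
sample_vmstat() {
cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 3  0   8304  41976  90976 326936    1    2    40    55  310  620 61 25 14  0  0
 4  0   8304  40112  90980 327004    0    0    12   130  402  811 63 24 13  0  0
 3  1   9120  12044  90100 325870  212  816   230   900  455  902 58 27  9  6  0
 5  1  11208  10320  89800 324900  640 2048   700  2100  470  950 55 28  7 10  0
 3  0  11208  39800  90010 326100    0    0     8    90  395  800 62 25 13  0  0
EOF
}

# swap_activity: read vmstat output on stdin and print one summary line:
#   si_max=<n> so_max=<n> active=<samples with swap traffic>/<samples> verdict=<word>
# Assumed thresholds: "sustained" when at least half of the samples show
# swap traffic, "occasional" when fewer do, "quiet" when none do.
swap_activity() {
    awk '
        # Header rows: locate si/so by name, since column positions differ
        # between vmstat versions. vmstat repeats the header periodically.
        {
            header = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "si") { si = i; header = 1 }
                if ($i == "so") { so = i; header = 1 }
            }
            if (header) next
        }
        # Data rows start with a number (the "r" column).
        si && so && $1 ~ /^[0-9]+$/ {
            # The first data row is the average since boot, not a live sample.
            if (++rows == 1) next
            samples++
            in_kb = $si + 0
            out_kb = $so + 0
            if (in_kb > max_si) max_si = in_kb
            if (out_kb > max_so) max_so = out_kb
            if (in_kb > 0 || out_kb > 0) active++
        }
        END {
            if (!samples) { print "no-samples"; exit 1 }
            verdict = "quiet"
            if (active > 0) verdict = "occasional"
            if (active > 0 && active * 2 >= samples) verdict = "sustained"
            printf "si_max=%d so_max=%d active=%d/%d verdict=%s\n",
                   max_si, max_so, active, samples, verdict
        }
    '
}

# Demo on the constructed sample; on a live host: vmstat 5 12 | swap_activity
sample_vmstat | swap_activity
```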
From: cplists at princeservices.com (Cameron B. Prince) Date: Wed Oct 4 20:29:09 2006 Subject: Bouncing Specific Addresses With Mailer Table Setup Message-ID: <014b01c6e7eb$9d9f6e40$1901a8c0@PSLAPTOP1> Hey guys, I have a client who is using MailScanner as a front-end for CommuniGate via mailertable. We have old, long since removed addresses that are constantly being spammed. We would like to maintain a list of those bad addresses on the MailScanner side that would cause them to be bounced before even being processed by MailScanner. Could anyway tell me if this is possible? Basically I would like to mimic the behavior of the "error:nouser User Unknown" entry in the virtusertable of a normal configuration. Thanks, Cameron From chen at hhmi.umbc.edu Wed Oct 4 20:35:35 2006 From: chen at hhmi.umbc.edu (Yu Chen) Date: Wed Oct 4 20:35:56 2006 Subject: 4.56.7 having trouble installing perl-Archive-Zip Message-ID: Hi, all Just trying to install a fresh copy of MailScanner 4.56.7 on a newly built RHEL 4 update 4, during the installation from install.sh, the perl-Archive-Zip failed with bad exit from /tmp/rpm-tmp...., but right after that, I used rpmbuild --rebuild the Archive-Zip.src.rpm with no problem and installed fine. Is this normal? And in MailScanner -v outputs, there is a "Missing SAVI" line, is this ok? Thanks, cy =========================================== Yu Chen Howard Hughes Medical Institute Chemistry Building, Rm 182 University of Maryland at Baltimore County 1000 Hilltop Circle Baltimore, MD 21250 phone: (410)455-6347 (primary) (410)455-2718 (secondary) fax: (410)455-1174 email: chen@hhmi.umbc.edu =========================================== From wayne at nightsol.net Wed Oct 4 21:07:22 2006 
From: wayne at nightsol.net (Wayne) Date: Wed Oct 4 21:07:30 2006 Subject: Don't change message header Message-ID: Hi guys, How can I set up MailScanner so that it makes no changes to the message headers at all? If I comment out the lines #Clean Header Value = Found to be clean #Infected Header Value = Found to be infected #Disinfected Header Value = Disinfected Changes still get made.. If I set them to Clean Header Value = Infected Header Value = Disinfected Header Value = Changes still get made.. Anybody have any ideas? Thanks, Wayne From derek at adcatanzaro.com Wed Oct 4 21:35:44 2006 From: derek at adcatanzaro.com (Derek Catanzaro) Date: Wed Oct 4 21:36:12 2006 Subject: New Batch: found 200 messages waiting, Number keeps increasing In-Reply-To: <452407C4.8060203@coders.co.uk> References: <4523339F.2050601@adcatanzaro.com> <4523EFD9.8040702@adcatanzaro.com> <20061004174227.M95785@robhq.com> <45240368.9070302@adcatanzaro.com> <452407C4.8060203@coders.co.uk> Message-ID: <45241B20.6050402@adcatanzaro.com> Matt Hampton wrote: > Derek Catanzaro wrote: > > >> This is the result of a "top" taken from the machine in question. I >> don't think the swap file is an issue, but really not well versed in >> what is "good" or "bad" when referring to swap? >> >> > > Top doesn't give you a good enough picture > > vmstat is your friend > > read the man page and check for the "si" and "so" columns. > > Does anyone know if MailScanner causes swapping? > > matt > Yes, I agree, this has crossed over into the OT realm. Thanks for the vmstat info, looking into it now. I appreciate the suggestions everyone has given. Thanks, Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Oct 4 22:30:51 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 4 22:31:05 2006 Subject: 4.56.7 having trouble installing perl-Archive-Zip In-Reply-To: References: Message-ID: <4524280B.5090008@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I haven't had a chance to test RHEL4u4 yet. The Missing SAVI line is harmless unless you are trying to use the Sophos SAVI module. If you aren't using the "sophossavi" scanner, it's irrelevant. Don't worry. Yu Chen wrote: > Hi, all > Just trying to install a fresh copy of MailScanner 4.56.7 on a newly > built RHEL 4 update 4, during the installation from install.sh, the > perl-Archive-Zip failed with bad exit from /tmp/rpm-tmp...., but right > after that, I used rpmbuild --rebuild the Archive-Zip.src.rpm with no > problem and installed fine. Is this normal? And in MailScanner -v > outputs, there is a "Missing SAVI" line, is this ok? > > Thanks, > > cy > > =========================================== > Yu Chen > Howard Hughes Medical Institute > Chemistry Building, Rm 182 > University of Maryland at Baltimore County > 1000 Hilltop Circle > Baltimore, MD 21250 > > phone: (410)455-6347 (primary) > (410)455-2718 (secondary) > fax: (410)455-1174 > email: chen@hhmi.umbc.edu > =========================================== Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFJCgMEfZZRxQVtlQRAsNpAJ4qaXPoU2oluFzvnk36qQGtT4lkngCdE1nM nfQuayYpC0R69gjGrl8/sOc= =w/rm -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ssilva at sgvwater.com Wed Oct 4 22:38:55 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 4 22:39:31 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> <45239006.6080905@rcwm.com> <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com> Message-ID: Scott Silva spake the following on 10/4/2006 8:43 AM: > Glenn Steen spake the following on 10/4/2006 3:55 AM: >> On 04/10/06, Henry Hollenberg wrote: >>> SOLVED: razor-agent.log file in mailscanner incoming queue directory >>> /var/spool/postfix/hold was hanging mailscanner on automatic >>> restart every 14400 seconds. Synopsis top-posted for your convenience. >>> See reply to Drew as bottom-post below. hgh. >>> >> Somewhat a known issue. Good to know what solved it for you though. >> >>> Drew Marshall wrote: >>>> On Wed, October 4, 2006 01:52, Henry Hollenberg wrote: >> (snip) >>>>> Oh!, like the razor-agent file? : >>>> >>>> Yup, just like that. Never one to say told you so but... :-) >>>> >>>> Having said that, you have fixed the cause so delete that one (Oh I see >>>> from your next message you have. Nice to see you are continuing the >>>> tradition of Postfix users replying to themselves ;-) Keep up the good >>>> work :-> ) >>>> >>>> You shuld now have few (No?) problems and a damn sight less Spam. >>>> >>>> Regards >>>> >>>> Drew >>>> >>> Talk to myself alot too, anyway, that seemed to fix it >>> as my mailbox has 21 general emails in it (non-mailing list >>> mails). Damn sight less than the 100+ I was waking up to. >>> >>> 3 were appropriately labeled as SPAM >>> 17 slipped thru >>> 1 valid email about a dead disk at work >> Were those image type spam? I find ImageInfo >> (http://www.rulesemporium.com/plugins.htm) fixes that well for me... 
>> Or one could do FuzzyOcr (look at the apache spamassassin site...). >> >>> Thanks for all the help! >> We do what we can:-) > Hey Glenn, > Does the imageinfo plugin load like the old plugins always did, or do you now > have to use a load plugin line in init.pre? > > (Not hijacking the thread as Glenn mentioned the plugin above.) > > Never mind ... I actually RTFM. Will try to remember to do so in the future. Replying to myself ... Hmmmm... Must be running postfix somewhere. Oh yeah... Now I remember ... -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From taz at taz-mania.com Wed Oct 4 22:42:56 2006 
From: taz at taz-mania.com (Dennis Willson) Date: Wed Oct 4 22:42:59 2006 Subject: Bouncing Specific Addresses With Mailer Table Setup In-Reply-To: <014b01c6e7eb$9d9f6e40$1901a8c0@PSLAPTOP1> Message-ID: I have the setup (sendmail/MailScanner/SpamAssassin/ClamAV/Mailwatch mail hub in front of a CommunigatePro mail server). I use SMF-SAV milter to do the user verification. It uses the mailer table and then asks Communicate if that user exists before accepting the email and if that users doesn't exist, it rejects with a "550 5.1.1 Sorry, no mailbox here with that name" error. It works really well. It can also do Sender Address Verification where it looks up the mx record for the sending email address domain and then goes and asks that mail server if the sending username really exists, if not it rejects the email. Either of those functions can be disabled and there is the ability to enter Whitelists. Hope this helps. On Wed, 4 Oct 2006 14:30:56 -0500 "Cameron B. Prince" wrote: >Hey guys, > >I have a client who is using MailScanner as a front-end for >CommuniGate via >mailertable. We have old, long since removed addresses that are >constantly >being spammed. We would like to maintain a list of those bad >addresses on >the MailScanner side that would cause them to be bounced before even >being >processed by MailScanner. Could anyway tell me if this is possible? > >Basically I would like to mimic the behavior of the "error:nouser >User >Unknown" entry in the virtusertable of a normal configuration. > >Thanks, >Cameron > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! 
-------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From pete at enitech.com.au Wed Oct 4 22:50:27 2006 From: pete at enitech.com.au (Peter Russell) Date: Wed Oct 4 22:50:44 2006 Subject: Config for Out of Office in Outlook In-Reply-To: <3BF93070B3D1B047BA7ABF612958950D021F81@hcex.hartwellcorp.com> References: <3BF93070B3D1B047BA7ABF612958950D021F81@hcex.hartwellcorp.com> Message-ID: <45242CA3.7040709@enitech.com.au> Have a look at using Outlook rules. Michael St. Laurent wrote: > This is not directly related to MailScanner but I'm hoping someone on > the list can point me in the right direction. > > > > We have folks here who use Outlook's Out of Office Assistant and who > wish to ensure that no automatic replies are sent to mailing lists. The > mail server is running Exchange 2003. Do I need to change any settings > or modify the registry to accomplish this? > From Kevin_Miller at ci.juneau.ak.us Wed Oct 4 23:03:39 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Oct 4 23:03:49 2006 Subject: Config for Out of Office in Outlook In-Reply-To: <45242CA3.7040709@enitech.com.au> Message-ID: Peter Russell wrote: > Have a look at using Outlook rules. > > Michael St. Laurent wrote: >> This is not directly related to MailScanner but I'm hoping someone on >> the list can point me in the right direction. >> >> >> >> We have folks here who use Outlook's Out of Office Assistant and who >> wish to ensure that no automatic replies are sent to mailing lists. >> The mail server is running Exchange 2003. Do I need to change any >> settings or modify the registry to accomplish this? No, you want it set in Exchange System Manager. I forget where and am just leaving (all the fun I can handle for the day!), but google for it. If you can't find it holler and I'll dig deeper tomorrow. Somewhere in System manager is where you can set up a number of things that outta be changed, such as turn off RTF format to the internet, turn off Out of Office notifications to the internet, etc. I can set my Out of Office in Outlook, and it works fine internally, but they never leave our system. But it's a server side setting because you don't want to rely on your users to remember (or have to even agree) to turn it off in the client... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From tim at denmantire.com Thu Oct 5 00:14:04 2006 
From: tim at denmantire.com (Tim Boyer) Date: Thu Oct 5 00:14:23 2006 Subject: Reject vs. bounce References: <223f97700610030443l50b5c5a0r46c8f886d8cd8eb@mail.gmail.com> <223f97700610040026k412065e9md61050b85ab943b5@mail.gmail.com> Message-ID: On Wed, 4 Oct 2006 09:26:03 +0200, "Glenn Steen" wrote: >On 04/10/06, Tim Boyer wrote: >(snip) >> >> I'm rejecting 2,000 per day for 50 users. If I quarantined and had them go >> through them, it would be as time-consuming as letting them go through. >> >But are all 2000 SA-driven? Could you perhaps use "other measures" >(like rfc strictness, only accepting valid addresses, greet_pause, >graylist, whatever) to slim that down (assuming you don't do all/any >of that already:-)? Might make quarantining a more palatable option. > >-- >-- Glenn Yup; some combination of things will probably work. I'll start checking my filters and see what gets through where. Thanks much! -- tim boyer tim@denmantire.com From glenn.steen at gmail.com Thu Oct 5 08:49:00 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 5 08:49:05 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> <45239006.6080905@rcwm.com> <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com> Message-ID: <223f97700610050049m4ada99aeh9fc3db5ad3eaf78@mail.gmail.com> On 04/10/06, Scott Silva wrote: (snip) > Never mind ... I actually RTFM. Will try to remember to do so in the future. ... Amazing what that can reveal, eh?:-). > Replying to myself ... Hmmmm... Must be running postfix somewhere. > Oh yeah... Now I remember ... Always knew you were a closet PF user...:-D. Somewhat back on track: I thought I'd need both ImageInfo and FuzzyOcr... But when I implemented ImageInfo (I like to change things (that work:) one small step at a time, when possible... Tweaking, not frobbing;), I fairly quickly realised it got all the image-based spam without hardly any FPs (at least not any _new_ FPs... The ones FP'ing was doing that already due to badly come together .... "marketing systems"... "solicited" spam type of things:-). So I backed off from the ocr bit (have it running on a testbed, but... will probably not introduce it into production use). What amazes me is that some of the more influential merchant banks/financial institutions have really no clue as to how to put mail together that don't look spammy... Instead they annoy us (their "users") with notes about please making exceptions _for their domain names_ ... Really no clue at all. If their communications are that important, why not make the effort to set up SPF and/or Domain Keys... Or just avoid forging senders, HTML mails with a lot of big images, ALL CAPS subjects etc etc etc. Jeez. 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From bpumphrey at woodmclaw.com Thu Oct 5 14:12:01 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Oct 5 14:12:06 2006 Subject: Config for Out of Office in Outlook In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D1501729777@woodenex.woodmaclaw.local> > No, you want it set in Exchange System Manager. I forget where and am > just leaving (all the fun I can handle for the day!), but google for it. > If you can't find it holler and I'll dig deeper tomorrow. > > Somewhere in System manager is where you can set up a number of things > that outta be changed, such as turn off RTF format to the internet, turn > off Out of Office notifications to the internet, etc. > > I can set my Out of Office in Outlook, and it works fine internally, but > they never leave our system. But it's a server side setting because you > don't want to rely on your users to remember (or have to even agree) to > turn it off in the client... > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > -- Looks like it might be this: 1. In system manager, go to Global Settings 2. Right click on Internet message Formats, click on properties 3. Go to the Advanced tab There you will see check marks for "Allow out of office responses" Is that the correct setting? From bpumphrey at woodmclaw.com Thu Oct 5 15:00:54 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Oct 5 15:00:59 2006 Subject: Logwatch Update In-Reply-To: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501729778@woodenex.woodmaclaw.local> > ----Original Message---- 
> From: Mike Tremaine > Sent: Tuesday, October 03, 2006 11:20 PM > To: mailscanner@lists.mailscanner.info > Subject: RE: Logwatch Update (Phil Udel) > > > > > Or you can always get in out of cvs at logwatch.org. Having said > > that I'll see if I can roll your changes into the current version. > > I'd also encourge you [and everyone who uses logwatch] to upgrade > > to the 7.3.1 release it. > > > > -Mike > > If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps > logwatch fairly up to date.... http://rpm.razorsedge.org/ > > Thanks, > Ryan > I cannot find a good link to download it. Does anyone have a good link for it? From campbell at cnpapers.com Thu Oct 5 15:22:46 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Oct 5 15:23:16 2006 Subject: Logwatch Update References: <04D932B0071FE34FA63EBB1977B48D1501729778@woodenex.woodmaclaw.local> Message-ID: <005b01c6e889$badf5580$0705000a@DDF5DW71> ----- Original Message ----- From: "Billy A. Pumphrey" To: "MailScanner discussion" Sent: Thursday, October 05, 2006 10:00 AM Subject: RE: Logwatch Update >> ----Original Message---- >> From: Mike Tremaine >> Sent: Tuesday, October 03, 2006 11:20 PM >> To: mailscanner@lists.mailscanner.info >> Subject: RE: Logwatch Update (Phil Udel) >> >> >> >> > Or you can always get in out of cvs at logwatch.org. Having said >> > that I'll see if I can roll your changes into the current version. >> > I'd also encourge you [and everyone who uses logwatch] to upgrade >> > to the 7.3.1 release it. >> > >> > -Mike >> >> If you are running RedHat or CentOS, the Razor's Edge RPM Repository > keeps >> logwatch fairly up to date.... http://rpm.razorsedge.org/ >> >> Thanks, >> Ryan >> > > I cannot find a good link to download it. Does anyone have a good link > for it? > -- The link above worked fine for me. Steve From bpumphrey at woodmclaw.com Thu Oct 5 15:51:49 2006 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Thu Oct 5 15:52:00 2006
Subject: Logwatch Update
In-Reply-To: <005b01c6e889$badf5580$0705000a@DDF5DW71>
Message-ID: <04D932B0071FE34FA63EBB1977B48D150172977A@woodenex.woodmaclaw.local>

>
> >> ----Original Message----
> >> From: Mike Tremaine
> >> Sent: Tuesday, October 03, 2006 11:20 PM
> >> To: mailscanner@lists.mailscanner.info
> >> Subject: RE: Logwatch Update (Phil Udel)
> >>
> >>
> >>
> >> > Or you can always get it out of cvs at logwatch.org. Having said
> >> > that I'll see if I can roll your changes into the current version.
> >> > I'd also encourage you [and everyone who uses logwatch] to upgrade
> >> > to the 7.3.1 release it.
> >> >
> >> > -Mike
> >>
> >> If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps
> >> logwatch fairly up to date.... http://rpm.razorsedge.org/
> >>
> >> Thanks,
> >> Ryan
> >>
> >
> > I cannot find a good link to download it. Does anyone have a good link
> > for it?
> > --
> The link above worked fine for me.
>
> Steve
>
> --

Ok, Sorry I missed the link in the thread. I was searching google. The
logwatch home page seems to be nonexistent.

From campbell at cnpapers.com Thu Oct 5 16:12:10 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Oct 5 16:12:39 2006
Subject: Logwatch Update
References: <04D932B0071FE34FA63EBB1977B48D150172977A@woodenex.woodmaclaw.local>
Message-ID: <002201c6e890$a181c990$0705000a@DDF5DW71>

----- Original Message -----
From: "Billy A. Pumphrey"
To: "MailScanner discussion"
Sent: Thursday, October 05, 2006 10:51 AM
Subject: RE: Logwatch Update

>>
>> >> ----Original Message----
>> >> From: Mike Tremaine
>> >> Sent: Tuesday, October 03, 2006 11:20 PM
>> >> To: mailscanner@lists.mailscanner.info
>> >> Subject: RE: Logwatch Update (Phil Udel)
>> >>
>> >>
>> >>
>> >> > Or you can always get it out of cvs at logwatch.org. Having said
>> >> > that I'll see if I can roll your changes into the current version.
>> >> > I'd also encourage you [and everyone who uses logwatch] to upgrade
>> >> > to the 7.3.1 release it.
>> >> >
>> >> > -Mike
>> >>
>> >> If you are running RedHat or CentOS, the Razor's Edge RPM Repository keeps
>> >> logwatch fairly up to date.... http://rpm.razorsedge.org/
>> >>
>> >> Thanks,
>> >> Ryan
>> >>
>> >
>> > I cannot find a good link to download it. Does anyone have a good link
>> > for it?
>> > --
>> The link above worked fine for me.
>>
>> Steve
>>
>> --
>
> Ok, Sorry I missed the link in the thread. I was searching google. The
> logwatch home page seems to be nonexistent.
>
>
> --

The logwatch homepage uses a non-standard port (8080 or/and 81) I believe.
If you have a firewall, you're probably blocking it there.

Steve

From cplists at princeservices.com Thu Oct 5 16:25:18 2006
From: cplists at princeservices.com (Cameron B. Prince)
Date: Thu Oct 5 16:23:26 2006
Subject: Bouncing Specific Addresses With Mailer Table Setup
In-Reply-To:
Message-ID: <01c101c6e892$7750a180$1901a8c0@PSLAPTOP1>

Hi Dennis,

I believe this is exactly what we need. Thanks for the advice.

Cameron

> I have the setup (sendmail/MailScanner/SpamAssassin/ClamAV/Mailwatch
> mail hub in front of a CommunigatePro mail server). I use SMF-SAV
> milter to do the user verification. It uses the mailer table and then
> asks CommuniGate if that user exists before accepting the email and if
> that user doesn't exist, it rejects with a "550 5.1.1 Sorry, no
> mailbox here with that name" error. It works really well. It can also
> do Sender Address Verification where it looks up the mx record for the
> sending email address domain and then goes and asks that mail server
> if the sending username really exists, if not it rejects the email.
> Either of those functions can be disabled and there is the ability to
> enter Whitelists.
>
> Hope this helps.
>
>
> On Wed, 4 Oct 2006 14:30:56 -0500
> "Cameron B. Prince" wrote:
> >Hey guys,
> >
> >I have a client who is using MailScanner as a front-end for CommuniGate via
> >mailertable. We have old, long since removed addresses that are constantly
> >being spammed. We would like to maintain a list of those bad addresses on
> >the MailScanner side that would cause them to be bounced before even being
> >processed by MailScanner. Could anyone tell me if this is possible?
> >
> >Basically I would like to mimic the behavior of the "error:nouser User
> >Unknown" entry in the virtusertable of a normal configuration.
> >
> >Thanks,
> >Cameron
> >
> >--
> >MailScanner mailing list
> >mailscanner@lists.mailscanner.info
> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >Before posting, read http://wiki.mailscanner.info/posting
> >
> >Support MailScanner development - buy the book off the website!
> > > -------------------------------------------------- > Dennis Willson > > taz@taz-mania.com > http://www.taz-mania.com > > Ham: ka6lsw > Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, > Gas Blender > > Owner: Kepnet Internet Services > > Life should not be a journey to the grave with the intention of > arriving safely in a nice looking and well preserved body, but rather > to skid in broadside, thoroughly used up, totally worn out, and loudly > proclaiming, "WOW! WHAT A RIDE!" > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Thu Oct 5 16:26:51 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 5 16:40:53 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <223f97700610050049m4ada99aeh9fc3db5ad3eaf78@mail.gmail.com> References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> <45239006.6080905@rcwm.com> <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com> <223f97700610050049m4ada99aeh9fc3db5ad3eaf78@mail.gmail.com> Message-ID: Glenn Steen spake the following on 10/5/2006 12:49 AM: > On 04/10/06, Scott Silva wrote: > (snip) >> Never mind ... I actually RTFM. Will try to remember to do so in the >> future. > ... Amazing what that can reveal, eh?:-). > >> Replying to myself ... Hmmmm... Must be running postfix somewhere. >> Oh yeah... Now I remember ... > Always knew you were a closet PF user...:-D. > > Somewhat back on track: I thought I'd need both ImageInfo and > FuzzyOcr... But when I implemented ImageInfo (I like to change things > (that work:) one small step at a time, when possible... Tweaking, not > frobbing;), I fairly quickly realised it got all the image-based spam > without hardly any FPs (at least not any _new_ FPs... The ones FP'ing > was doing that already due to badly come together .... "marketing > systems"... "solicited" spam type of things:-). So I backed off from > the ocr bit (have it running on a testbed, but... will probably not > introduce it into production use). > > What amazes me is that some of the more influential merchant > banks/financial institutions have really no clue as to how to put mail > together that don't look spammy... Instead they annoy us (their > "users") with notes about please making exceptions _for their domain > names_ ... Really no clue at all. 
> If their communications are that important, why not make the effort to > set up SPF and/or Domain Keys... Or just avoid forging senders, HTML > mails with a lot of big images, ALL CAPS subjects etc etc etc. Jeez. > > It is just like the web designers that abbreviate words into their pron-looking equivalents and set off the content filters. I had a V.P. in here wondering why the (tit)anium driver he was trying to look at was classified as objectionable. I just need a TCP/IP enabled lart! Then I could give a clue anywhere in the world! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Kevin_Miller at ci.juneau.ak.us Thu Oct 5 16:42:14 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Oct 5 16:42:21 2006 Subject: Config for Out of Office in Outlook In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501729777@woodenex.woodmaclaw.local> Message-ID: Billy A. Pumphrey wrote: > >> No, you want it set in Exchange System Manager. I forget where and >> am just leaving (all the fun I can handle for the day!), but google >> for it. If you can't find it holler and I'll dig deeper tomorrow. >> >> Somewhere in System manager is where you can set up a number of >> things that outta be changed, such as turn off RTF format to the >> internet, turn off Out of Office notifications to the internet, etc. >> >> I can set my Out of Office in Outlook, and it works fine internally, >> but they never leave our system. But it's a server side setting >> because you don't want to rely on your users to remember (or have to >> even agree) to turn it off in the client... >> >> ...Kevin >> -- >> Kevin Miller Registered Linux User No: 307357 >> CBJ MIS Dept. Network Systems Admin., Mail Admin. >> 155 South Seward Street ph: (907) 586-0242 >> Juneau, Alaska 99801 fax: (907 586-4500 >> -- > > Looks like it might be this: > 1. In system manager, go to Global Settings > 2. Right click on Internet message Formats, click on properties > 3. Go to the Advanced tab > > There you will see check marks for "Allow out of office responses" > > Is that the correct setting? Yup, thanks Billy. Although I had trouble getting there following steps 1-3. I'm probably still waiting for the morning's coffee to kick in. For me, it was: 1. In system manager, go to Global Settings 2. Left click on Internet message Formats, in the right hand pane select the Internet Message Format that talks to the internet. I have several 'formats' as I talk to other Exchange servers, but my default format talks to the internet (via my MailScanner gateways) so that's the one I operate on. Either double click it, or right click and go to properties. 3. 
Go to the Advanced tab
4. Select Never Use in the Exchange Rich Text Format area. I'm persuaded that RTF sucks. YMMV. Season to taste.
5. Uncheck Allow Out of Office Responses.

You're done. Well, mostly. You might also want to check out these pages:

http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:sa-learn:msexchange
(I haven't done this yet but probably will soon.)

http://www.fsl.com/support/Milter-Ahead-Exchange-Settings.pdf
This references milter-ahead, but I'm using smf-sav. Nonetheless, the concept is the same and running either milter is a righteous thing to do...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From bpumphrey at woodmclaw.com Thu Oct 5 16:52:12 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Thu Oct 5 16:52:17 2006
Subject: Config for Out of Office in Outlook
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D150172977D@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Kevin Miller > Sent: Thursday, October 05, 2006 11:42 AM > To: MailScanner discussion > Subject: RE: Config for Out of Office in Outlook > > Billy A. Pumphrey wrote: > > > >> No, you want it set in Exchange System Manager. I forget where and > >> am just leaving (all the fun I can handle for the day!), but google > >> for it. If you can't find it holler and I'll dig deeper tomorrow. > >> > >> Somewhere in System manager is where you can set up a number of > >> things that outta be changed, such as turn off RTF format to the > >> internet, turn off Out of Office notifications to the internet, etc. > >> > >> I can set my Out of Office in Outlook, and it works fine internally, > >> but they never leave our system. But it's a server side setting > >> because you don't want to rely on your users to remember (or have to > >> even agree) to turn it off in the client... > >> > >> ...Kevin > >> -- > >> Kevin Miller Registered Linux User No: 307357 > >> CBJ MIS Dept. Network Systems Admin., Mail Admin. > >> 155 South Seward Street ph: (907) 586-0242 > >> Juneau, Alaska 99801 fax: (907 586-4500 > >> -- > > > > Looks like it might be this: > > 1. In system manager, go to Global Settings > > 2. Right click on Internet message Formats, click on properties > > 3. Go to the Advanced tab > > > > There you will see check marks for "Allow out of office responses" > > > > Is that the correct setting? > > Yup, thanks Billy. Although I had trouble getting there following steps > 1-3. I'm probably still waiting for the morning's coffee to kick in. > For me, it was: > 1. In system manager, go to Global Settings > 2. Left click on Internet message Formats, in the right hand pane select > the Internet Message Format that talks to the internet. 
I have several > 'formats' as I talk to other Exchange servers, but my default format > talks to the internet (via my MailScanner gateways) so that's the one I > operate on. Either double click it, or right click and go to > properties. > 3. Go to the Advanced tab > 4. Select Never Use in the Exchange Rich Text Format area. I'm > persuaded that RTF sucks. YMMV. Season to taste. > 5. Uncheck Allow Out of Office Responses. > > You're done. Well, mostly. You might also want to check out these > pages: > http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamass > assin:sa-learn:msexchange (I haven't done this yet but probably will > soon.) > http://www.fsl.com/support/Milter-Ahead-Exchange-Settings.pdf This > references milter-ahead, but I'm using smf-sav. Nonetheless, the > concept is the same and running either milter is a righteous thing to > do... > > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > -- That was me. I should have re-read it, I left out a click or two. So the out of office check box will still allow internal out of office auto replies? From Kevin_Miller at ci.juneau.ak.us Thu Oct 5 17:14:12 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Oct 5 17:14:20 2006
Subject: Config for Out of Office in Outlook
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150172977D@woodenex.woodmaclaw.local>
Message-ID:

Billy A. Pumphrey wrote:
> That was me. I should have re-read it, I left out a click or two. So
> the out of office check box will still allow internal out of office
> auto replies?

Correct. Remember, this is just dealing with the SMTP side of things (internet messaging) so you aren't affecting non-SMTP mail. Within its own little universe, Exchange follows its own set of rules - it's just when the message leaves the box that the rules change.

Note in my previous message that I had multiple 'formats' though. A couple of them talk to other Exchange servers, but they're outside our forest/domain but still w/in the CBJ umbrella so I communicate via SMTP with them. I explicitly didn't disable out of office on them, as I want them to receive the notices. It's just in the internet 'format' that I wanted to squelch them.

I could complain that Microsoft should have turned off internet responses by default, but if they had I'd be complaining that I have to explicitly turn them on for internal messages.

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From glenn.steen at gmail.com Thu Oct 5 18:28:54 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 5 18:28:58 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: References: <452047C0.7010002@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> <45239006.6080905@rcwm.com> <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com> <223f97700610050049m4ada99aeh9fc3db5ad3eaf78@mail.gmail.com> Message-ID: <223f97700610051028g3a4335dl3daf9eac535621ab@mail.gmail.com> On 05/10/06, Scott Silva wrote: > Glenn Steen spake the following on 10/5/2006 12:49 AM: > > On 04/10/06, Scott Silva wrote: > > (snip) > >> Never mind ... I actually RTFM. Will try to remember to do so in the > >> future. > > ... Amazing what that can reveal, eh?:-). > > > >> Replying to myself ... Hmmmm... Must be running postfix somewhere. > >> Oh yeah... Now I remember ... > > Always knew you were a closet PF user...:-D. > > > > Somewhat back on track: I thought I'd need both ImageInfo and > > FuzzyOcr... But when I implemented ImageInfo (I like to change things > > (that work:) one small step at a time, when possible... Tweaking, not > > frobbing;), I fairly quickly realised it got all the image-based spam > > without hardly any FPs (at least not any _new_ FPs... The ones FP'ing > > was doing that already due to badly come together .... "marketing > > systems"... "solicited" spam type of things:-). So I backed off from > > the ocr bit (have it running on a testbed, but... will probably not > > introduce it into production use). > > > > What amazes me is that some of the more influential merchant > > banks/financial institutions have really no clue as to how to put mail > > together that don't look spammy... Instead they annoy us (their > > "users") with notes about please making exceptions _for their domain > > names_ ... Really no clue at all. 
> > If their communications are that important, why not make the effort to
> > set up SPF and/or Domain Keys... Or just avoid forging senders, HTML
> > mails with a lot of big images, ALL CAPS subjects etc etc etc. Jeez.
> >
> >
> It is just like the web designers that abbreviate words into their
> pron-looking equivalents and set off the content filters.
> I had a V.P. in here wondering why the (tit)anium driver he was trying to look
> at was classified as objectionable.

Ah. That problem... Closely related to OOdesign/development... "grope
through the objects private parts"... :-)

> I just need a TCP/IP enabled lart! Then I could give a clue anywhere in the world!

Sounds like a worthwhile project... Only trouble is getting the (l)users
to install it:-) ... Or were you considering a change to the TCP
protocol...?:-D

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Thu Oct 5 19:12:09 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 5 19:14:13 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: <223f97700610051028g3a4335dl3daf9eac535621ab@mail.gmail.com> References: <452047C0.7010002@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> <45239006.6080905@rcwm.com> <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com> <223f97700610050049m4ada99aeh9fc3db5ad3eaf78@mail.gmail.com> <223f97700610051028g3a4335dl3daf9eac535621ab@mail.gmail.com> Message-ID: Glenn Steen spake the following on 10/5/2006 10:28 AM: > On 05/10/06, Scott Silva wrote: >> Glenn Steen spake the following on 10/5/2006 12:49 AM: >> > On 04/10/06, Scott Silva wrote: >> > (snip) >> >> Never mind ... I actually RTFM. Will try to remember to do so in the >> >> future. >> > ... Amazing what that can reveal, eh?:-). >> > >> >> Replying to myself ... Hmmmm... Must be running postfix somewhere. >> >> Oh yeah... Now I remember ... >> > Always knew you were a closet PF user...:-D. >> > >> > Somewhat back on track: I thought I'd need both ImageInfo and >> > FuzzyOcr... But when I implemented ImageInfo (I like to change things >> > (that work:) one small step at a time, when possible... Tweaking, not >> > frobbing;), I fairly quickly realised it got all the image-based spam >> > without hardly any FPs (at least not any _new_ FPs... The ones FP'ing >> > was doing that already due to badly come together .... "marketing >> > systems"... "solicited" spam type of things:-). So I backed off from >> > the ocr bit (have it running on a testbed, but... will probably not >> > introduce it into production use). >> > >> > What amazes me is that some of the more influential merchant >> > banks/financial institutions have really no clue as to how to put mail >> > together that don't look spammy... 
Instead they annoy us (their
>> > "users") with notes about please making exceptions _for their domain
>> > names_ ... Really no clue at all.
>> > If their communications are that important, why not make the effort to
>> > set up SPF and/or Domain Keys... Or just avoid forging senders, HTML
>> > mails with a lot of big images, ALL CAPS subjects etc etc etc. Jeez.
>> >
>> >
>> It is just like the web designers that abbreviate words into their
>> pron-looking equivalents and set off the content filters.
>> I had a V.P. in here wondering why the (tit)anium driver he was trying to look
>> at was classified as objectionable.
> Ah. That problem... Closely related to OOdesign/development... "grope
> through the objects private parts"... :-)
>
>> I just need a TCP/IP enabled lart! Then I could give a clue anywhere
>> in the world!
> Sounds like a worthwhile project... Only trouble is getting the (l)users
> to install it:-) ... Or were you considering a change to the TCP
> protocol...?:-D
>

Should be a default daemon installed in every operating system from now to the end of time. Maybe it could be set to autorun on the extremely challenged.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Thu Oct 5 19:16:09 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 5 19:16:23 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: References: <452047C0.7010002@rcwm.com> <4522236E.1030005@ecs.soton.ac.uk> <45224478.2030403@rcwm.com> <223f97700610030427t79b7414kd53125d621d9d817@mail.gmail.com> <452305C9.5060703@rcwm.com> <53767.194.70.180.170.1159947741.squirrel@www.technologytiger.net> <45239006.6080905@rcwm.com> <223f97700610040355v5a2fa625ta592c18cc42a814@mail.gmail.com> <223f97700610050049m4ada99aeh9fc3db5ad3eaf78@mail.gmail.com> Message-ID: <45254BE9.5040102@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > > I just need a TCP/IP enabled lart! Then I could give a clue anywhere in the world! > Has no-one come up with a LCP/IP (lart control protocol) ? An obvious one for next April 1st surely. Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFJUvqEfZZRxQVtlQRAqbnAKDcv3F6B4OgVeVYvOUU7Ghr2rQQvgCggr8H ycReKB1vuiYUlVWQGm1q4Hw= =V6u6 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From martinh at solidstatelogic.com Thu Oct 5 19:33:36 2006 
From: martinh at solidstatelogic.com (martinh@solidstatelogic.com) Date: Thu Oct 5 19:33:56 2006 Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.1.6 available!] Message-ID: <1278.81.86.146.39.1160073216.squirrel@mail.solidstatelogic.com> ---------------------------- Original Message ---------------------------- Subject: ANNOUNCE: Apache SpamAssassin 3.1.6 available! 
From: "Daryl C. W. O'Shea" Date: Thu, 5 October, 2006 6:56 pm To: "SpamAssassin Users List" "SpamAssassin Devel List" "SpamAssassin Announcements List" -------------------------------------------------------------------------- Apache SpamAssassin 3.1.6 is now available! This is a maintenance release of the 3.1.x branch. Downloads are available from: http://spamassassin.apache.org/downloads.cgi?update=200610050918 The release file will also be available via CPAN in the near future. md5sum of archive files: 1cf43cea76e30aec6983cdbfe2e08316 Mail-SpamAssassin-3.1.6.tar.bz2 a0acc5e63a5e3401d039cd05cd189b96 Mail-SpamAssassin-3.1.6.tar.gz aac75c43ef9a74df4c100e8a7e37a5fd Mail-SpamAssassin-3.1.6.zip sha1sum of archive files: 16575633e60177733069c1681d6bf9528c076274 Mail-SpamAssassin-3.1.6.tar.bz2 fbf7e7aac113313da3f7357260d1a295ff275eef Mail-SpamAssassin-3.1.6.tar.gz 779ea2f5174de766405bdaa6d378ed6e7a749526 Mail-SpamAssassin-3.1.6.zip The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net key server, as well as http://spamassassin.apache.org/released/GPG-SIGNING-KEY The key information is: pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B 3.1.6 includes a large number of bug fixes and documentation updates. 
Here is an abbreviated changelog (since 3.1.5) for major updates (see the Changes file for a complete list): - bug 4940: fixes to bug in date handling affecting DATE_IN_FUTURE_* and DATE_IN_PAST_* rules when more than one Resent-Date header is present - bug 5044: include local site config in sa-update lint checks - bug 5081: fix race condition in spamd preforking code that sometimes left one child process running after SIGHUPing spamd - bug 5076: unescape hash characters in the config - bug 5077: fix false SPF_SOFTFAIL's when SPF queries timeout - bug 5080: update RCVD_ILLEGAL_IP evaltest to properly deal with 127/8 - bug 5089: enable adding headers with single digit zero value - bug 5098: add support for ecelerity Received headers - bug 5101: fix a bug, introduced in 3.1.5, in mbx code - bug 5105: M::SA::Client doesn't always catch failed connection to spamd, fixed ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From matt at coders.co.uk Thu Oct 5 19:41:49 2006 
From: matt at coders.co.uk (Matt Hampton)
Date: Thu Oct 5 19:42:12 2006
Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.1.6 available!]
In-Reply-To: <1278.81.86.146.39.1160073216.squirrel@mail.solidstatelogic.com>
References: <1278.81.86.146.39.1160073216.squirrel@mail.solidstatelogic.com>
Message-ID: <452551ED.9050408@coders.co.uk>

Top posting on purpose:

There is a possible bug. It may just be with sa-learn but please wait
until it has been confirmed.

matt

martinh@solidstatelogic.com wrote:
> ---------------------------- Original Message ----------------------------
> Subject: ANNOUNCE: Apache SpamAssassin 3.1.6 available!
> From: "Daryl C. W. O'Shea" > Date: Thu, 5 October, 2006 6:56 pm > To: "SpamAssassin Users List" > "SpamAssassin Devel List" > "SpamAssassin Announcements List" > -------------------------------------------------------------------------- > > Apache SpamAssassin 3.1.6 is now available! This is a maintenance > release of the 3.1.x branch. > > Downloads are available from: > http://spamassassin.apache.org/downloads.cgi?update=200610050918 > > The release file will also be available via CPAN in the near future. > > md5sum of archive files: > > 1cf43cea76e30aec6983cdbfe2e08316 Mail-SpamAssassin-3.1.6.tar.bz2 > a0acc5e63a5e3401d039cd05cd189b96 Mail-SpamAssassin-3.1.6.tar.gz > aac75c43ef9a74df4c100e8a7e37a5fd Mail-SpamAssassin-3.1.6.zip > > sha1sum of archive files: > 16575633e60177733069c1681d6bf9528c076274 Mail-SpamAssassin-3.1.6.tar.bz2 > fbf7e7aac113313da3f7357260d1a295ff275eef Mail-SpamAssassin-3.1.6.tar.gz > 779ea2f5174de766405bdaa6d378ed6e7a749526 Mail-SpamAssassin-3.1.6.zip > > The release files also have a .asc accompanying them. The file serves > as an external GPG signature for the given release file. The signing > key is available via the wwwkeys.pgp.net key server, as well as > http://spamassassin.apache.org/released/GPG-SIGNING-KEY > > The key information is: > > pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key > > Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B > > 3.1.6 includes a large number of bug fixes and documentation updates. 
> Here is an abbreviated changelog (since 3.1.5) for major updates (see > the Changes file for a complete list): > > - bug 4940: fixes to bug in date handling affecting DATE_IN_FUTURE_* > and DATE_IN_PAST_* rules when more than one Resent-Date header is > present > - bug 5044: include local site config in sa-update lint checks > - bug 5081: fix race condition in spamd preforking code that sometimes > left one child process running after SIGHUPing spamd > - bug 5076: unescape hash characters in the config > - bug 5077: fix false SPF_SOFTFAIL's when SPF queries timeout > - bug 5080: update RCVD_ILLEGAL_IP evaltest to properly deal with 127/8 > - bug 5089: enable adding headers with single digit zero value > - bug 5098: add support for ecelerity Received headers > - bug 5101: fix a bug, introduced in 3.1.5, in mbx code > - bug 5105: M::SA::Client doesn't always catch failed connection to > spamd, fixed > > > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > From matt at coders.co.uk Thu Oct 5 20:41:34 2006 
From: matt at coders.co.uk (Matt Hampton)
Date: Thu Oct 5 20:42:02 2006
Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.1.6 available!]
In-Reply-To: <452551ED.9050408@coders.co.uk>
References: <1278.81.86.146.39.1160073216.squirrel@mail.solidstatelogic.com> <452551ED.9050408@coders.co.uk>
Message-ID: <45255FEE.9050900@coders.co.uk>

Matt Hampton wrote:
> Top posting on purpose:
>
> There is a possible bug. It may just be with sa-learn but please wait
> until it has been confirmed.
>
> matt

(I am pretending to be a postfix user*)

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5118

Basically the sa-update doesn't load any network test modules so if you redefine any scores that relate to network tests the lint will fail.

Easiest way to get around this is to move the .cf causing the issue to .cf.old and then run sa-update.

This means that you are screwed if you use sa-update for any updates as you will need to automate this process

matt

* replying to my own post!

>
> martinh@solidstatelogic.com wrote:
>> ---------------------------- Original Message ----------------------------
>> Subject: ANNOUNCE: Apache SpamAssassin 3.1.6 available!
>> From: "Daryl C. W. O'Shea" >> Date: Thu, 5 October, 2006 6:56 pm >> To: "SpamAssassin Users List" >> "SpamAssassin Devel List" >> "SpamAssassin Announcements List" >> -------------------------------------------------------------------------- >> >> Apache SpamAssassin 3.1.6 is now available! This is a maintenance >> release of the 3.1.x branch. >> >> Downloads are available from: >> http://spamassassin.apache.org/downloads.cgi?update=200610050918 >> >> The release file will also be available via CPAN in the near future. >> >> md5sum of archive files: >> >> 1cf43cea76e30aec6983cdbfe2e08316 Mail-SpamAssassin-3.1.6.tar.bz2 >> a0acc5e63a5e3401d039cd05cd189b96 Mail-SpamAssassin-3.1.6.tar.gz >> aac75c43ef9a74df4c100e8a7e37a5fd Mail-SpamAssassin-3.1.6.zip >> >> sha1sum of archive files: >> 16575633e60177733069c1681d6bf9528c076274 Mail-SpamAssassin-3.1.6.tar.bz2 >> fbf7e7aac113313da3f7357260d1a295ff275eef Mail-SpamAssassin-3.1.6.tar.gz >> 779ea2f5174de766405bdaa6d378ed6e7a749526 Mail-SpamAssassin-3.1.6.zip >> >> The release files also have a .asc accompanying them. The file serves >> as an external GPG signature for the given release file. The signing >> key is available via the wwwkeys.pgp.net key server, as well as >> http://spamassassin.apache.org/released/GPG-SIGNING-KEY >> >> The key information is: >> >> pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key >> >> Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B >> >> 3.1.6 includes a large number of bug fixes and documentation updates. 
>> Here is an abbreviated changelog (since 3.1.5) for major updates (see >> the Changes file for a complete list): >> >> - bug 4940: fixes to bug in date handling affecting DATE_IN_FUTURE_* >> and DATE_IN_PAST_* rules when more than one Resent-Date header is >> present >> - bug 5044: include local site config in sa-update lint checks >> - bug 5081: fix race condition in spamd preforking code that sometimes >> left one child process running after SIGHUPing spamd >> - bug 5076: unescape hash characters in the config >> - bug 5077: fix false SPF_SOFTFAIL's when SPF queries timeout >> - bug 5080: update RCVD_ILLEGAL_IP evaltest to properly deal with 127/8 >> - bug 5089: enable adding headers with single digit zero value >> - bug 5098: add support for ecelerity Received headers >> - bug 5101: fix a bug, introduced in 3.1.5, in mbx code >> - bug 5105: M::SA::Client doesn't always catch failed connection to >> spamd, fixed >> >> >> >> >> ********************************************************************** >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the system manager. >> >> This footnote confirms that this email message has been swept >> for the presence of computer viruses and is believed to be clean. >> >> ********************************************************************** >> > From ugob at camo-route.com Fri Oct 6 00:02:36 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Oct 6 00:03:48 2006 Subject: OT: MailScanner-MRTG config In-Reply-To: <45237146.5020600@ecs.soton.ac.uk> References: <45237146.5020600@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I just installed it from RPM and I get the error message: > > You are seeing this message because your apache install is not > configured correctly for MailScanner-MRTG. > Please ensure that mod_include is loaded by apache > > I have a stock RHEL4 install, which appears to have mod_include loaded > by default, so why isn't it working? I never bothered about this error message and always got the output I wanted. I took a look at it and, well, I guess it may be why it is still beta (0.11). Best bet would be to ask Kevin Spicer http://sourceforge.net/users/kevinspicer/ > > Never did understand Apache installs, too damn complicated by half. > > Thanks folks! > > Jules > > - -- From garry at glendown.de Fri Oct 6 05:53:40 2006 
From: garry at glendown.de (Garry Glendown) Date: Fri Oct 6 05:53:43 2006 Subject: MS and SA diuffer Message-ID: <4525E154.5040007@glendown.de> Hi, I've just set up FuzzyOCR to take care of the Image spam that has increased recently ... after still receiving untagged stock spam, I've checked into the scores and stuff and noticed on a test message, that MS has a lot less rule hits (and therefore less score points) than when calling spamassassin directly ... Here's what I got originally from MS: X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=3.905, benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50) whereas the -t run from SA resulted in: X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99, FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE, MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no MailScanner.conf points to the right SA directory (/etc/mail/spamassassin), there ARE image spams that get tagged with the OCR-tags, so I don't really get it why the scoring differs this much ... also with the Bayes score ... none on MS, 99 on SA ... !? I'm still running MS 4.50, SA is 3.1.5 ... Any idea where I could look for the cause of this? Tnx! From MailScanner at ecs.soton.ac.uk Fri Oct 6 08:48:58 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Oct 6 08:49:19 2006 Subject: SOLVED OT: MailScanner-MRTG config In-Reply-To: References: <45237146.5020600@ecs.soton.ac.uk> Message-ID: <45260A6A.1000604@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In /etc/httpd/conf.d/mrtg.conf, add this at the end: AllowOverride Options then restart httpd. Ugo Bellavance wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I just installed it from RPM and I get the error message: >> >> You are seeing this message because your apache install is not >> configured correctly for MailScanner-MRTG. >> Please ensure that mod_include is loaded by apache >> >> I have a stock RHEL4 install, which appears to have mod_include >> loaded by default, so why isn't it working? > > I never bothered about this error message and always got the output I > wanted. > > I took a look at it and, well, I guess it may be why it is still beta > (0.11). > > Best bet would be to ask Kevin Spicer > http://sourceforge.net/users/kevinspicer/ > > >> >> Never did understand Apache installs, too damn complicated by half. >> >> Thanks folks! >> >> Jules >> >> - -- > > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFJgprEfZZRxQVtlQRAuDgAKDbr37BtD0448+YAHR7shSMo5gW1ACgiTMs rAP493xm36mxc+lfgnaO0aA= =FWIU -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From edward.prendergast at netring.co.uk Fri Oct 6 09:11:09 2006 From: edward.prendergast at netring.co.uk (Edward Prendergast) Date: Fri Oct 6 09:11:17 2006 Subject: OT: Logwatch Update In-Reply-To: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com> Message-ID: <200610060811.k968BFcb017566@bkserver.blacknight.ie> I get these messages repeated hundreds of times in my LogWatch reports:
1GVRKT-0002IV-7z: Logged to MailWatch SQL : 1 Time(s)
1GVSrS-00008K-Ef: Logged to MailWatch SQL : 1 Time(s)
1GVFvt-0003Oj-T1: Logged to MailWatch SQL : 1 Time(s)
1GVV4N-0001DB-Uh: Logged to MailWatch SQL : 1 Time(s)
1GVU8t-0005a5-Bu: Logged to MailWatch SQL : 1 Time(s)
1GVN7O-0003MO-P7: Logged to MailWatch SQL : 1 Time(s)
1GVayX-0000O6-2t: Logged to MailWatch SQL : 1 Time(s)
Does anybody else get this problem & know of a resolution? Sorry for the off-topic post - I just thought being as how we all use MailScanner and some of us use MailWatch that you'd be the best people to ask. From prandal at herefordshire.gov.uk Fri Oct 6 12:02:29 2006 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Oct 6 12:09:44 2006 Subject: Bug in "Max Spamassassin Size" parameter parsing - MailScanner 4. 56.7-2 Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580FC69943@isabella.herefordshire.gov.uk> I'd set

    Max Spamassassin Size = 40k

and spamassassin was only scoring on headers, and hitting my L_MISSING_BODY rule.

    # must use 'rawbody' as 'body' also includes Subject: header text
    # see if message rawbody contains at least -one- non-blank character
    rawbody __MSG_RAW_EXISTS /\S/
    # Nope, declare the message to be missing the body
    meta L_MISSING_BODY ! __MSG_RAW_EXISTS
    describe L_MISSING_BODY Message body empty
    score L_MISSING_BODY 0.5

Changing it to

    Max Spamassassin Size = 40000

fixes the problem. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK From ms-list at alexb.ch Fri Oct 6 12:23:56 2006 
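Added example, not part of any list message and not MailScanner's own code: a small audit for the workaround in the bug report above, which finds "Max SpamAssassin Size" settings written with a unit suffix and rewrites them as plain byte counts. The multipliers (k = 1000, as in the report's 40k to 40000), the loose matching of option names, the 1000-byte floor and the sample configuration are assumptions.

```python
import re

# Option from the bug report, compared case-insensitively and ignoring
# spaces (assumption about how option names are matched).
OPTION = "maxspamassassinsize"

# Multipliers are an assumption taken from the report (40k -> 40000).
SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

# Hypothetical floor: below this SpamAssassin sees little beyond the headers.
MIN_USEFUL_BYTES = 1_000

# indent, option name, " = ", value, optional trailing comment
SETTING = re.compile(r"^(\s*)([^#=]+?)(\s*=\s*)([^#]*?)(\s*(?:#.*)?)$")
SIZE = re.compile(r"^(\d+)([kmg]?)$", re.IGNORECASE)

# Constructed sample, not a real MailScanner.conf.
SAMPLE_CONF = """\
# constructed sample
Use SpamAssassin = yes
Max Spamassassin Size = 40k
#Max SpamAssassin Size = 30000
max spamassassin size = 200   # too small
"""


def normalise(name):
    """Lower-case an option name and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit(conf_text):
    """Return (line number, raw value, status, bytes) for each active setting."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = SETTING.match(line)
        if not m or normalise(m.group(2)) != OPTION:
            continue
        value = m.group(4)
        size = SIZE.match(value)
        if not size:
            findings.append((lineno, value, "unparsed", None))
            continue
        suffix = size.group(2).lower()
        nbytes = int(size.group(1)) * SUFFIX.get(suffix, 1)
        if suffix:
            status = "suffix"        # the form the report says was misparsed
        elif nbytes < MIN_USEFUL_BYTES:
            status = "too-small"
        else:
            status = "ok"
        findings.append((lineno, value, status, nbytes))
    return findings


def rewrite(conf_text):
    """Expand suffixed values to plain byte counts, leaving all else as is."""
    out = []
    for line in conf_text.splitlines():
        m = SETTING.match(line)
        size = None
        if m and normalise(m.group(2)) == OPTION:
            size = SIZE.match(m.group(4))
        if size and size.group(2):
            nbytes = int(size.group(1)) * SUFFIX[size.group(2).lower()]
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{nbytes}{m.group(5)}"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
    print(rewrite(SAMPLE_CONF))
```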
From: ms-list at alexb.ch (Alex Broens) Date: Fri Oct 6 12:24:09 2006 Subject: MS and SA diuffer In-Reply-To: <4525E154.5040007@glendown.de> References: <4525E154.5040007@glendown.de> Message-ID: <45263CCC.6050008@alexb.ch> On 10/6/2006 6:53 AM, Garry Glendown wrote: > Hi, > > I've just set up FuzzyOCR to take care of the Image spam that has > increased recently ... after still receiving untagged stock spam, I've > checked into the scores and stuff and noticed on a test message, that MS > has a lot less rule hits (and therefore less score points) than when > calling spamassassin directly ... > > Here's what I got originally from MS: > > X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=3.905, > benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05, > HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50) > > whereas the -t run from SA resulted in: > > X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99, > FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE, > MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no > > MailScanner.conf points to the right SA directory > (/etc/mail/spamassassin), there ARE image spams that get tagged with the > OCR-tags, so I don't really get it why the scoring differs this much ... > also with the Bayes score ... none on MS, 99 on SA ... !? > > I'm still running MS 4.50, SA is 3.1.5 ... > > Any idea where I could look for the cause of this? I know I'll be tarred & feathered by this comment (once again): I'd bet it's because MS only sent part of the whole msg thru SA and cutoff too early & missed the attached images. You may have to increase the value in "Max SpamAssassin Size" to catch them. Alex From a.peacock at chime.ucl.ac.uk Fri Oct 6 12:37:00 2006 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Oct 6 12:37:29 2006 Subject: MS and SA diuffer In-Reply-To: <45263CCC.6050008@alexb.ch> References: <4525E154.5040007@glendown.de> <45263CCC.6050008@alexb.ch> Message-ID: <45263FDC.8060301@chime.ucl.ac.uk> Hi Alex, Alex Broens wrote: > On 10/6/2006 6:53 AM, Garry Glendown wrote: >> Hi, >> >> I've just set up FuzzyOCR to take care of the Image spam that has >> increased recently ... after still receiving untagged stock spam, I've >> checked into the scores and stuff and noticed on a test message, that MS >> has a lot less rule hits (and therefore less score points) than when >> calling spamassassin directly ... >> >> Here's what I got originally from MS: >> >> X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=3.905, >> benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05, >> HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50) >> >> whereas the -t run from SA resulted in: >> >> X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99, >> FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE, >> MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no >> >> MailScanner.conf points to the right SA directory >> (/etc/mail/spamassassin), there ARE image spams that get tagged with the >> OCR-tags, so I don't really get it why the scoring differs this much ... >> also with the Bayes score ... none on MS, 99 on SA ... !? >> >> I'm still running MS 4.50, SA is 3.1.5 ... >> >> Any idea where I could look for the cause of this? > > I know I'l be tarred & feathered by this comment (once again): > > I'd bet its because MS only sent part of the whole msg thru SA and > cutoff too early & missed the attached images. > > You may have to increase the value in "Max SpamAssassin Size" to catch > them. > > Alex No tar and feathers, but I do think that you are wrong in your assumption in this case. 
:-) There are lots of rules different between the two tests that can't be explained by a truncated message being passed to SA. AWL, BAYES, RCVD_ tests for instance. To me this suggests that the SpamAssassin tests were run as a different user than the user that MailScanner runs as. So it picks up the BAYES databases and the AWL databases. It might also be that some tests are being disabled in the MS setup. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From ms-list at alexb.ch Fri Oct 6 14:01:33 2006 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Oct 6 14:01:39 2006 Subject: MS and SA diuffer In-Reply-To: <45263FDC.8060301@chime.ucl.ac.uk> References: <4525E154.5040007@glendown.de> <45263CCC.6050008@alexb.ch> <45263FDC.8060301@chime.ucl.ac.uk> Message-ID: <452653AD.8070101@alexb.ch> On 10/6/2006 1:37 PM, Anthony Peacock wrote: > Hi Alex, > > Alex Broens wrote: >> On 10/6/2006 6:53 AM, Garry Glendown wrote: >>> Hi, >>> >>> I've just set up FuzzyOCR to take care of the Image spam that has >>> increased recently ... after still receiving untagged stock spam, I've >>> checked into the scores and stuff and noticed on a test message, that MS >>> has a lot less rule hits (and therefore less score points) than when >>> calling spamassassin directly ... >>> >>> Here's what I got originally from MS: >>> >>> X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=3.905, >>> benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05, >>> HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50) >>> >>> whereas the -t run from SA resulted in: >>> >>> X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99, >>> FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE, >>> MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no >>> >>> MailScanner.conf points to the right SA directory >>> (/etc/mail/spamassassin), there ARE image spams that get tagged with the >>> OCR-tags, so I don't really get it why the scoring differs this much ... >>> also with the Bayes score ... none on MS, 99 on SA ... !? >>> >>> I'm still running MS 4.50, SA is 3.1.5 ... >>> >>> Any idea where I could look for the cause of this? >> >> I know I'l be tarred & feathered by this comment (once again): >> >> I'd bet its because MS only sent part of the whole msg thru SA and >> cutoff too early & missed the attached images. >> >> You may have to increase the value in "Max SpamAssassin Size" to catch >> them. 
>> >> Alex > > No tar and feathers, but I do think that you are wrong in your > assumption in this case. :-) > > > There are lots of rules different between the two tests that can't be > explained by a truncated message being passed to SA. > > AWL, BAYES, RCVD_ tests for instance. > > To me this suggests that the SpamAssassin tests were run as a different > user than the user that MailScanner runs as. So it picks up the BAYES > databases and the AWL databases. It might also be that some tests are > being disabled in the MS setup. yes but: Garry asked about the missing OCR hit. SARE_GIF_ATTACH is a full rule which probably wasn't parsed due to a cutoff and the missing FUZZY_OCR score points in the same direction... and some messages are indeed scored by OCR, while other are... and if he has AWL switched off in MS, passing SA thru the command line without -C filename will ignore that setting and send msg thru AWL or it could also be a bad FUZZY_OCR install, but that I really doubt. Alex From a.peacock at chime.ucl.ac.uk Fri Oct 6 14:09:54 2006 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Oct 6 14:10:12 2006 Subject: MS and SA diuffer In-Reply-To: <452653AD.8070101@alexb.ch> References: <4525E154.5040007@glendown.de> <45263CCC.6050008@alexb.ch> <45263FDC.8060301@chime.ucl.ac.uk> <452653AD.8070101@alexb.ch> Message-ID: <452655A2.4000500@chime.ucl.ac.uk> Alex Broens wrote: > On 10/6/2006 1:37 PM, Anthony Peacock wrote: >> Hi Alex, >> >> Alex Broens wrote: >>> On 10/6/2006 6:53 AM, Garry Glendown wrote: >>>> Hi, >>>> >>>> I've just set up FuzzyOCR to take care of the Image spam that has >>>> increased recently ... after still receiving untagged stock spam, I've >>>> checked into the scores and stuff and noticed on a test message, >>>> that MS >>>> has a lot less rule hits (and therefore less score points) than when >>>> calling spamassassin directly ... >>>> >>>> Here's what I got originally from MS: >>>> >>>> X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin >>>> (Wertung=3.905, >>>> benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05, >>>> HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50) >>>> >>>> whereas the -t run from SA resulted in: >>>> >>>> X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99, >>>> FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE, >>>> MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no >>>> >>>> MailScanner.conf points to the right SA directory >>>> (/etc/mail/spamassassin), there ARE image spams that get tagged with >>>> the >>>> OCR-tags, so I don't really get it why the scoring differs this much >>>> ... >>>> also with the Bayes score ... none on MS, 99 on SA ... !? >>>> >>>> I'm still running MS 4.50, SA is 3.1.5 ... >>>> >>>> Any idea where I could look for the cause of this? >>> >>> I know I'l be tarred & feathered by this comment (once again): >>> >>> I'd bet its because MS only sent part of the whole msg thru SA and >>> cutoff too early & missed the attached images. 
>>> >>> You may have to increase the value in "Max SpamAssassin Size" to >>> catch them. >>> >>> Alex >> >> No tar and feathers, but I do think that you are wrong in your >> assumption in this case. :-) >> >> >> There are lots of rules different between the two tests that can't be >> explained by a truncated message being passed to SA. >> >> AWL, BAYES, RCVD_ tests for instance. >> >> To me this suggests that the SpamAssassin tests were run as a >> different user than the user that MailScanner runs as. So it picks up >> the BAYES databases and the AWL databases. It might also be that some >> tests are being disabled in the MS setup. > > yes but: Garry asked about the missing OCR hit. SARE_GIF_ATTACH is a > full rule which probably wasn't parsed due to a cutoff and the missing > FUZZY_OCR score points in the same direction... > > and some messages are indeed scored by OCR, while other are... > > > and if he has AWL switched off in MS, passing SA thru the command line > without -C filename will ignore that setting and send msg thru AWL > > or it could also be a bad FUZZY_OCR install, but that I really doubt. > > Alex Without more information from the OP both theories are possible. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From prandal at herefordshire.gov.uk Fri Oct 6 14:05:58 2006 
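Added example, not part of any list message: a way to test the two theories in the "MS and SA diuffer" thread by diffing the rule hits in the two headers Garry posted and grouping the rules missing from the MailScanner run by what they depend on. The category table is an assumption drawn from the replies (AWL and Bayes need per-user databases, RCVD_ rules read headers only, SARE_GIF_ATTACH and FUZZY_OCR need the attachment).

```python
import re

# The two headers quoted in the thread, with folded lines joined by spaces.
MS_HEADER = (
    "X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=3.905, "
    "benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05, "
    "HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50)"
)
SA_HEADER = (
    "X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99, "
    "FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE, "
    "MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no"
)

# Assumed grouping, following the arguments made in the replies.
CATEGORIES = [
    ("per-user state", re.compile(r"^(AWL|BAYES_\d+)$")),
    ("attachment/full-message", re.compile(r"^(FUZZY_OCR|SARE_GIF_ATTACH)$")),
    ("header", re.compile(r"^(FORGED_)?RCVD_")),
]


def parse_mailscanner(header):
    """Return {rule: score} from a MailScanner SpamCheck header.

    Only "RULE_NAME number" items count, so localised labels such as
    "Wertung=3.905" and "benoetigt 5" are skipped.
    """
    inner = re.search(r"\((.*)\)", header, re.S)
    hits = {}
    for item in (inner.group(1).split(",") if inner else []):
        m = re.fullmatch(r"\s*([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)\s*", item)
        if m:
            hits[m.group(1)] = float(m.group(2))
    return hits


def parse_spam_status(header):
    """Return the set of rule names in the tests= field of X-Spam-Status."""
    m = re.search(r"tests=(.*?)(?:\s+\w+=|\s*$)", header, re.S)
    if not m:
        return set()
    return {t.strip() for t in m.group(1).split(",") if t.strip()} - {"none"}


def categorise(rule):
    for label, pattern in CATEGORIES:
        if pattern.search(rule):
            return label
    return "other"


def missing_by_category(ms_header, sa_header):
    """Group the rules the direct SA run hit but the MailScanner run did not."""
    missing = parse_spam_status(sa_header) - set(parse_mailscanner(ms_header))
    grouped = {}
    for rule in sorted(missing):
        grouped.setdefault(categorise(rule), []).append(rule)
    return grouped


def supported_theories(grouped):
    """Name the explanations from the thread that the missing rules support."""
    found = []
    if "per-user state" in grouped or "header" in grouped:
        # Truncating the body cannot remove Bayes, AWL or header rule hits.
        found.append("different user or configuration")
    if "attachment/full-message" in grouped:
        found.append("body truncated before the attachment")
    return found


if __name__ == "__main__":
    groups = missing_by_category(MS_HEADER, SA_HEADER)
    for label, rules in groups.items():
        print(f"{label}: {', '.join(rules)}")
    print("supported:", "; ".join(supported_theories(groups)))
```

On the posted headers both explanations find support, so the next checks are which user and configuration the direct run used and what "Max SpamAssassin Size" is set to.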
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Oct 6 14:17:05 2006 Subject: MS and SA diuffer Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580FC699C7@isabella.herefordshire.gov.uk> It was this sort of problem which led me to find the bug I reported earlier. If you have Max Spamassassin Size = nnk (e.g. 40k) change it to Max Spamassassin Size = nn000 (e.g. 40000) and see if that helps. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Anthony Peacock > Sent: 06 October 2006 12:37 > To: MailScanner discussion > Subject: Re: MS and SA diuffer > > Hi Alex, > > Alex Broens wrote: > > On 10/6/2006 6:53 AM, Garry Glendown wrote: > >> Hi, > >> > >> I've just set up FuzzyOCR to take care of the Image spam that has > >> increased recently ... after still receiving untagged > stock spam, I've > >> checked into the scores and stuff and noticed on a test > message, that MS > >> has a lot less rule hits (and therefore less score points) > than when > >> calling spamassassin directly ... > >> > >> Here's what I got originally from MS: > >> > >> X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin > (Wertung=3.905, > >> benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05, > >> HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50) > >> > >> whereas the -t run from SA resulted in: > >> > >> X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99, > >> > FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE, > >> MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH > autolearn=no > >> > >> MailScanner.conf points to the right SA directory > >> (/etc/mail/spamassassin), there ARE image spams that get > tagged with the > >> OCR-tags, so I don't really get it why the scoring differs > this much ... > >> also with the Bayes score ... none on MS, 99 on SA ... !? > >> > >> I'm still running MS 4.50, SA is 3.1.5 ... > >> > >> Any idea where I could look for the cause of this? > > > > I know I'l be tarred & feathered by this comment (once again): > > > > I'd bet its because MS only sent part of the whole msg thru SA and > > cutoff too early & missed the attached images. > > > > You may have to increase the value in "Max SpamAssassin > Size" to catch > > them. > > > > Alex > > No tar and feathers, but I do think that you are wrong in your > assumption in this case. 
:-) > > > There are lots of rules different between the two tests that can't be > explained by a truncated message being passed to SA. > > AWL, BAYES, RCVD_ tests for instance. > > To me this suggests that the SpamAssassin tests were run as a > different > user than the user that MailScanner runs as. So it picks up > the BAYES > databases and the AWL databases. It might also be that some > tests are > being disabled in the MS setup. > > > -- > Anthony Peacock > CHIME, Royal Free & University College Medical School > WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > "If you have an apple and I have an apple and we exchange apples > then you and I will still each have one apple. But if you have an > idea and I have an idea and we exchange these ideas, then each of us > will have two ideas." -- George Bernard Shaw > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From bpumphrey at woodmclaw.com Fri Oct 6 14:28:08 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Fri Oct 6 14:28:12 2006 Subject: OT: Scanning outgoing mail In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501729732@woodenex.woodmaclaw.local> Message-ID: <04D932B0071FE34FA63EBB1977B48D150172978C@woodenex.woodmaclaw.local> Will someone point me in the general direction of what needs to be done to scan outgoing mail? I do not really know what to do. I use MailScanner as a gateway to exchange. I am guessing that I need for exchange to send the email to MailScanner and from MailScanner to the internet? Would MailScanner use the same SMTP sendmail to send out the mail? Thank you Billy Pumphrey IT Manager Wooden & McLaughlin From martinh at solidstatelogic.com Fri Oct 6 14:38:40 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Oct 6 14:38:57 2006 Subject: OT: Scanning outgoing mail In-Reply-To: <04D932B0071FE34FA63EBB1977B48D150172978C@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D150172978C@woodenex.woodmaclaw.local> Message-ID: <45265C60.9040309@solidstatelogic.com> Billy A. Pumphrey wrote: > Will someone point me in the general direction of what needs to be done > to scan outgoing mail? I do not really know what to do. > > I use MailScanner as a gateway to exchange. I am guessing that I need > for exchange to send the email to MailScanner and from MailScanner to > the internet? > > Would MailScanner use the same SMTP sendmail to send out the mail? > Thank you > > Billy Pumphrey > IT Manager > Wooden & McLaughlin Billy yes - assuming on the 'outbound' (post mailScanner) sendmail queue you're forcing to the MS-exch, but using DNS to route the email. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From prandal at herefordshire.gov.uk Fri Oct 6 14:35:54 2006 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Oct 6 14:39:46 2006 Subject: Scanning outgoing mail Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580FC699EF@isabella.herefordshire.gov.uk> Yes, Just forward all emails from exchange to your MailScanner box. Make sure your firewall rules allow the MailScanner box to talk SMTP to the outside world, and you're all set. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Billy A. Pumphrey > Sent: 06 October 2006 14:28 > To: MailScanner discussion > Subject: OT: Scanning outgoing mail > > Will someone point me in the general direction of what needs > to be done > to scan outgoing mail? I do not really know what to do. > > I use MailScanner as a gateway to exchange. I am guessing that I need > for exchange to send the email to MailScanner and from MailScanner to > the internet? > > Would MailScanner use the same SMTP sendmail to send out the mail? > Thank you > > Billy Pumphrey > IT Manager > Wooden & McLaughlin > From bpumphrey at woodmclaw.com Fri Oct 6 16:26:55 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Fri Oct 6 16:26:59 2006 Subject: OT: Scanning outgoing mail In-Reply-To: <45265C60.9040309@solidstatelogic.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501729797@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth > Sent: Friday, October 06, 2006 9:39 AM > To: MailScanner discussion > Subject: Re: OT: Scanning outgoing mail > > Billy A. Pumphrey wrote: > > Will someone point me in the general direction of what needs to be done > > to scan outgoing mail? I do not really know what to do. > > > > I use MailScanner as a gateway to exchange. I am guessing that I need > > for exchange to send the email to MailScanner and from MailScanner to > > the internet? > > > > Would MailScanner use the same SMTP sendmail to send out the mail? > > Thank you > > > > Billy Pumphrey > > IT Manager > > Wooden & McLaughlin > Billy > > yes - assuming on the 'outbound' (post mailScanner) sendmail queue > you're forcinng to the MS-exch, but using DNS to route the email. > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > Does mailwatch log these messages too? If so how do these entries show up simply as:
From                     To                       Subject
Internal email address   External email address   outgoing email
For you exchange admins: I could research it, but to save time is someone willing to answer this question if you know it quickly. How do you forward exchange emails to the mailscanner machine. What settings on the MailScanner machine do you have to make for it to accept them, any? 
I am sorry for so many questions, but I have not seen this covered. From martinh at solidstatelogic.com Fri Oct 6 16:35:52 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Oct 6 16:36:03 2006 Subject: OT: Scanning outgoing mail In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501729797@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501729797@woodenex.woodmaclaw.local> Message-ID: <452677D8.9000708@solidstatelogic.com> Billy A. Pumphrey wrote: >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth >> Sent: Friday, October 06, 2006 9:39 AM >> To: MailScanner discussion >> Subject: Re: OT: Scanning outgoing mail >> >> Billy A. Pumphrey wrote: >>> Will someone point me in the general direction of what needs to be > done >>> to scan outgoing mail? I do not really know what to do. >>> >>> I use MailScanner as a gateway to exchange. I am guessing that I > need >>> for exchange to send the email to MailScanner and from MailScanner > to >>> the internet? >>> >>> Would MailScanner use the same SMTP sendmail to send out the mail? >>> Thank you >>> >>> Billy Pumphrey >>> IT Manager >>> Wooden & McLaughlin >> Billy >> >> yes - assuming on the 'outbound' (post mailScanner) sendmail queue >> you're forcinng to the MS-exch, but using DNS to route the email. >> >> -- >> Martin Hepworth >> Senior Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> ********************************************************************** >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the system manager. >> >> This footnote confirms that this email message has been swept >> for the presence of computer viruses and is believed to be clean. >> >> ********************************************************************** >> > > Does mailwatch log these messages too? If so how do these entries show > up simply as: > From To > Subject > Internal email address External email address outgoing > email > > For you exchange admins: > I could research it, but to save time is someone willing to answer this > question if you know it quickly. > How do you foward exchange emails to the mailscanner machine. 
> > What settings on the MailScanner machine do you have to make for it to > accept them, any? > > I am sorry for so many questions, but I have not seen this covered. Why wouldn't it - it's passing through MS so it should get logged to MW. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From Kevin_Miller at ci.juneau.ak.us Fri Oct 6 16:40:24 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Oct 6 16:40:28 2006
Subject: OT: Scanning outgoing mail
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501729797@woodenex.woodmaclaw.local>
Message-ID:

Billy A. Pumphrey wrote:
> Does mailwatch log these messages too? If so how do these entries
> show up simply as:
> From                      To                        Subject
> Internal email address    External email address    outgoing email
>
> For you exchange admins:
> I could research it, but to save time is someone willing to answer
> this question if you know it quickly.
> How do you forward exchange emails to the mailscanner machine.
>
> What settings on the MailScanner machine do you have to make for it to
> accept them, any?
>
> I am sorry for so many questions, but I have not seen this covered.

System Manager
1. Administrative group
2. First Administrative group (or whichever one you are dealing with - I only have the one)
3. Routing Group, First Routing Group (again, you may have others), Connectors
4. Pick your connector. Probably called Internet or something like that.
5. Right click, properties
6. Select 'Forward all mail through this connector to the following smart hosts', enter the hostname or IP. If you enter the IP, put it in brackets, ex: [192.168.1.1]

All your outbound mail will be sent to your MailScanner box. I didn't have to make any changes on my MailScanner gateway - it treated it like any other email. I'm using sendmail, btw. You will have to have your gateway MTA set to allow relays either from your internal subnet, or at least the Exchange machine. You don't want to open up the box to any relay of course.

Logging will look like what you currently have for logging on the gateway. Mail from Exchange will land in mqueue.in, be scanned (unless you whitelist it which is probably a good idea performance wise), be processed, then moved to mqueue where it will be delivered to the remote address somewhere in internetland...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From matt at coders.co.uk Fri Oct 6 16:44:39 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Oct 6 16:44:59 2006
Subject: OT: Scanning outgoing mail
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501729797@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D1501729797@woodenex.woodmaclaw.local>
Message-ID: <452679E7.4080303@coders.co.uk>

> Does mailwatch log these messages too? If so how do these entries show
> up simply as:
> From                      To                        Subject
> Internal email address    External email address

Sort of - MailWatch doesn't know the difference between internal and externally sourced mail. It will just show up exactly the same as your existing mail.

>
> For you exchange admins:
> I could research it, but to save time is someone willing to answer this
> question if you know it quickly.
> How do you forward exchange emails to the mailscanner machine.

You're looking for the SmartHost

http://www.amset.info/exchange/smtp-connector.asp gives you a step by step

>
> What settings on the MailScanner machine do you have to make for it to
> accept them, any?

In your accessmap you will need to allow your Exchange server to relay.

XX.YY.AA.BB RELAY

(obviously that assumes you have sendmail)

>
> I am sorry for so many questions, but I have not seen this covered.

matt

From ccampbell at brueggers.com Fri Oct 6 16:47:54 2006
From: ccampbell at brueggers.com (Christian Campbell)
Date: Fri Oct 6 17:02:34 2006
Subject: OT: Scanning outgoing mail
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501729797@woodenex.woodmaclaw.local>
Message-ID:

> > Billy A. Pumphrey wrote:
> > > Will someone point me in the general direction of what needs to be done
> > > to scan outgoing mail? I do not really know what to do.
> > >
> > > I use MailScanner as a gateway to exchange. I am guessing that I need
> > > for exchange to send the email to MailScanner and from MailScanner to
> > > the internet?
> > >
> > > Would MailScanner use the same SMTP sendmail to send out the mail?
> > > Thank you
> >
> > yes - assuming on the 'outbound' (post mailScanner) sendmail queue
> > you're forcing to the MS-exch, but using DNS to route the email.
>
> For you exchange admins:
> I could research it, but to save time is someone willing to
> answer this question if you know it quickly.
> How do you forward exchange emails to the mailscanner machine.
>

For Exch 2003 open Exchange System Manager --> Administrative Groups --> Routing Groups --> (your domain) --> Connectors --> Internet Mail Service

Open properties. On general tab, select "Forward all mail through this connector to the following smart hosts" and enter the IP of your mailscanner box there. Do an "OK". Not sure if it requires a service restart or reboot.

Christian

Christian Campbell
Systems Engineer, Sair LCP, A+, Network+, i-Net+
Bruegger's Enterprises Inc.
Desk: 802-652-9270
Cell: 802-734-5023
Fax: 802-660-4034
Email: ccampbell at brueggers dot com
PGP Public Key available via PGP keyservers or http://www2.brueggers.com/pgp/ccampbell.html

"We all know Linux is great... it does infinite loops in 5 seconds."
--Linus Torvalds

From ssilva at sgvwater.com Fri Oct 6 18:58:07 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 6 18:58:47 2006
Subject: OT: Logwatch Update
In-Reply-To: <200610060811.k968BFcb017566@bkserver.blacknight.ie>
References: <001901c6e7a5$71e45f90$ed66a8c0@corporate.grantgeo.com> <200610060811.k968BFcb017566@bkserver.blacknight.ie>
Message-ID:

Edward Prendergast spake the following on 10/6/2006 1:11 AM:
> I get these messages repeated hundreds of times in my LogWatch reports:
>
> 1GVRKT-0002IV-7z: Logged to MailWatch SQL : 1 Time(s)
> 1GVSrS-00008K-Ef: Logged to MailWatch SQL : 1 Time(s)
> 1GVFvt-0003Oj-T1: Logged to MailWatch SQL : 1 Time(s)
> 1GVV4N-0001DB-Uh: Logged to MailWatch SQL : 1 Time(s)
> 1GVU8t-0005a5-Bu: Logged to MailWatch SQL : 1 Time(s)
> 1GVN7O-0003MO-P7: Logged to MailWatch SQL : 1 Time(s)
> 1GVayX-0000O6-2t: Logged to MailWatch SQL : 1 Time(s)
>
> Does anybody else get this problem & know of a resolution?
>
> Sorry for the off-topic post - I just thought being as how we all use
> MailScanner and some of us use MailWatch that you'd be the best people to
> ask.

Are you running the latest logwatch? I think it is 7.3.1. It seems that this went away when I upgraded. The logwatch site seems to be down right now, but you can probably find it around. I have an rpm, and maybe source floating around somewhere.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From brian.duncan at kattenlaw.com Fri Oct 6 19:17:52 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Fri Oct 6 19:17:57 2006
Subject: MS and SA diuffer
Message-ID: <65234743FE1555428435CE39E6AC4078B38A67@CHI-US-EXCH-01.us.kmz.com>

If you figure this out, please post back to the list as to why it is happening.

When I use either Imageinfo.pm or Fuzzyocr.pm with a .cf in the /etc/mail/spamassassin dir MailScanner seems to cause SpamAssassin to ignore these??

I JUST finished installing FuzzyOCR and all the accompanying tools to make it work on 2 different relays here. I never see any hits from test Spam messages I send from outside.

For the heck of it I also installed Imageinfo.pm and installed imageinfo.cf into my /etc/mail/spamassassin directory and the same results occurred. (more later on this)

Both servers are running:

spamassassin-3.1.4
mailscanner-4.54.6-1

A stock spam with inline gif processed through Mailscanner:

X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=5.55,
    required 6.5, MR_NOT_ATTRIBUTED_IP 0.10, RATWR10_MESSID 1.20,
    SARE_GIF_ATTACH 4.25)
X-MailScanner-SpamScore: sssss

Saved and processed locally on the SAME mail server with - cat test.txt | spamassassin -t

Content analysis details: (12.6 hits, 6.5 required)
 0.8 HTML_00_10          BODY: Message is 0% to 10% HTML
-2.6 BAYES_00            BODY: Bayesian spam probability is 0 to 1%
                         [score: 0.0000]
 0.0 HTML_MESSAGE        BODY: HTML included in message
 4.2 SARE_GIF_ATTACH     FULL: Email has a inline gif
 0.2 DNS_FROM_RFC_ABUSE  RBL: Envelope sender in abuse.rfc-ignorant.org
  10 FUZZY_OCR           BODY: Mail contains an image with common spam text inside
                         Words found:
                         "target" in 1 lines
                         "symbol" in 1 lines
                         "stock" in 1 lines
                         "price" in 1 lines
                         "company" in 1 lines
                         "breaking" in 1 lines
                         "banking" in 1 lines
                         "news" in 1 lines
                         (8 word occurrences found)

Appropriate output regarding Fuzzy_OCR from spamassassin -D --lint:

[30731] dbg: plugin: fixed relative path: /etc/mail/spamassassin/FuzzyOcr.pm
[30731] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm
[30731] dbg: plugin: registered FuzzyOcr=HASH(0xa4200b4)
[30731] dbg: plugin: FuzzyOcr=HASH(0xa4200b4) implements 'parse_config'
[30731] dbg: FuzzyOcr: Found scan: $gocr -i $pfile
[30731] dbg: FuzzyOcr: Found scan: $gocr -l 180 -d 2 -i $pfile
[30731] dbg: FuzzyOcr: Found scan: $gocr -l 140 -d 2 -i $pfile
[30731] dbg: plugin: FuzzyOcr=HASH(0xa4200b4) implements 'finish_parsing_end'
[30731] dbg: FuzzyOcr: Using giffix => /usr/bin/giffix
[30731] dbg: FuzzyOcr: Using giftext => /usr/bin/giftext
[30731] dbg: FuzzyOcr: Using gifinter => /usr/bin/gifinter
[30731] dbg: FuzzyOcr: Using giftopnm => /usr/bin/giftopnm
[30731] dbg: FuzzyOcr: Using jpegtopnm => /usr/bin/jpegtopnm
[30731] dbg: FuzzyOcr: Using pngtopnm => /usr/bin/pngtopnm
[30731] dbg: FuzzyOcr: Using bmptopnm => /usr/bin/bmptopnm
[30731] dbg: FuzzyOcr: Using ppmhist => /usr/bin/ppmhist
[30731] dbg: FuzzyOcr: Using gocr => /usr/bin/gocr
[30731] dbg: FuzzyOcr: Loaded <43> words from "/etc/mail/spamassassin/FuzzyOcr.words"
[30731] dbg: FuzzyOcr: Using scan: $gocr -i $pfile
[30731] dbg: FuzzyOcr: Using scan: $gocr -l 180 -d 2 -i $pfile
[30731] dbg: FuzzyOcr: Using scan: $gocr -l 140 -d 2 -i $pfile

I do NOT have anything set in Mailscanner.conf specific to SpamAssassin aside from site rules dir. Should I?

SpamAssassin Install Prefix =

SpamAssassin Site Rules Dir = /etc/mail/spamassassin

SpamAssassin Local Rules Dir =

SpamAssassin Local State Dir = # /var/lib

SpamAssassin Default Rules Dir =

Now with a different plugin loaded, ImageInfo.pm -

[2013] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from /etc/mail/spamassassin/ImageInfo.pm
[2013] dbg: plugin: registered Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95bdacc)

[2013] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from /etc/mail/spamassassin/ImageInfo.pm
[2013] dbg: plugin: registered Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95bdacc)

A stock spam with inline gif processed through Mailscanner:

X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=5.55,
    required 6.5, MR_NOT_ATTRIBUTED_IP 0.10, RATWR10_MESSID 1.20,
    SARE_GIF_ATTACH 4.25)
X-MailScanner-SpamScore: sssss

Saved and processed locally on the SAME mail server with - cat test.txt | spamassassin -t

Content analysis details: (11.1 hits, 6.5 required)
 0.8 HTML_00_10          BODY: Message is 0% to 10% HTML
-2.6 BAYES_00            BODY: Bayesian spam probability is 0 to 1%
                         [score: 0.0000]
 0.0 HTML_MESSAGE        BODY: HTML included in message
 5.5 DC_IMAGE001_GIF     BODY: Contains image named image001.gif
 4.2 SARE_GIF_ATTACH     FULL: Email has a inline gif
 0.2 DNS_FROM_RFC_ABUSE  RBL: Envelope sender in abuse.rfc-ignorant.org
 3.0 DC_GIF_UNO_LARGO    Message contains a single large inline gif

(imageinfo.cf had this specific rule I added JUST for the spam because I already knew the inline GIF was named DDT.gif)

# you can match by image name
body DC_IMAGE001_GIF eval:image_named('DDT.gif')
describe DC_IMAGE001_GIF Contains image named image001.gif
score DC_IMAGE001_GIF 5.50

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Garry Glendown
Sent: Thursday, October 05, 2006 11:54 PM
To: MailScanner discussion
Subject: MS and SA diuffer

Hi,

I've just set up FuzzyOCR to take care of the Image spam that has increased recently ... after still receiving untagged stock spam, I've checked into the scores and stuff and noticed on a test message, that MS has a lot less rule hits (and therefore less score points) than when calling spamassassin directly ...

Here's what I got originally from MS:

X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=3.905,
    benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05,
    HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50)

whereas the -t run from SA resulted in:

X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99,
    FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE,
    MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no

MailScanner.conf points to the right SA directory (/etc/mail/spamassassin), there ARE image spams that get tagged with the OCR-tags, so I don't really get it why the scoring differs this much ... also with the Bayes score ... none on MS, 99 on SA ... !?

I'm still running MS 4.50, SA is 3.1.5 ...

Any idea where I could look for the cause of this?

Tnx!

From bpumphrey at woodmclaw.com Fri Oct 6 19:45:11 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Fri Oct 6 19:45:27 2006
Subject: OT: Scanning outgoing mail
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D15017297A0@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Miller
> Sent: Friday, October 06, 2006 11:40 AM
> To: MailScanner discussion
> Subject: RE: OT: Scanning outgoing mail
>
> Billy A. Pumphrey wrote:
>
> > Does mailwatch log these messages too? If so how do these entries
> > show up simply as:
> > From                      To                        Subject
> > Internal email address    External email address    outgoing email
> >
> > For you exchange admins:
> > I could research it, but to save time is someone willing to answer
> > this question if you know it quickly.
> > How do you forward exchange emails to the mailscanner machine.
> >
> > What settings on the MailScanner machine do you have to make for it to
> > accept them, any?
> >
> > I am sorry for so many questions, but I have not seen this covered.
>
> System Manager
> 1. Administrative group
> 2. First Administrative group (or whichever one you are dealing with -
> I only have the one)
> 3. Routing Group, First Routing Group (again, you may have others),
> Connectors
> 4. Pick your connector. Probably called Internet or something like
> that.
> 5. Right click, properties
> 6. Select 'Forward all mail through this connector to the following
> smart hosts', enter the hostname or IP. If you enter the IP, put it in
> brackets, ex: [192.168.1.1]
>
> All your outbound mail will be sent to your MailScanner box. I didn't
> have to make any changes on my MailScanner gateway - it treated it like
> any other email. I'm using sendmail, btw. You will have to have your
> gateway MTA set to allow relays either from your internal subnet, or at
> least the Exchange machine. You don't want to open up the box to any
> relay of course.
>
> Logging will look like what you currently have for logging on the
> gateway. Mail from Exchange will land in mqueue.in, be scanned (unless
> you whitelist it which is probably a good idea performance wise), be
> processed, then moved to mqueue where it will be delivered to the remote
> address somewhere in internetland...
>
> ...Kevin
> --
> Kevin Miller                Registered Linux User No: 307357
> CBJ MIS Dept.               Network Systems Admin., Mail Admin.
> 155 South Seward Street     ph: (907) 586-0242
> Juneau, Alaska 99801        fax: (907) 586-4500
> --

You guys are so awesome! I have it set up now. I had to go ahead and edit the access file and add the exchange server as a relay. Also I had no connector there so I had to add a new one.

From MailScanner at ecs.soton.ac.uk Fri Oct 6 21:21:43 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Oct 6 21:21:55 2006
Subject: Bug in "Max Spamassassin Size" parameter parsing - MailScanner 4. 56.7-2
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580FC69943@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580FC69943@isabella.herefordshire.gov.uk>
Message-ID: <4526BAD7.6060906@ecs.soton.ac.uk>

I have added this to Sendmail. I will add it to other MTA's once someone has tested it for me.
I aim to produce another beta this weekend, so please test this and I will then write it for the other MTAs but not before!

Randal, Phil wrote:
> I'd set
>
> Max Spamassassin Size = 40k
>
> and spamassassin was only scoring on headers, and hitting my
> L_MISSING_BODY rule.
>
> # must use 'rawbody' as 'body' also includes Subject: header text
> # see if message rawbody contains at least -one- non-blank character
> rawbody __MSG_RAW_EXISTS /\S/
> # Nope, declare the message to be missing the body
> meta L_MISSING_BODY ! __MSG_RAW_EXISTS
> describe L_MISSING_BODY Message body empty
> score L_MISSING_BODY 0.5
>
> Changing it to
>
> Max Spamassassin Size = 40000
>
> fixes the problem.
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>

Jules

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From daniel.maher at ubisoft.com Fri Oct 6 21:34:35 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Fri Oct 6 21:34:39 2006
Subject: version of MS that has "max spamassassin size"?
In-Reply-To: <4523366B.9090105@stellarcore.net>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D30F@UBIMAIL1.ubisoft.org>

Hello all,

A simple question: What version of MailScanner introduced the following configuration option?

"Max Spamassassin Size"

Thank you. :)

--
  _
 °v°    Daniel Maher
/(_)\   Administrateur Système Unix
 ^ ^    Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From garry at glendown.de Fri Oct 6 21:35:05 2006
From: garry at glendown.de (Garry Glendown)
Date: Fri Oct 6 21:35:17 2006
Subject: MS and SA diuffer
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580FC699C7@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580FC699C7@isabella.herefordshire.gov.uk>
Message-ID: <4526BDF9.1030609@glendown.de>

Randal, Phil wrote:
> It was this sort of problem which led me to find the bug I reported
> earlier.
>
> If you have
>
> Max Spamassassin Size = nnk (e.g. 40k)
>
> change it to
>
> Max Spamassassin Size = nn000 (e.g. 40000)
>
> and see if that helps.

Config is set to "90000" ... should have been sufficient for the spam message I tried with, which was <20k ... (and not triggering the possible bug with "k" ...)

I'll keep looking into it ... any other ideas?

From ssilva at sgvwater.com Fri Oct 6 21:34:41 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 6 21:35:25 2006
Subject: MS and SA diuffer
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A67@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38A67@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 10/6/2006 11:17 AM:
> If you figure this out, please post back to the list as to why it is
> happening.
>
> When I use either Imageinfo.pm or Fuzzyocr.pm with a .cf in the
> /etc/mail/spamassassin dir MailScanner seems to cause SpamAssassin to
> ignore these??
>
> I JUST finished installing FuzzyOCR and all the accompanying tools to
> make it work on 2 different relays here. I never see any hits from test
> Spam messages I send from outside.
>
>
> For the heck of it I also installed Imageinfo.pm and installed
> imageinfo.cf into my /etc/mail/spamassassin directory and the same
> results occurred. (more later on this)
>
> Both servers are running:
>
>
> spamassassin-3.1.4
> mailscanner-4.54.6-1
>
> A stock spam with inline gif processed through Mailscanner:
>
> X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=5.55,
>     required 6.5, MR_NOT_ATTRIBUTED_IP 0.10, RATWR10_MESSID 1.20,
>     SARE_GIF_ATTACH 4.25)
> X-MailScanner-SpamScore: sssss
>
> Saved and processed locally on the SAME mail server with - cat test.txt |
> spamassassin -t
>
> Content analysis details: (12.6 hits, 6.5 required)
>  0.8 HTML_00_10          BODY: Message is 0% to 10% HTML
> -2.6 BAYES_00            BODY: Bayesian spam probability is 0 to 1%
>                          [score: 0.0000]
>  0.0 HTML_MESSAGE        BODY: HTML included in message
>  4.2 SARE_GIF_ATTACH     FULL: Email has a inline gif
>  0.2 DNS_FROM_RFC_ABUSE  RBL: Envelope sender in
>                          abuse.rfc-ignorant.org
>   10 FUZZY_OCR           BODY: Mail contains an image with common
>                          spam text inside
>                          Words found:
>                          "target" in 1 lines
>                          "symbol" in 1 lines
>                          "stock" in 1 lines
>                          "price" in 1 lines
>                          "company" in 1 lines
>                          "breaking" in 1 lines
>                          "banking" in 1 lines
>                          "news" in 1 lines
>                          (8 word occurrences found)
>
>
>
> Appropriate output regarding Fuzzy_OCR from spamassassin -D --lint:
>
> [30731] dbg: plugin: fixed relative path:
> /etc/mail/spamassassin/FuzzyOcr.pm
> [30731] dbg: plugin: loading FuzzyOcr from
> /etc/mail/spamassassin/FuzzyOcr.pm
> [30731] dbg: plugin: registered FuzzyOcr=HASH(0xa4200b4)
> [30731] dbg: plugin: FuzzyOcr=HASH(0xa4200b4) implements 'parse_config'
> [30731] dbg: FuzzyOcr: Found scan: $gocr -i $pfile
> [30731] dbg: FuzzyOcr: Found scan: $gocr -l 180 -d 2 -i $pfile
> [30731] dbg: FuzzyOcr: Found scan: $gocr -l 140 -d 2 -i $pfile
> [30731] dbg: plugin: FuzzyOcr=HASH(0xa4200b4) implements
> 'finish_parsing_end'
> [30731] dbg: FuzzyOcr: Using giffix => /usr/bin/giffix
> [30731] dbg: FuzzyOcr: Using giftext => /usr/bin/giftext
> [30731] dbg: FuzzyOcr: Using gifinter => /usr/bin/gifinter
> [30731] dbg: FuzzyOcr: Using giftopnm => /usr/bin/giftopnm
> [30731] dbg: FuzzyOcr: Using jpegtopnm => /usr/bin/jpegtopnm
> [30731] dbg: FuzzyOcr: Using pngtopnm => /usr/bin/pngtopnm
> [30731] dbg: FuzzyOcr: Using bmptopnm => /usr/bin/bmptopnm
> [30731] dbg: FuzzyOcr: Using ppmhist => /usr/bin/ppmhist
> [30731] dbg: FuzzyOcr: Using gocr => /usr/bin/gocr
> [30731] dbg: FuzzyOcr: Loaded <43> words from
> "/etc/mail/spamassassin/FuzzyOcr.words"
> [30731] dbg: FuzzyOcr: Using scan: $gocr -i $pfile
> [30731] dbg: FuzzyOcr: Using scan: $gocr -l 180 -d 2 -i $pfile
> [30731] dbg: FuzzyOcr: Using scan: $gocr -l 140 -d 2 -i $pfile
>
> I do NOT have anything set in Mailscanner.conf specific to SpamAssassin
> aside from site rules dir. Should I?
>
> SpamAssassin Install Prefix =
>
> SpamAssassin Site Rules Dir = /etc/mail/spamassassin
>
> SpamAssassin Local Rules Dir =
>
> SpamAssassin Local State Dir = # /var/lib
>
> SpamAssassin Default Rules Dir =
>
>
> Now with a different plugin loaded, ImageInfo.pm -
>
>
> [2013] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from
> /etc/mail/spamassassin/ImageInfo.pm
> [2013] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95bdacc)
>
> [2013] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from
> /etc/mail/spamassassin/ImageInfo.pm
> [2013] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95bdacc)
>
>
> A stock spam with inline gif processed through Mailscanner:
>
> X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=5.55,
>     required 6.5, MR_NOT_ATTRIBUTED_IP 0.10, RATWR10_MESSID 1.20,
>     SARE_GIF_ATTACH 4.25)
> X-MailScanner-SpamScore: sssss
>
> Saved and processed locally on the SAME mail server with - cat test.txt |
> spamassassin -t
>
> Content analysis details: (11.1 hits, 6.5 required)
>  0.8 HTML_00_10          BODY: Message is 0% to 10% HTML
> -2.6 BAYES_00            BODY: Bayesian spam probability is 0 to 1%
>                          [score: 0.0000]
>  0.0 HTML_MESSAGE        BODY: HTML included in message
>  5.5 DC_IMAGE001_GIF     BODY: Contains image named image001.gif
>  4.2 SARE_GIF_ATTACH     FULL: Email has a inline gif
>  0.2 DNS_FROM_RFC_ABUSE  RBL: Envelope sender in
>                          abuse.rfc-ignorant.org
>  3.0 DC_GIF_UNO_LARGO    Message contains a single large inline gif
>
> (imageinfo.cf had this specific rule I added JUST for the spam because I
> already knew the inline GIF was named DDT.gif)
> # you can match by image name
> body DC_IMAGE001_GIF eval:image_named('DDT.gif')
> describe DC_IMAGE001_GIF Contains image named
> image001.gif
> score DC_IMAGE001_GIF 5.50
>
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Garry
> Glendown
> Sent: Thursday, October 05, 2006 11:54 PM
> To: MailScanner discussion
> Subject: MS and SA diuffer
>
> Hi,
>
> I've just set up FuzzyOCR to take care of the Image spam that has
> increased recently ... after still receiving untagged stock spam, I've
> checked into the scores and stuff and noticed on a test message, that MS
> has a lot less rule hits (and therefore less score points) than when
> calling spamassassin directly ...
>
> Here's what I got originally from MS:
>
> X-nethinks-MailScanner-SpamCheck: not spam, SpamAssassin (Wertung=3.905,
>     benoetigt 5, HTML_10_20 1.35, HTML_IMAGE_ONLY_32 1.05,
>     HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_NUMERIC_HELO 1.50)
>
> whereas the -t run from SA resulted in:
>
> X-Spam-Status: Yes, score=25.2 required=5.0 tests=AWL,BAYES_99,
>     FORGED_RCVD_HELO,FUZZY_OCR,HTML_10_20,HTML_IMAGE_ONLY_32,HTML_MESSAGE,
>     MIME_HTML_ONLY,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH autolearn=no
>
> MailScanner.conf points to the right SA directory
> (/etc/mail/spamassassin), there ARE image spams that get tagged with the
> OCR-tags, so I don't really get it why the scoring differs this much ...
> also with the Bayes score ... none on MS, 99 on SA ... !?
>
> I'm still running MS 4.50, SA is 3.1.5 ...
>
> Any idea where I could look for the cause of this?
>
> Tnx!

From what I have read, you now need a loadplugin line in init.pre (or one of the other .pre files). SpamAssassin only does global things from the .pre files since about 3.1.0. Read the imageinfo.pm file for better instructions.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From glenn.steen at gmail.com Fri Oct 6 21:43:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 6 21:43:31 2006
Subject: MS and SA diuffer
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A67@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38A67@CHI-US-EXCH-01.us.kmz.com>
Message-ID: <223f97700610061343o1b27a9b0u2b475c73419a7c76@mail.gmail.com>

On 06/10/06, Duncan, Brian M. wrote:
>
> If you figure this out, please post back to the list as to why it is
> happening.
>
> When I use either Imageinfo.pm or Fuzzyocr.pm with a .cf in the
> /etc/mail/spamassassin dir MailScanner seems to cause SpamAssassin to
> ignore these??
>
> I JUST finished installing FuzzyOCR and all the accompanying tools to
> make it work on 2 different relays here. I never see any hits from test
> Spam messages I send from outside.
>
> For the heck of it I also installed Imageinfo.pm and installed
> imageinfo.cf into my /etc/mail/spamassassin directory and the same
> results occurred. (more later on this)
>
> Both servers are running:
>
> spamassassin-3.1.4
> mailscanner-4.54.6-1
>
> A stock spam with inline gif processed through Mailscanner:
>
> X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=5.55,
>     required 6.5, MR_NOT_ATTRIBUTED_IP 0.10, RATWR10_MESSID 1.20,
>     SARE_GIF_ATTACH 4.25)
> X-MailScanner-SpamScore: sssss
>
> Saved and processed locally on the SAME mail server with - cat test.txt |
> spamassassin -t
>
> Content analysis details: (12.6 hits, 6.5 required)
>  0.8 HTML_00_10          BODY: Message is 0% to 10% HTML
> -2.6 BAYES_00            BODY: Bayesian spam probability is 0 to 1%
>                          [score: 0.0000]
>  0.0 HTML_MESSAGE        BODY: HTML included in message
>  4.2 SARE_GIF_ATTACH     FULL: Email has a inline gif
>  0.2 DNS_FROM_RFC_ABUSE  RBL: Envelope sender in
>                          abuse.rfc-ignorant.org
>   10 FUZZY_OCR           BODY: Mail contains an image with common
>                          spam text inside
>                          Words found:
>                          "target" in 1 lines
>                          "symbol" in 1 lines
>                          "stock" in 1 lines
>                          "price" in 1 lines
>                          "company" in 1 lines
>                          "breaking" in 1 lines
>                          "banking" in 1 lines
>                          "news" in 1 lines
>                          (8 word occurrences found)
>
>
> Appropriate output regarding Fuzzy_OCR from spamassassin -D --lint:
>
> [30731] dbg: plugin: fixed relative path:
> /etc/mail/spamassassin/FuzzyOcr.pm
> [30731] dbg: plugin: loading FuzzyOcr from
> /etc/mail/spamassassin/FuzzyOcr.pm
> [30731] dbg: plugin: registered FuzzyOcr=HASH(0xa4200b4)
> [30731] dbg: plugin: FuzzyOcr=HASH(0xa4200b4) implements 'parse_config'
> [30731] dbg: FuzzyOcr: Found scan: $gocr -i $pfile
> [30731] dbg: FuzzyOcr: Found scan: $gocr -l 180 -d 2 -i $pfile
> [30731] dbg: FuzzyOcr: Found scan: $gocr -l 140 -d 2 -i $pfile
> [30731] dbg: plugin: FuzzyOcr=HASH(0xa4200b4) implements
> 'finish_parsing_end'
> [30731] dbg: FuzzyOcr: Using giffix => /usr/bin/giffix
> [30731] dbg: FuzzyOcr: Using giftext => /usr/bin/giftext
> [30731] dbg: FuzzyOcr: Using gifinter => /usr/bin/gifinter
> [30731] dbg: FuzzyOcr: Using giftopnm => /usr/bin/giftopnm
> [30731] dbg: FuzzyOcr: Using jpegtopnm => /usr/bin/jpegtopnm
> [30731] dbg: FuzzyOcr: Using pngtopnm => /usr/bin/pngtopnm
> [30731] dbg: FuzzyOcr: Using bmptopnm => /usr/bin/bmptopnm
> [30731] dbg: FuzzyOcr: Using ppmhist => /usr/bin/ppmhist
> [30731] dbg: FuzzyOcr: Using gocr => /usr/bin/gocr
> [30731] dbg: FuzzyOcr: Loaded <43> words from
> "/etc/mail/spamassassin/FuzzyOcr.words"
> [30731] dbg: FuzzyOcr: Using scan: $gocr -i $pfile
> [30731] dbg: FuzzyOcr: Using scan: $gocr -l 180 -d 2 -i $pfile
> [30731] dbg: FuzzyOcr: Using scan: $gocr -l 140 -d 2 -i $pfile
>
> I do NOT have anything set in Mailscanner.conf specific to SpamAssassin
> aside from site rules dir. Should I?
>
> SpamAssassin Install Prefix =
>
> SpamAssassin Site Rules Dir = /etc/mail/spamassassin
>
> SpamAssassin Local Rules Dir =
>
> SpamAssassin Local State Dir = # /var/lib
>
> SpamAssassin Default Rules Dir =
>
>
> Now with a different plugin loaded, ImageInfo.pm -
>
> [2013] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from
> /etc/mail/spamassassin/ImageInfo.pm
> [2013] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95bdacc)
>
> [2013] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from
> /etc/mail/spamassassin/ImageInfo.pm
> [2013] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95bdacc)
>
>
> A stock spam with inline gif processed through Mailscanner:
>
> X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=5.55,
>     required 6.5, MR_NOT_ATTRIBUTED_IP 0.10, RATWR10_MESSID 1.20,
>     SARE_GIF_ATTACH 4.25)
> X-MailScanner-SpamScore: sssss
>
> Saved and processed locally on the SAME mail server with - cat test.txt |
> spamassassin -t
>
> Content analysis details: (11.1 hits, 6.5 required)
>  0.8 HTML_00_10          BODY: Message is 0% to 10% HTML
> -2.6 BAYES_00            BODY: Bayesian spam probability is 0 to 1%
>                          [score: 0.0000]
>  0.0 HTML_MESSAGE        BODY: HTML included in message
>  5.5 DC_IMAGE001_GIF     BODY: Contains image named image001.gif
>  4.2 SARE_GIF_ATTACH     FULL: Email has a inline gif
>  0.2 DNS_FROM_RFC_ABUSE  RBL: Envelope sender in
>                          abuse.rfc-ignorant.org
>  3.0 DC_GIF_UNO_LARGO    Message contains a single large inline gif
>
> (imageinfo.cf had this specific rule I added JUST for the spam because I
> already knew the inline GIF was named DDT.gif)
> # you can match by image name
> body DC_IMAGE001_GIF eval:image_named('DDT.gif')
> describe DC_IMAGE001_GIF Contains image named
> image001.gif
> score DC_IMAGE001_GIF 5.50
>
>
>

Good info, but you haven't addressed Anthony (or Alex') questions. Please tell us more about your setup, or we will likely not be able to help you...
What MTA, OS/version etc etc. The more details the better:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Fri Oct 6 22:42:41 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Oct 6 22:43:14 2006 Subject: version of MS that has "max spamassassin size"? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D30F@UBIMAIL1.ubisoft.org> References: <4523366B.9090105@stellarcore.net> <1E293D3FF63A3740B10AD5AAD88535D20226D30F@UBIMAIL1.ubisoft.org> Message-ID: Daniel Maher spake the following on 10/6/2006 1:34 PM: > Hello all, > > A simple question: > > What version of MailScanner introduced the following configuration option? > > "Max Spamassassin Size" > > Thank you. :) > It seems to have been there since I started using it, so it is way back to the 3.xx's -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mgt at stellarcore.net Fri Oct 6 23:24:55 2006 
From: mgt at stellarcore.net (Mike Tremaine)
Date: Fri Oct 6 23:25:04 2006
Subject: OT: Logwatch Update
In-Reply-To: <200610062049.k96KnO8g002655@bkserver.blacknight.ie>
References: <200610062049.k96KnO8g002655@bkserver.blacknight.ie>
Message-ID: <4526D7B7.7030607@stellarcore.net>

Edward Prendergast spake the following on 10/6/2006 1:11 AM:
> > I get These messages repeated hundreds of times in my LogWatch reports:
> >
> > 1GVRKT-0002IV-7z: Logged to MailWatch SQL : 1 Time(s)
> > 1GVSrS-00008K-Ef: Logged to MailWatch SQL : 1 Time(s)
> > 1GVFvt-0003Oj-T1: Logged to MailWatch SQL : 1 Time(s)
> > 1GVV4N-0001DB-Uh: Logged to MailWatch SQL : 1 Time(s)
> > 1GVU8t-0005a5-Bu: Logged to MailWatch SQL : 1 Time(s)
> > 1GVN7O-0003MO-P7: Logged to MailWatch SQL : 1 Time(s)
> > 1GVayX-0000O6-2t: Logged to MailWatch SQL : 1 Time(s)
> >
> > Does anybody else get this problem & know of a resolution?
> >
> > Sorry for the off-topic post - I just thought being as how we all use
> > MailScanner and some of us use MailWatch that you'd be the best people to
> > ask.
>Are you running the latest logwatch? I think it is 7.3.1. It seems that this
>went away when I upgraded. The logwatch site seems to be down right now, but
>you can probably find it around. I have an rpm, and maybe source floating
>around somewhere.

We keep a mirror here

http://logwatch.vanderkooij.org/

No idea what is going on with logwatch.org site seems down [so is cvs
access so I suspect something bad ;) ]

-Mike

From lshaw at emitinc.com Sat Oct 7 00:01:33 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Sat Oct 7 00:01:44 2006
Subject: OT: Scanning outgoing mail
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15017297A0@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D15017297A0@woodenex.woodmaclaw.local>
Message-ID:

On Fri, 6 Oct 2006, Billy A. Pumphrey wrote:
> You guys are so awesome! I have it set up now. I had to go ahead and
> edit the access file and add the exchange server as a relay.
>
> Also I had no connector there so I had to add a new one.

One thing I don't think anyone else has mentioned is that you
probably want to look at your set of trusted hosts/networks (the
"trusted_networks" setting for SpamAssassin) and think about
whether your Exchange server is in that set and whether you want
it to be in the set. It might already be trusted if it's on the
same subnet with trusted clients. Or not, depending on how you
have it set up.

How it should be set up is probably a judgement call, but it'd
probably be worthwhile to be intentional about whatever you choose.

Including the Exchange server in the trusted_networks set will
mean it won't be checked against RBLs and stuff like that. And I
believe messages coming from it and going through your MailScanner
machine will also get an extra negative score for ALL_TRUSTED.
(Though whether any outside parties care about how you score
messages as they leave your server is another question.)

- Logan

From brian.duncan at kattenlaw.com Sat Oct 7 01:36:53 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Sat Oct 7 01:37:03 2006
Subject: MS and SA diuffer
Message-ID: <65234743FE1555428435CE39E6AC4078B38A6C@CHI-US-EXCH-01.us.kmz.com>

>Good info, but you haven't addressed Anthony (or Alex') questions.
>Please tell us more about your setup, or we will likely not be able to
help you... What MTA, OS/version etc etc. The more details the
>>> better:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

Sorry - I was not the original poster. I just happen to have the same
exact problem.

I am using sendmail. Linux, one box is Fedora FC3 one box is Fedora FC4.
FC4 box is sendmail-8.13.8-1. FC3 box is sendmail-8.13.6-0.

As far as loading the plugins for FuzzyOCR and ImageInfo.pm, I was
loading them out of the init.pre file. The debug from SpamAssassin
showed them loading successfully that I included before.

When piping a test message through Spam Assassin locally the FuzzyOCR
rules kick in and are scored, same with ImageInfo.pm. When Relayed
through MailScanner, they do not.

I also just realized that bayes is also not functioning through
MailScanner + SpamAssassin. When I pipe the message through SpamAssassin
locally it includes bayes scoring, through MailScanner, that is absent.

Yet all my other .cf rules that are in my /etc/mail/spamassassin dir are
applied with MailScanner.

I emailed the original poster about his problem and he said his worked
when he changed his max spamassassin message size from something like
60K to 60000. I tried as high as 500000 with no effect.

From brian.duncan at kattenlaw.com Sat Oct 7 04:52:21 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Sat Oct 7 04:52:30 2006
Subject: MS and SA diuffer
Message-ID: <65234743FE1555428435CE39E6AC4078B38A70@CHI-US-EXCH-01.us.kmz.com>

I got my plugins working now with MailScanner. Bayes came back also.

I had used a Spam Assassin FC SRPM, removed it and re-installed the
newest SpamAssassin version manually with Perl and all started working.

Weird though.. -D --lint showed ALL being loaded fine, all plugins and
bayes. Spam Assassin locally would tag properly, just not through
MailScanner. I even compared all the install dirs between the RPM
SpamAssassin and the manual Perl install and they all looked the same.

Thanks

From admin at thenamegame.com Sat Oct 7 05:02:27 2006
From: admin at thenamegame.com (Michael S.)
Date: Sat Oct 7 04:56:47 2006
Subject: FW: Missing /rules files from MailScanner installation from ports
Message-ID: <200610070356.k973uj26008382@bkserver.blacknight.ie>

There is a problem with installing MailScanner 4.55.10-3 via ports. I
reported this many months ago, still the same old problem.

If you install MS on a server that has never had MS it starts
complaining about the following files that it can't find.

About 4 or so months ago when I reported this, the port maintainer
tried to tell me my port system on my Freebsd box had a problem. Since
then, we have purchased 4 additional Freebsd boxes that all exhibit
the same installation issue, missing files after the install. If you
don't believe me, try installing MS on a Freebsd server that has never
had MS installed. The following list of files will be missing from
your installation;

/rules/bounce.rule
/rules/max.message.size.rule
/mcp/mcp.spam.assassin.prefs.conf

If you look at the package list, you will find the following files
missing from this list, the only one there is
mcp.spam.assassin.prefs.conf.sample but unless you rename it after
installing MS to mcp.spam.assassin.prefs.conf your installation chokes.
Shouldn't MS rename this to mcp.spam.assassin.prefs.conf like it does
to all the others when you type the config command?

The pkg-plist tells the truth. It shows all the files that were
installed. As per the partial list below, you will note there is no
bounce.rule max.message.size.rule and the third one is installed as a
sample so unless you know what to do you will be stuck with a failed
installation unless you rename the file from a sample to a conf.

So Mr port maintainer, why don't you listen to constructive criticism
and take action to fix this problem when it's reported instead of being
rude about it. See previous messages regarding this! I would hope that
you all would want to know instead of telling me I'm crazy or that my
installation is jacked.

And last but certainly not least there are no symlinks created except
for one and that is to mailscanner.cf. Freebsd does not have a
cron.hourly or crond.d therefore you need to create cronjobs if you
expect to run hourly crons. Nothing about this is mentioned in the DOCS
or README. Maybe this should be revamped so a total idiot knows what to
do. But that's just a suggestion, take it or leave it.

@comment $FreeBSD: ports/mail/mailscanner/pkg-plist,v 1.31 2006/08/11 20:10:29 pav Exp $
etc/MailScanner/country.domains.conf.sample
etc/MailScanner/MailScanner.conf.sample
etc/MailScanner/filename.rules.conf.sample
etc/MailScanner/filetype.rules.conf.sample
etc/MailScanner/mcp/10_example.cf.sample
etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf.sample
etc/MailScanner/rules/EXAMPLES
etc/MailScanner/rules/README
etc/MailScanner/rules/spam.whitelist.rules.sample
etc/MailScanner/phishing.safe.sites.conf.sample
etc/MailScanner/spam.assassin.prefs.conf.sample

Also, the following files ARE NOT copied to /usr/local/etc/rc.d.
According to the docs;

The port installs two start/stop scripts in /usr/local/etc/rc.d:

mailscanner.sh
mta.sh

But this never happens. You have to go back to the port collections
file directory and copy the shell script into the proper directory.

Can you have the port maintainer correct this problem?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061007/70646a83/attachment.html

From lday at txk.k12.ar.us Sat Oct 7 05:43:59 2006
From: lday at txk.k12.ar.us (James L. Day)
Date: Sat Oct 7 05:44:08 2006
Subject: FW: Missing /rules files from MailScanner installation from ports
In-Reply-To: <200610070356.k973uj26008382@bkserver.blacknight.ie>
References: <200610070356.k973uj26008382@bkserver.blacknight.ie>
Message-ID: <4527308F.2060609@txk.k12.ar.us>

I just did a clean install on my FreeBSD 5.5-STABLE machine. My comments
are within..

Michael S. wrote:
>
> There is a problem with installing MailScanner 4.55.10-3 via ports. I
> reported this many months ago, still the same old problem.
>
> If you install MS on a server that has never had MS it starts
> complaining about the following files that it can't find.
>
> About 4 or so months ago when I reported this, the port maintainer
> tried to tell me my port system on my Freebsd box had a problem. Since
> then, we have purchased 4 additional Freebsd boxes that all exhibit
> the same installation issue, missing files after the install. If you
> don't believe me, try installing MS on a Freebsd server that has never
> had MS installed. The following list of files will be missing from
> your installation;
>
> /rules/bounce.rule
>
> /rules/max.message.size.rule
>
> /mcp/mcp.spam.assassin.prefs.conf
>
I agree..

Oct 6 23:23:16 alms MailScanner[30703]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Oct 6 23:23:16 alms MailScanner[30703]: Could not read file /usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
Oct 6 23:23:16 alms MailScanner[30703]: Error in line 2027, file "/usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf" for mcpspamassassinprefsfile does not exist (or can not be read)
Oct 6 23:23:16 alms MailScanner[30703]: Cannot open ruleset file /usr/local/etc/MailScanner/rules/bounce.rules, No such file or directory
Oct 6 23:23:16 alms MailScanner[30703]: Cannot open ruleset file /usr/local/etc/MailScanner/rules/max.message.size.rules, No such file or directory

--- snip --
>
> Also, the following files ARE NOT copied to /usr/local/etc/rc.d.
> According to the docs;
>
> The port installs two start/stop scripts in /usr/local/etc/rc.d:
>
> mailscanner.sh
>
> mta.sh
>
I disagree. They were created for me...

-r-xr-xr-x 1 root wheel 1017 Oct 6 23:19 mailscanner.sh
-r-xr-xr-x 1 root wheel 4412 Oct 6 23:19 mta.sh

> But this never happens. You have to go back to the port collections
> file directory and copy the shell script into the proper directory.
>
> Can you have the port maintainer correct this problem?
>

From admin at thenamegame.com Sat Oct 7 06:03:34 2006
From: admin at thenamegame.com (Michael S.)
Date: Sat Oct 7 05:57:39 2006
Subject: FW: Missing /rules files from MailScanner installation fromports
In-Reply-To: <4527308F.2060609@txk.k12.ar.us>
Message-ID: <200610070457.k974vb0H009264@bkserver.blacknight.ie>

Finally somebody who has a clue!!

Thanks James for verifying this. Maybe the port Maintainer can finally do
something about this after telling me I was crazy. See all the NOT SO NICE
messages in past threads regarding this issue.

Thank you.

From admin at thenamegame.com Sat Oct 7 06:20:26 2006
From: admin at thenamegame.com (Michael S.)
Date: Sat Oct 7 06:14:27 2006
Subject: FW: Missing /rules files from MailScanner installation fromports
In-Reply-To: <4527308F.2060609@txk.k12.ar.us>
Message-ID: <200610070514.k975EPu6009580@bkserver.blacknight.ie>

> I disagree. They were created for me...

-r-xr-xr-x 1 root wheel 1017 Oct 6 23:19 mailscanner.sh
-r-xr-xr-x 1 root wheel 4412 Oct 6 23:19 mta.sh

> But this never happens. You have to go back to the port collections
> file directory and copy the shell script into the proper directory.
>
> Can you have the port maintainer correct this problem?
>

That's strange; because on 3 servers thus far mailscanner.sh and mta.sh were
not copied to /usr/local/etc/rc.d/ where they are supposed to end up after
the port installation. I had to copy them from /ports/files/mailscanner.in
and mta.in to /usr/local/etc/rc.d manually.

Also, what has everyone done with files such as clean.quarantine and
update_virus_scanners? Since one is supposed to run hourly and the other
daily did you copy them somewhere and symlink them back to
/usr/local/libexec/MailScanner where all the cron jobs are or did you simply
create a root cronjob? Seems like this step is missing as well. Unless you
are well aware of what the setup should look like you wouldn't even know
about it.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From lday at txk.k12.ar.us Sat Oct 7 07:31:37 2006
From: lday at txk.k12.ar.us (James L. Day)
Date: Sat Oct 7 07:31:42 2006
Subject: FW: Missing /rules files from MailScanner installation fromports
In-Reply-To: <200610070514.k975EPu6009580@bkserver.blacknight.ie>
References: <200610070514.k975EPu6009580@bkserver.blacknight.ie>
Message-ID: <452749C9.10108@txk.k12.ar.us>

I use ClamAV and it's updated by "/usr/local/etc/rc.d/clamav-freshclam.sh".

Since I have MailWatch installed, I have these in my "/etc/crontab" file:

*/5 * * * * root /usr/local/sbin/mailq.php
0 0 * * * root /usr/local/sbin/quarantine_maint.php --clean
0 0 * * * root /usr/local/sbin/quarantine_report.php
0 0 * * * root /usr/local/sbin/db_clean.php

I've never had "clean.quarantine" and "update_virus_scanners" in root's
crontab. They were definitely not put there for me during a MailScanner
install.

I ran McAfee's command line scanner for quite some time before switching
to ClamAV. If I remember correctly, I had to manually add a line to
root's crontab to update the McAfee definitions.

Before MailWatch, I cleaned "/var/spool/MailScanner/quarantine"
manually. I didn't know it was supposed to be done auto-magically.. ;-)

BTW - I've installed MailScanner/SpamAssassin/ClamAV on at least 6
servers over the past 3 years and have updated or reinstalled them many
times. The FreeBSD MailScanner port needs fixing..

Lynn

Michael S. wrote:
> That's strange; because on 3 servers thus far mailscanner.sh and mta.sh were
> not copied to /usr/local/etc/rc.d/ where they are supposed to end up after
> the port installation. I had to copy them from /ports/files/mailscanner.in
> and mta.in to /usr/local/etc/rc.d manually.
>
> Also, what has everyone done with files such as clean.quarantine and
> update_virus_scanners? Since one is supposed to run hourly and the other
> daily did you copy them somewhere and symlink them back to
> /usr/local/libexec/MailScanner where all the cron jobs are or did you simply
> create a root cronjob? Seems like this step is missing as well. Unless you
> are well aware of what the setup should look like you wouldn't even know
> about it.
>
>

From drew at technologytiger.net Sat Oct 7 13:07:18 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Sat Oct 7 13:07:35 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To: <200610070457.k974vb0H009264@bkserver.blacknight.ie>
References: <200610070457.k974vb0H009264@bkserver.blacknight.ie>
Message-ID: <1A950111-642F-4238-8761-28AC6C51C7AF@technologytiger.net>

On 7 Oct 2006, at 06:03, Michael S. wrote:

> Finally somebody who has a clue!!

I think that is a little harsh and along with the tone in your
original e-mail you are about as likely to walk to the moon as to get
this fixed.

>
> Thanks James for verifying this. Maybe the port Maintainer can
> finally do
> something about this after telling me I was crazy. See all the NOT
> SO NICE
> messages in past threads regarding this issue.

I participated in the previous thread and I seem to remember that
there were more people who had no problem than there were who had and
although there was some attempt to help, you reacted with the same
tone as you are now. No one owes you a working port. If you can't make
it work or feel that Jan-Peter is doing a bad job then come forward
and offer to help. I am sure he won't mind at all. He is a busy guy
and this is open source. If you pay for it, expect it to work (I am
sure you have many Microsoft products that do just that :-) ). If you
are that concerned, drop Julian an e-mail and pay him to install it
for you.

>
> Thank you.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> James L.
> Day
> Sent: Saturday, October 07, 2006 12:44 AM
> To: MailScanner discussion
> Subject: Re: FW: Missing /rules files from MailScanner installation
> fromports
>
> I just did a clean install on my FreeBSD 5.5-STABLE machine. My
> comments
> are within..
>
> Michael S. wrote:
>>
>> There is a problem with installing MailScanner 4.55.10-3 via ports. I
>> reported this many months ago, still the same old problem.
>>
>> If you install MS on a server that has never had MS it starts
>> complaining about the following files that it can't find.
>>
>> About 4 or so months ago when I reported this, the port maintainer
>> tried to tell me my port system on my Freebsd box had a problem.
>> Since
>> then, we have purchased 4 additional Freebsd boxes that all exhibit
>> the same installation issue, missing files after the install. If you
>> don't believe me, try installing MS on a Freebsd server that has
>> never
>> had MS installed. The following list of files will be missing from
>> your installation;
>>
>> /rules/bounce.rule
>>
>> /rules/max.message.size.rule
>>
>> /mcp/mcp.spam.assassin.prefs.conf
>>
> I agree..
>
> Oct 6 23:23:16 alms MailScanner[30703]: MailScanner E-Mail Virus
> Scanner
> version 4.55.10 starting...
> Oct 6 23:23:16 alms MailScanner[30703]: Could not read file
> /usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
> Oct 6 23:23:16 alms MailScanner[30703]: Error in line 2027, file
> "/usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf" for
> mcpspamassassinprefsfile does not exist (or can not be read)
> Oct 6 23:23:16 alms MailScanner[30703]: Cannot open ruleset file
> /usr/local/etc/MailScanner/rules/bounce.rules, No such file or
> directory
> Oct 6 23:23:16 alms MailScanner[30703]: Cannot open ruleset file
> /usr/local/etc/MailScanner/rules/max.message.size.rules, No such
> file or
> directory
>
> --- snip --

Because I have run the port for several years, mine are upgrades so
the original are always there so I have never noticed them missing.
Are the files there as .sample files? I assume you ran the scripts at
the end of the install to move the .sample files?

>>
>> Also, the following files ARE NOT copied to /usr/local/etc/rc.d.
>> According to the docs;
>>
>> The port installs two start/stop scripts in /usr/local/etc/rc.d:
>>
>> mailscanner.sh
>>
>> mta.sh
>>
> I disagree. They were created for me...
>
> -r-xr-xr-x 1 root wheel 1017 Oct 6 23:19 mailscanner.sh
> -r-xr-xr-x 1 root wheel 4412 Oct 6 23:19 mta.sh

And me every time I upgrade.

>
>> But this never happens. You have to go back to the port collections
>> file directory and copy the shell script into the proper directory.
>>
>> Can you have the port maintainer correct this problem?

The FreeBSD port is not maintained by Julian. You would be better
asking (Nicely) Jan-Peter, whose e-mail address is in the Makefile in
the ports tree or indeed as I have suggested elsewhere do it yourself
and offer to help him improve the current port.

Regards

Drew

From lday at txk.k12.ar.us Sat Oct 7 16:15:47 2006
From: lday at txk.k12.ar.us (James L. Day)
Date: Sat Oct 7 16:15:55 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To: <1A950111-642F-4238-8761-28AC6C51C7AF@technologytiger.net>
References: <200610070457.k974vb0H009264@bkserver.blacknight.ie> <1A950111-642F-4238-8761-28AC6C51C7AF@technologytiger.net>
Message-ID: <4527C4A3.4010706@txk.k12.ar.us>

Drew,

The FreeBSD MailScanner port puts .sample files all over the place, but I've never seen anything in the port to remove them...

The attached Makefile patch I whipped up should make the port install and run with fewer errors...

From /usr/ports/mail/mailscanner, type:

patch < /path/to/Makefile.diff

And yes, after running "make install" you must run "make initial-config". It would be nice if during a first-time install, the port would perform "initial-config" automatically. It could be triggered by the lack of a "/usr/local/etc/MailScanner" directory or the "MailScanner.conf" file, etc.

If I were the creator of a cool application such as MailScanner and a port maintainer was causing public outcry, I'd be inclined to show him the light. I'm quite capable of making myself look bad; I don't need any help...

As always, YMMV.. ;-)

Lynn

Drew Marshall wrote:
> On 7 Oct 2006, at 06:03, Michael S. wrote:
>
>> Finally somebody who has a clue!!
>
> I think that is a little harsh and along with the tone in your
> original e-mail you are about as likely to walk to the moon as to get
> this fixed.
>
>>
>> Thanks James for verifying this. Maybe the port Maintainer can
>> finally do
>> something about this after telling me I was crazy. See all the NOT SO
>> NICE
>> messages in past threads regarding this issue.
>
> I participated in the previous thread and I seem to remember that
> there were more people who had no problem than there were who had and
> although there was some attempt to help, you reacted with the same
> tone as you are now. No one owes you a working port.
If you can't make > it work or feel that Jan-Peter is doing a bad job then come forward > and offer to help. I am sure he won't mind at all. He is a busy guy > and this is open source. If you pay for it, expect it to work (I am > sure you have many Microsoft products that do just that :-) ). If you > are that concerned, drop Julian an e-mail and pay him to install it > for you. > >> >> Thank you. >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> James L. >> Day >> Sent: Saturday, October 07, 2006 12:44 AM >> To: MailScanner discussion >> Subject: Re: FW: Missing /rules files from MailScanner installation >> fromports >> >> I just did a clean install on my FreeBSD 5.5-STABLE machine. My comments >> are within.. >> >> Michael S. wrote: >>> >>> There is a problem with installing MailScanner 4.55.10-3 via ports. I >>> reported this many months ago, still the same old problem. >>> >>> If you install MS on a server that has never had MS it starts >>> complaining about the following files that it can't find. >>> >>> About 4 or so months ago when I reported this, the port maintainer >>> tried to tell me my port system on my Freebsd box had a problem. Since >>> then, we have purchased 4 additional Freebsd boxes that all exhibit >>> the same installation issue, missing files after the install. If you >>> don't believe me, try installing MS on a Freebsd server that has never >>> had MS installed. The following list of files will be missing from >>> your installation; >>> >>> /rules/bounce.rule >>> >>> /rules/max.message.size.rule >>> >>> /mcp/mcp.spam.assassin.prefs.conf >>> >> I agree.. >> >> Oct 6 23:23:16 alms MailScanner[30703]: MailScanner E-Mail Virus Scanner >> version 4.55.10 starting... 
>> Oct 6 23:23:16 alms MailScanner[30703]: Could not read file
>> /usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
>> Oct 6 23:23:16 alms MailScanner[30703]: Error in line 2027, file
>> "/usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf" for
>> mcpspamassassinprefsfile does not exist (or can not be read)
>> Oct 6 23:23:16 alms MailScanner[30703]: Cannot open ruleset file
>> /usr/local/etc/MailScanner/rules/bounce.rules, No such file or directory
>> Oct 6 23:23:16 alms MailScanner[30703]: Cannot open ruleset file
>> /usr/local/etc/MailScanner/rules/max.message.size.rules, No such file or
>> directory
>>
>> --- snip --
>
> Because I have run the port for several years, mine are upgrades so
> the original are always there so I have never noticed them missing.
> Are the files there as .sample files? I assume you ran the scripts at
> the end of the install to move the .sample files?
>
>>>
>>> Also, the following files ARE NOT copied to /usr/local/etc/rc.d.
>>> According to the docs;
>>>
>>> The port installs two start/stop scripts in /usr/local/etc/rc.d:
>>>
>>> mailscanner.sh
>>>
>>> mta.sh
>>>
>> I disagree. They were created for me...
>>
>> -r-xr-xr-x 1 root wheel 1017 Oct 6 23:19 mailscanner.sh
>> -r-xr-xr-x 1 root wheel 4412 Oct 6 23:19 mta.sh
>
> And me every time I upgrade.
>
>>
>>> But this never happens. You have to go back to the port collections
>>> file directory and copy the shell script into the proper directory.
>>>
>>> Can you have the port maintainer correct this problem?
>
> The FreeBSD port is not maintained by Julian. You would be better
> asking (Nicely) Jan-Peter, whose e-mail address is in the Makefile in
> the ports tree or indeed as I have suggested elsewhere do it yourself
> and offer to help him improve the current port.
> > Regards > > Drew > --MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- --- Makefile Sat Oct 7 08:52:32 2006 +++ Makefile.jld Sat Oct 7 09:25:28 2006 @@ -112,6 +112,8 @@ spam.lists.conf virus.scanners.conf \ phishing.safe.sites.conf \ country.domains.conf +RULES_FILES= EXAMPLES README bounce.rules \ + max.message.size.rules spam.whitelist.rules MCP_FILES= mcp.spam.assassin.prefs.conf \ 10_example.cf USRLOCAL_FILES_LIB= \ @@ -236,10 +238,11 @@ ${PREFIX}/etc/MailScanner/${FILE}.sample .endfor ${MKDIR} ${PREFIX}/etc/MailScanner/rules - cd ${WRKSRC}/etc/rules && \ - ${INSTALL_DATA} EXAMPLES README ${PREFIX}/etc/MailScanner/rules - ${INSTALL_DATA} ${WRKSRC}/etc/rules/spam.whitelist.rules \ - ${PREFIX}/etc/MailScanner/rules/spam.whitelist.rules.sample + ${CHMOD} ${BINMODE} ${PREFIX}/etc/MailScanner/rules +.for FILE in ${RULES_FILES} + ${INSTALL_DATA} ${WRKSRC}/etc/rules/${FILE} \ + ${PREFIX}/etc/MailScanner/rules/${FILE}.sample +.endfor ${MKDIR} ${PREFIX}/etc/MailScanner/mcp ${CHMOD} ${BINMODE} ${PREFIX}/etc/MailScanner/mcp .for FILE in ${MCP_FILES} 
@@ -351,8 +354,10 @@ initial-config: renew-wrapper renew-autoupdate renew-reports cd ${WRKSRC}/etc && ${INSTALL_DATA} ${ETC_FILES} \ ${PREFIX}/etc/MailScanner - ${INSTALL_DATA} ${WRKSRC}/etc/rules/spam.whitelist.rules \ - ${PREFIX}/etc/MailScanner/rules/spam.whitelist.rules + cd ${WRKSRC}/etc/rules && ${INSTALL_DATA} ${RULES_FILES} \ + ${PREFIX}/etc/MailScanner/rules + cd ${WRKSRC}/etc/mcp && ${INSTALL_DATA} ${MCP_FILES} \ + ${PREFIX}/etc/MailScanner/mcp @${ECHO} "******************************************************************************" @${ECHO} "The provided default configuration requires several directories to be created:" @${ECHO} "/var/spool/MailScanner/incoming" From res at ausics.net Sun Oct 8 02:09:21 2006 
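Review bot: In the rules install loop of the second hunk, EXAMPLES and README now pass through `${FILE}.sample` together with the real rule files, so they land as EXAMPLES.sample and README.sample, whereas the removed lines installed them under their plain names. Documentation has no local edits to protect, so consider keeping those two out of RULES_FILES (or installing them without the suffix) and limiting the loop to bounce.rules, max.message.size.rules and spam.whitelist.rules. The diff touches only the Makefile, so any packing list that names the installed files needs matching entries for the new .sample names.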
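Review bot: The two added `${INSTALL_DATA}` lines in the initial-config hunk copy every file in RULES_FILES and MCP_FILES onto the live names with no existence check, so running initial-config on an already configured host replaces an edited bounce.rules, max.message.size.rules or mcp.spam.assassin.prefs.conf with the shipped defaults. The removed lines did the same to spam.whitelist.rules, but the set of files at risk is now larger. Suggest copying each file only when its target is absent, for example a `.for FILE in ${RULES_FILES}` loop whose command is guarded by a `[ -f target ] ||` test, and documenting in the target's echo text that existing files are left alone.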
From: res at ausics.net (Res)
Date: Sun Oct 8 02:09:29 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To: <1A950111-642F-4238-8761-28AC6C51C7AF@technologytiger.net>
References: <200610070457.k974vb0H009264@bkserver.blacknight.ie> <1A950111-642F-4238-8761-28AC6C51C7AF@technologytiger.net>
Message-ID:

On Sat, 7 Oct 2006, Drew Marshall wrote:

> On 7 Oct 2006, at 06:03, Michael S. wrote:
>
>> Finally somebody who has a clue!!
>
> I think that is a little harsh and along with the tone in your original
> e-mail you are about as likely to walk to the moon as to get this fixed.
>

heh, agreed, and if he's that concerned why not do a tarball install?

It also takes 2 mins to write a quick bash file to copy custom files into new MS, I'll save him time and give it to him so it takes 2 seconds...

#cd /opt/MailScanner-New_Version/etc
# and paste all this in one hit
# merge the old settings into the new default config, then show the changes
mv MailScanner.conf MailScanner.conf.default
../bin/upgrade_MailScanner_conf /opt/MailScanner/etc/MailScanner.conf \
    MailScanner.conf.default > MailScanner.conf
diff /opt/MailScanner/etc/MailScanner.conf MailScanner.conf
cp /opt/MailScanner/etc/filename.rules.conf .
cp /opt/MailScanner/etc/filetype.rules.conf .
cp /opt/MailScanner/etc/mailscanner-mrtg.conf .
cp /opt/MailScanner/etc/spam.assassin.prefs.conf .
cp /opt/MailScanner/etc/phishing.safe.sites.conf .
# custom rulesets
cd rules/
cp /opt/MailScanner/etc/rules/bounce.rules .
cp /opt/MailScanner/etc/rules/police.rules .
cp /opt/MailScanner/etc/rules/reject.msg.rules .
cp /opt/MailScanner/etc/rules/contentscan.rules .
cp /opt/MailScanner/etc/rules/spam.whitelist.rules .
# custom report texts
cd ../reports/en
cp /opt/MailScanner/etc/reports/en/sender.content.report.txt .
cp /opt/MailScanner/etc/reports/en/rejection.report.txt .
cp /opt/MailScanner/etc/reports/en/sender.filename.report.txt .
# end

that's it, all customisations in place, it might be risky copying some of the prefs files, but I've been doing it for a while without problem.
--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From Jan-Peter.Koopmann at seceidos.de Sun Oct 8 12:55:56 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Sun Oct 8 12:56:02 2006
Subject: FW: Missing /rules files from MailScanner installation fromports
In-Reply-To: <200610070457.k974vb0H009264@bkserver.blacknight.ie>
Message-ID:

On Saturday, October 07, 2006 7:04 AM Michael S. wrote:

> Finally somebody who has a clue!!

Obviously the rest of the world does not.

> Thanks James for verifying this. Maybe the port Maintainer can
> finally do something about this after telling me I was crazy.

I told you that you are crazy? I do not recall this.

> See all
> the NOT SO NICE messages in past threads regarding this issue.

The only "NOT SO NICE" messages with a rude tone I recall came from you to be honest. And this message is no exception. If there is a problem with the port then please by all means bring it to my attention. If (!) I can reproduce and/or understand the problem and agree with the fact that it needs some certain fix I will of course do this. However as Drew mentioned, my time is very limited and I am not earning any money with maintaining this port. Therefore if you are trying to "finally" get me to do something you might as well try it in an educated nice way. It would raise the chances of your case being heard enormously...

> Thank you.

You're welcome.

Kind regards,
JP

From Jan-Peter.Koopmann at seceidos.de Sun Oct 8 13:00:55 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Sun Oct 8 13:00:58 2006
Subject: FW: Missing /rules files from MailScanner installation fromports
In-Reply-To: <4527308F.2060609@txk.k12.ar.us>
Message-ID:

On Saturday, October 07, 2006 6:44 AM James L. Day wrote:

>> /rules/bounce.rule
>>
>> /rules/max.message.size.rule

Agreed. I have not been aware of these two files. Please remember that Julian too has better things to do than telling me about every file or installation change he is doing. Therefore these things are bound to happen. I do not use bounce.rule and max.message.size.rule in my installations therefore I have never come across this. I will put it on the todo list for the next release.

>> /mcp/mcp.spam.assassin.prefs.conf

This should be there as .sample file. Can you please recheck? Maybe for some reason it is not copied during "initial-config" phase which it should be.

>> Also, the following files ARE NOT copied to /usr/local/etc/rc.d.
>> According to the docs;
>>
>> The port installs two start/stop scripts in /usr/local/etc/rc.d:
>>
>> mailscanner.sh
>>
>> mta.sh
>>
> I disagree. They were created for me...
>
> -r-xr-xr-x 1 root wheel 1017 Oct 6 23:19 mailscanner.sh -r-xr-xr-x 1
> root wheel 4412 Oct 6 23:19 mta.sh

Can someone please recheck? I will set up mailscanner on FreeBSD6 boxes during the next two weeks and check for myself. The creation of those files however is part of the FreeBSD port system and not necessarily my port. That and the fact that no one else has ever complained about this was the reason for suspecting something wrong in "somebody's" port system.

Regards,
JP

From Jan-Peter.Koopmann at seceidos.de Sun Oct 8 13:05:32 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Sun Oct 8 13:05:38 2006
Subject: FW: Missing /rules files from MailScanner installation fromports
In-Reply-To: <200610070514.k975EPu6009580@bkserver.blacknight.ie>
Message-ID:

On Saturday, October 07, 2006 7:20 AM Michael S. wrote:

> That's strange; because on 3 servers thus far mailscanner.sh and
> mta.sh were not copied to /usr/local/etc/rc.d/ where they are supposed
> to end up after the port installation. I had to copy them from
> /ports/files/mailscanner.in and mta.in to /usr/local/etc/rc.d
> manually.

As I said in a previous post this is strange since it was working. Maybe some change in the port-magic results in a problem here but I need to have this verified and try it out myself. Since I am on the road next week it will probably take some time.

> Also, what has everyone done with files such as clean.quarantine and
> update_virus_scanners? Since one is supposed to run hourly and the
> other daily did you copy them somewhere and symlink them back to
> /usr/local/libexec/MailScanner where all the cron jobs are or did you
> simply create a root cronjob?

The latter.

> Seems like this step is missing as
> well.

On purpose. If you guys tell me how "the majority" wants it I might be able to automatically do this. I personally prefer to do this step manually and put a remark in install instructions.

> Unless you are well aware of what the setup should look like
> you wouldn't even know about it.

If you do not read the install instructions: Probably. Maybe it is missing there. I would very much like to improve that and am eager to hear your suggestions. But please: Specific suggestion and not "do it differently; fix it" or my personal favourite "finally fix it!". :-) As I pointed out many times: My time for this port is limited! A simple "make this better" will not help me and therefore will not help you.

Regards,
JP

From Jan-Peter.Koopmann at seceidos.de Sun Oct 8 13:17:38 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Sun Oct 8 13:17:46 2006
Subject: Missing /rules files from MailScanner installation from ports
In-Reply-To: <200610070356.k973uj26008382@bkserver.blacknight.ie>
Message-ID:

On Saturday, 7 October 2006 6:02 Michael S. wrote:

> About 4 or so months ago when I reported this, the port maintainer
> tried to tell me my port system on my Freebsd box had a problem.

I was not able to reproduce your problem, others did not have it, I suggested (!) your system might have a problem and have not heard from you since.

> If you look at the package list, you will find the following files
> missing from this list, the only one there is
> mcp.spam.assassin.prefs.conf.sample but unless you rename it after
> installing MS to mcp.spam.assassin.prefs.conf your installation
> chokes. Shouldn't MS rename this to mcp.spam.assassin.prefs.conf like
> it does to all the others when you type the config command?

It should be copied during "initial-config". If it is not (which I need to check) then this definitely is a bug.

> So Mr port maintainer, why don't you listen to constructive criticism
> and take action to fix this problem when it's reported instead of
> being rude about it.

Well Mr. S I am very open to constructive criticism as many people here will hopefully verify. And I fail to see where I am rude. You on the other hand...

> See previous messages regarding this! I would
> hope that you all would want to know instead of telling me I'm crazy
> or that my installation is jacked.

Just try to imagine how many complaints port maintainers get about their port not working. Then try to imagine what the percentage of real port problems is and how many installations are jacked. This is a valid assumption if only one person is complaining about something specific and if you are not able to reproduce the problem (which I was not able to!).
> And last but certainly not least there are no symlinks created except
> for one and that is to mailscanner.cf. Freebsd does not have a
> cron.hourly or crond.d therefore you need to create cronjobs if you
> expect to run hourly crons. Nothing about this is mentioned in the
> DOCS or README. Maybe this should be revamped so a total idiot knows
> what to do. But that's just a suggestion, take it or leave it.

Wonderful. Since I do not have the time to revamp the DOCs/README: Please if someone is able to write suitable idiot-proof instructions do so and share them with me to put them in the port!

> Can you have the port maintainer correct this problem?

Nobody can "have" me to correct the problem. You can bring this to my attention (which you did) and I can try to fix it. If I am not able or not willing to: What do you expect this mailing list or Julian to do about it other than asking me? Sue me? Get real: The port is not a product I sell. It is something I do in my spare time. There is no legal obligation. So please stop acting like there was some.

And one more hint: My time currently is so limited that I do not read the mailscanner list thoroughly. So if you need help or fixes for the port better write to me directly or at least cc me. Thanks a lot!

Kind regards,
JP

From Jan-Peter.Koopmann at seceidos.de Sun Oct 8 13:33:12 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Sun Oct 8 13:33:21 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To: <4527C4A3.4010706@txk.k12.ar.us>
Message-ID:

On Saturday, October 07, 2006 5:16 PM James L. Day wrote:

> The FreeBSD MailScanner port puts .sample files all over the place,
> but I've never seen anything in the port to remove them...

Since they are listed in pkg-plist they will get removed during make deinstall automatically.

> The attached Makefile patch I whipped up should make the port install
> and run with fewer errors...

Thanks for the patch. I will have a look at it and integrate it in the next version if you don't mind. That is the sort of constructive criticism that really helps everybody. Sincere thanks.

> And yes, after running "make install" you must run "make
> initial-config". It would be nice if during a first-time install,
> the port would perform "initial-config" automatically. It could be
> triggered by the lack of a "/usr/local/etc/MailScanner" directory or
> the "MailScanner.conf" file, etc.

Up to this point the common consensus was that a fresh MailScanner installation needs manual tweaking before you first fire up the system (due to the complexity, several supported MTAs etc. etc.). Hence the need for a manual "initial-config". If this consensus changes now I can of course try to implement this step to be automatic. I would go for the lack of "MailScanner.conf" file ${LOCALBASE}/etc/ though.

> If I were the creator of a cool application such as MailScanner and a
> port maintainer was causing public outcry,

Public outcry? Have I been missing something? Up to this message (which was brought to my attention via e-mail) I cannot find any real complaints. And even these complaints do not qualify as "public outcry" at least not in my view of the world. That is very subjective of course. Did I just not see the irony tags or are you guys possibly exaggerating just a tiny bit?
> I'd be inclined to show him the light.

Meaning? Please. Enlighten me. How is Julian going to "show me the light"?

These kinds of messages really are an interesting way of saying "Thank you for creating and maintaining a free port for this system". I developed this port strictly for myself and decided to share it with the FreeBSD community. I do not expect thousands of "Thank you" mails. I honestly do not expect to be "shown the light" either though.

Kind regards,
JP

From lday at txk.k12.ar.us Sun Oct 8 17:55:45 2006
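The behaviour the thread keeps returning to (on a fresh install, create the live config files from the port's .sample copies without overwriting anything an admin has edited), shown as an added shell example; it is not part of the MailScanner port or of any poster's message. The function names are hypothetical, the choice of MailScanner.conf as the first-install marker is taken from the discussion above, and the log lines are the ones quoted in the thread, re-joined to one line each.

```shell
#!/bin/sh
# Added example, not code from the MailScanner port.
# Function names are hypothetical; paths come from the log lines in the thread.

# sample_log: the startup errors quoted in the thread, one per line
# (the mail client had wrapped them).
sample_log() {
    cat <<'EOF'
Oct 6 23:23:16 alms MailScanner[30703]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Oct 6 23:23:16 alms MailScanner[30703]: Could not read file /usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
Oct 6 23:23:16 alms MailScanner[30703]: Error in line 2027, file "/usr/local/etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf" for mcpspamassassinprefsfile does not exist (or can not be read)
Oct 6 23:23:16 alms MailScanner[30703]: Cannot open ruleset file /usr/local/etc/MailScanner/rules/bounce.rules, No such file or directory
Oct 6 23:23:16 alms MailScanner[30703]: Cannot open ruleset file /usr/local/etc/MailScanner/rules/max.message.size.rules, No such file or directory
EOF
}

# missing_from_log: read MailScanner syslog lines on stdin and print the
# unique paths named in "Could not read file" and "Cannot open ruleset file".
missing_from_log() {
    sed -n \
        -e 's/.*Could not read file \([^ ,]*\).*/\1/p' \
        -e 's/.*Cannot open ruleset file \([^ ,]*\),.*/\1/p' | sort -u
}

# needs_initial_config CONFDIR: true when CONFDIR has no MailScanner.conf,
# i.e. the host has never been configured (assumed first-install marker).
needs_initial_config() {
    [ ! -f "$1/MailScanner.conf" ]
}

# activate_samples CONFDIR: for every NAME.sample below CONFDIR, create NAME
# from it unless NAME already exists. Prints "created PATH" or "kept PATH".
activate_samples() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -type f -name '*.sample' | sort | while IFS= read -r sample; do
        live=${sample%.sample}
        if [ -e "$live" ]; then
            echo "kept $live"          # an existing file is never overwritten
        else
            # -p preserves the mode and timestamps the port installed
            cp -p "$sample" "$live" && echo "created $live"
        fi
    done
}
```

Running `sample_log | missing_from_log` lists the three files a fresh install was missing; `activate_samples /usr/local/etc/MailScanner` would then fill in only those that have a .sample sibling.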
From: lday at txk.k12.ar.us (James L. Day)
Date: Sun Oct 8 17:55:53 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To:
References:
Message-ID: <45292D91.6010401@txk.k12.ar.us>

Comments within..

> Since they are listed in pkg-plist they will get removed during make
> deinstall automatically.
>

I don't want to deinstall the whole port; I just don't want the thing to install two copies of everything. I searched my system for .sample files and found a total of 633, of which 477 were put there by your port. That leaves 156 for the other 176 ports installed on my system. Yes, I know, you didn't want to wipe out any customized files. However, a "make --remove-samples" or something to that effect would be nice.

> Thanks for the patch. I will have a look at it and integrate it in the
> next version if you don't mind. That is the sort of constructive
> criticism that really helps everybody. Sincere thanks.
>

That's actually the first patch I've ever created and I've been playing with Linux/FreeBSD since 1994. Yeah, like you, I've been busy doing other things... ;-)

> Up to this point the common consensus was that a fresh MailScanner
> installation needs manual tweaking before you first fire up the system
> (due to the complexity, several supported MTAs etc. etc.). Hence the
> need for a manual "initial-config". If this consensus changes now I can
> of course try to implement this step to be automatic. I would go for the
> lack of "MailScanner.conf" file ${LOCALBASE}/etc/ though.
>

The part of your "pkg-message.in" file that talks about the need to do "make --initial-config" scrolls off the top of my screen during "make install" (and I have a big screen). This is apparently due to the later addition of the "rcwarning.txt" file. Perhaps this causes some folks to miss that step. How about adding a pause after "@${CAT} ${PKGMESSAGE}"?

> Did I just not see the irony tags or are you guys possibly exaggerating
> just a tiny bit?
>

Exaggerate?
Me? No way! ;-)

>
> Meaning? Please. Enlighten me. How is Julian going to "show me the
> light"?
>

I'm sure Julian is nicer than I am... ;-)

> These kinds of messages really are an interesting way of saying "Thank
> you for creating and maintaining a free port for this system".
>

I never said I didn't appreciate the port. It's the bugs that are the problem. You know what they say, one "'Oh S#$%!" wipes out all your attaboys... ;-)

Use the patch as you wish; just don't give me credit for it. I can give criticism, but I can't take it.. ;-P

Thanks,
Lynn

From admin at thenamegame.com Sun Oct 8 18:20:20 2006
From: admin at thenamegame.com (Michael S.)
Date: Sun Oct 8 18:14:06 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To:
Message-ID: <200610081714.k98HE4v9025168@bkserver.blacknight.ie>

Obviously you're not running Freebsd because the questions you asked don't pertain to Freebsd and its file structure. But, I've already finished up a FreeBSD installer and uninstaller script that one can run immediately after installing MS from ports. It sets up MS completely. All one has to do is run it. It sets up everything including updating your MS installation if you upgrade MS from ports since there is no complete update process.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
Sent: Saturday, October 07, 2006 9:09 PM
To: MailScanner discussion
Subject: Re: Missing /rules files from MailScanner installation fromports

On Sat, 7 Oct 2006, Drew Marshall wrote:

> On 7 Oct 2006, at 06:03, Michael S. wrote:
>
>> Finally somebody who has a clue!!
>
> I think that is a little harsh and along with the tone in your original
> e-mail you are about as likely to walk to the moon as to get this fixed.
>

heh, agreed, and if he's that concerned why not do a tarball install?

It also takes 2 mins to write a quick bash file to copy custom files into new MS, I'll save him time and give it to him so it takes 2 seconds...

#cd /opt/MailScanner-New_Version/etc
# and paste all this in one hit
# merge the old settings into the new default config, then show the changes
mv MailScanner.conf MailScanner.conf.default
../bin/upgrade_MailScanner_conf /opt/MailScanner/etc/MailScanner.conf \
    MailScanner.conf.default > MailScanner.conf
diff /opt/MailScanner/etc/MailScanner.conf MailScanner.conf
cp /opt/MailScanner/etc/filename.rules.conf .
cp /opt/MailScanner/etc/filetype.rules.conf .
cp /opt/MailScanner/etc/mailscanner-mrtg.conf .
cp /opt/MailScanner/etc/spam.assassin.prefs.conf .
cp /opt/MailScanner/etc/phishing.safe.sites.conf .
# custom rulesets
cd rules/
cp /opt/MailScanner/etc/rules/bounce.rules .
cp /opt/MailScanner/etc/rules/police.rules .
cp /opt/MailScanner/etc/rules/reject.msg.rules .
cp /opt/MailScanner/etc/rules/contentscan.rules .
cp /opt/MailScanner/etc/rules/spam.whitelist.rules .
# custom report texts
cd ../reports/en
cp /opt/MailScanner/etc/reports/en/sender.content.report.txt .
cp /opt/MailScanner/etc/reports/en/rejection.report.txt .
cp /opt/MailScanner/etc/reports/en/sender.filename.report.txt .
# end

that's it, all customisations in place, it might be risky copying some of the prefs files, but I've been doing it for a while without problem.
--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From MailScanner at ecs.soton.ac.uk Sun Oct 8 18:18:58 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Oct 8 18:20:28 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To:
References:
Message-ID: <45293302.8020707@ecs.soton.ac.uk>

Skipped content of type multipart/alternative

From Jan-Peter.Koopmann at seceidos.de Sun Oct 8 18:53:49 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Sun Oct 8 18:54:04 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To: <45292D91.6010401@txk.k12.ar.us>
Message-ID:

On Sunday, October 08, 2006 6:56 PM James L. Day wrote:

> I don't want to deinstall the whole port;

I misunderstood.

> I just don't want the thing
> to install two copies of everything. I searched my system for
> .sample files and found a total of 633, of which 477 were put there
> by your port. That leaves 156 for the other 176 ports installed on
> my system.
> Yes, I know, you didn't want to wipe out any customized files.
> However, a "make --remove-samples" or something to that effect would
> be nice.

It honestly never occurred to me. This might be a problem though. If you deinstall the samples and later deinstall the port it will try to deinstall everything in pkg-plist again and will throw errors/warnings. The other possibility would be to not install the .samples in the first place but creating a "make --create-samples" just like "initial-config". To be honest: I am not sure how much work this would be and when I have the time for it.

> playing with Linux/FreeBSD since 1994. Yeah, like you, I've been
> busy doing
> other things... ;-)

I hopefully did not suggest otherwise. :-)

> The part of your "pkg-message.in" file that talks about the need to
> do "make --initial-config" scrolls off the top of my screen during
> "make install" (and I have a big screen). This is apparently due to
> the later addition of the "rcwarning.txt" file. Perhaps this causes
> some folks to miss that step. How about adding a pause after
> "@${CAT} ${PKGMESSAGE}"?

Yepp. Sounds like an idea. And I might get rid of rcwarning.txt now that it has been in there for quite a while.

> I'm sure Julian is nicer than I am... ;-)

I am not sure if he is nicer than you but he sure is very nice! *g*

> I never said I didn't appreciate the port.

Well.
It came across like this or to be more exact Michael did/does.

> Use the patch as you wish; just don't give me credit for it. I can
> give criticism, but I can't take it.. ;-P

All the more reason to mention your support. :-)

Regards,
JP

From alex at nkpanama.com Sun Oct 8 20:11:35 2006
From: alex at nkpanama.com (alex)
Date: Sun Oct 8 20:14:05 2006
Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spamscoring?
In-Reply-To: <45236837.20409@ecs.soton.ac.uk>
References: <45236837.20409@ecs.soton.ac.uk>
Message-ID:

On Wed, 04 Oct 2006 08:52:23 +0100, Julian Field wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Duncan, Brian M. wrote:
>> Just the capability of being able to add a generic header to all Spam
>> detected messages would be a great start:
>>
>> X-MS-Exchange-Organization-SCL: 6.5
> Read the docs. Check out "Spam Actions" and the "header" action.
>>

Could it be done by changing Spam Score Header from:
X-%org-name%-MailScanner-SpamScore:
to:
X-MS-Exchange-Organization-SCL:
and then adding
Spam Score Number Format = %d
and
SpamScore Number Instead Of Stars = yes

?

From wjohns at balita.ph Sun Oct 8 20:24:11 2006
From: wjohns at balita.ph (Wayne)
Date: Sun Oct 8 20:40:07 2006
Subject: Header message suddenly appeared
In-Reply-To:
References: <45292D91.6010401@txk.k12.ar.us>
Message-ID: <200610081924.k98JOCHO014923@balita.ph>

For no reason (I had not edited the conf file) {Scanned} suddenly has started to appear in the headers. I have checked the two lines that control this and this is what is there.

Scanned Modify Subject = no
Scanned Subject Text =

I have done a full restart but still it is appearing at random.

I am editing or looking at mailscanner.conf at /etc/mailscanner which I presume is correct.

Hopefully this message will contain the {Scanned} tag :-)

Wayne

--
This message has been scanned for viruses and dangerous content by Balita MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Sun Oct 8 21:02:39 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Oct 8 21:02:50 2006 Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spamscoring? In-Reply-To: References: <45236837.20409@ecs.soton.ac.uk> Message-ID: <4529595F.20606@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 alex wrote: > On Wed, 04 Oct 2006 08:52:23 +0100, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Duncan, Brian M. wrote: >> >>> Just the capability of being able to add a generic header to all Spam >>> detected messages would be a great start: >>> >>> X-MS-Exchange-Organization-SCL: 6.5 >>> >> Read the docs. Check out "Spam Actions" and the "header" action. >> > > Could it be done by changing Spam Score Header from: > X-%org-name%-MailScanner-SpamScore: > to: > X-MS-Exchange-Organization-SCL: > and then adding > Spam Score Number Format = %d > and > SpamScore Number Instead Of Stars = yes > > ? > Let me know if this works. And if it doesn't, why it doesn't. Compatibility would be good. Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: UTF-8 wj8DBQFFKVlgEfZZRxQVtlQRAtzxAJ9lb/ElsqvtsPpzwQX8HY/KS7UrbgCeIAzy WzXmGFlraeuw8nNRGc4xWkI= =BaqC -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From res at ausics.net Sun Oct 8 23:44:33 2006 
From: res at ausics.net (Res)
Date: Sun Oct 8 23:44:41 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To:
References:
Message-ID:

On Sun, 8 Oct 2006, Koopmann, Jan-Peter wrote:

> On Saturday, October 07, 2006 5:16 PM James L. Day wrote:
>> I'd be inclined to show him the light.
>
> Meaning? Please. Enlighten me. How is Julian going to "show me the
> light"?
>

Maybe you can show them the light, and cease to do the port, then they will really have something to have their over exaggerated dummy spits about won't they :P

completely unappreciative jerks, if they don't like your way, let them do it their way.

In fact most would not even bother to read anything more they said, let alone grace these morons with a reply

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From glenn.steen at gmail.com Mon Oct 9 00:06:52 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Oct 9 00:06:56 2006 Subject: Header message suddenly appeared In-Reply-To: <200610081924.k98JOCHO014923@balita.ph> References: <45292D91.6010401@txk.k12.ar.us> <200610081924.k98JOCHO014923@balita.ph> Message-ID: <223f97700610081606s112a11f0ofa3470363996aa70@mail.gmail.com> On 08/10/06, Wayne wrote: > For no reason (I had not edited the conf file) {Scanned} suddenly has > started to appear in the headers. I have checked the two line that > control this and this is what is there. > > Scanned Modify Subject = no > Scanned Subject Text = > > I have done a full restart but still it is appearing at random. > > I am editing or looking at mailscanner.conf at /etc/mailscanner which > I presume is correct. > > Hopefully this message will contain the {Scanned} tag :-) > > Wayne > Are you sure it is *your* MailScanner adding the tag? Look at the headers... Might have passed through some other MS first:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From wjohns at balita.ph Mon Oct 9 00:21:33 2006 
From: wjohns at balita.ph (wjohns@balita.ph)
Date: Mon Oct 9 00:21:39 2006
Subject: Header message suddenly appeared
Message-ID: <1160349693.3814@balita.ph>

Glenn Steen wrote ..

I have been test mailing myself with test messages - and they contain {Scanned} however, if I send a second message with the same subject title the tag does not appear. If I send another with subject test - 100 that arrives with {Scanned} in the subject. Seems to be occurring with messages in and out ... I have even sent tests from my mac.com account all of which arrive with {Scanned} in the subject line.

Many thanks

- Wayne -

>
>
> Are you sure it is *your* MailScanner adding the tag? Look at the
> headers... Might have passed through some other MS first:-).
>
> --
> -- Glenn

From gmane at tippingmar.com Mon Oct 9 01:23:43 2006
From: gmane at tippingmar.com (Mark Nienberg)
Date: Mon Oct 9 01:23:50 2006
Subject: OT reassemble df qf pair
Message-ID:

Every once in a while, in order to troubleshoot a particular delivery problem, it would be nice if I could reassemble a sendmail (qf df) pair into the original message. If someone could tell me how to do that, I would greatly appreciate it.

Thanks,
Mark

From r.berber at computer.org Mon Oct 9 02:11:43 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Oct 9 02:11:51 2006
Subject: OT reassemble df qf pair
In-Reply-To:
References:
Message-ID:

Mark Nienberg wrote:
> Every once in a while, in order to troubleshoot a particular delivery
> problem, it would be nice if I could reassemble a sendmail (qf df) pair
> into the original message. If someone could tell me how to do that, I
> would greatly appreciate it.

In MailScanner's bin directory there is a utility called df2mbox, it may be what you are looking for.

--
René Berber

From gmane at tippingmar.com Mon Oct 9 03:54:37 2006
From: gmane at tippingmar.com (Mark Nienberg)
Date: Mon Oct 9 03:54:44 2006
Subject: OT reassemble df qf pair
In-Reply-To:
References:
Message-ID:

René Berber wrote:
> Mark Nienberg wrote:
>
>> Every once in a while, in order to troubleshoot a particular delivery
>> problem, it would be nice if I could reassemble a sendmail (qf df) pair
>> into the original message. If someone could tell me how to do that, I
>> would greatly appreciate it.
>
> In MailScanner's bin directory there is a utility called df2mbox, it may be what you are looking for.

I don't think that is quite the ticket. The resulting headers are incomplete, not the same as the original message.
Thanks for the suggestion though.

Mark

From admin at thenamegame.com Mon Oct 9 05:11:08 2006
From: admin at thenamegame.com (Michael S.)
Date: Mon Oct 9 05:05:54 2006
Subject: Missing /rules files from MailScanner installation fromports
In-Reply-To:
Message-ID: <200610090405.k9945p9R005316@bkserver.blacknight.ie>

Thanks for all your replies JP.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Koopmann, Jan-Peter
Sent: Sunday, October 08, 2006 8:33 AM
To: James L. Day; MailScanner discussion
Subject: RE: Missing /rules files from MailScanner installation fromports

On Saturday, October 07, 2006 5:16 PM James L. Day wrote:

> The FreeBSD MailScanner port puts .sample files all over the place,
> but I've never seen anything in the port to remove them...

Since they are listed in pkg-plist they will get removed during make deinstall automatically.

> The attached Makefile patch I whipped up should make the port install
> and run with fewer errors...

Thanks for the patch. I will have a look at it and integrate it in the next version if you don't mind. That is the sort of constructive criticism that really helps everybody. Sincere thanks.

> And yes, after running "make install" you must run "make
> initial-config". It would be nice if during a first-time install,
> the port would perform "initial-config" automatically. It could be
> triggered by the lack of a "/usr/local/etc/MailScanner" directory or
> the "MailScanner.conf" file, etc.

Up to this point the common consensus was that a fresh MailScanner installation needs manual tweaking before you first fire up the system (due to the complexity, several supported MTAs etc. etc.). Hence the need for a manual "initial-config". If this consensus changes now I can of course try to implement this step to be automatic. I would go for the lack of "MailScanner.conf" file ${LOCALBASE}/etc/ though.

> If I were the creator of a cool application such as MailScanner and a
> port maintainer was causing public outcry,

Public outcry? Have I been missing something? Up to this message (which was brought to my attention via e-mail) I cannot find any real complaints. And even these complaints do not qualify as "public outcry" at least not in my view of the world. That is very subjective of course.
Did I just not see the irony tags or are you guys possibly exaggerating just a tiny bit? > I'd be inclined to show him the light. Meaning? Please. Enlighten me. How is Julian going to "show me the light"? These kinds of messages really are an interesting way of saying "Thank you for creating and maintaining a free port for this system". I developed this port strictly for my self and decided to share it with the FreeBSD community. I do not expect thousands of "Thank you" mails. I honestly do not expect to be "shown the light" either though. Kind regards, JP -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Mon Oct 9 08:11:18 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 9 08:11:21 2006
Subject: Header message suddenly appeared
In-Reply-To: <1160349693.3814@balita.ph>
References: <1160349693.3814@balita.ph>
Message-ID: <223f97700610090011m95c51d2if74475404f68ea47@mail.gmail.com>

On 09/10/06, wjohns@balita.ph wrote:
> Glenn Steen wrote ..
>
> I have been test mailing myself with test messages - and they contain {Scanned} however, if I send a second message with the same subject title the tag does not appear. If I send another with subject test - 100 that arrives with {Scanned} in the subject. Seems to be occurring with messages in and out ... I have even sent tests from my mac.com account all of which arrive with {Scanned} in the subject line.
>
> Many thanks
>
> - Wayne -

Hm. Are those messages passed through "NewsBalita" too? If so, one might note that _these_ messages aren't tagged. Is it possible that you have more than one server handling this? Looking at the DNS for balita.ph it doesn't look that way, but better to ask one question too many:-).
While we're at it, why not add some more info... Like version of MS and method of install (perhaps OS too)...

> >
> > Are you sure it is *your* MailScanner adding the tag? Look at the
> > headers... Might have passed through some other MS first:-).
> >
> > --
> > -- Glenn

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From DawsonA at chesterfield.ac.uk Mon Oct 9 10:06:04 2006
From: DawsonA at chesterfield.ac.uk (Dawson, Alan) Date: Mon Oct 9 10:07:36 2006 Subject: Debian Sarge, MailScanner, Exim, Spamassassin Message-ID: Hi, I'm in the process of setting up a MailScanning gateway using Debian Sarge, MailScanner, Exim, ClamAV and Spamassassin. Exim runs as user Debian-exim and group Debian-exim so I altered the Run As Group and Run as User to those also. Should I alter the SpamAssassin User State Dir = To be /home/Debian-exim/ ( or similar writeable location by Debian-exim )so that SpamAssassin can place its bayesian and auto whitelist stuff etc somewhere ? Thanks -- Alan Dawson From martinh at solidstatelogic.com Mon Oct 9 10:21:07 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Oct 9 10:21:17 2006 Subject: Debian Sarge, MailScanner, Exim, Spamassassin In-Reply-To: References: Message-ID: <452A1483.8080200@solidstatelogic.com> Dawson, Alan wrote: > Hi, I'm in the process of setting up a MailScanning gateway using Debian Sarge, MailScanner, Exim, ClamAV and Spamassassin. > > Exim runs as user Debian-exim and group Debian-exim so I altered the Run As Group and Run as User to those also. > > Should I alter the > > SpamAssassin User State Dir = > To be /home/Debian-exim/ ( or similar writeable location by Debian-exim )so that SpamAssassin can place its bayesian and auto whitelist stuff etc somewhere ? > > Thanks > -- > Alan Dawson > > > > > > > > > > > Alan in a word yes, also make sure you're running eximv4 and not the default V3 (you'll need to find this in the testing repository I think). There's an entire debian-exim maillist that you might to get onto in order to help you get the eximv4 working before you pop anything else into the mix. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From prandal at herefordshire.gov.uk Mon Oct 9 11:19:12 2006 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Oct 9 11:21:04 2006 Subject: MS and SA diuffer Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580FC69B85@isabella.herefordshire.gov.uk> Brian Duncan said: > I emailed the original poster about his problem and he said his worked > when he changed his max spamassassin message size from something > Like 60K to 60000. That's a bug which I reported here last week: http://article.gmane.org/gmane.mail.virus.mailscanner/44811/match= Any chance of a fix, Jules? I'd guess that there's more than just two of us who have been bitten by this. Cheers, Phil From prandal at herefordshire.gov.uk Mon Oct 9 11:22:49 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Oct 9 11:30:13 2006 Subject: version of MS that has "max spamassassin size"? Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580FC69B89@isabella.herefordshire.gov.uk> There's a parsing bug in the latest version. Use Max Spamassassin Size = 40000 in preference to MaxSpamassassin Size = 40k The latter truncates rather drastically. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Daniel Maher
> Sent: 06 October 2006 21:35
> To: MailScanner discussion
> Subject: version of MS that has "max spamassassin size"?
>
> Hello all,
>
> A simple question:
>
> What version of MailScanner introduced the following
> configuration option?
>
> "Max Spamassassin Size"
>
> Thank you. :)
>
>
> --
> _
> ?v? Daniel Maher
> /(_)\ Administrateur Système Unix
> ^ ^ Unix System Administrator
>
> Sentio aliquos togatos contra me conspirare.

From shuttlebox at gmail.com Mon Oct 9 12:17:28 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Mon Oct 9 12:17:32 2006
Subject: DoS lack of logs
Message-ID: <625385e30610090417t65abb526i7635764bc8d50c84@mail.gmail.com>

I have been hit with some archive that uses all the resources and slows mail thruput to the point that the incoming queue only grows and grows.

When the virus scanner times out that is logged and MailScanner records a denial of service attempt but only the MS process is shown in the syslogs. I would like the message id's of that batch in the logs, or better yet the offending message id if it's possible.

It's now hard to find the message that causes this or do you guys have a good way of finding it?

--
/peter

From mailscanner at mango.zw Mon Oct 9 13:18:20 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Mon Oct 9 13:15:17 2006
Subject: DoS lack of logs
In-Reply-To: <625385e30610090417t65abb526i7635764bc8d50c84@mail.gmail.com>
Message-ID:

On Mon, 9 Oct 2006, shuttlebox wrote:

> Date: Mon, 9 Oct 2006 13:17:28 +0200
> From: shuttlebox > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: DoS lack of logs > > I have been hit with some archive that uses all the resources and > slows mail thruput to the point that the incoming queue only grows and > grows. > > When the virus scanner times out that is logged and MailScanner > records a denial of service attempt but only the MS process in shown > in the syslogs. I would like the message id's of that batch in the > logs, or better yet the offending message id if it's possible. > > It's now hard to find the message that causes this or do you guys have > a good way of finding it? I am pretty sure that this is only a problem on older versions of MailScanner and that if you update to the current version the problem will disappear. Not only does the current version minimise the chances of a denial of service problem occurring, but if it does occur it will also report more helpfully: Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871 so that you know where the problem is. The problem message will then be quarantined so that it can be dealt with manually if required and the rest of the system will carry on without interference. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From shuttlebox at gmail.com Mon Oct 9 13:22:27 2006 
From: shuttlebox at gmail.com (shuttlebox) Date: Mon Oct 9 13:22:34 2006 Subject: DoS lack of logs In-Reply-To: References: <625385e30610090417t65abb526i7635764bc8d50c84@mail.gmail.com> Message-ID: <625385e30610090522y1fb63c4an8d5f1f45a67aa978@mail.gmail.com> On 10/9/06, Jim Holland wrote: > I am pretty sure that this is only a problem on older versions of > MailScanner and that if you update to the current version the problem will > disappear. Not only does the current version minimise the chances of a > denial of service problem occurring, but if it does occur it will also > report more helpfully: > > Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871 > > so that you know where the problem is. The problem message will then be > quarantined so that it can be dealt with manually if required and the rest > of the system will carry on without interference. That's exactly what I'm looking for. I'm still running 4.50 on those systems, I will upgrade them ASAP then. Thanks! -- /peter From mailscanner at mango.zw Mon Oct 9 14:21:15 2006 From: mailscanner at mango.zw (Jim Holland) Date: Mon Oct 9 14:18:10 2006 Subject: OT reassemble df qf pair In-Reply-To: Message-ID: On Sun, 8 Oct 2006, Mark Nienberg wrote: > Date: Sun, 08 Oct 2006 19:54:37 -0700 
> From: Mark Nienberg
> Reply-To: MailScanner discussion
> To: mailscanner@lists.mailscanner.info
> Subject: Re: OT reassemble df qf pair
>
> René Berber wrote:
> > Mark Nienberg wrote:
> >
> >> Every once in a while, in order to troubleshoot a particular delivery
> >> problem, it would be nice if I could reassemble a sendmail (qf df) pair
> >> into the original message. If someone could tell me how to do that, I
> >> would greatly appreciate it.
> >
> > In MailScanner's bin directory there is a utility called df2mbox, it may be what you are looking for.
>
> I don't think that is quite the ticket. The resulting headers are
> incomplete, not the same as the original message.
> Thanks for the suggestion though.

I append a quick mod to Julian's script that seems to do what you want but for a single queue file pair. It recreates the original headers correctly as far as I can see. The major change is the addition of a match for header lines that start with a space as well as those that start with a tab.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

#!/bin/bash
# q2msg
# Converts sendmail df and qf queue file pair to RFC 822 msg format
# Run this as:
# q2msg [[dfile] | [qfile]]
# Output is $qid.msg

infile=$1
# Strip the leading "qf" or "df" to get the queue id
qid=`echo "$infile" | sed 's/^[qd]f//'`
outfile=$qid.msg
# The S line of the qf file holds the envelope sender
from=`grep '^S' "qf$qid" | sed 's/^S//' | tr -d '<>'`
(
echo "From $from `date -R`"
# Header lines (H?flags?...) plus their continuation lines, which start
# with a space or a tab; [[:blank:]] matches either.
grep -E '(^H\?[^?]*\?)|(^[[:blank:]])' "qf$qid" | sed 's/^H?[^?]*?//' \
    | grep -v "Return-Path: <.g>"
# R lines hold the envelope recipients
grep -E '^R[A-Z]*:' "qf$qid" | sed 's/^R[A-Z]*:/X-MailScanner-Recipient: /' \
    | tr -d '<>'
echo
cat "df$qid"
echo
) > "$outfile"

From MailScanner at ecs.soton.ac.uk Mon Oct 9 14:32:07 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Oct 9 14:32:32 2006
Subject: OT reassemble df qf pair
In-Reply-To:
References:
Message-ID: <452A4F57.1010005@ecs.soton.ac.uk>

Script attached, just wrote it for you.

Usage:
RawSendmailToCompleteMessage qf-name df-name
Or:
RawSendmailToCompleteMessage df-name qf-name
Or:
RawSendmailToCompleteMessage message-queue-id

So basically just chuck it any bits of filenames you have to hand, it will work out what you meant.
It outputs the RFC-822 message on standard output, which you will probably want to redirect to a file.

Example:
RawSendmailToCompleteMessage g4DDWlR20454 > message.txt
which will process qfg4DDWIR20454 and dfg4DDWIR20454 and put the formatted message into "message.txt".
or
RawSendmailToCompleteMessage *00368 | less
which will process the message whose filenames end in 00368 and show you the result with "less".

So hopefully it is as easy to drive as possible.

Script should be attached to this message, gzipped (because that stops anything trying to put a signature on the end of the script by mistake. These damn email systems.... :-)

It has taken me an hour to get right for you, so a reasonable contribution from my Amazon wish list would be much appreciated! (Or just cash in Paypal would be fine too :-)

Regards,
Jules.

Mark Nienberg wrote:
> René Berber wrote:
>> Mark Nienberg wrote:
>>
>>> Every once in a while, in order to troubleshoot a particular delivery
>>> problem, it would be nice if I could reassemble a sendmail (qf df) pair
>>> into the original message. If someone could tell me how to do that, I
>>> would greatly appreciate it.
>>
>> In MailScanner's bin directory there is a utility called df2mbox, it
>> may be what you are looking for.
>
> I don't think that is quite the ticket. The resulting headers are
> incomplete, not the same as the original message.
> Thanks for the suggestion though.
> Mark > Jules -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -------------- next part -------------- A non-text attachment was scrubbed... Name: RawSendmailToCompleteMessage.gz Type: application/x-gzip Size: 543 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061009/f68853bb/RawSendmailToCompleteMessage.gz From MailScanner at ecs.soton.ac.uk Mon Oct 9 14:55:34 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Oct 9 14:56:00 2006 Subject: MS and SA diuffer In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580FC69B85@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580FC69B85@isabella.herefordshire.gov.uk> Message-ID: <452A54D6.5090405@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Randal, Phil wrote: > Brian Duncan said: > > >> I emailed the original poster about his problem and he said his worked >> when he changed his max spamassassin message size from something >> Like 60K to 60000. >> > > That's a bug which I reported here last week: > > http://article.gmane.org/gmane.mail.virus.mailscanner/44811/match= > > Any chance of a fix, Jules? > Done. Will be in the next release. > I'd guess that there's more than just two of us who have been bitten by > this. > > Cheers, > > Phil > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFKlTXEfZZRxQVtlQRApzFAKCreX/lgZ9G93syzRh+iGb8B4cFtQCfVNUx E36zH6/FTCc1vwaPJTeRdn8= =74pR -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Oct 9 15:09:12 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Oct 9 15:09:41 2006 Subject: version of MS that has "max spamassassin size"? In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580FC69B89@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580FC69B89@isabella.herefordshire.gov.uk> Message-ID: <452A5808.3040900@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have just done a fresh release with this problem fixed. Sorry :-( Wasn't having a good time then, was I? Randal, Phil wrote: > There's a parsing bug in the latest version. > > Use > > Max Spamassassin Size = 40000 > > in preference to > > MaxSpamassassin Size = 40k > > The latter truncates rather drastically. > > Cheers, > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Daniel Maher
>> Sent: 06 October 2006 21:35
>> To: MailScanner discussion
>> Subject: version of MS that has "max spamassassin size"?
>>
>> Hello all,
>>
>> A simple question:
>>
>> What version of MailScanner introduced the following
>> configuration option?
>>
>> "Max Spamassassin Size"
>>
>> Thank you. :)
>>
>>
>> --
>> _
>> ?v? Daniel Maher
>> /(_)\ Administrateur Système Unix
>> ^ ^ Unix System Administrator
>>
>> Sentio aliquos togatos contra me conspirare.
>>

Jules

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFFKlgIEfZZRxQVtlQRAmrKAJ48KwAPcY37EpAVP+EU0sOSbS1GagCcCEFd
N2gh9ML8loSzgBHB4X095Rs=
=7hym
-----END PGP SIGNATURE-----

From bpumphrey at woodmclaw.com Mon Oct 9 15:39:24 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Mon Oct 9 15:39:40 2006 Subject: OT: Reverse Lookup Records for Mail Server In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F1E@woodenex.woodmaclaw.local> In the WIKI http://wiki.mailscanner.info/doku.php?id=best_practices&s=trusted The below is written. I have known this to be a good practice for sometime, but DNS gets a little confusing for me sometimes. I apologize for all of the OT that I do, but just searching the internet does not give suggestions. Have a reverse lookup that matches your HELO/EHLO. Many of these policies stem from the fact that spammers will forge addresses. When you send mail to a system that doesn't know you, you've become a potential spammer. You must show that you can be trusted before you will be trusted, and one way of doing that is to have a reverse lookup that matches what your system says it is. Unfortunately, this may be a problem in virtual hosting situations. At the very least make sure that your MX is listed in DNS as the name that will respond to the HELO. See RFC 2821 for more information on the SMTP command HELO. If the MailScanner machine is on the internal network, as in not in a DMZ, and host name ends not in the domain name, how does one set it up? Host names ends in host.domain.local. Does the host name just need to be changed to host.domaain.com? That would seemingly cause problems communicating with the internal machines, or would it? So if the host name is mailscanner.domain.com, Then the reverse dns should be mailscanner.domain.com right? Sounds right to me. What happens when the reverse DNS is mailscanner.domain.com but the actual host name is mailscanner.domain.local? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From derek at adcatanzaro.com Mon Oct 9 15:42:30 2006 
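The wiki advice quoted in the message above (a reverse lookup that matches the HELO name, and at the very least an MX that lists it), written out as a check that runs offline. This is an added example, not part of the original post or of MailScanner; the resolver class, the finding names, the host names and the addresses are constructed for illustration, and a live check would replace StaticResolver with real PTR, A and MX lookups.

```python
from dataclasses import dataclass, field

# Suffixes that only resolve inside a private network (assumed list, extend as needed).
PRIVATE_SUFFIXES = (".local", ".localdomain", ".lan", ".internal")


def norm(name):
    """DNS names compare case-insensitively and ignore the trailing root dot."""
    return name.strip().rstrip(".").lower()


@dataclass
class StaticResolver:
    """Constructed DNS data standing in for real PTR, A and MX lookups."""
    ptr: dict = field(default_factory=dict)  # IP address -> PTR names
    a: dict = field(default_factory=dict)    # host name (lowercase) -> IPv4 addresses
    mx: dict = field(default_factory=dict)   # domain (lowercase) -> MX host names

    def lookup_ptr(self, ip):
        return [norm(n) for n in self.ptr.get(ip, [])]

    def lookup_a(self, name):
        return list(self.a.get(norm(name), []))

    def lookup_mx(self, domain):
        return [norm(n) for n in self.mx.get(norm(domain), [])]


def check_gateway(ip, helo, mail_domain, dns):
    """Check one outbound gateway; return findings, empty list means it passes.

    ip          -- public address the gateway connects from
    helo        -- name the MTA announces in HELO/EHLO
    mail_domain -- domain whose MX records should list that name
    """
    findings = []
    helo = norm(helo)

    # A HELO name that is unqualified or ends in a private suffix can never
    # be confirmed by a receiving server through public DNS.
    if "." not in helo or helo.endswith(PRIVATE_SUFFIXES):
        findings.append("helo-not-public")

    ptr_names = dns.lookup_ptr(ip)
    if not ptr_names:
        findings.append("no-ptr")
    else:
        # The reverse lookup should lead to the name the host announces.
        if helo not in ptr_names:
            findings.append("ptr-helo-mismatch")
        # Forward-confirm: a PTR name must resolve back to the same address,
        # otherwise anyone controlling the reverse zone could claim the name.
        if not any(ip in dns.lookup_a(n) for n in ptr_names):
            findings.append("ptr-not-forward-confirmed")

    # Minimum from the wiki text: the MX is listed under the HELO name.
    if helo not in dns.lookup_mx(mail_domain):
        findings.append("helo-not-in-mx")
    return findings


# Constructed zone data (documentation address ranges, example.com names).
DNS = StaticResolver(
    ptr={
        "192.0.2.25": ["mailscanner.example.com."],
        "198.51.100.7": ["mailscanner.example.com."],  # PTR with no matching A record
    },
    a={"mailscanner.example.com": ["192.0.2.25"]},
    mx={"example.com": ["mailscanner.example.com."]},
)

if __name__ == "__main__":
    cases = [
        ("192.0.2.25", "mailscanner.example.com"),    # public name everywhere
        ("192.0.2.25", "mailscanner.example.local"),  # internal name in HELO
        ("192.0.2.99", "mailscanner.example.com"),    # no reverse record
        ("198.51.100.7", "mailscanner.example.com"),  # PTR not forward-confirmed
    ]
    for ip, helo in cases:
        print(ip, helo, check_gateway(ip, helo, "example.com", DNS) or "ok")
```

The second case is the situation asked about: the reverse DNS says mailscanner.example.com while the host announces a .local name.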
From: derek at adcatanzaro.com (Derek Catanzaro) Date: Mon Oct 9 15:43:19 2006 Subject: Mail Backing up while SpamAssassin is in Use Message-ID: <452A5FD6.80604@adcatanzaro.com> ***I posted this thread in the spamassassin mailing list and was advised by another MailScanner user to post here for tuning tips with MS/SA*** I have been having issues with mail backing up on and off over the past week. I am using MailScanner with SpamAssassin. This morning for example, I had roughly 500 messages waiting in /var/spool/mqueue.in and that number had increased to about 2200 in less than an hour. I then tell MailScanner to stop using SpamAssassin to try and identify if the problem is with SpamAssassin or not and now I'm back down to less than 50 messages waiting in the queue in less than a matter of 10 -15 minutes. So obviously this tells me something is going on with SpamAssassin. I ran "spamassassin --lint -D" and I did not notice any problems with the output other than a dcc timeout. Then again, spamassassin has always worked well for me so I may be missing something in the output because I have really never had to troubleshoot this kind of issue with spamassassin. The recent changes I have made to try and combat the problem is to disable bayes and I turned off the auto expire for the bayes tokens just to make sure that wasn't slowing things down. I am running a local caching name server so I do not believe this to be a DNS timing issue. I can provide my spamassassin --lint -D output if anyone is interested. Fedora Core 1 SpamAssassin 3.1.0 MailScanner 4.49.7 sendmail 8.13.5 Thanks, Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Mon Oct 9 16:06:28 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 9 16:06:33 2006
Subject: OT: Reverse Lookup Records for Mail Server
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F1E@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D1501C13F1E@woodenex.woodmaclaw.local>
Message-ID: <223f97700610090806y724ec79aq12cf532050dc0dd0@mail.gmail.com>

On 09/10/06, Billy A. Pumphrey wrote:
> In the WIKI
> http://wiki.mailscanner.info/doku.php?id=best_practices&s=trusted
>
> The below is written. I have known this to be a good practice for
> sometime, but DNS gets a little confusing for me sometimes. I apologize
> for all of the OT that I do, but just searching the internet does not
> give suggestions.
>
> Have a reverse lookup that matches your HELO/EHLO.
> Many of these policies stem from the fact that spammers will forge
> addresses. When you send mail to a system that doesn't know you, you've
> become a potential spammer. You must show that you can be trusted before
> you will be trusted, and one way of doing that is to have a reverse
> lookup that matches what your system says it is. Unfortunately, this may
> be a problem in virtual hosting situations. At the very least make sure
> that your MX is listed in DNS as the name that will respond to the HELO.
> See RFC 2821 for more information on the SMTP command HELO.

What this means is that if your host says it is host.example.net, looking up the IP address you are connecting as should lead to that name (and if that's not possible, for some unknowable reason... The MX pointed to for example.net should be the hostname you helo as...).

> If the MailScanner machine is on the internal network, as in not in a
> DMZ, and host name ends not in the domain name, how does one set it up?
> Host names ends in host.domain.local.

Thing is that .local isn't a top level domain that you should "spread" to the internet.
If one were to try reach your host from the internet, one would look up the MX for your domain, and go to that address... What that host "thinks" it is named is pretty irrelevant, as long as it answers in accordance to the _public_ DNS settings. So in your case, you have a _private_ DNS setup that is geared toward a (broken IMO) AD setup (the gospel according to M$... Sigh), and a _public_ DNS entry for your MX gateway. This type of "split view" is rather common. One might opt for not confusing oneself by not having two separate naming spaces, but rather the same names, but different views instead (much better:-). > Does the host name just need to be changed to host.domaain.com? That > would seemingly cause problems communicating with the internal machines, > or would it? Not really, no. It all depends on how you do things:-). As long as you can find your way to MS-exchange.example.local (and the other way around) and you have setup trusts etc, you should be fine. > So if the host name is mailscanner.domain.com, Then the reverse dns > should be mailscanner.domain.com right? Sounds right to me. > > What happens when the reverse DNS is mailscanner.domain.com but the > actual host name is mailscanner.domain.local? As long as you set it up to accept for the domains involved, I see no real problem. Handling a true split view DNS setup is rather more easy than the .local idiocy... At least to my eyes:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From bpumphrey at woodmclaw.com Mon Oct 9 16:09:24 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Mon Oct 9 16:09:37 2006 Subject: OT: Scanning outgoing mail In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F1F@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Logan Shaw > Sent: Friday, October 06, 2006 7:02 PM > To: MailScanner discussion > Subject: RE: OT: Scanning outgoing mail > > On Fri, 6 Oct 2006, Billy A. Pumphrey wrote: > > You guys are so awesome! I have it set up now. I had to go ahead and > > edit the access file and add the exchange server as a relay. > > > > Also I had no connector there so I had to add a new one. > > One thing I don't think anyone else has mentioned is that you > probably want to look at your set of trusted hosts/networks > (the "trusted_networks" setting for SpamAssassin) and think > about whether your Exchange server is in that set and whether > you want it to be in the set. It might already be trusted > if it's on the same subnet with trusted clients. Or not, > depending on how you have it set up. > > How it should be set up is probably a judgement call, > but it'd probably be worthwhile to be intentional about > whatever you choose. Including the Exchange server in the > trusted_networks set will mean it won't be checked against RBLs > and stuff like that. And I believe messages coming from it and > going through your MailScanner machine will also get an extra > negative score for ALL_TRUSTED. (Though whether any outside > parties care about how you score messages as they leave your > server is another question.) > > - Logan > -- Looks like it might be trusted already. I know I remember looking into this before, but I cannot find the config that the settings go into. I checked the spam.assassin.prefs.conf but not in there. Where is this setting at again? 
SpamAssassin Score: -2.62
Spam Report:

Score   Matching Rule      Description
cached not score=-2.625 5 required spam autolearn=not
-1.80   ALL_TRUSTED        Passed through trusted hosts only via SMTP
-2.60   BAYES_00           Bayesian spam probability is 0 to 1%
 0.00   HTML_MESSAGE       HTML included in message
 1.27   INFO_TLD           Contains an URL in the INFO top-level domain
 0.50   TJ_EMPTY_SUBJECT   Empty subject. Could be a MyDoom bounce.

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From glenn.steen at gmail.com Mon Oct 9 16:11:16 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 9 16:11:19 2006
Subject: version of MS that has "max spamassassin size"?
In-Reply-To: <452A5808.3040900@ecs.soton.ac.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580FC69B89@isabella.herefordshire.gov.uk> <452A5808.3040900@ecs.soton.ac.uk>
Message-ID: <223f97700610090811m3d115e3ay2d7a71c20dba64af@mail.gmail.com>

On 09/10/06, Julian Field wrote:
(snip) > Wasn't having a good time then, was I? ... or perhaps you were.... Will implement first thing tomorrow.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Richard.Frovarp at sendit.nodak.edu Mon Oct 9 16:41:13 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Mon Oct 9 16:41:17 2006 Subject: Mail Backing up while SpamAssassin is in Use In-Reply-To: <452A5FD6.80604@adcatanzaro.com> References: <452A5FD6.80604@adcatanzaro.com> Message-ID: <452A6D99.5030005@sendit.nodak.edu> Derek Catanzaro wrote: > ***I posted this thread in the spamassassin mailing list and was > advised by another MailScanner user to post here for tuning tips with > MS/SA*** > > I have been having issues with mail backing up on and off over the > past week. I am using MailScanner with SpamAssassin. This morning > for example, I had roughly 500 messages waiting in > /var/spool/mqueue.in and that number had increased to about 2200 in > less than an hour. I then tell MailScanner to stop using SpamAssassin > to try and identify if the problem is with SpamAssassin or not and now > I'm back down to less than 50 messages waiting in the queue in less > than a matter of 10 -15 minutes. So obviously this tells me something > is going on with SpamAssassin. > > I ran "spamassassin --lint -D" and I did not notice any problems with > the output other than a dcc timeout. Then again, spamassassin has > always worked well for me so I may be missing something in the output > because I have really never had to troubleshoot this kind of issue > with spamassassin. The recent changes I have made to try and combat > the problem is to disable bayes and I turned off the auto expire for > the bayes tokens just to make sure that wasn't slowing things down. > > I am running a local caching name server so I do not believe this to > be a DNS timing issue. I can provide my spamassassin --lint -D output > if anyone is interested. > > Fedora Core 1 > SpamAssassin 3.1.0 > MailScanner 4.49.7 > sendmail 8.13.5 > > Thanks, > Derek > How long is the dcc timeout? 10 seconds? 500 messages times 10 seconds is about 83 minutes of extra processing time, since that timeout would count for each check. 
It would seem that you have found your problem. Richard From derek at adcatanzaro.com Mon Oct 9 17:21:15 2006 
From: derek at adcatanzaro.com (Derek Catanzaro) Date: Mon Oct 9 17:21:34 2006 Subject: OT - Re: Mail Backing up while SpamAssassin is in Use In-Reply-To: <452A6D99.5030005@sendit.nodak.edu> References: <452A5FD6.80604@adcatanzaro.com> <452A6D99.5030005@sendit.nodak.edu> Message-ID: <452A76FB.200@adcatanzaro.com> Richard Frovarp wrote: > Derek Catanzaro wrote: >> ***I posted this thread in the spamassassin mailing list and was >> advised by another MailScanner user to post here for tuning tips with >> MS/SA*** >> >> I have been having issues with mail backing up on and off over the >> past week. I am using MailScanner with SpamAssassin. This morning >> for example, I had roughly 500 messages waiting in >> /var/spool/mqueue.in and that number had increased to about 2200 in >> less than an hour. I then tell MailScanner to stop using >> SpamAssassin to try and identify if the problem is with SpamAssassin >> or not and now I'm back down to less than 50 messages waiting in the >> queue in less than a matter of 10 -15 minutes. So obviously this >> tells me something is going on with SpamAssassin. >> >> I ran "spamassassin --lint -D" and I did not notice any problems with >> the output other than a dcc timeout. Then again, spamassassin has >> always worked well for me so I may be missing something in the output >> because I have really never had to troubleshoot this kind of issue >> with spamassassin. The recent changes I have made to try and combat >> the problem is to disable bayes and I turned off the auto expire for >> the bayes tokens just to make sure that wasn't slowing things down. >> >> I am running a local caching name server so I do not believe this to >> be a DNS timing issue. I can provide my spamassassin --lint -D >> output if anyone is interested. >> >> Fedora Core 1 >> SpamAssassin 3.1.0 >> MailScanner 4.49.7 >> sendmail 8.13.5 >> >> Thanks, >> Derek >> > How long is the dcc timeout? 10 seconds? 
500 messages times 10 seconds > is about 83 minutes of extra processing time, since that timeout would > count for each check. It would seem that you have found your problem. > > Richard Where is the dcc timeout set? According to my "spamassassin --lint -D" results it is timing out after 5 seconds, so I'm assuming that is the timeout setting. dcc: check timed out after 5 seconds I have 2 MailScanner servers with the same setup, and one is able to use dcc and the other is timing out. I'm not sure why one would be timing out and the other not? They are on the same network both using local caching name server and both using the same DNS servers if it is not cached. Is there a .conf I can check to find out what IP or dns name dcc tries to connect to? Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From wjohns at balita.ph Mon Oct 9 18:02:06 2006 
From: wjohns at balita.ph (Wayne) Date: Mon Oct 9 18:02:11 2006 Subject: Header message suddenly appeared In-Reply-To: <223f97700610090011m95c51d2if74475404f68ea47@mail.gmail.com > References: <1160349693.3814@balita.ph> <223f97700610090011m95c51d2if74475404f68ea47@mail.gmail.com> Message-ID: <200610091702.k99H27Wj023598@balita.ph> At 08:11 09/10/2006, you wrote: Glenn We only have one sendmail install on the server (it is Balita's own server not shared). Our MS version is MailScanner-4.55.10-3 installed from a tar file using ./install.sh OS is Red Hat Enterprise Server 3. I have noted from the daily LogWatch the following error: Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf. : 18 Time(s) Enabling SpamAssassin auto-whitelist functionality... : 12 Time(s) >>> Unrecognised keyword "spamassassinprefsfile" at line 2205 : 9 Time(s) It is to be noted the error on line >>> says spamassassinprefsfile line 2205 is as follows: Line 2205 is # unsupported - code may be completely untested, a contributed dirty hack, # anything, really. # alpha - code is pretty well untested. Don't assume it will work. # beta - code is tested a bit. It should work. # supported - code *should* be reliable. # # Don't even *think* about setting this to anything other than "beta" or # "supported" on a system that receives real mail until you have tested it # yourself and are happy that it is all working as you expect it to. # Don't set it to anything other than "supported" on a system that could # ever receive important mail. # # READ and UNDERSTAND the above text BEFORE changing this. # Minimum Code Status = supported Envelope From Header = X-MailScanner-From: Envelope To Header = X-MailScanner-To: Line 2223 is reads ... SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf I have listed line 2205 to 2223 as 2223 is the only one I can see that relate to the error in my LogWatch. Whether the two problems are related I do not know. 
Hopefully someone can help with both. Regards Wayne >Hm. Are those messages passed through "NewsBalita" too? If so, one >might note that _these_ messages aren't tagged. >Is it possible that you have more than one server handling this? >Looking at the DNS for balita.ph it doesn't look that way, but better >to ask one question too many:-). >While we're at it, why not add some more info... Like version of MS >and method of install (perhaps OS too)... -- This message has been scanned for viruses and dangerous content by Balita MailScanner, and is believed to be clean. From derek at adcatanzaro.com Mon Oct 9 18:20:08 2006 
From: derek at adcatanzaro.com (Derek Catanzaro) Date: Mon Oct 9 18:20:33 2006 Subject: OT - Mail Backing up while SpamAssassin is in Use In-Reply-To: <452A76FB.200@adcatanzaro.com> References: <452A5FD6.80604@adcatanzaro.com> <452A6D99.5030005@sendit.nodak.edu> <452A76FB.200@adcatanzaro.com> Message-ID: <452A84C8.6030902@adcatanzaro.com> Derek Catanzaro wrote: > Richard Frovarp wrote: >> Derek Catanzaro wrote: >>> ***I posted this thread in the spamassassin mailing list and was >>> advised by another MailScanner user to post here for tuning tips >>> with MS/SA*** >>> >>> I have been having issues with mail backing up on and off over the >>> past week. I am using MailScanner with SpamAssassin. This morning >>> for example, I had roughly 500 messages waiting in >>> /var/spool/mqueue.in and that number had increased to about 2200 in >>> less than an hour. I then tell MailScanner to stop using >>> SpamAssassin to try and identify if the problem is with SpamAssassin >>> or not and now I'm back down to less than 50 messages waiting in the >>> queue in less than a matter of 10 -15 minutes. So obviously this >>> tells me something is going on with SpamAssassin. >>> >>> I ran "spamassassin --lint -D" and I did not notice any problems >>> with the output other than a dcc timeout. Then again, spamassassin >>> has always worked well for me so I may be missing something in the >>> output because I have really never had to troubleshoot this kind of >>> issue with spamassassin. The recent changes I have made to try and >>> combat the problem is to disable bayes and I turned off the auto >>> expire for the bayes tokens just to make sure that wasn't slowing >>> things down. >>> >>> I am running a local caching name server so I do not believe this to >>> be a DNS timing issue. I can provide my spamassassin --lint -D >>> output if anyone is interested. 
>>> >>> Fedora Core 1 >>> SpamAssassin 3.1.0 >>> MailScanner 4.49.7 >>> sendmail 8.13.5 >>> >>> Thanks, >>> Derek >>> >> How long is the dcc timeout? 10 seconds? 500 messages times 10 >> seconds is about 83 minutes of extra processing time, since that >> timeout would count for each check. It would seem that you have found >> your problem. >> >> Richard > Where is the dcc timeout set? According to my "spamassassin --lint > -D" results it is timing out after 5 seconds, so I'm assuming that is > the timeout setting. > dcc: check timed out after 5 seconds > > I have 2 MailScanner servers with the same setup, and one is able to > use dcc and the other is timing out. I'm not sure why one would be > timing out and the other not? They are on the same network both using > local caching name server and both using the same DNS servers if it is > not cached. Is there a .conf I can check to find out what IP or dns > name dcc tries to connect to? > Derek > Well, I decided to disable the dcc checks in /etc/mail/spamassassin/mailscanner.cf and that seems to have fixed my mail backup for now. I was reading in the dcc faq's that if you are processing over 100,000 messages per day that you may run into timeout issues. I really don't think I am processing that many messages, possibly around 80,000. I do not have anything like mailscanner-MRTG or mailwatch running so I'm not certain on the exact number of messages processed per day. Is there any way for me to find out how many messages have been processed by MailScanner without implementing mailscanner-MRTG or mailwatch? Thanks, Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From gmane at tippingmar.com Mon Oct 9 18:19:10 2006 
From: gmane at tippingmar.com (Mark Nienberg) Date: Mon Oct 9 18:23:42 2006 Subject: OT reassemble df qf pair In-Reply-To: <452A4F57.1010005@ecs.soton.ac.uk> References: <452A4F57.1010005@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Script attached, just wrote it for you. > > Usage: RawSendmailToCompleteMessage qf-name df-name > Or: RawSendmailToCompleteMessage df-name qf-name > Or: RawSendmailToCompleteMessage message-queue-id > > So basically just chuck it any bits of filenames you have to hand, it > will work out what you meant. > > It outputs the RFC-822 message on standard output, which you will > probably want to redirect to a file. > Example: > > RawSendmailToCompleteMessage g4DDWlR20454 > message.txt > which will process qfg4DDWIR20454 and dfg4DDWIR20454 and put the > formatted message into "message.txt". > > or > > RawSendmailToCompleteMessage *00368 | less > which will process the message whose filenames end in 00368 and show you > the result with "less". > > So hopefully it is as easy to drive as possible. > > > Script should be attached to this message, gzipped (because that stops > anything trying to put a signature on the end of the script by mistake. > These damn email systems.... :-) > > > It has taken me an hour to get right for you, so a reasonable > contribution from my Amazon wish list would be much appreciated! (Or > just cash in Paypal would be fine too :-) > > Regards, > Jules. It works beautifully. Thanks very much. Mark From rgreen at trayerproducts.com Mon Oct 9 18:54:34 2006 
From: rgreen at trayerproducts.com (Green, Rodney) Date: Mon Oct 9 18:55:45 2006 Subject: OT: ICANN ordered by Illinois court to suspend spamhaus.org Message-ID: <452A8CDA.8030005@trayerproducts.com> http://blogs.securiteam.com/index.php/archives/662 I haven't seen this mentioned here on the MS list. If this were to happen, how much of an effect do you think it will have on us anti-spam people using MS/SpamAssassin? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From gmane at tippingmar.com Mon Oct 9 18:51:43 2006 
From: gmane at tippingmar.com (Mark Nienberg) Date: Mon Oct 9 18:56:59 2006 Subject: OT - Mail Backing up while SpamAssassin is in Use In-Reply-To: <452A84C8.6030902@adcatanzaro.com> References: <452A5FD6.80604@adcatanzaro.com> <452A6D99.5030005@sendit.nodak.edu> <452A76FB.200@adcatanzaro.com> <452A84C8.6030902@adcatanzaro.com> Message-ID: Derek Catanzaro wrote: > processed per day. Is there any way for me to find out how many > messages have been processed by MailScanner without implementing > mailscanner-MRTG or mailwatch? [root@tesla etc]# logwatch --service mailscanner --range yesterday --print ################### Logwatch 7.3.1 (09/15/06) #################### Processing Initiated: Mon Oct 9 10:48:32 2006 Date Range Processed: yesterday ( 2006-Oct-08 ) Period is day. Detail Level of Output: 10 Type of Output: unformatted Logfiles for Host: tesla.tippingmar.com ################################################################## --------------------- MailScanner Begin ------------------------ MailScanner Status: 328 messages Scanned by MailScanner 8.1 Total MB 265 Spam messages detected by MailScanner 229 Spam messages with action(s) delete 36 Spam messages with action(s) deliver 1 hits from MailScanner SpamAssassin cache 6 Content Problems found by MailScanner 91 Messages delivered by MailScanner I can't recall which version of logwatch came with Fedora Core 1, but you'll want to upgrade to the latest version available at logwatch.org. From michele at blacknight.ie Mon Oct 9 19:01:57 2006 
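Added example (not part of the archived thread): a small Python script that answers the "how many messages per day" question straight from the mail log and applies the per-message timeout estimate from earlier in the thread. The log line shape, the sample lines and the `children` parameter (standing in for parallel scanner processes) are assumptions made for the example; adjust the pattern to what your own maillog shows.

```python
import re
from collections import defaultdict

# Assumed syslog shape of MailScanner's per-batch line, for example:
#   Oct  8 09:15:02 mail MailScanner[2310]: New Batch: Scanning 30 messages, 412233 bytes
BATCH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"
    r"MailScanner\[\d+\]:\s+New Batch: Scanning (?P<msgs>\d+) messages, "
    r"(?P<bytes>\d+) bytes"
)

# Constructed sample log lines (not taken from any real server).
SAMPLE_MAILLOG = """\
Oct  8 09:15:02 mail MailScanner[2310]: New Batch: Scanning 30 messages, 412233 bytes
Oct  8 09:15:40 mail MailScanner[2310]: Spam Checks: Found 21 spam messages
Oct  8 23:59:01 mail MailScanner[2311]: New Batch: Scanning 12 messages, 90211 bytes
Oct  9 00:03:11 mail MailScanner[2310]: New Batch: Scanning 1 messages, 2048 bytes
Oct  9 00:03:12 mail sendmail[991]: k99AAAAA000001: from=<a@example.com>, size=2048
""".splitlines()


def messages_per_day(lines):
    """Sum batch sizes per calendar day; lines that are not batch lines are skipped."""
    totals = defaultdict(lambda: {"messages": 0, "bytes": 0, "batches": 0})
    for line in lines:
        m = BATCH_RE.match(line)
        if not m:
            continue
        day = f"{m['mon']} {int(m['day'])}"
        totals[day]["messages"] += int(m["msgs"])
        totals[day]["bytes"] += int(m["bytes"])
        totals[day]["batches"] += 1
    return {day: dict(stats) for day, stats in totals.items()}


def worst_case_scan_minutes(messages, timeout_seconds, children=1):
    """Extra scan time if every message waits out one network-check timeout.

    children=1 reproduces the serial estimate given in the thread
    (500 messages x 10 s is about 83 minutes); a larger value spreads
    the wait over that many parallel scanner processes (an assumption).
    """
    return messages * timeout_seconds / (60 * children)


if __name__ == "__main__":
    for day, stats in messages_per_day(SAMPLE_MAILLOG).items():
        print(day, stats)
    print(f"{worst_case_scan_minutes(500, 10):.0f} minutes of added delay")
```

Feed it the real file with `messages_per_day(open("/var/log/maillog"))`; the path is an assumption and differs between distributions.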
From: michele at blacknight.ie (Michele Neylon :: Blacknight.ie) Date: Mon Oct 9 19:02:10 2006 Subject: OT: ICANN ordered by Illinois court to suspend spamhaus.org In-Reply-To: <452A8CDA.8030005@trayerproducts.com> References: <452A8CDA.8030005@trayerproducts.com> Message-ID: <452A8E95.2070008@blacknight.ie> Green, Rodney wrote: > http://blogs.securiteam.com/index.php/archives/662 > > I haven't seen this mentioned here on the MS list. If this were to > happen, how much of an effect do you think it will have on us anti-spam > people using MS/SpamAssassin? The logical move would be to set it up using a non-ICANN controlled TLD.... -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From gmane at tippingmar.com Mon Oct 9 19:00:16 2006 From: gmane at tippingmar.com (Mark Nienberg) Date: Mon Oct 9 19:05:12 2006 Subject: OT reassemble df qf pair In-Reply-To: <452A4F57.1010005@ecs.soton.ac.uk> References: <452A4F57.1010005@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > It has taken me an hour to get right for you, so a reasonable > contribution from my Amazon wish list would be much appreciated! (Or > just cash in Paypal would be fine too :-) Ordered a MailScanner book this morning! Thanks again, Mark From bpumphrey at woodmclaw.com Mon Oct 9 19:35:06 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Mon Oct 9 19:35:22 2006 Subject: OT: Reverse Lookup Records for Mail Server In-Reply-To: <223f97700610090806y724ec79aq12cf532050dc0dd0@mail.gmail.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F22@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: Monday, October 09, 2006 11:06 AM > To: MailScanner discussion > Subject: Re: OT: Reverse Lookup Records for Mail Server > > On 09/10/06, Billy A. Pumphrey wrote: > > In the WIKI > > http://wiki.mailscanner.info/doku.php?id=best_practices&s=trusted > > > > The below is written. I have known this to be a good practice for > > sometime, but DNS gets a little confusing for me sometimes. I apologize > > for all of the OT that I do, but just searching the internet does not > > give suggestions. > > > > Have a reverse lookup that matches your HELO/EHLO. > > Many of these policies stem from the fact that spammers will forge > > addresses. When you send mail to a system that doesn't know you, you've > > become a potential spammer. You must show that you can be trusted before > > you will be trusted, and one way of doing that is to have a reverse > > lookup that matches what your system says it is. Unfortunately, this may > > be a problem in virtual hosting situations. At the very least make sure > > that your MX is listed in DNS as the name that will respond to the HELO. > > See RFC 2821 for more information on the SMTP command HELO. > > What this means is that if your host says it is host.example.net, > looking up the IP address you are connecting as should lead to that > name (and if that's not possible, for some unknowable reason... The MX > pointed to for example.net should be the hostnme you helo as...). > > > If the MailScanner machine is on the internal network, as in not in a > > DMZ, and host name ends not in the domain name, how does one set it up? > > Host names ends in host.domain.local. > > Thing is that .local isn't a top level domain that you should > "spread" to the internet. If one were to try reach your host from the > internet, one would look up the MX for your domain, and go to that > address... 
What that host "thinks" it is named is pretty irrelevant, > as long as it answers in accordance to the _public_ DNS settings. So > in your case, you have a _private_ DNS setup that is geared toward a > (broken IMO) AD setup (the gospel according to M$... Sigh), and a > _public_ DNS entry for your MX gateway. This type of "split view" is > rather common. One might opt for not confusing oneself by not having > two separate naming spaces, but rather the same names, but different > views instead (much better:-). > > > Does the host name just need to be changed to host.domaain.com? That > > would seemingly cause problems communicating with the internal machines, > > or would it? > > Not really, no. It all depends on how you do things:-). As long as you > can find your way to MS-exchange.example.local (and the other way > around) and you have setup trusts etc, you should be fine. > > > So if the host name is mailscanner.domain.com, Then the reverse dns > > should be mailscanner.domain.com right? Sounds right to me. > > > > What happens when the reverse DNS is mailscanner.domain.com but the > > actual host name is mailscanner.domain.local? > > As long as you set it up to accept for the domains involved, I see no > real problem. Handling a true split view DNS setup is rather more easy > than the .local idiocy... At least to my eyes:-). > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- Ok, thank you for the answer. One more thing and it will be clear to me I believe. Is it best practice then to have all internal host that is behind the firewall to be something like: XPclient1.domain.com XPclient2.domain.com Etc. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mikea at mikea.ath.cx Mon Oct 9 20:06:02 2006 
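Added example (not part of the archived thread): a Python self-check for the wiki advice discussed above, comparing the name a gateway announces in HELO with the PTR record of its public address and, as the fallback the wiki mentions, with the domain's MX hosts. All host names and addresses are constructed; the MX list is passed in by hand (an assumption, since the standard library has no MX lookup), and the lookup functions are injectable so the sample cases run offline.

```python
import socket

# Suffixes that only exist in a private DNS view (assumed list for this example).
PRIVATE_SUFFIXES = (".local", ".localdomain", ".lan", ".internal")


def system_ptr(ip):
    """PTR names for an address via the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + aliases


def system_a(name):
    """IPv4 addresses for a name via the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def norm(name):
    return name.rstrip(".").lower()


def check_helo(helo, ip, mx_hosts, ptr_lookup=system_ptr, a_lookup=system_a):
    """Return (verdict, findings).

    "ok"      HELO name equals a PTR name that resolves back to ip
    "mx-only" PTR differs, but the HELO name is a published MX host
    "fail"    neither holds
    """
    helo_n = norm(helo)
    findings = []
    if helo_n.endswith(PRIVATE_SUFFIXES):
        findings.append("HELO name ends in a private suffix that public DNS cannot resolve")

    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    # Forward-confirm: keep only PTR names whose A record points back at ip.
    confirmed = [n for n in ptr_names if ip in a_lookup(n)]
    if not ptr_names:
        findings.append("no PTR record for the connecting address")
    elif not confirmed:
        findings.append("PTR name does not resolve back to the connecting address")

    if helo_n in confirmed:
        return "ok", findings
    if ptr_names:
        findings.append("HELO name differs from PTR name(s): " + ", ".join(ptr_names))
    if helo_n in {norm(m) for m in mx_hosts}:
        return "mx-only", findings
    findings.append("HELO name is not an MX host for the domain either")
    return "fail", findings


# Constructed public DNS view (documentation address space, example names).
SAMPLE_PTR = {
    "192.0.2.25": ["mailscanner.example.com"],
    "192.0.2.80": ["shared7.hosting.example"],
}
SAMPLE_A = {
    "mailscanner.example.com": ["192.0.2.25"],
    "shared7.hosting.example": ["192.0.2.80"],
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_a(name):
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    cases = [
        ("mailscanner.example.com", "192.0.2.25", ["mailscanner.example.com"]),
        ("mailscanner.example.local", "192.0.2.25", ["mailscanner.example.com"]),
        ("mail.example.org", "192.0.2.80", ["mail.example.org"]),  # virtual hosting
    ]
    for helo, ip, mx in cases:
        print(helo, ip, check_helo(helo, ip, mx, sample_ptr, sample_a))
```

Called without the last two arguments, `check_helo` queries the system resolver, so run it from outside the network to see the public view rather than the internal one.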
From: mikea at mikea.ath.cx (mikea) Date: Mon Oct 9 20:06:10 2006 Subject: OT: ICANN ordered by Illinois court to suspend spamhaus.org In-Reply-To: <452A8E95.2070008@blacknight.ie>; from michele@blacknight.ie on Mon, Oct 09, 2006 at 07:01:57PM +0100 References: <452A8CDA.8030005@trayerproducts.com> <452A8E95.2070008@blacknight.ie> Message-ID: <20061009140602.A98427@mikea.ath.cx> On Mon, Oct 09, 2006 at 07:01:57PM +0100, Michele Neylon :: Blacknight.ie wrote: > Green, Rodney wrote: > > http://blogs.securiteam.com/index.php/archives/662 > > > > I haven't seen this mentioned here on the MS list. If this were to > > happen, how much of an effect do you think it will have on us anti-spam > > people using MS/SpamAssassin? > > The logical move would be to set it up using a non-ICANN controlled TLD.... And make sure that all parts of the apparatus supporting it (e.g., DNS, registrars for the TLD and for the IP space) are non-US. Better still, in the long run, is for Spamhaus to appear in the federal court[1], to defend itself vigorously, for various major ISPs to submit _amicus curiae_ briefs outlining: o their experiences with Atriks/e360 spam; o the measures they've had to take; o how Spamhaus has helped; o and what would happen if Spamhaus were to be shut down. At the moment the judge's order states (IIRC) only that ICANN is to place a suspension or client hold on www.spamhaus.org: : 3. Until such time as defendant demonstrates : to this Court why should not be held in contempt for : its failure to comply with the order for permanent : injunction, a suspension, or client hold, shall be : placed on defendants website, which can be found at : www.Spamhaus.org. : 4. The suspension, or client hold, of : www.Spamhaus.org shall commence immediately. The Internet : Corporation for Assigned Names and Numbers (ICANN), which : was created through a Memorandum of Understanding between : the U.S. 
Department of Commerce and ICANN to transition
: management of the Domain Name System (DNS) from the
: U.S. government to the global community, and/or Tucows,
: Inc., ICANN's accredited registrar for www.spamhaus.org,
: is hereby ordered to suspend or place a client hold on
: www.Spamhaus.org until such time as they receive a further
: order from this Court that such suspension or client hold be
: lifted.

I strongly suspect that the judge phrased this order with *extreme* care.

[1] Apparently their solicitor/barrister advised them not to, but rather to let the suit go to a default judgment; that happened, with disastrous implications.

-- 
Mike Andrews, W5EGO mikea@mikea.ath.cx
Tired old sysadmin

From ka at pacific.net Mon Oct 9 20:58:01 2006
From: ka at pacific.net (Ken A) Date: Mon Oct 9 20:56:17 2006 Subject: OT: ICANN ordered by Illinois court to suspend spamhaus.org In-Reply-To: <20061009140602.A98427@mikea.ath.cx> References: <452A8CDA.8030005@trayerproducts.com> <452A8E95.2070008@blacknight.ie> <20061009140602.A98427@mikea.ath.cx> Message-ID: <452AA9C9.4060002@pacific.net> mikea wrote: > On Mon, Oct 09, 2006 at 07:01:57PM +0100, Michele Neylon :: Blacknight.ie wrote: >> Green, Rodney wrote: >>> http://blogs.securiteam.com/index.php/archives/662 >>> >>> I haven't seen this mentioned here on the MS list. If this were to >>> happen, how much of an effect do you think it will have on us anti-spam >>> people using MS/SpamAssassin? >> The logical move would be to set it up using a non-ICANN controlled TLD.... > And make sure that all parts of the apparatus supporting it (e.g., DNS, > registrars for the TLD and for the IP space) are non-US. > > Better still, in the long run, is for Spamhaus to appear in the federal > court[1], to defend itself vigorously, for various major ISPs to submit > _amicus curiae_ briefs outlining: > o their experiences with Atriks/e360 spam; > o the measures they've had to take; > o how Spamhaus has helped; > o and what would happen if Spamhaus were to be shut down. > > At the moment the judge's order states (IIRC) only that ICANN is to > place a suspension or client hold on www.spamhaus.org: Note this is not a signed order, just a 'proposed' order prepared BY the spammer's lawyer for the judge to sign, which probably won't happen. This is just FUD that spammers like to get the media to spread. spamhaus.org isn't going anywhere. Some district court judge in some farm field in Illinois can't order ICANN or Tucows (in Canada) to do anything. Ken A. Pacific.Net > : 3. 
Until such time as defendant demonstrates > : to this Court why should not be held in contempt for > : its failure to comply with the order for permanent > : injunction, a suspension, or client hold, shall be > : placed on defendants website, which can be found at > : www.Spamhaus.org. > > : 4. The suspension, or client hold, of > : www.Spamhaus.org shall commence immediately. The Internet > : Corporation for Assigned Names and Numbers (ICANN), which > : was created through a Memorandum of Understanding between > : the U.S. Department of Commerce and ICANN to transition > : management of the Domain Name System (DNS) from the > : U.S. government to the global community, and/or Tucows, > : Inc., ICANN's accredited registrar for www.spamhaus.org, > : is hereby ordered to suspend or place a client hold on > : www.Spamhaus.org until such time as they receive a further > : order from this Court that such suspension or client hold be > : lifted. > > I strongly suspect that the judge phrased this order with *extreme* > care. > > [1] Apparently their solicitor/barrister advised them not to, but > rather to let the suit go to a default judgment; that happened, > with disastrous implicaitons. > From edwardbruce at sbcglobal.net Mon Oct 9 21:13:05 2006 
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Mon Oct 9 21:13:08 2006
Subject: OT: ICANN ordered by Illinois court to suspend spamhaus.org
In-Reply-To: <452AA9C9.4060002@pacific.net>
References: <452A8CDA.8030005@trayerproducts.com> <452A8E95.2070008@blacknight.ie> <20061009140602.A98427@mikea.ath.cx> <452AA9C9.4060002@pacific.net>
Message-ID: <452AAD51.3080201@sbcglobal.net>

Ken A wrote:
>
> Note this is not a signed order, just a 'proposed' order prepared BY
> the spammer's lawyer for the judge to sign, which probably won't
> happen. This is just FUD that spammers like to get the media to
> spread. spamhaus.org isn't going anywhere. Some district court judge
> in some farm field in Illinois can't order ICANN or Tucows (in Canada)
> to do anything.

The standard disclaimer about not being a lawyer, but this is a proposed order to be issued from a US District Court. I'm fairly sure this court can order ICANN to comply. Also Tucows is publicly traded on the American Stock Exchange (AMEX:TCX), so I'm guessing a federal court has some clout. Further they have offices in Starkville, Mississippi. So I'm guessing somebody better act to get this resolved more in our favor than the Spammer's.

From ka at pacific.net Mon Oct 9 22:04:10 2006
From: ka at pacific.net (Ken A)
Date: Mon Oct 9 22:02:29 2006
Subject: OT: ICANN ordered by Illinois court to suspend spamhaus.org
In-Reply-To: <452AAD51.3080201@sbcglobal.net>
References: <452A8CDA.8030005@trayerproducts.com> <452A8E95.2070008@blacknight.ie> <20061009140602.A98427@mikea.ath.cx> <452AA9C9.4060002@pacific.net> <452AAD51.3080201@sbcglobal.net>
Message-ID: <452AB94A.2010706@pacific.net>

Ed Bruce wrote:
> Ken A wrote:
>> Note this is not a signed order, just a 'proposed' order prepared BY
>> the spammer's lawyer for the judge to sign, which probably won't
>> happen. This is just FUD that spammers like to get the media to
>> spread. spamhaus.org isn't going anywhere. Some district court judge
>> in some farm field in Illinois can't order ICANN or Tucows (in Canada)
>> to do anything.
> The standard disclaimer about not being a lawyer, but this is a proposed
> order to be issued from a US District Court. I'm fairly sure this court
> can order ICANN to comply. Also Tucows is publicly traded on the
> American Stock Exchange (AMEX:TCX), so I'm guessing a federal court has
> some clout. Further they have offices in Starkville, Mississippi. So I'm
> guessing somebody better act to get this resolved more in our favor than
> the Spammer's.

So, why did the US govt retain control of ICANN again?

... in other O.T. news, google just bought 1.65 billion worth of legal
troubles.

..Now back to your regularly scheduled programming (in perl).

Ken A
Pacific.Net

From brose at med.wayne.edu Mon Oct 9 22:07:59 2006
From: brose at med.wayne.edu (Rose, Bobby)
Date: Mon Oct 9 22:08:05 2006
Subject: OT: ICANN ordered by Illinois court to suspend spamhaus.org
In-Reply-To: <452AB94A.2010706@pacific.net>
Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B023A1739@MED-CORE03-MS1.med.wayne.edu>

I would consider RBLs to be similar to the FTC's Do Not Call list which
was considered to be legal.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
Sent: Monday, October 09, 2006 5:04 PM
To: MailScanner discussion
Subject: Re: OT: ICANN ordered by Illinois court to suspend spamhaus.org

Ed Bruce wrote:
> Ken A wrote:
>> Note this is not a signed order, just a 'proposed' order prepared BY
>> the spammer's lawyer for the judge to sign, which probably won't
>> happen. This is just FUD that spammers like to get the media to
>> spread. spamhaus.org isn't going anywhere. Some district court judge
>> in some farm field in Illinois can't order ICANN or Tucows (in
>> Canada) to do anything.
> The standard disclaimer about not being a lawyer, but this is a
> proposed order to be issued from a US District Court. I'm fairly sure
> this court can order ICANN to comply. Also Tucows is publicly traded
> on the American Stock Exchange (AMEX:TCX), so I'm guessing a federal
> court has some clout. Further they have offices in Starkville,
> Mississippi. So I'm guessing somebody better act to get this resolved
> more in our favor than the Spammer's.

So, why did the US govt retain control of ICANN again?

... in other O.T. news, google just bought 1.65 billion worth of legal
troubles.

..Now back to your regularly scheduled programming (in perl).

Ken A
Pacific.Net

From glenn.steen at gmail.com Mon Oct 9 22:39:51 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 9 22:39:54 2006
Subject: OT: Reverse Lookup Records for Mail Server
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F22@woodenex.woodmaclaw.local>
References: <223f97700610090806y724ec79aq12cf532050dc0dd0@mail.gmail.com> <04D932B0071FE34FA63EBB1977B48D1501C13F22@woodenex.woodmaclaw.local>
Message-ID: <223f97700610091439u67c192e8mf1323612bc2ce8f1@mail.gmail.com>

On 09/10/06, Billy A. Pumphrey wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
> > Sent: Monday, October 09, 2006 11:06 AM
> > To: MailScanner discussion
> > Subject: Re: OT: Reverse Lookup Records for Mail Server
> >
> > On 09/10/06, Billy A. Pumphrey wrote:
> > > In the WIKI
> > > http://wiki.mailscanner.info/doku.php?id=best_practices&s=trusted
> > >
> > > The below is written. I have known this to be a good practice for
> > > sometime, but DNS gets a little confusing for me sometimes. I apologize
> > > for all of the OT that I do, but just searching the internet does not
> > > give suggestions.
> > >
> > > Have a reverse lookup that matches your HELO/EHLO.
> > > Many of these policies stem from the fact that spammers will forge
> > > addresses. When you send mail to a system that doesn't know you, you've
> > > become a potential spammer. You must show that you can be trusted before
> > > you will be trusted, and one way of doing that is to have a reverse
> > > lookup that matches what your system says it is. Unfortunately, this may
> > > be a problem in virtual hosting situations. At the very least make sure
> > > that your MX is listed in DNS as the name that will respond to the HELO.
> > > See RFC 2821 for more information on the SMTP command HELO.
> >
> > What this means is that if your host says it is host.example.net,
> > looking up the IP address you are connecting as should lead to that
> > name (and if that's not possible, for some unknowable reason... The MX
> > pointed to for example.net should be the hostname you helo as...).
> >
> > > If the MailScanner machine is on the internal network, as in not in a
> > > DMZ, and host name ends not in the domain name, how does one set it up?
> > > Host names ends in host.domain.local.
> >
> > Thing is that .local isn't a top level domain that you should
> > "spread" to the internet. If one were to try reach your host from the
> > internet, one would look up the MX for your domain, and go to that
> > address... What that host "thinks" it is named is pretty irrelevant,
> > as long as it answers in accordance to the _public_ DNS settings. So
> > in your case, you have a _private_ DNS setup that is geared toward a
> > (broken IMO) AD setup (the gospel according to M$... Sigh), and a
> > _public_ DNS entry for your MX gateway. This type of "split view" is
> > rather common. One might opt for not confusing oneself by not having
> > two separate naming spaces, but rather the same names, but different
> > views instead (much better:-).
> >
> > > Does the host name just need to be changed to host.domain.com? That
> > > would seemingly cause problems communicating with the internal machines,
> > > or would it?
> >
> > Not really, no. It all depends on how you do things:-). As long as you
> > can find your way to MS-exchange.example.local (and the other way
> > around) and you have setup trusts etc, you should be fine.
> >
> > > So if the host name is mailscanner.domain.com, Then the reverse dns
> > > should be mailscanner.domain.com right? Sounds right to me.
> > >
> > > What happens when the reverse DNS is mailscanner.domain.com but the
> > > actual host name is mailscanner.domain.local?
> >
> > As long as you set it up to accept for the domains involved, I see no
> > real problem. Handling a true split view DNS setup is rather more easy
> > than the .local idiocy... At least to my eyes:-).
> >
> > --
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
> > --
>
> Ok, thank you for the answer. One more thing and it will be clear to me
> I believe. Is it best practice then to have all internal host that is
> behind the firewall to be something like:
> XPclient1.domain.com
> XPclient2.domain.com
> Etc.
>

Yes, that is exactly what we have. Obviously, this is something one has
to set up when one creates (or recreates:-) the AD.

Only thing you need keep in mind after that are resources that have
different "presences" depending on if the view is from the outside
(public DNS for webserver(s), MX etc might lead to one set of (public)
IP addresses), or from the inside (private DNS leading to perhaps other
addresses... or the same. Your choice is... well, not endless, but at
least up to you;-).

If the inside view of example.net (for example:-) use private addresses,
lets say 172.16.0.0/16 (mask 255.255.0.0), and your users need be able
to reach www.example.net (with a public address like 123.123.123.123),
you'll just need keep an entry in example.net (locally) to that effect
(since the internal machines will be seeing the local view of the
example.net domain).

For stuff that need differ (for example local MX might not be exactly
the same as the public MX;-), you simply have different entries locally
and publicly... And for most things (that need a local, private view
entry, but not a public one) you only have them locally.

There just has to be loads written about this on the net... I'm just
too lazy to find it for you:-).

Anyway... That rather simple "problem" is what prompted a certain
company (that shall not be named, but has been known to figure as the
primary search result when googling for "more evil than satan
himself"...:-) to invent the .local idiocy. As if that would make it any
easier to live with? Just another set of problems... and perhaps a bit
more onerous to cope with.

Anyway, if your MX (MS) gateway is living in the DMZ, you likely have
already set a public address for it, and perhaps N(P)AT to that in the
firewall, so to solve your immediate problem (without rebuilding the
AD:) you could just make it handle the public domain by way of naming
(of the host), and the .local thing as an added domain (how to do this
differ somewhat between MTAs, but IIRC (Some real Sendmail guru will
correct this:-) you just need Cw for the relevant domain names...

If you feel up to it/can make it so (perhaps you have a smallish AD,
with friendly users:-), making it a normal sane split view thing would
probably be best though.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Mon Oct 9 22:46:23 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 9 22:46:26 2006
Subject: OT: Scanning outgoing mail
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F1F@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D1501C13F1F@woodenex.woodmaclaw.local>
Message-ID: <223f97700610091446j6064e54eq5f67121e0fe8a6f6@mail.gmail.com>

On 09/10/06, Billy A. Pumphrey wrote:
(snip)
>
> Looks like it might be trusted already. I know I remember looking into
> this before, but I cannot find the config that the settings go into. I
> checked the spam.assassin.prefs.conf but not in there. Where is this
> setting at again?

You might have set it in your local.cf ... perhaps in
/etc/mail/spamassassin/ ...

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Mon Oct 9 22:50:44 2006
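For the "Reverse Lookup Records for Mail Server" thread above: the check a receiving server can make against the public DNS view, written out as an added Python example (not code from any poster, the wiki or MailScanner). The lookup tables are constructed and reuse the thread's placeholder names and address; the function and finding names are assumptions.

```python
import ipaddress

# Constructed PUBLIC view of DNS, i.e. what a receiver on the Internet sees.
# Names and the 123.123.123.x addresses are the thread's placeholders.
PUBLIC_PTR = {
    "123.123.123.123": ["mailscanner.domain.com."],
    "123.123.123.125": ["mail.domain.com."],   # PTR exists, forward record disagrees
}
PUBLIC_A = {
    "mailscanner.domain.com": ["123.123.123.123"],
    "mail.domain.com": ["123.123.123.123"],
}


def _norm(name):
    """Lower-case a host name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def make_resolver(ptr_table, a_table):
    """Build offline PTR and A lookup functions over the given tables."""
    def ptr_lookup(ip):
        return [_norm(n) for n in ptr_table.get(ip, [])]

    def a_lookup(name):
        return list(a_table.get(_norm(name), []))

    return ptr_lookup, a_lookup


PTR_LOOKUP, A_LOOKUP = make_resolver(PUBLIC_PTR, PUBLIC_A)


def check_helo(client_ip, helo_name, ptr_lookup=PTR_LOOKUP, a_lookup=A_LOOKUP):
    """Return a list of findings for one SMTP client; empty means consistent.

    Checks, in order: the HELO name is usable on the Internet, the client IP
    has a reverse record, at least one reverse name resolves forward to the
    same IP, and the HELO name is one of those confirmed names.
    """
    ipaddress.ip_address(client_ip)  # ValueError on a malformed address
    helo = _norm(helo_name)
    findings = []

    # A bare host name or a private suffix such as .local means nothing
    # to a receiver that only sees public DNS.
    if "." not in helo or helo.endswith(".local"):
        findings.append("helo-name-not-public")

    ptr_names = ptr_lookup(client_ip)
    if not ptr_names:
        findings.append("no-reverse-record")

    # Forward-confirm: the PTR name must resolve back to the connecting IP.
    confirmed = [n for n in ptr_names if client_ip in a_lookup(n)]
    if ptr_names and not confirmed:
        findings.append("reverse-not-forward-confirmed")

    if helo not in confirmed:
        findings.append("helo-does-not-match-rdns")
    return findings


if __name__ == "__main__":
    cases = [
        ("123.123.123.123", "mailscanner.domain.local"),  # internal name leaked
        ("123.123.123.123", "mailscanner.domain.com"),    # public name used
        ("123.123.123.124", "mailscanner.domain.com"),    # no PTR at all
        ("123.123.123.125", "mail.domain.com"),           # PTR not confirmed
    ]
    for ip, helo in cases:
        print(ip, helo, check_helo(ip, helo) or "consistent")
```

The first two cases are the situation discussed in the thread: the same gateway, announcing its internal name and then its public one.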
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Oct 9 22:50:46 2006 Subject: OT - Re: Mail Backing up while SpamAssassin is in Use In-Reply-To: <452A76FB.200@adcatanzaro.com> References: <452A5FD6.80604@adcatanzaro.com> <452A6D99.5030005@sendit.nodak.edu> <452A76FB.200@adcatanzaro.com> Message-ID: <223f97700610091450u4af7ae41o9ef7cddd36309cdd@mail.gmail.com> On 09/10/06, Derek Catanzaro wrote: > Richard Frovarp wrote: (snip) > > How long is the dcc timeout? 10 seconds? 500 messages times 10 seconds > > is about 83 minutes of extra processing time, since that timeout would > > count for each check. It would seem that you have found your problem. > > > > Richard > Where is the dcc timeout set? According to my "spamassassin --lint -D" > results it is timing out after 5 seconds, so I'm assuming that is the > timeout setting. > dcc: check timed out after 5 seconds > > I have 2 MailScanner servers with the same setup, and one is able to use > dcc and the other is timing out. I'm not sure why one would be timing > out and the other not? They are on the same network both using local > caching name server and both using the same DNS servers if it is not > cached. Is there a .conf I can check to find out what IP or dns name > dcc tries to connect to? > > Derek I'd start looking at your firewall rules... perhaps you only allow dcc for the one host? Then I'd try rebuilding dcc, to see if there is something up there... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From steve.freegard at fsl.com Mon Oct 9 22:56:34 2006 
From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Oct 9 22:56:57 2006 Subject: OT: ICANN ordered by Illinois court to suspend spamhaus.org In-Reply-To: <452A8CDA.8030005@trayerproducts.com> References: <452A8CDA.8030005@trayerproducts.com> Message-ID: <452AC592.2080608@fsl.com> Green, Rodney wrote: > http://blogs.securiteam.com/index.php/archives/662 > > I haven't seen this mentioned here on the MS list. If this were to > happen, how much of an effect do you think it will have on us anti-spam > people using MS/SpamAssassin? I've seen a message on another list from Spamhaus saying that should ICANN suspend their .org domain they will be able to quickly put up the SBL+XBL using their .org.uk domain instead. As an aside -- for those of us with servers in the UK who would like to help out in this case can do the following (this was written by Steve Linford of Spamhaus on another list): --- The best help would be to dig in your spam archive for samples of spam with the text string "Box 1132" and "60035". If any of these were sent to users in the UK (many were but we need hard copies) then we have a much stronger position. --- Kind regards, Steve. -- Steve Freegard Development Director Fort Systems Ltd. From glenn.steen at gmail.com Mon Oct 9 23:09:01 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Oct 9 23:09:08 2006 Subject: Header message suddenly appeared In-Reply-To: <200610091702.k99H27Wj023598@balita.ph> References: <1160349693.3814@balita.ph> <223f97700610090011m95c51d2if74475404f68ea47@mail.gmail.com> <200610091702.k99H27Wj023598@balita.ph> Message-ID: <223f97700610091509m5dcd3daehe8da76a3ea5ddfe9@mail.gmail.com> On 09/10/06, Wayne wrote: > At 08:11 09/10/2006, you wrote: > > Glenn > > We only have one sendmail install on the server (it is Balita's own > server not shared). > Our MS version is MailScanner-4.55.10-3 installed from a tar file > using ./install.sh > OS is Red Hat Enterprise Server 3. Thanks for the info. Eh, the tarball would be the rpm tarball then... (confusing, isn't it:-)... The one that installs all the needed RPMs:-)? Oh, I see you cite the version with the telltale -3, so that's probably it. Good. > I have noted from the daily LogWatch the following error: > > Aborting due to syntax errors in > /etc/MailScanner/MailScanner.conf. : 18 Time(s) > Enabling SpamAssassin auto-whitelist functionality... : 12 Time(s) > >>> Unrecognised keyword "spamassassinprefsfile" at line 2205 : 9 Time(s) > > It is to be noted the error on line >>> says spamassassinprefsfile > line 2205 is as follows: > > Line 2205 is # unsupported - code may be completely untested, a > contributed dirty hack, > # anything, really. > # alpha - code is pretty well untested. Don't assume it will work. > # beta - code is tested a bit. It should work. > # supported - code *should* be reliable. > # > # Don't even *think* about setting this to anything other than "beta" or > # "supported" on a system that receives real mail until you have tested it > # yourself and are happy that it is all working as you expect it to. > # Don't set it to anything other than "supported" on a system that could > # ever receive important mail. > # > # READ and UNDERSTAND the above text BEFORE changing this. 
> # > Minimum Code Status = supported > > Envelope From Header = X-MailScanner-From: > Envelope To Header = X-MailScanner-To: > Line 2223 is reads ... SpamAssassin Prefs File = > /etc/MailScanner/spam.assassin.prefs.conf > > I have listed line 2205 to 2223 as 2223 is the only one I can see > that relate to the error in my LogWatch. I have a vague recollection of this error, from a fresh install some (perhaps a lot:-) versions back (prior to 4.55.10, I think). You might find something about this if you search the archives... Just did... Seems you can probably just comment it out (line 2223). Perhaps you did an upgrade and didn't do upgrade_MailScanner_conf? > Whether the two problems are related I do not know. Don't know. Lets hope so:-). > Hopefully someone can help with both. > > Regards > > Wayne > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From arturs at netvision.net.il Tue Oct 10 01:34:32 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Tue Oct 10 01:36:25 2006 Subject: Double sendmail processes Message-ID: <009401c6ec03$dac5c910$3701a8c0@lapxp> Hello, On my server, Mailscanner is started as /etc/rc.d/init.d/sendmail. Every time the server is restarted, I see double sendmail processes, i.e. 2 of /var/spool/clientmqueue, and 2 of /var/spool/mqueue. After I manually restart Mailscanner, it starts only one pair. Q1: why are double processes started? Q2: how could I fix this? Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam From jon.bates at summitmotors.com.au Tue Oct 10 02:22:18 2006 
From: jon.bates at summitmotors.com.au (Jon Bates) Date: Tue Oct 10 02:22:41 2006 Subject: File Type Checking - Excepting users to the rules Message-ID: <200610100122.k9A1MJKt003458@summitmotors.com.au> I've got filtering in place to quarantine emails with attachments of specific types (eg. videos). I need a list of users to be allowed as exceptions to these rules. _______________________________ I've tried adding this to the top of the filename.rules.conf: "FromOrTo: user@domain.com allow" ...but i'm getting syntax errors when starting MailScanner. _______________________________ I've also tried creating a ruleset for the users under "Dangerous Content Scanning", and this does work, but this is less than desirable as it obviously opens up a security hole for the exception users! Can anyone give me some guidance on how I can do this? Thanks very much for your time. - Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061010/31c4a8ce/attachment.html From shuttlebox at gmail.com Tue Oct 10 09:02:53 2006 
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Oct 10 09:02:57 2006
Subject: File Type Checking - Excepting users to the rules
In-Reply-To: <200610100122.k9A1MJKt003458@summitmotors.com.au>
References: <200610100122.k9A1MJKt003458@summitmotors.com.au>
Message-ID: <625385e30610100102h6e26f415id0ae49462a1cfdc8@mail.gmail.com>

On 10/10/06, Jon Bates wrote:
>
> I've got filtering in place to quarantine emails with attachments of
> specific types (eg. videos). I need a list of users to be allowed as
> exceptions to these rules.
> _______________________________
>
> I've tried adding this to the top of the filename.rules.conf:
>
> "FromOrTo: user@domain.com allow"
>
> ...but I'm getting syntax errors when starting MailScanner.

You can't mix rulesets into the filename rules. Copy your
filename.rules.conf into another file (e.g.
filename.rules.video.conf) and edit the video settings in the copy.
Make a ruleset pointing to the copy for some users and the original
file for default (all others).

FromOrTo: user@domain.com %rules-dir%/filename.rules.video.conf
FromOrTo: default %rules-dir%/filename.rules.conf

--
/peter

From a.peacock at chime.ucl.ac.uk Tue Oct 10 09:04:44 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Tue Oct 10 09:05:28 2006 Subject: Double sendmail processes In-Reply-To: <009401c6ec03$dac5c910$3701a8c0@lapxp> References: <009401c6ec03$dac5c910$3701a8c0@lapxp> Message-ID: <452B541C.5070300@chime.ucl.ac.uk> Hi Arthur, Check all of the files on the init directory to see if any of the others start sendmail as well. Do you have a mailscanner script in there? Arthur Sherman wrote: > Hello, > > On my server, Mailscanner is started as /etc/rc.d/init.d/sendmail. > Every time the server is restarted, I see double sendmail processes, i.e. 2 > of /var/spool/clientmqueue, and 2 of /var/spool/mqueue. > After I manually restart Mailscanner, it starts only one pair. > > Q1: why are double processes started? > Q2: how could I fix this? > > Thanks! > > > Best, > > -- > Arthur Sherman > > +972-52-4878851 > CPTeam > -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From MailScanner at ecs.soton.ac.uk Tue Oct 10 09:23:36 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Oct 10 09:24:10 2006
Subject: Double sendmail processes
In-Reply-To: <009401c6ec03$dac5c910$3701a8c0@lapxp>
References: <009401c6ec03$dac5c910$3701a8c0@lapxp>
Message-ID: <452B5888.4010207@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

service sendmail stop
service MailScanner stop
chkconfig sendmail off
chkconfig MailScanner on
service MailScanner start

That will sort you out.

Arthur Sherman wrote:
> Hello,
>
> On my server, Mailscanner is started as /etc/rc.d/init.d/sendmail.
> Every time the server is restarted, I see double sendmail processes, i.e. 2
> of /var/spool/clientmqueue, and 2 of /var/spool/mqueue.
> After I manually restart Mailscanner, it starts only one pair.
>
> Q1: why are double processes started?
> Q2: how could I fix this?
>
> Thanks!
>
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> CPTeam
>
>

Jules

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFFK1iJEfZZRxQVtlQRAk5LAKD+PwltAb/cxQwXO9LZ+n4q0mwWRQCfX9NF
ztKAmhWqrE+FHKHJr9oiweQ=
=Ripc
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Tue Oct 10 09:25:46 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 10 09:26:13 2006 Subject: File Type Checking - Excepting users to the rules In-Reply-To: <200610100122.k9A1MJKt003458@summitmotors.com.au> References: <200610100122.k9A1MJKt003458@summitmotors.com.au> Message-ID: <452B590A.5010108@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is all documented on the wiki and in the book. Read this: http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading Jon Bates wrote: > > I've got filtering in place to quarantine emails with attachments of > specific types (eg. videos). I need a list of users to be allowed as > exceptions to these rules. > _______________________________ > > I've tried adding this to the top of the filename.rules.conf: > > "FromOrTo: user@domain.com allow" > > ...but i'm getting syntax errors when starting MailScanner. > > _______________________________ > > I've also tried creating a ruleset for the users under "Dangerous > Content Scanning", and this *does* work, but this is less than > desirable as it obviously opens up a security hole for the exception > users! > > > Can anyone give me some guidance on how I can do this? > > Thanks very much for your time. > > - Jon Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFK1kKEfZZRxQVtlQRApEWAJ0V0frIVX8TfK5Fd8n+7uFmM77IbwCgvvS8 tuSGSwA3IxlTy4Uiud/wq20= =Ja5q -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From support-lists at petdoctors.co.uk Tue Oct 10 10:05:34 2006 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Tue Oct 10 10:06:00 2006 Subject: spam forwarding not working Message-ID: <008601c6ec4b$401ef1f0$04000100@support01> Hi guys, I have setup a spam mailbox on our local mail server that users can submit their unwanted stuff to - it's called 'spam@[snipped]' The 'spam' mailbox is submitted to spamassassin every night via a cron job. This works with no problems for mail that people manually forward, but I also have this line in MailScanner.conf: High Scoring Spam Actions = delete forward spam@[snipped] Unfortunately, this triggers the following emails to me (at root): ++++++++++ This is the Postfix program at ... I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. [Snip] : User unknown in virtual alias table ++++++++++ I have also tried local delivery by putting the forward address as 'spam@servername' - am I hitting problems because spam is being resubmitted to MailScanner before being forwarded, but even then why a 'user unknown' message? MailScanner is 4.55.10, PostFix is 2:2.2.10-1.RHEL4.2 on CentOS 4.4 Thanks Nigel Kendrick From tony.johansson at svenskakyrkan.se Tue Oct 10 10:08:33 2006 
From: tony.johansson at svenskakyrkan.se (Tony Johansson)
Date: Tue Oct 10 10:20:19 2006
Subject: Periodic (5min) SpamAssassin timeouts
Message-ID:

We're having problems with periodic SpamAssassin timeouts.
We have 3 Centos 4.2 servers, running MailScanner 4.54.6 and SpamAssassin 3.1.5

The timeouts seem to hit servers individually, with numerous timeouts all
coming in 5 minute (roughly) intervals.

No 5 minute cronjobs exists, timeouts seem to occur and stop for no apparent
reason. Loads, network connectivity etc are the same for all 3 servers, yet
timeouts aren't evenly distributed among the servers when they occur - always
1 or rarely 2 servers get hit.

dcc and pyzor are disabled in spam.assassin.prefs.conf
SpamAssassin Timeout = 180 in MailScanner.conf

I've set up a swatch-job that execs spamassassin --lint -D, iostat, top -b -n
1, vmstat, netstat -p whenever the timeouts occur. So far I haven't been able
to spot something that sticks out.

Here's a cut from tonight's log:
Oct 10 03:12:29 mx3 MailScanner[31635]: SpamAssassin timed out and was killed (pid 6174), failure 0 of 20
Oct 10 03:17:30 mx3 MailScanner[31959]: SpamAssassin timed out and was killed (pid 8844), failure 0 of 20
Oct 10 03:22:33 mx3 MailScanner[32069]: SpamAssassin timed out and was killed (pid 11596), failure 0 of 20
Oct 10 03:30:11 mx3 MailScanner[32069]: SpamAssassin timed out and was killed (pid 15825), failure 0 of 20
Oct 10 03:35:15 mx3 MailScanner[32421]: SpamAssassin timed out and was killed (pid 18582), failure 0 of 20
Oct 10 03:40:16 mx3 MailScanner[31679]: SpamAssassin timed out and was killed (pid 21353), failure 0 of 20
Oct 10 03:45:20 mx3 MailScanner[32171]: SpamAssassin timed out and was killed (pid 24035), failure 0 of 20
Oct 10 03:50:23 mx3 MailScanner[31959]: SpamAssassin timed out and was killed (pid 26559), failure 0 of 20
Oct 10 03:55:23 mx3 MailScanner[31885]: SpamAssassin timed out and was killed (pid 28997), failure 0 of 20
Oct 10 04:00:29 mx3 MailScanner[31215]: SpamAssassin timed out and was killed (pid 31610), failure 1 of 20
Oct 10 04:05:31 mx3 MailScanner[30786]: SpamAssassin timed out and was killed (pid 1662), failure 1 of 20

No timeouts after 04:05. (pid info added to aid debugging)

Any ideas on what's going on here?

Any tips on how to further debug this?

Regards, Tony

From martinh at solidstatelogic.com Tue Oct 10 10:27:03 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Oct 10 10:27:16 2006
Subject: Periodic (5min) SpamAssassin timeouts
In-Reply-To:
References:
Message-ID: <452B6767.4020405@solidstatelogic.com>

Tony Johansson wrote:
> We're having problems with periodic SpamAssassin timeouts.
> We have 3 Centos 4.2 servers, running MailScanner 4.54.6 and SpamAssassin 3.1.5
>
> The timeouts seem to hit servers individually, with numerous timeouts all
> coming in 5 minute (roughly) intervals.
>
> No 5 minute cronjobs exists, timeouts seem to occur and stop for no apparent
> reason. Loads, network connectivity etc are the same for all 3 servers, yet
> timeouts aren't evenly distributed among the servers when they occur - always
> 1 or rarely 2 servers get hit.
>
> dcc and pyzor are disabled in spam.assassin.prefs.conf
> SpamAssassin Timeout = 180 in MailScanner.conf
>
> I've set up a swatch-job that execs spamassassin --lint -D, iostat, top -b -n
> 1, vmstat, netstat -p whenever the timeouts occur. So far I haven't been able
> to spot something that sticks out.
>
> Here's a cut from tonight's log:
> Oct 10 03:12:29 mx3 MailScanner[31635]: SpamAssassin timed out and was killed
> (pid 6174), failure 0 of 20
> Oct 10 03:17:30 mx3 MailScanner[31959]: SpamAssassin timed out and was killed
> (pid 8844), failure 0 of 20
> Oct 10 03:22:33 mx3 MailScanner[32069]: SpamAssassin timed out and was killed
> (pid 11596), failure 0 of 20
> Oct 10 03:30:11 mx3 MailScanner[32069]: SpamAssassin timed out and was killed
> (pid 15825), failure 0 of 20
> Oct 10 03:35:15 mx3 MailScanner[32421]: SpamAssassin timed out and was killed
> (pid 18582), failure 0 of 20
> Oct 10 03:40:16 mx3 MailScanner[31679]: SpamAssassin timed out and was killed
> (pid 21353), failure 0 of 20
> Oct 10 03:45:20 mx3 MailScanner[32171]: SpamAssassin timed out and was killed
> (pid 24035), failure 0 of 20
> Oct 10 03:50:23 mx3 MailScanner[31959]: SpamAssassin timed out and was killed
> (pid 26559), failure 0 of 20
> Oct 10 03:55:23 mx3 MailScanner[31885]: SpamAssassin timed out and was killed
> (pid 28997), failure 0 of 20
> Oct 10 04:00:29 mx3 MailScanner[31215]: SpamAssassin timed out and was killed
> (pid 31610), failure 1 of 20
> Oct 10 04:05:31 mx3 MailScanner[30786]: SpamAssassin timed out and was killed
> (pid 1662), failure 1 of 20
>
> No timeouts after 04:05. (pid info added to aid debugging)
>
> Any ideas on what's going on here?
>
> Any tips on how to further debug this?
>
> Regards, Tony
>

Tony

I'd check

1) DNS (are you running a local caching nameserver on the servers?)
2) more likely bayes issues. How are you cleaning the bayes system? Are
you letting MailScanner do it (via the
spam.assassin.prefs.conf/MailScanner.conf) settings, or are you doing
this manually via a cron job?

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From glenn.steen at gmail.com Tue Oct 10 10:31:36 2006
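For the "Periodic (5min) SpamAssassin timeouts" thread above: the posted log excerpt can be tested for periodicity mechanically, and each kill time can be turned into the time the hung scan began, which is the moment to line up against cron, Bayes expiry or DNS logs. This Python is an added example, not code from any poster or from MailScanner; the function names, the 15-second tolerance and the year 2006 (syslog lines carry no year) are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# The log lines posted in the thread (host mx3), one entry per line.
SAMPLE_LOG = """\
Oct 10 03:12:29 mx3 MailScanner[31635]: SpamAssassin timed out and was killed (pid 6174), failure 0 of 20
Oct 10 03:17:30 mx3 MailScanner[31959]: SpamAssassin timed out and was killed (pid 8844), failure 0 of 20
Oct 10 03:22:33 mx3 MailScanner[32069]: SpamAssassin timed out and was killed (pid 11596), failure 0 of 20
Oct 10 03:30:11 mx3 MailScanner[32069]: SpamAssassin timed out and was killed (pid 15825), failure 0 of 20
Oct 10 03:35:15 mx3 MailScanner[32421]: SpamAssassin timed out and was killed (pid 18582), failure 0 of 20
Oct 10 03:40:16 mx3 MailScanner[31679]: SpamAssassin timed out and was killed (pid 21353), failure 0 of 20
Oct 10 03:45:20 mx3 MailScanner[32171]: SpamAssassin timed out and was killed (pid 24035), failure 0 of 20
Oct 10 03:50:23 mx3 MailScanner[31959]: SpamAssassin timed out and was killed (pid 26559), failure 0 of 20
Oct 10 03:55:23 mx3 MailScanner[31885]: SpamAssassin timed out and was killed (pid 28997), failure 0 of 20
Oct 10 04:00:29 mx3 MailScanner[31215]: SpamAssassin timed out and was killed (pid 31610), failure 1 of 20
Oct 10 04:05:31 mx3 MailScanner[30786]: SpamAssassin timed out and was killed (pid 1662), failure 1 of 20
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MailScanner\[(?P<child>\d+)\]: SpamAssassin timed out and was killed "
    r"\(pid (?P<sa_pid>\d+)\), failure (?P<fail>\d+) of (?P<limit>\d+)"
)


def parse_timeouts(text, year=2006):
    """Extract timeout events from syslog text; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["stamp"].split())  # syslog pads single-digit days
        events.append({
            "killed_at": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "host": m["host"],
            "child": int(m["child"]),      # MailScanner child that ran the scan
            "sa_pid": int(m["sa_pid"]),    # SpamAssassin process that was killed
            "failure": int(m["fail"]),
        })
    return events


def summarise(events, sa_timeout=180, period=300, tolerance=15):
    """Per host: gaps between kills, how many sit on the suspected period,
    how many distinct children were hit, and when each hung scan began.

    sa_timeout is the 'SpamAssassin Timeout' value from the post; the start
    time assumes the kill is logged when that timeout expires.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    report = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["killed_at"])
        gaps = [int((b["killed_at"] - a["killed_at"]).total_seconds())
                for a, b in zip(evs, evs[1:])]
        report[host] = {
            "events": len(evs),
            "gaps": gaps,
            "median_gap": statistics.median(gaps) if gaps else None,
            "on_period": sum(1 for g in gaps if abs(g - period) <= tolerance),
            "children": len({e["child"] for e in evs}),
            "scan_started": [e["killed_at"] - timedelta(seconds=sa_timeout)
                             for e in evs],
        }
    return report


if __name__ == "__main__":
    for host, r in summarise(parse_timeouts(SAMPLE_LOG)).items():
        print(f"{host}: {r['events']} timeouts, median gap {r['median_gap']}s, "
              f"{r['on_period']}/{len(r['gaps'])} gaps near 300s, "
              f"{r['children']} distinct MailScanner children")
        for started in r["scan_started"]:
            print("  hung scan began about", started.strftime("%H:%M:%S"))
```

On the posted excerpt the gaps cluster within a few seconds of 300 and the kills are spread over nine different MailScanner children, so the pattern is not one stuck child retrying.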
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 10 10:31:40 2006
Subject: spam forwarding not working
In-Reply-To: <008601c6ec4b$401ef1f0$04000100@support01>
References: <008601c6ec4b$401ef1f0$04000100@support01>
Message-ID: <223f97700610100231u162922a5l4f2fcced174ccf22@mail.gmail.com>

On 10/10/06, Nigel Kendrick wrote:
> Hi guys,
>
> I have setup a spam mailbox on our local mail server that users can submit
> their unwanted stuff to - it's called 'spam@[snipped]'
>
> The 'spam' mailbox is submitted to spamassassin every night via a cron job.
> This works with no problems for mail that people manually forward, but I
> also have this line in MailScanner.conf:
>
> High Scoring Spam Actions = delete forward spam@[snipped]
>
> Unfortunately, this triggers the following emails to me (at root):
>
> ++++++++++
>
> This is the Postfix program at ...
>
> I'm sorry to have to inform you that your message could not be delivered to
> one or more recipients. It's attached below.
>
> [Snip]
>
> : User unknown in virtual alias table
>
> ++++++++++
>
> I have also tried local delivery by putting the forward address as
> 'spam@servername' - am I hitting problems because spam is being resubmitted
> to MailScanner before being forwarded, but even then why a 'user unknown'
> message?
>
> MailScanner is 4.55.10, PostFix is 2:2.2.10-1.RHEL4.2 on CentOS 4.4
>
> Thanks
>
> Nigel Kendrick
>
>
Nigel,
Virtual aliases are expanded _after_ MailScanner, so you cannot use a
virtual alias in a rule like that (for addressing).
Simply change it to the real address and things should work out OK:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From arturs at netvision.net.il Tue Oct 10 10:46:07 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Tue Oct 10 10:48:00 2006
Subject: Double sendmail processes
In-Reply-To: <452B541C.5070300@chime.ucl.ac.uk>
Message-ID: <00c401c6ec50$e8f77c70$3701a8c0@lapxp>

Hi Anthony,

I didn't find anything.

Here are starting services:
---
[root@ns1 init.d]# chkconfig --list | grep on
autofs          0:off  1:off  2:off  3:on  4:on  5:on  6:off
haldaemon       0:off  1:off  2:off  3:on  4:on  5:on  6:off
poprelayd       0:off  1:off  2:on  3:on  4:on  5:on  6:off
readahead       0:off  1:off  2:off  3:off  4:off  5:on  6:off
syslog          0:off  1:off  2:on  3:on  4:on  5:on  6:off
xinetd          0:off  1:off  2:on  3:on  4:on  5:on  6:off
DCC             0:off  1:off  2:on  3:on  4:on  5:on  6:off
netfs           0:off  1:off  2:off  3:on  4:on  5:on  6:off
sendmail        0:off  1:off  2:on  3:on  4:on  5:on  6:off
mysqld          0:off  1:off  2:on  3:on  4:on  5:on  6:off
dbrecover       0:off  1:on  2:on  3:on  4:on  5:on  6:off
bluequartz      0:off  1:off  2:on  3:on  4:on  5:on  6:off
microcode_ctl   0:off  1:off  2:on  3:on  4:on  5:on  6:off
saslauthd       0:off  1:off  2:on  3:on  4:on  5:on  6:off
clamav-milter   0:off  1:off  2:on  3:on  4:on  5:on  6:off
lm_sensors      0:off  1:off  2:on  3:on  4:on  5:on  6:off
admserv         0:off  1:off  2:on  3:on  4:on  5:on  6:off
network         0:off  1:off  2:on  3:on  4:on  5:on  6:off
kudzu           0:off  1:off  2:off  3:on  4:on  5:on  6:off
iptables        0:off  1:off  2:on  3:on  4:on  5:on  6:off
irqbalance      0:off  1:off  2:off  3:on  4:on  5:on  6:off
named           0:off  1:off  2:on  3:on  4:on  5:on  6:off
mdmonitor       0:off  1:off  2:on  3:on  4:on  5:on  6:off
crond           0:off  1:off  2:on  3:on  4:on  5:on  6:off
httpd           0:off  1:off  2:on  3:on  4:on  5:on  6:off
dovecot         0:off  1:off  2:on  3:on  4:on  5:on  6:off
clamd           0:off  1:off  2:on  3:on  4:on  5:on  6:off
gpm             0:off  1:off  2:on  3:on  4:on  5:on  6:off
readahead_early 0:off  1:off  2:off  3:off  4:off  5:on  6:off
cpuspeed        0:off  1:on  2:on  3:on  4:on  5:on  6:off
messagebus      0:off  1:off  2:off  3:on  4:on  5:on  6:off
mdchk           0:off  1:off  2:on  3:on  4:on  5:on  6:off
sshd            0:off  1:off  2:on  3:on  4:on  5:on  6:off
smartd          0:off  1:off  2:on  3:on  4:on  5:on  6:off
cced.init       0:off  1:off  2:on  3:on  4:on  5:on  6:off
rawdevices      0:off  1:off  2:off  3:on  4:on  5:on  6:off
---

Then I grepped for sendmail pattern:
---
[root@ns1 init.d]# grep sendmail *
clamav-milter:# description: clamav-milter is a daemon which hooks into sendmail \
DCC:# dccm must be started before sendmail and stopped after sendmail to avoid
DCC:# complaints from sendmail
DCC:# can be added to /etc/rc just before sendmail is started and a line like
diskdump:SENDMAIL="/usr/sbin/sendmail"
poprelayd:# the pop-log-scrubber and sendmail relay db population tool.
sendmail:# MailScanner, and its associated copies of sendmail.
sendmail:# If you are using sendmail, Exim or Postfix, please try to avoid editing
sendmail:MTA=sendmail
sendmail:INPID=/var/run/sendmail.in.pid
sendmail:OUTPID=/var/run/sendmail.out.pid
sendmail:SENDMAIL=/usr/sbin/sendmail
sendmail:# Start both the sendmail processes
sendmail: elif [ $MTA = 'sendmail' ]; then
sendmail: elif [ $MTA = 'sendmail' ]; then
sendmail: # Start just incoming sendmail
sendmail: # Start just outgoing sendmail
sendmail: elif [ $MTA = "sendmail" ]; then
sendmail: #killproc sendmail 2>/dev/null
sendmail: elif [ $MTA = "sendmail" ]; then
sendmail: #killproc /usr/sbin/sendmail 2>/dev/null
sendmail: if [ $MTA = "sendmail" ]; then
sendmail: # Now the incoming sendmail
sendmail: echo -n ' incoming sendmail: '
sendmail: #pid=`ps ax | egrep '\[sendmail\]|sendmai[l]: accepting connections'`
sendmail: # Now the outgoing sendmail
sendmail: echo -n ' outgoing sendmail: '
sendmail: #pid=`ps ax | egrep '\[sendmail\]|sendmai[l] -q[0-9]*[mhd]|sendmail: Queue runner' | grep -v grep`
---

Did I miss something?

Thanks!


Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Anthony Peacock
> Sent: Tuesday, October 10, 2006 10:05 AM
> To: MailScanner discussion
> Subject: Re: Double sendmail processes
>
> Hi Arthur,
>
> Check all of the files on the init directory to see if any of the others
> start sendmail as well. Do you have a mailscanner script in there?
>
> Arthur Sherman wrote:
> > Hello,
> >
> > On my server, Mailscanner is started as /etc/rc.d/init.d/sendmail.
> > Every time the server is restarted, I see double sendmail processes, i.e. 2
> > of /var/spool/clientmqueue, and 2 of /var/spool/mqueue.
> > After I manually restart Mailscanner, it starts only one pair.
> >
> > Q1: why are double processes started?
> > Q2: how could I fix this?
> >
> > Thanks!
> >
> >
> > Best,
> >
> > --
> > Arthur Sherman
> >
> > +972-52-4878851
> > CPTeam
> >
>
>
> --
> Anthony Peacock
> CHIME, Royal Free & University College Medical School
> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
> "If you have an apple and I have an apple and we exchange apples
> then you and I will still each have one apple. But if you have an
> idea and I have an idea and we exchange these ideas, then each of us
> will have two ideas." -- George Bernard Shaw
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From arturs at netvision.net.il Tue Oct 10 10:47:54 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Tue Oct 10 10:49:49 2006
Subject: Double sendmail processes
In-Reply-To: <452B5888.4010207@ecs.soton.ac.uk>
Message-ID: <00c801c6ec51$28ebb580$3701a8c0@lapxp>

Hi Jules,

Sendmail is actually MailScanner.
It was renamed for compatibility with other apps - old trick from some
forum, which used to work before.


Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: Tuesday, October 10, 2006 10:24 AM
> To: MailScanner discussion
> Subject: Re: Double sendmail processes
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> service sendmail stop
> service MailScanner stop
> chkconfig sendmail off
> chkconfig MailScanner on
> service MailScanner start
>
> That will sort you out.
>
> Arthur Sherman wrote:
> > Hello,
> >
> > On my server, Mailscanner is started as /etc/rc.d/init.d/sendmail.
> > Every time the server is restarted, I see double sendmail processes, i.e. 2
> > of /var/spool/clientmqueue, and 2 of /var/spool/mqueue.
> > After I manually restart Mailscanner, it starts only one pair.
> >
> > Q1: why are double processes started?
> > Q2: how could I fix this?
> >
> > Thanks!
> >
> >
> > Best,
> >
> > --
> > Arthur Sherman
> >
> > +972-52-4878851
> > CPTeam
> >
> >
>
> Jules
>
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.0 (Build 1112)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFFK1iJEfZZRxQVtlQRAk5LAKD+PwltAb/cxQwXO9LZ+n4q0mwWRQCfX9NF
> ztKAmhWqrE+FHKHJr9oiweQ=
> =Ripc
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From a.peacock at chime.ucl.ac.uk Tue Oct 10 10:54:47 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Tue Oct 10 10:55:00 2006
Subject: Double sendmail processes
In-Reply-To: <00c401c6ec50$e8f77c70$3701a8c0@lapxp>
References: <00c401c6ec50$e8f77c70$3701a8c0@lapxp>
Message-ID: <452B6DE7.5090705@chime.ucl.ac.uk>

Hi Arthur,

Someone who knows your OS better than I will probably be able to help more.

The standard mailscanner install creates a startup script for
mailscanner that also starts sendmail. In this instance you would need
to stop sendmail starting as well.

It looks like you are doing in the other way round, ie the sendmail
script starts mailscanner.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

From tony.johansson at svenskakyrkan.se Tue Oct 10 10:54:25 2006
From: tony.johansson at svenskakyrkan.se (Tony Johansson)
Date: Tue Oct 10 10:55:38 2006
Subject: Periodic (5min) SpamAssassin timeouts
References: <452B6767.4020405@solidstatelogic.com>
Message-ID:

> I'd check
>
> 1) DNS (are you running a local caching nameserver on the servers?)

1: We're running named as caching nameservers on all machines with rbldnsd for
certain zones. rbldnsd zones are rsynced hourly from the sources.

From named.conf:
zone "list.dsbl.org" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

And from /etc/sysconfig/rbldnsd:

RBLDNSD="dsbl -l/var/log/rbldnsd -r/var/lib/rbldns/data -t 21600 -q -f -c 60 \
 -p /var/run/rbldnsd.pid -b127.0.0.1/530 \
 list.dsbl.org:ip4set:rbldns-list.dsbl.org \
 dnsbl.sorbs.net:combined:dnsbl.sorbs.net \
 bulk.rhs.mailpolice.com:dnset:bulk.rhs.mailpolice.com \
 fraud.rhs.mailpolice.com:dnset:fraud.rhs.mailpolice.com \
 multi.surbl.org:dnset:multi.surbl.org.rbldnsd"

Know of any good ways of debugging dns-lookups? Something I could add to
whatever debugging I do whenever a timeout occurs?

> 2) more likely bayes issues. How are you cleaning the bayes system? Are
> you letting mailScanner do it (via the
> spam.assassin.prefs.conf/mailScanner.conf) settings, or are you doing
> this manually via a cron job?
>

2: We have "Rebuild Bayes Every = 0" in MailScanner.conf
04:04 cron runs "clean.and.sa-learn":
#!/bin/bash
cd /root/.spamassassin
rm -f /root/.spamassassin/bayes_toks.expire*
/usr/bin/sa-learn --force-expire

Here's the bayes dir:

ls -lh in /root/.spamassassin:
-rw------- 1 root root 6 Aug 12 2005 auto-whitelist.mutex
-rw-rw---- 1 root root 83K Oct 10 11:47 bayes_journal
-rw------- 1 root root 31K Oct 10 11:47 bayes.mutex
-rw------- 1 root root 313M Oct 10 11:46 bayes_seen
-rw-rw---- 1 root root 20M Oct 10 11:47 bayes_toks
-rw-rw---- 1 root root 12K Jun 22 03:22 __db.bayes_toks.expire15788.
-rw-rw---- 1 root root 12K Aug 15 01:40 __db.bayes_toks.expire16514.
-rw-rw---- 1 root root 12K Sep 16 01:25 __db.bayes_toks.expire16812.
-rw-rw---- 1 root root 12K Aug 9 01:37 __db.bayes_toks.expire17653.
-rw-rw---- 1 root root 12K Aug 30 20:31 __db.bayes_toks.expire19732.
-rw-rw---- 1 root root 12K Aug 28 19:24 __db.bayes_toks.expire20943.
-rw-rw---- 1 root root 12K Jun 21 20:54 __db.bayes_toks.expire21074.
-rw-rw---- 1 root root 12K May 17 01:00 __db.bayes_toks.expire22028.
-rw-rw---- 1 root root 12K Sep 20 22:38 __db.bayes_toks.expire24240.
-rw-rw---- 1 root root 12K Aug 28 23:27 __db.bayes_toks.expire29445.
-rw-rw---- 1 root root 12K May 31 23:25 __db.bayes_toks.expire30243.
-rw-rw---- 1 root root 12K Jun 8 03:07 __db.bayes_toks.expire3378.
-rw-rw---- 1 root root 12K Jul 19 04:43 __db.bayes_toks.expire4537.
-rw-r--r-- 1 root root 1.1K Jan 2 2004 user_prefs

Timing seems spot on with when the last timeouts stopped but why the 5 min
timeouts? Should we let MailScanner manage the rebuilds and at what settings?

Regards, Tony

From Andreas.Doerfler at kempten.de Tue Oct 10 11:01:42 2006
From: Andreas.Doerfler at kempten.de (Dörfler Andreas)
Date: Tue Oct 10 11:01:50 2006
Subject: whitelist problem
Message-ID:

hey there,

i have here problems to whitelist two newsletters.
think the problem is because of the special signs ( * ) at the from address:

owner-computersl*REMOVED**REMOVED*-de@ablist.about.com
owner-delphi*REMOVED**REMOVED*-de@mclist.about.com

whitelist entry:
From: *@ablist.about.com and To: REMOVED yes
From: *@mclist.about.com and To: REMOVED yes

atm that way the whitelist for the lists does not work,
anyone has workaround for it available ?

greetings
andy

ASCII ribbon campaign ( )
 - against HTML email  X
             & vCards / \

From martinh at solidstatelogic.com Tue Oct 10 11:02:43 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Oct 10 11:02:58 2006
Subject: Periodic (5min) SpamAssassin timeouts
In-Reply-To:
References: <452B6767.4020405@solidstatelogic.com>
Message-ID: <452B6FC3.8040204@solidstatelogic.com>

Tony Johansson wrote:
>> I'd check
>>
>> 1) DNS (are you running a local caching nameserver on the servers?)
>
> 1: We're running named as caching nameservers on all machines with rbldnsd for
> certain zones. rbldnsd zones are rsynced hourly from the sources.
>
> From named.conf:
> zone "list.dsbl.org" IN {
>     type forward;
>     forward first;
>     forwarders {
>         127.0.0.1 port 530;
>     };
> };
>
> And from /etc/sysconfig/rbldnsd:
>
> RBLDNSD="dsbl -l/var/log/rbldnsd -r/var/lib/rbldns/data -t 21600 -q -f -c 60 \
>  -p /var/run/rbldnsd.pid -b127.0.0.1/530 \
>  list.dsbl.org:ip4set:rbldns-list.dsbl.org \
>  dnsbl.sorbs.net:combined:dnsbl.sorbs.net \
>  bulk.rhs.mailpolice.com:dnset:bulk.rhs.mailpolice.com \
>  fraud.rhs.mailpolice.com:dnset:fraud.rhs.mailpolice.com \
>  multi.surbl.org:dnset:multi.surbl.org.rbldnsd"
>
> Know of any good ways of debugging dns-lookups? Something I could add to
> whatever debugging I do whenever a timeout occurs?
>
>> 2) more likely bayes issues. How are you cleaning the bayes system? Are
>> you letting mailScanner do it (via the
>> spam.assassin.prefs.conf/mailScanner.conf) settings, or are you doing
>> this manually via a cron job?
>>
>
> 2: We have "Rebuild Bayes Every = 0" in MailScanner.conf
> 04:04 cron runs "clean.and.sa-learn":
> #!/bin/bash
> cd /root/.spamassassin
> rm -f /root/.spamassassin/bayes_toks.expire*
> /usr/bin/sa-learn --force-expire
>
> Here's the bayes dir:
>
> ls -lh in /root/.spamassassin:
> -rw------- 1 root root 6 Aug 12 2005 auto-whitelist.mutex
> -rw-rw---- 1 root root 83K Oct 10 11:47 bayes_journal
> -rw------- 1 root root 31K Oct 10 11:47 bayes.mutex
> -rw------- 1 root root 313M Oct 10 11:46 bayes_seen
> -rw-rw---- 1 root root 20M Oct 10 11:47 bayes_toks
> -rw-rw---- 1 root root 12K Jun 22 03:22 __db.bayes_toks.expire15788.
> -rw-rw---- 1 root root 12K Aug 15 01:40 __db.bayes_toks.expire16514.
> -rw-rw---- 1 root root 12K Sep 16 01:25 __db.bayes_toks.expire16812.
> -rw-rw---- 1 root root 12K Aug 9 01:37 __db.bayes_toks.expire17653.
> -rw-rw---- 1 root root 12K Aug 30 20:31 __db.bayes_toks.expire19732.
> -rw-rw---- 1 root root 12K Aug 28 19:24 __db.bayes_toks.expire20943.
> -rw-rw---- 1 root root 12K Jun 21 20:54 __db.bayes_toks.expire21074.
> -rw-rw---- 1 root root 12K May 17 01:00 __db.bayes_toks.expire22028.
> -rw-rw---- 1 root root 12K Sep 20 22:38 __db.bayes_toks.expire24240.
> -rw-rw---- 1 root root 12K Aug 28 23:27 __db.bayes_toks.expire29445.
> -rw-rw---- 1 root root 12K May 31 23:25 __db.bayes_toks.expire30243.
> -rw-rw---- 1 root root 12K Jun 8 03:07 __db.bayes_toks.expire3378.
> -rw-rw---- 1 root root 12K Jul 19 04:43 __db.bayes_toks.expire4537.
> -rw-r--r-- 1 root root 1.1K Jan 2 2004 user_prefs
>
> Timing seems spot on with when the last timeouts stopped but why the 5 min
> timeouts? Should we let MailScanner manage the rebuilds and at what settings?
>
> Regards, Tony
>
>

Tony

Thought it might be bayes related - it's a common issue with MS/SA..

I have....

Rebuild Bayes Every = 86400

and more importantly

Wait During Bayes Rebuild = yes

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From arturs at netvision.net.il Tue Oct 10 11:42:25 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Tue Oct 10 11:44:23 2006
Subject: Double sendmail processes
In-Reply-To: <452B6DE7.5090705@chime.ucl.ac.uk>
Message-ID: <00d001c6ec58$c6f61110$3701a8c0@lapxp>

Hi Anthony,

It is the Mailscanner script that starts from rc.d. It has been renamed to
'sendmail' - several apps needed this, since it is CentOS based BlueQuartz
appliance.
So it is just what you say it should be.

I am still wondering what would cause double sendmail processes...


Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Anthony Peacock
> Sent: Tuesday, October 10, 2006 11:55 AM
> To: MailScanner discussion
> Subject: Re: Double sendmail processes
>
> Hi Arthur,
>
> Someone who knows your OS better than I will probably be able
> to help more.
>
> The standard mailscanner install creates a startup script for
> mailscanner that also starts sendmail. In this instance you
> would need to stop sendmail starting as well.
>
> It looks like you are doing in the other way round, ie the sendmail
> script starts mailscanner.

From glenn.steen at gmail.com Tue Oct 10 11:47:22 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 10 11:47:25 2006
Subject: spam forwarding not working
In-Reply-To: <223f97700610100231u162922a5l4f2fcced174ccf22@mail.gmail.com>
References: <008601c6ec4b$401ef1f0$04000100@support01> <223f97700610100231u162922a5l4f2fcced174ccf22@mail.gmail.com>
Message-ID: <223f97700610100347r3bcddab5t9376b0875c2c5ab3@mail.gmail.com>

On 10/10/06, Glenn Steen wrote:
> On 10/10/06, Nigel Kendrick wrote:
> > Hi guys,
> >
(snip)
> > I have also tried local delivery by putting the forward address as
> > 'spam@servername' - am I hitting problems because spam is being resubmitted
> > to MailScanner before being forwarded, but even then why a 'user unknown'
> > message?
(snip)
> Virtual aliases are expanded _after_ MailScanner, so you cannot use a
> virtual alias in a rule like that (for addressing).
> Simply change it to the real address and things should work out OK:-).
(still a PF user....:)
Just thought I'd add that you are probably not whitelisting local
deliveries (release from quarantine etc type of thing, that one might
need if using SMTP to release messages), and that is why your messages
get rescanned. Either whitelist 127.0.0.1 or do something more
clever... (there is some "clever" writings of mine tangenting the
subject in the wiki... split mails per recipient in the howto;-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From a.peacock at chime.ucl.ac.uk Tue Oct 10 11:50:58 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Tue Oct 10 11:52:02 2006 Subject: Double sendmail processes In-Reply-To: <00d001c6ec58$c6f61110$3701a8c0@lapxp> References: <00d001c6ec58$c6f61110$3701a8c0@lapxp> Message-ID: <452B7B12.3020601@chime.ucl.ac.uk> Hi Arthur, Yes, after I sent my message I saw your reply to Jules. Sorry, I don't have detailed experience with your OS, so I am out of ideas now. I am sure someone else on this list will pop up sooner or later... Arthur Sherman wrote: > Hi Anthony, > > It is the Mailscanner script that starts from rc.d. It has been renamed to > 'sendmail' - several apps needed this, since it is CentOS based BlueQuartz > appliance. > So it is just what you say it should be. > > I am still wondering what would cause double sendmail processes... > > > Best, > > -- > Arthur Sherman > > +972-52-4878851 > CPTeam > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Anthony Peacock >> Sent: Tuesday, October 10, 2006 11:55 AM >> To: MailScanner discussion >> Subject: Re: Double sendmail processes >> >> Hi Arthur, >> >> Someone who knows your OS better than I will probably be able >> to help more. >> >> The standard mailscanner install creates a startup script for >> mailscanner that also starts sendmail. In this instance you >> would need >> to stop sendmail starting as well. >> >> It looks like you are doing in the other way round, ie the sendmail >> script starts mailscanner. >> >> Arthur Sherman wrote: >>> Hi Anthony, >>> >>> I didn't find anything. >>> >>> Here are starting services: >>> --- >>> [root@ns1 init.d]# chkconfig --list | grep on >>> autofs 0:off 1:off 2:off 3:on 4:on >> 5:on 6:off >>> haldaemon 0:off 1:off 2:off 3:on 4:on >> 5:on 6:off >>> poprelayd 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> readahead 0:off 1:off 2:off 3:off 4:off >> 5:on 6:off >>> syslog 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> xinetd 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> DCC 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> netfs 0:off 1:off 2:off 3:on 4:on >> 5:on 6:off >>> sendmail 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> mysqld 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> dbrecover 0:off 1:on 2:on 3:on 4:on >> 5:on 6:off >>> bluequartz 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> microcode_ctl 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> saslauthd 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> clamav-milter 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> lm_sensors 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> admserv 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> network 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> kudzu 0:off 1:off 2:off 3:on 4:on >> 5:on 6:off >>> iptables 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> irqbalance 0:off 1:off 2:off 3:on 4:on >> 5:on 6:off >>> named 0:off 1:off 2:on 3:on 4:on >> 5:on 
6:off >>> mdmonitor 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> crond 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> httpd 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> dovecot 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> clamd 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> gpm 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> readahead_early 0:off 1:off 2:off 3:off 4:off >> 5:on 6:off >>> cpuspeed 0:off 1:on 2:on 3:on 4:on >> 5:on 6:off >>> messagebus 0:off 1:off 2:off 3:on 4:on >> 5:on 6:off >>> mdchk 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> sshd 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> smartd 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> cced.init 0:off 1:off 2:on 3:on 4:on >> 5:on 6:off >>> rawdevices 0:off 1:off 2:off 3:on 4:on >> 5:on 6:off >>> --- >>> >>> Then I grepped for sendmail pattern: >>> --- >>> [root@ns1 init.d]# grep sendmail * >>> clamav-milter:# description: clamav-milter is a daemon >> which hooks into >>> sendmail \ >>> DCC:# dccm must be started before sendmail and stopped >> after sendmail to >>> avoid >>> DCC:# complaints from sendmail >>> DCC:# can be added to /etc/rc just before sendmail is >> started and a line >>> like >>> diskdump:SENDMAIL="/usr/sbin/sendmail" >>> poprelayd:# the pop-log-scrubber and sendmail relay db >>> population tool. >>> sendmail:# MailScanner, and its associated >> copies of sendmail. 
>>> sendmail:# If you are using sendmail, Exim or Postfix, >> please try to avoid >>> editing >>> sendmail:MTA=sendmail >>> sendmail:INPID=/var/run/sendmail.in.pid >>> sendmail:OUTPID=/var/run/sendmail.out.pid >>> sendmail:SENDMAIL=/usr/sbin/sendmail >>> sendmail:# Start both the sendmail processes >>> sendmail: elif [ $MTA = 'sendmail' ]; then >>> sendmail: elif [ $MTA = 'sendmail' ]; then >>> sendmail: # Start just incoming sendmail >>> sendmail: # Start just outgoing sendmail >>> sendmail: elif [ $MTA = "sendmail" ]; then >>> sendmail: #killproc sendmail 2>/dev/null >>> sendmail: elif [ $MTA = "sendmail" ]; then >>> sendmail: #killproc /usr/sbin/sendmail 2>/dev/null >>> sendmail: if [ $MTA = "sendmail" ]; then >>> sendmail: # Now the incoming sendmail >>> sendmail: echo -n ' incoming sendmail: ' >>> sendmail: #pid=`ps ax | egrep >> '\[sendmail\]|sendmai[l]: accepting >>> connections'` >>> sendmail: # Now the outgoing sendmail >>> sendmail: echo -n ' outgoing sendmail: ' >>> sendmail: #pid=`ps ax | egrep '\[sendmail\]|sendmai[l] >>> -q[0-9]*[mhd]|sendmail: Queue runner' | grep -v grep` >>> --- >>> >>> Did I miss something? >>> >>> Thanks! >>> >>> >>> Best, >>> >>> -- >>> Arthur Sherman >>> >>> +972-52-4878851 >>> CPTeam >>> >>>> -----Original Message----- 
>>>> From: mailscanner-bounces@lists.mailscanner.info >>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >>>> Of Anthony Peacock >>>> Sent: Tuesday, October 10, 2006 10:05 AM >>>> To: MailScanner discussion >>>> Subject: Re: Double sendmail processes >>>> >>>> Hi Arthur, >>>> >>>> Check all of the files on the init directory to see if any of >>>> the others >>>> start sendmail as well. Do you have a mailscanner script in there? >>>> >>>> Arthur Sherman wrote: >>>>> Hello, >>>>> >>>>> On my server, Mailscanner is started as /etc/rc.d/init.d/sendmail. >>>>> Every time the server is restarted, I see double sendmail >>>> processes, i.e. 2 >>>>> of /var/spool/clientmqueue, and 2 of /var/spool/mqueue. >>>>> After I manually restart Mailscanner, it starts only one pair. >>>>> >>>>> Q1: why are double processes started? >>>>> Q2: how could I fix this? >>>>> >>>>> Thanks! >>>>> >>>>> >>>>> Best, >>>>> >>>>> -- >>>>> Arthur Sherman >>>>> >>>>> +972-52-4878851 >>>>> CPTeam >>>>> >>>> -- >>>> Anthony Peacock >>>> CHIME, Royal Free & University College Medical School >>>> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ >>>> "If you have an apple and I have an apple and we exchange apples >>>> then you and I will still each have one apple. But if you have an >>>> idea and I have an idea and we exchange these ideas, then >> each of us >>>> will have two ideas." -- George Bernard Shaw >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >> >> -- >> Anthony Peacock >> CHIME, Royal Free & University College Medical School >> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ >> "If you have an apple and I have an apple and we exchange apples >> then you and I will still each have one apple. 
But if you have an >> idea and I have an idea and we exchange these ideas, then each of us >> will have two ideas." -- George Bernard Shaw >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From martinh at solidstatelogic.com Tue Oct 10 12:06:44 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Oct 10 12:07:01 2006 Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.1.7 available!] Message-ID: <452B7EC4.7070308@solidstatelogic.com> Fix for sa-update is now in... -------- Original Message -------- Subject: ANNOUNCE: Apache SpamAssassin 3.1.7 available! Date: Tue, 10 Oct 2006 11:57:38 +0100 
From: jm@jmason.org (Justin Mason) To: users@SpamAssassin.apache.org, dev@SpamAssassin.apache.org, announce@SpamAssassin.apache.org Apache SpamAssassin 3.1.7 is now available! This is a maintenance release of the 3.1.x branch. Downloads will be available from: http://spamassassin.apache.org/downloads.cgi?update=200610100328 Note that it may take a hour or two for mirrors to update. The release files will also be available via CPAN in the near future. md5sum of archive files: 77242e45baa7e2b418e4d3f22a86a69e Mail-SpamAssassin-3.1.7.tar.bz2 4b342c63949d47f3ce56b3fc1c8881c1 Mail-SpamAssassin-3.1.7.tar.gz b62794d50e0921dbb9f5211a65e4dc0e Mail-SpamAssassin-3.1.7.zip sha1sum of archive files: 6660dd3aa87f4ddd3ba9b19cf232dd006c6e8219 Mail-SpamAssassin-3.1.7.tar.bz2 3d31eff0eb9a158fab308958d65cdca81b8944bc Mail-SpamAssassin-3.1.7.tar.gz 7a882fcf4e253c9c020278f126b783ab41fe31d5 Mail-SpamAssassin-3.1.7.zip The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net key server, as well as http://spamassassin.apache.org/released/GPG-SIGNING-KEY The key information is: pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B 3.1.7 is a "quick-fix" release; it contains only a fix for one bug, introduced accidentally in 3.1.6: - bug 5119: if admins had set rule scores in the site configuration in /etc, sa-update would fail. Back out this change -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From glenn.steen at gmail.com Tue Oct 10 12:08:00 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 10 12:08:04 2006 Subject: Periodic (5min) SpamAssassin timeouts In-Reply-To: References: <452B6767.4020405@solidstatelogic.com> Message-ID: <223f97700610100408r5c0a3ba8j53e88eff929f36a5@mail.gmail.com> Hej Tony, On 10/10/06, Tony Johansson wrote: > > I'd check > > (snip) > > 2) more likely bayes issues. How are you cleaning the bayes system? Are > > you letting mailScanner do it (via the > > spam.assassin.prefs.conf/mailScanner.conf) settings, or are you doing > > this manually via a cron job? > > > > 2: We have "Rebuild Bayes Every = 0" in MailScanner.conf > 04:04 cron runs "clean.and.sa-learn": > #!/bin/bash > cd /root/.spamassassin > rm -f /root/.spamassassin/bayes_toks.expire* > /usr/bin/sa-learn --force-expire > That script is run from /etc/cron.daily, right? Explains why the timeouts stop at 4:05, since those scripts are likely started at 04:00 (look in /etc/crontabs). (snip) > > Timing seems spot on with when the last timeouts stopped but why the 5 min > timeouts? Should we let MailScanner manage the rebuilds and at what settings? > Can't say for sure. Matt probably knows:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hgh at rcwm.com Tue Oct 10 13:04:39 2006 
From: hgh at rcwm.com (Henry Hollenberg) Date: Tue Oct 10 13:00:50 2006 Subject: spam after mailscanner what next? {Scanned} Message-ID: <452B8C57.1030207@rcwm.com> Hey gang, My mailscanner install is working very well, thanks to all on the list. I have noticed a couple of categories of remaining SPAM(ie looks_like_spam_to_me) that are getting thru: 1) probably valid companies that would honor a request for removal from their mailing lists. 2) dictionary attacks designed to beat the Bayesian engine/db. Number 1: I plan on cautiously contacting the lists I identify in #1 after manually screening them for controlling DNS authority and double checking them on the SPAM lists. Does this sound reasonable? Does anyone have a better way to handle these? Number 2: Have no idea how to attack these other than submitting them to spamcop or some such. Here is an example of this stuff: was the bass heavy style of Bob Marley's new age reggae that allowed him the access to the people. He abandoned the classic stylewas the bass heavy style of Bob Marley's new age reggae that allowed him the access to the people. He abandoned the classic style while living, Bob Marley continues to influence people 25 years after his death (African Service News). His music and lyrics worked "If you know your history/ Then you would know where you coming from/ Then you wouldn't have to ask me/ Who the 'eck do I thinkThere are hundreds of thousands of people screaming for you on stage. The Prime Minister and leader of the opposition sit in the This stuff seems to do a pretty good job of defeating Bayesian, but it's funny it's instantly recognizable to me as SPAM. Maybe I need to set up a CRAY in my garage with some AI software to catch this stuff. hgh. -- Henry Hollenberg hgh@rcwm.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From martelm at quark.vsc.edu Tue Oct 10 13:01:02 2006 
From: martelm at quark.vsc.edu (Michael H. Martel) Date: Tue Oct 10 13:01:12 2006 Subject: version of MS that has "max spamassassin size"? In-Reply-To: <452A5808.3040900@ecs.soton.ac.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580FC69B89@isabella.herefordshire.gov.uk> <452A5808.3040900@ecs.soton.ac.uk> Message-ID: --On October 9, 2006 3:09:12 PM +0100 Julian Field wrote: > I have just done a fresh release with this problem fixed. > Sorry :-( > Wasn't having a good time then, was I? Julian, the upgrade_MailScanner_conf file is missing the execute bit in the latest distribution. Michael -- --------------------------------o--------------------------------- Michael H. Martel | Systems Administrator michael.martel@vsc.edu | Vermont State Colleges http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363 From martinh at solidstatelogic.com Tue Oct 10 13:09:21 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Oct 10 13:09:28 2006 Subject: spam after mailscanner what next? {Scanned} In-Reply-To: <452B8C57.1030207@rcwm.com> References: <452B8C57.1030207@rcwm.com> Message-ID: <452B8D71.6030901@solidstatelogic.com> Henry Hollenberg wrote: > Hey gang, > > > My mailscanner install is working very well, thanks to all on the list. > > I have noticed a couple of categories of remaining SPAM(ie > looks_like_spam_to_me) that are getting thru: > > 1) probably valid companys that would honor a request for removal from > their mailing lists. > > 2) dictionary attacks designed to beat the baysian engine/db. > > > > Number 1: > I plan on cautiously contacting the lists I identify in #1 after > manually screening them > for controlling DNS authority and double checking them on the SPAM > lists. Does this > sound reasonable? Does anyone have a better way to handle these? > > Number 2: > Have no idea how to attack these other than submitting them to spamcop > or some such. > > > Here is an example of this stuff: > > was the bass heavy style of Bob Marley?s new age reggae that allowed him > the access to the people. He abandoned the classic stylewas the bass > heavy style of Bob Marley?s new age reggae that allowed him the access > to the people. He abandoned the classic style > while living, Bob Marley continues to influence people 25 years after > his death (African Service News). His music and lyrics worked > ?If you know your history/ Then you would know where you coming from/ > Then you wouldn't have to ask me/ Who the 'eck do I thinkThere are > hundreds of thousands of people screaming for you on stage. The Prime > Minister and leader of the opposition sit in the > > > This stuff seems to do a pretty good job of defeating baysian, but it's > funny it's instantly reconizible to me as SPAM. > Maybe I need to set up a CRAY in my garage with some AI software to > catch this stuff. > > hgh. 
Hi have you installed any of the rules in www.rulesemporium.com ? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From glenn.steen at gmail.com Tue Oct 10 13:48:34 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 10 13:48:38 2006 Subject: spam after mailscanner what next? {Scanned} In-Reply-To: <452B8C57.1030207@rcwm.com> References: <452B8C57.1030207@rcwm.com> Message-ID: <223f97700610100548j1cbd8c17qa8f871e500f85709@mail.gmail.com> On 10/10/06, Henry Hollenberg wrote: > Hey gang, > > > My mailscanner install is working very well, thanks to all on the list. > > I have noticed a couple of categories of remaining SPAM(ie looks_like_spam_to_me) that are getting thru: > > 1) probably valid companys that would honor a request for removal from their mailing lists. > > 2) dictionary attacks designed to beat the baysian engine/db. > > > > Number 1: > I plan on cautiously contacting the lists I identify in #1 after manually screening them > for controlling DNS authority and double checking them on the SPAM lists. Does this > sound reasonable? Does anyone have a better way to handle these? > > Number 2: > Have no idea how to attack these other than submitting them to spamcop or some such. > > > Here is an example of this stuff: > > was the bass heavy style of Bob Marley's new age reggae that allowed him the access to the people. He abandoned the classic stylewas the bass heavy style of Bob Marley's new age reggae that allowed > him the access to the people. He abandoned the classic style > while living, Bob Marley continues to influence people 25 years after his death (African Service News). His music and lyrics worked > "If you know your history/ Then you would know where you coming from/ Then you wouldn't have to ask me/ Who the 'eck do I thinkThere are hundreds of thousands of people screaming for you on stage. The > Prime Minister and leader of the opposition sit in the > > > This stuff seems to do a pretty good job of defeating baysian, but it's funny it's instantly reconizible to me as SPAM. Usually there is some kind of image (or similar unwanted content) involved with these... 
They are pointless by themselves (as you've noted:-). Did you setup ImageInfo or FuzzyOcr (SA plugins)? Also, if someone has "washed away" the offending image/attached file, you get this type of .... crap. And then there are the broken spams... where the payload is simply missing due to spammers being klutzes:). I'm sure there are some nice rules out there to detect those... Look at www.rulesemporium.com ... > Maybe I need to set up a CRAY in my garage with some AI software to catch this stuff. Crays are overrated... Made a good sofa once upon a time though:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Tue Oct 10 14:35:56 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 10 14:36:30 2006 Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.1.7 available!] In-Reply-To: <452B7EC4.7070308@solidstatelogic.com> References: <452B7EC4.7070308@solidstatelogic.com> Message-ID: <452BA1BC.5050300@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 My ClamAV+SpamAssassin package containing 3.1.7 is up for download from www.mailscanner.info. Martin Hepworth wrote: > Fix for sa-update is now in... > > -------- Original Message -------- > Subject: ANNOUNCE: Apache SpamAssassin 3.1.7 available! > Date: Tue, 10 Oct 2006 11:57:38 +0100 
> From: jm@jmason.org (Justin Mason) > To: users@SpamAssassin.apache.org, dev@SpamAssassin.apache.org, > announce@SpamAssassin.apache.org > > Apache SpamAssassin 3.1.7 is now available! This is a maintenance > release of the 3.1.x branch. > > Downloads will be available from: > http://spamassassin.apache.org/downloads.cgi?update=200610100328 > > Note that it may take a hour or two for mirrors to update. > The release files will also be available via CPAN in the near future. > > md5sum of archive files: > 77242e45baa7e2b418e4d3f22a86a69e Mail-SpamAssassin-3.1.7.tar.bz2 > 4b342c63949d47f3ce56b3fc1c8881c1 Mail-SpamAssassin-3.1.7.tar.gz > b62794d50e0921dbb9f5211a65e4dc0e Mail-SpamAssassin-3.1.7.zip > > sha1sum of archive files: > 6660dd3aa87f4ddd3ba9b19cf232dd006c6e8219 > Mail-SpamAssassin-3.1.7.tar.bz2 > 3d31eff0eb9a158fab308958d65cdca81b8944bc > Mail-SpamAssassin-3.1.7.tar.gz > 7a882fcf4e253c9c020278f126b783ab41fe31d5 Mail-SpamAssassin-3.1.7.zip > > > The release files also have a .asc accompanying them. The file serves > as an external GPG signature for the given release file. The signing > key is available via the wwwkeys.pgp.net key server, as well as > http://spamassassin.apache.org/released/GPG-SIGNING-KEY > > The key information is: > > pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key > > Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F > A05B > > 3.1.7 is a "quick-fix" release; it contains only a fix for one bug, > introduced accidentally in 3.1.6: > > - bug 5119: if admins had set rule scores in the site configuration in > /etc, sa-update would fail. Back out this change > > > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFK6G8EfZZRxQVtlQRAvEGAJ4mFjC2p1CrhVC4Atw+Z3/5p3AI4ACfVvSY T4LZhLlj1eJI4YVcPKBQAYc= =Nrkf -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From edwardbruce at sbcglobal.net Tue Oct 10 14:36:31 2006 From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Tue Oct 10 14:36:35 2006 Subject: spam forwarding not working In-Reply-To: <223f97700610100231u162922a5l4f2fcced174ccf22@mail.gmail.com> References: <008601c6ec4b$401ef1f0$04000100@support01> <223f97700610100231u162922a5l4f2fcced174ccf22@mail.gmail.com> Message-ID: <452BA1DF.7070407@sbcglobal.net> Glenn Steen wrote: > > Virtual aliases are expanded _after_ MailScanner, so you cannot use a > virtual alias in a rule like that (for addressing). > Simply change it to the real address and things should work out OK:-). > I'm confused, do you mean _before_ MailScanner? Wouldn't after work? From root at doctor.nl2k.ab.ca Tue Oct 10 14:41:57 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Oct 10 14:42:58 2006 Subject: MailScanner 4.58 Message-ID: <20061010134157.GG27733@doctor.nl2k.ab.ca> Any Betas available Julian? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Oct 10 14:44:15 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 10 14:45:42 2006 Subject: version of MS that has "max spamassassin size"? In-Reply-To: References: <86144ED6CE5B004DA23E1EAC0B569B580FC69B89@isabella.herefordshire.gov.uk> <452A5808.3040900@ecs.soton.ac.uk> Message-ID: <452BA3AF.8080801@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael H. Martel wrote: > --On October 9, 2006 3:09:12 PM +0100 Julian Field > wrote: > >> I have just done a fresh release with this problem fixed. >> Sorry :-( >> Wasn't having a good time then, was I? > > Julian, the upgrade_MailScanner_conf file is missing the execute bit > in the latest distribution. :-( I can't be bothered to keep fixing that version now. I have just put out a new one. > > > > Michael > > -- > > --------------------------------o--------------------------------- > Michael H. Martel | Systems Administrator > michael.martel@vsc.edu | Vermont State Colleges > http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363 > > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFK6OvEfZZRxQVtlQRAkZzAKCPPNh+RdlTTCsh/379L7PWBSNIMgCgltjp NLwlIL7UVO4GyBv17lr0TJQ= =2OnS -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Tue Oct 10 14:57:38 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 10 14:57:40 2006 Subject: spam forwarding not working In-Reply-To: <452BA1DF.7070407@sbcglobal.net> References: <008601c6ec4b$401ef1f0$04000100@support01> <223f97700610100231u162922a5l4f2fcced174ccf22@mail.gmail.com> <452BA1DF.7070407@sbcglobal.net> Message-ID: <223f97700610100657w71feea1bw505884d261f4e6b1@mail.gmail.com> On 10/10/06, Ed Bruce wrote: > Glenn Steen wrote: > > > > Virtual aliases are expanded _after_ MailScanner, so you cannot use a > > virtual alias in a rule like that (for addressing). > > Simply change it to the real address and things should work out OK:-). > > > I'm confused, do you mean _before_ MailScanner? Wouldn't after work? No, you aren't confused, I am:-). Of course you are correct. Bottom line: you cannot use virtual aliases in rules like that (unless they were expanded in a separate PF thingy after MS:). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From binaryflow at gmail.com Tue Oct 10 14:57:41 2006 From: binaryflow at gmail.com (Douglas Ward) Date: Tue Oct 10 14:57:44 2006 Subject: Bayesian database not learning Message-ID: I trained my bayesian database about four weeks ago with about 600 or so ham and spam messages. Spamassassin should be autolearning based on the following defaults: bayes_auto_learn_threshold_nonspam 0.1 bayes_auto_learn_threshold_spam 12.0 In the four weeks since I trained the database it does not look like it has learned anything. When I run the sa-learn command the spam/ham count is the same as the day I trained it. Are these defaults too high/low? Should they be changed? From MailScanner at ecs.soton.ac.uk Tue Oct 10 14:59:35 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 10 15:00:04 2006 Subject: spam after mailscanner what next? {Scanned} In-Reply-To: <452B8C57.1030207@rcwm.com> References: <452B8C57.1030207@rcwm.com> Message-ID: <452BA747.3000905@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is a very common type of question: "What else can I do to reduce our incoming spam?". We should come up with a simple definitive list, not necessarily in any order other than alphabetical. Note these are not performance improvements, they are spam detection rate improvements. Shall I start the ball rolling? These are in no particular order: MailScanner phishing net ClamAV for phishing detection (most effective in US, it appears) DCC Razor Pyzor (? I don't use it and don't trust it for arbitrary reasons) SpamAssassin SARE Rules Emporium Rules_Du_Jour Bayes starter database from www.fsl.com Greylisting (stops spam zombies) Milter-null (stops joe-jobs) Milter-ahead (stops dictionary attacks) Reject unknown users in Exchange 2003 All other SA plugins mentioned in /etc/mail/spamassassin/*.pre RBLs in MailScanner (maybe advise against?) Trusted Networks setting in SA What else have I forgotten? Those are the basic ones I run on my own systems, and we get virtually no spam at all now. Note that none of them require any manual maintenance, life is too short to manually maintain blacklists (which is what Microsoft do on their own corporate setup :-) Henry Hollenberg wrote: > Hey gang, > > > My mailscanner install is working very well, thanks to all on the list. > > I have noticed a couple of categories of remaining SPAM(ie > looks_like_spam_to_me) that are getting thru: > > 1) probably valid companys that would honor a request for removal from > their mailing lists. > > 2) dictionary attacks designed to beat the baysian engine/db. 
> > > > Number 1: > I plan on cautiously contacting the lists I identify in #1 after > manually screening them > for controlling DNS authority and double checking them on the SPAM > lists. Does this > sound reasonable? Does anyone have a better way to handle these? > > Number 2: > Have no idea how to attack these other than submitting them to spamcop > or some such. > > > Here is an example of this stuff: > > was the bass heavy style of Bob Marley?s new age reggae that allowed > him the access to the people. He abandoned the classic stylewas the > bass heavy style of Bob Marley?s new age reggae that allowed him the > access to the people. He abandoned the classic style > while living, Bob Marley continues to influence people 25 years after > his death (African Service News). His music and lyrics worked > ?If you know your history/ Then you would know where you coming from/ > Then you wouldn't have to ask me/ Who the 'eck do I thinkThere are > hundreds of thousands of people screaming for you on stage. The Prime > Minister and leader of the opposition sit in the > > > This stuff seems to do a pretty good job of defeating baysian, but > it's funny it's instantly reconizible to me as SPAM. > Maybe I need to set up a CRAY in my garage with some AI software to > catch this stuff. > > hgh. Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: windows-1252 wj8DBQFFK6dHEfZZRxQVtlQRAtglAJ98aHHFhL3p9NKg66gZVun8RmGMmACfYeVh GaLfv8nKKj/t9r8QDQ6luxQ= =VFv1 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Oct 10 15:07:16 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 10 15:07:44 2006 Subject: MailScanner 4.58 In-Reply-To: <20061010134157.GG27733@doctor.nl2k.ab.ca> References: <20061010134157.GG27733@doctor.nl2k.ab.ca> Message-ID: <452BA914.2050006@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 4.57.1-1 is up on the web site now. Has a new setting "Max Spam Check Size". Messages bigger than this are assumed to not be spam. This significantly speeds up spam checking. Spammers cannot afford to send huge messages, they want to use their bandwidth sending more smaller messages as it pays better. Default limit is 150k, which apparently is a very safe figure for this test. Please can you let me know your experience with this. It should make testing large messages a lot faster, as large messages take a long time to process with SpamAssassin. I am about to upgrade my test server to see what happens to the load average on it (currently about 8 - 10 with pretty small message batches). It doesn't start to sweat until the load average gets over 16 as it has roughly that many threads in the CPUs (quad-CPU, dual-core, hyperthreading). Regards, Jules. Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > Any Betas available Julian? > > Jules - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFK6kUEfZZRxQVtlQRAlBKAJ9mmsdDlJJL+ho7ZKCELg4/ePg3agCglktg PtnbffeoipK1c5c3gjRWryc= =6heE -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk

From bpumphrey at woodmclaw.com Tue Oct 10 15:13:34 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Tue Oct 10 15:13:48 2006
Subject: spam.assassin.prefs.conf.rpmnew file
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F30@woodenex.woodmaclaw.local>

I just noticed this file in my /etc/MailScanner directory. I do not
know whether it came from MailScanner or spamassassin. I believe
MailScanner. I do not remember this file being in the upgrades before.
Do you renew this file in the same manner that you do with the
MailScanner.conf file?

Where I was looking on the WIKI on the last upgrade procedures:
http://wiki.mailscanner.info/doku.php?id=documentation:install_upgrade:upgrade:rpm

Billy Pumphrey
IT Manager
Wooden & McLaughlin

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From bpumphrey at woodmclaw.com Tue Oct 10 15:16:38 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Tue Oct 10 15:16:57 2006
Subject: Bayesian database not learning
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F31@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Douglas Ward
> Sent: Tuesday, October 10, 2006 9:58 AM
> To: MailScanner discussion
> Subject: Bayesian database not learning
>
> I trained my bayesian database about four weeks ago with about 600 or
> so ham and spam messages. Spamassassin should be autolearning based
> on the following defaults:
>
> bayes_auto_learn_threshold_nonspam 0.1
> bayes_auto_learn_threshold_spam 12.0
>
> In the four weeks since I trained the database it does not look like
> it has learned anything. When I run the sa-learn command the spam/ham
> count is the same as the day I trained it. Are these defaults too
> high/low? Should they be changed?
> --

Make sure that you are training and looking at the correct bayes
database. See the spam.assassin.prefs.conf file for the bayes database
location.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ylacan at teicam.com Tue Oct 10 15:19:43 2006
From: ylacan at teicam.com (Youri LACAN-BARTLEY)
Date: Tue Oct 10 15:20:01 2006
Subject: Bayesian database not learning
In-Reply-To:
References:
Message-ID: <452BABFF.4000507@teicam.com>

Douglas Ward wrote:
> bayes_auto_learn_threshold_nonspam 0.1
> bayes_auto_learn_threshold_spam 12.0

I'd say that 12.0 is a little too high a threshold ...
But I guess that depends on the rule sets you use with SA ...

But that's just my non enlightened insight to your request :)

--
This message has been checked by MailScanner
for viruses or spam and nothing
suspicious was found.

From dward at nccumc.org Tue Oct 10 15:20:34 2006
From: dward at nccumc.org (Douglas Ward) Date: Tue Oct 10 15:20:35 2006 Subject: Bayesian database not learning In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F31@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501C13F31@woodenex.woodmaclaw.local> Message-ID: I did check that. Wouldn't sa-learn know which database it was using to learn? On 10/10/06, Billy A. Pumphrey wrote: > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Douglas Ward > > Sent: Tuesday, October 10, 2006 9:58 AM > > To: MailScanner discussion > > Subject: Bayesian database not learning > > > > I trained my bayesian database about four weeks ago with about 600 or > > so ham and spam messages. Spamassassin should be autolearning based > > on the following defaults: > > > > bayes_auto_learn_threshold_nonspam 0.1 > > bayes_auto_learn_threshold_spam 12.0 > > > > In the four weeks since I trained the database it does not look like > > it has learned anything. When I run the sa-learn command the spam/ham > > count is the same as the day I trained it. Are these defaults to > > high/low? Should they be changed? > > -- > > Make sure that you are training and looking at the correct bayes > database. See the spam.assassin.prefs.conf file for the bayes database > location. > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From bpumphrey at woodmclaw.com Tue Oct 10 15:43:13 2006 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Tue Oct 10 15:43:33 2006 Subject: Bayesian database not learning In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F33@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Douglas Ward
> Sent: Tuesday, October 10, 2006 10:21 AM
> To: MailScanner discussion
> Subject: Re: Bayesian database not learning
>
> I did check that. Wouldn't sa-learn know which database it was using to
> learn?
>

By default it will use a different database, /root/.spamassassin/ I
believe. From my experience, you have to specify the -p for the conf
file. I tested this by doing a sa-learn without it and then checked the
bayes database with the dump command and there were no new updates. I
added the -p command and the bayes was updated. Looks like you may not
have to add the -p to the sa-learn dump command though, although you may
want to make sure yourself.

Here are my notes from when I set my learning up:

sa-learn --dump magic
This will show you how many emails bayes has learned
http://www.annodex.net/cgi-bin/man/man2html?sa-learn+1
Good link

HERE IS WHAT TO USE for the spam from exchange to linux learn:
As the spam user:
For spam
1. fetchmail --folder spam --all (logged in as spam)
2. Log in as root
3. sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --mbox --no-sync --showdots --spam /var/spool/mail/spam
4. rm -f /var/spool/mail/spam
5. touch /var/spool/mail/spam
6. sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --sync

For ham
1. fetchmail --folder ham --all (logged in as spam)
2. Log in as root
3. sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --mbox --no-sync --showdots --ham /var/spool/mail/spam
4. rm -f /var/spool/mail/spam
5. touch /var/spool/mail/spam
6. sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --sync

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From lodder at delodder.be Tue Oct 10 16:07:04 2006
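
The before/after check described in the message above (dump the counters, train, dump again) can be scripted. This is an added example, not code from the thread: the function names and both sample dumps are constructed for illustration, and `snapshot` assumes the prefs path quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Compares the nspam/nham counters in two
# `sa-learn --dump magic` snapshots to show whether training reached the
# database that was dumped.

# Constructed sample output. Magic records carry their value in column 3.
BEFORE='0.000          0          3          0  non-token data: bayes db version
0.000          0        612          0  non-token data: nspam
0.000          0        598          0  non-token data: nham
0.000          0     121407          0  non-token data: ntokens'

# Constructed: sa-learn wrote to some other database, so nothing moved here.
AFTER_WRONG_DB=$BEFORE

# Constructed: 28 spam messages were learned into this database.
AFTER_RIGHT_DB='0.000          0          3          0  non-token data: bayes db version
0.000          0        640          0  non-token data: nspam
0.000          0        598          0  non-token data: nham
0.000          0     124980          0  non-token data: ntokens'

# snapshot [PREFS]: dump the live database named by PREFS (path from the thread).
snapshot() {
    sa-learn -p "${1:-/etc/MailScanner/spam.assassin.prefs.conf}" --dump magic
}

# magic_count FIELD: read a dump on stdin and print the counter for FIELD
# (nspam, nham or ntokens). Fails if the dump has no such record.
magic_count() {
    awk -v field="$1" '
        $5 == "non-token" && $6 == "data:" && $7 == field && NF == 7 {
            print $3; found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# learned_delta BEFORE AFTER: print "spam=N ham=M" (messages gained).
# Returns 1 when neither counter grew, 2 when a dump cannot be parsed.
learned_delta() {
    s0=$(printf '%s\n' "$1" | magic_count nspam) || return 2
    h0=$(printf '%s\n' "$1" | magic_count nham) || return 2
    s1=$(printf '%s\n' "$2" | magic_count nspam) || return 2
    h1=$(printf '%s\n' "$2" | magic_count nham) || return 2
    echo "spam=$((s1 - s0)) ham=$((h1 - h0))"
    [ "$s1" -gt "$s0" ] || [ "$h1" -gt "$h0" ]
}

for after in "$AFTER_WRONG_DB" "$AFTER_RIGHT_DB"; do
    if delta=$(learned_delta "$BEFORE" "$after"); then
        echo "learned: $delta"
    else
        echo "nothing learned ($delta): sa-learn trained a different database"
    fi
done

# On a live host (needs sa-learn, so not run here):
#   before=$(snapshot)
#   ... run the sa-learn training step from the notes above ...
#   after=$(snapshot); learned_delta "$before" "$after"
```
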
From: lodder at delodder.be (Philippe Delodder) Date: Tue Oct 10 16:07:32 2006 Subject: dcc problem Message-ID: <452BB718.2030400@delodder.be> Hi, when i run spamassassin --lint -D i'm getting the following error: warn: config: failed to parse line, skipping: dcc_path /usr/bin/dccproc how can i solve this i installed it and i checked the config file i'm running gentoo with SpamAssassin version 3.1.3 running on Perl version 5.8.8 MailScanner E-Mail Virus Scanner version 4.54.6 postfix version 2.2.10 -- Philippe Delodder lodder@delodder.be http://www.delodder.be -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061010/933d62e6/signature.bin From martinh at solidstatelogic.com Tue Oct 10 16:15:34 2006 
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Oct 10 16:15:45 2006
Subject: dcc problem
In-Reply-To: <452BB718.2030400@delodder.be>
References: <452BB718.2030400@delodder.be>
Message-ID: <452BB916.9050500@solidstatelogic.com>

Philippe Delodder wrote:
> Hi,
>
> when i run spamassassin --lint -D i'm getting the following error:
> warn: config: failed to parse line, skipping: dcc_path /usr/bin/dccproc
>
> how can i solve this i installed it and i checked the config file
>
> i'm running gentoo with
> SpamAssassin version 3.1.3
> running on Perl version 5.8.8
> MailScanner E-Mail Virus Scanner version 4.54.6
> postfix version 2.2.10
>
>

Philippe

is the dcc plugin installed in one of the /etc/mail/spamassassin/**.pre files?
By default it's commented out due to DCC licencing restrictions.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From bpumphrey at woodmclaw.com Tue Oct 10 16:17:02 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Tue Oct 10 16:17:15 2006
Subject: dcc problem
In-Reply-To: <452BB718.2030400@delodder.be>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F34@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Philippe Delodder > Sent: Tuesday, October 10, 2006 11:07 AM > To: MailScanner discussion > Subject: dcc problem > > Hi, > > when i run spamassassin --lint -D i'm getting the following error: > warn: config: failed to parse line, skipping: dcc_path /usr/bin/dccproc > > how can i solve this i installed it and i checked the config file > > i'm running gentoo with > SpamAssassin version 3.1.3 > running on Perl version 5.8.8 > MailScanner E-Mail Virus Scanner version 4.54.6 > postfix version 2.2.10 > > -- > Philippe Delodder > lodder@delodder.be > http://www.delodder.be > You have to specify the config file. Assuming you are logged in as root, try: spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf If you are doing the lint in mailwatch, it is using a different user name. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mkettler at evi-inc.com Tue Oct 10 16:28:44 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Oct 10 16:28:57 2006 Subject: dcc problem In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F34@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501C13F34@woodenex.woodmaclaw.local> Message-ID: <452BBC2C.90101@evi-inc.com> Billy A. Pumphrey wrote: >> -----Original Message----- > > You have to specify the config file. Assuming you are logged in as > root, try: > > spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf That's generally not needed anymore. spam.assassin.prefs.conf should be a symlink to /etc/mail/spamassassin/mailscanner.cf on any reasonably recent version of MailScanner. adding the -p is redundant, and wouldn't fix this problem anyway. Martin probably nailed it, you need to load the DCC plugin in order to use DCC options. Otherwise you'll get parse failures. > If you are doing the lint in mailwatch, it is using a different user > name. From glenn.steen at gmail.com Tue Oct 10 16:51:22 2006 
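
The diagnosis given in the replies above (`dcc_path` only parses once a `.pre` file loads the DCC plugin), as an added shell example that is not part of the thread. The function names and the sample files are constructed for illustration; on a real host, point `plugin_state` at /etc/mail/spamassassin.

```shell
#!/bin/sh
# Added example (not from the thread). Explains the lint warning
#   "failed to parse line, skipping: dcc_path /usr/bin/dccproc"
# by checking whether the plugin that defines dcc_* options is loaded.

DCC_PLUGIN='Mail::SpamAssassin::Plugin::DCC'

# plugin_state PREDIR: print loaded | commented | absent for the DCC plugin,
# judged from the loadplugin lines in PREDIR/*.pre.
plugin_state() {
    state=absent
    for f in "$1"/*.pre; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*loadplugin[[:space:]]+${DCC_PLUGIN}([[:space:]]|\$)" "$f"; then
            state=loaded
            break
        elif grep -Eq "^[[:space:]]*#+[[:space:]]*loadplugin[[:space:]]+${DCC_PLUGIN}([[:space:]]|\$)" "$f"; then
            state=commented
        fi
    done
    echo "$state"
}

# dcc_lint PREFS PREDIR: list each dcc_* option set in PREFS with the plugin
# state. Returns 1 when options are set but the plugin is not loaded, which is
# the case where lint skips the line.
dcc_lint() {
    pstate=$(plugin_state "$2")
    opts=$(awk '$1 ~ /^dcc_/ { print $1 }' "$1" | sort -u)
    if [ -z "$opts" ]; then
        echo "no dcc_* options in $1"
        return 0
    fi
    for o in $opts; do
        echo "$o: plugin $pstate"
    done
    [ "$pstate" = loaded ]
}

# make_sample DIR: write constructed config files (not copied from any host).
make_sample() {
    mkdir -p "$1/pre"
    printf '%s\n' 'loadplugin Mail::SpamAssassin::Plugin::URIDNSBL' > "$1/pre/init.pre"
    printf '%s\n' '# DCC is shipped disabled' \
                  '#loadplugin Mail::SpamAssassin::Plugin::DCC' \
                  'loadplugin Mail::SpamAssassin::Plugin::Razor2' > "$1/pre/v310.pre"
    printf '%s\n' 'bayes_auto_learn 1' 'dcc_path /usr/bin/dccproc' > "$1/prefs.conf"
}

# enable_dcc DIR: uncomment the loadplugin line, as an admin would by hand.
enable_dcc() {
    sed "s/^#loadplugin \(${DCC_PLUGIN}\)\$/loadplugin \1/" "$1/pre/v310.pre" \
        > "$1/pre/v310.pre.new" && mv "$1/pre/v310.pre.new" "$1/pre/v310.pre"
}

demo=$(mktemp -d)
make_sample "$demo"
dcc_lint "$demo/prefs.conf" "$demo/pre" || echo "-> dcc_path is skipped at parse time"
enable_dcc "$demo"
dcc_lint "$demo/prefs.conf" "$demo/pre" && echo "-> dcc_path now parses"
rm -rf "$demo"
```

After changing a `.pre` file on a real system, rerun `spamassassin -D --lint` as in the thread to confirm the warning is gone.
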
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 10 16:51:25 2006 Subject: spam.assassin.prefs.conf.rpmnew file In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F30@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501C13F30@woodenex.woodmaclaw.local> Message-ID: <223f97700610100851p26d7c494ic996e8a1f35d89e8@mail.gmail.com> On 10/10/06, Billy A. Pumphrey wrote: > I just noticed this file in my /etc/MailScanner directory. I do not > know whether it came from MailScanner or spamassassin. I believe > MailScanner. I do not remember this file being in the upgrades before. > Do you renew this file is the same manner that you do with the > MailScanner.conf file? > > Where I was looking on the WIKI on the last upgrade procedures: > http://wiki.mailscanner.info/doku.php?id=documentation:install_upgrade:u > pgrade:rpm > It is an effect of the RPM install of mailscanner, yes. Since this one is bound to differ a bit (if it gets created:-), between setups/organizations, and not being that huge... you get to manage that one by yourself;-). Just diff it (or manually compare) and merge in the settings you like into/out from spam.assassin.prefs.conf ... then remove the rpmnew file. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From eneal at dfi-intl.com Tue Oct 10 16:57:24 2006 From: eneal at dfi-intl.com (Errol Neal) Date: Tue Oct 10 16:57:30 2006 Subject: Calling All Network Administrators in the DC AREA Message-ID: My company is looking to hire a network admin. Windows, Cisco, Unix. If you have the following, want employment 60K+ let me know. __________________________________________ Errol Uriel Neal Jr. Sr. Network Administrator DFI International, Inc. 1717 Pennsylvania Ave NW, Suite 1300 Washington, DC 20006 Tel (202)452-6955 Fax (202)452-6910 eneal@dfi-intl.com www.dfi-intl.com From derek at adcatanzaro.com Tue Oct 10 17:02:47 2006 
From: derek at adcatanzaro.com (Derek Catanzaro) Date: Tue Oct 10 17:03:11 2006 Subject: OT - Mail Backing up while SpamAssassin is in Use In-Reply-To: References: <452A5FD6.80604@adcatanzaro.com> <452A6D99.5030005@sendit.nodak.edu> <452A76FB.200@adcatanzaro.com> <452A84C8.6030902@adcatanzaro.com> Message-ID: <452BC427.6010201@adcatanzaro.com> Mark Nienberg wrote: > Derek Catanzaro wrote: >> processed per day. Is there any way for me to find out how many >> messages have been processed by MailScanner without implementing >> mailscanner-MRTG or mailwatch? > > [root@tesla etc]# logwatch --service mailscanner --range yesterday > --print > > I can't recall which version of logwatch came with Fedora Core 1, but > you'll want to upgrade to the latest version available at logwatch.org. > Thanks for the info Mark. Worked great once I upgraded logwatch. Quick and easy way to get a snapshot of the stats without putting any extra load on the server. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dward at nccumc.org Tue Oct 10 17:09:41 2006 
From: dward at nccumc.org (Douglas Ward) Date: Tue Oct 10 17:09:44 2006 Subject: Bayesian database not learning In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F33@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501C13F33@woodenex.woodmaclaw.local> Message-ID: Thank you for this information. I checked /root/.spamassassin and saw a 1 kb bayes database. I assume this is the blank database created by spamassassin upon installation. My real bayes database is over 2.5 mb. Since I am not using the blank bayes db I deleted it. I then ran the following commands: sa-learn --dump magic sa-learn --dump magic -p /etc/MailScanner/spam.assassin.prefs.conf Both returned the same number of spam/ham tokens. I think the problem spam wise is that my learn value (12.0) is too high. I am curious about the low end value (0.1). Does this catch negative scores? Most of our ham scores less than zero but it is not learned either. The message that I received this morning with a score of 16.5 surely should have trained the tokens. Time for the potentially silly question: What value should bayes_auto_learn have (0 or 1)? How about bayes_auto_expire? On 10/10/06, Billy A. Pumphrey wrote: > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Douglas Ward
> > Sent: Tuesday, October 10, 2006 10:21 AM
> > To: MailScanner discussion
> > Subject: Re: Bayesian database not learning
> >
> > I did check that. Wouldn't sa-learn know which database it was using to
> > learn?
> >
>
> By default it will use a different database, /root/.spamassassin/ I
> believe. From my experience, you have to specify the -p for the conf
> file. I tested this by doing a sa-learn without it and then checked the
> bayes database with the dump command and there were no new updates. I
> added the -p command and the bayes was updated. Looks like you may not
> have to add the -p to the sa-learn dump command though, although you may
> want to make sure yourself.
>
> Here are my notes from when I set my learning up:
>
> sa-learn --dump magic
> This will show you how many emails bayes has learned
> http://www.annodex.net/cgi-bin/man/man2html?sa-learn+1
> Good link
>
> HERE IS WHAT TO USE for the spam from exchange to linux learn:
> As the spam user:
> For spam
> 1. fetchmail --folder spam --all (logged in as spam)
> 2. Log in as root
> 3. sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --mbox --no-sync --showdots --spam /var/spool/mail/spam
> 4. rm -f /var/spool/mail/spam
> 5. touch /var/spool/mail/spam
> 6. sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --sync
>
> For ham
> 1. fetchmail --folder ham --all (logged in as spam)
> 2. Log in as root
> 3. sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --mbox --no-sync --showdots --ham /var/spool/mail/spam
> 4. rm -f /var/spool/mail/spam
> 5. touch /var/spool/mail/spam
> 6. sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --sync
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ylacan at teicam.com Tue Oct 10 17:31:57 2006 From: ylacan at teicam.com (Youri LACAN-BARTLEY) Date: Tue Oct 10 17:32:19 2006 Subject: Bayesian database not learning In-Reply-To: References: <04D932B0071FE34FA63EBB1977B48D1501C13F33@woodenex.woodmaclaw.local> Message-ID: <452BCAFD.5050704@teicam.com> Douglas Ward wrote: > Time for the potentially silly question: What value should > bayes_auto_learn have (0 or 1)? How about bayes_auto_expire? Well I can answer for sure, that you would be interested in setting bayes_auto_learn to 1 in order to avoid manually teaching spam through sa-learn. However, I guess that in the meantime you should check that your bayes system is fully operational before switching auto-learning on. But then again, I've never had any problems with running bayes and I'm afraid I can't help you much on the issue here. Good luck ! -- Cordialement, Youri LACAN-BARTLEY PCAM Espace HERVANN 641 Chemin des terriers 06600 ANTIBES Tel: 04.93.33.26.25 Fax: 04.93.33.73.45 -- Ce message a ?t? v?rifi? par MailScanner pour des virus ou des polluriels et rien de suspect n'a ?t? trouv?. From lisa.wu at syntricity.com Tue Oct 10 18:21:24 2006 
From: lisa.wu at syntricity.com (Lisa Wu) Date: Tue Oct 10 18:21:29 2006 Subject: Sophos/MailScanner Message-ID: <008f01c6ec90$83220b50$9908a8c0@syntricity.com> Hi, My server: Postfix 2.2.10 Dovecot 1.0 beta 8 Mailscanner 4.51.5 SpamAssassin 3.1.1 Once in a while the server will fail to download its updates from Sophos. (The cause being that our T1 line went down). Then the mail log starts posting MailScanner error messages every 10 seconds until a successful update occurs: Sep 6 14:06:50 mail MailScanner[30864]: None of the files matched by the "Monitors For Sophos Updates" patterns exist! Because of this error the queue starts placing all messages on hold. My solution (probably the wrong way to do this) was to create a script that runs every 10 minutes to manually release all held messages and flush the queue. I've searched Google, I've searched the MailScanner archives, and I've contacted Sophos. I went over the different configurations options in attempts to figure out a way of working around this behavior. Would I have to temporarily comment out the Mailscanner portion of my Postfix config to allow for normal internal mail flow? I know I risk the chance of viruses if I do this, which is why I was hoping there's a way of using the old Sophos IDES. Any help regarding this problem would be helpful. Thanks, Lisa Wu From taz at taz-mania.com Tue Oct 10 18:58:05 2006 
From: taz at taz-mania.com (Dennis Willson) Date: Tue Oct 10 18:58:10 2006 Subject: Calling All Network Administrators in the DC AREA In-Reply-To: Message-ID: I don't know about anyone else, but I find this a little too off topic. Also, I don't know about in DC, but here in the SF bay area, the Microsoft Jr admins make that much... Real network admins get twice that (and some make even more than that). On Tue, 10 Oct 2006 11:57:24 -0400 "Errol Neal" wrote: >My company is looking to hire a network admin. Windows, Cisco, Unix. >If >you have the following, want employment 60K+ let me know. > > > >__________________________________________ >Errol Uriel Neal Jr. >Sr. Network Administrator >DFI International, Inc. >1717 Pennsylvania Ave NW, Suite 1300 >Washington, DC 20006 >Tel (202)452-6955 >Fax (202)452-6910 >eneal@dfi-intl.com >www.dfi-intl.com > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From mailscanner at PDSCC.COM Tue Oct 10 19:03:24 2006 
From: mailscanner at PDSCC.COM (Harondel J. Sibble) Date: Tue Oct 10 19:03:34 2006 Subject: procedures for getting stuff out of the quarantine on older MS version In-Reply-To: <43E77D59.1030007@ecs.soton.ac.uk> References: <200507021155.EAA08363@sheridan.sibble.net>, <200602100349.TAA26624@sheridan.sibble.net>, <43E77D59.1030007@ecs.soton.ac.uk> Message-ID: <200610101803.k9AI3Ox7008337@sinclaire.sibble.net> Julian, did this ever get released? I just checked the wiki again and don't see anything much different than last I looked On 6 Feb 2006 at 16:46, Julian Field wrote: > It's finally in beta-testing. The guy who wrote it rather tailored it to > our site unfortunately. I'll let you know when there is something > presentable for you. > > Harondel J. Sibble wrote: > > Julian, did this ever get implemented? I don't see anything in the wiki about > > this... > > > > On 30 Jun 2005 at 11:48, Julian Field wrote: > > > > > >> What may be some use is a system we are working on here that will > >> allow users to retrieve files from the quarantine, with a sysadmin > >> approving or denying each case given the relevant log entries to look > >> at. > >> > >> This may be the solution for you. The guys working on it are busy > >> with other things today, but I would hope this system will be up and > >> running within the next couple of weeks or so. So version 1 will be > >> out then, and we will develop and improve the system once we start > >> using it in production. > >> > >> This will be available free from www.mailscanner.info. > >> > >> On 30 Jun 2005, at 07:28, Harondel J. Sibble wrote: > >> > >> > >>> Forgot to mention, this is a mail relay box/frontend for the > >>> internal Samsung > >>> Contact machine that hosts all the mail and mail accounts. > >>> > >>> On 29 Jun 2005 at 23:21, Harondel J. 
Sibble wrote: > >>> > >>> > >>> > >>>> Have a mail relay box running an older version of MS, 4.25-14 to > >>>> be exact, > >>>> plans are to upgrade it in the next few weeks to the latest > >>>> version, however, > >>>> one small problem, wondering how other folks solved this, had a > >>>> look at the > >>>> maq's and faq's but didn't see anything specific to this: > >>>> -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From bpumphrey at woodmclaw.com Tue Oct 10 19:30:15 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Tue Oct 10 19:30:40 2006 Subject: spam.assassin.prefs.conf.rpmnew file In-Reply-To: <223f97700610100851p26d7c494ic996e8a1f35d89e8@mail.gmail.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F36@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: Tuesday, October 10, 2006 11:51 AM > To: MailScanner discussion > Subject: Re: spam.assassin.prefs.conf.rpmnew file > > On 10/10/06, Billy A. Pumphrey wrote: > > I just noticed this file in my /etc/MailScanner directory. I do not > > know whether it came from MailScanner or spamassassin. I believe > > MailScanner. I do not remember this file being in the upgrades before. > > Do you renew this file is the same manner that you do with the > > MailScanner.conf file? > > > > Where I was looking on the WIKI on the last upgrade procedures: > > http://wiki.mailscanner.info/doku.php?id=documentation:install_upgrade:u > > pgrade:rpm > > > It is an effect of the RPM install of mailscanner, yes. Since this one > is bound to differ a bit (if it gets created:-), between > setups/organizations, and not being that huge... you get to manage > that one by yourself;-). > Just diff it (or manually compare) and merge in the settings you like > into/out from spam.assassin.prefs.conf ... then remove the rpmnew > file. > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- Ok, thank you -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dward at nccumc.org Tue Oct 10 19:34:54 2006 
From: dward at nccumc.org (Douglas Ward) Date: Tue Oct 10 19:34:56 2006 Subject: Bayesian database not learning In-Reply-To: <452BCAFD.5050704@teicam.com> References: <04D932B0071FE34FA63EBB1977B48D1501C13F33@woodenex.woodmaclaw.local> <452BCAFD.5050704@teicam.com> Message-ID: I ran spamassassin -D --lint with no errors. The bayes_auto_learn flag is set to 1. Maybe I need to adjust the upper value down. How about the lower value? Should it stay at 0.1? On 10/10/06, Youri LACAN-BARTLEY wrote: > Douglas Ward wrote: > > Time for the potentially silly question: What value should > > bayes_auto_learn have (0 or 1)? How about bayes_auto_expire? > Well I can answer for sure, that you would be interested in setting > bayes_auto_learn to 1 in order to avoid manually teaching spam through > sa-learn. > However, I guess that in the meantime you should check that your bayes > system is fully operational before switching auto-learning on. > > But then again, I've never had any problems with running bayes and I'm > afraid I can't help you much on the issue here. > > Good luck ! > > -- > Cordialement, > > Youri LACAN-BARTLEY > > PCAM > Espace HERVANN > 641 Chemin des terriers > 06600 ANTIBES > Tel: 04.93.33.26.25 > Fax: 04.93.33.73.45 > > > -- > Ce message a ?t? v?rifi? par MailScanner > pour des virus ou des polluriels et rien de > suspect n'a ?t? trouv?. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From eneal at dfi-intl.com Tue Oct 10 19:59:32 2006 
From: eneal at dfi-intl.com (Errol Neal)
Date: Tue Oct 10 19:59:38 2006
Subject: Calling All Network Administrators in the DC AREA
Message-ID:

Of course it was off topic. This isn't a recruiting list... Listen, I
like this list. I've been subscribed to it for a number of years, I was
'trying' to help someone out who might be job searching. I ain't a
recruiter, I don't make money off of it. It's really just trying to do
someone a favor. So if you want to start a fire storm to get my head
chopped off, go right ahead. My intentions are to help a fella out...
I'm sure if you weren't in SF making 120K, but in DC and trying to feed
your family, you'd appreciate a bit of a lead...

>> I don't know about anyone else, but I find this a little too off topic.
>> Also, I don't know about in DC, but here in the SF bay area, the Microsoft Jr admins make that much... Real network
>> admins get twice that (and some make even more than that).

From mwilson at cobasys.com Tue Oct 10 19:57:26 2006
From: mwilson at cobasys.com (Mike Wilson)
Date: Tue Oct 10 21:39:09 2006
Subject: Calling All Network Administrators in the DC AREA
Message-ID: <2C7100720056A2408E0DC6795A5CDF0A01B1DA13@COBS-EXCH-01.texaco.ovonic>

Not worth it, cost of living requires more than that.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dennis Willson Sent: Tuesday, October 10, 2006 1:58 PM To: MailScanner discussion Subject: Re: Calling All Network Administrators in the DC AREA I don't know about anyone else, but I find this a little too off topic. Also, I don't know about in DC, but here in the SF bay area, the Microsoft Jr admins make that much... Real network admins get twice that (and some make even more than that). On Tue, 10 Oct 2006 11:57:24 -0400 "Errol Neal" wrote: >My company is looking to hire a network admin. Windows, Cisco, Unix. >If >you have the following, want employment 60K+ let me know. > > > >__________________________________________ >Errol Uriel Neal Jr. >Sr. Network Administrator >DFI International, Inc. >1717 Pennsylvania Ave NW, Suite 1300 >Washington, DC 20006 >Tel (202)452-6955 >Fax (202)452-6910 >eneal@dfi-intl.com >www.dfi-intl.com > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
--------------------------------------------- This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. Readers of this message who are not the intended recipients, or the employees or agents responsible for delivering the message to the intended recipients, are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. --------------------------------------------- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at berger.nl Tue Oct 10 21:49:21 2006
From: mailscanner at berger.nl (mailscanner@berger.nl) Date: Tue Oct 10 21:49:45 2006 Subject: idea for next version Message-ID: <1160513361.3522@bsd4.nedport.net> Well, I am happily using mailscanner for a while now and it still works great. So I was checking mailwatch this evening and I found out that the spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. This is quiet logical because at daytime everybody is working and at night (well here in europe) only spammers are working. This can be used for the spamfiltering. I think if it is possible to f.e. do, "spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more highscoring spam at night. Offcourse it will also hit ham, but as there is much less ham at night the possibility is less. Then, most off the overnight ham is mailinglist which are often whitelisted. Any ideas? Roger From campbell at cnpapers.com Tue Oct 10 22:06:40 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Oct 10 22:06:50 2006 Subject: idea for next version References: <1160513361.3522@bsd4.nedport.net> Message-ID: <001701c6ecaf$fb659bd0$0705000a@DDF5DW71> ----- Original Message ----- 
From: To: Sent: Tuesday, October 10, 2006 4:49 PM Subject: idea for next version > Well, I am happily using mailscanner for a while now and it still works > great. > > So I was checking mailwatch this evening and I found out that the spam / > ham percentage is 60% / 40% at daytime and 95% / 5% at night. This is > quiet logical because at daytime everybody is working and at night (well > here in europe) only spammers are working. This can be used for the > spamfiltering. I think if it is possible to f.e. do, "spamscore * 1.2" > between 11:00 pm and 7:00 am, it will hit more highscoring spam at night. > Offcourse it will also hit ham, but as there is much less ham at night the > possibility is less. Then, most off the overnight ham is mailinglist which > are often whitelisted. > > Any ideas? > > Roger > I tend to look at this in a different light. Spam is spam, and should be caught by rules, etc regardless of the time it arrives. Ham is the same also regardless of it's arrival time. A good set of rules should work fine any time of the day. The percentages only indicate when people are sending mail, so this is a useless figure for comparing day/night averages. For instance, if the same message that came in at night were resent during the day, how should the mail be treated? Different score and action? Steve From evan at espphotography.com Tue Oct 10 22:20:13 2006 
From: evan at espphotography.com (Evan Platt) Date: Tue Oct 10 22:20:31 2006 Subject: idea for next version In-Reply-To: <1160513361.3522@bsd4.nedport.net> References: <1160513361.3522@bsd4.nedport.net> Message-ID: <200610102105.OAA20689@partners7.yack.com> At 01:49 PM 10/10/2006, you wrote: >Well, I am happily using mailscanner for a while now and it still works great. > >So I was checking mailwatch this evening and I found out that the >spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. >This is quiet logical because at daytime everybody is working and at >night (well here in europe) only spammers are working. This can be >used for the spamfiltering. I think if it is possible to f.e. do, >"spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more >highscoring spam at night. Offcourse it will also hit ham, but as >there is much less ham at night the possibility is less. Then, most >off the overnight ham is mailinglist which are often whitelisted. Day / night where? My timezone? Your timezone? Sending domain timezone? Even in the same country, this can be an issue - here in California at 10 PM at night, it's 1 AM east coast time. Likewise, at 6 AM on the east coast, it's 3 AM here. Then the problem is what about delays just because of whatever? Say someone tries to e-mail me at 5 PM, but my server is down. So their mail server tries again at 2 AM. Should that message be given a higher score because it came in at 2 AM? Just some points to ponder.... Evan From micoots at yahoo.com Tue Oct 10 22:42:34 2006 
From: micoots at yahoo.com (Michael Mansour) Date: Tue Oct 10 22:42:38 2006 Subject: Virus detected: deleted store Message-ID: <20061010214234.16624.qmail@web33312.mail.mud.yahoo.com> Hi, I want to auto-delete a virus detected email but still store it in MailWatch. Do I just do this in this file: spam.actions.rules with the following statement: Virus: *@domain.com delete store ?? Thanks. Michael. ____________________________________________________ On Yahoo!7 Caller tones: Replace your ring tone with your favourite sound clip! http://callertones.yahoo7.mnetcorporation.com/ctonesmailtag From lshaw at emitinc.com Tue Oct 10 23:12:16 2006 
From: lshaw at emitinc.com (Logan Shaw) Date: Tue Oct 10 23:12:32 2006 Subject: idea for next version In-Reply-To: <001701c6ecaf$fb659bd0$0705000a@DDF5DW71> References: <1160513361.3522@bsd4.nedport.net> <001701c6ecaf$fb659bd0$0705000a@DDF5DW71> Message-ID: Roger wrote: >> So I was checking mailwatch this evening and I found out that the spam / >> ham percentage is 60% / 40% at daytime and 95% / 5% at night. This is quiet >> logical because at daytime everybody is working and at night (well here in >> europe) only spammers are working. This can be used for the spamfiltering. >> I think if it is possible to f.e. do, "spamscore * 1.2" between 11:00 pm >> and 7:00 am, it will hit more highscoring spam at night. Offcourse it will >> also hit ham, but as there is much less ham at night the possibility is >> less. On Tue, 10 Oct 2006, Steve Campbell wrote: > I tend to look at this in a different light. Spam is spam, and should be > caught by rules, etc regardless of the time it arrives. Ham is the same also > regardless of it's arrival time. A good set of rules should work fine any > time of the day. The percentages only indicate when people are sending mail, > so this is a useless figure for comparing day/night averages. True enough, but every other rule that SpamAssassin uses is a heuristic as well. They're all based on particular characteristics of the messages (or servers that send them) and some kind of statistical correlation between those characteristics and spamminess. > For instance, if the same message that came in at night were resent during > the day, how should the mail be treated? Different score and action? While I share the feeling that it is a little bit odd that the time a message arrives could sway its score, this is already true to some extent: real-time blacklists change over time (otherwise they wouldn't be real-time), and the score a message gets can be different one hour from what it is at the next hour. 
Overall, I think time of arrival could be safely used as yet another heuristic for determining if something is spam. The key thing is that the scores would need to be right, which I suspect means they'd need to be fairly low, something like 0.5 or so. SpamAssassin already handles setting scores by running a genetic algorithm (or whatever it is that it uses that replaced the GA in 3.x), but since this varies so much by site (what time zone the site is located in, what type of usage patterns it sees, etc.), there would need to be a reliable method of determining site-specific scores for this. To go in a different direction, as long as we're talking about time, another possibility is to apply time other places. For instance, you might have a time-dependent greylist. Make the greylist's delay much longer at night and shorter during the day. You'd get a lot of the effectiveness of greylisting but without as much delay during the active periods. Overall, though, I think although looking at time does give you additional information, it is not clear at all that the positives of going with it will outweigh the negatives. Time is a trait of a message (or message delivery) that has a strong correlation with spamminess, but there is also a steady stream of exceptions. So getting value out of looking at the time is likely to be that much harder because of that. - Logan From mkettler at evi-inc.com Tue Oct 10 23:19:07 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Oct 10 23:19:29 2006 Subject: idea for next version In-Reply-To: <1160513361.3522@bsd4.nedport.net> References: <1160513361.3522@bsd4.nedport.net> Message-ID: <452C1C5B.7010708@evi-inc.com> mailscanner@berger.nl wrote: > Well, I am happily using mailscanner for a while now and it still works great. > > So I was checking mailwatch this evening and I found out that the spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. This is quiet logical because at daytime everybody is working and at night (well here in europe) only spammers are working. This can be used for the spamfiltering. Actually, this suggestion isn't very new. It's been made dozens of times over on the SpamAssassin list. It really doesn't work out in the general case. Unfortunately, for most folks it's not as dramatic as 95/5.. and even for those it is, that's still a relatively poor spam rule. The problem being that rule scores can't be viewed in terms spam percentage. That's not how rule scoring in SA works. SA assigns rules by "fitting" the rule scores against a real-world test. In the event of overlapping hits on the same messages, this fitting winds up giving very little, if any, score to the worst-performing rule in an overlapping group. Rules with mediocre performance, like a mere 95% accuracy, often wind up finding themselves with no score because there are better rules to give the points to that cause fewer FPs. My numbers are more like 80/20, even for the "dead of night" hours: "Oct 9 00:" 81.2% spam "Oct 9 01:" 86.6% spam "Oct 9 02:" 83.5% spam ... "Oct 9 13:" 48.5% spam ... "Oct 9 21:" 72.6% spam "Oct 9 22:" 70.7% spam "Oct 9 23:" 78.3% spam A lot of what ratio you see depends highly on how "localized" your mail is. If you belong to a lot of globally-used mailing lists, your numbers at night will be little different than your numbers at noon. Ditto if you have lots of international contacts. 
> I think if it is possible to f.e. do, "spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more highscoring spam at night. Offcourse it will also hit ham, but as there is much less ham at night the possibility is less. Then, most off the overnight ham is mailinglist which are often whitelisted.

You whitelist mailing lists? Regularly? Wow.. I don't. I only do such things for spam discussion lists.

>
> Any ideas?

Quite frankly, geographic origin is a whole lot more accurate, and even that pretty well sucks.

You might consider taking advantage of the RelayCountry plugin, and adding some rules like these (adjust scores, etc for your own geography:)

# informational, mostly for checking how much these hit
header RELAY_ES X-Relay-Countries=~/\bES\b/
describe RELAY_ES Relayed through Spain
score RELAY_ES 0.01

header RELAY_UK X-Relay-Countries=~/\bGB\b/
describe RELAY_UK Relayed through Britain
score RELAY_UK 0.01

header RELAY_FR X-Relay-Countries=~/\bFR\b/
describe RELAY_FR Relayed through France
score RELAY_FR 0.01

header RELAY_DE X-Relay-Countries=~/\bDE\b/
describe RELAY_DE Relayed through Germany
score RELAY_DE 0.01

header RELAY_AT X-Relay-Countries=~/\bAT\b/
describe RELAY_AT Relayed through Austria
score RELAY_AT 0.01

# these have VERY high spam volume and little legit mail
# however, don't go over 3.0 or so with these.
header RELAY_CN X-Relay-Countries=~/\bCN\b/
describe RELAY_CN Relayed through China
score RELAY_CN 1.5

header RELAY_KR X-Relay-Countries=~/\bKR\b/
describe RELAY_KR Relayed through Korea
score RELAY_KR 1.5

header RELAY_KP X-Relay-Countries=~/\bKP\b/
describe RELAY_KP Relayed through North Korea
score RELAY_KP 1.5

# countries prone to abuse and low legit mail volume
# can't score high due to some legit mail
# however score bias of 0.1 to 1.5 is reasonable here
# depending on the country in question
header RELAY_AP X-Relay-Countries=~/\bAP\b/
describe RELAY_AP Relayed through generic AP
score RELAY_AP 0.5

header RELAY_TW X-Relay-Countries=~/\bTW\b/
describe RELAY_TW Relayed through Taiwan
score RELAY_TW 1.0

header RELAY_SK X-Relay-Countries=~/\bSK\b/
describe RELAY_SK Relayed through Slovakia
score RELAY_SK 1.0

header RELAY_JP X-Relay-Countries=~/\bJP\b/
describe RELAY_JP Relayed through Japan
score RELAY_JP 1.0

header RELAY_AR X-Relay-Countries=~/\bAR\b/
describe RELAY_AR Relayed through Argentina
score RELAY_AR 1.0

header RELAY_BR X-Relay-Countries=~/\bBR\b/
describe RELAY_BR Relayed through Brazil
score RELAY_BR 1.0

header RELAY_RU X-Relay-Countries=~/\bRU\b/
describe RELAY_RU Relayed through Russia
score RELAY_RU 1.0

header RELAY_RO X-Relay-Countries=~/\bRO\b/
describe RELAY_RO Relayed through Romania
score RELAY_RO 1.0

header RELAY_PS X-Relay-Countries=~/\bPS\b/
describe RELAY_PS Relayed through occupied Palestine
score RELAY_PS 1.0

header RELAY_PL X-Relay-Countries=~/\bPL\b/
describe RELAY_PL Relayed through Poland
score RELAY_PL 1.0

header RELAY_IL X-Relay-Countries=~/\bIL\b/
describe RELAY_IL Relayed through Israel
score RELAY_IL 1.0

header RELAY_HU X-Relay-Countries=~/\bHU\b/
describe RELAY_HU Relayed through Hungary
score RELAY_HU 1.0

header RELAY_NG X-Relay-Countries=~/\bNG\b/
describe RELAY_NG Relayed through Nigeria
score RELAY_NG 1.0

header RELAY_PK X-Relay-Countries=~/\bPK\b/
describe RELAY_PK Relayed through Pakistan
score RELAY_PK 1.0

header RELAY_GT X-Relay-Countries=~/\bGT\b/
describe RELAY_GT Relayed through Guatemala
score RELAY_GT 1.0

From jon.bates at summitmotors.com.au Tue Oct 10 23:41:24 2006
From: jon.bates at summitmotors.com.au (Jon Bates) Date: Tue Oct 10 23:41:38 2006 Subject: File Type Checking - Excepting users to the rules In-Reply-To: <200610101009.k9AA8aI7010612@bkserver.blacknight.ie> Message-ID: <200610102241.k9AMfRuZ000426@summitmotors.com.au>

Julian Field Wrote:
> This is all documented on the wiki and in the book. Read this:
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading

Eek! I have your book right in front of me.. I didn't look hard enough obviously! RTFMCloser! :P

Thanks for the responses guys.

Jon.

From steve.swaney at fsl.com Tue Oct 10 23:43:06 2006
From: steve.swaney at fsl.com (Steve Swaney) Date: Tue Oct 10 23:43:09 2006 Subject: off-topic spamassassin Message-ID: <452C21FA.60403@fsl.com>

This is a SpamAssassin question but I'm not on the SA list (too many lists as it is :() so if anybody can help I'd appreciate it.

The spamassassin lint test issues this warning:

2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i
[27341] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i
[27341] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i
[27341] warn: config: failed to parse line, skipping: :

The "warn" message is not that helpful but in fairness to SA - most are very helpful.

Sorry for the off topic post but any help appreciated.

Thanks,

Steve
steve@fsl.com

From mkettler at evi-inc.com Wed Oct 11 00:00:03 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Oct 11 00:00:27 2006 Subject: off-topic spamassassin In-Reply-To: <452C21FA.60403@fsl.com> References: <452C21FA.60403@fsl.com> Message-ID: <452C25F3.8040903@evi-inc.com>

Steve Swaney wrote:
> This is a SpamAssassin question but I'm not on the SA list (too many
> lists as it is :() so if anybody can help I'd appreciate it.
>
> The spamassassin lint test issues this warning:

> [27341] warn: config: failed to parse line, skipping: :
>
> The "warn" message is not that helpful but in fairness to SA - most are
> very helpful.
>
> Sorry for the off topic post but any help appreciated.

From the looks of that, you have a line somewhere in one of your config files that contains a single colon character.

Personally, I'd start with checking all your /etc/mail/spamassassin/*.cf files.

From ssilva at sgvwater.com Wed Oct 11 00:39:39 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 11 00:40:10 2006 Subject: idea for next version In-Reply-To: References: <1160513361.3522@bsd4.nedport.net> <001701c6ecaf$fb659bd0$0705000a@DDF5DW71> Message-ID: Logan Shaw spake the following on 10/10/2006 3:12 PM: > Roger wrote: >>> So I was checking mailwatch this evening and I found out that the >>> spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. >>> This is quiet logical because at daytime everybody is working and at >>> night (well here in europe) only spammers are working. This can be >>> used for the spamfiltering. I think if it is possible to f.e. do, >>> "spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more >>> highscoring spam at night. Offcourse it will also hit ham, but as >>> there is much less ham at night the possibility is less. > > On Tue, 10 Oct 2006, Steve Campbell wrote: >> I tend to look at this in a different light. Spam is spam, and should >> be caught by rules, etc regardless of the time it arrives. Ham is the >> same also regardless of it's arrival time. A good set of rules should >> work fine any time of the day. The percentages only indicate when >> people are sending mail, so this is a useless figure for comparing >> day/night averages. > > True enough, but every other rule that SpamAssassin uses > is a heuristic as well. They're all based on particular > characteristics of the messages (or servers that send them) > and some kind of statistical correlation between those > characteristics and spamminess. > >> For instance, if the same message that came in at night were resent >> during the day, how should the mail be treated? Different score and >> action? 
> > While I share the feeling that it is a little bit odd that the > time a message arrives could sway its score, this is already > true to some extent: real-time blacklists change over time > (otherwise they wouldn't be real-time), and the score a message > gets can be different one hour from what it is at the next hour. > > Overall, I think time of arrival could be safely used as > yet another heuristic for determining if something is spam. > The key thing is that the scores would need to be right, which > I suspect means they'd need to be fairly low, something like > 0.5 or so. SpamAssassin already handles setting scores by > running a genetic algorithm (or whatever it is that it uses > that replaced the GA in 3.x), but since this varies so much > by site (what time zone the site is located in, what type > of usage patterns it sees, etc.), there would need to be a > reliable method of determining site-specific scores for this. > > To go in a different direction, as long as we're talking about > time, another possibility is to apply time other places. > For instance, you might have a time-dependent greylist. > Make the greylist's delay much longer at night and shorter > during the day. You'd get a lot of the effectiveness of > greylisting but without as much delay during the active periods. > > Overall, though, I think although looking at time does give > you additional information, it is not clear at all that > the positives of going with it will outweigh the negatives. > Time is a trait of a message (or message delivery) that has a > strong correlation with spamminess, but there is also a steady > stream of exceptions. So getting value out of looking at the > time is likely to be that much harder because of that. > > - Logan But many companies regularly have exec's and others working late, or from home. So you will be placing these people in the spammer class just because they work late? 
Or how about someone in Hawaii mailing something to New York at 5:00 Pm Hawaii time. That would be in the wee hours in New York, but not necessarily spam. Or if Julian sent me a message at 8:00AM in the UK, it would be about midnight here in the west coast of the US. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From steve.swaney at fsl.com Wed Oct 11 01:24:33 2006 From: steve.swaney at fsl.com (Steve Swaney) Date: Wed Oct 11 01:24:35 2006 Subject: off-topic spamassassin In-Reply-To: <452C25F3.8040903@evi-inc.com> References: <452C21FA.60403@fsl.com> <452C25F3.8040903@evi-inc.com> Message-ID: <452C39C1.8040102@fsl.com> Matt Kettler wrote: > Steve Swaney wrote: > >> This is a SpamAssassin question but I'm not on the SA list (to many >> lists as it is :() so if anybody can help I'd appreciate it. >> >> The spamassassin lint test issues this warning: >> > > >> [27341] warn: config: failed to parse line, skipping: : >> >> The "warn" message is not that helpful but in fairness to SA - most are >> very helpful. >> >> Sorry for the off topic post but any help appreciated. >> > > >From the looks of that, you have a line in somewhere in one of your config files > that contains a single colon character. > > > Personally, I'd start with checking all your /etc/mail/spamassassin/*.cf files. > > > Matt, > > Thats why I posted to this list :) > > grep -l "^:" > > Showed up the offending line : > > mail:/etc/mail/spamassassin # grep -l "^:" * > > 70_sare_adult.cf > > There was a line that started with ":#" > > The error message was absolutely accurate! I just didn't parse it correctly. > > Many thanks - problem solved > > > Steve > > > From support-lists at petdoctors.co.uk Wed Oct 11 01:35:47 2006 
From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Wed Oct 11 01:34:59 2006 Subject: spam forwarding not working In-Reply-To: <223f97700610100231u162922a5l4f2fcced174ccf22@mail.gmail.com> Message-ID: <001b01c6eccd$32bfcfc0$04000100@support01> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Tuesday, October 10, 2006 10:32 AM To: MailScanner discussion Subject: Re: spam forwarding not working On 10/10/06, Nigel Kendrick wrote: > Hi guys, > > I have setup a spam mailbox on our local mail server that users can > submit their unwanted stuff to - it's called 'spam@[snipped]' > > The 'spam' mailbox is submitted to spamassassin every night via a cron job. > This works with no problems for mail that people manually forward, but > I also have this line in MailScanner.conf: > > High Scoring Spam Actions = delete forward spam@[snipped] > > Unfortunately, this triggers the following emails to me (at root): > > ++++++++++ > > This is the Postfix program at ... > > I'm sorry to have to inform you that your message could not be > delivered to one or more recipients. It's attached below. > > [Snip] > > : User unknown in virtual alias table > > ++++++++++ > > I have also tried local delivery by putting the forward address as > 'spam@servername' - am I hitting problems because spam is being > resubmitted to MailScanner before being forwarded, but even then why a 'user unknown' > message? > > MailScanner is 4.55.10, PostFix is 2:2.2.10-1.RHEL4.2 on CentOS 4.4 > > Thanks > > Nigel Kendrick > > Nigel, Virtual aliases are expanded _after_ MailScanner, so you cannot use a virtual alias in a rule like that (for addressing). Simply change it to the real address and things should work out OK:-). Sorry Glen - me being thick here - all our addresses are setup in a virtual alias list so what constitutes a 'real address' in this respect. From campbell at cnpapers.com Wed Oct 11 03:17:52 2006 
From: campbell at cnpapers.com (Steve Campbell) Date: Wed Oct 11 03:18:20 2006 Subject: idea for next version In-Reply-To: References: <1160513361.3522@bsd4.nedport.net> <001701c6ecaf$fb659bd0$0705000a@DDF5DW71> Message-ID: <1160533072.452c5450da9c7@perdition.cnpapers.net> Quoting Scott Silva : > Logan Shaw spake the following on 10/10/2006 3:12 PM: > > Roger wrote: > >>> So I was checking mailwatch this evening and I found out that the > >>> spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. > >>> This is quiet logical because at daytime everybody is working and at > >>> night (well here in europe) only spammers are working. This can be > >>> used for the spamfiltering. I think if it is possible to f.e. do, > >>> "spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more > >>> highscoring spam at night. Offcourse it will also hit ham, but as > >>> there is much less ham at night the possibility is less. > > > > On Tue, 10 Oct 2006, Steve Campbell wrote: > >> I tend to look at this in a different light. Spam is spam, and should > >> be caught by rules, etc regardless of the time it arrives. Ham is the > >> same also regardless of it's arrival time. A good set of rules should > >> work fine any time of the day. The percentages only indicate when > >> people are sending mail, so this is a useless figure for comparing > >> day/night averages. > > > My point here was that using percentages is only dependent on spam received. If you receive no spam, you're going to see 100% good mail. If you receive floods of spam, your percentage ratio changes. Now one or the other needs to change for the ratio to change. A good rule that blocks spam will block spam at either noon or 3:00 a.m. My reported ratio changed drastically by installing MimeDefang. My MTA still received the spam, but blocked a lot of it from MS/SA. The amount of mail reaching the MTA did not change. 
Percentages have always been a bad indicator of everything (except for 100% or 0%), Anything in between is relative. Would you rather receive 80% of $1.00 or 20% of $1,000.00? You have to apply the percentages in the proper context. > >> For instance, if the same message that came in at night were resent > >> during the day, how should the mail be treated? Different score and > >> action? > > > > While I share the feeling that it is a little bit odd that the > > time a message arrives could sway its score, this is already > > true to some extent: real-time blacklists change over time > > (otherwise they wouldn't be real-time), and the score a message > > gets can be different one hour from what it is at the next hour. But these lists are changing due to actual mail and the content of that mail, not because of the time of day that is current. If I were a spammer, and I discovered the fact that you are basing your score value on the time of day (or night), I would just change the time I send out my spam. This would adversely affect your system in a negative way. As a matter of fact, I am seeing more and more spam showing up during daytime hours. Nightly spam is still the more dominant norm though. I don't mind seeing that my ratio of spam to ham is high because it means I am stopping it. On the other hand, if total messages are low, the reverse ratio is OK. I'm just using CPU cycles to block all of that junk. If the total message count is high, and the spam to ham ratio is low, then I have to assume I can do better at some rules. But then, what will the ratio be whenever I have the perfect system using perfect rules? Zero spam to 100% ham!! But that won't happen, so the best I can do is try for something in between. Ultimately, you have to stop spam before it gets to the MS/SA before percentages mean anything, or accept high spam ratio. I think that is what I mean. 
Steve ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From glenn.steen at gmail.com Wed Oct 11 07:31:47 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 11 07:31:51 2006 Subject: spam forwarding not working In-Reply-To: <001b01c6eccd$32bfcfc0$04000100@support01> References: <223f97700610100231u162922a5l4f2fcced174ccf22@mail.gmail.com> <001b01c6eccd$32bfcfc0$04000100@support01> Message-ID: <223f97700610102331k12260ba3v7be3e68911a250fd@mail.gmail.com> On 11/10/06, Nigel Kendrick wrote: > (snip) > Sorry Glen - me being thick here - all our addresses are setup in a virtual > alias list so what constitutes a 'real address' in this respect. > Well, if your virtual users are really defined as virtual _aliases_ they do have a real destination (the right-hand side in the virtual alias map file, as detailed here: http://www.postfix.org/VIRTUAL_README.html#virtual_alias). If specifying one of those borks out you might need to whitelist locally submitted mails. Virtual _mailboxes_ are quite something else:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From drew at technologytiger.net Wed Oct 11 07:56:56 2006 From: drew at technologytiger.net (Drew Marshall) Date: Wed Oct 11 07:57:09 2006 Subject: spam forwarding not working In-Reply-To: <001b01c6eccd$32bfcfc0$04000100@support01> References: <001b01c6eccd$32bfcfc0$04000100@support01> Message-ID: <4AE9EE8E-CF87-4234-9E73-3819AC1C6B90@technologytiger.net> On 11 Oct 2006, at 01:35, Nigel Kendrick wrote: > > > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Glenn Steen > Sent: Tuesday, October 10, 2006 10:32 AM > To: MailScanner discussion > Subject: Re: spam forwarding not working > > On 10/10/06, Nigel Kendrick wrote: >> Hi guys, >> >> I have setup a spam mailbox on our local mail server that users can >> submit their unwanted stuff to - it's called 'spam@[snipped]' >> >> The 'spam' mailbox is submitted to spamassassin every night via a >> cron > job. >> This works with no problems for mail that people manually forward, >> but >> I also have this line in MailScanner.conf: >> >> High Scoring Spam Actions = delete forward spam@[snipped] >> >> Unfortunately, this triggers the following emails to me (at root): >> >> ++++++++++ >> >> This is the Postfix program at ... >> >> I'm sorry to have to inform you that your message could not be >> delivered to one or more recipients. It's attached below. >> >> [Snip] >> >> : User unknown in virtual alias table >> >> ++++++++++ >> >> I have also tried local delivery by putting the forward address as >> 'spam@servername' - am I hitting problems because spam is being >> resubmitted to MailScanner before being forwarded, but even then >> why a > 'user unknown' >> message? >> >> MailScanner is 4.55.10, PostFix is 2:2.2.10-1.RHEL4.2 on CentOS 4.4 >> >> Thanks >> >> Nigel Kendrick >> >> > Nigel, > > Virtual aliases are expanded _after_ MailScanner, so you cannot use a > virtual alias in a rule like that (for addressing). > Simply change it to the real address and things should work out OK:-). > > > > Sorry Glen - me being thick here - all our addresses are setup in a > virtual > alias list so what constitutes a 'real address' in this respect. In this instance i would suggest you need to forward the spam to spam@.[snipped] which makes it local. Make sure you have listed your host name in main.cf under myhostname and list $myhostname under mydestination. 

If you have multiple servers using a central database (such as MySQL) you can play other tricks using NFS mounts and localhost but that's for another 'lesson' :-)

Drew

From martinh at solidstatelogic.com Wed Oct 11 09:05:26 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Oct 11 09:05:42 2006
Subject: idea for next version
In-Reply-To: <1160513361.3522@bsd4.nedport.net>
References: <1160513361.3522@bsd4.nedport.net>
Message-ID: <452CA5C6.4040809@solidstatelogic.com>

mailscanner@berger.nl wrote:
> Well, I am happily using mailscanner for a while now and it still works great.
>
> So I was checking mailwatch this evening and I found out that the spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. This is quiet logical because at daytime everybody is working and at night (well here in europe) only spammers are working. This can be used for the spamfiltering. I think if it is possible to f.e. do, "spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more highscoring spam at night. Offcourse it will also hit ham, but as there is much less ham at night the possibility is less. Then, most off the overnight ham is mailinglist which are often whitelisted.
>
> Any ideas?
>
> Roger
>
Depends, we run Tokyo->Paris->UK->New York->LA offices through our MailScanner......not to mention all the international email lists we're all on..

I tend to find spam rises around 9am EST (East coast US) and dies off when the US goes home for the night .... can't think of why that could be ;-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at berger.nl Wed Oct 11 09:35:51 2006
From: mailscanner at berger.nl (mailscanner@berger.nl) Date: Wed Oct 11 09:36:23 2006 Subject: idea for next version In-Reply-To: Message-ID: <1160555750.41090@bsd4.nedport.net> Scott Silva wrote .. > Logan Shaw spake the following on 10/10/2006 3:12 PM: > > Roger wrote: > >>> So I was checking mailwatch this evening and I found out that the > >>> spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. > >>> This is quiet logical because at daytime everybody is working and at > >>> night (well here in europe) only spammers are working. This can be > >>> used for the spamfiltering. I think if it is possible to f.e. do, > >>> "spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more > >>> highscoring spam at night. Offcourse it will also hit ham, but as > >>> there is much less ham at night the possibility is less. > > > > On Tue, 10 Oct 2006, Steve Campbell wrote: > >> I tend to look at this in a different light. Spam is spam, and should > >> be caught by rules, etc regardless of the time it arrives. Ham is the > >> same also regardless of it's arrival time. A good set of rules should > >> work fine any time of the day. The percentages only indicate when > >> people are sending mail, so this is a useless figure for comparing > >> day/night averages. > > > > True enough, but every other rule that SpamAssassin uses > > is a heuristic as well. They're all based on particular > > characteristics of the messages (or servers that send them) > > and some kind of statistical correlation between those > > characteristics and spamminess. > > > >> For instance, if the same message that came in at night were resent > >> during the day, how should the mail be treated? Different score and > >> action? 
> > > > While I share the feeling that it is a little bit odd that the > > time a message arrives could sway its score, this is already > > true to some extent: real-time blacklists change over time > > (otherwise they wouldn't be real-time), and the score a message > > gets can be different one hour from what it is at the next hour. > > > > Overall, I think time of arrival could be safely used as > > yet another heuristic for determining if something is spam. > > The key thing is that the scores would need to be right, which > > I suspect means they'd need to be fairly low, something like > > 0.5 or so. SpamAssassin already handles setting scores by > > running a genetic algorithm (or whatever it is that it uses > > that replaced the GA in 3.x), but since this varies so much > > by site (what time zone the site is located in, what type > > of usage patterns it sees, etc.), there would need to be a > > reliable method of determining site-specific scores for this. > > > > To go in a different direction, as long as we're talking about > > time, another possibility is to apply time other places. > > For instance, you might have a time-dependent greylist. > > Make the greylist's delay much longer at night and shorter > > during the day. You'd get a lot of the effectiveness of > > greylisting but without as much delay during the active periods. > > > > Overall, though, I think although looking at time does give > > you additional information, it is not clear at all that > > the positives of going with it will outweigh the negatives. > > Time is a trait of a message (or message delivery) that has a > > strong correlation with spamminess, but there is also a steady > > stream of exceptions. So getting value out of looking at the > > time is likely to be that much harder because of that. > > > > - Logan > But many companies regularly have exec's and others working late, or from > home. So you will be placing these people in the spammer class just because > they work late? 
> Or how about someone in Hawaii mailing something to New York at 5:00 Pm
> Hawaii
> time. That would be in the wee hours in New York, but not necessarily spam.
> Or if Julian sent me a message at 8:00AM in the UK, it would be about midnight
> here in the west coast of the US.
>
> --
>
Well, as long as you can change the time. If you set 11:00Pm till 7:00 am I think you won't hit many people working late and even companies 5 hours away will be mainly closed at 6 pm.

The idea is based on what I see for myself. This morning I had 51 spam mails which hit between 4(low) and 9(high). These were all real spam. Besides that I had 2 normal emails which had a score of -2,50 and whitelisted. The problem is that I had still 51 messages tagged as {Spam?} which I had to check manually. I checked a few of them and they mostly hit a score about 7 or 8. If I could multiply the spam score with f.e. 1.2 between 11pm and 7am it would 'upgrade' about 20 messages to highscoring which means I receive about 40% less spam in the morning. I won't try this at daytime because the chance of hitting ham is too big.

Of course these are my findings. Maybe, the real thought behind it is that I have a very different ratio of spam/ham at night and at daytime, and this can be used to filter spam somehow.

Or maybe, mailscanner spoiled me so far that I want too much ;-)

Roger

From dean.plant at roke.co.uk Wed Oct 11 09:45:08 2006
From: dean.plant at roke.co.uk (Plant, Dean)
Date: Wed Oct 11 09:45:14 2006
Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCLSpamscoring?
Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671A6D@rsys005a.comm.ad.roke.co.uk>

alex wrote:
>>
>> Duncan, Brian M. wrote:
>>> Just the capability of being able to add a generic header to all
>>> Spam detected messages would be a great start:
>>>
>>> X-MS-Exchange-Organization-SCL: 6.5
>> Read the docs. Check out "Spam Actions" and the "header" action.
>>>
>
> Could it be done by changing Spam Score Header from:
> X-%org-name%-MailScanner-SpamScore:
> to:
> X-MS-Exchange-Organization-SCL:
> and then adding
> Spam Score Number Format = %d
> and
> SpamScore Number Instead Of Stars = yes
>
> ?

I'm not an exchange person and I am thinking out loud here but would the "X-MS-Exchange-Organization-SCL:" header be ignored if it is added from another relay, how would it make sure that the header is genuine?

I do agree that this would be a great feature to get working though, as it seems the only other way to achieve this is to use commercial software called IMF tune that allows exchange to set the SCL score from the "X-Spam-Status: Yes" header.

Dean.

From uxbod at splatnix.net Wed Oct 11 12:31:22 2006
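
Dean's question above is the header-trust problem: a score header only means something downstream if copies supplied by the sender are removed before the gateway writes its own. The following is an added sketch of that gateway step (not MailScanner or Exchange code, and not from the thread) using Python's standard email library; the score-to-SCL mapping, the function names and the sample message are assumptions constructed for illustration.

```python
"""Gateway-side handling of the X-MS-Exchange-Organization-SCL header."""
from __future__ import annotations

from email import message_from_bytes, policy

SCL_HEADER = "X-MS-Exchange-Organization-SCL"  # header name from the thread

# Constructed inbound message: the sender has pre-loaded two SCL headers
# (with different capitalisation) so that a store trusting the header
# would treat the mail as clean.
SAMPLE = (
    b"Received: from mail.example.net by gw.example.org\n"
    b"From: sender@example.net\n"
    b"To: user@example.org\n"
    b"Subject: Cheap meds\n"
    b"X-MS-Exchange-Organization-SCL: -1\n"
    b"x-ms-exchange-organization-scl: 0\n"
    b"\n"
    b"Buy now.\n"
)


def scl_values(raw: bytes) -> list[str]:
    """Return every SCL header value present in a message, in order."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    # Header lookup is case-insensitive, so both spellings above are found.
    return [str(v).strip() for v in msg.get_all(SCL_HEADER, [])]


def score_to_scl(spam_score: float) -> int:
    """Assumed mapping: round a SpamAssassin-style score and clamp it to 0..9."""
    return max(0, min(9, round(spam_score)))


def stamp_scl(raw: bytes, spam_score: float) -> tuple[bytes, list[str]]:
    """Drop all inbound SCL headers, then add exactly one from our own score.

    Returns the rewritten message and the untrusted values that were dropped,
    so the caller can log attempts to pre-set the header.
    """
    msg = message_from_bytes(raw, policy=policy.compat32)
    untrusted = scl_values(raw)
    del msg[SCL_HEADER]  # removes every occurrence; no error if absent
    msg[SCL_HEADER] = str(score_to_scl(spam_score))
    return msg.as_bytes(), untrusted


if __name__ == "__main__":
    out, dropped = stamp_scl(SAMPLE, 7.8)
    print("dropped sender-supplied values:", dropped)
    print(out.decode())
```
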
From: uxbod at splatnix.net (uxbod)
Date: Wed Oct 11 12:31:39 2006
Subject: Mailscanner/Spam Assassin support for MicrosoftIMF/SCLSpamscoring?
In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6802671A6D@rsys005a.comm.ad.roke.co.uk>
References: <2181C5F19DD0254692452BFF3EAF1D6802671A6D@rsys005a.comm.ad.roke.co.uk>
Message-ID: <8994aa0873480557ef1d632db434458e@localhost>

How would Exchange know that it had been added by another relay? It changes the headers inline when the email is received so as far as Exchange is concerned the header is genuine.

On Wed, 11 Oct 2006 09:45:08 +0100, "Plant, Dean" wrote:
> alex wrote:
>>>
>>> Duncan, Brian M. wrote:
>>>> Just the capability of being able to add a generic header to all
>>>> Spam detected messages would be a great start:
>>>>
>>>> X-MS-Exchange-Organization-SCL: 6.5
>>> Read the docs. Check out "Spam Actions" and the "header" action.
>>>>
>>
>> Could it be done by changing Spam Score Header from:
>> X-%org-name%-MailScanner-SpamScore:
>> to:
>> X-MS-Exchange-Organization-SCL:
>> and then adding
>> Spam Score Number Format = %d
>> and
>> SpamScore Number Instead Of Stars = yes
>>
>> ?
>
> I'm not an exchange person and I am thinking out loud here but would the
> "X-MS-Exchange-Organization-SCL:" header be ignored if it is added from
> another relay, how would it make sure that the header is genuine?
>
> I do agree that this would be a great feature to get working though, as
> it seems the only other way to achieve this is to use commercial
> software called IMF tune that allows exchange to set the SCL score from
> the "X-Spam-Status: Yes" header.
>
> Dean.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> > --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From arturs at netvision.net.il Wed Oct 11 12:55:35 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Oct 11 12:57:31 2006 Subject: Double sendmail processes In-Reply-To: <452B7B12.3020601@chime.ucl.ac.uk> Message-ID: <015201c6ed2c$29a54a00$3701a8c0@lapxp> Hope so. Thanks, Anthony! Best, -- Arthur Sherman +972-52-4878851 CPTeam > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Anthony Peacock > Sent: Tuesday, October 10, 2006 12:51 PM > To: MailScanner discussion > Subject: Re: Double sendmail processes > > Hi Arthur, > > Yes, after I sent my message I saw your reply to Jules. > > Sorry, I don't have detailed experience with your OS, so I am out of > ideas now. I am sure someone else on this list will pop up sooner or > later... > > Arthur Sherman wrote: > > Hi Anthony, > > > > It is the Mailscanner script that starts from rc.d. It has > been renamed to > > 'sendmail' - several apps needed this, since it is CentOS > based BlueQuartz > > appliance. > > So it is just what you say it should be. > > > > I am still wondering what would cause double sendmail processes... > > > > > > Best, > > > > -- > > Arthur Sherman > > > > +972-52-4878851 > > CPTeam > > > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > >> Of Anthony Peacock > >> Sent: Tuesday, October 10, 2006 11:55 AM > >> To: MailScanner discussion > >> Subject: Re: Double sendmail processes > >> > >> Hi Arthur, > >> > >> Someone who knows your OS better than I will probably be able > >> to help more. > >> > >> The standard mailscanner install creates a startup script for > >> mailscanner that also starts sendmail. In this instance you > >> would need > >> to stop sendmail starting as well. > >> > >> It looks like you are doing in the other way round, ie the > sendmail > >> script starts mailscanner. > >> > >> Arthur Sherman wrote: > >>> Hi Anthony, > >>> > >>> I didn't find anything. > >>> > >>> Here are starting services: > >>> --- > >>> [root@ns1 init.d]# chkconfig --list | grep on > >>> autofs 0:off 1:off 2:off 3:on 4:on > >> 5:on 6:off > >>> haldaemon 0:off 1:off 2:off 3:on 4:on > >> 5:on 6:off > >>> poprelayd 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> readahead 0:off 1:off 2:off 3:off 4:off > >> 5:on 6:off > >>> syslog 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> xinetd 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> DCC 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> netfs 0:off 1:off 2:off 3:on 4:on > >> 5:on 6:off > >>> sendmail 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> mysqld 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> dbrecover 0:off 1:on 2:on 3:on 4:on > >> 5:on 6:off > >>> bluequartz 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> microcode_ctl 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> saslauthd 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> clamav-milter 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> lm_sensors 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> admserv 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> network 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> kudzu 0:off 1:off 2:off 3:on 4:on > >> 5:on 6:off > >>> iptables 0:off 
1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> irqbalance 0:off 1:off 2:off 3:on 4:on > >> 5:on 6:off > >>> named 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> mdmonitor 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> crond 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> httpd 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> dovecot 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> clamd 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> gpm 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> readahead_early 0:off 1:off 2:off 3:off 4:off > >> 5:on 6:off > >>> cpuspeed 0:off 1:on 2:on 3:on 4:on > >> 5:on 6:off > >>> messagebus 0:off 1:off 2:off 3:on 4:on > >> 5:on 6:off > >>> mdchk 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> sshd 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> smartd 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> cced.init 0:off 1:off 2:on 3:on 4:on > >> 5:on 6:off > >>> rawdevices 0:off 1:off 2:off 3:on 4:on > >> 5:on 6:off > >>> --- > >>> > >>> Then I grepped for sendmail pattern: > >>> --- > >>> [root@ns1 init.d]# grep sendmail * > >>> clamav-milter:# description: clamav-milter is a daemon > >> which hooks into > >>> sendmail \ > >>> DCC:# dccm must be started before sendmail and stopped > >> after sendmail to > >>> avoid > >>> DCC:# complaints from sendmail > >>> DCC:# can be added to /etc/rc just before sendmail is > >> started and a line > >>> like > >>> diskdump:SENDMAIL="/usr/sbin/sendmail" > >>> poprelayd:# the pop-log-scrubber and sendmail relay db > >>> population tool. > >>> sendmail:# MailScanner, and its associated > >> copies of sendmail. 
> >>> sendmail:# If you are using sendmail, Exim or Postfix, > >> please try to avoid > >>> editing > >>> sendmail:MTA=sendmail > >>> sendmail:INPID=/var/run/sendmail.in.pid > >>> sendmail:OUTPID=/var/run/sendmail.out.pid > >>> sendmail:SENDMAIL=/usr/sbin/sendmail > >>> sendmail:# Start both the sendmail processes > >>> sendmail: elif [ $MTA = 'sendmail' ]; then > >>> sendmail: elif [ $MTA = 'sendmail' ]; then > >>> sendmail: # Start just incoming sendmail > >>> sendmail: # Start just outgoing sendmail > >>> sendmail: elif [ $MTA = "sendmail" ]; then > >>> sendmail: #killproc sendmail 2>/dev/null > >>> sendmail: elif [ $MTA = "sendmail" ]; then > >>> sendmail: #killproc /usr/sbin/sendmail 2>/dev/null > >>> sendmail: if [ $MTA = "sendmail" ]; then > >>> sendmail: # Now the incoming sendmail > >>> sendmail: echo -n ' incoming sendmail: ' > >>> sendmail: #pid=`ps ax | egrep > >> '\[sendmail\]|sendmai[l]: accepting > >>> connections'` > >>> sendmail: # Now the outgoing sendmail > >>> sendmail: echo -n ' outgoing sendmail: ' > >>> sendmail: #pid=`ps ax | egrep '\[sendmail\]|sendmai[l] > >>> -q[0-9]*[mhd]|sendmail: Queue runner' | grep -v grep` > >>> --- > >>> > >>> Did I miss something? > >>> > >>> Thanks! > >>> > >>> > >>> Best, > >>> > >>> -- > >>> Arthur Sherman > >>> > >>> +972-52-4878851 > >>> CPTeam > >>> > >>>> -----Original Message----- 
> >>>> From: mailscanner-bounces@lists.mailscanner.info > >>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > >>>> Of Anthony Peacock > >>>> Sent: Tuesday, October 10, 2006 10:05 AM > >>>> To: MailScanner discussion > >>>> Subject: Re: Double sendmail processes > >>>> > >>>> Hi Arthur, > >>>> > >>>> Check all of the files on the init directory to see if any of > >>>> the others > >>>> start sendmail as well. Do you have a mailscanner > script in there? > >>>> > >>>> Arthur Sherman wrote: > >>>>> Hello, > >>>>> > >>>>> On my server, Mailscanner is started as > /etc/rc.d/init.d/sendmail. > >>>>> Every time the server is restarted, I see double sendmail > >>>> processes, i.e. 2 > >>>>> of /var/spool/clientmqueue, and 2 of /var/spool/mqueue. > >>>>> After I manually restart Mailscanner, it starts only one pair. > >>>>> > >>>>> Q1: why are double processes started? > >>>>> Q2: how could I fix this? > >>>>> > >>>>> Thanks! > >>>>> > >>>>> > >>>>> Best, > >>>>> > >>>>> -- > >>>>> Arthur Sherman > >>>>> > >>>>> +972-52-4878851 > >>>>> CPTeam > >>>>> > >>>> -- > >>>> Anthony Peacock > >>>> CHIME, Royal Free & University College Medical School > >>>> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > >>>> "If you have an apple and I have an apple and we > exchange apples > >>>> then you and I will still each have one apple. But if > you have an > >>>> idea and I have an idea and we exchange these ideas, then > >> each of us > >>>> will have two ideas." -- George Bernard Shaw > >>>> -- > >>>> MailScanner mailing list > >>>> mailscanner@lists.mailscanner.info > >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>>> > >>>> Before posting, read http://wiki.mailscanner.info/posting > >>>> > >>>> Support MailScanner development - buy the book off the website! 
> >> > >> -- > >> Anthony Peacock > >> CHIME, Royal Free & University College Medical School > >> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > >> "If you have an apple and I have an apple and we exchange apples > >> then you and I will still each have one apple. But if you have an > >> idea and I have an idea and we exchange these ideas, then > each of us > >> will have two ideas." -- George Bernard Shaw > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > > > > -- > Anthony Peacock > CHIME, Royal Free & University College Medical School > WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > "If you have an apple and I have an apple and we exchange apples > then you and I will still each have one apple. But if you have an > idea and I have an idea and we exchange these ideas, then each of us > will have two ideas." -- George Bernard Shaw > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From glenn.steen at gmail.com Wed Oct 11 13:37:22 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 11 13:37:26 2006
Subject: Double sendmail processes
In-Reply-To: <00c801c6ec51$28ebb580$3701a8c0@lapxp>
References: <452B5888.4010207@ecs.soton.ac.uk> <00c801c6ec51$28ebb580$3701a8c0@lapxp>
Message-ID: <223f97700610110537i2ac2d998v826bc8931d5d3589@mail.gmail.com>

On 10/10/06, Arthur Sherman wrote:
> Hi Jules,
>
> Sendmail is actually MailScanner. It was renamed for compatibility with
> other apps - old trick from some forum, which used to work before.
>
Did the trick include checking that you don't get multiple start and kill script "pointers" to the actual script (nor "dangling symlinks") from the actual runlevel-specific rc-script directories?

Check
ls -l /etc/rc?.d/*|grep -i mail
or possibly
ls -l /etc/rc.d/r*/*|grep -i mail

might be that you are simply running the same start script twice (although one would hope that starting the second one would simply fail... subsys lock or somesuch...), perhaps with different names...

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From bpumphrey at woodmclaw.com Wed Oct 11 14:05:46 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Wed Oct 11 14:15:50 2006
Subject: off-topic spamassassin
In-Reply-To: <452C21FA.60403@fsl.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F3D@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Swaney > Sent: Tuesday, October 10, 2006 6:43 PM > To: mailscanner@lists.mailscanner.info > Subject: off-topic spamassassin > > This is a SpamAssassin question but I'm not on the SA list (to many > lists as it is :() so if anybody can help I'd appreciate it. > > The spamassassin lint test issues this warning: > > 2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|% 20 > |[\s+&#])'i > [27341] dbg: config: adding redirector regex: > m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]* ?( > ?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i > [27341] dbg: config: adding redirector regex: > m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(. *? > )(?:$|[&#])'i > [27341] warn: config: failed to parse line, skipping: : > > The "warn" message is not that helpful but in fairness to SA - most are > very helpful. > > Sorry for the off topic post but any help appreciated. 
> > Thanks, > > Steve > steve@fsl.com > -- I am getting this as well, or similar: [16355] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i 0.14354 [16355] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i 0.00022 [16355] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i 0.00024 [16355] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i 0.00022 [16355] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i 0.00024 [16355] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i 0.00025 [16355] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i 0.00024 [16355] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i 0.0003 [16355] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?: $|[&#])'i 0.00038 [16355] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]* ?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i 0.00036 [16355] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]* ?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i 0.00042 [16355] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(. *?)(?:$|[&#])'i -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rob at dido.ca Wed Oct 11 14:33:38 2006 
From: rob at dido.ca (Rob Morin)
Date: Wed Oct 11 14:33:45 2006
Subject: Bayse problem?
Message-ID: <452CF2B2.7050606@dido.ca>

Just wondering why i would have this as an output....

I am not really familiar with Bayes...
can someone point me to some docs on how to set it up or make sure it works fine...

MS version 4.53.3(installed with Julian's scripty thingy), SA version 3.11 on Debian with Postfix

Thanks

here is an output
peter:/opt/MailScanner/etc# sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens
0.000          0          0          0  non-token data: oldest atime
0.000          0          0          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0          0          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

--
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

From bpumphrey at woodmclaw.com Wed Oct 11 14:33:50 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Wed Oct 11 14:33:57 2006
Subject: OT: Mail::SpamAssassin::Plugin::ReplaceTags
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F3D@woodenex.woodmaclaw.local>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F40@woodenex.woodmaclaw.local>

In my lint test it takes 1.62 seconds for the line of:
[20030] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xade3c24) implements 'finish_parsing_end'

Do you use this plugin? I do not recall enabling it manually so seems to be on by default.

I looked up what it does and searched the web site:
http://wiki.apache.org/spamassassin/ReplaceTags

Could only come up with descriptions and such.

Thank you

Billy Pumphrey
IT Manager
Wooden & McLaughlin

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From daniel.maher at ubisoft.com Wed Oct 11 14:34:10 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Oct 11 14:34:14 2006
Subject: idea for next version
In-Reply-To: <452C1C5B.7010708@evi-inc.com>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D323@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Matt Kettler
> Sent: October 10, 2006 6:19 PM
> To: MailScanner discussion
> Subject: Re: idea for next version
>
> Actually, this suggestion isn't very new. It's been made dozens of times
> over on
> the SpamAssassin list. It really doesn't work out in the general case.
>
> Unfortunately, for most folks it's not as dramatic as 95/5.. and even for
> those
> it is, that's still a relatively poor spam rule.>
> Quite frankly, geographic origin is a whole lot more accurate, and even
> that
> pretty well sucks. You might consider taking advantage of the RelayCountry
> plugin, and adding some rules like these (adjust scores, etc for your own
> geography:)

I sometimes envy those of you out there that can filter based on time, origin, relay, language, and other such features. I'm sure it cuts down on your spam quite a bit.

Unfortunately for me, my incoming mail servers handle mail for time zones ranging from +10 to -8; including major offices in China and Eastern Europe.

Suffice it to say that we process /a lot/ of legitimate mail that would probably otherwise be blocked by many mail servers which are English-speaking North American centric.

--
  _
 °v°   Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From arturs at netvision.net.il Wed Oct 11 14:46:24 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Wed Oct 11 14:48:22 2006
Subject: Double sendmail processes
In-Reply-To: <223f97700610110537i2ac2d998v826bc8931d5d3589@mail.gmail.com>
Message-ID: <016401c6ed3b$a49c06e0$3701a8c0@lapxp>

Bingo!

Output shows:
[root@ns1 log]# ls -l /etc/rc?.d/*|grep -i mail
lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc0.d/K30sendmail -> ../init.d/sendmail
lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc1.d/K30sendmail -> ../init.d/sendmail
lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc2.d/S80sendmail -> ../init.d/sendmail
lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc3.d/S80sendmail -> ../init.d/sendmail
lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc4.d/S80sendmail -> ../init.d/sendmail
lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc5.d/S80sendmail -> ../init.d/sendmail
lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc6.d/K30sendmail -> ../init.d/sendmail

Shall I remove them?

Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Glenn Steen > Sent: Wednesday, October 11, 2006 2:37 PM > To: MailScanner discussion > Subject: Re: Double sendmail processes > > On 10/10/06, Arthur Sherman wrote: > > Hi Jules, > > > > Sendmail is actually MailScanner. It was renamed for > compatibility with > > other apps - old trick from some forum, which used to work before. > > > Did the trick include checking that you don't get multiple start and > kill script "pointers" to the actual script (nor "dangling symlinks") > from the actual runlevel-specific rc-script directories? > > Check > ls -l /etc/rc?.d/*|grep -i mail > or possibly > ls -l /etc/rc.d/r*/*|grep -i mail > > might be that you are simply ruunning the same start script twice > (although one would hope that starting the second one would simply > fail... subsys lock or somesuch...), perhaps with different names... > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From bpumphrey at woodmclaw.com Wed Oct 11 15:06:09 2006 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Wed Oct 11 15:06:25 2006
Subject: Adding to the WIKI
In-Reply-To: <452CF2B2.7050606@dido.ca>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F44@woodenex.woodmaclaw.local>

I want to add a section under
http://wiki.mailscanner.info/doku.php?id=&idx=documentation:related_software:management:mailwatch:tips
For reports. I will start putting examples of report searches/syntax in there.

I tried and tried to figure out how to add a page but failed. I created a login. I read the namespace link. I tried putting the page name in the URL.

Will someone please answer my newb question?

Billy Pumphrey
IT Manager
Wooden & McLaughlin

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From dnsadmin at 1bigthink.com Wed Oct 11 15:14:02 2006
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Wed Oct 11 15:14:18 2006
Subject: idea for next version
In-Reply-To: <452CA5C6.4040809@solidstatelogic.com>
References: <1160513361.3522@bsd4.nedport.net> <452CA5C6.4040809@solidstatelogic.com>
Message-ID: <7.0.1.0.0.20061011101150.0dd9e018@1bigthink.com>

At 04:05 AM 10/11/2006, you wrote:
>I tend to find spam rises around 9am EST (Eest coast US) and dies
>off when the US goes home for the night .... can't think of why that
>could be ;-)

Uh, duh, maybe all our bot infected C&C machines on Spamcast, Ver-botspam? I block 20-30 each per day.

From dnsadmin at 1bigthink.com Wed Oct 11 15:18:23 2006
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Wed Oct 11 15:18:38 2006
Subject: idea for next version
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D323@UBIMAIL1.ubisoft.org>
References: <452C1C5B.7010708@evi-inc.com> <1E293D3FF63A3740B10AD5AAD88535D20226D323@UBIMAIL1.ubisoft.org>
Message-ID: <7.0.1.0.0.20061011101523.0dda0158@1bigthink.com>

At 09:34 AM 10/11/2006, you wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler
> > Sent: October 10, 2006 6:19 PM
> > To: MailScanner discussion
> > Subject: Re: idea for next version
> >
> > Actually, this suggestion isn't very new. It's been made dozens of times over on
> > the SpamAssassin list. It really doesn't work out in the general case.
> >
> > Unfortunately, for most folks it's not as dramatic as 95/5.. and even for those
> > it is, that's still a relatively poor spam rule.
> >
> > Quite frankly, geographic origin is a whole lot more accurate, and even that
> > pretty well sucks. You might consider taking advantage of the RelayCountry
> > plugin, and adding some rules like these (adjust scores, etc for your own
> > geography:)
>
>I sometimes envy those of you out there that can filter based on
>time, origin, relay, language, and other such features. I'm sure it
>cuts down on your spam quite a bit.
>
>Unfortunately for me, my incoming mail servers handle mail for time
>zones ranging from +10 to -8; including major offices in China and
>Eastern Europe.
>
>Suffice it to say that we process /a lot/ of legitimate mail that
>would probably otherwise be blocked by many mail servers which are
>English-speaking North American centric.
>

I tend to agree. Our firm could have utilized that sort of filtering
two to three years ago. But now, not at all. Notice that a lot of
what us North Americans used to receive in spam from hosts in China
are now arriving from Botnets on North American and Mexican machines.
That has changed the arrival time of the spam as well as the origin.

Cheers!

From glenn.steen at gmail.com Wed Oct 11 15:38:41 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 11 15:38:57 2006
Subject: Bayse problem?
In-Reply-To: <452CF2B2.7050606@dido.ca>
References: <452CF2B2.7050606@dido.ca>
Message-ID: <223f97700610110738g1df42eafy49754a22a5c198a0@mail.gmail.com>

On 11/10/06, Rob Morin wrote:
> Just wondering why i would have this as an output....
>
> I am not really familiar with Bayes...
> can someone point me to some docs on how to set it up or make sure it
> works fine...
>
> MS version 4.53.3(installed with Julian's scripty thingy), SA version
> 3.11 on Debian with Postfix
>
> Thanks
>
> here is an output
> peter:/opt/MailScanner/etc# sa-learn --dump magic

Hi Rob,

Since you are using postfix, chances are great that you are using a
non-privileged user (likely postfix, perhaps with the group postfix)
to run MailScanner. So SpamAssassin (with bayes) isn't run as root,
but rather as that user.

If you make sure you have a proper bayes_path (detailing your actual
"active" bayes db) and perhaps a proper bayes_filemode specification in
one of local.cf or mailscanner.cf (a.k.a. spam.assassin.prefs.conf ...
Think that symlink was present in version 4.53.3 too) in
/etc/mail/spamassassin, everything should work OK for any user with
read permission on the files (make sure the postfix user has that
explicitly, by making it the owner).

Test things by way of becoming the postfix user and running things...:
su - postfix -s /bin/bash
sa-learn --dump magic
spamassassin --lint -D 2>&1 | less -e

Look through the above to see that SA can bind/tie to the "database",
and that it seems to contain enough ham/spam.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Oct 11 15:48:32 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 11 15:48:35 2006
Subject: Double sendmail processes
In-Reply-To: <016401c6ed3b$a49c06e0$3701a8c0@lapxp>
References: <223f97700610110537i2ac2d998v826bc8931d5d3589@mail.gmail.com> <016401c6ed3b$a49c06e0$3701a8c0@lapxp>
Message-ID: <223f97700610110748q6e0c08a7u250b58cdba679103@mail.gmail.com>

On 11/10/06, Arthur Sherman wrote:
> Bingo!

Sad to be dampening your enthusiasm Arthur.... Look below.

>
> Output shows:
> [root@ns1 log]# ls -l /etc/rc?.d/*|grep -i mail
> lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc0.d/K30sendmail -> ../init.d/sendmail
> lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc1.d/K30sendmail -> ../init.d/sendmail
> lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc2.d/S80sendmail -> ../init.d/sendmail
> lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc3.d/S80sendmail -> ../init.d/sendmail
> lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc4.d/S80sendmail -> ../init.d/sendmail
> lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc5.d/S80sendmail -> ../init.d/sendmail
> lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc6.d/K30sendmail -> ../init.d/sendmail
>
> Shall I remove them?
>

No, that would not be that great:-). Those look quite normal to me,
and removing them would make them not "respond correctly" to runlevel
changes... What I was hoping for would've been more of the form:
lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc5.d/S80sendmail -> ../init.d/sendmail
lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc5.d/S85sendmail -> ../init.d/sendmail
... That is, more than one symlink to the same script. No luck with that:-(.
What you have above shouldn't be touched manually (you manage it via
chkconfig).

A "tangenting idea" is that you should look through the other bootup
rc-scripts, like /etc/rc.local (grep through /etc/rc.* for sendmail
perhaps). Since the "doubles" happen upon reboot, it kind of must be
something related to those:-).
... Or perhaps some opportunistic cron-job? Not that likely...

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From edwardbruce at sbcglobal.net Wed Oct 11 15:50:11 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Wed Oct 11 15:50:17 2006
Subject: MCP Issue
Message-ID: <452D04A3.3050107@sbcglobal.net>

I'm running MS v 4.56.6 and just noticed a strange error today. I have
MCP setup to catch a few derogatory terms. More for testing purposes
than actually use. It rarely gets any hits. But today it is consistently
hitting one person. The funny thing it is matching on rules in the spam
rules and not the MCP rules.

The last message had the following from MailWatch for Spam:

cached not score=0.22 5.6 required
-2.60 BAYES_00 Bayesian spam probability is 0 to 1%
1.10 FM_MULTI_ODD2
0.00 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
0.00 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
0.50 HTML_40_50 Message is 40% to 50% HTML
0.00 HTML_MESSAGE HTML included in message
0.22 MIME_BASE64_NO_NAME base64 attachment does not have a file name
0.00 MIME_HTML_ONLY Message only has text/html MIME parts
1.00 SUBJ_ALL_CAPS Subject is all capitals

In the MCP section:

MCP Score: 4.61
MCP Report:
Score Matching Rule Description
ALL_TRUSTED
FORGED_OUTLOOK_HTML
FORGED_OUTLOOK_TAGS
HTML_MESSAGE
MIME_HTML_ONLY
SUBJ_ALL_CAPS

I'm confused how the MCP section is suddenly matching my SA rules
instead of the ones I created for MCP?

From glenn.steen at gmail.com Wed Oct 11 15:59:31 2006
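Added example for the "Double sendmail processes" thread, not part of any list message: a shell function that automates the check Glenn describes, reporting runlevel directories where more than one start link resolves to the same init script, plus any dangling links. The directory tree is constructed for the demo, and the function names are made up here.

```sh
#!/bin/sh
# Added example. Scans <root>/rc?.d for start (S*) symlinks and reports
#   DUPLICATE <runlevel dir> <script> <link> <link> ...
#   DANGLING  <runlevel dir> <link>
# Pass /etc (the default) on a live system; kill (K*) links are ignored.

find_duplicate_start_links() {
    rc_root="${1:-/etc}"
    for dir in "$rc_root"/rc?.d; do
        [ -d "$dir" ] || continue
        for link in "$dir"/S*; do
            [ -L "$link" ] || continue
            if [ ! -e "$link" ]; then
                # Link target no longer exists.
                echo "DANGLING $(basename "$dir") $(basename "$link")"
                continue
            fi
            target=$(basename "$(readlink "$link")")
            echo "$(basename "$dir") $target $(basename "$link")"
        done
    done | sort | awk '
        $1 == "DANGLING" { print; next }
        { key = $1 " " $2; n[key]++; links[key] = links[key] " " $3 }
        END { for (k in n) if (n[k] > 1) print "DUPLICATE " k links[k] }
    ' | sort
}

# Constructed sample tree: rc5.d carries two start links to the same
# script (the S80/S85 pattern from the thread) and one dangling link.
build_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/init.d" "$sample_root/rc3.d" "$sample_root/rc5.d"
    : > "$sample_root/init.d/sendmail"
    ln -s ../init.d/sendmail "$sample_root/rc3.d/S80sendmail"
    ln -s ../init.d/sendmail "$sample_root/rc5.d/S80sendmail"
    ln -s ../init.d/sendmail "$sample_root/rc5.d/S85sendmail"
    ln -s ../init.d/gone "$sample_root/rc5.d/S90gone"
    echo "$sample_root"
}

demo_root=$(build_sample_tree)
find_duplicate_start_links "$demo_root"
rm -rf "$demo_root"
```

An empty result means each runlevel starts each script once, which is the situation Arthur's listing shows.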
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 11 15:59:36 2006
Subject: Adding to the WIKI
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F44@woodenex.woodmaclaw.local>
References: <452CF2B2.7050606@dido.ca> <04D932B0071FE34FA63EBB1977B48D1501C13F44@woodenex.woodmaclaw.local>
Message-ID: <223f97700610110759s6dc6131alfa427cd441c2466e@mail.gmail.com>

On 11/10/06, Billy A. Pumphrey wrote:
> I want to add a section under
> http://wiki.mailscanner.info/doku.php?id=&idx=documentation:related_software:management:mailwatch:tips
>
> For reports. I will start putting examples of report searches/syntax in
> there. I tried and tried to figure out how to add a page but failed. I
> created a login. I read the namespace link. I tried putting the page
> name in the URL.
>
> Will someone please answer my newb question?

Yes. You can "create" any page (and "needed directory structure") by
doing one of:
1) accessing the nonexistent entry directly through a manually entered URL
2) entering the "page path" in the search box
... and then creating the page by clicking the create page button.

Note that creating
documentation:related_software:management:mailwatch:tips will create a
page... if you want the subdirectory created, create
documentation:related_software:management:mailwatch:tips:whatever
instead.

Since the only way to remove directory structure is via shell access
to the webserver, one should be a tad restrictive with that:-).

One might also add that these tips likely would fit better in the
mailwatch wiki than the mailscanner one;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From andy at tireswing.net Wed Oct 11 16:22:53 2006
From: andy at tireswing.net (Andy Norris)
Date: Wed Oct 11 16:34:32 2006
Subject: LOTS of sendmail processes
Message-ID: <6.2.3.4.2.20061011102214.0259fab8@mail.finedaycoming.com>

When I issue a service sendmail restart command, I get nine pids
immediately, and it goes up from there. Way up most of the time.

I have lots of email that is not being scanned by MailScanner at all,
and it's just the last few days this has been happening.

sendmail v8.12.11
RHEL ES v3 (Taroon update 4)
Avg load somewhere around 0.25 (goes to 0.60 and higher depending on time of day)
Perl v5.8.0
Using spamassassin v3.1.0
This is on a machine running Ensim Pro 4.0.3-22.rhel.3ES

I'm tempted a bit to "uninstall" MailScanner and SpamAssassin -- if
that's possible -- and start all over again. I know it's got to be
something that was duplicated somewhere... my fault, of course.

Thanks,
Andy

From rob at dido.ca Wed Oct 11 16:47:48 2006
From: rob at dido.ca (Rob Morin)
Date: Wed Oct 11 16:47:58 2006
Subject: Bayse problem?
In-Reply-To: <223f97700610110738g1df42eafy49754a22a5c198a0@mail.gmail.com>
References: <452CF2B2.7050606@dido.ca> <223f97700610110738g1df42eafy49754a22a5c198a0@mail.gmail.com>
Message-ID: <452D1224.4000400@dido.ca>

interesting... :)

postfix@peter:~$ sa-learn --dump magic
bayes: cannot open bayes databases /opt/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied
bayes: cannot open bayes databases /opt/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied
ERROR: Bayes dump returned an error, please re-run with -D for more information

after making postfix the owner

postfix@peter:~$ sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 0 0 non-token data: nham
0.000 0 0 0 non-token data: ntokens
0.000 0 0 0 non-token data: oldest atime
0.000 0 0 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

After a few minutes....

peter:/opt/MailScanner/bayes# sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 10 0 non-token data: nspam
0.000 0 1 0 non-token data: nham
0.000 0 1974 0 non-token data: ntokens
0.000 0 1160581441 0 non-token data: oldest atime
0.000 0 1160581687 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

So should bayes learn now? or do i need to check something else...
thanks for the quick reply! :)

sorry for the long output......

postfix@peter:~$ spamassassin --lint -D 2>&1 | less -e [3673] dbg: logger: adding facilities: all [3673] dbg: logger: logging level is DBG [3673] dbg: generic: SpamAssassin version 3.1.1 [3673] dbg: config: score set 0 chosen. [3673] dbg: util: running in taint mode? yes [3673] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [3673] dbg: util: PATH included '/usr/local/bin', keeping [3673] dbg: util: PATH included '/usr/bin', keeping [3673] dbg: util: PATH included '/bin', keeping [3673] dbg: util: PATH included '/usr/bin/X11', keeping [3673] dbg: util: PATH included '/usr/games', keeping [3673] dbg: util: final PATH set to: /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games [3673] dbg: dns: is Net::DNS::Resolver available? yes [3673] dbg: dns: Net::DNS version: 0.57 [3673] dbg: diag: perl platform: 5.008004 linux [3673] dbg: diag: module installed: Digest::SHA1, version 2.10 [3673] dbg: diag: module installed: Getopt::Long, version 2.34 [3673] dbg: diag: module installed: LWP::UserAgent, version 2.033 [3673] dbg: diag: module installed: HTTP::Date, version 1.46 [3673] dbg: diag: module installed: Archive::Tar, version 1.26 [3673] dbg: diag: module installed: IO::Zlib, version 1.04 [3673] dbg: diag: module installed: DB_File, version 1.808 [3673] dbg: diag: module installed: HTML::Parser, version 3.48 [3673] dbg: diag: module installed: MIME::Base64, version 3.04 [3673] dbg: diag: module installed: Net::DNS, version 0.57 [3673] dbg: diag: module installed: Net::SMTP, version 2.26 [3673] dbg: diag: module installed: Mail::SPF::Query, version 1.997 [3673] dbg: diag: module installed: IP::Country::Fast, version 309.002 [3673] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed) [3673] dbg: diag: module not installed: Net::Ident ('require' failed) [3673] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed) [3673] dbg: diag: module not installed: IO::Socket::SSL ('require' failed) [3673] dbg: diag: 
module installed: Time::HiRes, version 1.59 [3673] dbg: diag: module installed: DBI, version 1.50 [3673] dbg: ignore: using a test message to lint rules [3673] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [3673] dbg: config: read file /etc/mail/spamassassin/init.pre [3673] dbg: config: read file /etc/mail/spamassassin/v310.pre [3673] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files [3673] dbg: config: using "/usr/local/share/spamassassin" for default rules dir [3673] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf [3673] dbg: config: read file /usr/local/share/spamassassin/20_uri_tests.cf [3673] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_accessdb.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_antivirus.cf [3673] dbg: config: read file 
/usr/local/share/spamassassin/25_body_tests_es.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_pl.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_domainkeys.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_hashcash.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_replace.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf [3673] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf [3673] dbg: config: read file /usr/local/share/spamassassin/30_text_de.cf [3673] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf [3673] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf [3673] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf [3673] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf [3673] dbg: config: read file /usr/local/share/spamassassin/30_text_pt_br.cf [3673] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf [3673] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf [3673] dbg: config: read file /usr/local/share/spamassassin/60_whitelist.cf [3673] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_spf.cf [3673] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_subject.cf [3673] dbg: config: using "/etc/mail/spamassassin" for site rules dir [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_adult.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_bayes_poison_nxm.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum0.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj.cf [3673] dbg: 
config: read file /etc/mail/spamassassin/70_sare_genlsubj0.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_header.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_header0.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_header2.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_html.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu0.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu2.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu3.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_oem.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_random.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_specific.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_spoof.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_stocks.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_unsub.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_uri0.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_uri1.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_uri3.cf [3673] dbg: config: read file /etc/mail/spamassassin/70_sare_uri_eng.cf [3673] dbg: config: read file /etc/mail/spamassassin/72_sare_bml_post25x.cf [3673] dbg: config: read file /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf [3673] dbg: config: read file /etc/mail/spamassassin/88_FVGT_body.cf [3673] dbg: config: read file /etc/mail/spamassassin/88_FVGT_headers.cf [3673] dbg: config: read file /etc/mail/spamassassin/88_FVGT_rawbody.cf [3673] dbg: config: read file /etc/mail/spamassassin/88_FVGT_subject.cf [3673] dbg: config: read file /etc/mail/spamassassin/88_FVGT_uri.cf [3673] dbg: config: read file /etc/mail/spamassassin/99_FVGT_meta.cf [3673] dbg: config: read file /etc/mail/spamassassin/99_sare_fraud_post25x.cf [3673] dbg: 
config: read file /etc/mail/spamassassin/bogus-virus-warnings.cf [3673] dbg: config: read file /etc/mail/spamassassin/imageinfo.cf [3673] dbg: config: read file /etc/mail/spamassassin/local.cf [3673] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf [3673] dbg: config: read file /etc/mail/spamassassin/random.cf [3673] dbg: config: read file /etc/mail/spamassassin/tripwire.cf [3673] dbg: config: using "/var/spool/postfix/.spamassassin" for user state dir [3673] dbg: config: using "/var/spool/postfix/.spamassassin" for user state dir [3673] warn: config: cannot write to /var/spool/postfix/.spamassassin/user_prefs: Permission denied [3673] warn: config: failed to create default user preference file /var/spool/postfix/.spamassassin/user_prefs [3673] dbg: config: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs file [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x910aa44) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x90e3ecc) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x9141b54) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x9148554) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [3673] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF=HASH(0x91485b4), already registered [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [3673] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9345bd8), already registered [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from /etc/mail/spamassassin/plugins/ImageInfo.pm [3673] dbg: plugin: registered 
Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x9125174) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC [3673] dbg: dcc: network tests on, registering DCC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0x91d18a0) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC [3673] dbg: pyzor: network tests on, attempting Pyzor [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x91ac8f8) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC [3673] dbg: razor2: razor2 is not available [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x915dcec) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC [3673] dbg: reporter: network tests on, attempting SpamCop [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x9179798) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x9195ef8) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x9196eb8) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x9197944) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x9198640) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC [3673] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x91996e4) [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC [3673] dbg: plugin: did not register Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x91993a8), already registered [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [3673] dbg: plugin: did not 
register Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c), already registered [3673] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [3673] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x91486f8), already registered [3673] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i [3673] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i [3673] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i [3673] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i [3673] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i [3673] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&\#])'i [3673] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i [3673] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i [3673] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i [3673] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20 |[\s+&\#])'i [3673] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$ |%22|["\s+&\#])'i [3673] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i [3673] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x91996e4) implements 'finish_parsing_end' [3673] dbg: replacetags: replacing tags [3673] dbg: replacetags: done replacing tags [3673] dbg: bayes: tie-ing to DB file R/O /opt/MailScanner/bayes/bayes_toks [3673] dbg: bayes: tie-ing to DB file R/O 
/opt/MailScanner/bayes/bayes_seen [3673] dbg: bayes: found bayes db version 3 [3673] dbg: bayes: DB journal sync: last sync: 0 [3673] dbg: bayes: not available for scanning, only 1 spam(s) in bayes DB < 200 [3673] dbg: bayes: untie-ing [3673] dbg: bayes: untie-ing db_toks [3673] dbg: bayes: untie-ing db_seen [3673] dbg: config: score set 1 chosen. [3673] dbg: message: ---- MIME PARSER START ---- [3673] dbg: message: main message type: text/plain [3673] dbg: message: parsing normal part [3673] dbg: message: added part, type: text/plain [3673] dbg: message: ---- MIME PARSER END ---- [3673] dbg: bayes: tie-ing to DB file R/O /opt/MailScanner/bayes/bayes_toks [3673] dbg: bayes: tie-ing to DB file R/O /opt/MailScanner/bayes/bayes_seen [3673] dbg: bayes: found bayes db version 3 [3673] dbg: bayes: DB journal sync: last sync: 0 [3673] dbg: bayes: not available for scanning, only 1 spam(s) in bayes DB < 200 [3673] dbg: bayes: untie-ing [3673] dbg: bayes: untie-ing db_toks [3673] dbg: bayes: untie-ing db_seen [3673] dbg: dns: dns_available set to yes in config file, skipping test [3673] dbg: metadata: X-Spam-Relays-Trusted: [3673] dbg: metadata: X-Spam-Relays-Untrusted: [3673] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x9148554) implements 'extract_metadata' [3673] dbg: metadata: X-Relay-Countries: [3673] dbg: message: no encoding detected [3673] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x910aa44) implements 'parsed_metadata' [3673] dbg: uridnsbl: domains to query: [3673] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal [3673] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted [3673] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl [3673] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted [3673] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal [3673] dbg: dns: checking RBL combined.njabl.org., set njabl [3673] dbg: dns: checking RBL 
combined-HIB.dnsiplists.completewhois.com., set whois [3673] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal [3673] dbg: dns: checking RBL bl.spamcop.net., set spamcop [3673] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted [3673] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal [3673] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal [3673] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs [3673] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted [3673] dbg: check: running tests for priority: 0 [3673] dbg: rules: running header regexp tests; score so far=0 [3673] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [3673] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1160581460@lint_rules> [3673] dbg: rules: " [3673] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [3673] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org [3673] dbg: rules: " [3673] dbg: rules: ran header rule __FM_NO_FROM ======> got hit: "i" [3673] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1160581460" [3673] dbg: plugin: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x90e3ecc)) [3673] dbg: plugin: registering glue method for check_for_spf_helo_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c)) [3673] dbg: spf: no trusted relays found, using first (untrusted) relay (if present) for SPF checks [3673] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check [3673] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [3673] dbg: plugin: registering glue method for check_subject_in_blacklist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x9197944)) [3673] dbg: plugin: registering glue method for check_hashcash_value (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x90e3ecc)) [3673] dbg: eval: 
all '*To' addrs: [3673] dbg: plugin: registering glue method for check_for_spf_neutral (Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c)) [3673] dbg: spf: no suitable relay for spf use found, skipping SPF check [3673] dbg: plugin: registering glue method for check_for_spf_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c)) [3673] dbg: rules: ran eval rule NO_RELAYS ======> got hit [3673] dbg: plugin: registering glue method for check_for_spf_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c)) [3673] dbg: plugin: registering glue method for check_for_spf_helo_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c)) [3673] dbg: plugin: registering glue method for check_for_def_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c)) [3673] dbg: spf: cannot get Envelope-From, cannot use SPF [3673] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [3673] dbg: plugin: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c)) [3673] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [3673] dbg: plugin: registering glue method for check_subject_in_whitelist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x9197944)) [3673] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit [3673] dbg: plugin: registering glue method for check_for_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x919888c)) [3673] dbg: spf: spf_whitelist_from: could not find useable envelope sender [3673] dbg: rules: running body-text per-line regexp tests; score so far=0.738 [3673] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [3673] dbg: uri: running uri tests; score so far=0.738 [3673] dbg: plugin: registering glue method for image_size_exact (Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x9125174)) [3673] dbg: bayes: tie-ing to DB file R/O /opt/MailScanner/bayes/bayes_toks [3673] dbg: bayes: tie-ing to DB file R/O /opt/MailScanner/bayes/bayes_seen [3673] dbg: bayes: found bayes 
db version 3 [3673] dbg: bayes: DB journal sync: last sync: 0 [3673] dbg: bayes: not available for scanning, only 1 spam(s) in bayes DB < 200 [3673] dbg: bayes: not scoring message, returning undef [3673] dbg: bayes: DB journal sync: last sync: 0 [3673] dbg: bayes: untie-ing [3673] dbg: bayes: untie-ing db_toks [3673] dbg: bayes: untie-ing db_seen [3673] dbg: plugin: registering glue method for image_to_text_ratio (Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x9125174)) [3673] dbg: plugin: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x91486f8)) [3673] dbg: plugin: registering glue method for image_count (Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x9125174)) [3673] dbg: plugin: registering glue method for pixel_coverage (Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x9125174)) [3673] dbg: plugin: registering glue method for image_named (Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x9125174)) [3673] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.738 [3673] dbg: rules: running full-text regexp tests; score so far=0.738 [3673] dbg: plugin: registering glue method for check_razor2_range (Mail::SpamAssassin::Plugin::Razor2=HASH(0x915dcec)) [3673] dbg: plugin: registering glue method for check_razor2 (Mail::SpamAssassin::Plugin::Razor2=HASH(0x915dcec)) [3673] dbg: plugin: registering glue method for check_pyzor (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x91ac8f8)) [3673] dbg: pyzor: pyzor is available: /usr/bin/pyzor [3673] dbg: info: entering helper-app run mode [3673] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin3673vQHtjGtmp [3792] dbg: util: setuid: ruid=103 euid=103 [3673] dbg: pyzor: [3792] finished: exit=0x0100 [3673] dbg: pyzor: got response: Traceback (most recent call last):\n File "/usr/bin/pyzor", line 12, in ?\n pyzor.client.run()\n File "/usr/lib/pyt hon2.3/site-packages/pyzor/client.py", line 973, in run\n ExecCall().run()\n File 
"/usr/lib/python2.3/site-packages/pyzor/client.py", line 174, in ru n\n os.mkdir(homedir)\nOSError: [Errno 13] Permission denied: '/var/spool/postfix/.pyzor' [3673] dbg: info: leaving helper-app run mode [3673] warn: pyzor: check failed: internal error [3673] dbg: plugin: registering glue method for check_dcc (Mail::SpamAssassin::Plugin::DCC=HASH(0x91d18a0)) [3673] dbg: dcc: dccifd is not available: no r/w dccifd socket found [3673] dbg: dcc: dccproc is available: /usr/local/bin/dccproc [3673] dbg: info: entering helper-app run mode [3673] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -R < /tmp/.spamassassin3673vQHtjGtmp [3796] dbg: util: setuid: ruid=103 euid=103 [3673] dbg: dcc: killed stale helper [3796] [3673] dbg: dcc: [3796] terminated: exit=0xf100 [3673] dbg: info: leaving helper-app run mode [3673] dbg: dcc: check timed out after 5 seconds [3673] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x910aa44) implements 'check_tick' [3673] dbg: check: running tests for priority: 500 [3673] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x910aa44) implements 'check_post_dnsbl' [3673] dbg: rules: running meta tests; score so far=0.738 [3673] dbg: rules: running header regexp tests; score so far=2.716 [3673] dbg: rules: running body-text per-line regexp tests; score so far=2.716 [3673] dbg: uri: running uri tests; score so far=2.716 [3673] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.716 [3673] dbg: rules: running full-text regexp tests; score so far=2.716 [3673] dbg: check: running tests for priority: 1000 [3673] dbg: rules: running meta tests; score so far=2.716 [3673] dbg: rules: running header regexp tests; score so far=2.716 [3673] dbg: plugin: registering glue method for check_from_in_auto_whitelist (Mail::SpamAssassin::Plugin::AWL=HASH(0x9195ef8)) [3673] dbg: rules: running body-text per-line regexp tests; score so far=2.716 [3673] dbg: uri: running uri tests; score so far=2.716 [3673] dbg: rules: running 
raw-body-text per-line regexp tests; score so far=2.716 [3673] dbg: rules: running full-text regexp tests; score so far=2.716 [3673] dbg: check: is spam? score=2.716 required=5 [3673] dbg: check: tests=FM_NO_TO,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE [3673] dbg: check: subtests=__FM_NO_FROM,__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 Glenn Steen wrote: > On 11/10/06, Rob Morin wrote: >> Just wondering why i would have this as an output.... >> >> I am not really familiar with Bayes... >> can someone point me to some docs on how to set it up or make sure it >> works fine... >> >> MS version 4.53.3(installed with Julian's scripty thingy), SA version >> 3.11 on Debian with Postfix >> >> Thanks >> >> here is an output >> peter:/opt/MailScanner/etc# sa-learn --dump magic > Hi Rob, > > Since you are using postfix, chances are great that you are using a > non-priviledged user (likely postfix, perhaps with the group postfix) > to run MailScanner. So SpamAssassin (with bayes) isn't run as root, > but rather as that user. > > If you make sure you have a proper bayes_path (detailing your actual > "active" bays db) and perhaps a proper bayes_filemode specification in > one of local.cf or mailscanner.cf (a.k.a. spam.assassin.prefs.conf ... > Think that symlink was present in version 4.53.3 too) in > /etc/mail/spamassassin, everything should work OK for any user with > read permission on the files (make sure the postfix user has that > explicitly, by making it the owner). > > Test things by way of becoming the postfix user and running things...: > su - postfix -s /bin/bash > sa-learn --dump magic > spamassassin --lint -D 2>&1 | less -e > > > Look through the above to see that SA can bind/tie to the "database", > and that it seems to contain enough ham/spam. > From martinh at solidstatelogic.com Wed Oct 11 16:54:25 2006 
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Oct 11 16:54:44 2006
Subject: Sophos/MailScanner
In-Reply-To: <008f01c6ec90$83220b50$9908a8c0@syntricity.com>
References: <008f01c6ec90$83220b50$9908a8c0@syntricity.com>
Message-ID: <452D13B1.6000402@solidstatelogic.com>

Lisa Wu wrote:
> Hi,
>
> My server:
> Postfix 2.2.10
> Dovecot 1.0 beta 8
> Mailscanner 4.51.5
> SpamAssassin 3.1.1
>
> Once in a while the server will fail to download its updates from Sophos.
> (The cause being that our T1 line went down). Then the mail log starts
> posting MailScanner error messages every 10 seconds until a successful
> update occurs:
>
> Sep 6 14:06:50 mail MailScanner[30864]: None of the files matched by the
> "Monitors For Sophos Updates" patterns exist!
>
> Because of this error the queue starts placing all messages on hold.
>
> My solution (probably the wrong way to do this) was to create a script that
> runs every 10 minutes to manually release all held messages and flush the
> queue.
>
> I've searched Google, I've searched the MailScanner archives, and I've
> contacted Sophos. I went over the different configurations options in
> attempts to figure out a way of working around this behavior. Would I have
> to temporarily comment out the Mailscanner portion of my Postfix config to
> allow for normal internal mail flow? I know I risk the chance of viruses if
> I do this, which is why I was hoping there's a way of using the old Sophos
> IDES.
>
> Any help regarding this problem would be helpful.
>
> Thanks,
>
> Lisa Wu
>

Lisa

how are you updating the virus defs for Sophos?

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From mailscanner at mango.zw Wed Oct 11 16:58:44 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Wed Oct 11 16:55:12 2006
Subject: LOTS of sendmail processes
In-Reply-To: <6.2.3.4.2.20061011102214.0259fab8@mail.finedaycoming.com>
Message-ID:

On Wed, 11 Oct 2006, Andy Norris wrote:

> When I issue a service sendmail restart command, I get nine pids
> immediately, and it goes up from there. Way up most of the time.

Why not show us the results of "ps ax | grep sendmail" before and after
the restart so we can see what is happening?

> I have lots of email that is not being scanned by MailScanner at all,
> and it's just the last few days this has been happening.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From vanhorn at whidbey.com Wed Oct 11 16:59:18 2006
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Wed Oct 11 16:59:23 2006
Subject: Postfix conversion
In-Reply-To: <223f97700610110759s6dc6131alfa427cd441c2466e@mail.gmail.com>
References: <452CF2B2.7050606@dido.ca> <04D932B0071FE34FA63EBB1977B48D1501C13F44@woodenex.woodmaclaw.local> <223f97700610110759s6dc6131alfa427cd441c2466e@mail.gmail.com>
Message-ID: <452D14D6.4080002@whidbey.com>

Help! For some reason my message last night hasn't gone out to the list,
or at least it didn't get here, so this is a repeat - just a little more
desperate.

I decided to switch to Postfix and I believe I have it running, and I
made the mods to the MailScanner.conf and the two postfix .cf files as
per the docs on the wiki. But it doesn't look like things are working
yet, and mail from outside is still not getting delivered.

When I run "service MailScanner start" it still tries to launch two
copies of Sendmail instead of the one copy of Postfix. I'm not sure, but
I think this is my main problem. Is there a replacement startup script
for MailScanner when used with Postfix?

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of
quotations on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For photography, web design, hosting, and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
-----------------------------------------------------------

From Kevin_Miller at ci.juneau.ak.us Wed Oct 11 17:11:42 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Oct 11 17:11:52 2006
Subject: LOTS of sendmail processes
In-Reply-To: <6.2.3.4.2.20061011102214.0259fab8@mail.finedaycoming.com>
Message-ID:

Andy Norris wrote:
> When I issue a service sendmail restart command, I get nine pids
> immediately, and it goes up from there. Way up most of the time.
>
> I have lots of email that is not being scanned by MailScanner at all,
> and it's just the last few days this has been happening.
>
> sendmail v8.12.11
> RHEL ES v3 (Taroon update 4)
> Avg load somewhere around 0.25 (goes to 0.60 and higher depending on
> time of day)
> Perl v5.8.0
> Using spamassassin v3.1.0
> This is on a machine running Ensim Pro 4.0.3-22.rhel.3ES

Are you using any milters?

The restart option shuts down sendmail and MailScanner, pauses for some
time - probably around 10 seconds - then starts them again. If there are
any lingering sendmail processes it can cause, um, what's that phrase?
Oh yeah, "unpredictable results".

Instead of a restart, do a stop, then issue:
ps aux | grep sendmail

Got any running sendmail processes? Wait a few seconds and reissue the
above ps command and see if they're persisting...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From lisa.wu at syntricity.com Wed Oct 11 17:55:12 2006
From: lisa.wu at syntricity.com (Lisa Wu)
Date: Wed Oct 11 17:55:19 2006
Subject: Sophos/MailScanner
In-Reply-To: <452D13B1.6000402@solidstatelogic.com>
Message-ID: <011201c6ed56$046dc170$9908a8c0@syntricity.com>

Lisa Wu wrote:
>> Once in a while the server will fail to download its updates from Sophos.
>> (The cause being that our T1 line went down). Then the mail log starts
>> posting MailScanner error messages every 10 seconds until a successful
>> update occurs:
>>
>> Sep 6 14:06:50 mail MailScanner[30864]: None of the files matched by the
>> "Monitors For Sophos Updates" patterns exist!
>>
>> Because of this error the queue starts placing all messages on hold.

Martin Hepworth wrote:
>Lisa
>
>how are you updating the virus defs for Sophos?

Martin,

There is a cron job that runs the Sophos update script running once every hour.

Thanks,

Lisa

From ssilva at sgvwater.com Wed Oct 11 18:14:02 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 11 18:16:28 2006 Subject: idea for next version In-Reply-To: <1160555750.41090@bsd4.nedport.net> References: <1160555750.41090@bsd4.nedport.net> Message-ID: mailscanner@berger.nl spake the following on 10/11/2006 1:35 AM: > Scott Silva wrote .. >> Logan Shaw spake the following on 10/10/2006 3:12 PM: >>> Roger wrote: >>>>> So I was checking mailwatch this evening and I found out that the >>>>> spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. >>>>> This is quiet logical because at daytime everybody is working and at >>>>> night (well here in europe) only spammers are working. This can be >>>>> used for the spamfiltering. I think if it is possible to f.e. do, >>>>> "spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more >>>>> highscoring spam at night. Offcourse it will also hit ham, but as >>>>> there is much less ham at night the possibility is less. >>> On Tue, 10 Oct 2006, Steve Campbell wrote: >>>> I tend to look at this in a different light. Spam is spam, and should >>>> be caught by rules, etc regardless of the time it arrives. Ham is the >>>> same also regardless of it's arrival time. A good set of rules should >>>> work fine any time of the day. The percentages only indicate when >>>> people are sending mail, so this is a useless figure for comparing >>>> day/night averages. >>> True enough, but every other rule that SpamAssassin uses >>> is a heuristic as well. They're all based on particular >>> characteristics of the messages (or servers that send them) >>> and some kind of statistical correlation between those >>> characteristics and spamminess. >>> >>>> For instance, if the same message that came in at night were resent >>>> during the day, how should the mail be treated? Different score and >>>> action? 
>>> While I share the feeling that it is a little bit odd that the >>> time a message arrives could sway its score, this is already >>> true to some extent: real-time blacklists change over time >>> (otherwise they wouldn't be real-time), and the score a message >>> gets can be different one hour from what it is at the next hour. >>> >>> Overall, I think time of arrival could be safely used as >>> yet another heuristic for determining if something is spam. >>> The key thing is that the scores would need to be right, which >>> I suspect means they'd need to be fairly low, something like >>> 0.5 or so. SpamAssassin already handles setting scores by >>> running a genetic algorithm (or whatever it is that it uses >>> that replaced the GA in 3.x), but since this varies so much >>> by site (what time zone the site is located in, what type >>> of usage patterns it sees, etc.), there would need to be a >>> reliable method of determining site-specific scores for this. >>> >>> To go in a different direction, as long as we're talking about >>> time, another possibility is to apply time other places. >>> For instance, you might have a time-dependent greylist. >>> Make the greylist's delay much longer at night and shorter >>> during the day. You'd get a lot of the effectiveness of >>> greylisting but without as much delay during the active periods. >>> >>> Overall, though, I think although looking at time does give >>> you additional information, it is not clear at all that >>> the positives of going with it will outweigh the negatives. >>> Time is a trait of a message (or message delivery) that has a >>> strong correlation with spamminess, but there is also a steady >>> stream of exceptions. So getting value out of looking at the >>> time is likely to be that much harder because of that. >>> >>> - Logan >> But many companies regularly have exec's and others working late, or from >> home. So you will be placing these people in the spammer class just because >> they work late? 
>> Or how about someone in Hawaii mailing something to New York at 5:00 Pm >> Hawaii >> time. That would be in the wee hours in New York, but not necessarily spam. >> Or if Julian sent me a message at 8:00AM in the UK, it would be about midnight >> here in the west coast of the US. >> >> -- >> > Well, as long as you can change the time. If you set 11:00Pm till 7:00 am I think you won't hit many people working late and even companies 5 hours away will be mainly closed at 6 pm. > The idea is based on what I see for myself. This morning I had 51 spam mails which hit between 4(low) and 9(high). These were all real spam. Beside that I had 2 normal emails which had a score of -2,50 and whitelisted. The problem is that I had still 51 messages tagged as {Spam?} which I had to check manually. I checked a few of them and they mostly hit a score about 7 or 8. > If I could multiply the spam score with f.e. 1.2 between 11pm an 7am it would 'upgrade' about 20 messages to highscoring which means I receive about 40% less spam in the morning. > I won't try this at daytime because the chance of hitting ham is too big. > Offcourse these are my findings. > > Maybe, the real thought behind it is that I have a very different ratio of spam/ham at night and at daytime, and this can be used to filter spam somehow. > > Or maybe, mailscanner spoiled me so far that I want too much ;-) > > Roger > My setup is just so different. Maybe it is the rules I have, or the use of razor - DCC - pyzor, but I have a very small percentage of mail in the normal spam range. Most is either high scoring on ham. Looking at the current stats, I have 38.1% clean, 58.8% High scoring spam, and only 3.1% spam. I have only had one false positive in the last 2 weeks, and that was only a technicality. The sender was forwarding a joke from a yahoo mail account. I said spam, the receiver didn't care either way, and the sender probably didn't think it was spam. But I win, 'cause I'm root! 
Between Razor, the uribl's and the sare rules, It is pretty close to making me happy, and my bosses are happy, so I still tweak things, but not as often as I used to. I even got a message that scored 114. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Oct 11 18:26:47 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 11 18:29:00 2006 Subject: idea for next version In-Reply-To: <452CA5C6.4040809@solidstatelogic.com> References: <1160513361.3522@bsd4.nedport.net> <452CA5C6.4040809@solidstatelogic.com> Message-ID: Martin Hepworth spake the following on 10/11/2006 1:05 AM: > mailscanner@berger.nl wrote: >> Well, I am happily using mailscanner for a while now and it still >> works great. >> >> So I was checking mailwatch this evening and I found out that the spam >> / ham percentage is 60% / 40% at daytime and 95% / 5% at night. This >> is quiet logical because at daytime everybody is working and at night >> (well here in europe) only spammers are working. This can be used for >> the spamfiltering. I think if it is possible to f.e. do, "spamscore * >> 1.2" between 11:00 pm and 7:00 am, it will hit more highscoring spam >> at night. Offcourse it will also hit ham, but as there is much less >> ham at night the possibility is less. Then, most off the overnight ham >> is mailinglist which are often whitelisted. >> >> Any ideas? >> >> Roger > > Depends, we run Tokyo->Paris->UK->New York->LA offices through our > MailScanner......not to mention all the international email lists we're > all on.. > > I tend to find spam rises around 9am EST (Eest coast US) and dies off > when the US goes home for the night .... can't think of why that could > be ;-) > Maybe because there are more computers per capita in the US. And more stupid computer users that buy crap from spam mails. Spam is a game of spray as much as you can and hope you hit something. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Oct 11 18:35:31 2006 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 11 18:36:40 2006
Subject: Bayse problem?
In-Reply-To: <452D1224.4000400@dido.ca>
References: <452CF2B2.7050606@dido.ca> <223f97700610110738g1df42eafy49754a22a5c198a0@mail.gmail.com> <452D1224.4000400@dido.ca>
Message-ID:

Rob Morin spake the following on 10/11/2006 8:47 AM:
> interesting... :)
>
> postfix@peter:~$ sa-learn --dump magic
> bayes: cannot open bayes databases /opt/MailScanner/bayes/bayes_* R/O:
> tie failed: Permission denied
> bayes: cannot open bayes databases /opt/MailScanner/bayes/bayes_* R/O:
> tie failed: Permission denied
> ERROR: Bayes dump returned an error, please re-run with -D for more
> information
>
> after making postfix the owner
> postfix@peter:~$ sa-learn --dump magic
> 0.000          0          3          0  non-token data: bayes db version
> 0.000          0          0          0  non-token data: nspam
> 0.000          0          0          0  non-token data: nham
> 0.000          0          0          0  non-token data: ntokens
> 0.000          0          0          0  non-token data: oldest atime
> 0.000          0          0          0  non-token data: newest atime
> 0.000          0          0          0  non-token data: last journal sync atime
> 0.000          0          0          0  non-token data: last expiry atime
> 0.000          0          0          0  non-token data: last expire atime delta
> 0.000          0          0          0  non-token data: last expire reduction count
>
> After a few minutes....
>
> peter:/opt/MailScanner/bayes# sa-learn --dump magic
> 0.000          0          3          0  non-token data: bayes db version
> 0.000          0         10          0  non-token data: nspam
> 0.000          0          1          0  non-token data: nham
> 0.000          0       1974          0  non-token data: ntokens
> 0.000          0 1160581441          0  non-token data: oldest atime
> 0.000          0 1160581687          0  non-token data: newest atime
> 0.000          0          0          0  non-token data: last journal sync atime
> 0.000          0          0          0  non-token data: last expiry atime
> 0.000          0          0          0  non-token data: last expire atime delta
> 0.000          0          0          0  non-token data: last expire reduction count
>
>
> So should bayes learn now? or do i need to check something else...
> thanks for the quick reply!
> :)
>

As you can see in the nham and nspam counts above, bayes is now learning.
It won't start scoring with bayes until you have 200 of each.
You will either have to wait, or get a starter database from the Fortress
site.. www.fsl.com/support.html
It could train itself in a week or so, maybe less depending on your traffic.
You can help the process by manually training things it misses.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From glenn.steen at gmail.com Wed Oct 11 19:13:06 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 11 19:13:10 2006
Subject: Bayse problem?
In-Reply-To: <452D1224.4000400@dido.ca>
References: <452CF2B2.7050606@dido.ca> <223f97700610110738g1df42eafy49754a22a5c198a0@mail.gmail.com> <452D1224.4000400@dido.ca>
Message-ID: <223f97700610111113m4c5a1a8fv5a100d523404df9c@mail.gmail.com>

On 11/10/06, Rob Morin wrote:
> interesting... :)
>
> postfix@peter:~$ sa-learn --dump magic
> bayes: cannot open bayes databases /opt/MailScanner/bayes/bayes_* R/O:
> tie failed: Permission denied
> bayes: cannot open bayes databases /opt/MailScanner/bayes/bayes_* R/O:
> tie failed: Permission denied
> ERROR: Bayes dump returned an error, please re-run with -D for more
> information
>
> after making postfix the owner

Good move;-)
The difference between

> 0.000 0 0 0 non-token data: nspam
> 0.000 0 0 0 non-token data: nham

and

> 0.000 0 10 0 non-token data: nspam
> 0.000 0 1 0 non-token data: nham

show that it already is accumulating information automatically. When
both reach 200 (or whatever the limit has been set to... if changed
from the defaults), It'll start scoring too. You will notice that this
affects a lot of rules:).

>
> So should bayes learn now? or do i need to check something else...
> thanks for the quick reply!
> :)

It already is:).

(snip)
> [3673] dbg: config: using "/var/spool/postfix/.spamassassin" for user
> state dir
> [3673] dbg: config: using "/var/spool/postfix/.spamassassin" for user
> state dir

Set this in MailScanner.conf (SpamAssassin User State Dir or similar
(not at work ATM:)), and/or in your local.cf (or mailscanner.cf) (I
suppose one could well do this... No docs at home and my broadband
imitating a 9600 modem... You look it up:-)

These are further indicators that it cannot write to the standard
~postfix/.spamassassin directory (I usually "cure" this by creating
this directory and chowning it to postfix:postfix ... along with
.pyzor and .razor directories)

> [3673] warn: config: cannot write to
> /var/spool/postfix/.spamassassin/user_prefs: Permission denied
> [3673] warn: config: failed to create default user preference file
> /var/spool/postfix/.spamassassin/user_prefs
> [3673] dbg: config: using "/var/spool/postfix/.spamassassin/user_prefs"
> for user prefs file
(snip)
> [3673] dbg: bayes: tie-ing to DB file R/O /opt/MailScanner/bayes/bayes_toks
> [3673] dbg: bayes: tie-ing to DB file R/O /opt/MailScanner/bayes/bayes_seen
> [3673] dbg: bayes: found bayes db version 3
> [3673] dbg: bayes: DB journal sync: last sync: 0
> [3673] dbg: bayes: not available for scanning, only 1 spam(s) in bayes
> DB < 200
> [3673] dbg: bayes: untie-ing
> [3673] dbg: bayes: untie-ing db_toks
> [3673] dbg: bayes: untie-ing db_seen

These, although "sinister looking" are actually a good indicator that
it'll eventually start using it:-)... So... Looking good;)

(snip)
> [3673] dbg: plugin: registering glue method for check_pyzor
> (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x91ac8f8))
> [3673] dbg: pyzor: pyzor is available: /usr/bin/pyzor
> [3673] dbg: info: entering helper-app run mode
> [3673] dbg: pyzor: opening pipe: /usr/bin/pyzor check <
> /tmp/.spamassassin3673vQHtjGtmp
> [3792] dbg: util: setuid: ruid=103 euid=103
> [3673] dbg: pyzor: [3792] finished: exit=0x0100
> [3673] dbg: pyzor: got response: Traceback (most recent call last):\n
> File "/usr/bin/pyzor", line 12, in ?\n pyzor.client.run()\n File
> "/usr/lib/pyt
> hon2.3/site-packages/pyzor/client.py", line 973, in run\n
> ExecCall().run()\n File
> "/usr/lib/python2.3/site-packages/pyzor/client.py", line 174, in ru
> n\n os.mkdir(homedir)\nOSError: [Errno 13] Permission denied:
> '/var/spool/postfix/.pyzor'
> [3673] dbg: info: leaving helper-app run mode
> [3673] warn: pyzor: check failed: internal error

Yep, you need to create ~postfix/.pyzor too... and make postfix own it.

> [3673] dbg: plugin: registering glue method for check_dcc
> (Mail::SpamAssassin::Plugin::DCC=HASH(0x91d18a0))
> [3673] dbg: dcc: dccifd is not available: no r/w dccifd socket found
> [3673] dbg: dcc: dccproc is available: /usr/local/bin/dccproc
> [3673] dbg: info: entering helper-app run mode
> [3673] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -R <
> /tmp/.spamassassin3673vQHtjGtmp
> [3796] dbg: util: setuid: ruid=103 euid=103
> [3673] dbg: dcc: killed stale helper [3796]
> [3673] dbg: dcc: [3796] terminated: exit=0xf100
> [3673] dbg: info: leaving helper-app run mode
> [3673] dbg: dcc: check timed out after 5 seconds

Hm, something's bad with dccproc too... Needs some TLC too, it seems:-).
If I get the VPN to actually accept my credentials, I'll look at that
later tonight.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Oct 11 19:25:33 2006
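The check Scott Silva and Glenn Steen describe in the two replies above (Bayes learns as soon as the scanning user can open the database, but only scores once nspam and nham both reach 200), as an added shell example that is not part of any message in this thread. The function names `magic_value` and `bayes_status` and the `SAMPLE_READY` values are constructed for illustration; the other two samples reuse the output Rob Morin posted.

```shell
#!/bin/sh
# Added example: classify `sa-learn --dump magic` output as unreadable,
# still learning, or ready to score.
# Real use, as the MailScanner run-as user (postfix in this thread):
#   bayes_status "$(sa-learn --dump magic 2>&1)"

BAYES_MIN=200   # threshold quoted in the thread's debug log ("< 200")

# Output Rob posted before the bayes files were owned by postfix.
SAMPLE_DENIED='bayes: cannot open bayes databases /opt/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied'

# Output Rob posted a few minutes after fixing ownership (first rows only).
SAMPLE_LEARNING='0.000          0          3          0  non-token data: bayes db version
0.000          0         10          0  non-token data: nspam
0.000          0          1          0  non-token data: nham
0.000          0       1974          0  non-token data: ntokens'

# Constructed sample: a database past the threshold.
SAMPLE_READY='0.000          0          3          0  non-token data: bayes db version
0.000          0        250          0  non-token data: nspam
0.000          0        431          0  non-token data: nham'

# magic_value NAME < dump : print the third column of the row whose label
# after "non-token data: " is exactly NAME; exit 1 if there is no such row.
magic_value() {
    awk -v want="$1" '
        {
            i = index($0, "non-token data: ")
            if (i == 0) next
            name = substr($0, i + 16)       # 16 = length of the marker
            sub(/[ \t]+$/, "", name)
            if (name == want) { print $3; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# bayes_status DUMP_TEXT : print a one-line verdict.
# Returns 0 = scoring, 1 = learning, 2 = database unreadable, 3 = unparsable.
bayes_status() {
    dump=$1
    case $dump in
        *"tie failed"*|*"Permission denied"*)
            echo "unreadable: scanning user cannot open the bayes_path files"
            return 2 ;;
    esac
    nspam=$(printf '%s\n' "$dump" | magic_value nspam) || { echo "unparsable"; return 3; }
    nham=$(printf '%s\n' "$dump" | magic_value nham) || { echo "unparsable"; return 3; }
    if [ "$nspam" -ge "$BAYES_MIN" ] && [ "$nham" -ge "$BAYES_MIN" ]; then
        echo "scoring: nspam=$nspam nham=$nham"
        return 0
    fi
    echo "learning: nspam=$nspam/$BAYES_MIN nham=$nham/$BAYES_MIN"
    return 1
}

# Demo over the three samples; "|| true" keeps a non-zero verdict from
# aborting a caller that runs with `set -e`.
for sample in "$SAMPLE_DENIED" "$SAMPLE_LEARNING" "$SAMPLE_READY"; do
    bayes_status "$sample" || true
done
```

Run it as the same unprivileged user MailScanner uses; a root shell will read the database happily and hide the permission problem.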
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 11 19:25:36 2006
Subject: Postfix conversion
In-Reply-To: <452D14D6.4080002@whidbey.com>
References: <452CF2B2.7050606@dido.ca> <04D932B0071FE34FA63EBB1977B48D1501C13F44@woodenex.woodmaclaw.local> <223f97700610110759s6dc6131alfa427cd441c2466e@mail.gmail.com> <452D14D6.4080002@whidbey.com>
Message-ID: <223f97700610111125l2b835fat4530631f9496d38f@mail.gmail.com>

On 11/10/06, G. Armour Van Horn wrote:
> Help! For some reason my message last night hasn't gone out to the list,
> or at least it didn't get here, so this is a repeat - just a little more
> desperate.
>
> I decided to switch to Postfix and I believe I have it running, and I
> made the mods to the MailScanner.conf and the two postfix .cf files as
> per the docs on the wiki. But it doesn't look like things are working
> yet, and mail from outside is still not getting delivered.
>
> When I run "service MailScanner start" it still tries to launch two
> copies of Sendmail instead of the one copy of Postfix. I'm not sure, but
> I think this is my main problem. Is there a replacement startup script
> for MailScanner when used with Postfix?
>
> Van

Did you remember to change the MTA setting in MailScanner.conf
(http://www.mailscanner.info/MailScanner.conf.index.html#MTA)?
What version of MailScanner are we talking about?
What platform/OS/whatnot...?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Oct 11 19:41:52 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 11 19:41:55 2006 Subject: idea for next version In-Reply-To: References: <1160513361.3522@bsd4.nedport.net> <452CA5C6.4040809@solidstatelogic.com> Message-ID: <223f97700610111141p13b2a0e3jbe44461264ccfacd@mail.gmail.com> On 11/10/06, Scott Silva wrote: > Martin Hepworth spake the following on 10/11/2006 1:05 AM: > > mailscanner@berger.nl wrote: > >> Well, I am happily using mailscanner for a while now and it still > >> works great. > >> > >> So I was checking mailwatch this evening and I found out that the spam > >> / ham percentage is 60% / 40% at daytime and 95% / 5% at night. This > >> is quiet logical because at daytime everybody is working and at night > >> (well here in europe) only spammers are working. This can be used for > >> the spamfiltering. I think if it is possible to f.e. do, "spamscore * > >> 1.2" between 11:00 pm and 7:00 am, it will hit more highscoring spam > >> at night. Offcourse it will also hit ham, but as there is much less > >> ham at night the possibility is less. Then, most off the overnight ham > >> is mailinglist which are often whitelisted. > >> > >> Any ideas? > >> > >> Roger > > > > Depends, we run Tokyo->Paris->UK->New York->LA offices through our > > MailScanner......not to mention all the international email lists we're > > all on.. > > > > I tend to find spam rises around 9am EST (Eest coast US) and dies off > > when the US goes home for the night .... can't think of why that could > > be ;-) > > > Maybe because there are more computers per capita in the US. And more stupid > computer users that buy crap from spam mails. > Spam is a game of spray as much as you can and hope you hit something. The US usually don't "score that high" in a "computers per capita" competition (has something to do with a very large population _not_ having computers:-)... 
Having said that, that same rather large, moderately computer-endowed population still makes for quite a few hackable computers:-):-). (My figures *may* be a bit dated... Not the kind of trivia one needs to lug around in ones head:-) And I guess a lot of ISPs still don't block port 25 for DUL type things (Things really quited down around here in Sweden when they did:). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dnsadmin at 1bigthink.com Wed Oct 11 20:08:37 2006 
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Wed Oct 11 20:27:21 2006
Subject: idea for next version
In-Reply-To: <223f97700610111141p13b2a0e3jbe44461264ccfacd@mail.gmail.com>
References: <1160513361.3522@bsd4.nedport.net> <452CA5C6.4040809@solidstatelogic.com> <223f97700610111141p13b2a0e3jbe44461264ccfacd@mail.gmail.com>
Message-ID: <7.0.1.0.0.20061011145958.060bed40@1bigthink.com>

At 02:41 PM 10/11/2006, you wrote:
>On 11/10/06, Scott Silva wrote:
>>Martin Hepworth spake the following on 10/11/2006 1:05 AM:
>> > mailscanner@berger.nl wrote:
>> >> Well, I am happily using mailscanner for a while now and it still
>> >> works great.
>> >>
>> >> So I was checking mailwatch this evening and I found out that the spam
>> >> / ham percentage is 60% / 40% at daytime and 95% / 5% at night. This
>> >> is quite logical because at daytime everybody is working and at night
>> >> (well here in europe) only spammers are working. This can be used for
>> >> the spamfiltering. I think if it is possible to f.e. do, "spamscore *
>> >> 1.2" between 11:00 pm and 7:00 am, it will hit more highscoring spam
>> >> at night. Of course it will also hit ham, but as there is much less
>> >> ham at night the possibility is less. Then, most of the overnight ham
>> >> is mailinglist which are often whitelisted.
>> >>
>> >> Any ideas?
>> >>
>> >> Roger
>> >
>> > Depends, we run Tokyo->Paris->UK->New York->LA offices through our
>> > MailScanner......not to mention all the international email lists we're
>> > all on..
>> >
>> > I tend to find spam rises around 9am EST (East coast US) and dies off
>> > when the US goes home for the night .... can't think of why that could
>> > be ;-)
>> >
>>Maybe because there are more computers per capita in the US. And more stupid
>>computer users that buy crap from spam mails.
>>Spam is a game of spray as much as you can and hope you hit something.
>The US usually don't "score that high" in a "computers per capita"
>competition (has something to do with a very large population _not_
>having computers:-)... Having said that, that same rather large,
>moderately computer-endowed population still makes for quite a few
>hackable computers:-):-). (My figures *may* be a bit dated... Not the
>kind of trivia one needs to lug around in one's head:-)
>
>And I guess a lot of ISPs still don't block port 25 for DUL type
>things (Things really quieted down around here in Sweden when they
>did:).

There is a HUGE difference in the amount of spam recorded from, say Cox.net and Earthlink.net versus Comcast.net and Verizon.net here in the US due to port 25 authentication and blocks on outgoing port 25. Unfortunately Comcast and Verizon are huge and will dictate as they wish.. in fact they are paying millions of dollars to influence our legislators (via third-party; called lobbyists, here).

My boss has frequently had difficulty using port 25 when in hotels across the country. I've set up port 587 in sendmail to handle the slack.

From MailScanner at ecs.soton.ac.uk Wed Oct 11 19:57:49 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 11 20:49:54 2006
Subject: Virus detected: deleted store
In-Reply-To: <20061010214234.16624.qmail@web33312.mail.mud.yahoo.com>
References: <20061010214234.16624.qmail@web33312.mail.mud.yahoo.com>
Message-ID: <452D3EAD.4060501@ecs.soton.ac.uk>

Michael Mansour wrote:
> Hi,
>
> I want to auto-delete a virus detected email but still
> store it in MailWatch.
>
> Do I just do this in this file:
>
> spam.actions.rules
>
> with the following statement:
>
> Virus: *@domain.com delete store
>
You mean From: *@domain.com delete store
> ??
>
> Thanks.
>
> Michael.
>
Jules

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Oct 11 20:05:01 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 11 20:56:37 2006
Subject: LOTS of sendmail processes
In-Reply-To: <6.2.3.4.2.20061011102214.0259fab8@mail.finedaycoming.com>
References: <6.2.3.4.2.20061011102214.0259fab8@mail.finedaycoming.com>
Message-ID: <452D405D.3070503@ecs.soton.ac.uk>

Why are you doing a service sendmail restart on a box running MailScanner? That would explain why your mail is not being MailScanned, you are bypassing it.

service sendmail stop
chkconfig sendmail off
chkconfig MailScanner on
service MailScanner start

You should *never* start the sendmail service with MailScanner on the system, as MailScanner starts up sendmail in the way that it needs to, so that the messages are queued up, then MailScanned, then delivered.

service sendmail start will totally bypass this.

Andy Norris wrote:
>
> When I issue a service sendmail restart command, I get nine pids
> immediately, and it goes up from there. Way up most of the time.
>
> I have lots of email that is not being scanned by MailScanner at all,
> and it's just the last few days this has been happening.
>
> sendmail v8.12.11
> RHEL ES v3 (Taroon update 4)
> Avg load somewhere around 0.25 (goes to 0.60 and higher depending on
> time of day)
> Perl v5.8.0
> Using spamassassin v3.1.0
> This is on a machine running Ensim Pro 4.0.3-22.rhel.3ES
>
> I'm tempted a bit to "uninstall" MailScanner and SpamAssassin -- if
> that's possible -- and start all over again. I know it's got to be
> something that was duplicated somewhere... my fault, of course.
>
> Thanks,
>
> Andy
>
Jules

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Oct 11 19:55:57 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 11 20:56:39 2006
Subject: idea for next version
In-Reply-To: <1160513361.3522@bsd4.nedport.net>
References: <1160513361.3522@bsd4.nedport.net>
Message-ID: <452D3E3D.3050606@ecs.soton.ac.uk>

You could do this with a simple Custom Function that adjusted the Required SpamAssassin Score depending on the hour of the day.

Pay me, and I'll write it for you. Sorry, but I have to charge for my time writing custom code for people, I've got bills to pay like everyone else :-(

Otherwise it shouldn't take long to work out the hour number and look that up in an array, so you can specify a different threshold for each hour of the day.

mailscanner@berger.nl wrote:
> Well, I am happily using mailscanner for a while now and it still works great.
>
> So I was checking mailwatch this evening and I found out that the spam / ham percentage is 60% / 40% at daytime and 95% / 5% at night. This is quite logical because at daytime everybody is working and at night (well here in europe) only spammers are working. This can be used for the spamfiltering. I think if it is possible to f.e. do, "spamscore * 1.2" between 11:00 pm and 7:00 am, it will hit more highscoring spam at night. Of course it will also hit ham, but as there is much less ham at night the possibility is less. Then, most of the overnight ham is mailinglist which are often whitelisted.
>
> Any ideas?
>
> Roger
>
Jules

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From paul at welshfamily.com Wed Oct 11 22:15:19 2006
From: paul at welshfamily.com (Paul Welsh)
Date: Wed Oct 11 22:15:33 2006
Subject: Whitelisting
In-Reply-To: <2BD3058086A2A44896622E7CB3720BC2AFBB70@DRIFTWOOD.corporate.paccoast.com>
Message-ID: <200610112115.k9BLFWYF031987@bkserver.blacknight.ie>

I made some changes to the mailscanner.conf yesterday in order to help me establish why more spam is getting through.

I discovered that because my spam.whitelist.rules file contains domains hosted on my server, spam from spoofed addresses that use one of my server's domains are getting through so I've stopped MailScanner checking the spam.whitelist.rules file.

I can see why this might lead to problems (if my customers send a message that gets wrongly tagged as spam).

What are others doing?

From arturs at netvision.net.il Wed Oct 11 21:59:11 2006
From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Oct 11 22:19:52 2006 Subject: OT: SA -d --lint says 'dns: is DNS available? 0' Message-ID: <018c01c6ed78$1a63e2d0$3701a8c0@lapxp> Hi, When I run 'spamassassin -D --lint' I get 'dbg: dns: is DNS available? 0' Prefs file has a setting: 'dns_available test: 192.115.106.35 194.90.1.5 62.219.186.7 212.143.212.143' The version is 3.1.6 Anyone has met this before? If so how to deal with it? Dns servers work fine for me. Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam From vanhorn at whidbey.com Wed Oct 11 21:16:35 2006 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Wed Oct 11 22:24:46 2006 Subject: Postfix conversion In-Reply-To: <223f97700610111125l2b835fat4530631f9496d38f@mail.gmail.com> References: <452CF2B2.7050606@dido.ca> <04D932B0071FE34FA63EBB1977B48D1501C13F44@woodenex.woodmaclaw.local> <223f97700610110759s6dc6131alfa427cd441c2466e@mail.gmail.com> <452D14D6.4080002@whidbey.com> <223f97700610111125l2b835fat4530631f9496d38f@mail.gmail.com> Message-ID: <452D5123.7060406@whidbey.com> Thanks! The docs I was using didn't included that, although I see on closer reading that the ones on the wiki do. Also, I had changed the queue directories from the sendmail defaults to the correct postfix ones, but somehow managed to exit MailScanner.conf without saving those. Those two things make for a lot more activity in the log! Van Glenn Steen wrote: > On 11/10/06, G. Armour Van Horn wrote: > >> Help! For some reason my message last night hasn't gone out to the list, >> or at least it didn't get here, so this is a repeat - just a little more >> desparate. >> >> I decided to switch to Postfix and I believe I have it running, and I >> made the mods to the MailScanner.conf and the two postfix .cf files as >> per the docs on the wiki. But it doesn't look like things are working >> yet, and mail from outside is still not getting delivered. >> >> When I run "service MailScanner start" it still tries to launch two >> copies of Sendmail instead of the one copy of Postfix. I'm not sure, but >> I think this is my main problem. Is there a replacement startup script >> for MailScanner when used with Postfix? >> >> Van > > > Did you remember to change the MTA setting in MailScanner.conf > (http://www.mailscanner.info/MailScanner.conf.index.html#MTA)? > > What version of MailScanner are we talking about? What > platform/OS/whatnot...? > -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. 
Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ----------------------------------------------------------- From andy at tireswing.net Wed Oct 11 22:40:38 2006 
From: andy at tireswing.net (Andy Norris)
Date: Wed Oct 11 22:41:59 2006
Subject: LOTS of sendmail processes
In-Reply-To: <452D405D.3070503@ecs.soton.ac.uk>
References: <6.2.3.4.2.20061011102214.0259fab8@mail.finedaycoming.com> <452D405D.3070503@ecs.soton.ac.uk>
Message-ID: <6.2.3.4.2.20061011163803.02400648@mail.tireswing.net>

Thanks Julian.

The mail was not going through at all. For an hour it was pooling up in the queue, and status for MailScanner was OK.

I'm on a box running Ensim, so I've got layers of complexity here, and it's not always clear what services / modules Ensim loads.

Thanks for your continued help.

Andy

At 02:05 pm 2006-10-11, you wrote:
>Why are you doing a service sendmail restart on a box running
>MailScanner? That would explain why your mail is not being MailScanned,
>you are bypassing it.
>service sendmail stop
>chkconfig sendmail off
>chkconfig MailScanner on
>service MailScanner start
>
>You should *never* start the sendmail service with MailScanner on the
>system, as MailScanner starts up sendmail in the way that it needs to,
>so that the messages are queued up, then MailScanned, then delivered.
>
>service sendmail start will totally bypass this.
>
>Andy Norris wrote:
> >
> > When I issue a service sendmail restart command, I get nine pids
> > immediately, and it goes up from there. Way up most of the time.
> >
> > I have lots of email that is not being scanned by MailScanner at all,
> > and it's just the last few days this has been happening.
> >
> > sendmail v8.12.11
> > RHEL ES v3 (Taroon update 4)
> > Avg load somewhere around 0.25 (goes to 0.60 and higher depending on
> > time of day)
> > Perl v5.8.0
> > Using spamassassin v3.1.0
> > This is on a machine running Ensim Pro 4.0.3-22.rhel.3ES
> >
> > I'm tempted a bit to "uninstall" MailScanner and SpamAssassin -- if
> > that's possible -- and start all over again. I know it's got to be
> > something that was duplicated somewhere... my fault, of course.
> >
> > Thanks,
> >
> > Andy
> >
>
>Jules
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>MailScanner customisation, or any advanced system administration help?
>Contact me at Jules@Jules.FM
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>For all your IT requirements visit www.transtec.co.uk

From ssilva at sgvwater.com Wed Oct 11 22:43:25 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 11 22:47:10 2006 Subject: Whitelisting In-Reply-To: <200610112115.k9BLFWYF031987@bkserver.blacknight.ie> References: <2BD3058086A2A44896622E7CB3720BC2AFBB70@DRIFTWOOD.corporate.paccoast.com> <200610112115.k9BLFWYF031987@bkserver.blacknight.ie> Message-ID: Paul Welsh spake the following on 10/11/2006 2:15 PM: > I made some changes to the mailscanner.conf yesterday in order to help me > establish why more spam is getting through. > > I discovered that because my spam.whitelist.rules file contains domains > hosted on my server, spam from spoofed addresses that use one of my server's > domains are getting through so I've stopped MailScanner checking the > spam.whitelist.rules file. > > I can see why this might lead to problems (if my customers send a message > that gets wrongly tagged as spam). > > What are others doing? > Use the IP address(es) of your server. That is much harder to spoof. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mkettler at evi-inc.com Wed Oct 11 22:49:52 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Oct 11 22:50:17 2006 Subject: OT: SA -d --lint says 'dns: is DNS available? 0' In-Reply-To: <018c01c6ed78$1a63e2d0$3701a8c0@lapxp> References: <018c01c6ed78$1a63e2d0$3701a8c0@lapxp> Message-ID: <452D6700.8070908@evi-inc.com> Arthur Sherman wrote: > Hi, > > When I run 'spamassassin -D --lint' I get 'dbg: dns: is DNS available? 0' > > Prefs file has a setting: 'dns_available test: 192.115.106.35 194.90.1.5 > 62.219.186.7 212.143.212.143' > > The version is 3.1.6 In SA 3.1.6 and higher the network tests are enabled when you're running --lint, as they aren't relevant. The purpose of lint is to check your config files, not your network connectivity. From andy at tireswing.net Wed Oct 11 22:51:38 2006 
From: andy at tireswing.net (Andy Norris)
Date: Wed Oct 11 22:53:56 2006
Subject: LOTS of sendmail processes
In-Reply-To: <452D405D.3070503@ecs.soton.ac.uk>
References: <6.2.3.4.2.20061011102214.0259fab8@mail.finedaycoming.com> <452D405D.3070503@ecs.soton.ac.uk>
Message-ID: <6.2.3.4.2.20061011164752.021b4d48@mail.tireswing.net>

Well, I apologize if I'm bothering this list with my problem. It looks like I need to look for help with MailScanner on an Ensim box, as when I stop sendmail, I cannot send email from my mail client through the server. The SMTP connection is not happening when I stop the sendmail service.

Does anyone else on this list successfully run MailScanner on a box running Ensim?

Thanks,

Andy

At 02:05 pm 2006-10-11, Julian Field wrote:
>Why are you doing a service sendmail restart on a box running
>MailScanner? That would explain why your mail is not being MailScanned,
>you are bypassing it.
>service sendmail stop
>chkconfig sendmail off
>chkconfig MailScanner on
>service MailScanner start
>
>You should *never* start the sendmail service with MailScanner on the
>system, as MailScanner starts up sendmail in the way that it needs to,
>so that the messages are queued up, then MailScanned, then delivered.
>
>service sendmail start will totally bypass this.
>
>Andy Norris wrote:
> >
> > When I issue a service sendmail restart command, I get nine pids
> > immediately, and it goes up from there. Way up most of the time.
> >
> > I have lots of email that is not being scanned by MailScanner at all,
> > and it's just the last few days this has been happening.
> >
> > sendmail v8.12.11
> > RHEL ES v3 (Taroon update 4)
> > Avg load somewhere around 0.25 (goes to 0.60 and higher depending on
> > time of day)
> > Perl v5.8.0
> > Using spamassassin v3.1.0
> > This is on a machine running Ensim Pro 4.0.3-22.rhel.3ES
> >
> > I'm tempted a bit to "uninstall" MailScanner and SpamAssassin -- if
> > that's possible -- and start all over again. I know it's got to be
> > something that was duplicated somewhere... my fault, of course.
> >
> > Thanks,
> >
> > Andy
> >
>
>Jules
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>MailScanner customisation, or any advanced system administration help?
>Contact me at Jules@Jules.FM
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>For all your IT requirements visit www.transtec.co.uk

From steve.swaney at fsl.com Wed Oct 11 23:24:13 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Wed Oct 11 23:24:22 2006
Subject: OT: SA -d --lint says 'dns: is DNS available? 0'
In-Reply-To: <452D6700.8070908@evi-inc.com>
Message-ID: <0b1e01c6ed83$fb557be0$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Matt Kettler > Sent: Wednesday, October 11, 2006 5:50 PM > To: MailScanner discussion > Subject: Re: OT: SA -d --lint says 'dns: is DNS available? 0' > > Arthur Sherman wrote: > > Hi, > > > > When I run 'spamassassin -D --lint' I get 'dbg: dns: is DNS available? > 0' > > > > Prefs file has a setting: 'dns_available test: 192.115.106.35 194.90.1.5 > > 62.219.186.7 212.143.212.143' > > > > The version is 3.1.6 > > In SA 3.1.6 and higher the network tests are enabled when you're running - > -lint, > as they aren't relevant. The purpose of lint is to check your config > files, not > your network connectivity. > > Did you mean? In SA 3.1.6 and higher the network tests are >NOT< enabled when you're running --lint, as they aren't relevant. The purpose of lint is to check your config files, not your network connectivity. Which would explain why I was going crazy today trying to find out why only the local checks (spamassassin -L) were running ! Still would be nice to have a flag to enable network checks when you need to. spamassassin -N --lint :) Thanks for the info. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From arturs at netvision.net.il Wed Oct 11 23:31:16 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Oct 11 23:33:16 2006 Subject: OT: SA -d --lint says 'dns: is DNS available? 0' In-Reply-To: <452D6700.8070908@evi-inc.com> Message-ID: <019001c6ed84$f83c5f90$3701a8c0@lapxp> Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Matt Kettler
> Sent: Wednesday, October 11, 2006 11:50 PM
> To: MailScanner discussion
> Subject: Re: OT: SA -d --lint says 'dns: is DNS available? 0'
>
> Arthur Sherman wrote:
> > Hi,
> >
> > When I run 'spamassassin -D --lint' I get 'dbg: dns: is DNS
> available? 0'
> >
> > Prefs file has a setting: 'dns_available test:
> 192.115.106.35 194.90.1.5
> > 62.219.186.7 212.143.212.143'
> >
> > The version is 3.1.6
>
> In SA 3.1.6 and higher the network tests are enabled when
> you're running --lint,
> as they aren't relevant. The purpose of lint is to check your
> config files, not
> your network connectivity.
>

From mkettler at evi-inc.com Wed Oct 11 23:38:15 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Oct 11 23:38:32 2006 Subject: OT: SA -d --lint says 'dns: is DNS available? 0' In-Reply-To: <0b1e01c6ed83$fb557be0$287ba8c0@office.fsl> References: <0b1e01c6ed83$fb557be0$287ba8c0@office.fsl> Message-ID: <452D7257.7010104@evi-inc.com> Stephen Swaney wrote: > Did you mean? > > In SA 3.1.6 and higher the network tests are >NOT< enabled when you're > running --lint, as they aren't relevant. The purpose of lint is to check > your config files, not your network connectivity. > > Which would explain why I was going crazy today trying to find out why only > the local checks (spamassassin -L) were running ! > > Still would be nice to have a flag to enable network checks when you need > to. > > spamassassin -N --lint :) Why? enabling network checks on the --lint is pointless, the headers of the dummy lint message are not complete enough to be a useful test. For example, the message used by lint doesn't even have *ANY* Received: headers, so no RBL tests will even try to run. If SA supported -N --lint you'd just be fooling yourself into thinking you're testing something that's enabled, but not really being tested in any useful way. I suggest not using lint for this purpose at all, and instead use a message file and redirect it into SA. ie: spamassassin Message-ID: <0b2601c6ed8a$074b6850$287ba8c0@office.fsl> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Matt Kettler > Sent: Wednesday, October 11, 2006 6:38 PM > To: MailScanner discussion > Subject: Re: OT: SA -d --lint says 'dns: is DNS available? 0' > > Stephen Swaney wrote: > > > Did you mean? > > > > In SA 3.1.6 and higher the network tests are >NOT< enabled when you're > > running --lint, as they aren't relevant. The purpose of lint is to check > > your config files, not your network connectivity. > > > > Which would explain why I was going crazy today trying to find out why > only > > the local checks (spamassassin -L) were running ! > > > > Still would be nice to have a flag to enable network checks when you > need > > to. > > > > spamassassin -N --lint :) > > > Why? enabling network checks on the --lint is pointless, the headers of > the > dummy lint message are not complete enough to be a useful test. > > For example, the message used by lint doesn't even have *ANY* Received: > headers, > so no RBL tests will even try to run. If SA supported -N --lint you'd just > be > fooling yourself into thinking you're testing something that's enabled, > but not > really being tested in any useful way. > > I suggest not using lint for this purpose at all, and instead use a > message file > and redirect it into SA. ie: spamassassin Actually it did show whether Pyzor, Razor, DCC were working or timing out but your suggestion should do the same thing. Thanks, Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From arturs at netvision.net.il Thu Oct 12 01:02:27 2006 
From: arturs at netvision.net.il (Arthur Sherman) Date: Thu Oct 12 01:04:28 2006 Subject: Double sendmail processes In-Reply-To: <223f97700610110748q6e0c08a7u250b58cdba679103@mail.gmail.com> Message-ID: <01a101c6ed91$b6a89460$3701a8c0@lapxp> Oh, I see. Grepping through /etc/rc.* provided nothing. I continue to investigate this issue - will post here if I find anything. Thanks again! Best, -- Arthur Sherman +972-52-4878851 CPTeam > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Glenn Steen > Sent: Wednesday, October 11, 2006 4:49 PM > To: MailScanner discussion > Subject: Re: Double sendmail processes > > On 11/10/06, Arthur Sherman wrote: > > Bingo! > > Sad to be dampening your enthusiasm Arther.... Look below. > > > > Output shows: > > [root@ns1 log]# ls -l /etc/rc?.d/*|grep -i mail > > lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc0.d/K30sendmail -> > > ../init.d/sendmail > > lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc1.d/K30sendmail -> > > ../init.d/sendmail > > lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc2.d/S80sendmail -> > > ../init.d/sendmail > > lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc3.d/S80sendmail -> > > ../init.d/sendmail > > lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc4.d/S80sendmail -> > > ../init.d/sendmail > > lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc5.d/S80sendmail -> > > ../init.d/sendmail > > lrwxrwxrwx 1 root root 18 May 25 23:10 /etc/rc6.d/K30sendmail -> > > ../init.d/sendmail > > > > Shall I remove them? > > > No, that would not be that great:-). Those look quite normal to me, > and removing them would make them not "respond correctly" to runleve > changes... What I was hoping for would've been more of the form: > lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc5.d/S80sendmail -> > ../init.d/sendmail > lrwxrwxrwx 1 root root 18 Oct 10 02:56 /etc/rc5.d/S85sendmail -> > ../init.d/sendmail > ... That is, more than one symlink to the same script. No > luck with that:-(. > What you have above shouldn't be touched manually (you manage > it via chkconfig). > > A "tangenting idea" is that you should look through the other bootup > rc-scripts, like /etc/rc.local (grep through /etc/rc.* for sendmail > perhaps). > Since the "doubles" happen upon reboot, it kind of must be something > related to those:-). ... Or perhaps some opportunistic cron-job? Not > that likely... 
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From febrianto at sioenasia.com Thu Oct 12 04:08:52 2006
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Thu Oct 12 04:04:29 2006
Subject: OT: Mail::SpamAssassin::Plugin::ReplaceTags
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C13F40@woodenex.woodmaclaw.local>
Message-ID:

mailscanner-bounces@lists.mailscanner.info wrote on 10/11/2006 08:33:50 PM:

> In my lint test it takes 1.62 seconds for the line of:
>
> [20030] dbg: plugin:
> Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xade3c24) implements
> 'finish_parsing_end'
>
> Do you use this plugin? I do not recall enabling it manually so seems
> to be on by default. I looked up what it does and searched the web
> site:
> http://wiki.apache.org/spamassassin/ReplaceTags
>
> Could only come up with descriptions and such.
>
> Thank you
>
>
>
> Billy Pumphrey
> IT Manager
> Wooden & McLaughlin
>
>
> --

I have a similar problem. In my lint test there are 2 tests that take more than 1 second. They are:

[4938] dbg: diag: perl platform: 5.008005 linux 1.04575
[4938] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xb0ba6d8) implements 'finish_parsing_end' 2.64879

But I run MailScanner in Celeron 2.66 processor with 512 MB Ram, maybe that's the problem :). But my emails are less than 10k /day.

Best Regards

From martinh at solidstatelogic.com Thu Oct 12 09:08:00 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Oct 12 09:08:19 2006 Subject: Sophos/MailScanner In-Reply-To: <011201c6ed56$046dc170$9908a8c0@syntricity.com> References: <011201c6ed56$046dc170$9908a8c0@syntricity.com> Message-ID: <452DF7E0.5040706@solidstatelogic.com> Lisa Wu wrote: > Lisa Wu wrote: > >>> Once in a while the server will fail to download its updates from Sophos. >>> (The cause being that our T1 line went down). Then the mail log starts >>> posting MailScanner error messages every 10 seconds until a successful >>> update occurs: >>> >>> Sep 6 14:06:50 mail MailScanner[30864]: None of the files matched by the >>> "Monitors For Sophos Updates" patterns exist! >>> >>> Because of this error the queue starts placing all messages on hold. > > Martin Hepworth wrote: > >> Lisa >> >> how are you updating the virus defs for Sophos? > > > Martin, > > There is a cron job that runs the Sophos update script running once every > hour. > > Thanks, > Lisa > > Lisa Can you give a bit more info. Which cron job? is should be update_virus_scanners which will do all the scanners you've defined in MailScanner.conf. This script is reasonbly failure proof as it downloads the updates into a separate folder and only on success does it move the 'new' to 'live' folders as it were. Also i presume your using the MailScanner Sophos.Install script to install your Sophos as well..?? AS mailScanner expects Sophos V4 to be in a non-default Sophos Directory. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From support-lists at petdoctors.co.uk Thu Oct 12 13:38:00 2006 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Oct 12 13:38:40 2006 Subject: spam forwarding not working In-Reply-To: <4AE9EE8E-CF87-4234-9E73-3819AC1C6B90@technologytiger.net> Message-ID: <008901c6edfb$40cd2c00$0202fea9@support01> > >In this instance i would suggest you need to forward the spam to spam@.[snipped] which makes it local. Make sure you have listed your host name in >main.cf under myhostname and list $myhostname under mydestination. If you have multiple servers using a central database (Such as MySQL) you can play >other tricks using NFS mounts and localhost but that's for another 'lesson' :-) > >Drew Hi Drew, I did already think of that, but when I tried it I got pretty much the same type of error - I'll revisit this and see whether the name's in mydestination though. Nigel From colin at mainline.co.uk Thu Oct 12 14:11:37 2006 From: colin at mainline.co.uk (Colin Jack) Date: Thu Oct 12 14:10:49 2006 Subject: Whitelist rules Message-ID: Please could someone give me a pointer I want to allow all mail for particular domain through without being scanned. Am I right in saying that I cannot use wildcards in the spam.whitelist.rules like FromOrTo: *@domain.com yes If so, how do I do it? Many thanks Colin From Mailscanner at mailing.kaufland-informationssysteme.com Thu Oct 12 14:19:04 2006 
From: Mailscanner at mailing.kaufland-informationssysteme.com (Matthias Sutter) Date: Thu Oct 12 14:19:06 2006 Subject: Exim with Mailscanner and retry problem Message-ID: <452E40C8.6000007@mailing.kaufland-informationssysteme.com> Hello, I use Mailscanner with Exim and now we get some problems with graylisting. Is it correct that the Mailscanner start the exim outgouing deamon? Because I set in the initscritp / sysconfig /Mailscaner the option -q10m but we do not see an retry attemp ... Can sombody help me how give teh exim the retry option ? Thanks a lot Matthias Sutter From joost at waversveld.nl Thu Oct 12 15:06:45 2006 From: joost at waversveld.nl (Joost Waversveld) Date: Thu Oct 12 15:07:06 2006 Subject: Whitelist rules In-Reply-To: References: Message-ID: <452E4BF5.20007@waversveld.nl> No, you're wrong... ;-) You can use wildcards just the way you said. Keep in mind that the mail will get scanned, but will be delivered as normal, regardless of the score the message get. Regards, Joost Waversveld Colin Jack wrote: > Please could someone give me a pointer > > I want to allow all mail for particular domain through without being > scanned. > Am I right in saying that I cannot use wildcards in the > spam.whitelist.rules like > > FromOrTo: *@domain.com yes > > If so, how do I do it? > > Many thanks > > Colin > From martinh at solidstatelogic.com Thu Oct 12 15:05:49 2006 
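The whitelisting messages above describe a spam.whitelist.rules entry for a locally hosted domain that also matches spam forging that domain, the advice to whitelist the server's IP address instead, and the wildcard form `FromOrTo: *@domain.com yes`. The sketch below is an added example, not MailScanner code and not something posted by a list member; it models ruleset matching under stated assumptions (first match wins, a reduced rule syntax) and uses constructed documentation addresses and hypothetical function names.

```python
# Simplified model of a MailScanner-style whitelist ruleset (illustration only).
# Assumed semantics: first matching rule wins; an address pattern is compared
# with the envelope sender/recipient, an IP pattern with the SMTP client.
import fnmatch
import ipaddress
from collections import namedtuple

# client_ip: host that connected to our MTA; sender: envelope sender, which
# the connecting host sets to whatever it likes.
Message = namedtuple("Message", "client_ip sender recipient")
# direction: "from", "to" or "fromorto"; value: "yes" or "no".
Rule = namedtuple("Rule", "direction pattern value")


def is_ip_pattern(pattern):
    try:
        ipaddress.ip_network(pattern, strict=False)  # single address or CIDR
        return True
    except ValueError:
        return False


def parse_ruleset(text):
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split()
        pattern = pattern.lower()
        # Assumption of this model: a bare domain means any address in it.
        if pattern != "default" and "@" not in pattern and not is_ip_pattern(pattern):
            pattern = "*@" + pattern
        rules.append(Rule(direction.rstrip(":").lower(), pattern, value.lower()))
    return rules


def rule_matches(rule, msg):
    if rule.pattern == "default":
        return True
    if is_ip_pattern(rule.pattern):
        # An IP pattern describes where the connection came from.
        if rule.direction == "to":
            return False
        network = ipaddress.ip_network(rule.pattern, strict=False)
        return ipaddress.ip_address(msg.client_ip) in network
    addresses = []
    if rule.direction in ("from", "fromorto"):
        addresses.append(msg.sender.lower())
    if rule.direction in ("to", "fromorto"):
        addresses.append(msg.recipient.lower())
    return any(fnmatch.fnmatchcase(a, rule.pattern) for a in addresses)


def is_whitelisted(rules, msg):
    """Value of the first matching rule; no match means not whitelisted."""
    for rule in rules:
        if rule_matches(rule, msg):
            return rule.value == "yes"
    return False


def spoofable_rules(rules, hosted_domains):
    """Whitelist rules that trust a sender address in a domain we host."""
    flagged = []
    for rule in rules:
        if (rule.value != "yes" or rule.direction == "to"
                or rule.pattern == "default" or is_ip_pattern(rule.pattern)):
            continue
        domain = rule.pattern.rsplit("@", 1)[-1]
        if any(fnmatch.fnmatchcase(d.lower(), domain) for d in hosted_domains):
            flagged.append(rule)
    return flagged


# Constructed sample data (documentation addresses and domains only).
HOSTED_DOMAINS = ["example.com", "example.net"]
DOMAIN_RULES = parse_ruleset("""
From:      *@example.com   yes   # hosted domain whitelisted by name
FromOrTo:  *@example.net   yes   # wildcard form from the later question
FromOrTo:  default         no
""")
IP_RULES = parse_ruleset("""
From:      192.0.2.10      yes   # the server's own address
FromOrTo:  default         no
""")
GENUINE = Message("192.0.2.10", "customer@example.com", "friend@example.org")
SPOOFED = Message("203.0.113.77", "customer@example.com", "staff@example.com")

if __name__ == "__main__":
    for name, rules in (("domain rules", DOMAIN_RULES), ("IP rules", IP_RULES)):
        print(name, "genuine:", is_whitelisted(rules, GENUINE),
              "spoofed:", is_whitelisted(rules, SPOOFED))
    for rule in spoofable_rules(DOMAIN_RULES, HOSTED_DOMAINS):
        print("review:", rule.direction, rule.pattern)
```

Running `spoofable_rules` over a real ruleset with the list of hosted domains gives a quick review list of entries that a forged sender address can satisfy.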
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Oct 12 15:07:25 2006 Subject: Exim with Mailscanner and retry problem In-Reply-To: <452E40C8.6000007@mailing.kaufland-informationssysteme.com> References: <452E40C8.6000007@mailing.kaufland-informationssysteme.com> Message-ID: <452E4BBD.7070500@solidstatelogic.com> Matthias Sutter wrote: > Hello, > > I use Mailscanner with Exim and now we get some problems with graylisting. > Is it correct that the Mailscanner start the exim outgouing deamon? > Because I set in the initscritp / sysconfig /Mailscaner the option -q10m > but we do not see an retry attemp ... > > Can sombody help me how give teh exim the retry option ? > > Thanks a lot > > Matthias Sutter > > > Matthias Depends on how you installed MailScanner, from the rpm, the tarball???? Normally editting the MTA startup script is up to you I think?? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From bpumphrey at woodmclaw.com Thu Oct 12 15:29:25 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Oct 12 15:29:44 2006 Subject: OT: Mail::SpamAssassin::Plugin::ReplaceTags In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F4A@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Budi Febrianto > Sent: Wednesday, October 11, 2006 11:09 PM > To: MailScanner discussion > Subject: Re: OT: Mail::SpamAssassin::Plugin::ReplaceTags > > > > mailscanner-bounces@lists.mailscanner.info wrote on 10/11/2006 08:33:50 > PM: > > > In my lint test it takes 1.62 seconds for the line of: > > > > [20030] dbg: plugin: > > Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xade3c24) implements > > 'finish_parsing_end' > > > > Do you use this plugin? I do not recall enabling it manually so seems > > to be on by default. I looked up what it does and searched the web > > site: > > http://wiki.apache.org/spamassassin/ReplaceTags > > > > Could only come up with descriptions and such. > > > > Thank you > > > > > > > > Billy Pumphrey > > IT Manager > > Wooden & McLaughlin > > > > > > -- > > I have similiar problem. In my lint test they are 2 test that take more > than 1 second. They are: > [4938] dbg: diag: perl platform: 5.008005 linux > 1.04575 > [4938] dbg: plugin: > Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xb0ba6d8) > implements 'finish_parsing_end' 2.64879 > > But I run MailScanner in Celeron 2.66 processor with 512 MB Ram, maybe > that > the problem :). But my emails are less than 10k /day. > > Best Regards > > -- Here is the time on the other one you mentioned for me: [21790] dbg: diag: perl platform: 5.008005 linux 0.23816 I have a dual Xeon 2.8, 2gig RAM machine. My load is only about 5,000 or less per day. That increase because I scan outgoing mail too. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From colin at mainline.co.uk Thu Oct 12 18:44:47 2006 
From: colin at mainline.co.uk (Colin Jack) Date: Thu Oct 12 18:44:07 2006 Subject: Whitelist rules Message-ID: Thanks ... well that makes life easier :) They are particularly keen that their mail shouldn't be {disarmed} ... will this work this way? Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Joost Waversveld > Sent: Thursday, October 12, 2006 3:07 PM > To: MailScanner discussion > Subject: Re: Whitelist rules > > No, you're wrong... ;-) You can use wildcards just the way you said. > > Keep in mind that the mail will get scanned, but will be > delivered as normal, regardless of the score the message get. > > Regards, > > Joost Waversveld > > Colin Jack wrote: > > Please could someone give me a pointer > > > > I want to allow all mail for particular domain through > without being > > scanned. > > Am I right in saying that I cannot use wildcards in the > > spam.whitelist.rules like > > > > FromOrTo: *@domain.com yes > > > > If so, how do I do it? > > > > Many thanks > > > > Colin > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From mikea at mikea.ath.cx Thu Oct 12 19:52:53 2006 From: mikea at mikea.ath.cx (mikea) Date: Thu Oct 12 19:52:58 2006 Subject: Whitelist rules In-Reply-To: ; from colin@mainline.co.uk on Thu, Oct 12, 2006 at 06:44:47PM +0100 References: Message-ID: <20061012135253.B16530@mikea.ath.cx> On Thu, Oct 12, 2006 at 06:44:47PM +0100, Colin Jack wrote: > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Joost Waversveld > > Sent: Thursday, October 12, 2006 3:07 PM > > To: MailScanner discussion > > Subject: Re: Whitelist rules > > > > No, you're wrong... ;-) You can use wildcards just the way you said. > > > > Keep in mind that the mail will get scanned, but will be > > delivered as normal, regardless of the score the message get. > > > > Regards, > > > > Joost Waversveld > > > > Colin Jack wrote: > > > Please could someone give me a pointer > > > > > > I want to allow all mail for particular domain through > > without being > > > scanned. > > > Am I right in saying that I cannot use wildcards in the > > > spam.whitelist.rules like > > > > > > FromOrTo: *@domain.com yes > > > > > > If so, how do I do it? > > > > > > Many thanks > > > > > > Colin > Thanks ... well that makes life easier :) > > They are particularly keen that their mail shouldn't be {disarmed} ... > will this work this way? That's what I see here: whitelisted mail gets scanned, but there are no changes made to the mail, possibly excepting an additional header. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From itdept at fractalweb.com Thu Oct 12 20:04:16 2006 From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Oct 12 20:15:33 2006 Subject: spam getting through without even being checked Message-ID: <452E91B0.7090205@fractalweb.com> Hi Everyone, We're now having a problem where (blatant!) spam is getting through our server, apparently without even being checked by MailScanner. Our custom headers haven't been added and this is VERY spammy. That said, a lot of spam is being blocked by MailScanner. I'm not sure how to troubleshoot this. Help! Thanks, Chris From Denis.Beauchemin at USherbrooke.ca Thu Oct 12 20:16:18 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Oct 12 20:19:07 2006
Subject: OT: Preferred MTA?
Message-ID: <452E9482.6050307@USherbrooke.ca>

Hello all,

I have been asked to evaluate what would be needed to turn our internal
mail hubs into secured ones. Since I always had trouble with sendmail's
documentation, I was thinking about switching to another MTA.

We currently use many sendmail features such as greet_pause,
conncontrol, ratecontrol and milter-greylist. We have multiple domains
and use LDAP for final delivery address resolution. And of course, MS
must blend just fine with the MTA.

What other MTA would give me those features with less headaches whenever
I need to change things? Exim? Postfix? others?

I couldn't find a greylisting for Exim that shares its state table
between multiple MX... but I think PF could use my existing
milter-greylist as is...

As for ease of configuration and quality of documentation, which do you
recommend?

Do you recommend using a HW load balancer (and SSL accelerator) in front
of my servers? How about Cisco's?

Thanks!

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061012/c82667dc/smime.bin

From dstraka at caspercollege.edu Thu Oct 12 20:32:07 2006
From: dstraka at caspercollege.edu (Daniel Straka) Date: Thu Oct 12 20:32:49 2006 Subject: MS/SA Installed - How is it working? References: <452E91B0.7090205@fractalweb.com> Message-ID: <452E43D7.61A4.0000.0@caspercollege.edu> This kind of goes along with Chris Yuzik's post "spam getting through without even being checked" (see below). So I've got MS running with SA. It seems to be doing OK, but how do I know? Yes, I bought the book. I would like to know... How to tell if MS is running well? How to tell if SA running well? What maintenance is required? When should I tweak MS? When should I tweak SA? What are essential SA tweaks? How do I tweak SA? How about a MS/SA crash course (tips) from the experts? >>> Chris Yuzik 10/12/2006 1:04 PM >>> Hi Everyone, We're now having a problem where (blatant!) spam is getting through our server, apparently without even being checked by MailScanner. Our custom headers haven't been added and this is VERY spammy. That said, a lot of spam is being blocked by MailScanner. I'm not sure how to troubleshoot this. Help! Thanks, Chris -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner at caspercollege.edu and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner at caspercollege.edu and is believed to be clean. From bpumphrey at woodmclaw.com Thu Oct 12 20:44:52 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Oct 12 20:45:06 2006 Subject: MS/SA Installed - How is it working? In-Reply-To: <452E43D7.61A4.0000.0@caspercollege.edu> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13F54@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Daniel Straka > Sent: Thursday, October 12, 2006 3:32 PM > To: mailscanner@lists.mailscanner.info > Subject: MS/SA Installed - How is it working? > > This kind of goes along with Chris Yuzik's post "spam getting through > without even being checked" (see below). > > So I've got MS running with SA. It seems to be doing OK, but how do I > know? > Yes, I bought the book. > I would like to know... > How to tell if MS is running well? The main goal is to stop viruses and spam. Use mailwatch to monitor it to see how many are getting blocked and are not getting blocked. If it is not satisfactory, use more rules and stuff. > How to tell if SA running well? Same answer as above. Lint tests show if any errors are there. > What maintenance is required? You can let it sit there if you want. Recommended to update what ever you have on it. Some things update automatically. Update MailScanner itself, spamassassin <--it has a auto update now too but not sure what all it does, update your virus scanner programs themselves - virus definitions update automatically > When should I tweak MS? All the time if you ask me, but you can leave it sat until the spam starts getting through or you just want to change the behavior. > When should I tweak SA? To add more rules or updates > What are essential SA tweaks? Rules. Decide whether to use pyzor, dcc -- more on the wiki > How do I tweak SA? Conf files. There are read me for the installs somewhere, either in MailScanner or Spamassassin read me's. > How about a MS/SA crash course (tips) from the experts? > That is a lot of information. Hopefully you will get some good feedback. I do not think that you will find the answer to all of those questions as they are talked about all of the time. I will try and answer some of it specifically probably tomorrow but until then... 
Make sure that you do some reading also instead of relying on everyone to answer it all. Make sure you go through the WIKI if you have not already: http://wiki.mailscanner.info/doku.php Stay subscribed to this list and you will learn a lot about those questions. If you have the book, it tells you a lot. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin_Miller at ci.juneau.ak.us Thu Oct 12 20:47:14 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Oct 12 20:47:19 2006
Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned}
In-Reply-To: <223f97700610050049m4ada99aeh9fc3db5ad3eaf78@mail.gmail.com>
Message-ID:

Glenn Steen wrote:
> On 04/10/06, Scott Silva wrote:
> (snip)
>> Never mind ... I actually RTFM. Will try to remember to do so in the
>> future.
> ... Amazing what that can reveal, eh?:-).
>
>> Replying to myself ... Hmmmm... Must be running postfix somewhere.
>> Oh yeah... Now I remember ...
> Always knew you were a closet PF user...:-D.
>
> Somewhat back on track: I thought I'd need both ImageInfo and
> FuzzyOcr... But when I implemented ImageInfo (I like to change things
> (that work:) one small step at a time, when possible... Tweaking, not
> frobbing;), I fairly quickly realised it got all the image-based spam
> without hardly any FPs (at least not any _new_ FPs... The ones FP'ing
> was doing that already due to badly come together .... "marketing
> systems"... "solicited" spam type of things:-). So I backed off from
> the ocr bit (have it running on a testbed, but... will probably not
> introduce it into production use).
>
> What amazes me is that some of the more influential merchant
> banks/financial institutions have really no clue as to how to put mail
> together that don't look spammy... Instead they annoy us (their
> "users") with notes about please making exceptions _for their domain
> names_ ... Really no clue at all.
> If their communications are that important, why not make the effort to
> set up SPF and/or Domain Keys... Or just avoid forging senders, HTML
> mails with a lot of big images, ALL CAPS subjects etc etc etc. Jeez.
>

Well, you probably just saved me a whole bunch of work Glenn. Was poking
around getting ready to install all the dependencies for FuzzyOCR and
stumbled across this post about ImageInfo. It looks much easier! I like
easier.

Couple of quick questions though. Did you have to make any tweaks to it,
or just run it out of the box?

The install instructions in ImageInfo.pm are slightly spartan - it says:

# 3) add to init.pre (or v310.pre) the following line
# loadplugin Mail::SpamAssassin::Plugin::ImageInfo
# or if not in plugin dir..
# loadplugin Mail::SpamAssassin::Plugin::ImageInfo /path/to/plugin

I didn't have a plugin directory, so just made one. For that line,
should I append the filename on it too, like this:

loadplugin Mail::SpamAssassin::Plugin::ImageInfo /etc/mail/spamassassin/plugin/ImageInfo.pm

or just

loadplugin Mail::SpamAssassin::Plugin::ImageInfo /etc/mail/spamassassin/plugin

(watch the line wrap)

I'm thinking the latter, but a reality check is always good.

Thanks...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mike at vesol.com Thu Oct 12 20:47:55 2006
From: mike at vesol.com (Mike Kercher)
Date: Thu Oct 12 20:48:10 2006
Subject: MS/SA Installed - How is it working?
In-Reply-To: <452E43D7.61A4.0000.0@caspercollege.edu>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Daniel Straka > Sent: Thursday, October 12, 2006 2:32 PM > To: mailscanner@lists.mailscanner.info > Subject: MS/SA Installed - How is it working? > > This kind of goes along with Chris Yuzik's post "spam getting > through without even being checked" (see below). > > So I've got MS running with SA. It seems to be doing OK, but > how do I know? > Yes, I bought the book. > I would like to know... > How to tell if MS is running well? > How to tell if SA running well? > What maintenance is required? > When should I tweak MS? > When should I tweak SA? > What are essential SA tweaks? > How do I tweak SA? > How about a MS/SA crash course (tips) from the experts? > > > >>> Chris Yuzik 10/12/2006 1:04 PM >>> > Hi Everyone, > > We're now having a problem where (blatant!) spam is getting > through our > > server, apparently without even being checked by MailScanner. > Our custom headers haven't been added and this is VERY > spammy. That said, a lot of > > spam is being blocked by MailScanner. > > I'm not sure how to troubleshoot this. Help! > > Thanks, > Chris > -- tail -f /var/log/maillog Mike From daniel.maher at ubisoft.com Thu Oct 12 20:49:38 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Oct 12 20:49:45 2006 Subject: Preferred MTA? In-Reply-To: <452E9482.6050307@USherbrooke.ca> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D33F@UBIMAIL1.ubisoft.org> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin > Sent: October 12, 2006 3:16 PM > To: MailScanner > Subject: OT: Preferred MTA? > > Hello all, > > I have been asked to evaluate what would be needed to turn our internal > mail hubs into secured ones. Since I always had trouble with sendmail's > documentation, I was thinking about switching to another MTA. > > We currently use many sendmail features such as greet_pause, > conncontrol, ratecontrol and milter-greylist. We have multiple domains > and use LDAP for final delivery address resolution. And of course, MS > must blend just fine with the MTA. > > What other MTA would give me those features with less headaches whenever > I need to change things? Exim? Postfix? others? > > I couldn't find a greylisting for Exim that shares its state table > between multiple MX... but I think PF could use my existing > milter-greylist as is... > > As for ease of configuration and quality of documentation, which do you > recommend? > > Do you recommend using a HW load balancer (and SSL accelerator) in front > of my servers? How about Cisco's? > > Thanks! > > Denis For my money, qmail is the way to go. That said, MailScanner doesn't officially support qmail, so even though it's arguably the best MTA out there right now, you'll likely have to pass it by if you want to continue leveraging MailScanner as a platform. One might be able to infer from my previous statement that I'm somewhat anti-sendmail. I don't deny it. :) What I will say, however, is that one of the advantages that sendmail /does/ have over qmail is that there is an absolute tonne of 3rd party add-ons, support modules, and so forth out there for it. This, in fact, is why lean towards Postfix for MailScanner-enabled environments. 
Postfix balances the extensibility of sendmail with the ease of use of qmail, and even manages to be popular enough to have a good support base (though some might tell you that the lead developer can be a bit of a cranky-pants at times ;) ). Anyhoo, that's just my 2 cents... > -- > _ > ?v? Denis Beauchemin, analyste > /(_)\ Universit? de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 p.s. c't'un jolie 'tit pingouin dans ton .sig, la. ;) -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From ka at pacific.net Thu Oct 12 20:55:46 2006 From: ka at pacific.net (Ken A) Date: Thu Oct 12 20:53:58 2006 Subject: spam getting through without even being checked In-Reply-To: <452E91B0.7090205@fractalweb.com> References: <452E91B0.7090205@fractalweb.com> Message-ID: <452E9DC2.8040608@pacific.net> Chris Yuzik wrote: > Hi Everyone, > > We're now having a problem where (blatant!) spam is getting through our > server, apparently without even being checked by MailScanner. Our custom > headers haven't been added and this is VERY spammy. That said, a lot of > spam is being blocked by MailScanner. > > I'm not sure how to troubleshoot this. Help! did you disable sendmail? chkconfig sendmail off service sendmail stop Ken A. Pacific.Net > Thanks, > Chris From clacroix at cegep-ste-foy.qc.ca Thu Oct 12 21:04:11 2006 From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix) Date: Thu Oct 12 21:04:16 2006 Subject: Preferred MTA? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D33F@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D33F@UBIMAIL1.ubisoft.org> Message-ID: <200610121604.12194.clacroix@cegep-ste-foy.qc.ca> I like postfix because it's just plain simple to configure and you aren't limited as you can call external programs to to whatever postfix doesn't do outa the box. On Thursday 12 October 2006 15:49, Daniel Maher wrote: > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin > > Sent: October 12, 2006 3:16 PM > > To: MailScanner > > Subject: OT: Preferred MTA? > > > > Hello all, > > > > I have been asked to evaluate what would be needed to turn our internal > > mail hubs into secured ones. Since I always had trouble with sendmail's > > documentation, I was thinking about switching to another MTA. > > > > We currently use many sendmail features such as greet_pause, > > conncontrol, ratecontrol and milter-greylist. We have multiple domains > > and use LDAP for final delivery address resolution. And of course, MS > > must blend just fine with the MTA. > > > > What other MTA would give me those features with less headaches whenever > > I need to change things? Exim? Postfix? others? > > > > I couldn't find a greylisting for Exim that shares its state table > > between multiple MX... but I think PF could use my existing > > milter-greylist as is... > > > > As for ease of configuration and quality of documentation, which do you > > recommend? > > > > Do you recommend using a HW load balancer (and SSL accelerator) in front > > of my servers? How about Cisco's? > > > > Thanks! > > > > Denis > > For my money, qmail is the way to go. That said, MailScanner doesn't > officially support qmail, so even though it's arguably the best MTA out > there right now, you'll likely have to pass it by if you want to continue > leveraging MailScanner as a platform. > > One might be able to infer from my previous statement that I'm somewhat > anti-sendmail. I don't deny it. :) What I will say, however, is that one > of the advantages that sendmail /does/ have over qmail is that there is an > absolute tonne of 3rd party add-ons, support modules, and so forth out > there for it. > > This, in fact, is why lean towards Postfix for MailScanner-enabled > environments. 
Postfix balances the extensibility of sendmail with the ease > of use of qmail, and even manages to be popular enough to have a good > support base (though some might tell you that the lead developer can be a > bit of a cranky-pants at times ;) ). > > Anyhoo, that's just my 2 cents... > > > -- > > _ > > ?v? Denis Beauchemin, analyste > > /(_)\ Universit? de Sherbrooke, S.T.I. > > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > > p.s. c't'un jolie 'tit pingouin dans ton .sig, la. ;) > > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. -- Charles Lacroix, Administrateur UNIX. Service des t?l?communications et des technologies C?gep de Sainte-Foy (418) 659-6600 # 4266 From gborders at jlewiscooper.com Thu Oct 12 21:14:06 2006 
From: gborders at jlewiscooper.com (Greg Borders) Date: Thu Oct 12 21:15:00 2006 Subject: MS/SA Installed - How is it working? In-Reply-To: <452E43D7.61A4.0000.0@caspercollege.edu> References: <452E91B0.7090205@fractalweb.com> <452E43D7.61A4.0000.0@caspercollege.edu> Message-ID: <452EA20E.40307@jlewiscooper.com> Daniel Straka wrote: > This kind of goes along with Chris Yuzik's post "spam getting through > without even being checked" (see below). > > So I've got MS running with SA. It seems to be doing OK, but how do I > know? > Yes, I bought the book. > I would like to know... > How to tell if MS is running well? > How to tell if SA running well? > What maintenance is required? > When should I tweak MS? > When should I tweak SA? > What are essential SA tweaks? > How do I tweak SA? > How about a MS/SA crash course (tips) from the experts? > > > >>>> Chris Yuzik 10/12/2006 1:04 PM >>> >>>> > Hi Everyone, > > We're now having a problem where (blatant!) spam is getting through our > > server, apparently without even being checked by MailScanner. Our > custom > headers haven't been added and this is VERY spammy. That said, a lot of > > spam is being blocked by MailScanner. > > I'm not sure how to troubleshoot this. Help! > > Thanks, > Chris > I too had a sudden rash of excessive spam, but I soon discovered it was related to the "k" "000" bug, in Std release 4.56.7. The MailScanner.conf line Max SpamAssassin Size needs to have the zeroes. Or patch it with Jules update. Fixed the sudden sneaking thru spams really quick. Greg. Borders Sys. Admin. JLC Co. -- This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. 
If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mkettler at evi-inc.com Thu Oct 12 21:17:49 2006 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Oct 12 21:18:07 2006
Subject: MS/SA Installed - How is it working?
In-Reply-To: <452E43D7.61A4.0000.0@caspercollege.edu>
References: <452E91B0.7090205@fractalweb.com> <452E43D7.61A4.0000.0@caspercollege.edu>
Message-ID: <452EA2ED.8020503@evi-inc.com>

Daniel Straka wrote:
> This kind of goes along with Chris Yuzik's post "spam getting through
> without even being checked" (see below).
>
> So I've got MS running with SA. It seems to be doing OK, but how do I
> know?
> Yes, I bought the book.
> I would like to know...

Well, you've got a lot of questions I could write a book about each one.
However, I'll try to give you a little bit of wisdom on each. Hopefully
others do the same and you'll get a lot of good advice.

> How to tell if MS is running well?

My suggestion: use mailscanner-mrtg, or something similar that monitors a
lot of mailscanner and graphs it.

Watch the inbound queue, if it starts growing, and keeps growing,
something's not working well.

This also lets you watch virus and spam hit rates. After a while you'll get
a feel for what's "normal". From there you'll be able to see if something
is worth investigation. ie: if you normally get 10-50 viruses a day, and
suddenly there's none for 2 days in a row, your virus scanning is probably
broken.

You can also test it periodically by emailing yourself an eicar test virus,
or have a website do it for you (ie:
http://www.aleph-tec.com/eicar/index.php)

> How to tell if SA running well?

This is a bit harder. You can watch the spam catch rate with mrtg. Spam
rates are normally fairly linear, so if your SA starts missing a lot the
normal triangular graph will start looking like a shallow staircase.

Also keep an eye out for ".expire" files in the directory where your bayes
DB lives (look for bayes_toks on your machine). These are a sign that your
MailScanner is timing out SA instances during bayes database expiry. Extend
your spamassassin timeout in MailScanner.conf if it crops up.

> What maintenance is required?

Generally speaking, little. Keep your AV updated regularly (MS will
generally do this for you with most AV packages. However, some need manual
updating, ie: command av, which uses passworded FTP downloads).

Update SA periodically (unless there's a security hole you don't have to
jump to the latest release every time, but it's advisable to keep
relatively recent)

> When should I tweak MS?
> When should I tweak SA?

When you start having problems of mis-tagging.

> What are essential SA tweaks?

make sure your trusted_networks is set properly. see
http://wiki.apache.org/spamassassin/TrustPath

Browse the /etc/mail/spamassassin/*.pre files to see if there are any
plugins you want to use. Note that some of these require 3rd party software
to run. (ie: SPF, DCC, Razor, pyzor), but you can find that in the manpage
for the plugin.

See the plugin docs at:
http://spamassassin.apache.org/full/3.1.x/dist/doc/
Named Mail_SpamAssassin_Plugin_*

consider using sa-update.

Cautiously consider using add-on rulesets. (DO NOT use sa-blacklist or
sa-blacklist-uri unless you consider 1GB a small amount of RAM)
http://wiki.apache.org/spamassassin/CustomRulesets

Note: don't go hog-wild with the add-ons. I'd really suggest adding no more
than 3 at a time. A very common problem is someone who just downloaded SA,
installed every add-on ruleset that exists, fires it up and wonders why
their server is grinding to a halt. There is such a thing as too much, but
you can probably safely add 10-20 files that are under 128k.

The "too much" line depends a lot on how much RAM you have to spare. Each
added rule takes a little extra ram. A lot of added rules take a lot of
extra ram.

For what it's worth I use:

    53868 Apr 21 10:44 70_sare_adult.cf
    24298 Oct  5  2005 70_sare_evilnum0.cf
     1574 Sep 16  2005 70_sare_evilnum1.cf
    45933 Dec 30  2005 70_sare_genlsubj0.cf
    28066 Jun  4 01:00 70_sare_html0.cf
    51886 Oct 12  2005 70_sare_obfu0.cf
    18190 Dec 15  2005 70_sare_random.cf
    97820 May 27 23:00 70_sare_specific.cf
    52048 Apr 10  2006 70_sare_stocks.cf
    17879 Oct 12  2005 70_sare_uri0.cf
     1467 Apr 21 10:44 71_sare_adult_rescore.cf
    57580 Sep 16  2005 99_FVGT_Tripwire.cf
    10147 Jun  1  2005 99_sare_fraud_post25x.cf

Along with 30-some odd custom rulesets of my own design for local needs.
Most of these are very small (ie: under 1k)

> How do I tweak SA?

There's a million ways, from simple tweaks like the above to writing your
own add-on rules and plugins.

That said your common simple tweaks are:
 -adjusting required_score
 -making use of whitelist_from_rcvd
 -making use of sa-learn for bayes training, this helps correct spam that's
  getting low BAYES_xx scores, or nonspam that's getting high ones.

> How about a MS/SA crash course (tips) from the experts?

See above.

From sconway at wlnet.com Thu Oct 12 21:21:26 2006
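The three warning signs from Matt Kettler's reply above (an inbound queue that keeps growing, virus hits dropping to none for 2 days in a row, and ".expire" files left beside bayes_toks) can be checked mechanically. This is an added Python example, not code from the thread or from MailScanner; the function names, the four-sample window, the file name bayes_toks.expire4938 and every number in the sample data are constructed assumptions.

```python
"""Health checks for a MailScanner/SpamAssassin gateway (added example).

All sample numbers are constructed; feed the functions from your own
queue sampling and MRTG/MailWatch counters.
"""
import glob
import os
import tempfile


def queue_keeps_growing(samples, min_run=4):
    """True when the last `min_run` queue-depth samples rise every time.

    A burst that drains again is normal; a queue that only ever grows
    means mail is arriving faster than it is being scanned.
    """
    if len(samples) < min_run:
        return False
    tail = samples[-min_run:]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def scanner_gone_quiet(daily_hits, quiet_days=2, baseline_days=7):
    """True when a normally non-zero daily counter reads zero for
    `quiet_days` days in a row (e.g. 10-50 viruses a day, then none)."""
    if len(daily_hits) <= quiet_days:
        return False
    recent = daily_hits[-quiet_days:]
    baseline = daily_hits[-(quiet_days + baseline_days):-quiet_days]
    return all(n == 0 for n in recent) and min(baseline) > 0


def leftover_expire_files(bayes_dir):
    """Names of *.expire* files in the directory that holds bayes_toks.

    They are left behind when SpamAssassin is timed out part-way through
    a Bayes expiry run.
    """
    if not os.path.exists(os.path.join(bayes_dir, "bayes_toks")):
        raise FileNotFoundError("no bayes_toks in %s" % bayes_dir)
    paths = glob.glob(os.path.join(bayes_dir, "*.expire*"))
    return sorted(os.path.basename(p) for p in paths)


def run_checks(queue_samples, virus_hits, bayes_dir):
    """Run all three checks and return {check name: finding}."""
    findings = {}
    if queue_keeps_growing(queue_samples):
        findings["queue"] = "inbound queue still growing: %s" % queue_samples[-4:]
    if scanner_gone_quiet(virus_hits):
        findings["virus"] = "no virus hits for 2 days after a non-zero baseline"
    expire = leftover_expire_files(bayes_dir)
    if expire:
        findings["bayes"] = "expiry leftovers: " + ", ".join(expire)
    return findings


# Constructed sample data: queue depth per sampling interval, virus hits per day.
QUEUE_DEPTH = [3, 41, 6, 2, 9, 27, 64, 130]
VIRUS_HITS = [23, 41, 17, 35, 12, 0, 0]


def demo():
    """Build a throwaway Bayes directory with one leftover expiry file."""
    with tempfile.TemporaryDirectory() as bayes_dir:
        for name in ("bayes_toks", "bayes_seen", "bayes_toks.expire4938"):
            open(os.path.join(bayes_dir, name), "w").close()
        return run_checks(QUEUE_DEPTH, VIRUS_HITS, bayes_dir)


if __name__ == "__main__":
    for check, detail in demo().items():
        print("%-6s %s" % (check, detail))
```
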
From: sconway at wlnet.com (Stephen Conway)
Date: Thu Oct 12 21:21:31 2006
Subject: Strange Sendmail Sessions
Message-ID: <01da01c6ee3b$fef6dbf0$b000a8c0@skyhawk>

Hello All:

I have a couple systems with the following:

Intel based systems
1 GB RAM running Slackware Linux
Sendmail 8.13.8
MailScanner-4.55.10
SpamAssassin version 3.1.0
Perl 5.6.1

I have a problem where I am getting a lot of sendmail sessions opening up
similar to below:

0:00 sendmail: k9CJgJRU012733 c647683-42.impsat.com.co [64.76.83.42] (may be forged): DATA
0:00 sendmail: k9CJlhwE014949 movaris-nxds1-89.hicap.alink.net [67.131.237.89]: DATA

A bunch of these keep coming in from various different networks, but they
all stay around and eventually my MAX Daemon Children value is reached.

The question is, can this be a network issue where these sessions are not
completing? Also, how can I get sendmail to kill these old sessions after X
minutes or something?

Any assistance is appreciated.

Thanks,
Steve

--
ShipMail Now 30% Faster

From mikej at rogers.com Thu Oct 12 21:31:17 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Thu Oct 12 21:44:30 2006
Subject: OT: Preferred MTA?
In-Reply-To: <452E9482.6050307@USherbrooke.ca>
References: <452E9482.6050307@USherbrooke.ca>
Message-ID: <452EA615.1070507@rogers.com>

Denis Beauchemin wrote:
> Hello all,
>
> I have been asked to evaluate what would be needed to turn our
> internal mail hubs into secured ones. Since I always had trouble with
> sendmail's documentation, I was thinking about switching to another MTA.
>
> We currently use many sendmail features such as greet_pause,
> conncontrol, ratecontrol and milter-greylist. We have multiple
> domains and use LDAP for final delivery address resolution. And of
> course, MS must blend just fine with the MTA.
>
> What other MTA would give me those features with less headaches
> whenever I need to change things? Exim? Postfix? others?
>
> I couldn't find a greylisting for Exim that shares its state table
> between multiple MX... but I think PF could use my existing
> milter-greylist as is...

I would recommend postfix, it's feature-rich, very easy to configure, and has a great security record. It is also designed to be a compatible replacement for sendmail, and since version 2.3 it supports sendmail milters.

From mikej at rogers.com Thu Oct 12 21:32:32 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Thu Oct 12 21:44:46 2006
Subject: Preferred MTA?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D33F@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D33F@UBIMAIL1.ubisoft.org>
Message-ID: <452EA660.80001@rogers.com>

Daniel Maher wrote:
> For my money, qmail is the way to go. That said, MailScanner doesn't officially support qmail, so even though it's arguably the best MTA out there right now, you'll likely have to pass it by if you want to continue leveraging MailScanner as a platform.
>
> One might be able to infer from my previous statement that I'm somewhat anti-sendmail. I don't deny it. :) What I will say, however, is that one of the advantages that sendmail /does/ have over qmail is that there is an absolute tonne of 3rd party add-ons, support modules, and so forth out there for it.
>

That's because qmail is an obsolete and unmaintained (what, 8 years old now?) POS MTA.

From daniel.maher at ubisoft.com Thu Oct 12 21:58:42 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Thu Oct 12 21:58:46 2006
Subject: Preferred MTA?
In-Reply-To: <452EA660.80001@rogers.com>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D342@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Mike Jakubik
> Sent: October 12, 2006 4:33 PM
> To: MailScanner discussion
> Subject: Re: Preferred MTA?
>
>
> That's because qmail is an obsolete and unmaintained (what, 8 years old
> now?) POS MTA.
>

When something is designed properly in the first place, it doesn't need to be patched constantly.

Of course, we don't need to start any flame wars here. To each their own opinion...

--
  _
 °v°    Daniel Maher
/(_)\   Administrateur Système Unix
 ^ ^    Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From Denis.Beauchemin at USherbrooke.ca Thu Oct 12 21:58:54 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Oct 12 21:59:22 2006
Subject: Strange Sendmail Sessions
In-Reply-To: <01da01c6ee3b$fef6dbf0$b000a8c0@skyhawk>
References: <01da01c6ee3b$fef6dbf0$b000a8c0@skyhawk>
Message-ID: <452EAC8E.808@USherbrooke.ca>

Stephen Conway wrote:
> Hello All:
>
> I have a couple systems with the following:
>
> Intel based systems 1 GB RAM running Slackware Linux
> Sendmail 8.13.8
> MailScanner-4.55.10
> SpamAssassin version 3.1.0
> Perl 5.6.1
>
> I have a problem where I am getting a lot of sendmail sessions opening up
> similar to below:
>
> 0:00 sendmail: k9CJgJRU012733 c647683-42.impsat.com.co [64.76.83.42] (may be
> forged): DATA
> 0:00 sendmail: k9CJlhwE014949 movaris-nxds1-89.hicap.alink.net
> [67.131.237.89]: DATA
>
> A bunch of these keep coming in from various different networks, but they
> all stay around and eventually my MAX Daemon Children value is reached. The
> question is, can this be a network issue where these sessions are not
> completing? Also, how can I get sendmail to kill these old sessions after X
> minutes or something?
>
> Any assistance is appreciated.
>
> Thanks,
>
> Steve
>
>
>

Steve,

I use the following in my sendmail.mc:

define(`confTO_ACONNECT', `5m')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_ICONNECT', `20s')dnl
define(`confTO_COMMAND', `5m')dnl
define(`confTO_AUTH', `1m')dnl
define(`confTO_DATABLOCK', `5m')dnl
define(`confTO_DATAFINAL', `10m')dnl
define(`confTO_MAIL', `5m')dnl
define(`confTO_RCPT', `5m')dnl
define(`confTO_RESOLVER_RETRANS_FIRST', `2s')dnl
define(`confTO_RESOLVER_RETRANS_NORMAL', `10s')dnl
define(`confTO_RESOLVER_RETRY_FIRST', `2')dnl
define(`confTO_RESOLVER_RETRY_NORMAL', `5')dnl
define(`confTO_STARTTLS', `5m')dnl

I was also seeing connections that would not close, shutting my server down. Haven't seen any since I configured all the TO_ listed above.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From mikej at rogers.com Thu Oct 12 22:10:04 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Thu Oct 12 22:10:10 2006
Subject: Preferred MTA?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D342@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D342@UBIMAIL1.ubisoft.org>
Message-ID: <452EAF2C.10304@rogers.com>

Daniel Maher wrote:
> When something is designed properly in the first place, it doesn't need to be patched constantly.
>
>

Right, because when qmail was written, the programmer saw the future and already integrated all the features that modern MTAs like postfix or sendmail have. How many patches and addons are there for qmail to get functionality that current MTAs already have?

> Of course, we don't need to start any flame wars here. To each their own opinion...
>

Of course.

From ka at pacific.net Thu Oct 12 22:18:30 2006
From: ka at pacific.net (Ken A)
Date: Thu Oct 12 22:16:45 2006
Subject: Preferred MTA?
In-Reply-To: <452EAF2C.10304@rogers.com>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D342@UBIMAIL1.ubisoft.org> <452EAF2C.10304@rogers.com>
Message-ID: <452EB126.1090300@pacific.net>

Mike Jakubik wrote:
> Daniel Maher wrote:
>> When something is designed properly in the first place, it doesn't
>> need to be patched constantly.
>>
>>
>
> Right, because when qmail was written, the programmer saw the future
> and already integrated all the features that modern MTAs like postfix or
> sendmail have. How many patches and addons are there for qmail to get
> functionality that current MTAs already have?

If qmail had milter-ahead, it would know the future! :-P

Hey, I like sendmail, but I wasn't about to say that in a thread with _this_ subject, since my asbestos suit is at the cleaners.

Ken A.

>
>
>> Of course, we don't need to start any flame wars here. To each their
>> own opinion...
>>
>
> Of course.
>
>

From richard.siddall at elirion.net Thu Oct 12 22:16:24 2006
From: richard.siddall at elirion.net (Richard Siddall)
Date: Thu Oct 12 22:17:24 2006
Subject: Preferred MTA?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D342@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D342@UBIMAIL1.ubisoft.org>
Message-ID: <452EB0A8.7050703@elirion.net>

Daniel Maher wrote:
> When something is designed properly in the first place, it doesn't
> need to be patched constantly.
>
> Of course, we don't need to start any flame wars here. To each their
> own opinion...
>

So, Daniel, are you running an unpatched copy of qmail? (You need to patch it to support alternative queue delivery programs like you need for MailScanner, correct?)

Regards,

Richard Siddall

From axisml at gmail.com Thu Oct 12 22:21:01 2006
From: axisml at gmail.com (Chris Stone)
Date: Thu Oct 12 22:21:39 2006
Subject: Strange Sendmail Sessions
In-Reply-To: <01da01c6ee3b$fef6dbf0$b000a8c0@skyhawk>
References: <01da01c6ee3b$fef6dbf0$b000a8c0@skyhawk>
Message-ID: <1160688061.5191.8.camel@cs.axint.net>

On Thu, 2006-10-12 at 16:21 -0400, Stephen Conway wrote:
> I have a problem where I am getting a lot of sendmail sessions opening up
> similar to below:
>
> 0:00 sendmail: k9CJgJRU012733 c647683-42.impsat.com.co [64.76.83.42] (may be
> forged): DATA
> 0:00 sendmail: k9CJlhwE014949 movaris-nxds1-89.hicap.alink.net
> [67.131.237.89]: DATA
>
> A bunch of these keep coming in from various different networks, but they
> all stay around and eventually my MAX Daemon Children value is reached. The
> question is, can this be a network issue where these sessions are not
> completing? Also, how can I get sendmail to kill these old sessions after X
> minutes or something?

Started seeing this myself on my MailScanner servers (3 of them) yesterday. What I've done to mitigate the 'damage' is adding the following in my sendmail_in.mc file:

FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl
FEATURE(delay_checks)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`ratecontrol',`nodelay',`terminate')dnl
FEATURE(`conncontrol',`nodelay',`terminate')dnl

And then in my access file:

# connections control and throttling
ClientConn: 5
ClientRate: 15

Has helped a lot.

Chris

--
Chris Stone
AxisInternet, Inc.

From lisa.wu at syntricity.com Thu Oct 12 23:10:18 2006
From: lisa.wu at syntricity.com (Lisa Wu)
Date: Thu Oct 12 23:11:08 2006
Subject: Sophos/MailScanner
In-Reply-To: <452DF7E0.5040706@solidstatelogic.com>
Message-ID: <006501c6ee4b$33801df0$9908a8c0@syntricity.com>

Martin Hepworth wrote:
> >>> Once in a while the server will fail to download its updates from
> Sophos.
> >>> (The cause being that our T1 line went down). Then the mail log starts
> >>> posting MailScanner error messages every 10 seconds until a successful
> >>> update occurs:
> >>>
> >>> Sep 6 14:06:50 mail MailScanner[30864]: None of the files matched by
> the
> >>> "Monitors For Sophos Updates" patterns exist!
> >>>
> >>> Because of this error the queue starts placing all messages on hold.
> >
> >
> >> Lisa
> >>
> >> how are you updating the virus defs for Sophos?
> >
> >
> > Martin,
> >
> > There is a cron job that runs the Sophos update script running once
> every
> > hour.
> >
> > Thanks,
> > Lisa
> >
> >
>
> Lisa
>
> Can you give a bit more info. Which cron job? it should be
> update_virus_scanners which will do all the scanners you've defined in
> MailScanner.conf.
>
> This script is reasonably failure proof as it downloads the updates into
> a separate folder and only on success does it move the 'new' to 'live'
> folders as it were.
>
> Also I presume you're using the MailScanner Sophos.Install script to
> install your Sophos as well..?? As MailScanner expects Sophos V4 to be
> in a non-default Sophos Directory.
>

Hi Martin,

Here is the cron job that is running.

21 0-23/2 * * * /usr/local/updates/Sophos/savupd/savupd.sh > /dev/null

I've attached a copy of the script that is being run.

I did not set up this server, so I don't know if the previous admin used the MailScanner Sophos.Install script to install Sophos. From how it looks it doesn't seem so.

From what you stated in your last e-mail, should I be setting up a cronjob that uses a preconfigured update_virus_scanners script that was part of the MailScanner Sophos install?

In my MailScanner.conf file

Virus Scanners = sophossavi

In my virus.scanners.conf file this is the entry for sophossavi

sophossavi /bin/false /tmp

Let me know if there's any other info you need from me.

Thanks,
Lisa
-------------- next part --------------
#!/bin/sh
# savupd.sh - automated updating for UNIX / Linux / FreeBSD
# savupd.sh shell script (savupd.sh)
# email: support@sophos.com
# Phone (UK): +44 (0)1235 559933
# Phone (US): +1 888 767 4679
###############################################################
## DO NOT EDIT THIS FILE ##
###############################################################
version='1.3 {20030528}'
PATH=$PATH:/bin:/sbin:/opt/sfw/bin:/usr/ucb:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
export PATH LD_LIBRARY_PATH

ld_var() {
    username=`grep -i "name" /etc/savupd.cfg | awk 'BEGIN { FS = "=" } { print $2 }'`
    password=`grep -i "passwd" /etc/savupd.cfg | awk 'BEGIN { FS = "=" } { print $2 }'`
    log=`grep -i "logging" /etc/savupd.cfg | awk 'BEGIN { FS = "=" } { print $2 }'`
    email=`grep -i "mail" /etc/savupd.cfg | awk 'BEGIN { FS = "=" } { print $2 }'`
    rcpt=`grep -i "user" /etc/savupd.cfg | awk 'BEGIN { FS = "=" } { print $2}'`
    instdir=`grep -i "instdir" /etc/savupd.cfg | awk 'BEGIN {FS = "=" } { print $2 }'`
    loglevel=`grep -i "loglevel" /etc/savupd.cfg | awk 'BEGIN { FS = "=" } { print $2 }'`
    tab=" "
    tmp='/usr/local/updates/Sophos/savupd.tmp'
    fsite='http://www.sophos.com/dp/full'
    isite='http://www.sophos.com/downloads/ide'
    logfile='/var/log/sophos/savupd.log'
    templog='/var/log/sophos/savupd.tmp'
    msg='/tmp/savupd.msg'
    tfile='/var/log/sophos/savupd.time'
    tag=`date +%c`
    date=`date +%m`
    fupd=0
    logit
    lcd=`pwd`
}

create_cfg() {
    tmpcfg='/tmp/savupd.tmp'
    cfg='/etc/savupd.cfg'
    pwd=`pwd`
    cronfile='/etc/savupd.cron'
    echo "+----------------------------------+"
    echo "|savupd.sh - automated updating for|"
    echo "| Sophos Anti-Virus |"
    echo "| on UNIX / Linux / FreeBSD |"
    echo "+----------------------------------+"
    echo "| Installation script. |"
    echo "+----------------------------------+"
    echo ""
    echo ""
    echo "Please enter your Sophos website username:"
    read username
    echo "name=$username" > $tmpcfg
    echo ""
    echo "Please enter your Sophos website password:"
    read password
    echo "passwd=$password" >> $tmpcfg
    echo ""
    echo "Enable logging [y/n]?"
    read log
    case "$log" in
    N | n)
        echo "logging=NO" >> $tmpcfg
        ;;
    Y | y)
        echo "logging=YES" >> $tmpcfg
        ;;
    *)
        echo "Unknown option."
        create_cfg
        exit
    esac
    if [ $log = y ]; then
        echo ""
        echo "Enable emailing of logfile [y/n]?"
        read email
        case "$email" in
        N | n)
            echo "mail=NO" >> $tmpcfg
            ;;
        Y | y)
            echo "mail=YES" >> $tmpcfg
            ;;
        *)
            echo "Unknown option."
            create_cfg
        esac
        if [ $email = y ]; then
            echo ""
            echo "Full logfiles will be available in '/var/log/sophos/'"
            echo "What reporting level would you like to be emailed?"
            echo "(1) Errors only (2) Monthly update only"
            echo "(3) Everything"
            read llvl
            case "$llvl" in
            1)
                echo "loglevel=1" >> $tmpcfg
                lvl="Errors only."
                ;;
            2)
                echo "loglevel=2" >> $tmpcfg
                lvl="Monthly update only."
                ;;
            3)
                echo "loglevel=3" >> $tmpcfg
                lvl="Everything."
                ;;
            *)
                echo "Unknown option."
                create_cfg
            esac
            echo ""
            echo "Enter the email address of the log recipient:"
            read rcpt
            echo "user=$rcpt" >> $tmpcfg
        fi
    fi
    echo ""
    echo "By default Sophos will be installed to /usr/local"
    echo "Would you like to set a non-default installation path [y/n]?"
    read defpath
    case "$defpath" in
    N | n)
        echo "instdir=/usr/local" >>$tmpcfg
        instpath='/usr/local'
        ;;
    Y | y)
        echo "Please enter the path to the base directory."
        echo "Sophos will be installed in directories relative to the base directory."
        echo "e.g. if base directory is /home/sophos then binaries will be installed in"
        echo "/home/sophos/bin and libraries installed in /home/sophos/lib etc..."
        echo ""
        echo "Do not include the trailing '/' in the path."
        read instpath
        echo "instdir=$instpath" >>$tmpcfg
        ;;
    *)
        echo "Unknown option."
        create_cfg
    esac
    echo ""
    echo "*****************************"
    echo "The current configuration is:"
    echo "Username: $username"
    echo "Password: $password"
    echo "Logging: $log"
    echo "Email: $email"
    echo "Email logging level: $lvl"
    echo "Recipient: $rcpt"
    echo "Installation directory: $instpath"
    echo "*****************************"
    echo ""
    echo "Are these details correct? [y/n]"
    read answer
    case "$answer" in
    N | n)
        create_cfg
        ;;
    Y | y)
        cat $tmpcfg > $cfg
        echo ""
        echo "$cfg created."
        echo ""
        rm -rf $tmpcfg
        ;;
    *)
        echo "Unknown option."
        echo "Are these details correct? [y/n]"
        read aswr
        case "$aswr" in
        N | n)
            create_cfg
            ;;
        Y | y)
            cat $tmpcfg > $cfg
            echo ""
            echo "$cfg created."
            echo ""
            rm -rf $tmpcfg
            ;;
        *)
            echo "Unknown option."
            create_cfg
        esac
    esac
}

create_cron() {
    echo ""
    echo "Would you like to schedule savupd.sh to run automatically using 'cron' [y/n]?"
    echo ""
    echo "WARNING: If root already has a crontab setup, answer NO and set the crontab manually."
    read schdl
    case "$schdl" in
    N | n)
        touch $cronfile
        return
        ;;
    Y | y)
        cfg_cron
        ;;
    *)
        create_cron
    esac
}

cfg_cron() {
    echo "PATH=$lcd" > $cronfile
    echo "HOME=$lcd" >> $cronfile
    echo ""
    echo "How often would you would you like to check for updates?"
    echo "(1) Every hour (2) Every 3 hours"
    echo "(3) Every 6 hours (4) Every 12 hours"
    echo "(5) Every 24 hours "
    echo ""
    echo "e.g. Type '1' for hourly checks, '2' for 3 hourly checks etc..."
    read frequency
    case "$frequency" in
    1)
        echo "0 0-23 * * * $pwd/savupd.sh" >>$cronfile
        ;;
    2)
        echo "0 0-23/3 * * * $pwd/savupd.sh" >>$cronfile
        ;;
    3)
        echo "0 0-23/6 * * * $pwd/savupd.sh" >>$cronfile
        ;;
    4)
        echo "0 0,12 * * * $pwd/savupd.sh" >>$cronfile
        ;;
    5)
        echo "0 0 * * * $pwd/savupd.sh" >>$cronfile
        ;;
    *)
        cfg_cron
    esac
    echo "Configuring root's crontab..."
    crontab -u root $cronfile >/dev/null 2>&1 && echo "Crontab configured. To re-configure the schedule, remove '/etc/savupd.cron' and run 'savupd.sh'" || error_cron
    echo ""
    echo "savupd will now download and update your Sophos Anti Virus installation."
    echo "If this is the first time savupd has run, this may take several minutes..."
    sleep 2
}

chk_sysfile() {
    echo "Checking for required commands." >> $templog
    for c in awk cat mkdir mv ps rm grep sleep tar wget unzip mail; do
        which $c >/dev/null || error_sysfile
    done
    echo "All required commands OK." >> $templog
}

chk_tfile() {
    echo "Checking last download date." >>$templog
    if [ -f "$tfile" ]; then
        echo "Timestamp detected." >>$templog
        lastdate=`cat $tfile`
        if [ "$lastdate" -eq "$date" ]; then
            echo "Updating IDEs only." >>$templog
            flag=1
        else
            echo "Updating full version." >>$templog
            flag=0
        fi
    else
        echo "No timestamp detected. Updating full version." >>$templog
        flag=0
    fi
}

which_file() {
    if [ "$flag" -eq "1" ]; then
        downloadfile='ides.zip'
    else
        case "`uname -s`,`uname -m`" in
        OSF1,alpha)
            platform=digitalunix
            downloadfile='digitalunix.tar.Z'
            ;;
        SunOS,sun4*)
            platform=solaris.sparc
            downloadfile='solaris.sparc.tar.Z'
            ;;
        SunOS,i86pc)
            platform=solaris.intel
            downloadfile='solaris.intel.tar.Z'
            ;;
        Linux,*86)
            platform=linux.intel
            test -e /lib/libc.so.5 && downloadfile='linux.intel.libc5.tar.Z'
            test -e /lib/libc.so.6 && downloadfile='linux.intel.libc6.tar.Z'
            islinux=yes
            ;;
        Linux,alpha)
            platform=linux.alpha
            downloadfile='linux.alpha.tar.Z'
            islinux=yes
            ;;
        Linux,ppc*)
            platform=linux.ppc
            downloadfile=''
            ;;
        FreeBSD,i386)
            platform=freebsd
            product_name="FreeBSD/Intel"
            freebsd_ver=`uname -r | cut -c1`
            ;;
        AIX,*)
            platform=aix
            downloadfile='aix.tar.Z'
            ;;
        SCO_SV,i386)
            platform=scoopenserver
            downloadfile='scoopenserver.tar.Z'
            ;;
        UnixWare,i386)
            platform=scounixware
            downloadfile='scounixware.tar.Z'
            ;;
        HP-UX,9000*)
            platform=hpux
            downloadfile='hptux.tar.Z'
            ;;
        *)
            error_host
        esac
        if [ $platform = freebsd ]; then
            if [ $freebsd_ver -eq 2 ]; then
                downloadfile='freebsd.aout.tar.Z'
            else
                downloadfile='freebsd.elf.tar.Z'
            fi
        fi
        echo "Platform detected: $platform" >> $templog
        echo "File to be downloaded: $downloadfile" >> $templog
    fi
}

mktmp() {
    echo "Creating temporary directory." >>$templog
    if [ -d $tmp ]; then
        rm -rf $tmp || error_temp
        mkdir $tmp || error_temp
    else
        mkdir $tmp || error_temp
    fi
    echo "Temporary directory created." >>$templog
}

dload() {
    if [ $flag -eq 0 ]; then
        echo "Downloading $downloadfile" >> $templog
        wget $fsite/$downloadfile --http-user='$username' --http-passwd='$password' --directory-prefix=$tmp -t3 || error_download
        echo "Download complete. Checking file." >>$templog
        if [ -f $tmp/$downloadfile ]; then
            echo "Download verified." >>$templog
        else
            echo "Unable to verify download file." >>$templog
            error_download
        fi
    else
        echo "Downloading $downloadfile" >>$templog
        wget -P$tmp $isite/$downloadfile || error_download
        echo "Download complete. Checking file." >>$templog
        if [ -f $tmp/$downloadfile ]; then
            echo "Download verified." >>$templog
        else
            echo "Unable to verify download file." >>$templog
            error_download
        fi
    fi
}

xtract() {
    if [ $flag -eq 0 ]; then
        echo "Extracting files from archive." >>$templog
        which uncompress >/dev/null && uncomp='yes' || uncomp='no'
        if [ $uncomp = no ]; then
            echo "'uncompress' not found. Using 'tar -z'" >>$templog
            cd $tmp
            tar -zxvf $tmp/$downloadfile || error_tar
            echo "Files extracted." >>$templog
        else
            uncompress $tmp/$downloadfile || error_tar
            newfile=`ls $tmp`
            cd $tmp
            tar -xvf $tmp/$newfile || error_tar
            echo "Files extracted." >>$templog
        fi
    else
        echo "Extracting IDE files." >>$templog
        rm -rf $instdir/sav/*.ide
        unzip -o -q $tmp/$downloadfile -d $instdir/sav || error_tar
        echo "Files extracted." >>$templog
        mmsmtprestart
    fi
}

instal() {
    if [ $flag -eq 0 ]; then
        if [ -f /var/spool/intercheck/comms/ic.sta ]; then
            echo "Starting Installation." >>$templog
            echo "Intercheck server will be installed." >>$templog
            $tmp/sav-install/install.sh -v -d $instdir || error_install
            echo "Installation complete." >>$templog
        else
            echo "Starting Installation." >>$templog
            echo "Intercheck server will not be installed." >>$templog
            $tmp/sav-install/install.sh -ni -so -v -d $instdir|| error_install
            echo "Installation complete." >>$templog
        fi
    fi
}

rmtmp() {
    echo "Removing temporary directory." >>$templog
    if [ -d $tmp ]; then
        cd $lcd
        rm -rf $tmp || error_temp2
    fi
    echo "Temporary directory removed." >>$templog
}

logit() {
    echo "+----------------------------------+" >>$templog
    echo "|savupd.sh - automated updating for|" >>$templog
    echo "| Sophos Anti-Virus |" >>$templog
    echo "| on UNIX / Linux / FreeBSD |" >>$templog
    echo "+----------------------------------+" >>$templog
    echo "Timestamp: $tag" >>$templog
}

logger() {
    if [ $log = YES ]; then
        if [ -f $logfile ]; then
            cat $logfile >> $logfile.`date +%B`
        fi
        cat $templog > $logfile
        echo "Logfile $logfile created." >> $logfile
        rm -rf $templog
    fi
}

mailer() {
    if [ $email = YES ]; then
        if [ $loglevel -eq 1 ]; then
            grep -i "error" $logfile
            if [ $? -eq 0 ]; then
                mail -s "Error Report - Sophos Update" $rcpt < $logfile
            fi
        fi
        if [ $loglevel -eq 2 ]; then
            if [ $fupd -eq 1 ]; then
                mail -s "Monthly update report" $rcpt < $logfile
            fi
        fi
        if [ $loglevel -eq 3 ]; then
            mail -s "Sophos Update Report" $rcpt < $logfile
        fi
    fi
}

tstamp() {
    echo $date > $tfile
}

mmsmtptest() {
    if [ -d /var/log/mmsmtp ]; then
        mmsmtpinst=1
    else
        mmsmtpinst=0
    fi
}

mmsmtpstop() {
    if [ "$mmsmtpinst" -eq 1 ]; then
        mstat=0
        x=0
        while [ "$mstat" -eq 0 ]; do
            if [ "$platform" = solaris.sparc ]; then
                mpid=`cat /etc/mmsmtp.pid`
            elif [ "$platform" = linux.intel ]; then
                mpid=`cat /var/run/mmsmtp.pid`
            fi
            x=$[x=x+1]
            ps -p $mpid >/dev/null 2>&1
            mstat=$?
            /usr/local/sophos/mmsmtp/bin/mmsmtpd -shutdown >/dev/null 2>&1
            # timeout entry
            if [ "$x" -gt 100 ]; then
                kill -9 $mpid >/dev/null 2>&1
            fi
        done
        echo "MailMonitor daemon has successfully shutdown" >>$templog
    fi
}

mmsmtpstart() {
    if [ "$mmsmtpinst" -eq 1 ]; then
        mstat=1
        x=0
        while [ "$mstat" -eq 1 ]; do
            if [ "$platform" = solaris.sparc ]; then
                mpid=`cat /etc/mmsmtp.pid`
            elif [ "$platform" = linux.intel ]; then
                mpid=`cat /var/run/mmsmtp.pid`
            fi
            x=$[x=x+1]
            ps -p $mpid >/dev/null 2>&1
            mstat=$?
            /usr/local/sophos/mmsmtp/bin/mmsmtpd -start >/dev/null 2>&1
            # timeout entry
            if [ "$x" -gt 100 ]; then
                echo "Unable to restart the MailMonitor daemon" >>$templog
                return
            fi
        done
        echo "MailMonitor daemon has started successfully (PID: $mpid)" >>$templog
    fi
}

mmsmtprestart() {
    if [ "$mmsmtpinst" -eq 1 ]; then
        case "`uname -s`,`uname -m`" in
        SunOS,sun4*)
            platform=solaris.sparc
            ;;
        Linux,*86)
            platform=linux.intel
            ;;
        *)
            error_host
        esac
        mmsmtpstop
        mmsmtpstart
    fi
}

##############
# Error msgs #
##############
error_cron() {
    echo "ERROR:" >>$templog
    echo "Unable to configure crontab." >>$templog
    echo "This means you will either need to manually run this script to update Sophos," >>$templog
    echo "or set your own crontab. See 'man 5 crontab' for details." >>$templog
    touch $cronfile
    return
}

error_sysfile() {
    echo "ERROR:" >>$templog
    echo "Unable to find '$c' in path." >>$templog
    echo "Unable to continue." >>$templog
    echo "Sophos Anti Virus was NOT updated." >>$templog
    logger
    mailer
    exit 1
}

error_host() {
    echo "ERROR:" >>$templog
    echo "Unable to determine platform." >>$templog
    echo "Unable to continue." >>$templog
    echo "Sophos Anti Virus was NOT updated." >>$templog
    logger
    mailer
    exit 2
}

error_temp() {
    echo "ERROR:" >>$templog
    echo "Unable to create temporary directory '$tmp'." >>$templog
    echo "Unable to continue." >>$templog
    echo "Sophos Anti Virus was NOT updated." >>$templog
    logger
    mailer
    exit 3
}

error_temp2() {
    echo "ERROR:" >>$templog
    echo "Unable to remove temporary directory '$tmp'." >>$templog
    logger
    mailer
    exit 3
}

error_download() {
    echo "ERROR:" >>$templog
    echo "Unable to download '$downloadfile' ." >>$templog
    echo "Unable to continue." >>$templog
    echo "Sophos Anti Virus was NOT updated." >>$templog
    echo "If you are using a proxy server, ensure that you have the correct entries in 'wgetrc'" >>$templog
    logger
    mailer
    exit 4
}

error_tar() {
    echo "ERROR:" >>$templog
    echo "Unable to extract files from '$downloadfile'." >>$templog
    echo "Unable to continue." >>$templog
    echo "Sophos Anti Virus was NOT updated." >>$templog
    logger
    mailer
    exit 5
}

error_install() {
    errno=`echo $?`
    echo "ERROR: $errno" >>$templog
    echo "An error occured during installation." >>$templog
    echo "Unable to continue." >>$templog
    echo "Sophos Anti Virus was NOT updated." >>$templog
    logger
    mailer
    exit 6
}

########
# MAIN #
########
mmsmtptest
if [ ! -d /var/log/sophos ]; then
    mkdir /var/log/sophos >/dev/null || error_temp
fi
if [ ! -f /etc/savupd.cfg ]; then
    create_cfg
fi
if [ ! -f /etc/savupd.cron ]; then
    create_cron
fi
ld_var
chk_sysfile
chk_tfile
which_file
mktmp
dload
xtract
instal
tstamp
#rmtmp
if [ $flag -eq 0 ]; then
    fupd=1
    flag=1
    downloadfile='ides.zip'
    dload
    xtract
    tstamp
    # rmtmp
fi
logger
mailer

From ssilva at sgvwater.com Thu Oct 12 22:15:23 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 12 23:15:29 2006
Subject: Preferred MTA?
In-Reply-To: <452EA660.80001@rogers.com>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D33F@UBIMAIL1.ubisoft.org> <452EA660.80001@rogers.com>
Message-ID:

Mike Jakubik spake the following on 10/12/2006 1:32 PM:
> Daniel Maher wrote:
>> For my money, qmail is the way to go. That said, MailScanner doesn't
>> officially support qmail, so even though it's arguably the best MTA
>> out there right now, you'll likely have to pass it by if you want to
>> continue leveraging MailScanner as a platform.
>>
>> One might be able to infer from my previous statement that I'm
>> somewhat anti-sendmail. I don't deny it. :) What I will say,
>> however, is that one of the advantages that sendmail /does/ have over
>> qmail is that there is an absolute tonne of 3rd party add-ons, support
>> modules, and so forth out there for it.
>>
>
>
> That's because qmail is an obsolete and unmaintained (what, 8 years old
> now?) POS MTA.
>
>

Ding Ding Ding!!!
Fighters, shake hands, and at the bell come out fighting!!
Ding!!!!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From richard.siddall at elirion.net Thu Oct 12 23:14:31 2006
From: richard.siddall at elirion.net (Richard Siddall)
Date: Thu Oct 12 23:16:37 2006
Subject: spam after mailscanner what next? {Scanned}
In-Reply-To: <452BA747.3000905@ecs.soton.ac.uk>
References: <452B8C57.1030207@rcwm.com> <452BA747.3000905@ecs.soton.ac.uk>
Message-ID: <452EBE47.1040106@elirion.net>

Julian Field wrote:
[snip]
> ClamAV for phishing detection (most effective in US, it appears)
[snip]
> What else have I forgotten?
[snip]

There's the SaneSecurity supplemental database for ClamAV. It's not as conservative as the official ClamAV phishing signatures.

I'm also unsure if
> All other SA plugins mentioned in /etc/mail/spamassassin/*.pre
includes the image OCR plug-ins.

Regards,

Richard Siddall

From itdept at fractalweb.com Thu Oct 12 23:38:03 2006
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Oct 12 23:38:30 2006
Subject: spam getting through without even being checked
In-Reply-To: <452E9DC2.8040608@pacific.net>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net>
Message-ID: <452EC3CB.9080707@fractalweb.com>

Ken A wrote:
> did you disable sendmail?
>
> chkconfig sendmail off
> service sendmail stop
>

Ken,

I think you're on to something. That said, if I turn off sendmail, then my machine stops listening for incoming connections on port 25.

One hint as to what might be going on would be what I see when I start up sendmail with a "service sendmail start":

Starting sendmail: [ OK ]
Starting sm-client: [ OK ]

This seems unusual to me. I've looked through the sendmail_app_init file in /etc/rc.d/init.d but honestly, shell scripting isn't my thing (so not exactly sure what I'm looking at). Any thoughts?

Chris

From ka at pacific.net Thu Oct 12 23:47:42 2006
From: ka at pacific.net (Ken A)
Date: Thu Oct 12 23:45:54 2006
Subject: spam getting through without even being checked
In-Reply-To: <452EC3CB.9080707@fractalweb.com>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com>
Message-ID: <452EC60E.2080403@pacific.net>

Chris Yuzik wrote:
> Ken A wrote:
>> did you disable sendmail?
>>
>> chkconfig sendmail off
>> service sendmail stop
>>
> Ken,
>
> I think you're on to something. That said, if I turn off sendmail, then
> my machine stops listening for incoming connections on port 25.

Try restarting MailScanner AFTER you issue the two commands above. It should start incoming and outgoing sendmail processes.

If you installed from the MailScanner rpm, you should have seen these instructions at the end of the install process telling you to disable sendmail with the commands above (not sure about the tar.gz), since the MailScanner init script handles starting and stopping sendmail processes after MailScanner is installed.

If you have your original sendmail init script still running, it may claim port 25 and so the one that MailScanner tries to start is unable to bind to the port. See your /var/log/maillog for sendmail errors about this.

Ken
Pacific.Net

> One hint as to what might be going on would be what I see when I start
> up sendmail with a "service sendmail start":
>
> Starting sendmail: [ OK ]
> Starting sm-client: [ OK ]
>
>
> This seems unusual to me. I've looked through the sendmail_app_init file
> in /etc/rc.d/init.d but honestly, shell scripting isn't my thing (so not
> exactly sure what I'm looking at). Any thoughts?
>
> Chris
>
>

From paul at welshfamily.com Fri Oct 13 00:44:59 2006
From: paul at welshfamily.com (Paul Welsh)
Date: Fri Oct 13 00:45:10 2006
Subject: URIBL not as effective as it was
In-Reply-To: <2BD3058086A2A44896622E7CB3720BC2AFBB70@DRIFTWOOD.corporate.paccoast.com>
Message-ID: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie>

This time last year I could rely on the URIBL family of anti-spam measures within spamassassin to detect loads of spam very reliably. Examples include:

URIBL_SC_SURBL
URIBL_AB_SURBL
URIBL_WS_SURBL
URIBL_SBL
URIBL_OB_SURBL
URIBL_WS_SURBL

Seems to me these are far less effective than they were (they aren't showing up as much). Can anyone confirm this from their own experience?

From michele at blacknight.ie Fri Oct 13 00:58:17 2006
From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie)
Date: Fri Oct 13 00:58:25 2006
Subject: URIBL not as effective as it was
In-Reply-To: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie>
References: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie>
Message-ID: <452ED699.4030700@blacknight.ie>

Paul Welsh wrote:
> This time last year I could rely on the URIBL family of anti-spam measures
> within spamassassin to detect loads of spam very reliably. Examples
> include:
>
> URIBL_SC_SURBL
> URIBL_AB_SURBL
> URIBL_WS_SURBL
> URIBL_SBL
> URIBL_OB_SURBL
> URIBL_WS_SURBL
>
> Seems to me these are far less effective than they were (they aren't showing
> up as much). Can anyone confirm this from their own experience?
>

Short answer - no

I've found that no single solution will be effective on its own

Things to consider:

geoip - our stats show that certain countries are more likely to be sources of spam - scoring based on that helps
mta level blocks - spamhaus-xbl is very effective
greylisting - works wonders
milter-ahead - very handy
image spam - there are sa plugins to help with this

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From mkettler at evi-inc.com Fri Oct 13 01:06:10 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Oct 13 01:06:27 2006
Subject: URIBL not as effective as it was
In-Reply-To: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie>
References: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie>
Message-ID: <452ED872.40200@evi-inc.com>

Paul Welsh wrote:
> This time last year I could rely on the URIBL family of anti-spam measures
> within spamassassin to detect loads of spam very reliably. Examples
> include:
>
> URIBL_SC_SURBL
> URIBL_AB_SURBL
> URIBL_WS_SURBL
> URIBL_SBL
> URIBL_OB_SURBL
> URIBL_WS_SURBL
>
> Seems to me these are far less effective than they were (they aren't showing
> up as much). Can anyone confirm this from their own experience?
>

Yes, they are less effective than they were. And this is in general true for
*ALL* groups of spamassassin rules.

As time goes on, spammers change their methods to try to evade SA. The more
time goes on, the less effective a given kind of rule will be as spammers get
better at evasion.

That's why SpamAssassin development continues. Spam changes, constantly, and
in direct reaction to what spam filters are looking for. If spammers didn't
keep changing, URIBLs would have never been made because razor would be a
perfect permanent solution.

Of course, URIBL's aren't useless. But they are hitting a lower percentage of
the spam than they did last year.

The current "hot trend" in spam is to send an embedded gif picture of your
spam ad. These messages have no URI's in them, just a picture of one so
there's nothing for URIBL to detect. (unless someone re-does the OCR plugin to
call URIBLs).

This is most popular in stock spams, which never had URIs, but it's also
present in pill spams, which do have URIs but are now undetected by URIBL's.

Of course, these messages have a lower return for the spammers. Since there's
no URI to click, someone's going to have to manually re-type the domain to get
to the spamvertized site. Fewer people are willing to do this, so these ads
are less effective. These messages are also larger in size, so spammers can
send fewer of them per hour.

From paul at welshfamily.com Fri Oct 13 01:47:14 2006
From: paul at welshfamily.com (Paul Welsh)
Date: Fri Oct 13 01:47:29 2006
Subject: Which spam stats package?
In-Reply-To: <2BD3058086A2A44896622E7CB3720BC2AFBB70@DRIFTWOOD.corporate.paccoast.com>
Message-ID: <200610130047.k9D0lR1o006092@bkserver.blacknight.ie>

I'm looking for a package to report on spam stats. In particular I'd like to
know which spamassassin categories have had most hits.

I know of Vispan (http://www.while.org.uk/mailstats/), MailWatch
(http://mailwatch.sourceforge.net/doku.php) and mailscanner-mrtg
(http://sourceforge.net/projects/mailscannermrtg).

Any others? Recommendations?

From itdept at fractalweb.com Fri Oct 13 03:43:32 2006
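The mechanism described in Matt Kettler's reply above (a URIBL rule can only look up URIs that appear as text, so an image-only message gives it nothing to query), as an added example that is not part of any list post. The function names and both sample messages are constructed; the registered-domain step is simplified to the last two labels, the zone is passed as a parameter, and no DNS query is made.

```python
import re
from email import message_from_string

# Hostname part of any http/https URI found in decoded text.
URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: classic text spam with a clickable URI.
TEXT_SPAM = """\
From: sender@mail.example
Subject: cheap pills
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Order today at http://www.pills.example/buy?id=1
"""

# Constructed sample: the advert is a GIF; the HTML part only references it.
IMAGE_SPAM = """\
From: sender@mail.example
Subject: stock tip
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:ad1"></body></html>
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <ad1>

R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==
--b1--
"""


def uri_hosts(raw):
    """Return the set of hostnames found in the text/* parts of a message."""
    hosts = set()
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # image/gif and friends: bytes, not a URI to look up
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        hosts.update(h.lower().rstrip(".") for h in URI_RE.findall(text))
    return hosts


def registered_domain(host):
    """Simplification (assumption): treat the last two labels as the domain."""
    return ".".join(host.split(".")[-2:])


def uribl_queries(raw, zone="multi.surbl.org"):
    """DNS names a URI blocklist check would look up for this message."""
    return sorted({"%s.%s" % (registered_domain(h), zone) for h in uri_hosts(raw)})


def image_without_uri(raw):
    """True when a message carries an image part but no URI to look up."""
    parts = message_from_string(raw).walk()
    has_image = any(p.get_content_maintype() == "image" for p in parts)
    return has_image and not uri_hosts(raw)


if __name__ == "__main__":
    for name, raw in (("text spam", TEXT_SPAM), ("image spam", IMAGE_SPAM)):
        print(name, uribl_queries(raw), "image-only:", image_without_uri(raw))
```

A message for which `image_without_uri` is true has to be scored by other rules (image or OCR plugins, MTA-level blocks, greylisting), as the replies in this thread suggest.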
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Oct 13 03:43:45 2006
Subject: spam getting through without even being checked
In-Reply-To: <452EC60E.2080403@pacific.net>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net>
Message-ID: <452EFD54.7040705@fractalweb.com>

Ken A wrote:
> Try restarting MailScanner AFTER you issue the two commands above. It
> should start incoming and outgoing sendmail processes.
>
> If you installed from the MailScanner rpm, you should have seen these
> instructions at the end of the install process telling you to disable
> sendmail with the commands above (not sure about the tar.gz), since
> the MailScanner init script handles starting and stopping sendmail
> processes after MailScanner is installed.
>
> If you have your original sendmail init script still running, it may
> claim port 25 and so the one that MailScanner tries to start is unable
> to bind to the port.. See your /var/log/maillog for sendmail errors
> about this.

Hi Ken,

I installed from the RPM, but this server is a bit unusual because it's
running the Ensim control panel, so not sure if everything is "by the book".

I tried shutting down sendmail, then restarting MailScanner, but nothing
started listening on port 25 until I started up sendmail again. When
MailScanner starts, even if sendmail is stopped it says nothing about
sendmail, so something must be wrong. Not sure what to try or what to
investigate next.

In my MailScanner.conf file, the following might give a hint:

MTA = sendmail
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail -ODeliveryMode=background -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned

Thanks,
Chris

From pete at enitech.com.au Fri Oct 13 07:27:40 2006
From: pete at enitech.com.au (Peter Russell)
Date: Fri Oct 13 07:27:52 2006
Subject: Mail Logs (OT)
Message-ID: <452F31DC.50406@enitech.com.au>

Hi there, i have mailscanner, postfix, and mailwatch.

What i would like to be able to easily see is all of the mail stats.
Because we block a lot of mail at the MTA using recipient maps we have
heaps of stats in the maillog that don't make it to mailwatch.

Is there any tool that will show me all of the spam, high spam, viruses,
rejected by MTA and delivered type stats?

From res at ausics.net Fri Oct 13 08:09:19 2006
From: res at ausics.net (Res)
Date: Fri Oct 13 08:09:26 2006
Subject: permissions error in current stable?
Message-ID:

Jules,

/opt/MailScanner-4.56.8/bin# ls -la upgrade_MailScanner_conf
-rw-r--r-- 1 root root 8608 2006-09-30 21:45 upgrade_MailScanner_conf

any reason this is all of a sudden not executable in the tar source ?

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd

From martinh at solidstatelogic.com Fri Oct 13 09:30:23 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 13 09:30:38 2006
Subject: URIBL not as effective as it was
In-Reply-To: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie>
References: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie>
Message-ID: <452F4E9F.7060001@solidstatelogic.com>

Paul Welsh wrote:
> This time last year I could rely on the URIBL family of anti-spam measures
> within spamassassin to detect loads of spam very reliably. Examples
> include:
>
> URIBL_SC_SURBL
> URIBL_AB_SURBL
> URIBL_WS_SURBL
> URIBL_SBL
> URIBL_OB_SURBL
> URIBL_WS_SURBL
>
> Seems to me these are far less effective than they were (they aren't showing
> up as much). Can anyone confirm this from their own experience?
>
Paul

try black and grey from http://www.uribl.com/...

I think these are included in 'modern' spam.assassin.prefs.conf on
MailScanner, but I'm not sure..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From martinh at solidstatelogic.com Fri Oct 13 09:35:39 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 13 09:35:57 2006
Subject: OT: Preferred MTA?
In-Reply-To: <452E9482.6050307@USherbrooke.ca>
References: <452E9482.6050307@USherbrooke.ca>
Message-ID: <452F4FDB.1020304@solidstatelogic.com>

Denis Beauchemin wrote:
> Hello all,
>
> I have been asked to evaluate what would be needed to turn our internal
> mail hubs into secured ones. Since I always had trouble with sendmail's
> documentation, I was thinking about switching to another MTA.
>
> We currently use many sendmail features such as greet_pause,
> conncontrol, ratecontrol and milter-greylist. We have multiple domains
> and use LDAP for final delivery address resolution. And of course, MS
> must blend just fine with the MTA.
>
> What other MTA would give me those features with less headaches whenever
> I need to change things? Exim? Postfix? others?
>
> I couldn't find a greylisting for Exim that shares its state table
> between multiple MX... but I think PF could use my existing
> milter-greylist as is...
>
> As for ease of configuration and quality of documentation, which do you
> recommend?
>
> Do you recommend using a HW load balancer (and SSL accelerator) in front
> of my servers? How about Cisco's?
>
> Thanks!
>
> Denis
>
Denis

My vote is for exim, wonderful support (a bit like MailScanner :-), no
political problems and a very knowledgeable community.

Config syntax is easy, and it's very configurable...

No idea about loadbalancers..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From dhawal at netmagicsolutions.com Fri Oct 13 09:42:22 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Oct 13 09:42:38 2006
Subject: URIBL not as effective as it was
In-Reply-To: <452F4E9F.7060001@solidstatelogic.com>
References: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie> <452F4E9F.7060001@solidstatelogic.com>
Message-ID: <452F516E.5080408@netmagicsolutions.com>

Martin Hepworth wrote:
> Paul Welsh wrote:
>> This time last year I could rely on the URIBL family of anti-spam
>> measures
>> within spamassassin to detect loads of spam very reliably. Examples
>> include:
>>
>> URIBL_SC_SURBL
>> URIBL_AB_SURBL
>> URIBL_WS_SURBL
>> URIBL_SBL
>> URIBL_OB_SURBL
>> URIBL_WS_SURBL
>>
>> Seems to me these are far less effective than they were (they aren't
>> showing
>> up as much). Can anyone confirm this from their own experience?
>>
> Paul
>
> try black and grey from http://www.uribl.com/...
>
> I think these are included in 'modern' spam.assassin.prefs.conf on
> MailScanner, but I'm not sure..

URIBL rules are also included in 25_uribl.cf (if you use sa-update)..
however i noticed they weren't being used by default (maybe a
configuration error on my test server). i had to manually add the
BLACK/GREY from 25_uribl.cf to mailscanner.cf. Strangely SURBL and
URIBL_SBL continued to work as usual.

If someone can confirm the same behavio(u)r, i will file a bugzilla
report for SA.

- dhawal

From stef at aoc-uk.com Fri Oct 13 09:53:57 2006
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri Oct 13 09:54:05 2006
Subject: Logwatch Update
Message-ID: <120103F0F5EC264097BC0A06EC9D026A0111BE50@pardessus.aoc-uk.com>

Hi Mike,

> We keep a mirror here http://logwatch.vanderkooij.org/
>
> No idea what is going on with logwatch.org site seems down
> [so is cvs access so I suspect something bad ;) ]

I caught the above on the MailScanner list - but it looks as though the
FTP site is down, so I guess you aren't wrong in your suspicion of
"something bad".

Do you know if 7.3.1 is available for download elsewhere? All roads seem
to lead back to ftp.kaybee.org which is unresponsive.

Thanks

Stef

Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

From drew at technologytiger.net Fri Oct 13 10:00:12 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Fri Oct 13 10:00:26 2006
Subject: Mail Logs (OT)
In-Reply-To: <452F31DC.50406@enitech.com.au>
References: <452F31DC.50406@enitech.com.au>
Message-ID: <42216.194.70.180.170.1160730012.squirrel@www.technologytiger.net>

On Fri, October 13, 2006 07:27, Peter Russell wrote:
> Hi there, i have mailscanner, postfix, and mailwatch.
>
> What i would like to be able to easily see is all of the mail stats.
> Because we block a lot of mail at the MTA using recipient maps we have
> heaps of stats in the maillog that don't make it to mailwatch.
>
> Is there any tool that will show me all of the spam, high spam, viruses,
> rejected by MTA and delivered type stats?

Have a look at pflogsumm http://jimsun.linxnet.com/postfix_contrib.html

There are others listed at http://www.postfix.org/addon.html which might
also give you the details you want.

Drew

From wjohns at balita.ph Fri Oct 13 10:00:47 2006
From: wjohns at balita.ph (Wayne)
Date: Fri Oct 13 10:00:53 2006
Subject: In Log Watch
In-Reply-To: <452F516E.5080408@netmagicsolutions.com>
References: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie> <452F4E9F.7060001@solidstatelogic.com> <452F516E.5080408@netmagicsolutions.com>
Message-ID: <200610130900.k9D90lrn000397@balita.ph>

Noticed this on the daily log ...

Config Error: Cannot match against destination IP address when resolving
configuration option "spamwhitelist" : 290 Time(s)

Have checked the whitelist conf cannot see an IP address listed.

Any ideas ....

Glenn thanks for help on previous problem your advice seems to have cured
things.

Regards
Wayne

--
This message has been scanned for viruses and
dangerous content by Balita MailScanner, and is
believed to be clean.

From drew at technologytiger.net Fri Oct 13 10:22:09 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Fri Oct 13 10:22:27 2006
Subject: OT: Preferred MTA?
In-Reply-To: <452E9482.6050307@USherbrooke.ca>
References: <452E9482.6050307@USherbrooke.ca>
Message-ID: <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net>

On Thu, October 12, 2006 20:16, Denis Beauchemin wrote:
> Hello all,
>
> I have been asked to evaluate what would be needed to turn our internal
> mail hubs into secured ones. Since I always had trouble with sendmail's
> documentation, I was thinking about switching to another MTA.
>
> We currently use many sendmail features such as greet_pause,
> conncontrol, ratecontrol and milter-greylist. We have multiple domains
> and use LDAP for final delivery address resolution. And of course, MS
> must blend just fine with the MTA.
>
> What other MTA would give me those features with less headaches whenever
> I need to change things? Exim? Postfix? others?
>
> I couldn't find a greylisting for Exim that shares its state table
> between multiple MX... but I think PF could use my existing
> milter-greylist as is...
>
> As for ease of configuration and quality of documentation, which do you
> recommend?

Another vote for Postfix here. Easy to control, large feature set built in
(sender & recipient address verification for example), integrates with
just about any database driven user list, mailing lists are no problem,
built in self protection with rate limiting etc, secure and very quick,
with 2.3.x milters can be used and just about any program can be piped to.

Oh, the killer app for me is no 'constant' rebuilding of a file I don't
understand and I have never had to patch a Postfix install due to a
security flaw/ alert :-)

But I am biased...

>
> Do you recommend using a HW load balancer (and SSL accelerator) in front
> of my servers? How about Cisco's?

Really can't comment but I would be interested to hear others' thoughts too.

Drew

From colin at mainline.co.uk Fri Oct 13 10:23:38 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Fri Oct 13 10:22:57 2006
Subject: Whitelist rules
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mikea
> Sent: Thursday, October 12, 2006 7:53 PM
> To: MailScanner discussion
> Subject: Re: Whitelist rules
>
> On Thu, Oct 12, 2006 at 06:44:47PM +0100, Colin Jack wrote:
>
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info
> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> > > Joost Waversveld
> > > Sent: Thursday, October 12, 2006 3:07 PM
> > > To: MailScanner discussion
> > > Subject: Re: Whitelist rules
> > >
> > > No, you're wrong... ;-) You can use wildcards just the
> way you said.
> > >
> > > Keep in mind that the mail will get scanned, but will be
> delivered
> > > as normal, regardless of the score the message get.
> > >
> > > Regards,
> > >
> > > Joost Waversveld
> > >
> > > Colin Jack wrote:
> > > > Please could someone give me a pointer
> > > >
> > > > I want to allow all mail for particular domain through
> > > without being
> > > > scanned.
> > > > Am I right in saying that I cannot use wildcards in the
> > > > spam.whitelist.rules like
> > > >
> > > > FromOrTo: *@domain.com yes
> > > >
> > > > If so, how do I do it?
> > > >
> > > > Many thanks
> > > >
> > > > Colin
>
> > Thanks ... well that makes life easier :)
> >
> > They are particularly keen that their mail shouldn't be
> {disarmed} ...
> > will this work this way?
>
> That's what I see here: whitelisted mail gets scanned, but
> there are no changes made to the mail, possibly excepting an
> additional header.
>
> --
> Mike Andrews, W5EGO
> mikea@mikea.ath.cx
> Tired old sysadmin
> --

Okay ... that's cool ... except

I did that last night and then this morning I had clients complaining
that the server was very slow and a quick 'ps aux' showed hundreds of
procmail processes for this particular domain just sitting there!!

Commented out the change and restarted MailScanner and all okay again?
Any ideas?

Thanks

Colin

From Mailscanner at mailing.kaufland-informationssysteme.com Fri Oct 13 10:26:52 2006
From: Mailscanner at mailing.kaufland-informationssysteme.com (Matthias Sutter)
Date: Fri Oct 13 10:26:53 2006
Subject: Exim with Mailscanner and retry problem
In-Reply-To: <452E4BBD.7070500@solidstatelogic.com>
References: <452E40C8.6000007@mailing.kaufland-informationssysteme.com> <452E4BBD.7070500@solidstatelogic.com>
Message-ID: <452F5BDC.8000201@mailing.kaufland-informationssysteme.com>

Martin Hepworth wrote:

> Matthias Sutter wrote:
>
>> Hello,
>>
>> I use Mailscanner with Exim and now we get some problems with
>> graylisting.
>> Is it correct that the Mailscanner start the exim outgoing daemon?
>> Because I set in the initscript / sysconfig /Mailscanner the option
>> -q10m but we do not see an retry attempt ...
>>
>> Can somebody help me how give the exim the retry option ?
>>
>> Thanks a lot
>>
>> Matthias Sutter
>>
>>
>>
> Matthias
>
> Depends on how you installed MailScanner, from the rpm, the tarball????
>
> Normally editing the MTA startup script is up to you I think??
>
Martin

I installed Mailscanner as rpm and exim from the tarball.

Do you mean the Mailscanner startup script ?
This is the exim outgoing section from the mailscanner script ....

elif [ $MTA = 'exim' ]; then
startproc -p $srvpid $EXIM -C $EXIMOUTCF -bd -q10m 2> /dev/null
rc_status
fi

But I have no running daemon ...
Should there a process - or is the process view correct ?

18862 ? Ss 0:00 /opt/exim/bin/exim -C /opt/exim/configure.in -bd
31168 ? S 0:00 \_ /opt/exim/bin/exim -C /opt/exim/configure.in -bd
31792 ? S 0:00 \_ /opt/exim/bin/exim -C /opt/exim/configure.in -bd
31955 ? S 0:00 \_ /opt/exim/bin/exim -C /opt/exim/configure.in -bd
18887 ? Ss 0:00 MailScanner: master waiting for children, sleeping
18888 ? S 0:32 \_ MailScanner: waiting for messages
31776 ? Z 0:00 | \_ [MailScanner]
18927 ? S 0:32 \_ MailScanner: waiting for messages
31873 ? Z 0:00 | \_ [MailScanner]
18946 ? S 0:40 \_ MailScanner: waiting for messages
31850 ? Z 0:00 | \_ [MailScanner]
18961 ? S 0:30 \_ MailScanner: waiting for messages
19003 ? R 0:35 \_ MailScanner: scanning for filenames and filetypes
31988 ? Zs 0:00 | \_ [file]
19050 ? S 0:29 \_ MailScanner: virus scanning
31973 ? Rs 0:00 | \_ /usr/local/Sophos/bin/sweep -sc -f -all -rec ss -archive -cab -loopback --no-follow-symlinks --no-reset-atime -TNEF .
19099 ? S 0:34 \_ MailScanner: waiting for messages
31772 ? Z 0:00 | \_ [MailScanner]
19150 ? S 0:35 \_ MailScanner: virus scanning
31972 ? Rs 0:01 | \_ /usr/local/Sophos/bin/sweep -sc -f -all -rec ss -archive -cab -loopback --no-follow-symlinks --no-reset-atime -TNEF .
19170 ? S 0:39 \_ MailScanner: waiting for messages
19183 ? S 0:40 \_ MailScanner: waiting for messages
31740 ? Z 0:00 \_ [MailScanner]
18891 ? S 0:04 MailWatch SQL
28887 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv 1GYITd-0007Pv-5N 1GYITb-0007PK-S5 1GYITd-0007Py
31989 ? S 0:00 \_ /opt/exim/bin/exim -C /opt/exim/configure.out -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv 1GYITd-0007Pv-5N 1GYITb-0007PK-S5 1GYITd-00
31990 ? S 0:00 \_ /opt/exim/bin/exim -C /opt/exim/configure.out -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv 1GYITd-0007Pv-5N 1GYITb-0007PK-S5 1GYIT
28989 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08 1GYITj-0007Ri-MY 1GYITg-0007R0-T8 1GYITl-0007Re
31935 ? S 0:00 \_ /opt/exim/bin/exim -C /opt/exim/configure.out -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08 1GYITj-0007Ri-MY 1GYITg-0007R0-T8 1GYITl-00
31937 ? S 0:00 \_ /opt/exim/bin/exim -C /opt/exim/configure.out -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08 1GYITj-0007Ri-MY 1GYITg-0007R0-T8 1GYIT
31920 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out -Mc 1GYIZ0-0008IL-Ly 1GYIZ1-0008IU-Gu 1GYIZ0-0008ID-FM
31947 ? S 0:00 \_ /opt/exim/bin/exim -C /opt/exim/configure.out -Mc 1GYIZ0-0008IL-Ly 1GYIZ1-0008IU-Gu 1GYIZ0-0008ID-FM

From martinh at solidstatelogic.com Fri Oct 13 10:44:05 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 13 10:44:23 2006
Subject: Whitelist rules
In-Reply-To:
References:
Message-ID: <452F5FE5.3010909@solidstatelogic.com>

Colin Jack wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mikea
>> Sent: Thursday, October 12, 2006 7:53 PM
>> To: MailScanner discussion
>> Subject: Re: Whitelist rules
>>
>> On Thu, Oct 12, 2006 at 06:44:47PM +0100, Colin Jack wrote:
>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces@lists.mailscanner.info
>>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>>>> Joost Waversveld
>>>> Sent: Thursday, October 12, 2006 3:07 PM
>>>> To: MailScanner discussion
>>>> Subject: Re: Whitelist rules
>>>>
>>>> No, you're wrong... ;-) You can use wildcards just the
>> way you said.
>>>> Keep in mind that the mail will get scanned, but will be
>> delivered
>>>> as normal, regardless of the score the message get.
>>>>
>>>> Regards,
>>>>
>>>> Joost Waversveld
>>>>
>>>> Colin Jack wrote:
>>>>> Please could someone give me a pointer
>>>>>
>>>>> I want to allow all mail for particular domain through
>>>> without being
>>>>> scanned.
>>>>> Am I right in saying that I cannot use wildcards in the
>>>>> spam.whitelist.rules like
>>>>>
>>>>> FromOrTo: *@domain.com yes
>>>>>
>>>>> If so, how do I do it?
>>>>>
>>>>> Many thanks
>>>>>
>>>>> Colin
>>> Thanks ... well that makes life easier :)
>>>
>>> They are particularly keen that their mail shouldn't be
>> {disarmed} ...
>>> will this work this way?
>> That's what I see here: whitelisted mail gets scanned, but
>> there are no changes made to the mail, possibly excepting an
>> additional header.
>>
>> --
>> Mike Andrews, W5EGO
>> mikea@mikea.ath.cx
>> Tired old sysadmin
>> --
>
> Okay ... that's cool ... except
>
> I did that last night and then this morning I had clients complaining
> that the server was very slow and a quick 'ps aux' showed hundreds of
> procmail processes for this particular domain just sitting there!!
>
> Commented out the change and restarted MailScanner and all okay again?
> Any ideas?
>
> Thanks
>
> Colin
>

Procmail????? that's way after MS has anything to do with the email..

I'd check the procmail rules...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Fri Oct 13 10:50:39 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 13 10:50:49 2006
Subject: Exim with Mailscanner and retry problem
In-Reply-To: <452F5BDC.8000201@mailing.kaufland-informationssysteme.com>
References: <452E40C8.6000007@mailing.kaufland-informationssysteme.com> <452E4BBD.7070500@solidstatelogic.com> <452F5BDC.8000201@mailing.kaufland-informationssysteme.com>
Message-ID: <452F616F.2070302@solidstatelogic.com>

Matthias Sutter wrote:
> Martin Hepworth wrote:
>
>> Matthias Sutter wrote:
>>
>>> Hello,
>>>
>>> I use Mailscanner with Exim and now we get some problems with
>>> graylisting.
>>> Is it correct that the Mailscanner start the exim outgoing daemon?
>>> Because I set in the initscript / sysconfig /Mailscanner the option
>>> -q10m but we do not see an retry attempt ...
>>>
>>> Can somebody help me how give the exim the retry option ?
>>>
>>> Thanks a lot
>>>
>>> Matthias Sutter
>>>
>>>
>>>
>> Matthias
>>
>> Depends on how you installed MailScanner, from the rpm, the tarball????
>>
>> Normally editing the MTA startup script is up to you I think??
>>
> Martin
>
> I installed Mailscanner as rpm and exim from the tarball.
>
> Do you mean the Mailscanner startup script ?
> This is the exim outgoing section from the mailscanner script ....
>
> elif [ $MTA = 'exim' ]; then
> startproc -p $srvpid $EXIM -C $EXIMOUTCF -bd -q10m 2> /dev/null
> rc_status
> fi
>
> But I have no running daemon ...
> Should there a process - or is the process view correct ?
>
> 18862 ? Ss 0:00 /opt/exim/bin/exim -C /opt/exim/configure.in -bd
> 31168 ? S 0:00 \_ /opt/exim/bin/exim -C
> /opt/exim/configure.in -bd
> 31792 ? S 0:00 \_ /opt/exim/bin/exim -C
> /opt/exim/configure.in -bd
> 31955 ? S 0:00 \_ /opt/exim/bin/exim -C
> /opt/exim/configure.in -bd
> 18887 ? Ss 0:00 MailScanner: master waiting for children,
> sleeping
> 18888 ? S 0:32 \_ MailScanner: waiting for messages
> 31776 ? Z 0:00 | \_ [MailScanner]
> 18927 ? S 0:32 \_ MailScanner: waiting for messages
> 31873 ? Z 0:00 | \_ [MailScanner]
> 18946 ? S 0:40 \_ MailScanner: waiting for messages
> 31850 ? Z 0:00 | \_ [MailScanner]
> 18961 ? S 0:30 \_ MailScanner: waiting for messages
> 19003 ? R 0:35 \_ MailScanner: scanning for filenames and
> filetypes
> 31988 ? Zs 0:00 | \_ [file]
> 19050 ? S 0:29 \_ MailScanner: virus scanning
> 31973 ? Rs 0:00 | \_ /usr/local/Sophos/bin/sweep -sc -f
> -all -rec ss -archive -cab -loopback --no-follow-symlinks
> --no-reset-atime -TNEF .
> 19099 ? S 0:34 \_ MailScanner: waiting for messages
> 31772 ? Z 0:00 | \_ [MailScanner]
> 19150 ? S 0:35 \_ MailScanner: virus scanning
> 31972 ? Rs 0:01 | \_ /usr/local/Sophos/bin/sweep -sc -f
> -all -rec ss -archive -cab -loopback --no-follow-symlinks
> --no-reset-atime -TNEF .
> 19170 ? S 0:39 \_ MailScanner: waiting for messages
> 19183 ? S 0:40 \_ MailScanner: waiting for messages
> 31740 ? Z 0:00 \_ [MailScanner]
> 18891 ? S 0:04 MailWatch SQL
> 28887 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out
> -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv 1GYITd-0007Pv-5N 1GYITb-0007PK-S5
> 1GYITd-0007Py
> 31989 ? S 0:00 \_ /opt/exim/bin/exim -C
> /opt/exim/configure.out -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv
> 1GYITd-0007Pv-5N 1GYITb-0007PK-S5 1GYITd-00
> 31990 ? S 0:00 \_ /opt/exim/bin/exim -C
> /opt/exim/configure.out -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv
> 1GYITd-0007Pv-5N 1GYITb-0007PK-S5 1GYIT
> 28989 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out
> -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08 1GYITj-0007Ri-MY 1GYITg-0007R0-T8
> 1GYITl-0007Re
> 31935 ? S 0:00 \_ /opt/exim/bin/exim -C
> /opt/exim/configure.out -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08
> 1GYITj-0007Ri-MY 1GYITg-0007R0-T8 1GYITl-00
> 31937 ? S 0:00 \_ /opt/exim/bin/exim -C
> /opt/exim/configure.out -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08
> 1GYITj-0007Ri-MY 1GYITg-0007R0-T8 1GYIT
> 31920 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out
> -Mc 1GYIZ0-0008IL-Ly 1GYIZ1-0008IU-Gu 1GYIZ0-0008ID-FM
> 31947 ? S 0:00 \_ /opt/exim/bin/exim -C
> /opt/exim/configure.out -Mc 1GYIZ0-0008IL-Ly 1GYIZ1-0008IU-Gu
> 1GYIZ0-0008ID-FM
>
>
>

hmm my outgoing exim is started like this..

/usr/local/sbin/exim -q15m -C /usr/local/etc/exim/configure.out -oP /var/run/eximout.pid

NB: NO -bd (otherwise it will daemonise itself and listen on port 25!).
-oP to tell it to write the PID to a different file.

Also my configure.out has the log file locations pointing at a different
place so I can see what the inbound and outbound exim's are doing with
ease (ie hmm that log entry is it for the inbound or outbound exim????)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From brent.addis at pronet.co.nz Fri Oct 13 10:51:45 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Fri Oct 13 10:52:21 2006
Subject: Exim with Mailscanner and retry problem
In-Reply-To: <452E40C8.6000007@mailing.kaufland-informationssysteme.com>
References: <452E40C8.6000007@mailing.kaufland-informationssysteme.com>
Message-ID: <452F61B1.7090303@pronet.co.nz>

-q10m means try the queue again every 10 minutes. It doesn't mean resend
the message every 10 minutes.

Check the contents of /etc/exim4/conf.d/retry/30_exim4-config (assuming
you have exim4)

It probably has a default of:

* * F,2h,15m; G,16h,1h,1.5; F,4d,6h

Which specifies retries every 15 minutes for 2 hours, then increasing
retry intervals. Try setting the first retry number down to 10.

Matthias Sutter wrote:
> Hello,
>
> I use Mailscanner with Exim and now we get some problems with
> graylisting.
> Is it correct that the Mailscanner start the exim outgoing daemon?
> Because I set in the initscript / sysconfig /Mailscanner the option
> -q10m but we do not see an retry attempt ...
>
> Can somebody help me how give the exim the retry option ?
>
> Thanks a lot
>
> Matthias Sutter
>
>
> ------------------------------------------------------------------------

From febrianto at sioenasia.com Fri Oct 13 10:59:17 2006
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Fri Oct 13 10:54:41 2006
Subject: Upgrade spamassassin
Message-ID:

Hi,
Today, I just upgraded spamassassin from 3.01 to 3.06 with yum (I'm using
Centos 4.0).
It caused around 30 errors in spamassassin --lint.

Panic.

Then I download the Install-Clam-SA, and do the install... it doing great,
and spamassassin --lint doesn't give me any error.

So, I'm planning to upgrade spamassassin to version 3.1.7 from the source.

Is there any special notes before I begin? Or should I wait for another
upgrade of Install-Clam-SA from MailScanner download page?

Best regards

From colin at mainline.co.uk Fri Oct 13 11:16:40 2006
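The distinction drawn in Brent Addis's reply above (the -q queue-runner interval and the retry rule are separate settings, and a deferred message is only retried by the first queue run after its retry time has passed), as an added example that is not part of any list post. It is a simplified model of the F and G retry parameters as that reply describes them, not Exim's own code; the function names are hypothetical, and it assumes the first failed delivery happens at t=0 and coincides with a queue run.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Parameter part of the default rule quoted in the reply ("* *" omitted).
DEFAULT_RULE = "F,2h,15m; G,16h,1h,1.5; F,4d,6h"


def parse_time(text):
    """Convert a time such as '15m' or '1h30m' to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text))


def parse_retry_rule(params):
    """Parse 'F,2h,15m; G,16h,1h,1.5' into (letter, cutoff, interval, factor)."""
    steps = []
    for part in params.split(";"):
        fields = [f.strip() for f in part.split(",")]
        letter = fields[0]
        if letter not in ("F", "G"):
            raise ValueError("only F and G are modelled here: %r" % part)
        cutoff, interval = parse_time(fields[1]), parse_time(fields[2])
        factor = float(fields[3]) if letter == "G" else 1.0
        steps.append((letter, cutoff, interval, factor))
    return steps


def next_gap(steps, elapsed, last_gap):
    """Gap to the next retry time, or None once the last cutoff has passed."""
    for letter, cutoff, interval, factor in steps:
        if elapsed <= cutoff:
            if letter == "F":
                return interval  # fixed interval
            return max(interval, int(last_gap * factor))  # geometric growth
    return None


def attempt_times(steps, queue_interval, horizon):
    """Seconds after the first failure at which a queue runner really retries.

    Queue runs are modelled at multiples of queue_interval; a message is
    attempted by the first run at or after its retry time.
    """
    attempts, now, gap = [], 0, 0
    while True:
        gap = next_gap(steps, now, gap)
        if gap is None:
            break
        due = now + gap
        run = -(-due // queue_interval) * queue_interval  # round up to a run
        if run > horizon:
            break
        attempts.append(run)
        now = run
    return attempts


if __name__ == "__main__":
    cases = (
        ("-q10m, default rule", DEFAULT_RULE, 600),
        ("-q10m, first step F,2h,10m", "F,2h,10m; G,16h,1h,1.5; F,4d,6h", 600),
        ("-q15m, default rule", DEFAULT_RULE, 900),
    )
    for label, rule, queue in cases:
        minutes = [t // 60 for t in attempt_times(parse_retry_rule(rule), queue, 3600)]
        print("%-30s retries at minutes %s" % (label, minutes))
```

Under this model, -q10m with the 15-minute rule retries a greylisted message only at 20, 40 and 60 minutes, because the retry time falls between two queue runs each time.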
From: colin at mainline.co.uk (Colin Jack)
Date: Fri Oct 13 11:17:13 2006
Subject: Whitelist rules
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Martin Hepworth
> Sent: Friday, October 13, 2006 10:44 AM
> To: MailScanner discussion
> Subject: Re: Whitelist rules
>
> Colin Jack wrote:
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info
> >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> >> mikea
> >> Sent: Thursday, October 12, 2006 7:53 PM
> >> To: MailScanner discussion
> >> Subject: Re: Whitelist rules
> >>
> >> On Thu, Oct 12, 2006 at 06:44:47PM +0100, Colin Jack wrote:
> >>
> >>>> -----Original Message-----
> >>>> From: mailscanner-bounces@lists.mailscanner.info
> >>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> >>>> Joost Waversveld
> >>>> Sent: Thursday, October 12, 2006 3:07 PM
> >>>> To: MailScanner discussion
> >>>> Subject: Re: Whitelist rules
> >>>>
> >>>> No, you're wrong... ;-) You can use wildcards just the
> >> way you said.
> >>>> Keep in mind that the mail will get scanned, but will be
> >> delivered
> >>>> as normal, regardless of the score the message get.
> >>>>
> >>>> Regards,
> >>>>
> >>>> Joost Waversveld
> >>>>
> >>>> Colin Jack wrote:
> >>>>> Please could someone give me a pointer
> >>>>>
> >>>>> I want to allow all mail for particular domain through
> >>>> without being
> >>>>> scanned.
> >>>>> Am I right in saying that I cannot use wildcards in the
> >>>>> spam.whitelist.rules like
> >>>>>
> >>>>> FromOrTo: *@domain.com yes
> >>>>>
> >>>>> If so, how do I do it?
> >>>>>
> >>>>> Many thanks
> >>>>>
> >>>>> Colin
> >>> Thanks ... well that makes life easier :)
> >>>
> >>> They are particularly keen that their mail shouldn't be
> >> {disarmed} ...
> >>> will this work this way?
> >> That's what I see here: whitelisted mail gets scanned, but
> there are
> >> no changes made to the mail, possibly excepting an
> additional header.
> >>
> >> --
> >> Mike Andrews, W5EGO
> >> mikea@mikea.ath.cx
> >> Tired old sysadmin
> >> --
> >
> > Okay ... that's cool ... except
> >
> > I did that last night and then this morning I had clients
> complaining
> > that the server was very slow and a quick 'ps aux' showed
> hundreds of
> > procmail processes for this particular domain just sitting there!!
> >
> > Commented out the change and restarted MailScanner and all
> okay again?
> > Any ideas?
> >
> > Thanks
> >
> > Colin
> >
>
> Procmail????? that's way after MS has anything to do with the email..
>
> I'd check the procmail rules...
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

Okay thanks ... just seemed odd that it was only this domain which seemed
to be having problems. Probably a coincidence ... I will check it out.

Regards

Colin

From martinh at solidstatelogic.com Fri Oct 13 11:18:56 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 13 11:19:09 2006
Subject: Upgrade spamassassin
In-Reply-To:
References:
Message-ID: <452F6810.5040008@solidstatelogic.com>

Budi Febrianto wrote:
> Hi,
> Today, I just upgraded spamassassin from 3.01 to 3.06 with yum (I'm using
> Centos 4.0).
> It caused around 30 errors in spamassassin --lint.
>
> Panic.
>
> Then I download the Install-Clam-SA, and do the install... it doing great,
> and spamassassin --lint doesn't give me any error.
>
> So, I'm planning to upgrade spamassassin to version 3.1.7 from the source.
>
> Is there any special notes before I begin? Or should I wait for another
> upgrade of Install-Clam-SA from MailScanner download page?
>
> Best regards
>

hmm I'd check where the yum install has put all the SA stuff as it tends
to put in a different from the source/cpan install.

you COULD end up with two SA configs installed and a confused system!

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Mailscanner at mailing.kaufland-informationssysteme.com Fri Oct 13 13:02:09 2006
From: Mailscanner at mailing.kaufland-informationssysteme.com (Matthias Sutter) Date: Fri Oct 13 13:02:13 2006 Subject: Exim with Mailscanner and retry problem In-Reply-To: <452F616F.2070302@solidstatelogic.com> References: <452E40C8.6000007@mailing.kaufland-informationssysteme.com> <452E4BBD.7070500@solidstatelogic.com> <452F5BDC.8000201@mailing.kaufland-informationssysteme.com> <452F616F.2070302@solidstatelogic.com> Message-ID: <452F8041.6010007@mailing.kaufland-informationssysteme.com> Martin Hepworth wrote: > Matthias Sutter wrote: > >> Martin Hepworth wrote: >> >>> Matthias Sutter wrote: >>> >>>> Hello, >>>> >>>> I use Mailscanner with Exim and now we get some problems with >>>> graylisting. >>>> Is it correct that the Mailscanner start the exim outgouing deamon? >>>> Because I set in the initscritp / sysconfig /Mailscaner the option >>>> -q10m but we do not see an retry attemp ... >>>> >>>> Can sombody help me how give teh exim the retry option ? >>>> >>>> Thanks a lot >>>> >>>> Matthias Sutter >>>> >>>> >>>> >>> Matthias >>> >>> Depends on how you installed MailScanner, from the rpm, the tarball???? >>> >>> Normally editting the MTA startup script is up to you I think?? >>> >> Martin >> >> I installed Mailscanner as rpm and exim from the tarball. >> >> Do you mean the Mailscanner startupscript ? >> This is the exim outgoing section from the mailscanner script .... >> >> elif [ $MTA = 'exim' ]; then >> startproc -p $srvpid $EXIM -C $EXIMOUTCF -bd -q10m 2> /dev/null >> rc_status >> fi >> >> But I have no running deamon ... >> Should there a proccess - or is the processview correct ? >> >> 18862 ? Ss 0:00 /opt/exim/bin/exim -C >> /opt/exim/configure.in -bd >> 31168 ? S 0:00 \_ /opt/exim/bin/exim -C >> /opt/exim/configure.in -bd >> 31792 ? S 0:00 \_ /opt/exim/bin/exim -C >> /opt/exim/configure.in -bd >> 31955 ? S 0:00 \_ /opt/exim/bin/exim -C >> /opt/exim/configure.in -bd >> 18887 ? Ss 0:00 MailScanner: master waiting for children, >> sleeping >> 18888 ? 
S 0:32 \_ MailScanner: waiting for messages >> 31776 ? Z 0:00 | \_ [MailScanner] >> 18927 ? S 0:32 \_ MailScanner: waiting for messages >> 31873 ? Z 0:00 | \_ [MailScanner] >> 18946 ? S 0:40 \_ MailScanner: waiting for messages >> 31850 ? Z 0:00 | \_ [MailScanner] >> 18961 ? S 0:30 \_ MailScanner: waiting for messages >> 19003 ? R 0:35 \_ MailScanner: scanning for filenames and >> filetypes >> 31988 ? Zs 0:00 | \_ [file] >> 19050 ? S 0:29 \_ MailScanner: virus scanning >> 31973 ? Rs 0:00 | \_ /usr/local/Sophos/bin/sweep -sc -f >> -all -rec ss -archive -cab -loopback --no-follow-symlinks >> --no-reset-atime -TNEF . >> 19099 ? S 0:34 \_ MailScanner: waiting for messages >> 31772 ? Z 0:00 | \_ [MailScanner] >> 19150 ? S 0:35 \_ MailScanner: virus scanning >> 31972 ? Rs 0:01 | \_ /usr/local/Sophos/bin/sweep -sc -f >> -all -rec ss -archive -cab -loopback --no-follow-symlinks >> --no-reset-atime -TNEF . >> 19170 ? S 0:39 \_ MailScanner: waiting for messages >> 19183 ? S 0:40 \_ MailScanner: waiting for messages >> 31740 ? Z 0:00 \_ [MailScanner] >> 18891 ? S 0:04 MailWatch SQL >> 28887 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out >> -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv 1GYITd-0007Pv-5N 1GYITb-0007PK-S5 >> 1GYITd-0007Py >> 31989 ? S 0:00 \_ /opt/exim/bin/exim -C >> /opt/exim/configure.out -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv >> 1GYITd-0007Pv-5N 1GYITb-0007PK-S5 1GYITd-00 >> 31990 ? S 0:00 \_ /opt/exim/bin/exim -C >> /opt/exim/configure.out -Mc 1GYITb-0007P3-Dn 1GYITd-0007Q5-Jv >> 1GYITd-0007Pv-5N 1GYITb-0007PK-S5 1GYIT >> 28989 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out >> -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08 1GYITj-0007Ri-MY 1GYITg-0007R0-T8 >> 1GYITl-0007Re >> 31935 ? S 0:00 \_ /opt/exim/bin/exim -C >> /opt/exim/configure.out -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08 >> 1GYITj-0007Ri-MY 1GYITg-0007R0-T8 1GYITl-00 >> 31937 ? 
S 0:00 \_ /opt/exim/bin/exim -C >> /opt/exim/configure.out -Mc 1GYITk-0007Rt-9W 1GYITh-0007Ql-08 >> 1GYITj-0007Ri-MY 1GYITg-0007R0-T8 1GYIT >> 31920 ? S 0:00 /opt/exim/bin/exim -C /opt/exim/configure.out >> -Mc 1GYIZ0-0008IL-Ly 1GYIZ1-0008IU-Gu 1GYIZ0-0008ID-FM >> 31947 ? S 0:00 \_ /opt/exim/bin/exim -C >> /opt/exim/configure.out -Mc 1GYIZ0-0008IL-Ly 1GYIZ1-0008IU-Gu >> 1GYIZ0-0008ID-FM >> >> >> > > hmm my outgoing exim is started like this.. > > /usr/local/sbin/exim -q15m -C /usr/local/etc/exi > m/configure.out -oP /var/run/eximout.pid > > NB: > > NO -bd (other wise it will deamonise itself and listen on port 25!). > > -oP to tell it to write the PID to a different file. > > Also my configure.out has the log file locations pointing at a > different place so I can see what the inbound and outbound exim's are > doing with ease (ie hmm that log entry is it for the inbound or > outbound exim????) > > Thanks to you, Now it works.The problem was in the Mailscanner initscript. The outgoing startup part should look like: /usr/local/sbin/exim -q15m -C /usr/local/etc/exi m/configure.out -oP /var/run/eximout.pid From ugob at camo-route.com Fri Oct 13 13:33:25 2006 
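Added example (not from the thread and not Exim's own code): a simplified Python model of the point made earlier in this thread, that `-q10m` only sets how often the queue is scanned, while the retry rule `F,2h,15m; G,16h,1h,1.5; F,4d,6h` decides when a deferred message becomes eligible again. This matters for greylisting, where the remote side expects a retry after a delay. It assumes the first failed attempt coincides with a queue run and that every attempt fails; all function names are hypothetical.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(text):
    """Convert an Exim-style time value such as '15m' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad time value: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)


def parse_retry_rule(spec):
    """Parse 'F,2h,15m; G,16h,1h,1.5; F,4d,6h' into (letter, cutoff, interval, factor)."""
    rules = []
    for item in spec.split(";"):
        fields = [f.strip() for f in item.split(",")]
        if fields[0] == "F" and len(fields) == 3:
            rules.append(("F", parse_time(fields[1]), parse_time(fields[2]), 1.0))
        elif fields[0] == "G" and len(fields) == 4:
            rules.append(("G", parse_time(fields[1]), parse_time(fields[2]),
                          float(fields[3])))
        else:
            raise ValueError(f"unsupported retry item: {item.strip()!r}")
    return rules


def next_gap(rules, elapsed, last_gap):
    """Interval to wait after a failure `elapsed` seconds after the first one.

    The first item whose cutoff has not passed applies. F is a fixed interval;
    G starts at its interval and multiplies the previous gap by its factor.
    Returns None once the last cutoff has passed (the address times out).
    """
    for letter, cutoff, interval, factor in rules:
        if elapsed <= cutoff:
            if letter == "F" or last_gap < interval:
                return interval
            return int(last_gap * factor)
    return None


def delivery_attempts(spec, queue_interval, limit=None):
    """Seconds after the first failure at which the queue runner really retries.

    A message is only retried by the first queue run at or after its retry
    time, so the effective spacing is the retry interval rounded up to a
    multiple of the -q interval.
    """
    rules = parse_retry_rule(spec)
    step = parse_time(queue_interval)
    attempts, last_gap = [0], 0
    while limit is None or len(attempts) < limit:
        gap = next_gap(rules, attempts[-1], last_gap)
        if gap is None:
            break
        due = attempts[-1] + gap
        attempts.append(-(-due // step) * step)  # round up to the next queue run
        last_gap = gap
    return attempts


if __name__ == "__main__":
    default_rule = "F,2h,15m; G,16h,1h,1.5; F,4d,6h"   # rule quoted in the thread
    lowered_rule = "F,2h,10m; G,16h,1h,1.5; F,4d,6h"   # first interval set to 10m
    for label, rule in (("15m first interval", default_rule),
                        ("10m first interval", lowered_rule)):
        minutes = [t // 60 for t in delivery_attempts(rule, "10m", limit=10)]
        print(f"-q10m, {label}: attempts at minute {minutes}")
```

With `-q10m` and a 15-minute first interval the model retries every 20 minutes, which is why lowering the first retry value to 10 minutes, as suggested in the thread, is what actually shortens the gap.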
From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Oct 13 13:34:39 2006 Subject: Upgrade spamassassin In-Reply-To: <452F6810.5040008@solidstatelogic.com> References: <452F6810.5040008@solidstatelogic.com> Message-ID: Martin Hepworth wrote: > Budi Febrianto wrote: >> Hi, >> Today, I just upgraded spamassassin from 3.01 to 3.06 with yum (I'm using >> Centos 4.0). >> It cause arround 30 errors in spamassassin --lint. >> >> Panic. >> >> Then I download the Install-Clam-SA, and do the install... it doing >> great, >> and spamassassin --lint doesn't give me any error. >> >> So, I'm planning to upgrade spamassassin to version 3.1.7 from the >> source. >> >> Is there any special notes before I begin? Or should I wait for another >> upgrade of Install-Clam-SA from MailScanner download page? >> >> Best regards >> > hmm I'd check where the yum install has put all the SA stuff as it tends > to put in a different from the source/cpan install. > > you COULD end up with two SA configs installed and a confused system! > In fact, removing the rpm would be better, then install from source or cpan. From ugob at camo-route.com Fri Oct 13 13:41:36 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Oct 13 13:42:44 2006 Subject: OT: Preferred MTA? In-Reply-To: <452E9482.6050307@USherbrooke.ca> References: <452E9482.6050307@USherbrooke.ca> Message-ID: Denis Beauchemin wrote: > Hello all, > > > Do you recommend using a HW load balancer (and SSL accelerator) in front > of my servers? How about Cisco's? I would recommend coyotepoint's products. http://www.coyotepoint.com/ > > Thanks! > > Denis > From hmkash at arl.army.mil Fri Oct 13 14:17:05 2006 
From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Fri Oct 13 14:17:09 2006 Subject: Max Spam Check Size Message-ID: <229A346E44379140A59A48951B56E0C00260CDA2@ARLABML01.DS.ARL.ARMY.MIL> > 4.57.1-1 is up on the web site now. Has a new setting "Max Spam Check > Size". Messages bigger than this are assumed to not be spam. This > significantly speeds up spam checking. Spammers cannot afford to send > huge messages, they want to use their bandwidth sending more smaller > messages as it pays better. > > Default limit is 150k, which apparently is a very safe figure for this test. > > Please can you let me know your experience with this. So far this is working great. One thing I have noticed, though, and not sure if this is proper behavior or not. An email comes in with a password protected zip file infected with Bagle. It's size is about 250k. Previously it would also have been detected as SPAM (and virus infected) and quarantined. Now the spam checks are skipped and the messages are coming through with the attachment stripped, subject modified with the value of "Virus Subject Text" and body prepended with the contents of "Inline HTML Warning". Bagle is listed as a "Silent Virus" and "Still Deliver Silent Viruses" is set to no. .zip files are denied in our filename.rules.conf. "Allow Password Protected Archives" is no. So it seems like the filename rule is trumping the silent virus setting? Should it? Howard From sconway at wlnet.com Fri Oct 13 14:22:03 2006 
From: sconway at wlnet.com (Stephen Conway) Date: Fri Oct 13 14:22:08 2006 Subject: Strange Sendmail Sessions In-Reply-To: <452EAC8E.808@USherbrooke.ca> Message-ID: <002a01c6eeca$943b8150$b000a8c0@skyhawk> Hello Denis: Yes, I found these too, but when I was using older version of Sendmail, I changed this, and it had no effect. After upgrading Sendmail to 8.13.8 , now the settings are doing the job, and server is not being tied up. The main question still remains, why are these coming? Is it some type of DOS attack? But if so, why from so many different Ips? Thanks, Steve -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin
Sent: Thursday, October 12, 2006 4:59 PM
To: MailScanner discussion
Subject: Re: Strange Sendmail Sessions

Stephen Conway wrote:
> Hello All:
>
> I have a couple systems with the following:
>
> Intel based systems 1 GB RAM running Slackware Linux Sendmail 8.13.8
> MailScanner-4.55.10 SpamAssassin version 3.1.0 Perl 5.6.1
>
> I have a problem where I am getting a lot of sendmail sessions opening
> up similar to below:
>
> 0:00 sendmail: k9CJgJRU012733 c647683-42.impsat.com.co [64.76.83.42]
> (may be
> forged): DATA
> 0:00 sendmail: k9CJlhwE014949 movaris-nxds1-89.hicap.alink.net
> [67.131.237.89]: DATA
>
> A bunch of these keep coming in from various different networks, but
> they all stay around and eventually my MAX Daemon Children value is
> reached. The question is, can this be a network issue where these
> sessions are not completing? Also, how can I get sendmail to kill
> these old sessions after X minutes or something?
>
> Any assistance is appreciated.
>
> Thanks,
>
> Steve
>
>
>
Steve,

I use the following in my sendmail.mc:

define(`confTO_ACONNECT', `5m')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_ICONNECT', `20s')dnl
define(`confTO_COMMAND', `5m')dnl
define(`confTO_AUTH', `1m')dnl
define(`confTO_DATABLOCK', `5m')dnl
define(`confTO_DATAFINAL', `10m')dnl
define(`confTO_MAIL', `5m')dnl
define(`confTO_RCPT', `5m')dnl
define(`confTO_RESOLVER_RETRANS_FIRST', `2s')dnl
define(`confTO_RESOLVER_RETRANS_NORMAL', `10s')dnl
define(`confTO_RESOLVER_RETRY_FIRST', `2')dnl
define(`confTO_RESOLVER_RETRY_NORMAL', `5')dnl
define(`confTO_STARTTLS', `5m')dnl

I was also seeing connections that would not close, shutting my server down. Haven't seen any since I configured all the TO_ listed above.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From MailScanner at ecs.soton.ac.uk Fri Oct 13 14:43:53 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Oct 13 14:44:30 2006 Subject: Upgrade spamassassin In-Reply-To: References: Message-ID: <452F9819.5050608@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The latest Install-Clam-SA includes the latest version of SpamAssassin already. Budi Febrianto wrote: > Hi, > Today, I just upgraded spamassassin from 3.01 to 3.06 with yum (I'm using > Centos 4.0). > It cause arround 30 errors in spamassassin --lint. > > Panic. > > Then I download the Install-Clam-SA, and do the install... it doing great, > and spamassassin --lint doesn't give me any error. > > So, I'm planning to upgrade spamassassin to version 3.1.7 from the source. > > Is there any special notes before I begin? Or should I wait for another > upgrade of Install-Clam-SA from MailScanner download page? > > Best regards > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFL5gZEfZZRxQVtlQRAgDpAJwIVYeAG2CZoHfNFBxwtAyGi3QiigCfRFvF nRxHq15FHvLg5kWILsr72rk= =P7Ro -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mgt at stellarcore.net Fri Oct 13 14:55:56 2006 
From: mgt at stellarcore.net (Mike Tremaine) Date: Fri Oct 13 14:56:14 2006 Subject: Logwatch Update In-Reply-To: <200610130957.k9D9uvbW017808@bkserver.blacknight.ie> References: <200610130957.k9D9uvbW017808@bkserver.blacknight.ie> Message-ID: <452F9AEC.2070404@stellarcore.net> Hi Mike, > > We keep a mirror here http://logwatch.vanderkooij.org/ > > > > No idea what is going on with logwatch.org site seems down > > [so is cvs access so I suspect somthing bad ;) ] >I caught the above on the MailScanner list - but it looks as though the >FTP site is down, so I guess you aren't wrong in your suspicion of >"something bad". Do you know if 7.3.1 is available for download >elsewhere? All roads seem to lead back to ftp.kaybee.org which is >unresponsive. It's been down for a week plus now with no response. Time to start plan B I guess. I have the all the code in my CVS so I'll just roll a new RPM and post it. For now I can post the tarball which does have an install script [which works for most Unix but it has some issuess on AIX and HP_UX which, no suprises since it is using install] So if you are not RPM based grab the tarball and use the install_logwatch.sh. If you want to wait for the RPM I'll try to pull it together today. http://www.stellarcore.net/downloads/logwatch-7.3.1.tar.gz From mkettler at evi-inc.com Fri Oct 13 15:56:28 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Oct 13 15:56:49 2006 Subject: In Log Watch In-Reply-To: <200610130900.k9D90lrn000397@balita.ph> References: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie> <452F4E9F.7060001@solidstatelogic.com> <452F516E.5080408@netmagicsolutions.com> <200610130900.k9D90lrn000397@balita.ph> Message-ID: <452FA91C.8060301@evi-inc.com> Wayne wrote: > Noticed this on the daily log ... > > Config Error: Cannot match against destination IP address when > resolving configuration option "spamwhitelist" : 290 Time(s) > > Have checked the whitelist conf cannot see an IP address listed. Any > ideas .... > > Glenn thanks for help on previous problem your advice seems to have > cured things. > What's this got to do with "URIBL not as effective as it was "? Recommendation: Don't use reply to create a new thread. Even if you change the subject line, threading mail readers and archivers will know what message you replied to because of the "In-Reply-To" header. As such they will properly bury your message in the unrelated thread you replied to. You can see this in action on the list archives: http://lists.mailscanner.info/pipermail/mailscanner/2006-October/thread.html This means that folks using threaded mail readers may over-look your message if it's under a thread they don't care about, because most threaded mail readers collapse the entire thread into a single heading. From Denis.Beauchemin at USherbrooke.ca Fri Oct 13 16:10:18 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Oct 13 16:11:11 2006 Subject: Which spam stats package? In-Reply-To: <200610130047.k9D0lR1o006092@bkserver.blacknight.ie> References: <200610130047.k9D0lR1o006092@bkserver.blacknight.ie> Message-ID: <452FAC5A.4030200@USherbrooke.ca>

Paul Welsh wrote:
> I'm looking for a package to report on spam stats. In particular I'd like
> to know which spamassassin categories have had most hits.
>
> I know of Vispan (http://www.while.org.uk/mailstats/), MailWatch
> (http://mailwatch.sourceforge.net/doku.php) and mailscanner-mrtg
> (http://sourceforge.net/projects/mailscannermrtg).
>
> Any others? Recommendations?
>
>
Paul,

I wrote the following Perl script. Might be useful for you too. You will have to modify the search strings at the beginning of the script to your English equivalent (or whatever language you use).

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
#!/usr/bin/perl -w
#
# Script that looks through maillog to find all messages tagged as spam
# by MailScanner. It then tallies the different SpamAssassin rules that
# fired.
#
# $Id: sa-hits,v 1.12 2006/10/11 12:28:37 bead2306 Exp $
#
# $Log: sa-hits,v $
# Revision 1.12 2006/10/11 12:28:37 bead2306
# Mod for required score with decimals
#
# Revision 1.11 2006/10/02 21:23:58 bead2306
# Accelerated by using grep
#
# Revision 1.9 2006/10/02 20:12:50 bead2306
# Added cache-related strings
#
# Revision 1.8 2006/07/11 18:59:01 bead2306
# Modifications for linback3
#
# Revision 1.7 2005/05/24 14:49:14 bead2306
# Small correction for last hit on the line
#
# Revision 1.6 2005/05/16 20:29:51 bead2306
# Accepts any number of file names to process on the command line.
# They don't have to be preceded with --log.
#
# Revision 1.5 2005/05/16 20:01:26 bead2306
# Can now work with compressed input files.
#
# Revision 1.4 2005/05/16 19:52:37 bead2306
# Added --log option to use an alternate maillog
#
# Revision 1.3 2005/05/16 18:45:23 bead2306
# Added Id and Log tags
#
#
# Denis Beauchemin, 20050516

use Getopt::Long;

# Strings to look for in the MailScanner log lines (French reports here;
# change them to match the language of your own MailScanner reports).
my $isSpamString = "est un polluriel, SpamAssassin";
my $scoreString = "score=";
my $reqdString = "requis ";
my $autoString = "autolearn=spam";
my $cachedString = "cached, ";
my $nCachedString = "not cached, ";
my $maillog = "/var/log/maillog";
$maillog .= "/maillog" if ( `uname -n` =~ /^linback2?$/);
@maillogs = ();
my $sortByName = 0;
my $sortByHits = 0;
my $help = 0;

GetOptions(
    'sortbyname|byname' => \$sortByName,
    'sortbyhits|byhits' => \$sortByHits,
    'log=s' => \@maillogs,
    'help' => \$help,
);

if ( $help ) {
    print '
This program tallies SpamAssassin\'s rules that were triggered when an
email was detected as spam by MailScanner.

By default it sorts the results by rule name. It can also sort them by
number of hits if called with --sortbyhits (or --byhits). The option
--sortbyname (or --byname) is the default one.

If you don\'t want to use the current maillog, specify a different one
with --log new-maillog.

All unknown command line parameters will be treated as additional file
names to process.
';
    exit;
}

# Any remaining arguments are extra log files to process.
push @maillogs, @ARGV;
@maillogs = ( $maillog ) if ( @maillogs == 0 );
#print "Maillogs: @maillogs\n";

foreach my $maillog ( @maillogs ) {
    print "Processing $maillog...\n";
    $sortByName++ if ( ( $sortByName == 0 ) && ( $sortByHits == 0 ) );
    # The file name is interpolated into a shell pipeline, so only pass
    # trusted file names to this script.
    my $openCmd = "LANG=C /bin/grep \"$isSpamString\" $maillog |";
    if ( $maillog =~ /\.gz$/ ) {
        $openCmd = "gunzip -c $maillog | LANG=C /bin/grep \"$isSpamString\" |";
    }
    # "or" (not "||") so that die applies to open and not to the string.
    open( LOG, $openCmd ) or die "Cannot open $maillog: $!";
    while ( <LOG> ) {
        # Capture the list of rules that follows the score/required fields.
        next unless /$isSpamString \((?:$cachedString|$nCachedString)$scoreString[\d.]+, $reqdString[\d.]+,(?: $autoString,)?(.*)$/;
        my $hits = $1;
        # Each hit looks like " RULE_NAME 1.23," (or ")" for the last one).
        foreach my $hit ( $hits =~ / ([^\s]+) [\d.]+(?:,|\))/g ) {
            $hit{$hit}++;
        }
    }
    close LOG;
}

if ( $sortByName ) {
    foreach my $hit ( sort keys %hit ) {
        printf "%23s %5d\n", $hit, $hit{$hit};
    }
} elsif ( $sortByHits ) {
    foreach my $hit ( sort {$hit{$b}<=>$hit{$a}} keys %hit ) {
        printf "%23s %5d\n", $hit, $hit{$hit};
    }
}

From Denis.Beauchemin at USherbrooke.ca Fri Oct 13 16:20:09 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Oct 13 16:20:35 2006 Subject: OT: Preferred MTA? In-Reply-To: <452F4FDB.1020304@solidstatelogic.com> References: <452E9482.6050307@USherbrooke.ca> <452F4FDB.1020304@solidstatelogic.com> Message-ID: <452FAEA9.5070504@USherbrooke.ca>

Martin Hepworth wrote:
> Denis Beauchemin wrote:
>> Hello all,
>>
>> I have been asked to evaluate what would be needed to turn our
>> internal mail hubs into secured ones. Since I always had trouble
>> with sendmail's documentation, I was thinking about switching to
>> another MTA.
>>
>> We currently use many sendmail features such as greet_pause,
>> conncontrol, ratecontrol and milter-greylist. We have multiple
>> domains and use LDAP for final delivery address resolution. And of
>> course, MS must blend just fine with the MTA.
>>
>> What other MTA would give me those features with less headaches
>> whenever I need to change things? Exim? Postfix? others?
>>
>> I couldn't find a greylisting for Exim that shares its state table
>> between multiple MX... but I think PF could use my existing
>> milter-greylist as is...
>>
>> As for ease of configuration and quality of documentation, which do
>> you recommend?
>>
>> Do you recommend using a HW load balancer (and SSL accelerator) in
>> front of my servers? How about Cisco's?
>>
>> Thanks!
>>
>> Denis
>>
> Denis
>
> My vote is for exim, wonderful support (a bit like MailScanner :-), no
> political problems and a very knowledgeable community.
>
> Config syntax is easy, and it's very configurable...
>
> No idea about loadbalancers..
>
Martin,

How about my greylisting problem with multiple MX servers sharing the same state info? Can Exim do that?

Thanks!

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061013/01e25fce/smime.bin From brian.duncan at kattenlaw.com Fri Oct 13 16:21:11 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Fri Oct 13 16:21:18 2006 Subject: Mailscanner/Spam Assassin support for MicrosoftIMF/SCLSpamscoring? Message-ID: <65234743FE1555428435CE39E6AC4078B38A8D@CHI-US-EXCH-01.us.kmz.com> >I'm not an exchange person and I am thinking out loud here but would the "X-MS-Exchange-Organization-SCL:" header be ignored if it is added >from another relay, how would it make sure that the header is genuine? >I do agree that this would be a great feature to get working though, as it seems the only other way to achieve this is to use commercial >software called IMF tune that allows exchange to set the SCL score from the "X-Spam-Status: Yes" header. >Dean. >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner >Before posting, read http://wiki.mailscanner.info/posting >Support MailScanner development - buy the book off the website! I don't think that Exchange acts on any X-Header for SCL values (At least nothing that I have tried so far). I tried everything to get messages to wind up in the Junk Mail folder through only X-Header modifications. I had no luck. I finally wound up using http://smtptracker.com It is only 35.00 for an enterprise license and 500.00 for the source code if you need it. The University of Florida has been using it for 2 years now. It is just a transport that sits on an exchange server that adds the SCL onto passing messages going by that have failed your Spam Assassin check. Whatever it adds to force junk mail folder is NOT X-header based. It's some custom exchange attribute I believe. I even opened a call with Microsoft to see if there was some x-header I could add to guarantee a message would wind up in Junk Mail folder. I was told that the SCL value is in some extended attribute in each message. (documented in Exchange 2007 beta as being an x-header, maybe they are changing this moving forward? 
I don't know) We are not actually using smtptracker.com in production yet, I am waiting till my exchange guy verifies if it is cluster friendly. It is nice to see that there is another product that supports tagging messages. (IMF tune) If anyone has successfully manages to get Exchange to act on any X-headers added to a message please post how you did it. =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. =========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). =========================================================== From Denis.Beauchemin at USherbrooke.ca Fri Oct 13 16:22:58 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Oct 13 16:23:41 2006 Subject: OT: Preferred MTA? In-Reply-To: References: <452E9482.6050307@USherbrooke.ca> Message-ID: <452FAF52.1090507@USherbrooke.ca>

Ugo Bellavance wrote:
> Denis Beauchemin wrote:
>> Hello all,
>>
>>
>> Do you recommend using a HW load balancer (and SSL accelerator) in
>> front of my servers? How about Cisco's?
>
> I would recommend coyotepoint's products. http://www.coyotepoint.com/
>
>>
>> Thanks!
>>
>> Denis
>>
>
Ugo,

I looked at their products a while ago (I think it was you who suggested them), but my network guys are kinda biased towards Cisco...

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061013/9da8d0f6/smime.bin

From mgt at stellarcore.net Fri Oct 13 16:27:09 2006 From: mgt at stellarcore.net (Mike Tremaine) Date: Fri Oct 13 16:27:18 2006 Subject: OT: Logwatch RPM In-Reply-To: <200610131100.k9DB0DEd019565@bkserver.blacknight.ie> References: <200610131100.k9DB0DEd019565@bkserver.blacknight.ie> Message-ID: <452FB04D.8060301@stellarcore.net>

One more post, with apologies to Julian. I rebuilt the RPM and SRPM and posted them for now.

http://www.stellarcore.net/downloads/logwatch-7.3.1-2.noarch.rpm
http://www.stellarcore.net/downloads/logwatch-7.3.1-2.src.rpm

This should tide everyone through until we figure out what happened to Kirk and the logwatch.org site. Worst case I'll set up a sourceforge project and move everything there.

-Mike

From hmkash at arl.army.mil Fri Oct 13 16:28:38 2006
From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD))
Date: Fri Oct 13 16:28:42 2006
Subject: Max Spam Check Size
Message-ID: <229A346E44379140A59A48951B56E0C00260CDA6@ARLABML01.DS.ARL.ARMY.MIL>

> So far this is working great. One thing I have noticed, though, and not
> sure if this is proper behavior or not. An email comes in with a
> password protected zip file infected with Bagle. Its size is about
> 250k. Previously it would also have been detected as SPAM (and virus
> infected) and quarantined. Now the spam checks are skipped and the
> messages are coming through with the attachment stripped, subject
> modified with the value of "Virus Subject Text" and body prepended with
> the contents of "Inline HTML Warning". Bagle is listed as a "Silent
> Virus" and "Still Deliver Silent Viruses" is set to no. .zip files are
> denied in our filename.rules.conf. "Allow Password Protected Archives"
> is no. So it seems like the filename rule is trumping the silent virus
> setting? Should it?

After some more digging, it appears that this may be a bug in how silent
viruses are detected that was being masked by spam checks being run even
on large messages. See the logs for the two messages below, both with
Bagle infected attachments. The first message is ~225k and the second is
~85k. Both are detected as password protected archives. The first only
triggers the virus scanner on the .header file, not on the zip file
itself, whereas the second triggers on both the .header file and the zip
attachment. And only the second message is marked as silent. Since the
first message was over 150k it was not detected as spam and the
recipient received a stripped message despite Bagle being listed as a
silent virus. Also notice the from address is blank in both of the
"Infected message .header came from" lines.

Howard

Oct 13 08:48:35 mail MailScanner[9819]: Message 7683673CA7.A5EC8 from 201.58.242.33 (user@example.com) to example.com is too big for spam checks (311952 > 150000 bytes)
Oct 13 08:49:08 mail MailScanner[9819]: Password-protected archive (zupd02.zip) in 7683673CA7.A5EC8
Oct 13 08:49:09 mail MailScanner[9819]: /7683673CA7.A5EC8.header Found the W32/Bagle!eml.gen virus !!!
Oct 13 08:49:09 mail MailScanner[9819]: Infected message 7683673CA7.A5EC8.header came from
Oct 13 08:49:09 mail MailScanner[9819]: Filename Checks: Denied file name (7683673CA7.A5EC8 zupd02.zip)
Oct 13 08:49:09 mail MailScanner[9819]: HTML Img tag found in message 7683673CA7.A5EC8 from user@example.com
Oct 13 08:49:09 mail MailScanner[9819]: Saved infected "zupd02.zip" to /var/spool/MailScanner/quarantine/20061013/7683673CA7.A5EC8
Oct 13 08:49:10 mail MailScanner[9819]: Requeue: 7683673CA7.A5EC8 to 173E173C67

Oct 13 03:03:36 mail MailScanner[26027]: Message 4744C212F67.DA7FF from 165.165.122.218 (user@example.com) to example.com is spam, SpamAssassin (not cached, score=19.578, required 5, BAYES_50 1.00, CUSTOM_RCVD_IN_MANY 3.00, DK_POLICY_SIGNSOME 0.00, FORGED_RCVD_HELO 0.14, HTML_IMAGE_ONLY_04 3.60, HTML_MESSAGE 0.00, HTML_SHORT_LENGTH 1.57, MIME_HTML_ONLY 0.00, MSGID_SPAM_LETTERS 3.02, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_NJABL_DUL1.95, RCVD_IN_SORBS_DUL 2.05, RM_rb_BODY 0.00, RM_rb_BREAK 0.00, RM_rb_HTML 0.00, SARE_GIF_ATTACH 0.75, SARE_GIF_STOX 0.00)
Oct 13 03:03:36 mail MailScanner[26027]: Spam Actions: message 4744C212F67.DA7FF actions are store
Oct 13 03:03:36 mail MailScanner[26027]: Password-protected archive (Susanna.zip) in 4744C212F67.DA7FF
Oct 13 03:03:36 mail MailScanner[26027]: /4744C212F67.DA7FF.header Found the W32/Bagle!eml.gen virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: /4744C212F67.DA7FF/Susanna.zip Found the W32/Bagle.fd!pwdzip virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: Infected message 4744C212F67.DA7FF came from 165.165.122.218
Oct 13 03:03:36 mail MailScanner[26027]: Infected message 4744C212F67.DA7FF.header came from
Oct 13 03:03:36 mail MailScanner[26027]: Filename Checks: Denied file name (4744C212F67.DA7FF Susanna.zip)
Oct 13 03:03:36 mail MailScanner[26027]: HTML Img tag found in message 4744C212F67.DA7FF from user@example.com
Oct 13 03:03:36 mail MailScanner[26027]: Saved infected "Susanna.zip" to /var/spool/MailScanner/quarantine/20061013/4744C212F67.DA7FF
Oct 13 03:03:36 mail MailScanner[26027]: Viruses marked as silent: /4744C212F67.DA7FF/Susanna.zip Found the W32/Bagle.fd!pwdzip virus !!!,Denied file name (Susanna.zip),

From martinh at solidstatelogic.com Fri Oct 13 16:33:04 2006
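[Added example, not part of Howard's post and not MailScanner code: a log
check for the condition described in the message above. It groups
MailScanner syslog lines by message ID and reports messages that logged a
virus-scanner hit but never got a "Viruses marked as silent" line. The
regular expressions and function names are assumptions derived only from
the log lines quoted in the post.]

```python
import re
from collections import defaultdict

# MailScanner syslog lines copied from the post above; only the SpamAssassin
# rule list on the "is spam" line has been shortened.
SAMPLE_LOG = """\
Oct 13 08:48:35 mail MailScanner[9819]: Message 7683673CA7.A5EC8 from 201.58.242.33 (user@example.com) to example.com is too big for spam checks (311952 > 150000 bytes)
Oct 13 08:49:08 mail MailScanner[9819]: Password-protected archive (zupd02.zip) in 7683673CA7.A5EC8
Oct 13 08:49:09 mail MailScanner[9819]: /7683673CA7.A5EC8.header Found the W32/Bagle!eml.gen virus !!!
Oct 13 08:49:09 mail MailScanner[9819]: Infected message 7683673CA7.A5EC8.header came from
Oct 13 08:49:09 mail MailScanner[9819]: Filename Checks: Denied file name (7683673CA7.A5EC8 zupd02.zip)
Oct 13 08:49:10 mail MailScanner[9819]: Requeue: 7683673CA7.A5EC8 to 173E173C67
Oct 13 03:03:36 mail MailScanner[26027]: Message 4744C212F67.DA7FF from 165.165.122.218 (user@example.com) to example.com is spam, SpamAssassin (not cached, score=19.578, required 5)
Oct 13 03:03:36 mail MailScanner[26027]: Password-protected archive (Susanna.zip) in 4744C212F67.DA7FF
Oct 13 03:03:36 mail MailScanner[26027]: /4744C212F67.DA7FF.header Found the W32/Bagle!eml.gen virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: /4744C212F67.DA7FF/Susanna.zip Found the W32/Bagle.fd!pwdzip virus !!!
Oct 13 03:03:36 mail MailScanner[26027]: Filename Checks: Denied file name (4744C212F67.DA7FF Susanna.zip)
Oct 13 03:03:36 mail MailScanner[26027]: Viruses marked as silent: /4744C212F67.DA7FF/Susanna.zip Found the W32/Bagle.fd!pwdzip virus !!!,Denied file name (Susanna.zip),
"""

# Message IDs in these logs look like <queue id>.<5 hex digits> (assumption
# based on the two IDs in the post).
MSG_ID = r"(?P<id>[0-9A-F]{6,}\.[0-9A-F]{5})"

# Order matters: the "marked as silent" line also contains "Found the ... virus",
# so it must be tested before the scanner-hit patterns.
PATTERNS = [
    ("spam_check_skipped", re.compile(r"Message " + MSG_ID + r" .*is too big for spam checks")),
    ("spam", re.compile(r"Message " + MSG_ID + r" .*is spam,")),
    ("marked_silent", re.compile(r"Viruses marked as silent: /" + MSG_ID + r"/")),
    ("header_hit", re.compile(r"/" + MSG_ID + r"\.header Found the (?P<virus>\S+) virus")),
    ("attachment_hit", re.compile(r"/" + MSG_ID + r"/\S+ Found the (?P<virus>\S+) virus")),
    ("denied_filename", re.compile(r"Denied file name \(" + MSG_ID + r" ")),
    ("requeued", re.compile(r"Requeue: " + MSG_ID + r" to ")),
]


def summarize(log_text):
    """Return {message id: {"flags": set of event names, "viruses": set of names}}."""
    messages = defaultdict(lambda: {"flags": set(), "viruses": set()})
    for line in log_text.splitlines():
        for flag, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                record = messages[match.group("id")]
                record["flags"].add(flag)
                if "virus" in match.groupdict():
                    record["viruses"].add(match.group("virus"))
                break  # one event per log line
    return dict(messages)


def hits_not_marked_silent(log_text):
    """Messages with a scanner hit but no 'marked as silent' line.

    Returns a sorted list of (message id, virus names, spam_check_skipped).
    """
    findings = []
    for msg_id, record in summarize(log_text).items():
        flags = record["flags"]
        if flags & {"header_hit", "attachment_hit"} and "marked_silent" not in flags:
            findings.append((msg_id, sorted(record["viruses"]),
                             "spam_check_skipped" in flags))
    return sorted(findings)


if __name__ == "__main__":
    for msg_id, viruses, skipped in hits_not_marked_silent(SAMPLE_LOG):
        print(f"{msg_id}: {', '.join(viruses)} not marked silent; "
              f"spam check skipped: {skipped}")
```
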
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 13 16:33:19 2006
Subject: OT: Preferred MTA?
In-Reply-To: <452FAEA9.5070504@USherbrooke.ca>
References: <452E9482.6050307@USherbrooke.ca> <452F4FDB.1020304@solidstatelogic.com> <452FAEA9.5070504@USherbrooke.ca>
Message-ID: <452FB1B0.6010507@solidstatelogic.com>

Denis Beauchemin wrote:
> Martin Hepworth wrote:
>> Denis Beauchemin wrote:
>>> Hello all,
>>>
>>> I have been asked to evaluate what would be needed to turn our
>>> internal mail hubs into secured ones. Since I always had trouble
>>> with sendmail's documentation, I was thinking about switching to
>>> another MTA.
>>>
>>> We currently use many sendmail features such as greet_pause,
>>> conncontrol, ratecontrol and milter-greylist. We have multiple
>>> domains and use LDAP for final delivery address resolution. And of
>>> course, MS must blend just fine with the MTA.
>>>
>>> What other MTA would give me those features with less headaches
>>> whenever I need to change things? Exim? Postfix? others?
>>>
>>> I couldn't find a greylisting for Exim that shares its state table
>>> between multiple MX... but I think PF could use my existing
>>> milter-greylist as is...
>>>
>>> As for ease of configuration and quality of documentation, which do
>>> you recommend?
>>>
>>> Do you recommend using a HW load balancer (and SSL accelerator) in
>>> front of my servers? How about Cisco's?
>>>
>>> Thanks!
>>>
>>> Denis
>>>
>> Denis
>>
>> My vote is for exim, wonderful support (a bit like MailScanner :-), no
>> political problems and a very knowledgeable community.
>>
>> Config syntax is easy, and it's very configurable...
>>
>> No idea about loadbalancers..
>>
> Martin,
>
> How about my greylisting problem with multiple MX servers sharing the
> same state info? Can Exim do that?
>
> Thanks!
>
> Denis
>

Denis

depends where you store the greylist I guess.... Best to ask the experts
on the exim mailing list - they're a friendly bunch. Be specific about
what you are trying to do and they'll give you lots of pointers about
the best way to achieve it.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From ka at pacific.net Fri Oct 13 16:37:00 2006
From: ka at pacific.net (Ken A)
Date: Fri Oct 13 16:35:12 2006
Subject: spam getting through without even being checked
In-Reply-To: <452EFD54.7040705@fractalweb.com>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com>
Message-ID: <452FB29C.3030704@pacific.net>

Chris Yuzik wrote:
> Ken A wrote:
>> Try restarting MailScanner AFTER you issue the two commands above. It
>> should start incoming and outgoing sendmail processes.
>>
>> If you installed from the MailScanner rpm, you should have seen these
>> instructions at the end of the install process telling you to disable
>> sendmail with the commands above (not sure about the tar.gz), since
>> the MailScanner init script handles starting and stopping sendmail
>> processes after MailScanner is installed.
>>
>> If you have your original sendmail init script still running, it may
>> claim port 25 and so the one that MailScanner tries to start is unable
>> to bind to the port.. See your /var/log/maillog for sendmail errors
>> about this.
> Hi Ken,
>
> I installed from the RPM, but this server is a bit unusual because it's
> running the Ensim control panel, so not sure if everything is "by the
> book".
>
> I tried shutting down sendmail, then restarting MailScanner, but nothing
> started listening on port 25 until I started up sendmail again. When
> MailScanner starts, even if sendmail is stopped it says nothing about
> sendmail, so something must be wrong. Not sure what to try or what to
> investigate next.
>
> In my MailScanner.conf file, the following might give a hint:
>
> MTA = sendmail
> Sendmail = /usr/sbin/sendmail
> Sendmail2 = /usr/sbin/sendmail -ODeliveryMode=background
> -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned

Hi Chris,

I don't use Ensim, so I'm not sure what the differences might be, but
normally with the rpm (and install.sh), you will have an incoming
instance of sendmail listening on port 25 putting mail in an incoming
mail queue (mqueue.in) created by the install process. This mail is then
picked up by MailScanner, scanned, then placed in outgoing mail queue,
which is the default "original" mqueue.

So, your system must be setup to start 2 instances of sendmail. Sendmail
should start from the MailScanner init script. You might want to take a
look at the init script and your /var/log/maillog to see why sendmail
isn't starting. The defaults might be wrong for Ensim, so it might be
better to get some feedback from someone else on the list who uses
Ensim.

Ken A.
Pacific.Net

>
> Thanks,
> Chris

From mjthomas at thinkmcmillan.com Fri Oct 13 16:39:57 2006
From: mjthomas at thinkmcmillan.com (MJ Thomas)
Date: Fri Oct 13 16:40:08 2006
Subject: Phishing & MailScanner has detected a possible fraud attempt from ...
Message-ID: <006001c6eedd$d71be330$2a01a8c0@thinkmcmillan.com.local>

Hi,

I have reviewed the MailScanner documentation and some of the support
lists, but I can't find an answer to my question.

I am deploying an enewsletter for our client using 3rd party email
deployment software. In order to track links, the email deployment
software wraps the original HTTP links within a different URL. For
example:

www.thinkmcmillan.com

For links like www.thinkmcmillan.com, the following message is displayed
when the email is deployed to those email addresses who use MailScanner:
MailScanner has detected a possible fraud attempt from "dcm5.com"
claiming to be www.thinkmcmillan.com.

Does MailScanner have a recommendation on how to handle legitimate
wrappers that are used for tracking purposes? Is there some way of
associating dcm5.com and bridgewatersystems.com so MailScanner does not
flag this link as a possible fraud attempt?

Thanks,

=========================
MJ Thomas
Technical Projects Lead
McMillan
T 613-789-1234 x296
mjthomas@thinkmcmillan.com
thinkmcmillan.com
=========================

Agency-Client Confidential Information

This email and any files transmitted with it are confidential and
intended solely for the use of the named addressee. If you have received
this email in error you should not disseminate, distribute, or copy it;
please notify the sender immediately and delete the message from your
system. Please check this email and any attachments for the presence of
viruses. McMillan accepts no liability for any damage caused by any
virus transmitted by this email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061013/935a2bfd/attachment.html

From jase at sensis.com Fri Oct 13 16:56:21 2006
From: jase at sensis.com (Desai, Jason)
Date: Fri Oct 13 17:01:24 2006
Subject: OT: Preferred MTA?
Message-ID: <1951DC816E1A9F469307B05FA183F4385FF1AA@corpatsmail1.corp.sensis.com>

> > My vote is for exim, wonderful support (a bit like MailScanner :-), no
> > political problems and a very knowledgeable community.
> >
> > Config syntax is easy, and it's very configurable...
> >
> > No idea about loadbalancers..
> >
> Martin,
>
> How about my greylisting problem with multiple MX servers sharing the
> same state info? Can Exim do that?
>

Depends on how you do the greylisting. I like this approach -
http://www.exim.org/eximwiki/FastGrayListMiniTutorial. If you use a
common mysql server then all your servers will be sharing the same state
info.

Jase

From listacct at tulsaconnect.com Fri Oct 13 17:03:52 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Fri Oct 13 17:03:54 2006
Subject: RBL checks broken in 4.56.8?
Message-ID: <452FB8E8.8040808@tulsaconnect.com>

I just switched from 4.55.9 to 4.56.8 and my RBL checks (MailScanner's
RBL checks) are broken. SA's checks still work fine. Net::DNS 0.59 is
installed and working. Simply switching back to 4.55.9 on the same box
fixes the problem. spam.lists.conf is valid for the two I am using
(spamcop and SBL+XBL). No errors show in debug mode.

Ideas?

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From kwang at ucalgary.ca Fri Oct 13 17:39:20 2006
From: kwang at ucalgary.ca (Kai Wang)
Date: Fri Oct 13 17:45:03 2006
Subject: Can MailScanner do dkim/dk-milter?
Message-ID: <452FC138.6010405@ucalgary.ca>

Greetings.

We run authenticated postfix+Mailscanner. I want to sign our outgoing
messages. Because we enforced authentication. I don't want to run
SpamAssassin. Is there a way to let MailScanner call dkim/dk-milter?

Thanks

--
Kai Wang
System Services
Information Technologies, University of Calgary,
2500 University Drive, N.W.,
Calgary, Alberta, Canada T2N 1N4
Phone (403) 220-2423, Fax (403) 282-9361

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From andy at tireswing.net Fri Oct 13 17:26:39 2006
From: andy at tireswing.net (Andy Norris)
Date: Fri Oct 13 17:48:47 2006
Subject: spam getting through without even being checked
In-Reply-To: <452FB29C.3030704@pacific.net>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <452FB29C.3030704@pacific.net>
Message-ID: <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net>

Yes, Chris, this is the problem I'm having with Ensim / MailScanner
right now. Are you getting tons of sendmail processes running?

If I stop sendmail, like I'm supposed to for MailScanner, MailScanner
does, indeed, start the instances of sendmail that it needs for pushing
the mail to the mailboxes. However, I cannot send mail from my email
client through the server, as there's no connection (nothing listening
on port 25). So I have to be running sendmail, and MailScanner is only
scanning the mail it gets around to before other sendmail processes
deliver it without scanning.

Also, when shutting down sendmail, the
/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue directory gets
backed up with a lot of mail... then when starting sendmail again --
because I have to! -- it takes a lot of time to get that mail out the
door. In fact, there is mail in that directory from a couple days ago,
and I need to figure out how to get sendmail to deal with all that. Is
that directory filling up for you, as well?

Seems that just recently things have started going more haywire. Don't
know if it's just that we're being pounded by spammers or what.

It would be great if we could share anything we might find to get to
where we need to be!

Thanks,
Andy Norris
andy@tireswing.net

At 10:37 am 2006-10-13, you wrote:
>Chris Yuzik wrote:
>>Ken A wrote:
>>>Try restarting MailScanner AFTER you issue the two commands above.
>>>It should start incoming and outgoing sendmail processes.
>>>
>>>If you installed from the MailScanner rpm, you should have seen
>>>these instructions at the end of the install process telling you
>>>to disable sendmail with the commands above (not sure about the
>>>tar.gz), since the MailScanner init script handles starting and
>>>stopping sendmail processes after MailScanner is installed.
>>>
>>>If you have your original sendmail init script still running, it
>>>may claim port 25 and so the one that MailScanner tries to start
>>>is unable to bind to the port.. See your /var/log/maillog for
>>>sendmail errors about this.
>>Hi Ken,
>>I installed from the RPM, but this server is a bit unusual because
>>it's running the Ensim control panel, so not sure if everything is
>>"by the book".
>>I tried shutting down sendmail, then restarting MailScanner, but
>>nothing started listening on port 25 until I started up sendmail
>>again. When MailScanner starts, even if sendmail is stopped it says
>>nothing about sendmail, so something must be wrong. Not sure what
>>to try or what to investigate next.
>>In my MailScanner.conf file, the following might give a hint:
>>MTA = sendmail
>>Sendmail = /usr/sbin/sendmail
>>Sendmail2 = /usr/sbin/sendmail -ODeliveryMode=background
>>-OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned
>>
>
>Hi Chris,
>
>I don't use Ensim, so I'm not sure what the differences might be,
>but normally with the rpm (and install.sh), you will have an
>incoming instance of sendmail listening on port 25 putting mail in
>an incoming mail queue (mqueue.in) created by the install process.
>This mail is then picked up by MailScanner, scanned, then placed in
>outgoing mail queue, which is the default "original" mqueue.
>So, your system must be setup to start 2 instances of sendmail.
>Sendmail should start from the MailScanner init script. You might
>want to take a look at the init script and your /var/log/maillog to
>see why sendmail isn't starting. The defaults might be wrong for
>Ensim, so it might be better to get some feedback from someone else
>on the list who uses Ensim.
>
>Ken A.
>Pacific.Net
>
>
>
>>Thanks,
>>Chris
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

From dhawal at netmagicsolutions.com Fri Oct 13 18:04:06 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Oct 13 18:04:27 2006
Subject: Can MailScanner do dkim/dk-milter?
In-Reply-To: <452FC138.6010405@ucalgary.ca>
References: <452FC138.6010405@ucalgary.ca>
Message-ID: <452FC706.2090802@netmagicsolutions.com>

Kai Wang wrote:
>
> Greetings.
>
> We run authenticated postfix+Mailscanner. I want to sign our out going
> messages. Because we enforced authentication. I don't want to run
> SpamAssassin. Is there a way to let MailScanner call dkim/dk-milter?

SpamAssassin can only verify (and not sign) DK/DKIM, so that is not an
option. For outgoing messages, you'll have to write a custom function
and call it via the 'Sign clean messages' in MailScanner.conf

The other option is doing it at the postfix level, see:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

In any case, the important point to remember is that DKIM adoption is
not as widespread as the DK adoption yet! (though it is happening
gradually).. and you'll be better off implementing both till DK is
completely phased out..

- dhawal

From kwang at ucalgary.ca Fri Oct 13 18:41:46 2006
From: kwang at ucalgary.ca (Kai Wang)
Date: Fri Oct 13 18:41:52 2006
Subject: Can MailScanner do dkim/dk-milter?
In-Reply-To: <452FC706.2090802@netmagicsolutions.com>
References: <452FC138.6010405@ucalgary.ca> <452FC706.2090802@netmagicsolutions.com>
Message-ID: <452FCFDA.90705@ucalgary.ca>

The reason, which I wanted to sign the outgoing message by MailScanner,
is because MailScanner add additional header lines and I want to sign it
after MailScanner processing and I know MailScanner allows you to add
customized functions, which is important for debugging. Postfix's milter
does not give much error log which makes my life quite difficult and the
documentation is not adequate.

I know there are DK and DKIM options and have not decided which one to
go. The link you showed me actually have different opinion of which one
is better over the other.

"At the time of this writing it appears the /dkim-milter/ is more
reliable and better maintained than /dk-milter/, which is slowly fading
into oblivion. Similar holds true in the world of Perl modules: there
are modules /Mail::DomainKeys/ and /Mail::DKIM/, both of which can be
used by SpamAssassin. Again the /Mail::DKIM/ (by Jason Long and Anthony
D. Urso) seems to be of higher quality than the older
/Mail::DomainKeys/. SpamAssassin makes it very easy to use each or both
of them (for verification only), just by enabling the already provided
plugins.

Despite DomainKeys slowly giving grounds to DKIM, the DomainKeys is
currently still in use by several large players in the Internet world,
so this section will describe how to integrate both of them with Postfix
and amavisd-new (an after-queue content filter) into a mail system."

Thanks for the advice.

Dhawal Doshy wrote:
> Kai Wang wrote:
>>
>> Greetings.
>>
>> We run authenticated postfix+Mailscanner. I want to sign our out
>> going messages. Because we enforced authentication. I don't want to
>> run SpamAssassin. Is there a way to let MailScanner call dkim/dk-milter?
>
> SpamAssassin can only verify (and not sign) DK/DKIM, so that is not an
> option. For outgoing messages, you'll have to write a custom function
> and call it via the 'Sign clean messages' in MailScanner.conf
>
> The other option is doing it at the postfix level, see:
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
>
> In any case, the important point to remember is that DKIM adoption is
> not as widespread as the DK adoption yet! (though it is happening
> gradually).. and you'll be better off implementing both till DK is
> completely phased out..
>
> - dhawal

--
Kai Wang
System Services
Information Technologies, University of Calgary,
2500 University Drive, N.W.,
Calgary, Alberta, Canada T2N 1N4
Phone (403) 220-2423, Fax (403) 282-9361

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Fri Oct 13 18:44:04 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 13 18:44:28 2006
Subject: Phishing & MailScanner has detected a possible fraud attempt from ...
In-Reply-To: <006001c6eedd$d71be330$2a01a8c0@thinkmcmillan.com.local>
References: <006001c6eedd$d71be330$2a01a8c0@thinkmcmillan.com.local>
Message-ID:

MJ Thomas spake the following on 10/13/2006 8:39 AM:
> Hi,
>
> I have reviewed the MailScanner documentation and some of the support
> lists, but I can't find an answer to my question.
>
> I am deploying an enewsletter for our client using 3rd party email
> deployment software. In order to track links, the email deployment
> software wraps the original HTTP links within a different URL. For example:
>
> target=_blank>www.thinkmcmillan.com
>
> For links like www.thinkmcmillan.com
> , the following message is
> displayed when the email is deployed to those email addresses who use
> MailScanner: *MailScanner has detected a possible fraud attempt from
> "dcm5.com" claiming to be* www.thinkmcmillan.com
> .
>
> Does MailScanner have a recommendation on how to handle legitimate
> wrappers that are used for tracking purposes? Is there some way of
> associating dcm5.com and bridgewatersystems.com so MailScanner does not
> flag this link as a possible fraud attempt?
>
> Thanks,
>

But that is exactly what the fraud detectors are supposed to do. It
detects when the displayed url is different than the actual url. You
would have to get the two url's (www.thinkmcmillan.com and dcm5.com) to
match better, or convince Julian that it is legitimate so he can add it
to his list of OK sites.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Oct 13 19:15:22 2006
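[Added example, not part of the thread and not MailScanner's own
implementation: a simplified version of the check Scott describes, which
compares the hostname shown as link text with the hostname the link
actually points to. The sample HTML is constructed (the newsletter's real
wrapper URL is not in the archive), and `safe_sites`, `registrable` and
the last-two-labels comparison are hypothetical simplifications.]

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the dcm5.com path and news.thinkmcmillan.com are made up.
SAMPLE_HTML = """
<p><a href="http://dcm5.com/t/EXAMPLE?u=http%3A%2F%2Fwww.thinkmcmillan.com%2F"
      target="_blank">www.thinkmcmillan.com</a></p>
<p><a href="http://www.thinkmcmillan.com/contact">www.thinkmcmillan.com/contact</a></p>
<p><a href="http://news.thinkmcmillan.com/october">www.thinkmcmillan.com</a></p>
"""

# Link text counts as a hostname claim only if it starts with something
# that looks like host.tld, optionally preceded by http:// or https://.
HOST_IN_TEXT = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]|$)", re.I)


def registrable(host):
    """Crude comparison key: the last two labels of the hostname.

    Assumption for this example only; it ignores public-suffix rules
    such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html, safe_sites=frozenset()):
    """Return [(actual host, displayed host)] for links whose text claims one
    site while the href points to another that is not in safe_sites."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        claimed = HOST_IN_TEXT.match(text)
        if not claimed:
            continue  # link text makes no hostname claim to compare against
        shown = claimed.group(1).lower()
        actual = (urlsplit(href).hostname or "").lower()
        if not actual or registrable(actual) == registrable(shown):
            continue
        if registrable(actual) in safe_sites:
            continue  # receiving site has explicitly accepted this wrapper
        findings.append((actual, shown))
    return findings


if __name__ == "__main__":
    for actual, shown in mismatched_links(SAMPLE_HTML):
        print(f'possible fraud attempt from "{actual}" claiming to be {shown}')
```
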
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 13 19:15:52 2006
Subject: spam getting through without even being checked
In-Reply-To: <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <452FB29C.3030704@pacific.net> <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net>
Message-ID:

Andy Norris spake the following on 10/13/2006 9:26 AM:
>
> Yes, Chris, this is the problem I'm having with Ensim / MailScanner
> right now. Are you getting tons of sendmail processes running?
>
> If I stop sendmail, like I'm supposed to for MailScanner, MailScanner
> does, indeed, start the instances of sendmail that it needs for pushing
> the mail to the mailboxes. However, I cannot send mail from my email
> client through the server, as there's no connection (nothing listening
> on port 25). So I have to be running sendmail, and MailScanner is only
> scanning the mail it gets around to before other sendmail processes
> deliver it without scanning.
>
> Also, when shutting down sendmail, the
> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue directory gets
> backed up with a lot of mail... then when starting sendmail again --
> because I have to! -- it takes a lot of time to get that mail out the
> door. In fact, there is mail in that directory from a couple days ago,
> and I need to figure out how to get sendmail to deal with all that. Is
> that directory filling up for you, as well?
>
> Seems that just recently things have started going more haywire. Don't
> know if it's just that we're being pounded by spammers or what.
>
> It would be great if we could share anything we might find to get to
> where we need to be!
>
> Thanks,
> Andy Norris
> andy@tireswing.net
>
>
> At 10:37 am 2006-10-13, you wrote:
>
>
>> Chris Yuzik wrote:
>>> Ken A wrote:
>>>> Try restarting MailScanner AFTER you issue the two commands above.
>>>> It should start incoming and outgoing sendmail processes.
>>>>
>>>> If you installed from the MailScanner rpm, you should have seen
>>>> these instructions at the end of the install process telling you to
>>>> disable sendmail with the commands above (not sure about the
>>>> tar.gz), since the MailScanner init script handles starting and
>>>> stopping sendmail processes after MailScanner is installed.
>>>>
>>>> If you have your original sendmail init script still running, it may
>>>> claim port 25 and so the one that MailScanner tries to start is
>>>> unable to bind to the port.. See your /var/log/maillog for sendmail
>>>> errors about this.
>>> Hi Ken,
>>> I installed from the RPM, but this server is a bit unusual because
>>> it's running the Ensim control panel, so not sure if everything is
>>> "by the book".
>>> I tried shutting down sendmail, then restarting MailScanner, but
>>> nothing started listening on port 25 until I started up sendmail
>>> again. When MailScanner starts, even if sendmail is stopped it says
>>> nothing about sendmail, so something must be wrong. Not sure what to
>>> try or what to investigate next.
>>> In my MailScanner.conf file, the following might give a hint:
>>> MTA = sendmail
>>> Sendmail = /usr/sbin/sendmail
>>> Sendmail2 = /usr/sbin/sendmail -ODeliveryMode=background
>>> -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned
>>>
>>
>> Hi Chris,
>>
>> I don't use Ensim, so I'm not sure what the differences might be, but
>> normally with the rpm (and install.sh), you will have an incoming
>> instance of sendmail listening on port 25 putting mail in an incoming
>> mail queue (mqueue.in) created by the install process. This mail is
>> then picked up by MailScanner, scanned, then placed in outgoing mail
>> queue, which is the default "original" mqueue.
>> So, your system must be setup to start 2 instances of sendmail.
>> Sendmail should start from the MailScanner init script. You might want
>> to take a look at the init script and your /var/log/maillog to see why
>> sendmail isn't starting. The defaults might be wrong for Ensim, so it
>> might be better to get some feedback from someone else on the list who
>> uses Ensim.
>>
>> Ken A.
>> Pacific.Net

Does Ensim have a list? They seem to use mailscanner in a non-standard
way, and you might have better luck there.
Otherwise, you will either have to make a support call, or hope that
someone on the list is an Ensim guru.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From wjohns at balita.ph Fri Oct 13 19:59:50 2006
From: wjohns at balita.ph (Wayne)
Date: Fri Oct 13 19:59:56 2006
Subject: In Log Watch
Message-ID: <200610131859.k9DIxnpV032695@balita.ph>

At 15:56 13/10/2006, you wrote:

This is crazy .... I sent a new message from my client called In Log
Watch as I always do I delete messages not of interest as soon as I get
them and note I do not even have any entitled URIBL.

Sorry don't know what you are on about are you sure you are flaming the
right person or message.

- Wayne -

What's this got to do with "URIBL not as effective as it was "?

Recommendation: Don't use reply to create a new thread. Even if you
change the subject line, threading mail readers and archivers will know
what message you replied to because of the "In-Reply-To" header. As such
they will properly bury your message in the unrelated thread you replied
to.

--
This message has been scanned for viruses and
dangerous content by Balita MailScanner, and is
believed to be clean.

From andy at tireswing.net Fri Oct 13 19:42:06 2006
From: andy at tireswing.net (Andy Norris)
Date: Fri Oct 13 20:01:20 2006
Subject: spam getting through without even being checked
In-Reply-To:
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <452FB29C.3030704@pacific.net> <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net>
Message-ID: <6.2.3.4.2.20061013134014.02397d60@mail.tireswing.net>

>Does Ensim have a list? They seem to use mailscanner in a non-standard way,
>and you might have better luck there.
>Otherwise, you will either have to make a support call, or hope that someone
>on the list is an Ensim guru.

Yes, they do, and I've posted there before, but the support is not
great, and I was hoping that there might be a few Ensim folks on here
who have the same bruises on their foreheads... and the same size holes
in their office walls!

Thanks,
Andy

From itdept at fractalweb.com Fri Oct 13 20:17:30 2006
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Oct 13 20:17:48 2006
Subject: spam getting through without even being checked
In-Reply-To: <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <452FB29C.3030704@pacific.net> <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net>
Message-ID: <452FE64A.1070209@fractalweb.com>

Hi Andy,

Thanks for getting on this issue. Perhaps together and with the help of
the gurus on this mailing list we can crack this problem.

Andy Norris wrote:
> Yes, Chris, this is the problem I'm having with Ensim / MailScanner
> right now. Are you getting tons of sendmail processes running?

Yes! Several sendmail processes running. Also, high server load (7 to
10) during peak times of the day.

> If I stop sendmail, like I'm supposed to for MailScanner, MailScanner
> does, indeed, start the instances of sendmail that it needs for
> pushing the mail to the mailboxes. However, I cannot send mail from my
> email client through the server, as there's no connection (nothing
> listening on port 25). So I have to be running sendmail, and
> MailScanner is only scanning the mail it gets around to before other
> sendmail processes deliver it without scanning.

That's interesting. If I stop sendmail and MailScanner, then start only
MailScanner, I don't see anything that indicates that sendmail has
started up. Since it's a live server, I have to be particularly careful
about when I experiment with this stuff since we have hundreds of users
relying on this machine.

> Also, when shutting down sendmail, the
> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue directory
> gets backed up with a lot of mail... then when starting sendmail again
> -- because I have to! -- it takes a lot of time to get that mail out
> the door. In fact, there is mail in that directory from a couple days
> ago, and I need to figure out how to get sendmail to deal with all
> that. Is that directory filling up for you, as well?

The directory only fills up during peak times of the day for me, but it
eventually clears itself out. If you type "mailq" does it list these
stuck messages for you? At peak times of the day, it can take upwards of
20 minutes for a message to go through our server; at other times it's
less than 15 seconds. A couple of minutes is acceptable, but to me > 5
minutes is not.

> Seems that just recently things have started going more haywire. Don't
> know if it's just that we're being pounded by spammers or what.

I second that. About 6 weeks to a couple of months ago, we had no
issues. Peak times of day were only few minutes for email to go through.
We haven't changed anything. Not sure what's going on here.

> It would be great if we could share anything we might find to get to
> where we need to be!

I concur. In the years I've been on this mailing list, I have found
nothing but excellent information supplied by some of the top people in
their various industries. MailScanner has been, and continues to be, the
absolute pinnacle of what open source software and the community that
uses and supports it can be.

I am curious what might be different about your MailScanner.conf file
and mine. Why does yours start sendmail and mine doesn't...Can you list
the lines that start with "sendmail" from your conf file?

Also, what version of Ensim and MailScanner are you running?

What do you see when you type "service MailScanner start" (assuming it's
stopped)? Do you see any reference to sendmail?

Let's get this nut cracked and get back to the levels of spam filtering
we used to have.

Chris

From mike at tc3net.com Fri Oct 13 20:43:37 2006
From: mike at tc3net.com (Michael Baird)
Date: Fri Oct 13 20:41:14 2006
Subject: spam getting through without even being checked
In-Reply-To: <452EFD54.7040705@fractalweb.com>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com>
Message-ID: <1160768617.8099.8.camel@localhost>

> I installed from the RPM, but this server is a bit unusual because it's
> running the Ensim control panel, so not sure if everything is "by the book".
>
> I tried shutting down sendmail, then restarting MailScanner, but nothing
> started listening on port 25 until I started up sendmail again. When
> MailScanner starts, even if sendmail is stopped it says nothing about
> sendmail, so something must be wrong. Not sure what to try or what to
> investigate next.
>
> In my MailScanner.conf file, the following might give a hint:

MailScanner has *nothing* to do with spam scanning on Ensim (unless you customize it to use spam lists). MailScanner is only used for Virus Scanning with ensim, otherwise it uses prefs in the user's home dir to call spamd. Make sure spamassassin is running, restart it to make sure "service spamassassin restart". You must have spam scanning enabled for the domain in the admin interface as well.

MailScanner/spamassassin upgrades are tricky with Ensim, you should make sure you've familiarized yourself with the knowledge base thoroughly before upgrading. The Ensim forums are good, as well as www.ev1servers.com forums.

Regards
Michael Baird

From mike at tc3net.com Fri Oct 13 20:47:02 2006
From: mike at tc3net.com (Michael Baird)
Date: Fri Oct 13 20:44:38 2006
Subject: spam getting through without even being checked
In-Reply-To: <452FE64A.1070209@fractalweb.com>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <452FB29C.3030704@pacific.net> <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net> <452FE64A.1070209@fractalweb.com>
Message-ID: <1160768822.8099.12.camel@localhost>

On Fri, 2006-10-13 at 12:17 -0700, Chris Yuzik wrote:
> Hi Andy,
>
> Thanks for getting on this issue. Perhaps together and with the help of
> the gurus on this mailing list we can crack this problem.
>
> Andy Norris wrote:
> > Yes, Chris, this is the problem I'm having with Ensim / MailScanner
> > right now. Are you getting tons of sendmail processes running?
> Yes! Several sendmail processes running. Also, high server load (7 to
> 10) during peak times of the day.
> > If I stop sendmail, like I'm supposed to for MailScanner, MailScanner
> > does, indeed, start the instances of sendmail that it needs for
> > pushing the mail to the mailboxes. However, I cannot send mail from my
> > email client through the server, as there's no connection (nothing
> > listening on port 25). So I have to be running sendmail, and
> > MailScanner is only scanning the mail it gets around to before other
> > sendmail processes deliver it without scanning.
> That's interesting. If I stop sendmail and MailScanner, then start only
> MailScanner, I don't see anything that indicates that sendmail has
> started up. Since it's a live server, I have to be particularly careful
> about when I experiment with

Ensim uses custom MailScanner startup scripts, they've actually separated the MailScanner and Sendmail somewhat. With Ensim, you must restart both MailScanner "service MailScanner restart" and "service sendmail restart", the MailScanner init doesn't start both (If you are using it the Ensim delivered way). But again, MailScanner doesn't do anything for spam on Ensim (unless you modify it, beyond their setup).

Regards
Michael Baird

From andy at tireswing.net Fri Oct 13 20:48:16 2006
From: andy at tireswing.net (Andy Norris) Date: Fri Oct 13 20:48:58 2006 Subject: spam getting through / ENSIM In-Reply-To: <452FE64A.1070209@fractalweb.com> References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <452FB29C.3030704@pacific.net> <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net> <452FE64A.1070209@fractalweb.com> Message-ID: <6.2.3.4.2.20061013143638.02953770@mail.tireswing.net> At 02:17 pm 2006-10-13, you wrote: >Hi Andy, > >Thanks for getting on this issue. Perhaps together and with the help >of the gurus on this mailing list we can crack this problem. > >Andy Norris wrote: >>If I stop sendmail, like I'm supposed to for MailScanner, >>MailScanner does, indeed, start the instances of sendmail that it >>needs for pushing the mail to the mailboxes. However, I cannot sent >>mail from my email client through the server, as there's no >>connection (nothing listening on port 25). So I have to be running >>sendmail, and MailScanner is only scanning the mail it gets around >>to before other sendmail processes deliver it without scanning. >That's interesting. If I stop sendmail and MailScanner, then start >only MailScanner, I don't see anything that indicates that sendmail >has started up. Since it's a live server, I have to be particularly >careful about when I experiment with this stuff since we have >hundreds of users relying on this machine. The only way I've detected that MailScanner is starting the process is by doing "service sendmail status"... and just repeating that command repeatedly after stopping sendmail and restarting MailScanner. It takes several seconds... maybe a minute, but then it does show sendmail running on one to four PIDs. However, once MailScanner is done processing the batch, those processes are dead, and none of them are listening for SMTP connections. 
Perhaps it's as easy as me learning how to start sendmail just to listen on port 25?? Dunno. >>Also, when shutting down sendmail, the >>/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue directory >>gets backed up with a lot of mail... then when starting sendmail >>again -- because I have to! -- it takes a lot of time to get that >>mail out the door. In fact, there is mail in that directory from a >>couple days ago, and I need to figure out how to get sendmail to >>deal with all that. Is that directory filling up for you, as well? >The directory only fills up during peak times of the day for me, but >it eventually clears itself out. If you type "mailq" does it list >these stuck messages for you? Yes, it does list them. One thing I JUST now did, though I'm not sure how much of a difference this will make... I edited /etc/sysconfig/sendmail and changed a line from QUEUE=1h to QUEUE=1m. The outgoing mail seems to be getting picked up quicker. >At peak times of the day, it can take upwards of 20 minutes for a >message to go through our server; at other times it's less than 15 >seconds. A couple of minutes is acceptable, but to me > 5 minutes is not. >>Seems that just recently things have started going more haywire. >>Don't know if it's just that we're being pounded by spammers or what. >I second that. About 6 weeks to a couple of months ago, we had no >issues. Peak times of day were only few minutes for email to go >through. We haven't changed anything. Not sure what's going on here. >>It would be great if we could share anything we might find to get >>to where we need to be! >I concur. In the years I've been on this mailing list, I have found >nothing but excellent information supplied by some of the top people >in their various industries. MailScanner has been, and continues to >be, the absolute pinnacle of what open source software and the >community that uses and supports it can be. 
Yes, I do rely on this group quite a bit, and I hope that everyone on the group can tolerate a thread on trying to figure out how to get MailScanner running optimally on Ensim. I fault Julian and MailScanner not a bit in the problems I'm having. Ensim seems to be a black box in some areas, and this is not the first time I've been flustered. However, it comes down to the fact I have to use SOMEthing. And everything has its strengths and weaknesses. >I am curious what might be different about your MailScanner.conf >file and mine. Why does yours start sendmail and mine doesn't...Can >you list the lines that start with "sendmail" from your conf file? >Also, what version of Ensim and MailScanner are you running? What do >you see when you type "service MailScanner start" (assuming it's >stopped)? Do you see any reference to sendmail? I tell you what... I will send in a separate email to you my MailScanner.conf file if you will share yours with me. I would be interested in seeing the deltas. It's high time I clean mine up, too. I'm running: sendmail v8.12.11 RHEL ES v3 (Taroon update 4) Perl v5.8.0 spamassassin v3.1.0 Ensim Pro 4.0.3-22.rhel.3ES >Let's get this nut cracked and get back to the levels of spam >filtering we used to have. Agreed! I'd like to get back to being an "expert" in the things I want to know / do... not the things that nobody else wants to tackle! Andy >Chris From itdept at fractalweb.com Fri Oct 13 20:53:02 2006 
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Oct 13 20:53:19 2006
Subject: spam getting through without even being checked
In-Reply-To: <1160768617.8099.8.camel@localhost>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <1160768617.8099.8.camel@localhost>
Message-ID: <452FEE9E.6050909@fractalweb.com>

Michael Baird wrote:
> MailScanner has *nothing* to do with spam scanning on Ensim (unless you
> customize it to use spam lists). MailScanner is only used for Virus
> Scanning with ensim, otherwise it uses prefs in the user's home dir to
> call spamd. Make sure spamassassin is running, restart it to make sure
> "service spamassassin restart". You must have spam scanning enabled for
> the domain in the admin interface as well.
>

Right, in the default config, that's true. WHY Ensim does it this way, I'll never know; rather than finding out what would be best, they typically go and customize the heck out of something in some bizarre manner.

I have changed my system so that MailScanner does the antispam, not spamd. Spamd is not running on the system.

The challenge I seem to be having is that I end up with a sendmail process out there that picks up mail and doesn't pass it through MailScanner. MOST mail does go through MailScanner, but some (especially at peak times) goes through unchecked.

Thanks,
Chris

From itdept at fractalweb.com Fri Oct 13 20:55:31 2006
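One way to measure the bypass described in the message above, as an added example that is not part of the thread: it counts, per arrival hour, delivered messages that carry no MailScanner header. The header naming (an `X-` name containing `MailScanner`), the host names and the sample messages are assumptions constructed for illustration.

```python
import email
from email.utils import parsedate_to_datetime


def make_sample(msg_id, received_stamp, extra_headers=""):
    """Build one constructed RFC 822 message for the demo below."""
    return (
        f"Received: from relay.example.test by mx.example.test; {received_stamp}\n"
        f"{extra_headers}"
        f"Message-ID: {msg_id}\n"
        # Every sample carries the same bogus Date to show it is never trusted.
        "Date: Mon, 1 Jan 1996 00:00:00 +0000\n"
        "Subject: sample\n"
        "\n"
        "body\n"
    )


# Constructed sample mailbox contents (not taken from the thread).
SCANNED = "X-Example-MailScanner: Found to be clean\n"
SAMPLE_MESSAGES = [
    make_sample("<1@example.test>", "Fri, 13 Oct 2006 10:05:00 -0700", SCANNED),
    make_sample("<2@example.test>", "Fri, 13 Oct 2006 10:20:00 -0700"),
    make_sample("<3@example.test>", "Fri, 13 Oct 2006 03:10:00 -0700", SCANNED),
    make_sample("<4@example.test>", "Fri, 13 Oct 2006 10:50:00 -0700"),
]


def was_scanned(msg):
    """True if any header name looks like a MailScanner stamp (assumed naming)."""
    return any(
        name.lower().startswith("x-") and "mailscanner" in name.lower()
        for name in msg.keys()
    )


def arrival_hour(msg):
    """Hour taken from the topmost Received header, written by the local MTA.

    The Date header is set by the sender, so it is ignored.
    Returns None when no parsable Received timestamp exists.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    _, sep, stamp = received[0].rpartition(";")
    if not sep:
        return None
    try:
        return parsedate_to_datetime(stamp.strip()).hour
    except (TypeError, ValueError):
        return None


def bypass_report(raw_messages):
    """Return ({hour: (total, unscanned)}, [Message-IDs of unscanned mail])."""
    report = {}
    unscanned_ids = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        hour = arrival_hour(msg)
        total, missed = report.get(hour, (0, 0))
        scanned = was_scanned(msg)
        if not scanned:
            unscanned_ids.append(msg.get("Message-ID", "<no message-id>"))
        report[hour] = (total + 1, missed + (0 if scanned else 1))
    return report, unscanned_ids


if __name__ == "__main__":
    per_hour, missed_ids = bypass_report(SAMPLE_MESSAGES)
    for hour in sorted(per_hour, key=lambda h: -1 if h is None else h):
        total, missed = per_hour[hour]
        print(f"hour {hour}: {missed} of {total} delivered without a scan header")
    print("unscanned:", ", ".join(missed_ids))
```

A rising unscanned share in the busy hours points at a second delivery path rather than at the scanner's rules.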
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Oct 13 20:55:47 2006
Subject: spam getting through without even being checked
In-Reply-To: <1160768822.8099.12.camel@localhost>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <452FB29C.3030704@pacific.net> <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net> <452FE64A.1070209@fractalweb.com> <1160768822.8099.12.camel@localhost>
Message-ID: <452FEF33.8010806@fractalweb.com>

Michael Baird wrote:
> Ensim uses custom MailScanner startup scripts, they've actually
> separated the MailScanner and Sendmail somewhat. With Ensim, you must
> restart both MailScanner "service MailScanner restart" and "service
> sendmail restart", the MailScanner init doesn't start both (If you are
> using it the Ensim delivered way). But again, MailScanner doesn't do
> anything for spam on Ensim (unless you modify it, beyond their setup).
>

Michael,

Ok, now I think we're getting somewhere. So is it the MailScanner startup script that's supposed to start up sendmail? Perhaps what Andy and I need to do is modify this so that MailScanner starts sendmail instead of the system starting it directly? Looking forward to your thoughts!

Regards,
Chris

From mike at tc3net.com Fri Oct 13 21:17:54 2006
From: mike at tc3net.com (Michael Baird)
Date: Fri Oct 13 21:15:31 2006
Subject: spam getting through without even being checked
In-Reply-To: <452FEE9E.6050909@fractalweb.com>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <1160768617.8099.8.camel@localhost> <452FEE9E.6050909@fractalweb.com>
Message-ID: <1160770674.8099.16.camel@localhost>

On Fri, 2006-10-13 at 12:53 -0700, Chris Yuzik wrote:
> Michael Baird wrote:
> > MailScanner has *nothing* to do with spam scanning on Ensim (unless you
> > customize it to use spam lists). MailScanner is only used for Virus
> > Scanning with ensim, otherwise it uses prefs in the user's home dir to
> > call spamd. Make sure spamassassin is running, restart it to make sure
> > "service spamassassin restart". You must have spam scanning enabled for
> > the domain in the admin interface as well.
> >
> Right, in the default config, that's true. WHY Ensim does it this way,
> I'll never know; rather than finding out what would be best, they
> typically go and customize the heck out of something in some bizarre manner.
>
> I have changed my system so that MailScanner does the antispam, not
> spamd. Spamd is not running on the system.
>
> The challenge I seem to be having is that I end up with a sendmail
> process out there that picks up mail and doesn't pass it through
> MailScanner. MOST mail does go through MailScanner, but some (especially
> at peak times) goes through unchecked.

Did you remove your /etc/rc.d/init.d/sendmail start script? When Ensim adds/removes domains it also restarts many services including sendmail and MailScanner. If you have not removed the sendmail init script there could be issues, depending on which init script (since you aren't using their MailScanner start script), is launched first.

Regards
Michael Baird

From glenn.steen at gmail.com Fri Oct 13 21:29:11 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Oct 13 21:29:14 2006 Subject: OT: Preferred MTA? In-Reply-To: <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net> References: <452E9482.6050307@USherbrooke.ca> <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net> Message-ID: <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> On 13/10/06, Drew Marshall wrote: > > On Thu, October 12, 2006 20:16, Denis Beauchemin wrote: > > Hello all, > > > > I have been asked to evaluate what would be needed to turn our internal > > mail hubs into secured ones. Since I always had trouble with sendmail's > > documentation, I was thinking about switching to another MTA. > > > > We currently use many sendmail features such as greet_pause, > > conncontrol, ratecontrol and milter-greylist. We have multiple domains > > and use LDAP for final delivery address resolution. And of course, MS > > must blend just fine with the MTA. > > > > What other MTA would give me those features with less headaches whenever > > I need to change things? Exim? Postfix? others? > > > > I couldn't find a greylisting for Exim that shares its state table > > between multiple MX... but I think PF could use my existing > > milter-greylist as is... > > > > As for ease of configuration and quality of documentation, which do you > > recommend? > > Another vote for Postfix here. Easy to control, large feature set built in > (sender & recipient address verification for example), integrates with > just about any database driven user list, mailing lists are no problem, > built in self protection with rate limiting etc, secure and very quick, > with 2.3.x milters can be used and just about any program can be piped to. > > Oh, the killer app for me is no 'constant' rebuilding of a file I don't > understand and I have never had to patch a Postfix install due to a > security flaw/ alert :-) > > But I am biased... 
CC As long as Julian is willing to support Postfix, and please note that there has mostly been "hot air" from the PF devels so far (not the "roaring bonfire of hell" they've been promising with every new version), I see no problem arising from the somewhat ... strained... relations. AFAICS, _all_ the features requested are supported (one way or another) in PF 2.3. > > > > Do you recommend using a HW load balancer (and SSL accelerator) in front > > of my servers? How about Cisco's? > > Really can't comment but I would be interested to hear others thoughts too. > Capable but not that cheap:-). How do you loadbalance now? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at yeticomputers.com Fri Oct 13 21:33:49 2006 
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Fri Oct 13 21:33:59 2006
Subject: In Log Watch
In-Reply-To: <200610131859.k9DIxnpV032695@balita.ph>
References: <200610131859.k9DIxnpV032695@balita.ph>
Message-ID: <452FF82D.6050002@yeticomputers.com>

Checking the headers, I find that your message with the subject "In Log Watch" had an "In-Reply-To:" field of "<452F516E.5080408@netmagicsolutions.com>". The message in my client with that ID was from Dhawal Doshy and had the subject "Re: URIBL not as effective as it was".

The "In-Reply-To" header normally gets set through the reply function of your mail client. I've done this myself when I wasn't sure of the correct list address. However, a thread-savvy mail client will quite happily insert your message into an existing thread - even if you change the subject line after hitting reply.

Nowadays, if I can't remember the list address, I'll hit reply, copy the address from the reply, close the reply and start a new message, pasting in the address from the reply. I forgot during last month's discussion of autoresponders, though, so I know how easy it is.

Rick

Wayne wrote:
> At 15:56 13/10/2006, you wrote:
>
> This is crazy .... I sent a new message from my client called In Log
> Watch as I always do I delete messages not of interest as soon as I
> get them and note I do not even have any entitled URIBL. Sorry don't
> know what you are on about are you sure you are flaming the right
> person or message.
>
> - Wayne -
>
>
> What's this got to do with "URIBL not as effective as it was "?
>
> Recommendation: Don't use reply to create a new thread. Even if you
> change the subject line, threading mail readers and archivers will
> know what message you replied to because of the "In-Reply-To" header.
> As such they will properly bury your message in the unrelated thread
> you replied to.
>
>

From glenn.steen at gmail.com Fri Oct 13 21:36:28 2006
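How a threading client or archiver files such messages, as an added example that is not part of the thread: each message is classified by comparing its subject with the subject of the message named in its In-Reply-To header. The Message-IDs are constructed, the subjects mirror the ones discussed on this list, and treating a trailing "(Was ...)" as a deliberate rename is an assumption about list convention.

```python
import email
import re

# Leading "Re:" / "Fwd:" markers, possibly repeated.
REPLY_PREFIX = re.compile(r"^(?:\s*(?:re|fwd?)\s*:\s*)+", re.IGNORECASE)
# Trailing "(Was <old subject>)" used when a poster renames a thread on purpose.
WAS_SUFFIX = re.compile(r"\(\s*was:?\s*(.*?)\)\s*$", re.IGNORECASE)


def make_message(msg_id, subject, in_reply_to=None):
    """Build one constructed message; only the threading headers matter here."""
    lines = [f"Message-ID: {msg_id}", f"Subject: {subject}"]
    if in_reply_to:
        lines.append(f"In-Reply-To: {in_reply_to}")
    return "\n".join(lines) + "\n\nbody\n"


# Constructed sample archive (IDs are placeholders under example.test).
SAMPLE_THREAD = [
    make_message("<a1@example.test>", "URIBL not as effective as it was"),
    make_message("<b2@example.test>", "Re: URIBL not as effective as it was",
                 "<a1@example.test>"),
    # Composed by hitting "reply" and retyping the subject.
    make_message("<c3@example.test>", "In Log Watch", "<b2@example.test>"),
    make_message("<d4@example.test>", "Re: In Log Watch", "<c3@example.test>"),
    make_message("<e5@example.test>", "[OT] List address (Was Re: In Log Watch)",
                 "<d4@example.test>"),
    make_message("<f6@example.test>", "Re: something older",
                 "<missing@example.test>"),
]


def base_subject(subject):
    """Subject with whitespace collapsed, reply prefixes removed, lowercased."""
    collapsed = re.sub(r"\s+", " ", subject or "").strip()
    return REPLY_PREFIX.sub("", collapsed).lower()


def classify(raw_messages):
    """Map each Message-ID to how a threader would treat the message."""
    msgs = [email.message_from_string(raw) for raw in raw_messages]
    by_id = {m["Message-ID"].strip(): m for m in msgs if m["Message-ID"]}
    verdicts = {}
    for m in msgs:
        msg_id = (m["Message-ID"] or "<no message-id>").strip()
        parent_id = (m["In-Reply-To"] or "").strip()
        if not parent_id:
            verdicts[msg_id] = "new thread"
            continue
        parent = by_id.get(parent_id)
        if parent is None:
            verdicts[msg_id] = "reply, parent not in archive"
            continue
        parent_base = base_subject(parent["Subject"])
        if base_subject(m["Subject"]) == parent_base:
            verdicts[msg_id] = "reply"
            continue
        renamed = WAS_SUFFIX.search(m["Subject"] or "")
        if renamed and base_subject(renamed.group(1)) == parent_base:
            verdicts[msg_id] = "renamed in thread"
        else:
            # The subject changed but the header still points at the old thread.
            verdicts[msg_id] = "filed under unrelated thread"
    return verdicts


if __name__ == "__main__":
    for msg_id, verdict in classify(SAMPLE_THREAD).items():
        print(msg_id, "->", verdict)
```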
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Oct 13 21:36:31 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: References: <223f97700610050049m4ada99aeh9fc3db5ad3eaf78@mail.gmail.com> Message-ID: <223f97700610131336i6ee90be2ta90bfd3b69f39ca8@mail.gmail.com> On 12/10/06, Kevin Miller wrote: > Glenn Steen wrote: > > On 04/10/06, Scott Silva wrote: > > (snip) > >> Never mind ... I actually RTFM. Will try to remember to do so in the > >> future. > > ... Amazing what that can reveal, eh?:-). > > > >> Replying to myself ... Hmmmm... Must be running postfix somewhere. > >> Oh yeah... Now I remember ... > > Always knew you were a closet PF user...:-D. > > > > Somewhat back on track: I thought I'd need both ImageInfo and > > FuzzyOcr... But when I implemented ImageInfo (I like to change things > > (that work:) one small step at a time, when possible... Tweaking, not > > frobbing;), I fairly quickly realised it got all the image-based spam > > without hardly any FPs (at least not any _new_ FPs... The ones FP'ing > > was doing that already due to badly come together .... "marketing > > systems"... "solicited" spam type of things:-). So I backed off from > > the ocr bit (have it running on a testbed, but... will probably not > > introduce it into production use). > > > > What amazes me is that some of the more influential merchant > > banks/financial institutions have really no clue as to how to put mail > > together that don't look spammy... Instead they annoy us (their > > "users") with notes about please making exceptions _for their domain > > names_ ... Really no clue at all. > > If their communications are that important, why not make the effort to > > set up SPF and/or Domain Keys... Or just avoid forging senders, HTML > > mails with a lot of big images, ALL CAPS subjects etc etc etc. Jeez. > > > > Well, you probably just saved me a whole bunch of work Glenn. 
Was > poking around getting ready to install all the dependencies for FuzzyOCR > and stumbled across this post about ImageInfo. It looks much easier! > I like easier. As should any admin:-D > Couple of quick questions though. Did you have to make any tweaks to > it, or just run it out of the box? No tweaks that I remember ... Nope, just ran it "out of the box". > The install instructions in ImageInfo.pm are slightly spartan - it says: > # 3) add to init.pre (or v310.pre) the following line > # loadplugin Mail::SpamAssassin::Plugin::ImageInfo > # or if not in plugin dir.. > # loadplugin Mail::SpamAssassin::Plugin::ImageInfo /path/to/plugin > > I didn't have a plugin directory, so just made one. For that line, > should I append the filename on it too, like this: > loadplugin Mail::SpamAssassin::Plugin::ImageInfo > /etc/mail/spamassassin/plugin/ImageInfo.pm > or just > loadplugin Mail::SpamAssassin::Plugin::ImageInfo > /etc/mail/spamassassin/plugin > (watch the line wrap) I didn't have to do anything like that. Just plopped it into my Plugin directory (mine was something like /usr/lib/perl5/site_perl//Mail/SpamAssassin/Plugin ... At home, VPN still "bad", so thats entirely from my lossy memory:-). It wouldn't cost you anything to try the latter... If it fails (check with a lint), just tag on ImageInfo.pm at the end... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From itdept at fractalweb.com Fri Oct 13 21:40:45 2006 
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Oct 13 21:46:40 2006
Subject: spam getting through without even being checked
In-Reply-To: <1160770674.8099.16.camel@localhost>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <1160768617.8099.8.camel@localhost> <452FEE9E.6050909@fractalweb.com> <1160770674.8099.16.camel@localhost>
Message-ID: <452FF9CD.8030006@fractalweb.com>

Michael Baird wrote:
> Did you remove your /etc/rc.d/init.d/sendmail start script? When Ensim
> adds/removes domains it also restarts many services including sendmail
> and MailScanner. If you have not removed the sendmail init script there
> could be issues, depending on which init script (since you aren't using
> their MailScanner start script), is launched first.
>

Michael,

I haven't removed the sendmail start script, because at this point, I think I still need it. As I mentioned in one of the earlier messages in this thread, if I don't start sendmail using the "service sendmail start" command, then nothing listens on port 25--which would cut down on spam and server load :) but obviously not a good idea.

Until I can get MailScanner to start a sendmail process listening on port 25, I can't remove/disable the sendmail start script.

Chris

From Kevin_Miller at ci.juneau.ak.us Fri Oct 13 21:56:41 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Oct 13 21:56:47 2006
Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned}
In-Reply-To: <223f97700610131336i6ee90be2ta90bfd3b69f39ca8@mail.gmail.com>
Message-ID:

Glenn Steen wrote:
>> I didn't have a plugin directory, so just made one. For that line,
>> should I append the filename on it too, like this:
>> loadplugin Mail::SpamAssassin::Plugin::ImageInfo
>> /etc/mail/spamassassin/plugin/ImageInfo.pm
>> or just
>> loadplugin Mail::SpamAssassin::Plugin::ImageInfo
>> /etc/mail/spamassassin/plugin
>> (watch the line wrap)
>
> I didn't have to do anything like that. Just plopped it into my Plugin
> directory (mine was something like
> /usr/lib/perl5/site_perl//Mail/SpamAssassin/Plugin ... At
> home, VPN still "bad", so that's entirely from my lossy memory:-).
> It wouldn't cost you anything to try the latter... If it fails (check
> with a lint), just tag on ImageInfo.pm at the end...

I figured it was probably pretty simple like that, but did a 'locate plugin' and didn't turn up anything. Guess I should have tried 'locate Plugin' (capital P). But that's OK. Today I'm a tiny bit more educated than yesterday, and spam is down just a tad bit more so overall it's a net gain.

I did run lint and it barfed so I added the name to the end of the path and it loads just dapper now. Not sure what exactly it does that catches image spam, but I'm sure it's doing something. I'll see how it goes for a couple weeks and if needs be toss in the FuzzyOCR module as well. Hopefully I'll have similar results to yours and not need the extra overhead.

Have a great weekend all...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mike at tc3net.com Fri Oct 13 22:42:41 2006
From: mike at tc3net.com (Michael Baird)
Date: Fri Oct 13 22:40:16 2006
Subject: spam getting through without even being checked
In-Reply-To: <452FEF33.8010806@fractalweb.com>
References: <452E91B0.7090205@fractalweb.com> <452E9DC2.8040608@pacific.net> <452EC3CB.9080707@fractalweb.com> <452EC60E.2080403@pacific.net> <452EFD54.7040705@fractalweb.com> <452FB29C.3030704@pacific.net> <6.2.3.4.2.20061013111808.02803c40@mail.tireswing.net> <452FE64A.1070209@fractalweb.com> <1160768822.8099.12.camel@localhost> <452FEF33.8010806@fractalweb.com>
Message-ID: <1160775762.8099.23.camel@localhost>

On Fri, 2006-10-13 at 12:55 -0700, Chris Yuzik wrote:
> Michael Baird wrote:
> > Ensim uses custom MailScanner startup scripts, they've actually
> > separated the MailScanner and Sendmail somewhat. With Ensim, you must
> > restart both MailScanner "service MailScanner restart" and "service
> > sendmail restart", the MailScanner init doesn't start both (If you are
> > using it the Ensim delivered way). But again, MailScanner doesn't do
> > anything for spam on Ensim (unless you modify it, beyond their setup).
> >
> Michael,
>
> Ok, now I think we're getting somewhere. So is it the MailScanner
> startup script that's supposed to start up sendmail? Perhaps what Andy
> and I need to do is modify this so that MailScanner starts sendmail
> instead of the system starting it directly? Looking forward to your
> thoughts!

Yes, if you have converted over to a standard MailScanner type install and are using the standard MailScanner init script, it starts the listening sendmail Daemon. Ensim has a modified MailScanner/sendmail init script which starts them independently. Ensim restarts the services via the init scripts every time a domain add/delete is done.

If you read their forums you will see posts from me suggesting a far better system for spam scanning than their oddball system. However, they don't appear to wish to do so. Their spamc/spamd type system causes the server to be bum rushed from time to time, and the server load is higher than it should be.

Regards
Michael Baird

From ugob at camo-route.com Fri Oct 13 22:46:04 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Oct 13 22:46:31 2006
Subject: [OT] List address (Was Re: In Log Watch)
In-Reply-To: <452FF82D.6050002@yeticomputers.com>
References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com>
Message-ID:

May I recommend using a news reader to read news, you can use Gmane and it is really so much better than reading the mailing list via e-mail. You need to post? Don't even have to know the list address, you just go to the newsgroup, click on "Write" or "New".

I personally like Thunderbird a lot as a news reader, but I guess OE, which is installed by default on all Windows PCs, would do a good job.

Hth,
Ugo

From G.Pentland at soton.ac.uk Fri Oct 13 22:57:19 2006
From: G.Pentland at soton.ac.uk (Pentland G.)
Date: Fri Oct 13 22:57:27 2006
Subject: Anyone using FuzzyOCR?
Message-ID: <71437982F5B13A4D9A5B2669BDB89EE40765C5DC@ISS-CL-EX-V1.soton.ac.uk>

All,

I'm trialling FuzzyOCR and having mixed results. Are any of you using this and what have you found? Good and bad, I'm interested.

Thanks,
Gary

From paul at welshfamily.com Fri Oct 13 23:03:39 2006
From: paul at welshfamily.com (Paul Welsh)
Date: Fri Oct 13 23:03:50 2006
Subject: MailScanner Digest, Vol 10, Issue 28
In-Reply-To: <200610131656.k9DGuN9e029817@bkserver.blacknight.ie>
Message-ID: <200610132203.k9DM3m9f005688@bkserver.blacknight.ie>

> -----Original Message-----
> Date: Fri, 13 Oct 2006 11:10:18 -0400
> From: Denis Beauchemin
> Subject: Re: Which spam stats package?
> To: MailScanner discussion
>
> I wrote the following Perl script. Might be useful for you too.

Thanks Denis, I'll try this out. It looks like it will do what I need.

From itdept at fractalweb.com Sat Oct 14 01:18:55 2006
From: itdept at fractalweb.com (Chris Yuzik) Date: Sat Oct 14 01:34:59 2006 Subject: Surgemail? Message-ID: <45302CEF.9010704@fractalweb.com> Anyone out there using "Surgemail"? How about with MailScanner? Has a long feature list. Looking for feedback. Thanks, Chris From dward at nccumc.org Sat Oct 14 01:52:29 2006 From: dward at nccumc.org (Douglas Ward) Date: Sat Oct 14 01:52:32 2006 Subject: Surgemail? In-Reply-To: <45302CEF.9010704@fractalweb.com> References: <45302CEF.9010704@fractalweb.com> Message-ID: I run surgemail behind a MailScanner server. It functions about the same way that my Exchange and postfix servers do. I don't do any filtering on the surgemail level. Everything that passes through the MailScanner server is clean (in theory). On 10/13/06, Chris Yuzik wrote: > > Anyone out there using "Surgemail"? How about with MailScanner? Has a > long feature list. Looking for feedback. > > Thanks, > Chris > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061013/66b1e698/attachment.html From bgmahesh at gmail.com Sat Oct 14 03:28:01 2006 
From: bgmahesh at gmail.com (BG Mahesh) Date: Sat Oct 14 03:28:04 2006 Subject: Surgemail? In-Reply-To: References: <45302CEF.9010704@fractalweb.com> Message-ID: <5227ac5c0610131928w401e1ca4u37f9cf1ec7902c49@mail.gmail.com> So you have a separate server for Mailscanner and one more for surgemail? Surgemail folks discourage using any other software other than Aspam but I too feel Mailscanner is a lot more effective. People talk about Mailscanner/ClamAV/SA being slow but I can live with that speed On 10/14/06, Douglas Ward wrote: > > I run surgemail behind a MailScanner server. It functions about the same > way that my Exchange and postfix servers do. I don't do any filtering on > the surgemail level. Everything that passes through the MailScanner server > is clean (in theory). > > On 10/13/06, Chris Yuzik wrote: > > > > Anyone out there using "Surgemail"? How about with MailScanner? Has a > > long feature list. Looking for feedback. > > > > Thanks, > > Chris > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061014/d55c26f3/attachment.html From mgt at stellarcore.net Sat Oct 14 03:59:13 2006 
From: mgt at stellarcore.net (Mike Tremaine) Date: Sat Oct 14 03:59:30 2006 Subject: Logs as localhost Message-ID: <45305281.2020806@stellarcore.net> I have not dug into this so sorry if this has come up but does anyone know why MailScanner would report as localhost to syslogd under Solaris 10? Oct 13 19:55:41 localhost MailScanner[5322]: New Batch: Scanning 1 messages, 1393 bytes -Mike From wjohns at balita.ph Sat Oct 14 04:09:47 2006 From: wjohns at balita.ph (Wayne) Date: Sat Oct 14 04:09:51 2006 Subject: In Log Watch In-Reply-To: <452FF82D.6050002@yeticomputers.com> References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com> Message-ID: <200610140309.k9E39kvD003754@balita.ph> At 21:33 13/10/2006, you wrote: Mailscanner is in my address book so I don't follow your procedure. >Nowadays, if I can't remember the >list address, I'll hit reply, copy the address from the reply, close the >reply and start a new message, pasting in the address from the reply. -- This message has been scanned for viruses and dangerous content by Balita MailScanner, and is believed to be clean. From mike at vesol.com Sat Oct 14 04:27:42 2006 From: mike at vesol.com (Mike Kercher) Date: Sat Oct 14 04:27:52 2006 Subject: Logs as localhost In-Reply-To: <45305281.2020806@stellarcore.net> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Mike Tremaine > Sent: Friday, October 13, 2006 9:59 PM > To: mailscanner@lists.mailscanner.info > Subject: Logs as localhost > > > I have not dug into this so sorry if this has come up but > does anyone know why MailScanner would report as localhost to > syslogd under Solaris 10? > > Oct 13 19:55:41 localhost MailScanner[5322]: New Batch: > Scanning 1 messages, > 1393 bytes > > -Mike What do you have in your /etc/hosts? Mike From ugob at camo-route.com Sat Oct 14 04:37:44 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Sat Oct 14 04:38:02 2006 Subject: In Log Watch In-Reply-To: <200610140309.k9E39kvD003754@balita.ph> References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com> <200610140309.k9E39kvD003754@balita.ph> Message-ID: Wayne wrote: > At 21:33 13/10/2006, you wrote: > > Mailscanner is in my address book so I don't follow your procedure. > Ok then, please try to avoid hijacking a thread like you did, if you did. If you didn't, don't worry and have fun! ugo From itdept at fractalweb.com Sat Oct 14 04:41:14 2006 From: itdept at fractalweb.com (Chris Yuzik) Date: Sat Oct 14 04:41:25 2006 Subject: Mailwatch? Message-ID: <45305C5A.6060204@fractalweb.com> Hi everyone, I've been running MailWatch for a long time now, but haven't updated it in forever. Went to go get the latest version this evening and...latest version is now almost 1 year old??? What happened to it? Is there something else/better that people are using now? Thanks, Chris From randyf at sibernet.com Sat Oct 14 04:48:20 2006 From: randyf at sibernet.com (Randy Fishel) Date: Sat Oct 14 04:49:56 2006 Subject: Logs as localhost In-Reply-To: References: Message-ID: <2E1ADE5B-6417-409A-A56B-BA9075C8FC26@sibernet.com> On Oct 13, 2006, at 8:27 PM, Mike Kercher wrote: > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Mike Tremaine >> Sent: Friday, October 13, 2006 9:59 PM >> To: mailscanner@lists.mailscanner.info >> Subject: Logs as localhost >> >> >> I have not dug into this so sorry if this has come up but >> does anyone know why MailScanner would report as localhost to >> syslogd under Solaris 10? >> >> Oct 13 19:55:41 localhost MailScanner[5322]: New Batch: >> Scanning 1 messages, >> 1393 bytes >> >> -Mike > > > What do you have in your /etc/hosts? > > Mike > -- Or more importantly, what is the value of loghost in /etc/hosts? rf From r.berber at computer.org Sat Oct 14 05:46:40 2006 From: r.berber at computer.org (René Berber) Date: Sat Oct 14 05:46:55 2006 Subject: Logs as localhost In-Reply-To: <45305281.2020806@stellarcore.net> References: <45305281.2020806@stellarcore.net> Message-ID: Mike Tremaine wrote: > I have not dug into this so sorry if this has come up but does anyone > know why MailScanner would report as localhost to syslogd under Solaris 10? > > Oct 13 19:55:41 localhost MailScanner[5322]: New Batch: Scanning 1 > messages, 1393 bytes It's a known bug/feature on Solaris, there's even a bug report about this for Sys::Syslog. I have changed it to report in the normal format, just change a couple of lines in MailScanner/lib/MailScanner/Log.pm : line 39 - use Sys::Syslog qw(:DEFAULT setlogsock); line 71 - Sys::Syslog::setlogsock('native'); This on version 4.57.1, It's the same in 4.56.8 but not before (or 2 versions before), the line number changed. -- René Berber From wjohns at balita.ph Sat Oct 14 09:41:03 2006
From: wjohns at balita.ph (Wayne) Date: Sat Oct 14 09:41:07 2006 Subject: In Log Watch In-Reply-To: References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com> <200610140309.k9E39kvD003754@balita.ph> Message-ID: <200610140841.k9E8f2FF018445@balita.ph> At 04:37 14/10/2006, you wrote: I certainly _never_ hi-jacked any thread I asked a legitimate question - next thing I know I am jumped on and accused of something I did not do. I have been an alpha and beta tester of LSoft's Listserv for many years now and a list owner for as many. I find this list all too ready to 'jump' on people for no reason really I don't want to be part of a list that puts so much power into the hands of this type of people and I for one will be glad to see the back of it. - Wayne - >Ok then, please try to avoid hijacking a thread like you did, if you >did. If you didn't, don't worry and have fun! -- This message has been scanned for viruses and dangerous content by Balita MailScanner, and is believed to be clean. From res at ausics.net Sat Oct 14 10:37:28 2006
From: res at ausics.net (Res) Date: Sat Oct 14 10:37:48 2006 Subject: In Log Watch In-Reply-To: <200610140841.k9E8f2FF018445@balita.ph> References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com> <200610140309.k9E39kvD003754@balita.ph> <200610140841.k9E8f2FF018445@balita.ph> Message-ID: Wayne, On Sat, 14 Oct 2006, Wayne wrote: > At 04:37 14/10/2006, you wrote: > > I certainly _never_ hi-jacked any thread I asked a legitimate question - next > thing I know I am jumped on and accused of something I did not do. I have > been an alpha and beta tester of LSoft's Listserv for many years now and a > list owner for as many. I might be off base here, and not taken much notice of earlier posts, but maybe some of the problem is with your poor mailer? It fails on recognising who said what... -At 04:37 14/10/2006, you wrote:- This is what your posts are saying... referring to everyone who reads it as we said when we did not say :) I'm sure once your mailer is corrected there will be less hassle -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From glenn.steen at gmail.com Sat Oct 14 10:47:12 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 14 10:47:15 2006 Subject: SOLVED: Re: mailscanner hangs on automatic restart {Scanned} In-Reply-To: References: <223f97700610131336i6ee90be2ta90bfd3b69f39ca8@mail.gmail.com> Message-ID: <223f97700610140247n80d5a95r256725845350e9ef@mail.gmail.com> On 13/10/06, Kevin Miller wrote: (snip) > Not sure what exactly it does > that catches image spam, but I'm sure it's doing something. Look for the DC_ rules (defined in the "companion" .cf file) ... DC_UNO_LARGO type things... It _will_ add points to some non-spam, but it will absolutely make a huge difference for the image type spam. > I'll see how it goes for a couple weeks and if needs be toss in the > FuzzyOCR module as well. Hopefully I'll have similar results to yours > and not need the extra overhead. > > Have a great weekend all... Likewise. -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Oct 14 11:19:28 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 14 11:19:32 2006 Subject: Mail Logs (OT) In-Reply-To: <42216.194.70.180.170.1160730012.squirrel@www.technologytiger.net> References: <452F31DC.50406@enitech.com.au> <42216.194.70.180.170.1160730012.squirrel@www.technologytiger.net> Message-ID: <223f97700610140319l4e9245bcpa92429b19a506142@mail.gmail.com> On 13/10/06, Drew Marshall wrote: > On Fri, October 13, 2006 07:27, Peter Russell wrote: > > Hi there, I have mailscanner, postfix, and mailwatch. > > > > What I would like to be able to easily see is all of the mail stats. > > Because we block a lot of mail at the MTA using recipient maps we have > > heaps of stats in the maillog that don't make it to mailwatch. > > > > Is there any tool that will show me all of the spam, high spam, viruses, > > rejected by MTA and delivered type stats? > > Have a look at pflogsumm http://jimsun.linxnet.com/postfix_contrib.html I use this (in conjunction with MailWatch one gets a good grip on things). It doesn't handle the HOLD construct very well, and if you (like me) have maillogs split into separate info, warning and error files then you'll need to look at some other logfile (that has them all in sequence) like syslog... Other than that, it works very well. I post the logs through a very ugly/simplistic php hack, so the PHB/windoze disabled colleagues can look at it too:-). I run a daily and a weekly summary from cron that dump the textfiles into the published directory... And the hack just displays them. Pretty much like the CGI you can find through Jimsun.... I just missed it:-). Can probably clean it a bit and share upon request. > There are others listed at http://www.postfix.org/addon.html which might > also give you the details you want. I looked at a lot of those (anteater, isoqlog etc etc) and most work pretty badly when taking the HOLD thing into account. And pflogsumm gives the best (most relevant) results IMO.
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Oct 14 11:24:38 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 14 11:24:42 2006 Subject: Whitelist rules In-Reply-To: References: Message-ID: <223f97700610140324m46412127j7a88a91b1e955aa2@mail.gmail.com> On 13/10/06, Colin Jack wrote: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Martin Hepworth > > Sent: Friday, October 13, 2006 10:44 AM > > To: MailScanner discussion > > Subject: Re: Whitelist rules > > > > Colin Jack wrote: > > >> -----Original Message----- > > >> From: mailscanner-bounces@lists.mailscanner.info > > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > >> mikea > > >> Sent: Thursday, October 12, 2006 7:53 PM > > >> To: MailScanner discussion > > >> Subject: Re: Whitelist rules > > >> > > >> On Thu, Oct 12, 2006 at 06:44:47PM +0100, Colin Jack wrote: > > >> > > >>>> -----Original Message----- 
> > >>>> From: mailscanner-bounces@lists.mailscanner.info > > >>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > >>>> Joost Waversveld > > >>>> Sent: Thursday, October 12, 2006 3:07 PM > > >>>> To: MailScanner discussion > > >>>> Subject: Re: Whitelist rules > > >>>> > > >>>> No, you're wrong... ;-) You can use wildcards just the > > >> way you said. > > >>>> Keep in mind that the mail will get scanned, but will be > > >> delivered > > >>>> as normal, regardless of the score the message get. > > >>>> > > >>>> Regards, > > >>>> > > >>>> Joost Waversveld > > >>>> > > >>>> Colin Jack wrote: > > >>>>> Please could someone give me a pointer > > >>>>> > > >>>>> I want to allow all mail for particular domain through > > >>>> without being > > >>>>> scanned. > > >>>>> Am I right in saying that I cannot use wildcards in the > > >>>>> spam.whitelist.rules like > > >>>>> > > >>>>> FromOrTo: *@domain.com yes > > >>>>> > > >>>>> If so, how do I do it? > > >>>>> > > >>>>> Many thanks > > >>>>> > > >>>>> Colin > > >>> Thanks ... well that makes life easier :) > > >>> > > >>> They are particularly keen that their mail shouldn't be > > >> {disarmed} ... > > >>> will this work this way? > > >> That's what I see here: whitelisted mail gets scanned, but > > there are > > >> no changes made to the mail, possibly excepting an > > additional header. > > >> > > >> -- > > >> Mike Andrews, W5EGO > > >> mikea@mikea.ath.cx > > >> Tired old sysadmin > > >> -- > > > > > > Okay ... that's cool ... except > > > > > > I did that last night and then this morning I had clients > > complaining > > > that the server was very slow and a quick 'ps aux' showed > > hundreds of > > > procmail processes for this particular domain just sitting there!! > > > > > > Commented out the change and restarted MailScanner and all > > okay again? > > > Any ideas? > > > > > > Thanks > > > > > > Colin > > > > > > > Procmail?????thats way after MS has anything to do with the email.. 
> > > > I'd check the procmail rules... > > > > -- > > Martin Hepworth > > Senior Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > > Okay thanks ... just seemed odd that it was only this domain which > seemed to be having problems. > > Probably a coincidence ... I will check it out. > > Regards > > Colin Sounds like your procmail rules are depending on information added by MailScanner.... Which doesn't get added when whitelisting like this. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Oct 14 11:41:08 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 14 11:41:11 2006 Subject: Phishing & MailScanner has detected a possible fraud attempt from ... In-Reply-To: References: <006001c6eedd$d71be330$2a01a8c0@thinkmcmillan.com.local> Message-ID: <223f97700610140341p164147bavc787199b802296cf@mail.gmail.com> On 13/10/06, Scott Silva wrote: > MJ Thomas spake the following on 10/13/2006 8:39 AM: > > Hi, > > > > I have reviewed the MailScanner documentation and some of the support > > lists, but I can't find an answer to my question. > > > > I am deploying an enewsletter for our client using 3rd party email > > deployment software. In order to track links, the email deployment > > software wraps the original HTTP links within a different URL. For example: > > > > > target=_blank>www.thinkmcmillan.com > > > > For links like www.thinkmcmillan.com > > , the following message is > > displayed when the email is deployed to those email addresses who use > > MailScanner: *MailScanner has detected a possible fraud attempt from > > "dcm5.com" claiming to be* www.thinkmcmillan.com > > . > > > > Does MailScanner have a recommendation on how to handle legitimate > > wrappers that are used for tracking purposes? Is there some way of > > associating dcm5.com and bridgewatersystems.com so MailScanner does not > > flag this link as a possible fraud attempt? > > > > Thanks, > > > But that is exactly what the fraud detectors are supposed to do. It detects > when the displayed url is different than the actual url. You would have to get > the two url's (www.thinkmcmillan.com and dcm5.com) to match better, or > convince Julian that it is legitimate so he can add it to his list of OK sites. > Or simply have those customers add your "fakes" to the phishing whitelist themselves. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Oct 14 11:54:53 2006
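Added example, not part of the original thread and not MailScanner's own code: an illustration in Python of the check Scott Silva describes in the message above (flag a link whose displayed host differs from the host its href points to), with an allowlist standing in for the phishing whitelist Glenn mentions. The tracking paths, the function and variable names, and the matching rule (same host, or a subdomain of the displayed host) are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that starts with something shaped like a host name
# (optional scheme, at least one dot, alphabetic TLD).
HOST_IN_TEXT = re.compile(
    r"^\s*(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?#\s]|$)", re.I
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html, safe_hosts=()):
    """Return [(href_host, claimed_host)] for links whose text names another host.

    safe_hosts is the assumed allowlist: href hosts listed there are never
    reported, which is how a known tracking wrapper would be accepted.
    """
    safe = {_norm(h) for h in safe_hosts}
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        try:
            href_host = _norm(urlsplit(href).hostname)
        except ValueError:          # malformed URL, e.g. a broken IPv6 literal
            continue
        claimed = HOST_IN_TEXT.match(text)
        if not href_host or not claimed:
            continue                # mailto: link, or text such as "click here"
        claimed_host = _norm(claimed.group(1))
        same_site = (href_host == claimed_host
                     or href_host.endswith("." + claimed_host))
        if not same_site and href_host not in safe:
            findings.append((href_host, claimed_host))
    return findings


# Constructed sample: the first link reproduces the situation in the thread
# (text shows www.thinkmcmillan.com, href goes to the dcm5.com wrapper).
SAMPLE_HTML = """
<p>Read the newsletter at
<a href="http://dcm5.com/t/EXAMPLE-TRACKING-ID" target="_blank">www.thinkmcmillan.com</a>,
or <a href="http://www.thinkmcmillan.com/news">thinkmcmillan.com/news</a>,
or <a href="http://dcm5.com/t/EXAMPLE-UNSUBSCRIBE">unsubscribe here</a>.</p>
"""

if __name__ == "__main__":
    print("no allowlist:   ", find_mismatched_links(SAMPLE_HTML))
    print("dcm5.com allowed:", find_mismatched_links(SAMPLE_HTML, ["dcm5.com"]))
```

Only the first link is reported: the third also goes through the wrapper, but its text is not a URL, so it makes no claim about where it leads. That is the sender-side alternative to allowlisting the wrapper host.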
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 14 11:54:55 2006 Subject: Mailwatch? In-Reply-To: <45305C5A.6060204@fractalweb.com> References: <45305C5A.6060204@fractalweb.com> Message-ID: <223f97700610140354g676ce94dm568ac22119f9c6e@mail.gmail.com> On 14/10/06, Chris Yuzik wrote: > Hi everyone, > > I've been running MailWatch for a long time now, but haven't updated it > in forever. Went to go get the latest version this evening and...latest > version is now almost 1 year old??? What happened to it? Is there > something else/better that people are using now? > > Thanks, > Chris The relevant question is "When will 2.0 go public", and should be directed to Steve directly or (better yet) to the MailWatch list. Steve's working on a _big_ overhaul that will redo most, if not all, of the code. In the meantime 1.0.3 is a pretty solid offering (with some very nice patches floating around on the MW list). So... Do like the rest of us... Be patient:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Oct 14 12:13:13 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 14 12:13:17 2006 Subject: In Log Watch In-Reply-To: <200610130900.k9D90lrn000397@balita.ph> References: <200610122345.k9CNj7kp005039@bkserver.blacknight.ie> <452F4E9F.7060001@solidstatelogic.com> <452F516E.5080408@netmagicsolutions.com> <200610130900.k9D90lrn000397@balita.ph> Message-ID: <223f97700610140413n7bf52f27va9249f47cbb3c31e@mail.gmail.com> On 13/10/06, Wayne wrote: > Noticed this on the daily log ... > > Config Error: Cannot match against destination IP address when > resolving configuration option "spamwhitelist" : 290 Time(s) > > Have checked the whitelist conf cannot see an IP address listed. Any ideas .... Perhaps a typo in a name then? So that the name lookup would time out...? > Glenn thanks for help on previous problem your advice seems to have > cured things. Glad to be of help. > Regards > > Wayne > > About the "threading issue": I had something a bit similar happen to me a couple of years back, where my work MUA (Bl**dy LookOut!) seriously messed up threading (breaking threads mostly). As it turned out this was due to a policy I had no say in... So now I read all my lists through Gmail (which at least threads nicely:-). I'm not saying you should go that path, nor leave just because all those with threaded readers (well, some...:-) in a not too unfriendly manner point this out (yes, I've looked at the thread... Not much swearing, name-calling etc;). It might be that this is indeed due to some strange misdeed by mailman or some other intervening system/MTA. Or it might be human factor. Or the "elevation above sea level constant"... or whatever:-). All I'm saying is that there is a real (if not that big) problem, and that (accusations aside) it might be a good idea to at least allow the possibility that it might be at your end (this actually goes for all participants in this thread;-). Anyway, let's leave that behind and move on...
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dward at nccumc.org Sat Oct 14 12:32:59 2006 
From: dward at nccumc.org (Douglas Ward) Date: Sat Oct 14 12:33:03 2006 Subject: Surgemail? In-Reply-To: <5227ac5c0610131928w401e1ca4u37f9cf1ec7902c49@mail.gmail.com> References: <45302CEF.9010704@fractalweb.com> <5227ac5c0610131928w401e1ca4u37f9cf1ec7902c49@mail.gmail.com> Message-ID: My surgemail server is one of four e-mail servers (two run mailman/postfix, one exchange server and surgemail). My MailScanner gateway routes e-mail between all four without any delay or difficulty. I saw where the surgemail folks discouraged the use of a gateway but I have no idea why. It works great in my office and I highly recommend it. On 10/13/06, BG Mahesh wrote: > > > So you have a separate server for Mailscanner and one more for surgemail? > Surgemail folks discourage using any other software other than Aspam but I > too feel Mailscanner is a lot more effective. People talk about > Mailscanner/ClamAV/SA being slow but I can live with that speed > > On 10/14/06, Douglas Ward wrote: > > > > I run surgemail behind a MailScanner server. It functions about the > > same way that my Exchange and postfix servers do. I don't do any filtering > > on the surgemail level. Everything that passes through the MailScanner > > server is clean (in theory). > > > > On 10/13/06, Chris Yuzik < itdept@fractalweb.com> wrote: > > > > > > Anyone out there using "Surgemail"? How about with MailScanner? Has a > > > long feature list. Looking for feedback. > > > > > > Thanks, > > > Chris > > -- > -- > B.G. Mahesh > http://www.greynium.com/ > http://www.oneindia.in/ > http://www.click.in/ - Free Indian Classifieds From wjohns at balita.ph Sat Oct 14 14:00:23 2006
From: wjohns at balita.ph (Wayne) Date: Sat Oct 14 14:00:28 2006 Subject: In Log Watch In-Reply-To: References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com> <200610140309.k9E39kvD003754@balita.ph> <200610140841.k9E8f2FF018445@balita.ph> Message-ID: <200610141300.k9ED0Mqf023447@balita.ph> At 10:37 14/10/2006, Res wrote: I am totally confused by your comments they just do not make sense. I asked a question about whitelist error in reply I get admonished for something totally different. Why is my mailer poor I have never had any problems. Thank you Glenn for answering my original question - I will check. Certainly I won't be asking any more help on this list :-( >>At 04:37 14/10/2006, you wrote: >> >>I certainly _never_ hi-jacked any thread I asked a legitimate >>question - next thing I know I am jumped on and accused of >>something I did not do. I have been an alpha and beta tester of >>LSoft's Listserv for many years now and a list owner for as many. > >I might be off base here, and not taken much notice of earlier >posts, but maybe some of the problem is with your poor mailer? It >fails on recognising who said what... -- This message has been scanned for viruses and dangerous content by Balita MailScanner, and is believed to be clean. From mgt at stellarcore.net Sat Oct 14 14:57:45 2006
From: mgt at stellarcore.net (Mike Tremaine) Date: Sat Oct 14 14:58:03 2006 Subject: Logs as localhost In-Reply-To: <200610141103.k9EB3qmL021203@bkserver.blacknight.ie> References: <200610141103.k9EB3qmL021203@bkserver.blacknight.ie> Message-ID: <4530ECD9.4020009@stellarcore.net> > I have not dug into this so sorry if this has come up but does anyone > > know why MailScanner would report as localhost to syslogd under Solaris 10? > > > > Oct 13 19:55:41 localhost MailScanner[5322]: New Batch: Scanning 1 > > messages, 1393 bytes >It's a known bug/feature on Solaris, there's even a bug report about this for >Sys::Syslog. >I have changed it to report in the normal format, just change a couple of >lines in MailScanner/lib/MailScanner/Log.pm : > > >line 39 - >use Sys::Syslog qw(:DEFAULT setlogsock);> > >line 71 - > Sys::Syslog::setlogsock('native'); >This on version 4.57.1, It's the same in 4.56.8 but not before (or 2 versions >before), the line number changed. That got it thanks!! I'm on MailScanner 4.56.7 and the code had an extra if for solaris and irix, etc.... So I just commented out the chunk and added back a single line eval with the native setlogsock. Restarted MailScanner and we are in business. [Apologies to the others who tried to help but for whom I did not post complete info like my /etc/hosts stuff or state that only MailScanner was logging wrong.] -Mike From glenn.steen at gmail.com Sat Oct 14 16:11:53 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 14 16:11:57 2006 Subject: In Log Watch In-Reply-To: <200610141300.k9ED0Mqf023447@balita.ph> References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com> <200610140309.k9E39kvD003754@balita.ph> <200610140841.k9E8f2FF018445@balita.ph> <200610141300.k9ED0Mqf023447@balita.ph> Message-ID: <223f97700610140811o2da17da8pcc4fb1ac4c1aa3ed@mail.gmail.com> On 14/10/06, Wayne wrote: > At 10:37 14/10/2006, Res wrote: > > I am totally confused by your comments they just do not make sense. > > I asked a question about whitelist error in reply I get admonished > for something totally different. Why is my mailer poor I have never > had any problems. Our friend Res has been known to have a less than civil tongue (not that I think it's that bad this time:-), from time to time:-). And some pretty strong views:-):-). Don't let it get to you;-). We're all entitled to our own opinions. > Thank you Glenn for answering my original question - I will check. Good. I'm sure we'll get to the bottom of this, with the usual (-ly) nice open discussion that is the hallmark of this list. > Certainly I won't be asking any more help on this list :-( That would (if my memory serves me right) be a loss on all parts. Please reconsider your position (We're usually a pretty easygoing and helpful bunch:-). What usually riles at least a few participants are things like top-posting, not trimming and thread-breaking/hijacking... And possibly just yacking about unrelated stuff, although this list (thanks to the forgiving nature of Jules etc) is more forgiving to such transgressions than is the norm for specialised mailing-lists. That you (due to whatever reason) seemed to be thread-hijacking prompted the first few messages to that effect. Taken all together, they might well have been a tad much, I'll give you that. And I for one believe you when you say that you did no such thing intentionally.
If it happens again (spontaneously hijacking a thread through no action of yours) one should perhaps look at what could be causing it. Other than that, why not just move on to the next question? We'll be happy to have you around;) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mgt at stellarcore.net Sat Oct 14 16:54:27 2006 From: mgt at stellarcore.net (Mike Tremaine) Date: Sat Oct 14 16:54:52 2006 Subject: Razor2 Solaris and hostname Message-ID: <45310833.90802@stellarcore.net> I have one last problem on this setup it seems [and I haven't totally isolated it but] whenever razor2 plugin detects a spam it resets the hostname to --fqdn under Solaris 10. Using Razor2-2.82 Mailscanner-4.56.7 and Spamassassin 3.1.6 and Perl 5.8.4 Anyone else having this problem? -Mike From marco at uNiXpSyChO.com Sat Oct 14 17:24:29 2006 From: marco at uNiXpSyChO.com (uNiXpSyChO) Date: Sat Oct 14 17:27:13 2006 Subject: Razor2 Solaris and hostname In-Reply-To: <45310833.90802@stellarcore.net> References: <45310833.90802@stellarcore.net> Message-ID: Mike Tremaine wrote: > > I have one last problem on this setup it seems [and I haven't totally > isolated it but] whenever razor2 plugin detects a spam it resets the > hostname to --fqdn under Solaris 10. Using Razor2-2.82 > Mailscanner-4.56.7 and Spamassassin 3.1.6 and Perl 5.8.4 > > Anyone else having this problem? > > -Mike set your hostname on the system to include fqdn in /etc/nodename and /etc/hostname.bge0 (or whichever interface). i believe there was a bug in Sys::Hostname::Long or something like that. i thought i read somewhere it being fixed in new versions. From shuttlebox at gmail.com Sat Oct 14 18:19:48 2006 
From: shuttlebox at gmail.com (shuttlebox) Date: Sat Oct 14 18:19:52 2006 Subject: Logs as localhost In-Reply-To: References: <45305281.2020806@stellarcore.net> Message-ID: <625385e30610141019l55288289t6f9fda56f932acd1@mail.gmail.com> On 10/14/06, René Berber wrote: > It's a known bug/feature on Solaris, there's even a bug report about this for > Sys::Syslog. > > I have changed it to report in the normal format, just change a couple of lines > in MailScanner/lib/MailScanner/Log.pm : > > line 39 - > use Sys::Syslog qw(:DEFAULT setlogsock); > > line 71 - > Sys::Syslog::setlogsock('native'); It happens with Solaris 9 also. I tested native but changed it back to save space, I feel no need to see the id and log level on every line and it increases the chance of getting a truncated log line. -- /peter From shuttlebox at gmail.com Sat Oct 14 18:23:03 2006 From: shuttlebox at gmail.com (shuttlebox) Date: Sat Oct 14 18:23:07 2006 Subject: Razor2 Solaris and hostname In-Reply-To: References: <45310833.90802@stellarcore.net> Message-ID: <625385e30610141023v39d82870q99a2750b8433b3e8@mail.gmail.com> On 10/14/06, uNiXpSyChO wrote: > set your hostname on the system to include fqdn in /etc/nodename and > /etc/hostname.bge0 (or whichever interface). i believe there was a bug > in Sys::Hostname::Long or something like that. i thought i read > somewhere it being fixed in new versions. Would that help? The bug is that Solaris doesn't support the -fqdn option and sets the hostname to just that instead. It's fixed in the current release (1.4). -- /peter From mgt at stellarcore.net Sat Oct 14 18:27:21 2006
From: mgt at stellarcore.net (Mike Tremaine) Date: Sat Oct 14 18:27:39 2006 Subject: Razor2 Solaris and hostname In-Reply-To: <45310833.90802@stellarcore.net> References: <45310833.90802@stellarcore.net> Message-ID: <45311DF9.5000300@stellarcore.net> >> >> I have one last problem on this setup it seems [and I haven't totally >> isolated it but] whenever razor2 plugin detects a spam it resets the >> hostname to --fqdn under Solaris 10. Using Razor2-2.82 >> Mailscanner-4.56.7 and Spamassassin 3.1.6 and Perl 5.8.4 > set your hostname on the system to include fqdn in /etc/nodename and > /etc/hostname.bge0 (or whichever interface). i believe there was a bug > in Sys::Hostname::Long or something like that. i thought i read > somewhere it being fixed in new versions. That got it thanks. [Or more specifically I had to issue a "hostname host.domain.net" even after manually setting /etc/hostname.hme0 and /etc/nodename] -Mike From MailScanner at ecs.soton.ac.uk Sat Oct 14 18:32:41 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Oct 14 18:32:55 2006 Subject: Razor2 Solaris and hostname In-Reply-To: <625385e30610141023v39d82870q99a2750b8433b3e8@mail.gmail.com> References: <45310833.90802@stellarcore.net> <625385e30610141023v39d82870q99a2750b8433b3e8@mail.gmail.com> Message-ID: <45311F39.2030101@ecs.soton.ac.uk> shuttlebox wrote: > On 10/14/06, uNiXpSyChO wrote: >> set your hostname on the system to include fqdn in /etc/nodename and >> /etc/hostname.bge0 (or whichever interface). i believe there was a bug >> in Sys::Hostname::Long or something like that. i thought i read >> somewhere it being fixed in new versions. > > Would that help? The bug is that Solaris doesn't support the -fqdn > option and sets the hostname to just that instead. It's fixed in the > current release (1.4). > Yes, you need the latest version of Sys::Hostname::Long or else you need to find it and edit it so it doesn't attempt to run the "hostname" command, which is a really dumb way of doing it in my book anyway. But I guess it mostly works. Shame the author had never used anything except Linux :-( Jules -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From colin at mainline.co.uk Sat Oct 14 20:17:40 2006
From: colin at mainline.co.uk (Colin Jack) Date: Sat Oct 14 20:17:49 2006 Subject: Whitelist rules Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Glenn Steen > Sent: 14 October 2006 11:25 > To: MailScanner discussion > Subject: Re: Whitelist rules > > On 13/10/06, Colin Jack wrote: > > > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > > Martin Hepworth > > > Sent: Friday, October 13, 2006 10:44 AM > > > To: MailScanner discussion > > > Subject: Re: Whitelist rules > > > > > > Colin Jack wrote: > > > >> -----Original Message----- > > > >> From: mailscanner-bounces@lists.mailscanner.info > > > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of > > > >> mikea > > > >> Sent: Thursday, October 12, 2006 7:53 PM > > > >> To: MailScanner discussion > > > >> Subject: Re: Whitelist rules > > > >> > > > >> On Thu, Oct 12, 2006 at 06:44:47PM +0100, Colin Jack wrote: > > > >> > > > >>>> -----Original Message----- 
> > > >>>> From: mailscanner-bounces@lists.mailscanner.info > > > >>>> [mailto:mailscanner-bounces@lists.mailscanner.info] > On Behalf > > > >>>> Of Joost Waversveld > > > >>>> Sent: Thursday, October 12, 2006 3:07 PM > > > >>>> To: MailScanner discussion > > > >>>> Subject: Re: Whitelist rules > > > >>>> > > > >>>> No, you're wrong... ;-) You can use wildcards just the > > > >> way you said. > > > >>>> Keep in mind that the mail will get scanned, but will be > > > >> delivered > > > >>>> as normal, regardless of the score the message get. > > > >>>> > > > >>>> Regards, > > > >>>> > > > >>>> Joost Waversveld > > > >>>> > > > >>>> Colin Jack wrote: > > > >>>>> Please could someone give me a pointer > > > >>>>> > > > >>>>> I want to allow all mail for particular domain through > > > >>>> without being > > > >>>>> scanned. > > > >>>>> Am I right in saying that I cannot use wildcards in the > > > >>>>> spam.whitelist.rules like > > > >>>>> > > > >>>>> FromOrTo: *@domain.com yes > > > >>>>> > > > >>>>> If so, how do I do it? > > > >>>>> > > > >>>>> Many thanks > > > >>>>> > > > >>>>> Colin > > > >>> Thanks ... well that makes life easier :) > > > >>> > > > >>> They are particularly keen that their mail shouldn't be > > > >> {disarmed} ... > > > >>> will this work this way? > > > >> That's what I see here: whitelisted mail gets scanned, but > > > there are > > > >> no changes made to the mail, possibly excepting an > > > additional header. > > > >> > > > >> -- > > > >> Mike Andrews, W5EGO > > > >> mikea@mikea.ath.cx > > > >> Tired old sysadmin > > > >> -- > > > > > > > > Okay ... that's cool ... except > > > > > > > > I did that last night and then this morning I had clients > > > complaining > > > > that the server was very slow and a quick 'ps aux' showed > > > hundreds of > > > > procmail processes for this particular domain just > sitting there!! > > > > > > > > Commented out the change and restarted MailScanner and all > > > okay again? > > > > Any ideas? 
> > > > > > > > Thanks > > > > > > > > Colin > > > > > > > > > > Procmail????? that's way after MS has anything to do with > the email.. > > > > > > I'd check the procmail rules... > > > > > > -- > > > Martin Hepworth > > > Senior Systems Administrator > > > Solid State Logic > > > Tel: +44 (0)1865 842300 > > > > > > > Okay thanks ... just seemed odd that it was only this domain which > > seemed to be having problems. > > > > Probably a coincidence ... I will check it out. > > > > Regards > > > > Colin > Sounds like your procmail rules are depending on information > added by MailScanner.... Which doesn't get added when > whitelisting like this. > > -- > -- Glenn Great thanks Glenn - I will check that out. That would make sense. Regards Colin From MailScanner at ecs.soton.ac.uk Sat Oct 14 21:37:38 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Oct 14 21:37:52 2006 Subject: Anyone using FuzzyOCR? In-Reply-To: <71437982F5B13A4D9A5B2669BDB89EE40765C5DC@ISS-CL-EX-V1.soton.ac.uk> References: <71437982F5B13A4D9A5B2669BDB89EE40765C5DC@ISS-CL-EX-V1.soton.ac.uk> Message-ID: <45314A92.3070708@ecs.soton.ac.uk> I have spoken to other people who have tried FuzzyOCR and have found Imageinfo much more useful. FuzzyOCR is reckoned to be very high on resources and very slow, of the order of several seconds per message. The opinion from other people I have spoken to seems to be that it is not worth it. But that's my opinion, Gary.... (along with Steve Freegard of MailWatch fame and Anthony of milter.org fame). Pentland G. wrote: > All, > > I'm trialling FuzzyOCR and having mixed results. > > Are any of you using this and what have you found? Good and bad, I'm > interested. > > Thanks, > > Gary > > > Jules -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk From mailscanner at barendse.to Sun Oct 15 11:11:53 2006
From: mailscanner at barendse.to (Remco Barendse) Date: Sun Oct 15 11:11:58 2006 Subject: Some spam mails do not trigger anything? Message-ID: Hi list! I'm a bit puzzled. Every day some spam mails are getting through without triggering anything in SA. I'm using SpamAss 3.1.7 with DCC, Razor and Pyzor2, and I have the following lists in my MailScanner.conf: Spam List = ORDB-RBL SBL+XBL spamcop.net NJABL I got an e-mail this morning for example: X-nu-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=4.726, required 6, BAYES_99 3.50, EXTRA_MPART_TYPE 1.09, FORGED_RCVD_HELO 0.14) This one triggered BAYES_99 but some do not even hit that. Is anyone else seeing this? I am logging all spam messages to a mail account and I can see that all things seem to be working. Also is it correct that only the first MailScanner checks the mail for hits on ORDB-RBL SBL+XBL spamcop.net NJABL etc. and subsequent passes through MS on other servers do not do this check again? Thanks :) From csweeney at osubucks.org Sun Oct 15 14:59:35 2006
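As an added example (not part of the thread and not MailScanner code), the SpamCheck value quoted in the message above can be parsed to show how far below the threshold the message landed and which rules carried the score. The class and function names are assumptions made for this example; `required` and `requis` are the report strings that appear in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the header value quoted in the message above.
SAMPLE = ("not spam, SpamAssassin (not cached, score=4.726, required 6, "
          "BAYES_99 3.50, EXTRA_MPART_TYPE 1.09, FORGED_RCVD_HELO 0.14)")

REPORT_RE = re.compile(r"^(?P<verdict>.*?),\s*SpamAssassin\s*\((?P<body>.*)\)\s*$")
# "required" and "requis" are the two strings seen in this thread; any other
# localised report wording would have to be added here.
REQUIRED_RE = re.compile(r"^(?:required|requis)\s+(-?\d+(?:\.\d+)?)$")
RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)$")


@dataclass
class SpamCheck:
    verdict: str
    cached: Optional[bool]
    score: float
    required: float
    autolearn: Optional[str] = None
    rules: Dict[str, float] = field(default_factory=dict)
    unknown: List[str] = field(default_factory=list)

    @property
    def margin(self) -> float:
        """Points still missing before the message would be tagged as spam."""
        return self.required - self.score

    @property
    def rule_total(self) -> float:
        return sum(self.rules.values())

    def consistent(self) -> bool:
        """Rule scores are printed to two decimals, so allow 0.005 per rule."""
        return abs(self.rule_total - self.score) <= 0.005 * max(len(self.rules), 1)

    def tipped_by(self, extra_points: float) -> bool:
        """Would one more hit worth extra_points have crossed the threshold?"""
        return self.score + extra_points >= self.required


def parse_spamcheck(value: str) -> SpamCheck:
    m = REPORT_RE.match(value.strip())
    if not m:
        raise ValueError("not a SpamAssassin SpamCheck report")
    cached = score = required = autolearn = None
    rules: Dict[str, float] = {}
    unknown: List[str] = []
    for token in (t.strip() for t in m.group("body").split(",")):
        if token in ("cached", "not cached"):
            cached = token == "cached"
        elif token.startswith("score="):
            score = float(token[len("score="):])
        elif token.startswith("autolearn="):
            autolearn = token[len("autolearn="):]
        elif REQUIRED_RE.match(token):
            required = float(REQUIRED_RE.match(token).group(1))
        elif RULE_RE.match(token):
            name, points = RULE_RE.match(token).groups()
            rules[name] = float(points)
        elif token:
            unknown.append(token)  # keep anything unrecognised for inspection
    if score is None or required is None:
        raise ValueError("report lacks a score or a required threshold")
    return SpamCheck(m.group("verdict").strip(), cached, score, required,
                     autolearn, rules, unknown)


if __name__ == "__main__":
    report = parse_spamcheck(SAMPLE)
    print(f"{report.verdict}: {report.score} of {report.required}, "
          f"short by {report.margin:.3f}")
    for name, points in sorted(report.rules.items(), key=lambda kv: -kv[1]):
        print(f"  {name:20s} {points:5.2f}")
```

Run over a mailbox of missed spam, the `margin` values show whether messages are narrowly under the threshold (as this one is) or hitting almost no rules at all.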
From: csweeney at osubucks.org (Chris Sweeney) Date: Sun Oct 15 14:59:56 2006 Subject: Anyone using FuzzyOCR? In-Reply-To: <45314A92.3070708@ecs.soton.ac.uk> References: <71437982F5B13A4D9A5B2669BDB89EE40765C5DC@ISS-CL-EX-V1.soton.ac.uk> <45314A92.3070708@ecs.soton.ac.uk> Message-ID: <45323EC7.5080905@osubucks.org> The only reason I haven't tried Imageinfo is, if I understand how it works it seems it would cause a lot of false positives if you have people sending pictures in the email. People sharing pictures might not like this. I would really like to find a good fix as the amount of image SPAM getting in now, it's getting very bad. Julian Field wrote: > I have spoken to other people who have tried FuzzyOCR and have found > Imageinfo much more useful. FuzzyOCR is reckoned to be very high on > resources and very slow, of the order of several seconds per message. > The opinion from other people I have spoken to seems to be that it is > not worth it. > > But that's my opinion, Gary.... (along with Steve Freegard of MailWatch > fame and Anthony of milter.org fame). > > Pentland G. wrote: > >> All, > >> > >> I'm trialling FuzzyOCR and having mixed results. > >> > >> Are any of you using this and what have you found? Good and bad, I'm > >> interested. > >> > >> Thanks, > >> > >> Gary > >> > >> > >> > > Jules > From brose at med.wayne.edu Sun Oct 15 17:42:22 2006
From: brose at med.wayne.edu (Rose, Bobby) Date: Sun Oct 15 17:42:42 2006 Subject: Anyone using FuzzyOCR? In-Reply-To: <45314A92.3070708@ecs.soton.ac.uk> Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B4888B7@MED-CORE03-MS1.med.wayne.edu> I've been using it for a while now and it hasn't been that bad. Note that it's configured to have a low SA priority so it's the last plugin called and also to be skipped if the message already has a sufficient spamscore. The default is 10 but I changed it to 8 in the cf so that it matched my MailScanner configs. It has been good at catching those animated spam gifs. I also use imageinfo but it does lead to many false positives so I had to lower the scores on it. Imageinfo is good for the layered images spams since you will hardly find regular email users doing that. -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Saturday, October 14, 2006 4:38 PM To: MailScanner discussion Subject: Re: Anyone using FuzzyOCR? I have spoken to other people who have tried FuzzyOCR and have found Imageinfo much more useful. FuzzyOCR is reckoned to be very high on resources and very slow, of the order of several seconds per message. The opinion from other people I have spoken to seems to be that it is not worth it. But that's my opinion, Gary.... (along with Steve Freegard of MailWatch fame and Anthony of milter.org fame). Pentland G. wrote: > All, > > I'm trialling FuzzyOCR and having mixed results. > > Are any of you using this and what have you found? Good and bad, I'm > interested. > > Thanks, > > Gary > > > Jules -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From csweeney at osubucks.org Sun Oct 15 19:00:23 2006
From: csweeney at osubucks.org (Chris Sweeney) Date: Sun Oct 15 19:00:41 2006 Subject: Anyone using FuzzyOCR? In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B4888B7@MED-CORE03-MS1.med.wayne.edu> References: <8F2A53954C22554EB75D9643FCCE0C6B4888B7@MED-CORE03-MS1.med.wayne.edu> Message-ID: <45327737.3000606@osubucks.org> Skipped content of type multipart/alternative From ugob at camo-route.com Sun Oct 15 19:33:45 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Sun Oct 15 19:34:12 2006 Subject: In Log Watch In-Reply-To: <200610140841.k9E8f2FF018445@balita.ph> References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com> <200610140309.k9E39kvD003754@balita.ph> <200610140841.k9E8f2FF018445@balita.ph> Message-ID: Wayne wrote: > At 04:37 14/10/2006, you wrote: > > I certainly _never_ hi-jacked any thread I asked a legitimate question - > next thing I know I am jumped on and accused of something I did not do. > I have been an alpha and beta tester of LSoft's Listserv for many years > now and a list owner for as many. Ok, ok, calm down. Just have a look here http://thread.gmane.org/gmane.mail.virus.mailscanner/35703/focus=45053 You'll see that your post "In Log Watch" is under the "URIBL not as effective as it was". So we see it as hijacked. You didn't do it? Fine, no problem, I don't know what happened then, and as I said in my previous post, if you didn't do it, then don't worry and let's go on... Ugo From brose at med.wayne.edu Sun Oct 15 20:52:28 2006
From: brose at med.wayne.edu (Rose, Bobby) Date: Sun Oct 15 20:52:41 2006 Subject: Anyone using FuzzyOCR? In-Reply-To: <45327737.3000606@osubucks.org> Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B4888B8@MED-CORE03-MS1.med.wayne.edu> FuzzyOCR doesn't care about pictures, only text. It's scanning the image for text and then fuzzyocr will then regex the text to see if any of the words match those that you have fuzzyocr configured to look for. The more words then the greater the score. So unless they are putting words in their pictures fuzzyocr won't care. Imageinfo might cause you problems but it does consist of various tests and you can always disable those that give you problems like the single image of such and such size. The layering tests are still good. That is where the spammer has multiple images and uses html formatting to piece the individual images together to form a bigger picture. ________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Sweeney Sent: Sunday, October 15, 2006 2:00 PM To: MailScanner discussion Subject: Re: Anyone using FuzzyOCR? I want to use some sort of filtering for image spam as it keeps getting worse and worse, but I host email for a lot of realtors and they do a lot of emailing of pictures for BPO's clients, etc. I am concerned that these will get scored too high and get blocked. What is your take on that? Thanks Rose, Bobby wrote: > I've been using it for a while now and it hasn't been that bad. Note > that it's configured to have a low SA priority so it's the last plugin > called and also to be skipped if the message already has a sufficient > spamscore. The default is 10 but I changed it to 8 in the cf so that it > matched my MailScanner configs. It has been good at catching those > animated spam gifs. > > I also use imageinfo but it does lead to many false positives so I had > to lower the scores on it. Imageinfo is good for the layered images > spams since you will hardly find regular email users doing that. > > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Saturday, October 14, 2006 4:38 PM > To: MailScanner discussion > Subject: Re: Anyone using FuzzyOCR? > I have spoken to other people who have tried FuzzyOCR and have found Imageinfo much more useful. FuzzyOCR is reckoned to be very high on resources and very slow, of the order of several seconds per message. The opinion from other people I have spoken to seems to be that it is not worth it. But that's my opinion, Gary.... (along with Steve Freegard of MailWatch fame and Anthony of milter.org fame). Pentland G. wrote: >> All, >> >> I'm trialling FuzzyOCR and having mixed results. >> >> Are any of you using this and what have you found? Good and bad, I'm >> interested. >> >> Thanks, >> >> Gary >> >> >> Jules -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk From itdept at fractalweb.com Sun Oct 15 23:42:38 2006
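An added example, not FuzzyOCR's own code: the behaviour Bobby Rose describes in the messages above (match the text extracted from an image against a configured word list, score by how many words hit, and skip the costly OCR step when the message already scores high enough), with Python's `difflib` standing in for the approximate matching. The word list, the two OCR texts, the match ratio and the score values are constructed assumptions; the skip threshold of 8 is the value given in the thread.

```python
import re
from difflib import SequenceMatcher

# Constructed word list and OCR outputs (assumptions for this example).
WORDLIST = ("stock", "symbol", "price", "target", "investor")
SPAM_OCR = ("H0T ST0CK ALERT symb0l: XYZQ current pr1ce 0.45 "
            "target prlce 2.10 invest0rs act n0w")
REALTOR_OCR = "Asking price 249,000 - 3 bed 2 bath - open house Sunday"


def fuzzy_hits(ocr_text, wordlist=WORDLIST, min_ratio=0.75):
    """Return the configured words that approximately occur in the OCR text.

    OCR of obfuscated images yields near-misses such as 'st0ck', so each
    token is compared by similarity ratio rather than exact equality.
    """
    tokens = set(re.findall(r"[a-z0-9]+", ocr_text.lower()))
    hits = []
    for word in wordlist:
        if any(SequenceMatcher(None, word, tok).ratio() >= min_ratio
               for tok in tokens):
            hits.append(word)
    return hits


def ocr_score(hits, min_hits=2, base=3.0, per_extra=1.0):
    """More matched words give a greater score; a lone hit scores nothing.

    Requiring min_hits keeps an ordinary picture that happens to contain
    one listed word (a house listing with 'price') from being penalised.
    """
    n = len(hits)
    if n < min_hits:
        return 0.0
    return base + (n - min_hits) * per_extra


def run_ocr_stage(current_score, ocr, skip_at=8.0):
    """Run OCR last, and only when the earlier tests have not already decided.

    ocr is a callable returning the extracted text, so the expensive step
    is never invoked for messages at or above skip_at.
    Returns (new_score, matched_words).
    """
    if current_score >= skip_at:
        return current_score, []
    hits = fuzzy_hits(ocr())
    return current_score + ocr_score(hits), hits


if __name__ == "__main__":
    for label, score, text in (("image spam", 2.5, SPAM_OCR),
                               ("realtor photo", 0.5, REALTOR_OCR)):
        new_score, hits = run_ocr_stage(score, lambda t=text: t)
        print(f"{label}: {score} -> {new_score} (matched: {hits})")
```

Lowering `min_ratio` catches more obfuscation but also more innocent look-alikes, which is the false-positive trade-off raised in the thread.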
From: itdept at fractalweb.com (Chris Yuzik) Date: Sun Oct 15 23:42:45 2006 Subject: need help modifying shell script Message-ID: <4532B95E.5040105@fractalweb.com> Hi guys and gals, While I'm not bad at Perl, I admit that I suck at bash shell scripting. Here's the scoop. As I discovered and pointed out in a previous thread, some mail is being picked up by sendmail and sneaking right through the spam/virus checks and getting plopped into the users' mailboxes. Obviously not a good situation. I've attached a zip that contains the existing MailScanner_app_init that's currently running on the system, as well as the new one from the rpm. I've also included sendmail_app_init that came with the system. I've tried stopping sendmail, then disabling the sendmail_app_init script and starting MailScanner from MailScanner_app_init_rpmnew but mail can't get in to the server. The problem I'm having is that the existing MailScanner_app_init doesn't start up the necessary sendmail daemon to listen for incoming email on port 25; that seems to happen in sendmail_app_init. The MailScanner_app_init_rpmnew does say it starts sendmail, but doesn't start anything that listens for incoming mail (kind of an important part for a mail server :). I presume I just need to find the part of sendmail_app_init that starts the sendmail daemon listening on port 25 and insert that line (or lines) into the MailScanner_app_init_rpmnew file and using that instead of the stock one. Problem is, I'm going bleary-eyed trying to figure this out and I think I'm gonna break something baaad. If any of you are good at shell scripting, I would really appreciate some help. Thanks, Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: relevant files.zip Type: application/x-zip-compressed Size: 6276 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061015/f25bccc6/relevantfiles.bin From paul at welshfamily.com Mon Oct 16 00:34:13 2006 
From: paul at welshfamily.com (Paul Welsh) Date: Mon Oct 16 00:34:42 2006 Subject: Which spam stats package? In-Reply-To: <200610131656.k9DGuN9e029817@bkserver.blacknight.ie> Message-ID: <200610152334.k9FNYftY020298@bkserver.blacknight.ie> > -----Original Message----- > Date: Fri, 13 Oct 2006 11:10:18 -0400 > From: Denis Beauchemin > Subject: Re: Which spam stats package? > To: MailScanner discussion > > I wrote the following Perl script. Might be useful for you too. Hi Denis I modified the following 2 lines of your Perl script: #my $isSpamString = "est un polluriel, SpamAssassin"; my $isSpamString = "is spam, SpamAssassin"; my $scoreString = "score="; #my $reqdString = "requis "; my $reqdString = "required "; my $autoString = "autolearn=spam"; my $cachedString = "cached, "; my $nCachedString = "not cached, "; I changed MailScanner.conf to change: log spam = yes However, when I run sa-hits, I just get this: # ./sa-hits Maillogs: /var/log/maillog Processing /var/log/maillog... Excuse my ignorance, but what am I missing? From pete at enitech.com.au Mon Oct 16 01:43:06 2006 From: pete at enitech.com.au (Peter Russell) Date: Mon Oct 16 01:43:16 2006 Subject: Which spam stats package? In-Reply-To: <200610152334.k9FNYftY020298@bkserver.blacknight.ie> References: <200610152334.k9FNYftY020298@bkserver.blacknight.ie> Message-ID: <4532D59A.2000004@enitech.com.au> Does the account you are running your script under have read access to the maillog? Paul Welsh wrote: >> -----Original Message----- >> Date: Fri, 13 Oct 2006 11:10:18 -0400 
>> From: Denis Beauchemin >> Subject: Re: Which spam stats package? >> To: MailScanner discussion >> >> I wrote the following Perl script. Might be useful for you too. > > Hi Denis > > I modified the following 2 lines of your Perl script: > > #my $isSpamString = "est un polluriel, SpamAssassin"; > my $isSpamString = "is spam, SpamAssassin"; > my $scoreString = "score="; > #my $reqdString = "requis "; > my $reqdString = "required "; > my $autoString = "autolearn=spam"; > my $cachedString = "cached, "; > my $nCachedString = "not cached, "; > > I changed MailScanner.conf to change: > log spam = yes > > However, when I run sa-hits, I just get this: > > # ./sa-hits > Maillogs: /var/log/maillog > Processing /var/log/maillog... > > Excuse my ignorance, but what am I missing? > From pete at enitech.com.au Mon Oct 16 02:06:00 2006 
From: pete at enitech.com.au (Peter Russell) Date: Mon Oct 16 02:06:45 2006 Subject: Mail Logs (OT) In-Reply-To: <223f97700610140319l4e9245bcpa92429b19a506142@mail.gmail.com> References: <452F31DC.50406@enitech.com.au> <42216.194.70.180.170.1160730012.squirrel@www.technologytiger.net> <223f97700610140319l4e9245bcpa92429b19a506142@mail.gmail.com> Message-ID: <4532DAF8.3080701@enitech.com.au> For anyone else who may be keen, awstats does a pretty great job of capturing and storing stats and i have had it running for ages and completely forgot about it, launch the GUI to awstats and voila, 12+ months of detailed mail stats...no spam stats but that's cool mailwatch has all the spam stats. Glenn Steen wrote: > On 13/10/06, Drew Marshall wrote: >> On Fri, October 13, 2006 07:27, Peter Russell wrote: >> > Hi there, i have mailscanner, postfix, and mailwatch. >> > >> > What i would like to be able to easily see is all of the mail stats. >> > Because we block a lot of mail at the MTA using recipient maps we have >> > heaps of stats in the maillog that don't make it to mailwatch. >> > >> > Is there any tool that will show me all of the spam, high spam, >> viruses, >> > rejected by MTA and delivered type stats? >> >> Have a look at pflogsumm http://jimsun.linxnet.com/postfix_contrib.html > > I use this (in conjunction with MailWatch one get a good grip on > things). It doesn't handle the HOLD construct very well, and if you > (like me) have maillogs split into separate info, warning and error > files then you'll need look at some other logfile (that has them all > in sequence) like syslog... > Other than that, it works very well. I post the logs through a very > ugly/simplistic php hack, so the PHB/windoze disabled colleagues can > look at it too:-). I run a daily and a weekly summary from cron that > dump the textfiles into the published directory... And the hack just > display them. Pretty much like the CGI you can find through Jimsun.... > I just missed it:-).
Can probably clean it a bit and share upon > request. > >> There are others listed at http://www.postfix.org/addon.html which might >> also give you the details you want. > > I looked at a lot of those (anteater, isoqlog etc etc) and most work > pretty badly when taking the HOLD thing into account. And pflogsumm > gives the best (most relevant) results IMO. > From r.berber at computer.org Mon Oct 16 02:21:30 2006 
From: r.berber at computer.org (René Berber) Date: Mon Oct 16 02:21:46 2006 Subject: need help modifying shell script In-Reply-To: <4532B95E.5040105@fractalweb.com> References: <4532B95E.5040105@fractalweb.com> Message-ID: Chris Yuzik wrote: [snip] > I've tried stopping sendmail, then disabling the sendmail_app_init > script and starting MailScanner from MailScanner_app_init_rpmnew but > mail can't get in to the server. Are you sure? The file you sent as MailScanner_app_init_rpmnew.txt seems good and complete. If you disabled the other 2 scripts, the _rpmnew should do the job: line 135 starts first sendmail (listening on port 25 unless you changed the .mc file and/or /etc/sysconfig/MailScanner); line 141 starts the second sendmail; line 184 starts the outgoing sendmail. > The problem I'm having is that the existing MailScanner_app_init doesn't > start up the necessary sendmail daemon to listen for incoming email on > port 25; that seems to happen in sendmail_app_init. Correct, that can be seen from the other 2 scripts, but those should not be used. > The > MailScanner_app_init_rpmnew does say it starts sendmail, but doesn't > start anything that listens for incoming mail (kind of an important part > for a mail server :). [snip] Check other changes somewhere else, the script as I said looks good. The only place I can think of that could have something wrong is /etc/sysconfig/MailScanner, look for something like -O DaemonPortOptions= and Port=? (which would be unusual but could have been used as a test). Or a better test is to see what ports is sendmail listening to after starting with that rpmnew script (it should listen to 25, 587 and perhaps 465). Use "lsof -i tcp:smtp" and "lsof -p `pidof sendmail`" -- René Berber From res at ausics.net Mon Oct 16 02:55:21 2006
From: res at ausics.net (Res) Date: Mon Oct 16 02:55:43 2006 Subject: Mail Logs (OT) In-Reply-To: <4532DAF8.3080701@enitech.com.au> References: <452F31DC.50406@enitech.com.au> <42216.194.70.180.170.1160730012.squirrel@www.technologytiger.net> <223f97700610140319l4e9245bcpa92429b19a506142@mail.gmail.com> <4532DAF8.3080701@enitech.com.au> Message-ID: On Mon, 16 Oct 2006, Peter Russell wrote: > For anyone else who may be keen, awstats does a pretty great job of capturing > and storing stats and i have had it running for ages and completely forgot > about it, launch the GUI to awstats and voila, 12+ months of details mail awstats, that's scary, given the security issues that always pop up. mailscanner-mrtg works well. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From itdept at fractalweb.com Mon Oct 16 02:57:28 2006 
From: itdept at fractalweb.com (Chris Yuzik) Date: Mon Oct 16 02:57:46 2006 Subject: Spam Re: need help modifying shell script In-Reply-To: References: <4532B95E.5040105@fractalweb.com> Message-ID: <4532E708.8090302@fractalweb.com> Hi René, Thank you for your help. I've never used the lsof command, so learned a couple of things from your message. Apparently, you're right. The rpmnew file DOES indeed start sendmail listening on port 25, as expected. I guess what isn't working is that the sendmail it starts doesn't seem to interface with PAM or something. So, if I issue the following commands: service sendmail start service MailScanner start Then all is well. However... service sendmail stop service MailScanner_app_init_rpmnew start (I haven't replaced the old one with the one from the rpm yet) Then everything seems great UNTIL I try to send an email and it asks me for my password. If I put the correct password in, it says "nope, try again" (well, not exactly in those words, but you get the idea). So what is it that starts up in the stock sendmail service script that isn't getting started with the rpmnew MailScanner one? Thanks, Chris From ugob at camo-route.com Mon Oct 16 03:11:05 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Mon Oct 16 03:11:44 2006 Subject: [Fwd: clamav 0.88.5 released (Sun, 15 Oct 2006 22:36:01 GMT)] Message-ID: From febrianto at sioenasia.com Mon Oct 16 03:28:59 2006
From: febrianto at sioenasia.com (Budi Febrianto) Date: Mon Oct 16 03:24:31 2006 Subject: Might be tnef problem Message-ID: Dear Guru, After I upgraded to MailScanner 4.54.6-1 with the included tnef 1.4-1, some users started complaining that they received dat files that can't be opened. This never happened before with the previous version (at least no one reported to me if they had problems). They claim that they attached jpeg or gif files, and all files were received as dat files. My client is using lotus notes 6.5. If I run tnef manually, it gives a report 'Seems not to be a TNEF file'. I'm not sure if this is their problem or mine. Best Regards From febrianto at sioenasia.com Mon Oct 16 03:34:55 2006
From: febrianto at sioenasia.com (Budi Febrianto) Date: Mon Oct 16 03:30:25 2006 Subject: Upgrade spamassassin In-Reply-To: Message-ID: mailscanner-bounces@lists.mailscanner.info wrote on 10/13/2006 07:33:25 PM: > Martin Hepworth wrote: > > Budi Febrianto wrote: > >> Hi, > >> Today, I just upgraded spamassassin from 3.01 to 3.06 with yum (I'm using > >> Centos 4.0). > >> It cause around 30 errors in spamassassin --lint. > >> > >> Panic. > >> > >> Then I download the Install-Clam-SA, and do the install... it doing > >> great, > >> and spamassassin --lint doesn't give me any error. > >> > >> So, I'm planning to upgrade spamassassin to version 3.1.7 from the > >> source. > >> > >> Is there any special notes before I begin? Or should I wait for another > >> upgrade of Install-Clam-SA from MailScanner download page? > >> > >> Best regards > >> > > hmm I'd check where the yum install has put all the SA stuff as it tends > > to put in a different from the source/cpan install. > > > > you COULD end up with two SA configs installed and a confused system! > > > > In fact, removing the rpm would be better, then install from source or cpan. > > -- Yes, the rpm version is still available. I will remove it. I'm not sure, but after upgrading to version spamassassin 3.1.7 everything runs faster :). From febrianto at sioenasia.com Mon Oct 16 03:38:06 2006
From: febrianto at sioenasia.com (Budi Febrianto) Date: Mon Oct 16 03:33:35 2006 Subject: Upgrade spamassassin In-Reply-To: <452F9819.5050608@ecs.soton.ac.uk> Message-ID: mailscanner-bounces@lists.mailscanner.info wrote on 10/13/2006 08:43:53 PM: > The latest Install-Clam-SA includes the latest version of SpamAssassin > already. > > Budi Febrianto wrote: > > Hi, > > Today, I just upgraded spamassassin from 3.01 to 3.06 with yum (I'm using > > Centos 4.0). > > It cause around 30 errors in spamassassin --lint. > > > > Panic. > > > > Then I download the Install-Clam-SA, and do the install... it doing great, > > and spamassassin --lint doesn't give me any error. > > > > So, I'm planning to upgrade spamassassin to version 3.1.7 from the source. > > > > Is there any special notes before I begin? Or should I wait for another > > upgrade of Install-Clam-SA from MailScanner download page? > > > > Best regards > > > > > > Jules > > -- My mistake. Yes, it is spamassassin 3.1.7. But the link still said 'ClamAV 0.88.2 and SpamAssassin 3.1.3 easy installation package' so without checking I assumed it was the 3.1.3 version. Best Regards From r.berber at computer.org Mon Oct 16 03:41:57 2006
From: r.berber at computer.org (René Berber) Date: Mon Oct 16 03:42:09 2006 Subject: Spam Re: need help modifying shell script In-Reply-To: <4532E708.8090302@fractalweb.com> References: <4532B95E.5040105@fractalweb.com> <4532E708.8090302@fractalweb.com> Message-ID: Chris Yuzik wrote: [snip] > Apparently, you're right. The rpmnew file DOES indeed start sendmail > listening on port 25, as expected. I guess what isn't working is that > the sendmail it starts doesn't seem to interface with PAM or something. > So, if I issue the following commands: > > service sendmail start > service MailScanner start > > Then all is well. However... > > service sendmail stop > service MailScanner_app_init_rpmnew start (I haven't replaced the old > one with the one from the rpm yet) > > Then everything seems great UNTIL I try to send an email and it asks me > for my password. If I put the correct password in, it says "nope, try > again" (well, not exactly in those words, but you get the idea). > > So what is it that starts up in the stock sendmail service script that > isn't getting started with the rpmnew MailScanner one? One difference between those scripts is that the new one doesn't use /etc/sysconfig/sendmail, there could be some additional options in there. You'll probably get faster at the problem by looking at the mail log, is there a complaint when sendmail starts? what's the error when your password is not accepted? Is it normal that your server asks for a password when sending mail? If it is, then sendmail depends on saslauthd and I don't know how RedHat has that one configured, in Solaris I installed an independent (except that it starts earlier) start script... so you may see if saslauthd is running and if it's not then start it yourself and see if now sendmail accepts your password. -- René Berber From itdept at fractalweb.com Mon Oct 16 04:51:44 2006
From: itdept at fractalweb.com (Chris Yuzik) Date: Mon Oct 16 04:52:02 2006 Subject: need help modifying shell script In-Reply-To: References: <4532B95E.5040105@fractalweb.com> <4532E708.8090302@fractalweb.com> Message-ID: <453301D0.2010703@fractalweb.com> René Berber wrote: > One difference between those scripts is that the new one doesn't use > /etc/sysconfig/sendmail, there could be some additional options in there. > René, OK, now we might just be getting there. It's like fishing through spaghetti on this system. In MailScanner_app_init_rpmnew, I see that sendmail is /usr/sbin/sendmail. Upon visiting this dir, I see that /usr/sbin/sendmail is a symbolic link to /etc/alternatives/mta, which is a symbolic link to /usr/sbin/sendmail.sendmail (whew!). Now, /etc/sysconfig/sendmail is a non-executable text file that contains only the following two lines: DAEMON=yes QUEUE=1h Upon further investigation, I did the old "tail -f /var/log/maillog | grep sendmail" and issued the following command: #service sendmail start which resulted in the following relevant entries: Oct 15 20:41:33 ns1 sendmail[18795]: alias database /etc/aliases rebuilt by root Oct 15 20:41:33 ns1 sendmail[18795]: /etc/aliases: 111 aliases, longest 40 bytes, 2039 bytes total Oct 15 20:41:33 ns1 sm-acceptingconnections[18811]: starting daemon (8.12.11): SMTP+queueing@01:00:00 Oct 15 20:41:34 ns1 sm-scanner[18823]: starting daemon (8.12.11): queueing@01:00:00 Oct 15 20:41:34 ns1 sm-msp-queue[18835]: starting daemon (8.12.11): queueing@01:00:00 This is quite different from: # service MailScanner stop # service sendmail stop # service MailScanner start Which gives the following: Oct 15 20:44:19 ns1 sendmail[19318]: alias database /etc/aliases rebuilt by root Oct 15 20:44:19 ns1 sendmail[19318]: /etc/aliases: 111 aliases, longest 40 bytes, 2039 bytes total Oct 15 20:44:19 ns1 sendmail[19326]: starting daemon (8.12.11): SMTP Oct 15 20:44:19 ns1 sendmail[19335]: starting daemon (8.12.11): queueing@00:15:00
The obvious differences are the "sm-acceptingconnections", "sm-scanner", and "sm-msp-queue" I've tried stopping saslauthd, then starting MailScanner, then starting saslauthd, but it was no better; still asked for the user's password to send email, which is normal, but it couldn't recognize the correct password when it was given. I'm now stuck again, and hope that you can get out the ouija-board and get me to the next step. :-) Thanks, Chris From pete at enitech.com.au Mon Oct 16 05:09:26 2006 From: pete at enitech.com.au (Peter Russell) Date: Mon Oct 16 05:09:34 2006 Subject: OT: Preferred MTA? In-Reply-To: <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> References: <452E9482.6050307@USherbrooke.ca> <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net> <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> Message-ID: <453305F6.9050004@enitech.com.au> > CC > As long as Julian is willing to support Postfix, and please note that > there has mostly been "hot air" from the PF devels so far (not the > "roaring bonfire of hell" they've been promising with every new > version), I see no problem arising from the somewhat ... strained... > relations. > AFAICS, _all_ the features requested are supported (one way or > another) in PF 2.3. > Is there a simple way to split message to multiple recipients individual emails, yet? Do you think there ever will be? What is everyone else doing to avoid this nightmare? From r.berber at computer.org Mon Oct 16 05:16:26 2006 
From: r.berber at computer.org (René Berber) Date: Mon Oct 16 05:16:34 2006 Subject: need help modifying shell script In-Reply-To: <453301D0.2010703@fractalweb.com> References: <4532B95E.5040105@fractalweb.com> <4532E708.8090302@fractalweb.com> <453301D0.2010703@fractalweb.com> Message-ID: Chris Yuzik wrote: [snip] > OK, now we might just be getting there. It's like fishing through > spaghetti on this system. In MailScanner_app_init_rpmnew, I see that > sendmail is /usr/sbin/sendmail. Upon visiting this dir, I see that > /usr/sbin/sendmail is a symbolic link to /etc/alternatives/mta, which is > a symbolic link to /usr/sbin/sendmail.sendmail (whew!). Now, > /etc/sysconfig/sendmail is a non-executable text file that contains only > the following two lines: > > DAEMON=yes > QUEUE=1h Normal so far. > Upon further investigation, I did the old "tail -f /var/log/maillog | > grep sendmail" and issued the following command: > > #service sendmail start > > which resulted in the following relevant entries: > > Oct 15 20:41:33 ns1 sendmail[18795]: alias database /etc/aliases > rebuilt by root > Oct 15 20:41:33 ns1 sendmail[18795]: /etc/aliases: 111 aliases, > longest 40 bytes, 2039 bytes total > Oct 15 20:41:33 ns1 sm-acceptingconnections[18811]: starting daemon > (8.12.11): SMTP+queueing@01:00:00 > Oct 15 20:41:34 ns1 sm-scanner[18823]: starting daemon (8.12.11): > queueing@01:00:00 > Oct 15 20:41:34 ns1 sm-msp-queue[18835]: starting daemon (8.12.11): > queueing@01:00:00 > > This is quite different from: > > # service MailScanner stop > # service sendmail stop > # service MailScanner start > > Which gives the following: > > Oct 15 20:44:19 ns1 sendmail[19318]: alias database /etc/aliases > rebuilt by root > Oct 15 20:44:19 ns1 sendmail[19318]: /etc/aliases: 111 aliases, > longest 40 bytes, 2039 bytes total > Oct 15 20:44:19 ns1 sendmail[19326]: starting daemon (8.12.11): SMTP > Oct 15 20:44:19 ns1 sendmail[19335]: starting daemon (8.12.11): >
queueing@00:15:00 > > The obvious differences are the "sm-acceptingconnections", "sm-scanner", > and "sm-msp-queue" The rpmnew script uses -OProcessTitlePrefix= to set those names. > I've tried stopping saslauthd, then starting MailScanner, then starting > saslauthd, but it was no better; still asked for the user's password to > send email, which is normal, but it couldn't recognize the correct > password when it was given. And no output to the log? That would be unusual. > I'm now stuck again, and hope that you can get out the ouija-board and > get me to the next step. :-) Wild guess: saslauthd needs "sendmail" as process name, not "sm-acceptingconnections"... I've never changed the name of the process so I have no experience here. So, quick test time, edit rpmnew script and get rid of the option for the sm-acceptingconnections daemon. The alternative would be to create a link to the /usr/lib/sasl2/Sendmail.cf file with the funky names [but all this is just a wild guess, I really don't know what is going on]. -- René Berber From glenn.steen at gmail.com Mon Oct 16 07:24:03 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Oct 16 07:24:07 2006 Subject: OT: Preferred MTA? In-Reply-To: <453305F6.9050004@enitech.com.au> References: <452E9482.6050307@USherbrooke.ca> <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net> <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> <453305F6.9050004@enitech.com.au> Message-ID: <223f97700610152324n6b8d0a5bg61899131eab4ff3c@mail.gmail.com> On 16/10/06, Peter Russell wrote: > > > CC > > As long as Julian is willing to support Postfix, and please note that > > there has mostly been "hot air" from the PF devels so far (not the > > "roaring bonfire of hell" they've been promising with every new > > version), I see no problem arising from the somewhat ... strained... > > relations. > > AFAICS, _all_ the features requested are supported (one way or > > another) in PF 2.3. > > > Is there a simple way to split message to multiple recipients individual > emails, yet? Do you think there ever will be? > > What is everyone else doing to avoid this nightmare? If you deem my wiki entry to be too "nightmarish", then I cannot help you. If you've just missed it, go look at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient ... It looks worse than it is;-). Do pay attention to the changes needed to not unintentionally whitelist _every mail_ (you cannot whitelist 127.0.0.1 with this...), and the different solutions for releasing mails. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From vanhorn at whidbey.com Mon Oct 16 08:04:39 2006
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Mon Oct 16 08:04:52 2006 Subject: SMTP problem Message-ID: <45332F07.4090301@whidbey.com> Two weeks ago one of my servers was compromised and I had to rebuild it from the ground up. I jumped a couple of versions, installing Fedora Core 5. I dragged over my previous MailScanner directory and installed MailScanner 4.55-10.3. I was having some odd problems with not several SMTP servers failing to deliver mail, so after a couple of days of head scratching and with some help here on the list I switched to Postfix. The text of the error messages changed, but essentially the same servers would initiate an SMTP session and then never close it. Fearing that I may have caused some problems due to my unfamiliarity with Postfix I switched back to Sendmail, but after many hours of fighting the problem I still can't receive mail from several important mail servers. That is, from several servers that are important to users on the system. I'm pretty sure this isn't actually a MailScanner issue, but I figure that there are quite a few experts here, so I'd appreciate it if anyone has any idea of what I should be looking at. Below are four lines from maillog, each pair of lines indicate a message that never arrived. Any suggestions would be welcome. 
Van Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: timeout waiting for input from mail.networksolutionsemail.com during server cmd read Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: mail.networksolutionsemail.com [205.178.146.50] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA Oct 15 21:03:43 vanquish sendmail[14141]: k9G33hTX014141: timeout waiting for input from mailout.whidbey.net during server cmd read Oct 15 21:03:43 vanquish sendmail[14141]: k9G33hTX014141: mailout.whidbey.net [209.166.64.124] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ----------------------------------------------------------- From res at ausics.net Mon Oct 16 08:42:06 2006 
From: res at ausics.net (Res) Date: Mon Oct 16 08:42:14 2006 Subject: SMTP problem In-Reply-To: <45332F07.4090301@whidbey.com> References: <45332F07.4090301@whidbey.com> Message-ID: On Mon, 16 Oct 2006, G. Armour Van Horn wrote: > Two weeks ago one of my servers was compromised and I had to rebuild it > from the ground up. I jumped a couple of versions, installing Fedora > Core 5. I dragged over my previous MailScanner directory and installed > MailScanner 4.55-10.3. > > I was having some odd problems with not several SMTP servers failing to > deliver mail, so after a couple of days of head scratching and with some > help here on the list I switched to Postfix. The text of the error > messages changed, but essentially the same servers would initiate an > SMTP session and then never close it. > > Fearing that I may have caused some problems due to my unfamiliarity > with Postfix I switched back to Sendmail, but after many hours of > fighting the problem I still can't receive mail from several important > mail servers. That is, from several servers that are important to users > on the system. > > I'm pretty sure this isn't actually a MailScanner issue, but I figure > that there are quite a few experts here, so I'd appreciate it if anyone > has any idea of what I should be looking at. Below are four lines from > maillog, each pair of lines indicate a message that never arrived. Any > suggestions would be welcome. > > Van > > > Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: timeout > waiting for input from mail.networksolutionsemail.com during server cmd read > Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: > mail.networksolutionsemail.com [205.178.146.50] did not issue > MAIL/EXPN/VRFY/ETRN during connection to MTA I wish I could be so lucky as to have my MTA fail mail from those incompetent uncooperative @$$wipes at networksolutions... Have you recently made changes to any firewall rules? You are not denying icmp frag pkts are you?
if not, I doubt this is your problem to fix. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From wjohns at balita.ph Mon Oct 16 08:44:11 2006 From: wjohns at balita.ph (Wayne) Date: Mon Oct 16 08:44:15 2006 Subject: In Log Watch In-Reply-To: References: <200610131859.k9DIxnpV032695@balita.ph> <452FF82D.6050002@yeticomputers.com> <200610140309.k9E39kvD003754@balita.ph> <200610140841.k9E8f2FF018445@balita.ph> Message-ID: <200610160744.k9G7iAKR013160@balita.ph> At 19:33 15/10/2006, Ugo Bellavance wrote: Thanks Ugo I appreciate what you say but it seems every time I post a thread someone has some complaint about it - and I object to the threatening and abusive private emails (those responsible know who they are) ... so feel it better not to post ... just read. Matter closed as far as I am concerned Regards Wayne >Ok, ok, calm down. Just have a look here > >http://thread.gmane.org/gmane.mail.virus.mailscanner/35703/focus=45053 > >You'll see that your post "In Log Watch" is under the "URIBL not as >effective as it was". So we see it as hijacked. From shuttlebox at gmail.com Mon Oct 16 10:08:36 2006
From: shuttlebox at gmail.com (shuttlebox) Date: Mon Oct 16 10:08:40 2006 Subject: DoS lack of logs In-Reply-To: References: <625385e30610090417t65abb526i7635764bc8d50c84@mail.gmail.com> Message-ID: <625385e30610160208u31900ff6y47b27dece4dbb9fe@mail.gmail.com> On 10/9/06, Jim Holland wrote: > I am pretty sure that this is only a problem on older versions of > MailScanner and that if you update to the current version the problem will > disappear. Not only does the current version minimise the chances of a > denial of service problem occurring, but if it does occur it will also > report more helpfully: > > Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871 > > so that you know where the problem is. The problem message will then be > quarantined so that it can be dealt with manually if required and the rest > of the system will carry on without interference. I'm now running 4.56.8 and I don't get the above (crystal clear) log message, instead I get the old: Virus Scanning: Denial Of Service attack detected! There's no sign of it getting quarantined either, maybe it is but I can't tell from the logs. Every time I get a DoS attempt I want to check out the message because it's often legit mail causing it. A message like this would be helpful: Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871. Message quarantined. Then you know what happened to which message. -- /peter From wizard at jimhermann.com Mon Oct 16 12:16:08 2006 From: wizard at jimhermann.com (Jim Hermann) Date: Mon Oct 16 12:16:13 2006 Subject: Anyone using FuzzyOCR? In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B4888B7@MED-CORE03-MS1.med.wayne.edu> Message-ID: <021b01c6f114$7aea4050$c901a8c0@Dual> I just installed FuzzyOCR and it works for SpamAssassin. How do I get it to work for MailScanner? Jim > -----Original Message----- 
> From: Rose, Bobby [mailto:brose@med.wayne.edu] > Sent: Sunday, October 15, 2006 11:42 AM > To: MailScanner discussion > Subject: RE: Anyone using FuzzyOCR? > > I've been using it for a while now and it hasn't been that bad. Note > that it's configured to have a low SA priority so it's the last plugin > called and also to be skipped if the message already has a sufficient > spamscore. The default is 10 but I changed it to 8 in the cf > so that it > matched my MailScanner configs. It has been good at catching those > animated spam gifs. From andoni.auzmendi at robertwalters.com Mon Oct 16 12:25:04 2006 From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi) Date: Mon Oct 16 12:25:14 2006 Subject: Anyone using FuzzyOCR? Message-ID: <5450254EC7E7B54193C8AEFD904AA36325DB97@PAT.internal.robertwalters.com> Once it works for SpamAssassin you are sorted as Mailscanner uses SpamAssassin. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jim Hermann Sent: 16 October 2006 12:16 To: 'MailScanner discussion' Subject: RE: Anyone using FuzzyOCR? I just installed FuzzyOCR and it works for SpamAssassin. How do I get it to work for MailScanner? Jim > -----Original Message----- 
> From: Rose, Bobby [mailto:brose@med.wayne.edu] > Sent: Sunday, October 15, 2006 11:42 AM > To: MailScanner discussion > Subject: RE: Anyone using FuzzyOCR? > > I've been using it for a while now and it hasn't been that bad. Note > that it's configured to have a low SA priority so it's the last plugin > called and also to be skipped if the message already has a sufficient > spamscore. The default is 10 but I changed it to 8 in the cf > so that it > matched my MailScanner configs. It has been good at catching those > animated spam gifs. From mjthomas at thinkmcmillan.com Mon Oct 16 14:00:41 2006
From: mjthomas at thinkmcmillan.com (MJ Thomas) Date: Mon Oct 16 14:00:50 2006 Subject: Phishing & MailScanner has detected a possible fraud attemptfrom ... In-Reply-To: Message-ID: <008b01c6f123$1693eb60$2a01a8c0@thinkmcmillan.com.local> Thanks Scott, I realize the software is functioning as intended. What I was hoping to find out is whether there is a legitimate way to associate two domains so that the MailScanner software does not flag the link. Perhaps by making the dcm5.com domain Sender ID compliant? Cheers, ========================= MJ Thomas Technical Projects Lead McMillan T 613-789-1234 x296 mjthomas@thinkmcmillan.com thinkmcmillan.com ========================= -----Original Message-----
From: Scott Silva [mailto:ssilva@sgvwater.com] Sent: October 13, 2006 1:44 PM To: mailscanner@lists.mailscanner.info Subject: Re: Phishing & MailScanner has detected a possible fraud attemptfrom ... MJ Thomas spake the following on 10/13/2006 8:39 AM: > Hi, > > I have reviewed the MailScanner documentation and some of the support > lists, but I can't find an answer to my question. > > I am deploying an enewsletter for our client using 3rd party email > deployment software. In order to track links, the email deployment > software wraps the original HTTP links within a different URL. For example: > > target=_blank>www.thinkmcmillan.com > > For links like www.thinkmcmillan.com > , the following message is > displayed when the email is deployed to those email addresses who use > MailScanner: *MailScanner has detected a possible fraud attempt from > "dcm5.com" claiming to be* www.thinkmcmillan.com > . > > Does MailScanner have a recommendation on how to handle legitimate > wrappers that are used for tracking purposes? Is there some way of > associating dcm5.com and bridgewatersystems.com so MailScanner does > not flag this link as a possible fraud attempt? > > Thanks, > But that is exactly what the fraud detectors are supposed to do. It detects when the displayed url is different than the actual url. You would have to get the two url's (www.thinkmcmillan.com and dcm5.com) to match better, or convince Julian that it is legitimate so he can add it to his list of OK sites. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From P.G.M.Peters at utwente.nl Mon Oct 16 14:40:07 2006
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Mon Oct 16 14:40:12 2006 Subject: Mailscanner/Spam Assassin support for Microsoft IMF/SCL Spamscoring? In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0429535@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0429535@winchester.andrewscompanies.com> Message-ID: <45338BB7.9070508@utwente.nl> sandrews@andrewscompanies.com wrote on 3-10-2006 18:17: > If I read this right, that capability is already in mailscanner...take a > look under your "what to do with spam" section, where it says Spam > Actions = typical is deliver, but you could have "deliver header > X-MS-Exchange-Organization-SCL: 6.5" in there just as well. You could > give it some high SCL for the high spam that matches what you're looking > for on the exchange side for the SCL. So what if it's not the PRECISE > score in SCL terms, only so that it trips the trigger for the right > behavior on the exchange side. Is it possible to add two (or more) headers this way? We already use the header for Thunderbird. -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe From evanderleun at hal9000.nl Mon Oct 16 14:54:23 2006
From: evanderleun at hal9000.nl (Erik van der Leun) Date: Mon Oct 16 14:54:26 2006 Subject: sendmail /etc/mail/access Message-ID: <45338F0F.2080905@hal9000.nl> Hi, Does anybody know a way to block all email to a certain address on sendmail level? (I'd know what to do in MailScanner) As far as I'm concerned /etc/mail/access only can discard mails /from/ a certain address, but not /to/ a certain address.. Anybody? :) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061016/8036871a/attachment.html From DARYL at monm.edu Mon Oct 16 14:59:25 2006 From: DARYL at monm.edu (Carr, Daryl B.) Date: Mon Oct 16 15:01:16 2006 Subject: How to Filter junk by valid accounts Message-ID: <995C465EA5BB0D42A493986D8D2E0750062D616C@ntmail2.monm.edu> Hello, What is the best way to filter email addresses as "valid" with sendmail. We have recently experienced a large increase in junk email resulting in the mqueue.in becoming very large (>400,000). I have investigated LDAP, NIS, lists of names, etc. Please point me in the best direction. Thank you! Daryl Daryl Carr Monmouth College Monmouth, IL USA From Peter.Bates at lshtm.ac.uk Mon Oct 16 15:10:29 2006 
From: Peter.Bates at lshtm.ac.uk (Peter Bates) Date: Mon Oct 16 15:11:18 2006 Subject: SA 3.1.7 and lint Message-ID: <4533A0E50200007600007B0F@193.63.251.15> Hello all... I've updated my MS to 4.56, and also SA to 3.1.7. I've read the Release Notes/etc. for SA, which makes mention of disabling network tests for the --lint command. I'm just curious now as to the best way to check whether DCC/Razor/Pyzor are working if --lint disables them. I can do spamassassin -D -t < test-message but it seems an odd method just to check for this sort of thing. Sorry, I know this is more of an SA question! ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, IT Services. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From rgreen at trayerproducts.com Mon Oct 16 15:24:04 2006 From: rgreen at trayerproducts.com (Rodney Green) Date: Mon Oct 16 15:25:02 2006 Subject: SA Upgrade Message-ID: <45339604.1070508@trayerproducts.com> Hello, I'm looking to upgrade SpamAssassin from version 3.0.2 to 3.1.7. The previous install of SpamAssassin was installed from source, I believe. There is no rpm listed when I do "rpm -qa" on my Red Hat 9 system. Is it okay to run the ClamAV/SpamAssassin easy install package Julian put together or should I install the new version from source? Any other advice is welcome. Thanks, Rod From mike at tc3net.com Mon Oct 16 15:46:41 2006
From: mike at tc3net.com (Michael Baird) Date: Mon Oct 16 15:45:44 2006 Subject: How to Filter junk by valid accounts In-Reply-To: <995C465EA5BB0D42A493986D8D2E0750062D616C@ntmail2.monm.edu> References: <995C465EA5BB0D42A493986D8D2E0750062D616C@ntmail2.monm.edu> Message-ID: <1161010001.31763.26.camel@localhost> On Mon, 2006-10-16 at 08:59 -0500, Carr, Daryl B. wrote: > Hello, > > What is the best way to filter email addresses as "valid" with sendmail. > We have recently experienced a large increase in junk email resulting in > the mqueue.in becoming very large (>400,000). > > I have investigated LDAP, NIS, lists of names, etc. > > Please point me in the best direction. > > Thank you! This must be some sort of mail gateway that forwards to an internal mail server? You are looking to do recipient address verification. If this is the case, probably your best bet is a milter to call your internal servers and verify the recipients. I'm using this milter with success http://smfs.sourceforge.net/smf-sav.html, but am not using the RAV feature, which is apparently what you are looking for. Regards Michael Baird From bamcomp at yahoo.com Mon Oct 16 16:16:47 2006
From: bamcomp at yahoo.com (Brett Moss) Date: Mon Oct 16 16:16:53 2006 Subject: sendmail /etc/mail/access In-Reply-To: <45338F0F.2080905@hal9000.nl> Message-ID: <20061016151647.99312.qmail@web36615.mail.mud.yahoo.com> --- Erik van der Leun wrote: > Hi, > > Does anybody know a way to block all email to a > certain address on > sendmail level? (I'd know what to do in MailScanner) > > As far as I'm concerned /etc/mail/access only can > discard mails /from/ a > certain address, but not /to/ a certain address.. > > Anybody? :) > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info Hello, You can do this with REJECT on the right hand side example- user@domain REJECT hth, Brett From jaearick at colby.edu Mon Oct 16 16:32:31 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Mon Oct 16 16:32:42 2006 Subject: OT: sendmail: possible SMTP attack?? Message-ID: Gang, I've been seeing a ton of "possible SMTP attack" syslog messages from sendmail for the last couple of days, from all over the place (mostly Israel and Brazil). Normally, I almost never see this message from sendmail. Anybody else seeing this? New email virus??? Any other ideas? Jeff Earickson Colby College From Kevin_Miller at ci.juneau.ak.us Mon Oct 16 16:52:55 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Oct 16 16:53:04 2006 Subject: sendmail: possible SMTP attack?? In-Reply-To: Message-ID: Jeff A. Earickson wrote: > Gang, > > I've been seeing a ton of "possible SMTP attack" syslog messages > from sendmail for the last couple of days, from all over the > place (mostly Israel and Brazil). Normally, I almost never see > this message from sendmail. Anybody else seeing this? New > email virus??? Any other ideas? > > Jeff Earickson > Colby College Yeah - I see about 165 since yesterday. Mine are coming from .il and .cz mostly; other addresses don't have country codes... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mkettler at evi-inc.com Mon Oct 16 16:55:27 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 16 16:55:46 2006 Subject: SA 3.1.7 and lint In-Reply-To: <4533A0E50200007600007B0F@193.63.251.15> References: <4533A0E50200007600007B0F@193.63.251.15> Message-ID: <4533AB6F.2070104@evi-inc.com> Peter Bates wrote: > Hello all... > > I've updated my MS to 4.56, and also SA to 3.1.7. > > I've read the Release Notes/etc. for SA, which makes > mention of disabling network tests for the --lint command. > > I'm just curious now as to the best way to check whether > DCC/Razor/Pyzor are working if --lint disables them. > > I can do spamassassin -D -t < test-message > but it seems an odd method just to check for this sort of thing. That's the best way. Quite frankly, the fact that network tests were enabled in --lint was a bit of a farce anyway. The test message used by lint doesn't even have any Received: headers, so all the DNSRBL tests were not being exercised anyway. While --lint would have checked razor/dcc/pyzor, it would not really check any other network tests in any useful way. --lint is really intended to check your config-file syntax, and nothing else. It's not intended to provide a comprehensive test of functionality. Besides, this way you can also add the surbl.org test URL to your message and test your URIBL functionality at the same time. http://www.surbl.org/faq.html#testpoints Note: because SA strips off everything but the domain and TLD before calling the URIBLs, only the surbl-org-permanent-test-point(DOT)com one will work. test.sc.surbl.org won't work because SA will strip it down to surbl.org first. From mkettler at evi-inc.com Mon Oct 16 17:10:13 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 16 17:10:32 2006 Subject: OT: sendmail: possible SMTP attack?? In-Reply-To: References: Message-ID: <4533AEE5.9090704@evi-inc.com> Jeff A. Earickson wrote: > Gang, > > I've been seeing a ton of "possible SMTP attack" syslog messages > from sendmail for the last couple of days, from all over the > place (mostly Israel and Brazil). Normally, I almost never see > this message from sendmail. Anybody else seeing this? New > email virus??? Any other ideas? I'm seeing a lot of them too. The failing command is HELO/EHLO. This means the sender issued 3 or more HELO/EHLO commands in a single conversation with sendmail. Probably a buggy spam tool or virus. Based on the low distribution of hosts doing this, I'd guess it's a virus, and that this bug is inhibiting its ability to spread. From Kevin_Miller at ci.juneau.ak.us Mon Oct 16 17:15:44 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Oct 16 17:15:49 2006 Subject: OT: sendmail: possible SMTP attack?? In-Reply-To: <4533AEE5.9090704@evi-inc.com> Message-ID: Matt Kettler wrote: > Jeff A. Earickson wrote: >> Gang, >> >> I've been seeing a ton of "possible SMTP attack" syslog messages >> from sendmail for the last couple of days, from all over the >> place (mostly Israel and Brazil). Normally, I almost never see >> this message from sendmail. Anybody else seeing this? New >> email virus??? Any other ideas? > > I'm seeing a lot of them too. The failing command is HELO/EHLO. This > means the sender issued 3 or more HELO/EHLO commands in a single > conversation with sendmail. > > Probably a buggy spam tool or virus. Based on the low distribution of > hosts > doing this, I'd guess it's a virus, and that this bug is inhibiting > its ability to spread. Yup - three goes per each message. My system tagged it as high scoring spam on the one I drilled down on so I figured it was just the latest misconfigured botnet... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From rpoe at plattesheriff.org Mon Oct 16 17:37:19 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Mon Oct 16 17:38:52 2006 Subject: Greylisting .. recommendations Message-ID: <45336EEE.65ED.00A2.0@plattesheriff.org> Thinking about implementing greylisting. Whose greylisting programs / software does everyone use? I don't mind if it uses mySQL or whatever, but I need to be able to add whitelisted domains fairly easily.. From mailscanner at yeticomputers.com Mon Oct 16 17:56:56 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Mon Oct 16 17:57:07 2006 Subject: Greylisting .. recommendations In-Reply-To: <45336EEE.65ED.00A2.0@plattesheriff.org> References: <45336EEE.65ED.00A2.0@plattesheriff.org> Message-ID: <4533B9D8.7070509@yeticomputers.com> I use sqlgrey with Postfix. Have had no operational issues, although there have been a couple of oddball logging things that have popped up in FreeBSD over the last year or so that I've run it. Rob Poe wrote: > Thinking about implementing greylisting. > > Who's greylisting programs / software does everyone use? > > I don't mind if it uses mySQL or whatever, but I need to be able to add whitelisted domains fairly easily.. > > > > From brian.duncan at kattenlaw.com Mon Oct 16 18:02:05 2006 From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Mon Oct 16 18:02:23 2006 Subject: sendmail /etc/mail/access Message-ID: <65234743FE1555428435CE39E6AC4078B38A94@CHI-US-EXCH-01.us.kmz.com> To:domainname.com REJECT No user with that name. or To:user@domainname.com REJECT No user with that name. I use this specifically to reject ALL other mail to specific domains. I export email addresses from back end MS AD and use access to allow all addresses instead of a look ahead milter. Then finally reject all others to that domain. You can reject individuals also. ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Erik van der Leun Sent: Monday, October 16, 2006 8:54 AM To: mailscanner@lists.mailscanner.info Subject: sendmail /etc/mail/access Hi, Does anybody know a way to block all email to a certain address on sendmail level? (I'd know what to do in MailScanner) As far as I'm concerned /etc/mail/access only can discard mails from a certain address, but not to a certain address.. Anybody? :) -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061016/12745d2a/attachment.html From rpoe at plattesheriff.org Mon Oct 16 18:02:50 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Mon Oct 16 18:03:59 2006 Subject: Greylisting .. recommendations In-Reply-To: <4533B9D8.7070509@yeticomputers.com> References: <45336EEE.65ED.00A2.0@plattesheriff.org> <4533B9D8.7070509@yeticomputers.com> Message-ID: <453374EA.65ED.00A2.0@plattesheriff.org> Forgot to mention . This would be for sendmail :) >>> Rick Chadderdon 10/16/2006 11:56 AM >>> I use sqlgrey with Postfix. Have had no operational issues, although there have been a couple of oddball logging things that have popped up in FreeBSD over the last year or so that I've run it. Rob Poe wrote: > Thinking about implementing greylisting. > > Who's greylisting programs / software does everyone use? > > I don't mind if it uses mySQL or whatever, but I need to be able to add whitelisted domains fairly easily.. > > > > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From G.Pentland at soton.ac.uk Mon Oct 16 18:06:35 2006 
From: G.Pentland at soton.ac.uk (Pentland G.) Date: Mon Oct 16 18:06:47 2006 Subject: Greylisting .. recommendations Message-ID: <71437982F5B13A4D9A5B2669BDB89EE40765C5FB@ISS-CL-EX-V1.soton.ac.uk> Rob Poe wrote: > Thinking about implementing greylisting. > > Whose greylisting programs / software does everyone use? > > I don't mind if it uses mySQL or whatever, but I need to be able to > add whitelisted domains fairly easily.. Milter-greylist... Settings are of constant discussion, the following is what I have compromised on for minimum user impact but are still quite effective.
peer
peer
peer
peer
peer
syncaddr * port 7689
acl whitelist addr 127.0.0.0/8
acl whitelist addr /16
report all
delayedreject
Lazyaw
dumpfreq 10m
timeout 2d
greylist 10m
autowhite 32d (keeps monthly newsletters etc. in the list)
subnetmatch /24
pidfile "/var/run/milter-greylist.pid"
socket "/var/milter-greylist/milter-greylist.sock"
dumpfile "/var/milter-greylist/greylist.db"
user "milter"
From mailscanner at yeticomputers.com Mon Oct 16 18:17:52 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Mon Oct 16 18:18:07 2006 Subject: OT: But I found it amusing... Message-ID: <4533BEC0.2020606@yeticomputers.com> One of my users just sent me a message from one of her vendors. It basically said, "We've removed you from our weekly update list because you blocked our mail. Let us know when you unblock us and I'll add you again." My user asked me if I could find out why the mail was being blocked, because she needed the updates. No problem... It turned out to be an SPF hardfail. Further checking led me to guess that someone added a mail exchanger without changing the MX entry for the domain. Their SPF entry is "v=spf1 mx -all". The mails that are getting blocked are, of course, not from their MX entry's IP address. But they send us, "as soon as you unblock us..." (sigh) To be fair, the person who sent my user that message is a sales rep and probably saw nothing more than their mail system's bounce message. (Which should have, however, had an explanatory link...) Still... I'm sitting here shaking my head. Rick From dnsadmin at 1bigthink.com Mon Oct 16 18:43:11 2006 From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Mon Oct 16 18:43:30 2006 Subject: Semi-OT Fwd: [Clamav-announce] announcing ClamAV 0.88.5 Message-ID: <7.0.1.0.0.20061016134132.061c5180@1bigthink.com> >Dear ClamAV users, > >ClamAV 0.88.5 fixes a crash in the CHM unpacker and a heap overflow in >the function rebuilding PE files after unpacking. > > >-- >The ClamAV team (http://www.clamav.net/team.html) > > >-- >Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit >[Tel] +44 2081239239 [Fax] +39 0187015046 [IM] nervous/jabber.linux.it >PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg >_______________________________________________ From mkettler at evi-inc.com Mon Oct 16 18:50:16 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 16 18:50:32 2006 Subject: Greylisting .. recommendations In-Reply-To: <45336EEE.65ED.00A2.0@plattesheriff.org> References: <45336EEE.65ED.00A2.0@plattesheriff.org> Message-ID: <4533C658.6020502@evi-inc.com> Rob Poe wrote: > Thinking about implementing greylisting. > > Who's greylisting programs / software does everyone use? > > I don't mind if it uses mySQL or whatever, but I need to be able to add whitelisted domains fairly easily.. I use milter-greylist. The ACL syntax is quite nice. In the newer betas you can even greylist based on RBLs, and default to not greylisting. While this might seem an odd setup, think of how this could let you use RBLs that are too aggressive for blacklisting, while not causing a lot of mail delay for legitimate mail. From mailscanner at mango.zw Mon Oct 16 19:17:03 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Mon Oct 16 19:13:01 2006 Subject: How to Filter junk by valid accounts In-Reply-To: <1161010001.31763.26.camel@localhost> Message-ID: On Mon, 16 Oct 2006, Michael Baird wrote: > On Mon, 2006-10-16 at 08:59 -0500, Carr, Daryl B. wrote: > > Hello, > > > > What is the best way to filter email addresses as "valid" with sendmail. > > We have recently experienced a large increase in junk email resulting in > > the mqueue.in becoming very large (>400,000). > > > > I have investigated LDAP, NIS, lists of names, etc. > > > > Please point me in the best direction. > > > > Thank you! > > This must be somesort of mail gateway that forwards to an internal mail > server? You are looking to do recipient address verification. If this is > a case, probably your best bet is a milter to call your internal servers > and verify the recipients. I'm using this milter with success > http://smfs.sourceforge.net/smf-sav.html, but am not using the RAV > feature, which is apparently what you are looking for. I have just implemented this milter on a gateway, specifically for recipient address verification, and it works very well, although I have a few issues that need to be worked out. On the gateway you list the domains you want to relay for in the sendmail access file, and put an entry in the mailertable file - just as normal. When a connection is made from an external server for a relay domain it will look at the appropriate entry in the mailertable file and make an smtp connection to that server to verify if the address is OK. If it is OK then mail is accepted, otherwise it is rejected if a negative response is received, or tempfails if it can't get a positive response. It will also work with addresses specified in the virtusertable file. milter-ahead is a commercial alternative that presumably does all the above in a much more sophisticated manner. 
The only problems I have noticed so far are: I currently cannot get it to accept mail to local accounts on the gateway - they always tempfail. Bad in principle, but not too serious in my situation as there is virtually no external mail to local accounts on the gateway. There must be a solution! If an address is rejected by the server listed in mailertable the response is always the same: "550 5.1.1 Sorry, no mailbox here by that name". That is rather misleading if there is another reason, such as a full mailbox. For the moment I have changed that message in the source to be more inclusive. Although it is failsafe, in that if the socket fails then sendmail will just accept all incoming mail, it cannot cleanly reload its configuration file without shutting down MailScanner/sendmail first and waiting for a while before restarting both. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From Kevin_Miller at ci.juneau.ak.us Mon Oct 16 19:25:09 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Oct 16 19:25:13 2006 Subject: But I found it amusing... In-Reply-To: <4533BEC0.2020606@yeticomputers.com> Message-ID: Rick Chadderdon wrote: > One of my users just sent me a message from one of her vendors. It > basically said, "We've removed you from our weekly update list because > you blocked our mail. Let us know when you unblock us and I'll add > you again." My user asked me if I could find out why the mail was > being blocked, because she needed the updates. No problem... > > It turned out to be an SPF hardfail. Further checking led me to guess > that someone added a mail exchanger without changing the MX entry for > the domain. Their SPF entry is "v=spf1 mx -all". The mails that are > getting blocked are, of course, not from their MX entry's IP address. > But they send us, "as soon as you unblock us..." (sigh) > > To be fair, the person who sent my user that message is a sales rep > and probably saw nothing more than their mail system's bounce message. > (Which should have, however, had an explanatory link...) Still... > I'm sitting here shaking my head. > > Rick LOL. Some days, retirement can't come soon enough! ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From paul at welshfamily.com Mon Oct 16 19:58:51 2006 From: paul at welshfamily.com (Paul Welsh) Date: Mon Oct 16 19:59:21 2006 Subject: Which spam stats package? In-Reply-To: <200610160400.k9G400Rd025566@bkserver.blacknight.ie> Message-ID: <200610161859.k9GIxJVC013607@bkserver.blacknight.ie> > -----Original Message----- > Date: Mon, 16 Oct 2006 10:43:06 +1000 > From: Peter Russell > Subject: Re: Which spam stats package? > > Does the account you are running your script under have read > access to > the maillog? I'm running it as root. From Kevin_Miller at ci.juneau.ak.us Mon Oct 16 20:23:26 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Oct 16 20:23:35 2006 Subject: DCC & lint issue Message-ID: So this is weird. Came in this weekend and found the following message: =============================================== RulesDuJour Run Summary on mxg: ***NOTICE***: spamassassin --lint failed. This means that you have an error somwhere in your SpamAssassin configuration. To determine what the problem is, please run 'spamassassin --lint' from a shell and notice the error messages it prints. For more (debug) information, add the -D switch to the command. Usually the problem will be found in local.cf, user_prefs, or some custom rulelset found in /etc/mail/spamassassin. Here are the errors that 'spamassassin --lint' reported: [5088] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc [5088] warn: lint: 1 issues detected, please rerun with debug enabled for more information =============================================== Killed MailScanner (4.55.9), ran #spamassassin --lint -D and sure enough, it complained. snip [19980] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc snip [19980] warn: lint: 1 issues detected, please rerun with debug enabled for more information In my spamassassin.prefs.conf I have mxg:/etc/MailScanner # grep dcc spam.assassin.prefs.conf dcc_path /usr/local/bin/dccproc # use_dcc 0 I've retyped the line, change the space to tab and back, moved the line, etc. No dice. My other MailScanner boxes are running just fine with that line. The file exists: mxg:/etc/MailScanner # l /usr/local/bin/dcc* -r-sr-xr-x 1 root bin 447676 2005-06-02 07:44 /usr/local/bin/dccproc* mxg:/etc/MailScanner # spamassassin -V SpamAssassin version 3.1.7 running on Perl version 5.8.6 Anybody else seeing this? I upgraded spamassassin last week, didn't change any dcc stuff. Any clues? Thanks... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mkettler at evi-inc.com Mon Oct 16 20:32:48 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 16 20:33:03 2006 Subject: DCC & lint issue In-Reply-To: References: Message-ID: <4533DE60.1070308@evi-inc.com> Kevin Miller wrote: > So this is weird. Came in this weekend and found the following message: > > Killed MailScanner (4.55.9), ran #spamassassin --lint -D and sure > enough, it complained. > snip > [19980] warn: config: failed to parse line, skipping: dcc_path > /usr/local/bin/dccproc > snip > [19980] warn: lint: 1 issues detected, please rerun with debug enabled > for more information > > > mxg:/etc/MailScanner # spamassassin -V > SpamAssassin version 3.1.7 > running on Perl version 5.8.6 > > Anybody else seeing this? I upgraded spamassassin last week, didn't > change any dcc stuff. Any clues? Did you load the DCC plugin in your /etc/mail/spamassassin/v310.pre? DCC is disabled by default in the 3.1.x series due to not-completely-free licensing. Most folks just using DCC can do so for free. However, there are a few restrictions, such as any local server MUST also report to the global DCC or you're in violation. Because of that, SA doesn't call DCC by default, forcing you to at least decide that you conform to DCC's licensing terms before enabling it. You'll need to uncomment the following line in v310.pre: loadplugin Mail::SpamAssassin::Plugin::DCC From Kevin_Miller at ci.juneau.ak.us Mon Oct 16 20:46:17 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Oct 16 20:46:25 2006 Subject: DCC & lint issue In-Reply-To: <4533DE60.1070308@evi-inc.com> Message-ID: Matt Kettler wrote: > Did you load the DCC plugin in your /etc/mail/spamassassin/v310.pre? Bingo. Weird thing was it was working until I upgraded. I'd expect an .rpmnew file or some such but none were there so I completely missed that. I'll follow up on the licensing. Definitely want to play fair. Thanks much Matt... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mkettler at evi-inc.com Mon Oct 16 20:48:25 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 16 20:48:34 2006 Subject: DCC & lint issue In-Reply-To: <4533DE60.1070308@evi-inc.com> References: <4533DE60.1070308@evi-inc.com> Message-ID: <4533E209.8090205@evi-inc.com> Matt Kettler wrote: > > DCC is disabled by default in the 3.1.x series due to not-completely-free > licensing. Most folks just using DCC can do so for free. However, there are a > few restrictions, such as any local server MUST also report to the global DCC or > you're in violation. Because of that, SA doesn't call DCC by default, forcing > you to at least decide that you conform to DCC's licensing terms before enabling it. > > > You'll need to uncomment the following line in v310.pre: > loadplugin Mail::SpamAssassin::Plugin::DCC Clarification Note/disclaimer: The above is NOT intended to be an all-inclusive interpretation of the DCC licensing terms, and was merely an example of one restriction. You should read the license yourself. I suggest reading the whole thing, but pay particular attention to the first paragraph, as this lists situations that are excluded from the terms of the license: http://www.rhyolite.com/anti-spam/dcc/dcc-tree/LICENSE From rob at dido.ca Mon Oct 16 21:08:03 2006 
From: rob at dido.ca (Rob Morin) Date: Mon Oct 16 21:08:12 2006 Subject: Doc for score explanations? Message-ID: <4533E6A3.3080604@dido.ca> Hello all... more and more recently i have been asked by clients why emails are getting marked as SPM. I tell them well maybe because of this and that, that use to work ok, but now they want to know why exactly an email was marked as spam... here is an example.... Oct 16 15:28:17 peter MailScanner[5660]: Message 1920269005F.5C45D from 207.99.47.70 (dplatt@domain2.com) to domain.com is spam, SpamAssassin (score=12.46, required 4, BAYES_60 1.00, FB_4WORD_DOLLARe 0.85, FB_SINGLE_0WORD 0.34, FB_SINGLE_1WORD 1.01, FB_WORD1_END_DOLLAR 1.39, FB_WORD2_END_DOLLAR 1.39, FB_WORD_01DOLLAR1 0.60, FM_MULTI_ODD2 1.10, FM_MULTI_ODD3 0.70, FM_MULTI_ODD4 0.70, FM_MULTI_ODD5 0.90, OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37) So what do i tell the client? There must be some docs or list to read against to figure out why its getting marked as spam.... Did i confuse anyone? p.s. the original domain name has been change to conceal the innocent :) -- Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 From ugob at camo-route.com Mon Oct 16 21:26:59 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Mon Oct 16 21:27:24 2006 Subject: Doc for score explanations? In-Reply-To: <4533E6A3.3080604@dido.ca> References: <4533E6A3.3080604@dido.ca> Message-ID: Rob Morin wrote: > Hello all... more and more recently i have been asked by clients why > emails are getting marked as SPM. I tell them well maybe because of this > and that, that use to work ok, but now they want to know why exactly an > email was marked as spam... here is an example.... > > Oct 16 15:28:17 peter MailScanner[5660]: Message 1920269005F.5C45D from > 207.99.47.70 (dplatt@domain2.com) to domain.com is spam, SpamAssassin > (score=12.46, required 4, BAYES_60 1.00, FB_4WORD_DOLLARe 0.85, > FB_SINGLE_0WORD 0.34, FB_SINGLE_1WORD 1.01, FB_WORD1_END_DOLLAR 1.39, > FB_WORD2_END_DOLLAR 1.39, FB_WORD_01DOLLAR1 0.60, FM_MULTI_ODD2 1.10, > FM_MULTI_ODD3 0.70, FM_MULTI_ODD4 0.70, FM_MULTI_ODD5 0.90, > OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37) > > So what do i tell the client? There must be some docs or list to read > against to figure out why its getting marked as spam.... http://spamassassin.apache.org/tests.html > > Did i confuse anyone? > p.s. the original domain name has been change to conceal the innocent > :) > > From vanhorn at whidbey.com Mon Oct 16 21:30:11 2006 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Mon Oct 16 21:30:16 2006 Subject: SMTP problem In-Reply-To: References: <45332F07.4090301@whidbey.com> Message-ID: <4533EBD3.30606@whidbey.com> Res wrote: > > On Mon, 16 Oct 2006, G. Armour Van Horn wrote: > >> Two weeks ago one of my servers was compromised and I had to rebuild it >> from the ground up. I jumped a couple of versions, installing Fedora >> Core 5. I dragged over my previous MailScanner directory and installed >> MailScanner 4.55-10.3. >> >> I was having some odd problems with not several SMTP servers failing to >> deliver mail, so after a couple of days of head scratching and with some >> help here on the list I switched to Postfix. The text of the error >> messages changed, but essentially the same servers would initiate an >> SMTP session and then never close it. >> >> Fearing that I may have caused some problems due to my unfamiliarity >> with Postfix I switched back to Sendmail, but after many hours of >> fighting the problem I still can't receive mail from several important >> mail servers. That is, from several servers that are important to users >> on the system. >> >> I'm pretty sure this isn't actually a MailScanner issue, but I figure >> that there are quite a few experts here, so I'd appreciate it if anyone >> has any idea of what I should be looking at. Below are four lines from >> maillog, each pair of lines indicate a message that never arrived. Any >> suggestions would be welcome. >> >> Van >> >> >> Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: timeout >> waiting for input from mail.networksolutionsemail.com during server >> cmd read >> Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: >> mail.networksolutionsemail.com [205.178.146.50] did not issue >> MAIL/EXPN/VRFY/ETRN during connection to MTA > > > > I wish i could be so lucky as to have my MTA fail mail from those > incompetant uncooperative @$$wipes at networksolutions... 
> > Have you recently made changes to any firewall rules? > You are not denying icmp frag pkts are you? > > if not, I doubt this is your problem to fix. > It's my problem to fix because important mail is not getting through, and there actually is some of that which comes through the NetSol machine which handles mail redirection. No change in firewall rules during this incident, and the other machines behind the same firewall are not having the problem. Mail was running fine before my sudden forced rebuild, and still is for quite a few hosts. Van -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ----------------------------------------------------------- From stefano at cdh.it Mon Oct 16 21:35:22 2006 From: stefano at cdh.it (Stefano Carlotto) Date: Mon Oct 16 21:35:40 2006 Subject: Avoid double scan Message-ID: <4533ED0A.9010008@cdh.it> Is it possible to make a trusted MailScanner 'sign' email messages in such a way that another MailScanner does not scan the messages again? I was thinking that in a situation with multiple mail servers it may be useful in order to reduce global systems load. Of course the choice not to scan messages should be based on the capacity to recognize the sign of the friendly server and on the time passed from the previous mailscanner scan. thanks. From ssilva at sgvwater.com Mon Oct 16 21:39:18 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 16 21:39:41 2006 Subject: SA Upgrade In-Reply-To: <45339604.1070508@trayerproducts.com> References: <45339604.1070508@trayerproducts.com> Message-ID: Rodney Green spake the following on 10/16/2006 7:24 AM: > Hello, > > I'm looking to upgrade SpamAssassin from version 3.0.2 to 3.1.7. The > previous install of SpamAssassin was installed from source, I believe. > There is no rpm listed when I do "rpm -qa" on my Red Hat 9 system. > > Is it okay to run the ClamAV/SpamAssassin easy install package Julian > put together or should I install the new version from source? Any other > advice is welcome. > > Thanks, > Rod > > > Julian's package is a source install. As long as you don't have an rpm of spamassassin, you should be ok. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mkettler at evi-inc.com Mon Oct 16 21:45:12 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 16 21:45:35 2006 Subject: Doc for score explanations? In-Reply-To: <4533E6A3.3080604@dido.ca> References: <4533E6A3.3080604@dido.ca> Message-ID: <4533EF58.4040603@evi-inc.com> Rob Morin wrote: > Hello all... more and more recently i have been asked by clients why > emails are getting marked as SPM. I tell them well maybe because of this > and that, that use to work ok, but now they want to know why exactly an > email was marked as spam... here is an example.... > > Oct 16 15:28:17 peter MailScanner[5660]: Message 1920269005F.5C45D from > 207.99.47.70 (dplatt@domain2.com) to domain.com is spam, SpamAssassin > (score=12.46, required 4, BAYES_60 1.00, FB_4WORD_DOLLARe 0.85, > FB_SINGLE_0WORD 0.34, FB_SINGLE_1WORD 1.01, FB_WORD1_END_DOLLAR 1.39, > FB_WORD2_END_DOLLAR 1.39, FB_WORD_01DOLLAR1 0.60, FM_MULTI_ODD2 1.10, > FM_MULTI_ODD3 0.70, FM_MULTI_ODD4 0.70, FM_MULTI_ODD5 0.90, > OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37) > > So what do i tell the client? There must be some docs or list to read > against to figure out why its getting marked as spam.... It got marked as spam largely because of your add-on rulesets. Most of those FB_* rules come from http://www.rulesemporium.com/rules/88_FVGT_body.cf And the rest come from http://www.rulesemporium.com/rules/99_FVGT_meta.cf So perhaps a better question is, if you don't already know exactly what these rules do, why did you add them? I'm quite well versed in SA, but I do not know what these sets do, other than that Fred Tarasevicius wrote them. I can tell you from looking at the rulefiles: FB_SINGLE_1WORD appears to look for a shortish word (8 chars max) with a 1 roughly in the middle. FB_SINGLE_0WORD is similar, but looks for a 0, allows $ signs in the second half, and has a 7 character limit. FB_4WORD_DOLLARe appears to look for a word (13 chars max) with a dollar-sign in the middle, but excludes Micro$oft.
My guess is this ruleset would tear the hell out of any email with programmer's source code in it, or anything containing lots of mixed alphanumeric "id" strings. (ie: reports using a lot of abbreviations) A default SA install would have ranked this with a score of 3.47 (BAYES_60 1.00, OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37) > Did i confuse anyone? > p.s. the original domain name has been change to conceal the innocent > :) > > From pete at enitech.com.au Mon Oct 16 22:59:52 2006 
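[Added example, not part of any list message.] The breakdown discussed in the message above can be automated: this sketch parses the MailScanner log entry quoted in the thread, splits the rule hits into stock and add-on groups, and checks whether the stock rules alone would have crossed the required score. Treating the `FB_` and `FM_` name prefixes as the add-on rules is an assumption taken from the reply, and the function names are hypothetical.

```python
"""Break a MailScanner "is spam, SpamAssassin (...)" log entry down by rule source."""
import re
from decimal import Decimal

# The log entry quoted in the thread, joined onto one line.
LOG_LINE = (
    "Oct 16 15:28:17 peter MailScanner[5660]: Message 1920269005F.5C45D from "
    "207.99.47.70 (dplatt@domain2.com) to domain.com is spam, SpamAssassin "
    "(score=12.46, required 4, BAYES_60 1.00, FB_4WORD_DOLLARe 0.85, "
    "FB_SINGLE_0WORD 0.34, FB_SINGLE_1WORD 1.01, FB_WORD1_END_DOLLAR 1.39, "
    "FB_WORD2_END_DOLLAR 1.39, FB_WORD_01DOLLAR1 0.60, FM_MULTI_ODD2 1.10, "
    "FM_MULTI_ODD3 0.70, FM_MULTI_ODD4 0.70, FM_MULTI_ODD5 0.90, "
    "OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37)"
)

# Assumption: rule names with these prefixes belong to the add-on rule files
# named in the reply; everything else is treated as a stock SpamAssassin rule.
ADDON_PREFIXES = ("FB_", "FM_")

NUM = r"-?\d+(?:\.\d+)?"
# The optional "cached, " marker is an assumption about other entries;
# the quoted line does not carry one.
REPORT_RE = re.compile(
    r"SpamAssassin \((?:(?:not )?cached, )?"
    rf"score=(?P<score>{NUM}), required (?P<required>{NUM})"
    r"(?:, (?P<hits>[^)]*))?\)"
)
HIT_RE = re.compile(rf"^(?P<rule>[A-Za-z0-9_]+) (?P<score>{NUM})$")


def parse_report(line):
    """Extract total score, threshold and (rule, score) pairs from one log line."""
    m = REPORT_RE.search(line)
    if m is None:
        raise ValueError("no SpamAssassin report in line")
    hits = []
    for item in (m["hits"] or "").split(", "):
        hit = HIT_RE.match(item.strip())
        if hit:  # skip anything that is not a "RULE score" pair
            hits.append((hit["rule"], Decimal(hit["score"])))
    return {
        "score": Decimal(m["score"]),
        "required": Decimal(m["required"]),
        "hits": hits,
    }


def breakdown(report, addon_prefixes=ADDON_PREFIXES):
    """Split the hits into stock and add-on rules and compare both to the threshold."""
    prefixes = tuple(addon_prefixes)
    zero = Decimal("0")
    addon_total = sum((s for r, s in report["hits"] if r.startswith(prefixes)), zero)
    stock_total = sum((s for r, s in report["hits"] if not r.startswith(prefixes)), zero)
    hit_sum = stock_total + addon_total
    return {
        "stock_total": stock_total,
        "addon_total": addon_total,
        "hit_sum": hit_sum,
        # The per-rule scores are logged rounded, so they need not add up exactly.
        "rounding_gap": report["score"] - hit_sum,
        "spam_as_logged": report["score"] >= report["required"],
        "spam_without_addons": stock_total >= report["required"],
        "largest": sorted(report["hits"], key=lambda h: h[1], reverse=True)[:3],
    }


if __name__ == "__main__":
    result = breakdown(parse_report(LOG_LINE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the quoted entry the stock rules total 3.47, below the required 4, so the add-on rules are what pushed the message over the threshold.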
From: pete at enitech.com.au (Peter Russell) Date: Mon Oct 16 23:00:05 2006 Subject: OT: Preferred MTA? In-Reply-To: <223f97700610152324n6b8d0a5bg61899131eab4ff3c@mail.gmail.com> References: <452E9482.6050307@USherbrooke.ca> <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net> <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> <453305F6.9050004@enitech.com.au> <223f97700610152324n6b8d0a5bg61899131eab4ff3c@mail.gmail.com> Message-ID: <453400D8.7050906@enitech.com.au> >> Is there a simple way to split message to multiple recipients individual >> emails, yet? Do you think there ever will be? >> >> What is everyone else doing to avoid this nightmare? > If you deem my wiki entry to be to "nightmarish", then I cannot help > you. If you've just missed it, go look at > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient > > ... It looks worse than it is;-). > > Do pay attention to the changes needed to not unintentionally > whitelisting _every mail_ (you cannot whitelist 127.0.0.1 with > this...), and the different solutions for releasing mails. > > Cheers Thanks Glen. I have considered this approach, but i think that the reward Vs the risk of the extra level of complexity isnt worth it, for me specifically. I like the idea of a content filter to handle this, which according to the devs is a simple thing to do, if you know how. It would be ideal because it would be compatible with the single instance of postfix using the hold method. Thanks again Pete From michele at blacknight.ie Mon Oct 16 23:13:00 2006 
From: michele at blacknight.ie (Michele Neylon :: Blacknight.ie) Date: Mon Oct 16 23:13:16 2006 Subject: Avoid double scan In-Reply-To: <4533ED0A.9010008@cdh.it> References: <4533ED0A.9010008@cdh.it> Message-ID: <453403EC.6060302@blacknight.ie> Stefano Carlotto wrote: > Is it possible to make a trusted MailScanner 'sign' email message in > such a way that another MailScanner do not scan messages again? > I was thinking that in a situation with multiple mail server it may be > useful in order to reduce global systems load. Of course the choice of > not to scan messages should be based on the capacity to recognize the > sign of the friendly server and on the time passed from the previous > mailscanner scan. > > thanks. Have a look in MailScanner.conf - there's an option about signing.. If you are moving mail between your own servers you could whitelist your own network.... -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From taz at taz-mania.com Tue Oct 17 00:44:39 2006 
From: taz at taz-mania.com (Dennis Willson) Date: Tue Oct 17 00:44:44 2006 Subject: How to Filter junk by valid accounts In-Reply-To: Message-ID: On Mon, 16 Oct 2006 20:17:03 +0200 (CAT) Jim Holland wrote: >On Mon, 16 Oct 2006, Michael Baird wrote: > >> On Mon, 2006-10-16 at 08:59 -0500, Carr, Daryl B. wrote: >> > Hello, >> > >> > What is the best way to filter email addresses as "valid" with >>sendmail. >> > We have recently experienced a large increase in junk email >>resulting in >> > the mqueue.in becoming very large (>400,000). >> > >> > I have investigated LDAP, NIS, lists of names, etc. >> > >> > Please point me in the best direction. >> > >> > Thank you! >> >> This must be somesort of mail gateway that forwards to an internal >>mail >> server? You are looking to do recipient address verification. If >>this is >> a case, probably your best bet is a milter to call your internal >>servers >> and verify the recipients. I'm using this milter with success >> http://smfs.sourceforge.net/smf-sav.html, but am not using the RAV >> feature, which is apparently what you are looking for. > >I have just implemented this milter on a gateway, specifically for >recipient address verification, and it works very well, although I >have a >few issues that need to be worked out. > >On the gateway you list the domains you want to relay for in the >sendmail >access file, and put an entry in the mailertable file - just as >normal. >When a connection is made from an external server for a relay domain >it >will look at the appropriate entry in the mailertable file and make >an >smtp connection to that server to verify if the address is OK. If it >is >OK then mail is accepted, otherwise it is rejected if a negative >response >is received, or tempfails if it can't get a positive response. > >It will also work with addresses specified in the virtusertable file. > >milter-ahead is a commercial alternative that presumably does all the >above in a much more sophisticated manner. 
> Actually it appears to do it in pretty much the same way! >The only problems I have noticed so far are: > > I currently cannot get it to accept mail to local accounts on the > gateway - they always tempfail. Bad in principle, but not > too serious in my situation as there is virtually no external > mail to local accounts on the gateway. There must be a solution!

I had the same problem at first... It turned out to be that my rejection for the helo statement was causing it. I don't allow a remote mailserver to use my own server's name as in the HELO command. Well in the config for SMF-SAV it wants the server's FQDN... Which it uses for HELO. This caused the milter to use my own server's name when verifying. Be sure you whitelist your server's own IP address and/or create a separate name for the HELO.

> > If an address is rejected by the server listed in mailertable > the response is always the same: "550 5.1.1 Sorry, no mailbox > here by that name". That is rather misleading if there is > another reason, such as a full mailbox. For the moment I have > changed that message in the source to be more inclusive. > > Although it is failsafe, in that if the socket fails then > sendmail will just accept all incoming mail, it cannot > cleanly reload its configuration file without shutting down > MailScanner/sendmail first and waiting for a while before > restarting both. > >Regards > >Jim Holland >System Administrator >MANGO - Zimbabwe's non-profit e-mail service > > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website!
-------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From res at ausics.net Tue Oct 17 03:10:08 2006 From: res at ausics.net (Res) Date: Tue Oct 17 03:10:16 2006 Subject: OT: sendmail: possible SMTP attack?? In-Reply-To: References: Message-ID: On Mon, 16 Oct 2006, Jeff A. Earickson wrote: > Gang, > > I've been seeing a ton of "possible SMTP attack" syslog messages > from sendmail for the last couple of days, from all over the > place (mostly Israel and Brazil). Normally, I almost never see > this message from sendmail. Anybody else seeing this? New > email virus??? Any other ideas? Is this not the right time of the year for the annual hackers fest ? :) I think it is, so the lil script kiddies are prolly up to no good. The two countries you mention are the most common starting grounds for it. > > Jeff Earickson > Colby College > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From brent.addis at pronet.co.nz Tue Oct 17 03:44:01 2006
From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Oct 17 03:50:37 2006 Subject: installer sql lite wrong ver Message-ID: <7EF1F27F7292534D82933F70AB6996CC0C0B5F@pro-ak-exch01.hosted.pronet.net.nz> The sql lite that comes with the latest installer is a newer version (1.12) than the installer is looking for (1.11) Might want to fix it in the tarball? For the moment, editing install.sh and correcting the version works. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061017/64a6ca44/attachment.html From markee at bandwidthco.com Tue Oct 17 04:38:46 2006 From: markee at bandwidthco.com (markee) Date: Tue Oct 17 04:35:42 2006 Subject: SMTP problem In-Reply-To: <45332F07.4090301@whidbey.com> Message-ID: <00be01c6f19d$c0331310$0300a8c0@bandwidthco.com> Are you using the same sendmail.cf file or configuration? ########################################## This is coming from the home and office of: Mark E. Donaldson Bandwidthco Computer Security markee@bandwidthco.com http://www.bandwidthco.com/ Copyright C 1999 Bandwidthco.com. All rights reserved. 4500 0028 a66b 4000 8006 d307 c0a8 000a c0a8 0002 0871 0bc3 572b 25f7 ca7d 1b60 5010 f64c c0f6 0000 0000 0000 0000 ########################################## CCNA, OCP, GSEC, GCFW, GCIH, GCIA, GCUX, GCFA, GAWN, X-Ways (WinHex) Forensics Certified ########################################## Hacking is the process of influencing a computer system in such a way that it performs an action that is useful to you. ########################################## .~. /V\ /( )\ ^^-^^ -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of G. Armour Van Horn Sent: Monday, October 16, 2006 12:05 AM To: MailScanner discussion Subject: SMTP problem Two weeks ago one of my servers was compromised and I had to rebuild it from the ground up. I jumped a couple of versions, installing Fedora Core 5. I dragged over my previous MailScanner directory and installed MailScanner 4.55-10.3. I was having some odd problems with not several SMTP servers failing to deliver mail, so after a couple of days of head scratching and with some help here on the list I switched to Postfix. The text of the error messages changed, but essentially the same servers would initiate an SMTP session and then never close it. Fearing that I may have caused some problems due to my unfamiliarity with Postfix I switched back to Sendmail, but after many hours of fighting the problem I still can't receive mail from several important mail servers. That is, from several servers that are important to users on the system. I'm pretty sure this isn't actually a MailScanner issue, but I figure that there are quite a few experts here, so I'd appreciate it if anyone has any idea of what I should be looking at. Below are four lines from maillog, each pair of lines indicate a message that never arrived. Any suggestions would be welcome. 
Van Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: timeout waiting for input from mail.networksolutionsemail.com during server cmd read Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: mail.networksolutionsemail.com [205.178.146.50] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA Oct 15 21:03:43 vanquish sendmail[14141]: k9G33hTX014141: timeout waiting for input from mailout.whidbey.net during server cmd read Oct 15 21:03:43 vanquish sendmail[14141]: k9G33hTX014141: mailout.whidbey.net [209.166.64.124] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ----------------------------------------------------------- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. ######################################################## From ka at pacific.net Tue Oct 17 05:42:47 2006
From: ka at pacific.net (Ken) Date: Tue Oct 17 05:41:54 2006 Subject: Anyone using FuzzyOCR? In-Reply-To: <45323EC7.5080905@osubucks.org> References: <71437982F5B13A4D9A5B2669BDB89EE40765C5DC@ISS-CL-EX-V1.soton.ac.uk> <45314A92.3070708@ecs.soton.ac.uk> <45323EC7.5080905@osubucks.org> Message-ID: <45345F47.4020303@pacific.net> We are using both ImageInfo and Fuzzyocr at the moment. Fuzzyocr does use quite a bit of resources, running gocr multiple times on each image, but it does work well and it does stop the image spam, though I don't much like feeding images to complex executables for obvious reasons... Also, much of the current image spam I'm seeing is designed to evade ocr, so it's getting very difficult to match, even with Fuzzyocr, and probably partly because of Fuzzyocr. ImageInfo is good too, and hits a lot of spam. The default scoring seems a bit high, but that's easy enough to change. There has been a significant increase in image spam since last week, so this is a hot topic! Ken A Pacific.Net Chris Sweeney wrote: > The only reason I haven't tried Imageinfo is, if I understand how it > works it seems it would cause a lot of false positives if you have people > sending pictures in the email. People sharing pictures might not like > this. I would really like to find a good fix as the amount of image > SPAM getting in now, it's getting very bad. > > > Julian Field wrote: > >> I have spoken to other people who have tried FuzzyOCR and have found >> Imageinfo much more useful. FuzzyOCR is reckoned to be very high on >> resources and very slow, of the order of several seconds per message. >> The opinion from other people I have spoken to seems to be that it is >> not worth it. >> >> But that's my opinion, Gary.... (along with Steve Freegard of MailWatch >> fame and Anthony of milter.org fame). >> >> Pentland G. wrote: >> >>>> All, >>>> >>>> I'm trialling FuzzyOCR and having mixed results. >>>> >>>> Are any of you using this and what have you found?
Good and bad, I'm >>>> interested. >>>> >>>> Thanks, >>>> >>>> Gary >>>> >>>> >>>> >>>> >> Jules >> >> > > From evanderleun at hal9000.nl Tue Oct 17 08:02:40 2006 From: evanderleun at hal9000.nl (Erik van der Leun) Date: Tue Oct 17 08:02:42 2006 Subject: sendmail /etc/mail/access In-Reply-To: <20061016151647.99312.qmail@web36615.mail.mud.yahoo.com> References: <20061016151647.99312.qmail@web36615.mail.mud.yahoo.com> Message-ID: <45348010.3080709@hal9000.nl> Thanks :) Couldn't find this easily in the sendmail documentation :) Works like a charm! > --- Erik van der Leun wrote: > > >> Hi, >> >> Does anybody know a way to block all email to a >> certain address on >> sendmail level? (I'd know what to do in MailScanner) >> >> As far as I'm concerned /etc/mail/access only can >> discard mails /from/ a >> certain address, but not /to/ a certain address.. >> >> Anybody? :) >> >>> -- >>> >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> > > Hello, > You can do this with REJECT on the right hand side > example- > user@domain REJECT > > hth, > Brett > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061017/2c93b31a/attachment.html From mailscanner at mango.zw Tue Oct 17 08:26:40 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Tue Oct 17 08:22:34 2006 Subject: sendmail /etc/mail/access In-Reply-To: <45348010.3080709@hal9000.nl> Message-ID: On Tue, 17 Oct 2006, Erik van der Leun wrote: > >> Does anybody know a way to block all email to a > >> certain address on > >> sendmail level? (I'd know what to do in MailScanner) > >> > >> As far as I'm concerned /etc/mail/access only can > >> discard mails /from/ a > >> certain address, but not /to/ a certain address.. > >> > >> Anybody? :) > >> > > Hello, > > You can do this with REJECT on the right hand side > > example- > > user@domain REJECT I also find it useful to maintain a list of valid users for dialup domains in the access file, eg: To:user1@example.com RELAY To:user2@example.com RELAY To:user3@example.com RELAY To:example.com ERROR:5.1.1:550 No such user Then you can avoid sending mail for non-existent users to the client that they will have to send back to you again when they next connect. It also means you can have a policy of always reject rather than bounce wrongly addressed mail. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From glenn.steen at gmail.com Tue Oct 17 08:30:48 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 17 08:30:51 2006 Subject: OT: Preferred MTA? In-Reply-To: <453400D8.7050906@enitech.com.au> References: <452E9482.6050307@USherbrooke.ca> <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net> <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> <453305F6.9050004@enitech.com.au> <223f97700610152324n6b8d0a5bg61899131eab4ff3c@mail.gmail.com> <453400D8.7050906@enitech.com.au> Message-ID: <223f97700610170030y2652492ag5ded1d060e625aad@mail.gmail.com> On 16/10/06, Peter Russell wrote: > > >> Is there a simple way to split message to multiple recipients individual > >> emails, yet? Do you think there ever will be? > >> > >> What is everyone else doing to avoid this nightmare? > > If you deem my wiki entry to be to "nightmarish", then I cannot help > > you. If you've just missed it, go look at > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient > > > > ... It looks worse than it is;-). > > > > Do pay attention to the changes needed to not unintentionally > > whitelisting _every mail_ (you cannot whitelist 127.0.0.1 with > > this...), and the different solutions for releasing mails. > > > > Cheers > > Thanks Glen. I have considered this approach, but i think that the > reward Vs the risk of the extra level of complexity isnt worth it, for > me specifically. I like the idea of a content filter to handle this, > which according to the devs is a simple thing to do, if you know how. It > would be ideal because it would be compatible with the single instance > of postfix using the hold method. > > Thanks again > Pete Well, the impact would probably be rather similar, any which way you do it:-). I do have some ideas on how to combine the multiple transport/header checks into one instance of PF, but ... have so far lacked both time and incentive to do something like that. We'll see if I can find some time to play with it ... 
probably not before the weekend (when we'll be revamping our LAN... The times when a highly educated admin gets to become a cable grunt/monkey... Sigh:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Tue Oct 17 09:40:15 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 17 09:46:01 2006 Subject: RBL checks broken in 4.56.8? In-Reply-To: <452FB8E8.8040808@tulsaconnect.com> References: <452FB8E8.8040808@tulsaconnect.com> Message-ID: <453496EF.6020509@ecs.soton.ac.uk> Is anyone else seeing this problem at all? TCIS List Acct wrote: > I just switched from 4.55.9 to 4.56.8 and my RBL checks (MailScanner's > RBL checks) are broken. SA's checks still work fine. Net::DNS 0.59 > is installed and working. Simply switching back to 4.55.9 on the same > box fixes the problem. > spam.lists.conf is valid for the two I am using (spamcop and > SBL+XBL). No errors show in debug mode. > > Ideas? > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Oct 17 09:44:28 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 17 09:46:12 2006 Subject: installer sql lite wrong ver In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC0C0B5F@pro-ak-exch01.hosted.pronet.net.nz> References: <7EF1F27F7292534D82933F70AB6996CC0C0B5F@pro-ak-exch01.hosted.pronet.net.nz> Message-ID: <453497EC.9050306@ecs.soton.ac.uk> Many thanks. Brent Addis wrote: > > The sql lite that comes with the latest installer is a newer version > (1.12) than the installer is looking for (1.11) > > > > Might want to fix it in the tarball? > > > > For the moment, editing install.sh and correcting the version works. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From martinh at solidstatelogic.com Tue Oct 17 09:53:34 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Oct 17 09:53:45 2006 Subject: RBL checks broken in 4.56.8? In-Reply-To: <453496EF.6020509@ecs.soton.ac.uk> References: <452FB8E8.8040808@tulsaconnect.com> <453496EF.6020509@ecs.soton.ac.uk> Message-ID: <45349A0E.9070206@solidstatelogic.com> Julian Field wrote: > Is anyone else seeing this problem at all? > > TCIS List Acct wrote: >> I just switched from 4.55.9 to 4.56.8 and my RBL checks (MailScanner's >> RBL checks) are broken. SA's checks still work fine. Net::DNS 0.59 >> is installed and working. Simply switching back to 4.55.9 on the same >> box fixes the problem. >> spam.lists.conf is valid for the two I am using (spamcop and >> SBL+XBL). No errors show in debug mode. >> >> Ideas? >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Jules I think someone mentioned this on the IRC channel last week. Could of course be the same person... -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at mckerrs.net Tue Oct 17 11:08:01 2006 From: mailscanner at mckerrs.net (Mailscanner Admin) Date: Tue Oct 17 11:06:43 2006 Subject: Increased SPAM getting through Message-ID: <4534AB81.8090807@mckerrs.net> Has anyone else noticed increased SPAM getting through over the past week or so ? Especially where the spam is fairly obvious yet BAYES_00 is triggered ? here is one example; X-mckerrs-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.334, required 3, BAYES_00 -2.60, EXTRA_MPART_TYPE 1.09, HTML_IMAGE_ONLY_24 1.84, HTML_MESSAGE 0.00) X-mckerrs-MailScanner-From: pixkmoq@tomieraines.com my spam score is 3.0 as you can see and the BAYES_00 seems to be the one the brings the score back under 3. I'm running MS 4.50.12 and SA 3.1.7 from atrpms repo. Any clues ? Cheers, Brian. From martinh at solidstatelogic.com Tue Oct 17 11:17:36 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Oct 17 11:17:47 2006 Subject: Increased SPAM getting through In-Reply-To: <4534AB81.8090807@mckerrs.net> References: <4534AB81.8090807@mckerrs.net> Message-ID: <4534ADC0.9050102@solidstatelogic.com> Mailscanner Admin wrote: > Has anyone else noticed increased SPAM getting through over the past > week or so ? Especially where the spam is fairly obvious yet BAYES_00 is > triggered ? > > here is one example; > > X-mckerrs-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.334, > required 3, BAYES_00 -2.60, EXTRA_MPART_TYPE 1.09, > HTML_IMAGE_ONLY_24 1.84, HTML_MESSAGE 0.00) > X-mckerrs-MailScanner-From: pixkmoq@tomieraines.com > > my spam score is 3.0 as you can see and the BAYES_00 seems to be the one > the brings the score back under 3. > > > I'm running MS 4.50.12 and SA 3.1.7 from atrpms repo. > > > Any clues ? > > > Cheers, > > > Brian. > Brian nope. have you got any of the SARE/fred etc rules installed from www.rulesemporium.com have you got razor2/dcc running? have you got the network tests running so the URI-RBL rules happen? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From glenn.steen at gmail.com Tue Oct 17 11:36:24 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 17 11:36:27 2006 Subject: Increased SPAM getting through In-Reply-To: <4534AB81.8090807@mckerrs.net> References: <4534AB81.8090807@mckerrs.net> Message-ID: <223f97700610170336v20d7ecc4g23eaa008d68f6043@mail.gmail.com> On 17/10/06, Mailscanner Admin wrote: > Has anyone else noticed increased SPAM getting through over the past week or so ? Especially where the spam is fairly obvious yet BAYES_00 is triggered ? > > here is one example; > > X-mckerrs-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.334, > required 3, BAYES_00 -2.60, EXTRA_MPART_TYPE 1.09, > HTML_IMAGE_ONLY_24 1.84, HTML_MESSAGE 0.00) > X-mckerrs-MailScanner-From: pixkmoq@tomieraines.com > > my spam score is 3.0 as you can see and the BAYES_00 seems to be the one the brings the score back under 3. Yes, well... Is this by any chance an image based spam? (I'm thinking that would be a rhetorical question, given the rule hits you have). If so, look into implementing ImageInfo and perhaps FuzzyOcr (ongoing/recent threads on this list point you in the right direction;-). Bayes has likely not that much to work with, so... that would probably explain why it fires the _00 rule... And training will not help you much with that type of spam... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From otherrace707500 at yahoo.co.uk Tue Oct 17 13:00:04 2006 From: otherrace707500 at yahoo.co.uk (Joseph Chafumuka) Date: Tue Oct 17 13:00:08 2006 Subject: UNSUBSCRIPTION Message-ID: <20061017120004.34086.qmail@web28104.mail.ukl.yahoo.com> I would like to unsubscribe Send instant messages to your online friends http://uk.messenger.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061017/4d84c2cc/attachment.html From amoore at dekalbmemorial.com Tue Oct 17 13:28:05 2006
From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Tue Oct 17 13:28:09 2006 Subject: sendmail /etc/mail/access In-Reply-To: Message-ID: <60D398EB2DB948409CA1F50D8AF122570192909B@exch1.dekalbmemorial.local> Buy yourself a copy of the O'Reilly Sendmail books. They are money well spent. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, IN Phone: 260.920.2808 E-mail: amoore@dekalbmemorial.com ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Erik van der Leun Sent: Tuesday, October 17, 2006 3:03 AM To: MailScanner discussion Subject: Re: sendmail /etc/mail/access Thanks :) Couldn't find this easily in the sendmail documentation :) Works like a charm! --- Erik van der Leun wrote: Hi, Does anybody know a way to block all email to a certain address on sendmail level? (I'd know what to do in MailScanner) As far as I'm concerned /etc/mail/access only can discard mails /from/ a certain address, but not /to/ a certain address.. Anybody? :) -- MailScanner mailing list mailscanner@lists.mailscanner.info Hello, You can do this with REJECT on the right hand side example- user@domain REJECT hth, Brett __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061017/4901a5c9/attachment.html From mike at vesol.com Tue Oct 17 13:34:47 2006 From: mike at vesol.com (Mike Kercher) Date: Tue Oct 17 13:34:56 2006 Subject: UNSUBSCRIPTION In-Reply-To: <20061017120004.34086.qmail@web28104.mail.ukl.yahoo.com> Message-ID: http://lists.mailscanner.info/mailman/listinfo/mailscanner ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Joseph Chafumuka Sent: Tuesday, October 17, 2006 7:00 AM To: mailscanner@lists.mailscanner.info Subject: UNSUBSCRIPTION I would like to unsubscribe Send instant messages to your online friends http://uk.messenger.yahoo.com From amoore at dekalbmemorial.com Tue Oct 17 14:34:35 2006 From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Tue Oct 17 14:34:41 2006 Subject: SARE Rules Emporium Message-ID: <60D398EB2DB948409CA1F50D8AF12257019290FF@exch1.dekalbmemorial.local> Anybody know what happened to the Rules Emporium website? All I get is a domain parking page. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, IN Phone: 260.920.2808 E-mail: amoore@dekalbmemorial.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061017/48dd95b3/attachment.html From brose at med.wayne.edu Tue Oct 17 14:39:55 2006 From: brose at med.wayne.edu (Rose, Bobby) Date: Tue Oct 17 14:40:04 2006 Subject: SARE Rules Emporium In-Reply-To: <60D398EB2DB948409CA1F50D8AF12257019290FF@exch1.dekalbmemorial.local> Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B4888D2@MED-CORE03-MS1.med.wayne.edu> That would be a question for the spamassassin lists. Someone posted to that list that the name registration expired. ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Aaron K. Moore Sent: Tuesday, October 17, 2006 9:35 AM To: mailscanner@lists.mailscanner.info Subject: SARE Rules Emporium Anybody know what happened to the Rules Emporium website? All I get is a domain parking page. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, IN Phone: 260.920.2808 E-mail: amoore@dekalbmemorial.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061017/b72cf2f4/attachment.html From info at mevershosting.nl Tue Oct 17 14:41:42 2006 From: info at mevershosting.nl (Mevershosting.nl) Date: Tue Oct 17 14:41:56 2006 Subject: Found 385 messages waiting Message-ID: <78964AB012E2A247BA86E219659F235C6DD382@mevers1.meverskantoor.nl> But only scanning 9, I see the maximum is 30 but why does it not scan 30 ? Hope somebody knows.. Thanx in advance Richard From raymond at prolocation.net Tue Oct 17 14:44:14 2006 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Tue Oct 17 14:44:17 2006 Subject: SARE Rules Emporium In-Reply-To: <60D398EB2DB948409CA1F50D8AF12257019290FF@exch1.dekalbmemorial.local> References: <60D398EB2DB948409CA1F50D8AF12257019290FF@exch1.dekalbmemorial.local> Message-ID: Hi! > Anybody know what happened to the Rules Emporium website? All I get is > a domain parking page. Renewal issue, its being worked on with enom ... Bye, Raymond. From listacct at tulsaconnect.com Tue Oct 17 14:51:10 2006 
From: listacct at tulsaconnect.com (TCIS List Acct) Date: Tue Oct 17 14:49:18 2006 Subject: RBL checks broken in 4.56.8? In-Reply-To: <45349A0E.9070206@solidstatelogic.com> References: <452FB8E8.8040808@tulsaconnect.com> <453496EF.6020509@ecs.soton.ac.uk> <45349A0E.9070206@solidstatelogic.com> Message-ID: <4534DFCE.9010308@tulsaconnect.com> Martin Hepworth wrote: > Jules > I think someone mentioned this on the IRC channel last week. Could of > course be the same person... > Nope, I haven't visited the IRC channel yet.. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From mrm at medicine.wisc.edu Tue Oct 17 14:53:15 2006 
From: mrm at medicine.wisc.edu (Michael Masse) Date: Tue Oct 17 14:53:40 2006 Subject: phishing schemes getting by Message-ID: <45349A6E.7FBE.00FC.3@medicine.wisc.edu> Sorry if this has been previously addressed, but lately I've been noticing a lot of phishing schemes that seem to be wising up. They are no longer providing links of the sort: somebank.com and are now doing somebank.com and are now doing Rob Morin wrote: > >> Hello all... more and more recently i have been asked by clients why >> emails are getting marked as SPM. I tell them well maybe because of this >> and that, that used to work ok, but now they want to know why exactly an >> email was marked as spam... here is an example.... >> >> Oct 16 15:28:17 peter MailScanner[5660]: Message 1920269005F.5C45D from >> 207.99.47.70 (dplatt@domain2.com) to domain.com is spam, SpamAssassin >> (score=12.46, required 4, BAYES_60 1.00, FB_4WORD_DOLLARe 0.85, >> FB_SINGLE_0WORD 0.34, FB_SINGLE_1WORD 1.01, FB_WORD1_END_DOLLAR 1.39, >> FB_WORD2_END_DOLLAR 1.39, FB_WORD_01DOLLAR1 0.60, FM_MULTI_ODD2 1.10, >> FM_MULTI_ODD3 0.70, FM_MULTI_ODD4 0.70, FM_MULTI_ODD5 0.90, >> OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37) >> >> So what do i tell the client? There must be some docs or list to read >> against to figure out why it's getting marked as spam.... >> > > > It got marked as spam largely because of your add-on rulesets. > > Most of those FB_* rules come from > http://www.rulesemporium.com/rules/88_FVGT_body.cf > > And the rest come from > http://www.rulesemporium.com/rules/99_FVGT_meta.cf > > > So perhaps a better question is, if you don't already know exactly what > these rules do, why did you add them? > > I'm quite well versed in SA, but I do not know what these sets do, other than > that Fred Tarasevicius wrote them. > > I can tell you from looking at the rulefiles: > > FB_SINGLE_1WORD appears to look for a shortish word (8 chars max) with a 1 > roughly in the middle.
> > FB_SINGLE_0WORD is similar, but looks for a 0, allows $ signs in the second > half, and has a 7 character limit. > > FB_4WORD_DOLLARe appears to look for a word (13 chars max) with a dollar-sign in > the middle, but excludes Micro$oft. > > My guess is this ruleset would tear the hell out of any email with programmer's > source code in it, or anything containing lots of mixed alphanumeric "id" > strings. (ie: reports using a lot of abbreviations) > > A default SA install would have ranked this with a score of 3.47 (BAYES_60 1.00, > OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37) > > > > >> Did i confuse anyone? >> p.s. the original domain name has been change to conceal the innocent >> :) >> >> >> > > From shuttlebox at gmail.com Tue Oct 17 16:01:10 2006 From: shuttlebox at gmail.com (shuttlebox) Date: Tue Oct 17 16:01:15 2006 Subject: Increased SPAM getting through In-Reply-To: <223f97700610170336v20d7ecc4g23eaa008d68f6043@mail.gmail.com> References: <4534AB81.8090807@mckerrs.net> <223f97700610170336v20d7ecc4g23eaa008d68f6043@mail.gmail.com> Message-ID: <625385e30610170801v44f7dcb4q76a2600103288c07@mail.gmail.com> On 10/17/06, Glenn Steen wrote: > direction;-). Bayes has likely not that much to work with, so... that > would probably explain why it fires the _00 rule... And training will > not help you much with that type of spam... That would fire the 50 rule (or not at all). 00 means Bayes is certain it's not spam. -- /peter From mike at vesol.com Tue Oct 17 16:02:42 2006 From: mike at vesol.com (Mike Kercher) Date: Tue Oct 17 16:03:02 2006 Subject: Found 385 messages waiting In-Reply-To: <78964AB012E2A247BA86E219659F235C6DD385@mevers1.meverskantoor.nl> Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on : > Yes i know, lock type is ok its posix > > but still > > Richard > Do all of the messages in the queue have matching df/qf pairs? Mike From info at mevershosting.nl Tue Oct 17 16:17:08 2006 
From: info at mevershosting.nl (Mevershosting.nl) Date: Tue Oct 17 16:17:10 2006 Subject: MailScanner speed / time per step Message-ID: <78964AB012E2A247BA86E219659F235C6DD386@mevers1.meverskantoor.nl> anybody know a good way to log time for every step mailscanner / spamassassin takes ? I want to tune my mailscanners, would be nice to find out the time the mailscanner spends on every step. Richard From brian.duncan at kattenlaw.com Tue Oct 17 16:17:58 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Tue Oct 17 16:18:48 2006 Subject: OT: ImageInfo or some other tool to detect Animated Gifs. Message-ID: <65234743FE1555428435CE39E6AC4078B38A9B@CHI-US-EXCH-01.us.kmz.com> I know it's off topic, with all the Fuzzy OCR talk and ImageInfo talk I figured someone might know. Any way to specifically detect an animated GIF? Now we are getting (very few but I am sure it will increase) these animated GIF pump and dump Spams that Fuzzy OCR cannot process succesfully. I will paste one in here, I hope this message is not caught as Spam. I am not sure if it's the OCR engine or the way the animate GIF is designed. As you see it slowly scrolls through the text included in the image, then if you wait long enough (like 10 minutes) the final frames of this animated GIF are only the background with NO text. Based on what Fuzzy OCR is telling me the only text it sees is some / and \. (Which happen to be what is left on the final frames of this GIF) If I could just add a score for ANY included animated gif I highly doubt I would have any false positives. Thanks for any info. =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. 
If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. =========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). =========================================================== -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061017/71e9759e/attachment.html From ryan at marinocrane.com Tue Oct 17 16:32:22 2006 From: ryan at marinocrane.com (Ryan Pitt) Date: Tue Oct 17 16:32:41 2006 Subject: Increased SPAM getting through In-Reply-To: <4534ADC0.9050102@solidstatelogic.com> References: <4534AB81.8090807@mckerrs.net> <4534ADC0.9050102@solidstatelogic.com> Message-ID: <4534F786.1090708@marinocrane.com> Martin Hepworth wrote: > nope. > > have you got any of the SARE/fred etc rules installed from > www.rulesemporium.com > > have you got razar2/dcc running? > > have you got the network tests running so the URI-RBL rules happen? Martin, Please forgive the ignorance. We are also experiencing high volumes of spam, specifically image type spam. How do we check if razar2, DCC and network tests are running? Thanks Ryan From martinh at solidstatelogic.com Tue Oct 17 16:45:44 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Oct 17 16:45:55 2006 Subject: Increased SPAM getting through In-Reply-To: <4534F786.1090708@marinocrane.com> References: <4534AB81.8090807@mckerrs.net> <4534ADC0.9050102@solidstatelogic.com> <4534F786.1090708@marinocrane.com> Message-ID: <4534FAA8.1050007@solidstatelogic.com> Ryan Pitt wrote: > Martin Hepworth wrote: >> nope. >> >> have you got any of the SARE/fred etc rules installed from >> www.rulesemporium.com >> >> have you got razar2/dcc running? >> >> have you got the network tests running so the URI-RBL rules happen? > Martin, > > Please forgive the ignorance. We are also experiencing high volumes of > spam, specifically image type spam. > How do we check if razar2, DCC and network tests are running? > > Thanks > Ryan if running SA < 3.1.6 then spamassassin -D --lint will show you. also see if you can drop unknown users on the inbound MTA (there's recipes in the wiki giving examples for sendmail, postfix and exim). You'll prob find you drop well over 60% of your connections via that method. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From MailScanner at ecs.soton.ac.uk Tue Oct 17 16:44:07 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 17 16:46:00 2006 Subject: MailScanner speed / time per step In-Reply-To: <78964AB012E2A247BA86E219659F235C6DD386@mevers1.meverskantoor.nl> References: <78964AB012E2A247BA86E219659F235C6DD386@mevers1.meverskantoor.nl> Message-ID: <4534FA47.9030809@ecs.soton.ac.uk> Start by setting Log Speed = yes and then look in your maillog. Mevershosting.nl wrote: > anybody know a good way to log time for every step mailscanner / > spamassassin takes ? > > I want to tune my mailscanners, would be nice to find out the time the > mailscanner spends on every step. > > Richard > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ssilva at sgvwater.com Tue Oct 17 16:55:47 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 17 16:56:50 2006 Subject: Increased SPAM getting through In-Reply-To: <4534F786.1090708@marinocrane.com> References: <4534AB81.8090807@mckerrs.net> <4534ADC0.9050102@solidstatelogic.com> <4534F786.1090708@marinocrane.com> Message-ID: Ryan Pitt spake the following on 10/17/2006 8:32 AM: > Martin Hepworth wrote: >> nope. >> >> have you got any of the SARE/fred etc rules installed from >> www.rulesemporium.com >> >> have you got razar2/dcc running? >> >> have you got the network tests running so the URI-RBL rules happen? > Martin, > > Please forgive the ignorance. We are also experiencing high volumes of > spam, specifically image type spam. > How do we check if razar2, DCC and network tests are running? > > Thanks > Ryan You should see tags from DCC, RAZOR, or PYZOR in the message headers and the maillog. For instance, you could see the razor hits with; grep RAZOR /var/log/maillog Or in a message header you should see scores related to them. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jaearick at colby.edu Tue Oct 17 17:06:26 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Oct 17 17:06:48 2006 Subject: RulesDuJour blowup? Message-ID: Gang, Did anybody else have their daily RulesDuJour update blow up on them today? All of my new files are 5969 bytes in size and are an html webpage to buy school supplies. Hunh??? Jeff Earickson Colby College From ka at pacific.net Tue Oct 17 17:14:00 2006 
From: ka at pacific.net (Ken A) Date: Tue Oct 17 17:12:07 2006 Subject: OT: ImageInfo or some other tool to detect Animated Gifs. In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A9B@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38A9B@CHI-US-EXCH-01.us.kmz.com> Message-ID: <45350148.7070300@pacific.net> Duncan, Brian M. wrote: > I know it's off topic, with all the Fuzzy OCR talk and ImageInfo talk I > figured someone might know. > > Any way to specifically detect an animated GIF? Now we are getting > (very few but I am sure it will increase) these animated GIF pump and > dump Spams that Fuzzy OCR cannot process succesfully. I will paste one > in here, I hope this message is not caught as Spam. I am not sure if > it's the OCR engine or the way the animate GIF is designed. > > As you see it slowly scrolls through the text included in the image, > then if you wait long enough (like 10 minutes) the final frames of this > animated GIF are only the background with NO text. > > Based on what Fuzzy OCR is telling me the only text it sees is some / > and \. (Which happen to be what is left on the final frames of this > GIF) Fuzzyocr just considers the largest frames.. which as you say, are blank... :-\ > If I could just add a score for ANY included animated gif I highly doubt > I would have any false positives. Frankly, I'd love to block that incredimail animated junk, but our users would disagree. giftext from the libungif package can tell you how many frames are in an animated gif. FuzzyOCR makes use of it, but I don't think there is any scoring based on the number of frames or size of frames. Perhaps there should be. To block these, save a few of them, then 'cat 1 2 3 4 | sort' and look for identical lines. Make a FULL rule to match the common part. 
full LOCAL_MYRULE /BASE64_ENCODED_TEXT_HERE/
describe LOCAL_MYRULE anim image and junk bayes
score LOCAL_MYRULE 1.0

I've found that this works well, but test, test, test and _watch out for FPs_ ymmv. Ken A, Pacific.Net > > Thanks for any info. From Kevin_Miller at ci.juneau.ak.us Tue Oct 17 17:12:16 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Oct 17 17:12:20 2006 Subject: RulesDuJour blowup? In-Reply-To: Message-ID: Jeff A. Earickson wrote: > Gang, > > Did anybody else have their daily RulesDuJour update blow up on > them today? All of my new files are 5969 bytes in size and are > an html webpage to buy school supplies. Hunh??? Jeff, I run RulesDuJour nightly, but didn't notice any updates last night, so nothing to explode. All my rule sets seem to be intact... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From martinh at solidstatelogic.com Tue Oct 17 17:14:16 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Oct 17 17:14:48 2006 Subject: RulesDuJour blowup? In-Reply-To: References: Message-ID: <45350158.8070002@solidstatelogic.com> Jeff A. Earickson wrote: > Gang, > > Did anybody else have their daily RulesDuJour update blow up on > them today? All of my new files are 5969 bytes in size and are > an html webpage to buy school supplies. Hunh??? > > Jeff Earickson > Colby College rulesemporium.com went off the net due a fubar by the domain registrar. Should be sorted now. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From ryan at marinocrane.com Tue Oct 17 17:16:00 2006 
From: ryan at marinocrane.com (Ryan Pitt) Date: Tue Oct 17 17:16:19 2006 Subject: RulesDuJour blowup? In-Reply-To: References: Message-ID: <453501C0.5060204@marinocrane.com> Jeff A. Earickson wrote: > Gang, > > Did anybody else have their daily RulesDuJour update blow up on > them today? All of my new files are 5969 bytes in size and are > an html webpage to buy school supplies. Hunh??? > > Jeff Earickson > Colby College I had the same thing happen to me. It rolled back to yesterday's version though. I also believe they had domain issues this morning which could have caused it. I'm going to wait until tomorrow before I do anything more. Ryan From richard.siddall at elirion.net Tue Oct 17 17:14:33 2006 From: richard.siddall at elirion.net (Richard Siddall) Date: Tue Oct 17 17:16:34 2006 Subject: RulesDuJour blowup? In-Reply-To: References: Message-ID: <45350169.5000001@elirion.net> Jeff A. Earickson wrote: > Gang, > > Did anybody else have their daily RulesDuJour update blow up on > them today? All of my new files are 5969 bytes in size and are > an html webpage to buy school supplies. Hunh??? > > Jeff Earickson > Colby College I believe RDJ uses the rulesemporium.com web site, which is down due to domain registration renewal problems. Regards, Richard. From dave.list at pixelhammer.com Tue Oct 17 17:19:50 2006 
From: dave.list at pixelhammer.com (DAve) Date: Tue Oct 17 17:20:16 2006 Subject: RulesDuJour blowup? In-Reply-To: References: Message-ID: <453502A6.2030508@pixelhammer.com> Jeff A. Earickson wrote: > Gang, > > Did anybody else have their daily RulesDuJour update blow up on > them today? All of my new files are 5969 bytes in size and are > an html webpage to buy school supplies. Hunh??? > > Jeff Earickson > Colby College There is a domain registration issue with rulesemporium, Chris is working on it today. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From ssilva at sgvwater.com Tue Oct 17 17:21:23 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 17 17:21:48 2006 Subject: OT: ImageInfo or some other tool to detect Animated Gifs. In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A9B@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38A9B@CHI-US-EXCH-01.us.kmz.com> Message-ID: Duncan, Brian M. spake the following on 10/17/2006 8:17 AM: > I know it's off topic, with all the Fuzzy OCR talk and ImageInfo talk I > figured someone might know. > > Any way to specifically detect an animated GIF? Now we are getting > (very few but I am sure it will increase) these animated GIF pump and > dump Spams that Fuzzy OCR cannot process succesfully. I will paste one > in here, I hope this message is not caught as Spam. I am not sure if > it's the OCR engine or the way the animate GIF is designed. > > As you see it slowly scrolls through the text included in the image, > then if you wait long enough (like 10 minutes) the final frames of this > animated GIF are only the background with NO text. > > Based on what Fuzzy OCR is telling me the only text it sees is some / > and \. (Which happen to be what is left on the final frames of this GIF) > > If I could just add a score for ANY included animated gif I highly doubt > I would have any false positives. > > Thanks for any info. > I looked at about a dozen animated GIFs and I see one common thing. They have the text string "NETSCAPE2.0" (without the quotes). You would have to add something to the magic that the file command uses(mine is /usr/share/magic), and then you could ban that filetype in MailScanner. I would check as many animated GIF's as you can before you try this to make sure that string is there. I don't see that string in my magic file, so it shouldn't conflict with anything, but I can't be sure about false positives. Or you could just ban all gif images, if that will fly with your users. -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!! From ryan at marinocrane.com Tue Oct 17 17:22:32 2006 From: ryan at marinocrane.com (Ryan Pitt) Date: Tue Oct 17 17:22:51 2006 Subject: Increased SPAM getting through In-Reply-To: <4534FAA8.1050007@solidstatelogic.com> References: <4534AB81.8090807@mckerrs.net> <4534ADC0.9050102@solidstatelogic.com> <4534F786.1090708@marinocrane.com> <4534FAA8.1050007@solidstatelogic.com> Message-ID: <45350348.6070704@marinocrane.com> Martin Hepworth wrote: > also see if you can drop unknown users on the inbound MTA (there's > recipes in the wiki giving examples for sendmail, postfix and exim). > You'll prob find you drop well ober 60% of your connections via that > method. I dont see a recipe for Sendmail on the Wiki. Any ideas? Thanks Ryan From dhawal at netmagicsolutions.com Tue Oct 17 17:25:33 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Tue Oct 17 17:25:55 2006 Subject: RulesDuJour blowup? In-Reply-To: References: Message-ID: <453503FD.1060705@netmagicsolutions.com> Jeff A. Earickson wrote: > Gang, > > Did anybody else have their daily RulesDuJour update blow up on > them today? All of my new files are 5969 bytes in size and are > an html webpage to buy school supplies. Hunh??? The domain has expired and the owners are working towards renewing it.. give them a day or 2 to fix it. - dhawal From mscanlist at drisp.com Tue Oct 17 17:36:09 2006 
From: mscanlist at drisp.com (Michael Kain) Date: Tue Oct 17 17:36:13 2006 Subject: But I found it amusing... In-Reply-To: References: Message-ID: <45350679.3040308@drisp.com> Kevin Miller wrote: > Rick Chadderdon wrote: > >> One of my users just sent me a message from one of her vendors. It >> basically said, "We've removed you from our weekly update list because >> you blocked our mail. Let us know when you unblock us and I'll add >> you again." My user asked me if I could find out why the mail was >> being blocked, because she needed the updates. No problem... >> >> It turned out to be an SPF hardfail. Further checking led me to guess >> that someone added an mail exchanger without changing the MX entry for >> the domain. Their SPF entry is "v=spf1 mx -all". The mails that are >> getting blocked are, of course, not from their MX entry's IP address. >> But they send us, "as soon as you unblock us..." (sigh) >> >> To be fair, the person who sent my user that message is a sales rep >> and probably saw nothing more than their mail system's bounce message. >> (Which should have, however, had an explanatory link...) Still... >> I'm sitting here shaking my head. >> >> Rick >> > > LOL. Some days, retirement can't come soon enough! > > ...Kevin > Who are you kidding? If you retired you would miss dealing with these problems. haha. From ssilva at sgvwater.com Tue Oct 17 17:46:15 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 17 17:46:52 2006 Subject: RulesDuJour blowup? In-Reply-To: References: Message-ID: Jeff A. Earickson spake the following on 10/17/2006 9:06 AM: > Gang, > > Did anybody else have their daily RulesDuJour update blow up on > them today? All of my new files are 5969 bytes in size and are > an html webpage to buy school supplies. Hunh??? > > Jeff Earickson > Colby College I saw it this morning. But all the rules rolled back ok after the lint failed, so I am still up. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jaearick at colby.edu Tue Oct 17 17:50:23 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Oct 17 17:50:33 2006 Subject: RulesDuJour blowup? In-Reply-To: <45350158.8070002@solidstatelogic.com> References: <45350158.8070002@solidstatelogic.com> Message-ID: On Tue, 17 Oct 2006, Martin Hepworth wrote: > Date: Tue, 17 Oct 2006 17:14:16 +0100 > From: Martin Hepworth > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: RulesDuJour blowup? > > Jeff A. Earickson wrote: >> Gang, >> >> Did anybody else have their daily RulesDuJour update blow up on >> them today? All of my new files are 5969 bytes in size and are >> an html webpage to buy school supplies. Hunh??? >> >> Jeff Earickson >> Colby College > > rulesemporium.com went off the net due a fubar by the domain registrar. > Should be sorted now. After recovering yesterday's rules from backup, I suspected DNS poisoning and stopped and restarted DNS on my mail server. Then I ran the update script and things worked. Yikes! Jeff Earickson Colby College From mscanlist at drisp.com Tue Oct 17 17:52:12 2006 
From: mscanlist at drisp.com (Michael Kain) Date: Tue Oct 17 17:52:22 2006 Subject: Server Loads/hardware standards Message-ID: <45350A3C.8080906@drisp.com> Recently, I've gone from handling 40k messages /day to nearly 30k/hour. The change has surfaced in the last month or so. My current setup: Dual P3 1.13 1GB Ram FC5 Mail gateway running MS/clam/SA forwards scanned mail to internal mail server (when there's a problem, users hit send/receive and that doesn't cause an error..thus avoiding immediate call) I've used Julian's clam/sa install script (which is awesome), and read posts relating to new releases before upgrading/such. With spamassassin enabled, the batch list grows and grows, was up to 95k at one point.. disabling SA in MS cleared that out fairly quickly. I've wiped the SA/bayes temp files thinking bayes was backing up, however, it seems that is not helping. What I would like an opinion on is this... Am I trying to do too much with the hardware that I currently have? Or do I put together a bigger beefier machine? -Mike From stef at aoc-uk.com Tue Oct 17 18:02:15 2006 From: stef at aoc-uk.com (Stef Morrell) Date: Tue Oct 17 18:02:18 2006 Subject: RulesDuJour blowup? Message-ID: <120103F0F5EC264097BC0A06EC9D026A0111BE64@pardessus.aoc-uk.com> dave.list@pixelhammer.com wrote on 17 October 2006 17:20: > Jeff A. Earickson wrote: >> Gang, >> >> Did anybody else have their daily RulesDuJour update blow up on them >> today? All of my new files are 5969 bytes in size and are an html >> webpage to buy school supplies. Hunh??? >> >> Jeff Earickson >> Colby College > > There is a domain regstration issue with rulesemporium, Chris is > working on it today. Seems to be back up and working fine now. Stef Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net From ssilva at sgvwater.com Tue Oct 17 18:07:18 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 17 18:07:38 2006 Subject: RulesDuJour blowup? Follow-up report In-Reply-To: References: Message-ID: Jeff A. Earickson spake the following on 10/17/2006 9:06 AM: > Gang, > > Did anybody else have their daily RulesDuJour update blow up on > them today? All of my new files are 5969 bytes in size and are > an html webpage to buy school supplies. Hunh??? > > Jeff Earickson > Colby College A followup to this issue. I see the issue is resolved now, but I had to clear out the /etc/mail/spamassassin/RulesDuJour directory to get it to successfully download on my test machine. It should clear itself up, but if not, you know what to check. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From brian.duncan at kattenlaw.com Tue Oct 17 18:22:29 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Tue Oct 17 18:22:37 2006 Subject: OT: ImageInfo or some other tool to detect Animated Gifs. Message-ID: <65234743FE1555428435CE39E6AC4078B38A9F@CHI-US-EXCH-01.us.kmz.com> > I looked at about a dozen animated GIFs and I see one common > thing. They have the text string "NETSCAPE2.0" (without the quotes). > You would have to add something to the magic that the file > command uses(mine is /usr/share/magic), and then you could > ban that filetype in MailScanner. > I would check as many animated GIF's as you can before you > try this to make sure that string is there. > I don't see that string in my magic file, so it shouldn't > conflict with anything, but I can't be sure about false positives. > > Or you could just ban all gif images, if that will fly with > your users. > > I don't have the option to ban all GIF images. I just started looking through the SpamAssasin mail list and see someone has commented on animated GIF's. > A simple way to block these images would > be to scan the GIF for offset frames. I don't think there is any valid > GIF which makes use of these techniques I am guessing that GIF images that do not contain offset frames would then be static and would have a better Chance of being OCR'ed correctly. Attached logo's for users messages is really the reason for me to allow inline images. So if there was a way to detect GIF's that contain offset frames that would be great. (Through something like ImageInfo.pm) From Kevin_Miller at ci.juneau.ak.us Tue Oct 17 18:24:31 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Oct 17 18:24:35 2006 Subject: RulesDuJour blowup? In-Reply-To: <453503FD.1060705@netmagicsolutions.com> Message-ID: Dhawal Doshy wrote: > Jeff A. Earickson wrote: >> Gang, >> >> Did anybody else have their daily RulesDuJour update blow up on >> them today? All of my new files are 5969 bytes in size and are >> an html webpage to buy school supplies. Hunh??? > > The domain has expired and the owners are working towards renewing > it.. give them a day or 2 to fix it. > > - dhawal It comes up fine for me - probably cached. FWIW, http://38.99.66.94/ works just fine. Just say, "DNS. We don't need no stinkin' DNS"... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From brian.duncan at kattenlaw.com Tue Oct 17 18:26:39 2006 
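Added example (not part of any list post, and not FuzzyOCR or ImageInfo code): a structural GIF check in Python covering the three signals raised in the animated-GIF thread above, namely the frame count Ken A gets from giftext, the "NETSCAPE2.0" marker Scott Silva noticed, and the offset frames Brian Duncan quotes from the SpamAssassin list. The function names, the score weights and the two sample GIFs are constructed for illustration.

```python
"""Structural GIF check: frame count, NETSCAPE2.0 loop block, offset frames."""
import struct
from dataclasses import dataclass, field


@dataclass
class GifReport:
    width: int = 0
    height: int = 0
    frames: int = 0
    netscape_loop: bool = False     # "NETSCAPE2.0" application extension seen
    offset_frames: int = 0          # frames that do not cover the whole canvas
    delays_cs: list = field(default_factory=list)   # frame delays in 1/100 s

    @property
    def animated(self):
        return self.frames > 1


def _read_sub_blocks(data, pos):
    """Collect length-prefixed sub-blocks up to the zero-length terminator."""
    payload = bytearray()
    while True:
        size = data[pos]            # IndexError on truncation, handled by caller
        pos += 1
        if size == 0:
            return bytes(payload), pos
        if pos + size > len(data):
            raise ValueError("truncated GIF sub-block")
        payload += data[pos:pos + size]
        pos += size


def _color_table_len(packed):
    """Bytes used by a color table, or 0 when the flag bit is clear."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0


def inspect_gif(data):
    """Walk the block structure of untrusted GIF bytes without decoding pixels."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    rep = GifReport()
    try:
        rep.width, rep.height, packed = struct.unpack_from("<HHB", data, 6)
        pos = 13 + _color_table_len(packed)
        while pos < len(data):
            block = data[pos]
            pos += 1
            if block == 0x3B:                       # trailer
                break
            if block == 0x21:                       # extension block
                label = data[pos]
                payload, pos = _read_sub_blocks(data, pos + 1)
                if label == 0xFF and payload[:11] == b"NETSCAPE2.0":
                    rep.netscape_loop = True
                elif label == 0xF9 and len(payload) >= 4:   # graphic control
                    rep.delays_cs.append(struct.unpack_from("<H", payload, 1)[0])
            elif block == 0x2C:                     # image descriptor: one frame
                left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
                pos += 9 + _color_table_len(ipacked) + 1   # +1 = LZW min code size
                _, pos = _read_sub_blocks(data, pos)
                rep.frames += 1
                if (left, top, w, h) != (0, 0, rep.width, rep.height):
                    rep.offset_frames += 1
            else:
                raise ValueError("unexpected block 0x%02x" % block)
    except (IndexError, struct.error):
        raise ValueError("truncated GIF") from None
    return rep


def animated_gif_score(rep):
    """Illustrative weights only (constructed): 0 for static, more for offset frames."""
    if not rep.animated:
        return 0.0
    return 1.0 + (0.5 if rep.offset_frames else 0.0)


def build_gif(canvas, frames, loop=False):
    """Constructed sample input: valid block structure, placeholder pixel data."""
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", canvas[0], canvas[1], 0x80, 0, 0))
    out += b"\x00\x00\x00\xff\xff\xff"              # two-entry global color table
    if loop:
        out += b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"
    for left, top, w, h, delay in frames:
        out += b"\x21\xf9\x04\x00" + struct.pack("<H", delay) + b"\x00\x00"
        out += b"\x2c" + struct.pack("<HHHHB", left, top, w, h, 0)
        out += b"\x02\x02\x4c\x01\x00"              # LZW min code size + one sub-block
    return bytes(out + b"\x3b")


# Constructed samples: a static logo, and a looping image whose text frames are
# small offset strips and whose last full-size frame is held for 10 minutes.
LOGO = build_gif((120, 40), [(0, 0, 120, 40, 0)])
SPAM_LIKE = build_gif((400, 300), [(0, 0, 400, 300, 10), (20, 50, 200, 30, 10),
                                   (20, 90, 200, 30, 10), (0, 0, 400, 300, 60000)],
                      loop=True)

if __name__ == "__main__":
    for name, blob in (("logo", LOGO), ("spam-like", SPAM_LIKE)):
        rep = inspect_gif(blob)
        print(name, rep, "score", animated_gif_score(rep))
```

A multi-frame GIF without the NETSCAPE2.0 block still animates (it plays once), so the frame count is the more dependable of the two signals.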
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Tue Oct 17 18:26:45 2006 Subject: Increased SPAM getting through Message-ID: <65234743FE1555428435CE39E6AC4078B38AA0@CHI-US-EXCH-01.us.kmz.com> We have a backend active directory server that exports ALL SMTP aliases for users every hour. I import this list at all sendmail/Mailscanner/SpamAssassin boxes. It gets built into the access file, all Addresses from AD are allowed to be sent to, all others are rejected. Originally I combined the methods I found on the Wiki I believe. There was an example VB script to export aliases from AD if needed. > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ryan Pitt > Sent: Tuesday, October 17, 2006 11:23 AM > To: MailScanner discussion > Subject: Re: Increased SPAM getting through > > Martin Hepworth wrote: > > also see if you can drop unknown users on the inbound MTA (there's > > recipes in the wiki giving examples for sendmail, postfix and exim). > > You'll prob find you drop well over 60% of your connections > via that > > method. > I don't see a recipe for Sendmail on the Wiki. Any ideas? > Thanks > Ryan =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. 
=========================================================== From mrm at medicine.wisc.edu Tue Oct 17 18:30:08 2006 From: mrm at medicine.wisc.edu (Michael Masse) Date: Tue Oct 17 18:30:27 2006 Subject: Found 385 messages waiting In-Reply-To: References: <78964AB012E2A247BA86E219659F235C6DD385@mevers1.meverskantoor.nl> Message-ID: <4534CCCF.7FBE.00FC.3@medicine.wisc.edu> > > Do all of the messages in the queue have matching df/qf pairs? > Not to hijack this thread, but what does it mean if you end up with unmatched pairs that start accumulating? For instance, I notice I get about 2 - 3 df files per week with no corresponding qf file in my incoming folder that never go away unless I manually delete them. I have posix style locking, but don't know where else to look to troubleshoot. Mike From ka at pacific.net Tue Oct 17 19:02:24 2006 
From: ka at pacific.net (Ken A) Date: Tue Oct 17 19:00:35 2006 Subject: Server Loads/hardware standards In-Reply-To: <45350A3C.8080906@drisp.com> References: <45350A3C.8080906@drisp.com> Message-ID: <45351AB0.60604@pacific.net> Michael Kain wrote: > Recently, I've gone from handling 40k messages /day to nearly 30k/hour. > The change has surfaced in the last month or so. > > My current setup: > Dual P3 1.13 > 1GB Ram > FC5 > > Mail gateway running MS/clam/SA forwards scanned mail to internal mail > server (when there's a problem, users hit send/receive and that doesn't > cause an error..thus avoiding immediate call) I've used Julian's clam/sa > install script (which is awesome), and read posts relating to new > releases before upgrading/such. > > With spamassassin enabled, the batch list grows and grows, was up to 95k > at one point.. disabling SA in MS cleared that out fairly quickly. I've > wiped the SA/bayes temp files thinking bayes was backing up, however, it > seems that is not helping. > > What I would like an opinion on is this... Am I trying to do too much > with the hardware that I currently have? Or do I put together a bigger > beefier machine? Are you: 1. Accepting mail to non-existent users? Don't! 2. Blocking any mail at your MTA using any rbls? Maybe do? 3. Running a local caching nameserver? Do! 4. Willing to buy more RAM? Do! You can't process 30k messages an hour with MS/SA on the hardware you have, no. Max is probably somewhere around 10k/hr with somewhat beefier hardware.. Also, read the wiki entries about performance (running mailscanner incoming in tmpfs, etc..) Ken A. Pacific.Net > -Mike From ssilva at sgvwater.com Tue Oct 17 19:03:43 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 17 19:04:27 2006 Subject: Server Loads/hardware standards In-Reply-To: <45350A3C.8080906@drisp.com> References: <45350A3C.8080906@drisp.com> Message-ID: Michael Kain spake the following on 10/17/2006 9:52 AM: > Recently, I've gone from handling 40k messages /day to nearly 30k/hour. > The change has surfaced in the last month or so. > > My current setup: > Dual P3 1.13 > 1GB Ram > FC5 > > Mail gateway running MS/clam/SA forwards scanned mail to internal mail > server (when there's a problem, users hit send/receive and that doesn't > cause an error..thus avoiding immediate call) I've used Julian's clam/sa > install script (which is awesome), and read posts relating to new > releases before upgrading/such. > > With spamassassin enabled, the batch list grows and grows, was up to 95k > at one point.. disabling SA in MS cleared that out fairly quickly. I've > wiped the SA/bayes temp files thinking bayes was backing up, however, it > seems that is not helping. > > What I would like an opinion on is this... Am I trying to do too much > with the hardware that I currently have? Or do I put together a bigger > beefier machine? > > -Mike The current recommendation is 1 gig per processor. Is any of this mail stuff that can be rejected easily by MTA rules or non-existent users? Do you have a caching nameserver running on the gateway machine? You could also handle this load by adding another gateway machine and using a round-robin dns to pseudo-loadshare. It could help you handle some of the load until you decide if you need a new machine. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Oct 17 19:06:57 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 17 19:10:20 2006 Subject: But I found it amusing... In-Reply-To: <45350679.3040308@drisp.com> References: <45350679.3040308@drisp.com> Message-ID: Michael Kain spake the following on 10/17/2006 9:36 AM: > Kevin Miller wrote: >> Rick Chadderdon wrote: >> >>> One of my users just sent me a message from one of her vendors. It >>> basically said, "We've removed you from our weekly update list because >>> you blocked our mail. Let us know when you unblock us and I'll add >>> you again." My user asked me if I could find out why the mail was >>> being blocked, because she needed the updates. No problem... >>> >>> It turned out to be an SPF hardfail. Further checking led me to guess >>> that someone added a mail exchanger without changing the MX entry for >>> the domain. Their SPF entry is "v=spf1 mx -all". The mails that are >>> getting blocked are, of course, not from their MX entry's IP address. >>> But they send us, "as soon as you unblock us..." (sigh) >>> >>> To be fair, the person who sent my user that message is a sales rep >>> and probably saw nothing more than their mail system's bounce message. >>> (Which should have, however, had an explanatory link...) Still... >>> I'm sitting here shaking my head. >>> >>> Rick >>> >> >> LOL. Some days, retirement can't come soon enough! >> >> ...Kevin >> > Who are you kidding? If you retired you would miss dealing with these > problems. haha. But retirement gives you a new set of problems; Do I take a nap or go fishing? Do I spend the day with the grandkids at the zoo or take them to the movies? Those problems seem sooo much easier to handle!! ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From info at mevershosting.nl Tue Oct 17 19:41:45 2006 
From: info at mevershosting.nl (Mevershosting.nl) Date: Tue Oct 17 19:41:47 2006 Subject: Increased SPAM getting through Message-ID: <78964AB012E2A247BA86E219659F235C6DD38C@mevers1.meverskantoor.nl> Ryan, put this in your /etc/mail/spamassassin/mailscanner.cf
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 2
This gets most of the image spam. You have to play a little with the score and see when it starts getting spam out. Richard -----Original Message----- From: Ryan Pitt [mailto:ryan@marinocrane.com] Sent: Tuesday, 17 October 2006 17:32 To: MailScanner discussion Subject: Re: Increased SPAM getting through Martin Hepworth wrote: > nope. > > have you got any of the SARE/fred etc rules installed from > www.rulesemporium.com > > have you got razor2/dcc running? > > have you got the network tests running so the URI-RBL rules happen? Martin, Please forgive the ignorance. We are also experiencing high volumes of spam, specifically image type spam. How do we check if razor2, DCC and network tests are running? Thanks Ryan From info at mevershosting.nl Tue Oct 17 19:47:25 2006 
From: info at mevershosting.nl (Mevershosting.nl) Date: Tue Oct 17 19:47:27 2006 Subject: Found 385 messages waiting Message-ID: <78964AB012E2A247BA86E219659F235C6DD38E@mevers1.meverskantoor.nl> If you want I can post the script I use to get rid of the loose ends.. I checked and rechecked, the mails the files come from seem to have gone through so no worry there. Richard -----Original Message----- From: Michael Masse [mailto:mrm@medicine.wisc.edu] Sent: Tuesday, 17 October 2006 19:30 To: MailScanner discussion Subject: RE: Found 385 messages waiting > > Do all of the messages in the queue have matching df/qf pairs? > Not to hijack this thread, but what does it mean if you end up with unmatched pairs that start accumulating? For instance, I notice I get about 2 - 3 df files per week with no corresponding qf file in my incoming folder that never go away unless I manually delete them. I have posix style locking, but don't know where else to look to troubleshoot. Mike From Denis.Beauchemin at USherbrooke.ca Tue Oct 17 20:08:02 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Tue Oct 17 20:08:21 2006 Subject: OT: Preferred MTA? In-Reply-To: <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> References: <452E9482.6050307@USherbrooke.ca> <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net> <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> Message-ID: <45352A12.80703@USherbrooke.ca> Glenn Steen wrote: > On 13/10/06, Drew Marshall wrote: >> > >> > Do you recommend using a HW load balancer (and SSL accelerator) in >> front >> > of my servers? How about Cisco's? >> >> Really can't comment but I would be interested to hear others >> thoughts too. >> > Capable but not that cheap:-). > How do you loadbalance now? > Using DNS round-robin... :-( Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From MailScanner at ecs.soton.ac.uk Tue Oct 17 20:10:18 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 17 20:14:09 2006 Subject: Server Loads/hardware standards In-Reply-To: <45350A3C.8080906@drisp.com> References: <45350A3C.8080906@drisp.com> Message-ID: <45352A9A.1060707@ecs.soton.ac.uk> Michael Kain wrote: > Recently, I've gone from handling 40k messages /day to nearly > 30k/hour. The change has surfaced in the last month or so. > > My current setup: > Dual P3 1.13 > 1GB Ram > FC5 > > Mail gateway running MS/clam/SA forwards scanned mail to internal mail > server (when there's a problem, users hit send/receive and that > doesn't cause an error..thus avoiding immediate call) I've used > Julian's clam/sa install script (which is awesome), and read posts > relating to new releases before upgrading/such. I have just upgraded it to contain ClamAV 0.88.5. > > With spamassassin enabled, the batch list grows and grows, was up to > 95k at one point.. disabling SA in MS cleared that out fairly > quickly. I've wiped the SA/bayes temp files thinking bayes was > backing up, however, it seems that is not helping. > > What I would like an opinion on is this... Am I trying to do too much > with the hardware that I currently have? Or do I put together a > bigger beefier machine? Start by trying switching off DCC / Razor / Pyzor. Also, if you can put /root/.spamassassin (i.e. where you store Bayes files) on tmpfs that will help quite a bit. > > -Mike Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From matt at coders.co.uk Tue Oct 17 20:20:53 2006 From: matt at coders.co.uk (Matt Hampton) Date: Tue Oct 17 20:21:17 2006 Subject: Found 385 messages waiting In-Reply-To: <78964AB012E2A247BA86E219659F235C6DD38E@mevers1.meverskantoor.nl> References: <78964AB012E2A247BA86E219659F235C6DD38E@mevers1.meverskantoor.nl> Message-ID: <45352D15.50903@coders.co.uk> > Not to hijack this thread, but what does it mean if you end up with > unmatched pairs that start accumulating? For instance, I notice I > get about 2 - 3 df files per week with no corresponding qf file in my > incoming folder that never go away unless I manually delete them. I > have posix style locking, but don't know where else to look to > troubleshoot. Check what version of Sendmail you are running. There is a known issue with older releases which can cause df orphans when a milter times out and when connections are dropped. matt From info at mevershosting.nl Tue Oct 17 20:21:19 2006 From: info at mevershosting.nl (Mevershosting.nl) Date: Tue Oct 17 20:21:23 2006 Subject: tmpfs Message-ID: <78964AB012E2A247BA86E219659F235C6DD392@mevers1.meverskantoor.nl> Did anyone ever try to run the complete mailscanner including perl on a tmpfs ? Richard From MailScanner at ecs.soton.ac.uk Tue Oct 17 20:29:15 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 17 20:29:32 2006 Subject: Server Loads/hardware standards - recommendations In-Reply-To: References: <45350A3C.8080906@drisp.com> Message-ID: <45352F0B.4070402@ecs.soton.ac.uk> Scott Silva wrote: > Michael Kain spake the following on 10/17/2006 9:52 AM: > >> Recently, I've gone from handling 40k messages /day to nearly 30k/hour. >> The change has surfaced in the last month or so. >> >> My current setup: >> Dual P3 1.13 >> 1GB Ram >> FC5 >> >> Mail gateway running MS/clam/SA forwards scanned mail to internal mail >> server (when there's a problem, users hit send/receive and that doesn't >> cause an error..thus avoiding immediate call) I've used Julian's clam/sa >> install script (which is awesome), and read posts relating to new >> releases before upgrading/such. >> >> With spamassassin enabled, the batch list grows and grows, was up to 95k >> at one point.. disabling SA in MS cleared that out fairly quickly. I've >> wiped the SA/bayes temp files thinking bayes was backing up, however, it >> seems that is not helping. >> >> What I would like an opinion on is this... Am I trying to do too much >> with the hardware that I currently have? Or do I put together a bigger >> beefier machine? >> >> -Mike >> You can make a huge difference to the amount of spam you have to process with 2 tools: 1) milter-gris 2) milter-null Number 1 implements grey-listing. There are a lot of discussions about greylisting on the web, and a lot of people are very wary of it initially. I was too. Then I ran a test with a handful of the fussiest email users I have (I've got about 2000 users in total). I told them I was implementing something new, but refused to tell them what, so they would not have any pre-conceptions about it. They *all* loved it, and none of them reported any problems at all. 
So I implemented it across all of my users, who are very fussy Computer Science and Electronics academics, as well as the students. That was about 6 months ago, since when I have had *1* complaint, which I dealt with by adding them to the whitelist for it. So my conclusion with greylisting is test it with some very fussy users, then roll it out to everyone. Number 2 implements back-scatter detection. Basically, what this does is get rid of all the "This message could not be delivered..." notices that weren't generated in response to your own users' mail. It doesn't throw away all of them, so that if your users mistype an address, they still get the error message from it. But all the delivery failure messages generated by forged spam get killed. Between these 2, you will remove 80-90% of all the mail coming into your site, without losing any genuine real mail at all. This will make your hardware go a hell of a lot further, and you will find you don't need to spend any money on new hardware at all. My MX servers used to just about cope. Then I implemented these 2 techniques and they now just tick along quite happily, getting very bored. Both of the above techniques can be done very easily in sendmail and Postfix using the milters which are available from www.snertsoft.com. I thoroughly recommend them to everyone. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From jwilliams at courtesymortgage.com Tue Oct 17 20:35:44 2006 From: jwilliams at courtesymortgage.com (Jason Williams) Date: Tue Oct 17 20:35:55 2006 Subject: Upgrading MailScanner to latest and greats with Postfix Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD0FA@cmexchange01.CourtesyMortgage.local> Been awhile, but I finally have some time to upgrade MailScanner to latest (from 4-46.2) as well as Postfix (currently running 2.2.6). I'm running FreeBSD and I think I'm going to do a clean install of everything. Of course, that is after I backup all my configs. :) Just curious to know if there are any known issues with MailScanner and the latest postfix? I vaguely remember reading that postfix had some new things added to it recently that caused it not to gel as well with Mailscanner. Just wanted to follow up on that and make sure I didn't run into any major hitches. I appreciate the feedback. Cheers, Jason Williams -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew at technologytiger.net Tue Oct 17 20:43:07 2006 
From: drew at technologytiger.net (Drew Marshall) Date: Tue Oct 17 20:43:18 2006 Subject: Upgrading MailScanner to latest and greats with Postfix In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD0FA@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD0FA@cmexchange01.CourtesyMortgage.local> Message-ID: <0F1E67F4-F3DB-40E7-A6F6-4730AC7EF094@technologytiger.net> On 17 Oct 2006, at 20:35, Jason Williams wrote: > Been awhile, but I finally have some time to upgrade MailScanner to > latest (from 4-46.2) as well as Postfix (currently running 2.2.6). > > I'm running FreeBSD and I think I'm going to do a clean install of > everything. Of course, that is after I backup all my configs. :) > > Just curious to know if there are any known issues with MailScanner > and > the latest postfix? I vaguely remember reading that postfix had > some new > things added to it recently that caused it not to gel as well with > Mailscanner. Just wanted to follow up on that and make sure I > didn't run > into any major hitches. In a word, no. In slightly more verbose, nope :-) I am awaiting a future release that is supposed to implement message body amendment via milter that is supposed to break everything from the microwave to MailScanner but you are safe for the time being. Assuming you have installed from port just portupgrade Postfix and rebuild from the port (cd /usr/ports/mail/mailscanner && make && make deinstall && make install) MailScanner will see you good to go and preserve your configs. Diff the new MailScanner.conf from the old one, change as required and you are back up and running in 20 minutes. Drew From gmourani at privalodc.com Tue Oct 17 21:03:32 2006 
From: gmourani at privalodc.com (Gerhard Mourani) Date: Tue Oct 17 21:03:42 2006 Subject: MailScanner & Postfix Message-ID: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com> Hello, I've installed the latest version of MailScanner (4.56.8) with Postfix (2.3.3) and SpamAssassin (3.1.7) on my Linux server. At first view, all seems to work fine but it's just an illusion because I receive spam like I've never received in the past. Without MailScanner, spam is correctly blocked by SpamAssassin. Gerhard, -- PrivalODC Cel: (514) 726-3766 Tel: (450) 761-9973 ext 634 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From gborders at jlewiscooper.com Tue Oct 17 21:34:38 2006 
From: gborders at jlewiscooper.com (Greg Borders) Date: Tue Oct 17 21:34:50 2006 Subject: OT: ImageInfo or some other tool to detect Animated Gifs. In-Reply-To: <65234743FE1555428435CE39E6AC4078B38A9F@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38A9F@CHI-US-EXCH-01.us.kmz.com> Message-ID: <45353E5E.70707@jlewiscooper.com> Duncan, Brian M. wrote: > > So if there was a way to detect GIF's that contain offset frames that > would be great. (Through something like ImageInfo.pm) I've used imagemagick's "identify" command at shell level to pull info out about graphics images in the past. A quick test of an animated gif gives this result:

[root@mailbox]# identify test.gif
test.gif[0] GIF 300x300 300x300+0+0 PseudoClass 256c 8-bit 87.1406kb
test.gif[1] GIF 300x300 300x300+0+0 PseudoClass 256c 8-bit 87.1406kb
test.gif[2] GIF 300x300 300x300+0+0 PseudoClass 256c 8-bit 87.1406kb
test.gif[3] GIF 300x300 300x300+0+0 PseudoClass 256c 8-bit 87.1406kb
test.gif[4] GIF 300x300 300x300+0+0 PseudoClass 256c 8-bit 87.1406kb

Displays info about each frame. Feed that to a wc line count and you get a frame count in your image:

[root@mailbox]# identify test.gif | wc -l
5

The "identify -verbose" command gives even more detailed info for adding to SA rules. Hope you can use this info! Greg. Borders Sys. Admin. JLC Co. -- This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
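Added example, not part of Greg's post or of any project mentioned in this thread: a Python sketch that reads the same per-frame geometry `identify` prints (size plus +X+Y offset) straight from the GIF block structure, so a mail filter can count frames and spot offset frames without ImageMagick installed. The names parse_gif, summarize and build_sample_gif are made up for this example, and SAMPLE is a constructed three-frame GIF whose pixel data is a placeholder.

```python
import struct
from typing import List, NamedTuple


class Frame(NamedTuple):
    left: int
    top: int
    width: int
    height: int


class GifInfo(NamedTuple):
    canvas_width: int
    canvas_height: int
    frames: List[Frame]


MAX_FRAMES = 1000  # refuse absurd frame counts in hostile input


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def parse_gif(data: bytes) -> GifInfo:
    """Walk the GIF block structure and collect each image descriptor."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    if len(data) < 13:
        raise ValueError("truncated header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:  # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    frames: List[Frame] = []
    while True:
        if pos >= len(data):
            raise ValueError("missing trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer: end of stream
            break
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor: one frame
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:  # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW code size byte
            frames.append(Frame(left, top, w, h))
            if len(frames) > MAX_FRAMES:
                raise ValueError("too many frames")
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return GifInfo(width, height, frames)


def summarize(data: bytes) -> dict:
    """Frame count plus the indexes of frames that are offset or smaller than the canvas."""
    info = parse_gif(data)
    canvas = (info.canvas_width, info.canvas_height)
    return {
        "frames": len(info.frames),
        "animated": len(info.frames) > 1,
        "offset_frames": [i for i, f in enumerate(info.frames) if (f.left, f.top) != (0, 0)],
        "partial_frames": [i for i, f in enumerate(info.frames) if (f.width, f.height) != canvas],
    }


def build_sample_gif(canvas, frames) -> bytes:
    """Constructed test input: real descriptors, placeholder pixel data."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", canvas[0], canvas[1], 0x80, 0, 0)
    out += bytes(6)  # 2-entry global colour table
    for left, top, w, h in frames:
        out += b"\x21\xF9\x04\x00\x0a\x00\x00\x00"  # graphic control extension
        out += b"\x2C" + struct.pack("<HHHHB", left, top, w, h, 0)
        out += b"\x02\x02\x4c\x01\x00"  # LZW code size, one sub-block, terminator
    out += b"\x3B"
    return bytes(out)


# Constructed sample: two full-canvas frames and one small frame at +40+120.
SAMPLE = build_sample_gif((300, 300), [(0, 0, 300, 300), (0, 0, 300, 300), (40, 120, 100, 50)])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A file that raises ValueError here is malformed or truncated, which a filter can log as its own signal instead of treating the attachment as a clean single-frame image.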
From drew at technologytiger.net Tue Oct 17 22:10:02 2006 From: drew at technologytiger.net (Drew Marshall) Date: Tue Oct 17 22:10:11 2006 Subject: MailScanner & Postfix In-Reply-To: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com> References: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com> Message-ID: On 17 Oct 2006, at 21:03, Gerhard Mourani wrote: > Hello, > > I've installed the latest version of MailScanner (4.56.8) with Postfix > (2.3.3) > and SpamAssassin (3.1.7) on my Linux server. At first view, all > seems to > work fine but it's just an illusion because I receive spam like > I've never > received in the past. Without MailScanner, spam is correctly > blocked by > SpamAssassin. Check the users that you have called SA with in the past as you will now be calling them as the postfix user. Is your Bayes correctly set up to use this user? Have you run spamassassin --lint -D as the postfix user and checked for errors? Drew From arturs at netvision.net.il Tue Oct 17 22:32:05 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Tue Oct 17 22:34:08 2006 Subject: OT: need help installing FuzzyOCR Message-ID: <013a01c6f233$b12f5180$3701a8c0@lapxp> Hi, I am trying to install the FuzzyOCR plugin to work with SpamAssassin on CentOS-4.4. It asks for ImageMagick installation, so I yummed for it and found a great deal of packages. I hesitate between ImageMagick.i386 and ImageMagick-perl.i386, while the latter seems to be more appropriate. Is it right? May someone share some other tips for installing/configuring the plugin? Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam From ssilva at sgvwater.com Tue Oct 17 23:04:00 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 17 23:04:23 2006 Subject: Found 385 messages waiting In-Reply-To: <4534CCCF.7FBE.00FC.3@medicine.wisc.edu> References: <78964AB012E2A247BA86E219659F235C6DD385@mevers1.meverskantoor.nl> <4534CCCF.7FBE.00FC.3@medicine.wisc.edu> Message-ID: Michael Masse spake the following on 10/17/2006 10:30 AM: > > >> Do all of the messages in the queue have matching df/qf pairs? >> > > Not to hijack this thread, but what does it mean if you end up with unmatched pairs that start accumulating? For instance, I notice I get about 2 - 3 df files per week with no corresponding qf file in my incoming folder that never go away unless I manually delete them. I have posix style locking, but don't know where else to look to troubleshoot. > > Mike > > You can get them if a connection gets dropped during the data phase of the mail exchange. They are also a symptom of bad locking, and probably have other causes. 2 or 3 a week is not that bad. You can search the maillog with that queue ID and see what happened. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Oct 17 23:09:11 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 17 23:09:29 2006 Subject: Server Loads/hardware standards - recommendations In-Reply-To: <45352F0B.4070402@ecs.soton.ac.uk> References: <45350A3C.8080906@drisp.com> <45352F0B.4070402@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 10/17/2006 12:29 PM: > Scott Silva wrote: >>> Michael Kain spake the following on 10/17/2006 9:52 AM: >>> >>>> Recently, I've gone from handling 40k messages /day to nearly 30k/hour. >>>> The change has surfaced in the last month or so. >>>> >>>> My current setup: >>>> Dual P3 1.13 >>>> 1GB Ram >>>> FC5 >>>> >>>> Mail gateway running MS/clam/SA forwards scanned mail to internal mail >>>> server (when there's a problem, users hit send/receive and that doesn't >>>> cause an error..thus avoiding immediate call) I've used Julian's clam/sa >>>> install script (which is awesome), and read posts relating to new >>>> releases before upgrading/such. >>>> >>>> With spamassassin enabled, the batch list grows and grows, was up to 95k >>>> at one point.. disabling SA in MS cleared that out fairly quickly. I've >>>> wiped the SA/bayes temp files thinking bayes was backing up, however, it >>>> seems that is not helping. >>>> >>>> What I would like an opinion on is this... Am I trying to do too much >>>> with the hardware that I currently have? Or do I put together a bigger >>>> beefier machine? >>>> >>>> -Mike >>>> > You can make a huge difference to the amount of spam you have to process > with 2 tools: > > 1) milter-gris > 2) milter-null > > Number 1 implements grey-listing. There are a lot of discussions about > greylisting on the web, and a lot of people are very wary of it > initially. I was too. Then I ran a test with a handful of the fussiest > email users I have (I've got about 2000 users in total). I told them I > was implementing something new, but refused to tell them what, so they > would not have any pre-conceptions about it. 
They *all* loved it, and > none of them reported any problems at all. So I implemented it across > all of my users, who are very fussy Computer Science and Electronics > academics, as well as the students. That was about 6 months ago, since > when I have had *1* complaint, which I dealt with by adding them to the > whitelist for it. > > So my conclusion with greylisting is test it with some very fussy users, > then roll it out to everyone. > > Number 2 implements back-scatter detection. Basically, what this does is > get rid of all the "This message could not be delivered..." notices that > weren't generated in response to your own users' mail. It doesn't throw > away all of them, so that if your users mistype an address, they still > get the error message from it. But all the delivery failure messages > generated by forged spam get killed. > > Between these 2, you will remove 80-90% of all the mail coming into your > site, without losing any genuine real mail at all. This will make your > hardware go a hell of a lot further, and you will find you don't need to > spend any money on new hardware at all. > > My MX servers used to just about cope. Then I implemented these 2 > techniques and they now just tick along quite happily, getting very bored. > > Both of the above techniques can be done very easily in sendmail and > Postfix using the milters which are available from www.snertsoft.com. I > thoroughly recommend them to everyone. > > Jules > So the addition of the two milters doesn't add that much load? I am using mimedefang currently to kill all the dictionary attacks at my backup MX's, but might consider something else when the spam load goes up. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From listacct at tulsaconnect.com Tue Oct 17 23:16:46 2006 
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Tue Oct 17 23:16:42 2006
Subject: A way to start all children at once?
Message-ID: <4535564E.4040506@tulsaconnect.com>

We run fairly high-volume MS boxes (500-600,000 messages per day per box) and many times when we need to re-start the MS processes, the children take a good long while (we have 40-50 children starting per box) to initially start.

It would be nice if MS could have a setting to start all of the child processes at once rather than staggering the startup.

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From ajos1 at onion.demon.co.uk Tue Oct 17 23:34:57 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Tue Oct 17 23:35:22 2006
Subject: OT: need help installing FuzzyOCR
Message-ID:

-

I have no answers... as I am doing the same thing at this precise moment... based on http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

Being Fedora5 my ImageMagick is... ImageMagick-6.2.5.4-4.2.1.fc5.6.i386.rpm

My system already has: giftopnm, jpegtopnm and pngtopnm (from netpbm) and imagemagick

But I am having to hunt down "gocr" from http://jocr.sourceforge.net/ .

"giffix" and "giftext" should exist on my system... as I have giflib-4.1.3-6.2.1 on it... but they are not there! So I will have to see if they have changed name... or been missed out... or I am being a cabbage.

More laters...

-----Original Message-----
From: mailscanner@lists.mailscanner.info
Subj: OT: need help installing FuzzyOCR
Date: Tue, 17 Oct 2006 23:32:05 +0200

Hi,

I am trying to install the FuzzyOCR plugin to work with SpamAssassin on CentOS-4.4.
It asks for ImageMagick installation, so I yummed for it and found a great deal of packages.
I hesitate between ImageMagick.i386 and ImageMagick-perl.i386, while latter seems to be more appropriate. Is it right?

May someone share some other tips for installing/configuring the plugin?

Thanks!

Best,
Arthur Sherman

==
=====================================================================
=
= When Ms Jowell, whose department is responsible for sport, was
= asked who she thought was going to win the cup, she gleefully
= pointed towards her ministerial vehicle, which is now bedecked in
= flags, to declare: "There's only one England."
=
= Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
= Call... +44 8457 90 90 90 http://www.samaritans.org/
=
=====================================================================

From gmourani at privalodc.com Tue Oct 17 23:59:46 2006
From: gmourani at privalodc.com (Gerhard Mourani)
Date: Wed Oct 18 00:00:00 2006
Subject: MailScanner & Postfix
In-Reply-To:
References: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com>
Message-ID: <42615.74.57.238.32.1161125986.squirrel@webmail.privalodc.com>

Here is my output of the /usr/bin/spamassassin --lint -D command run as user postfix, maybe you can see something that is not correctly set.

bash-3.1$ /usr/bin/spamassassin --lint -D
[13265] dbg: logger: adding facilities: all [13265] dbg: logger: logging level is DBG [13265] dbg: generic: SpamAssassin version 3.1.7 [13265] dbg: config: score set 0 chosen. [13265] dbg: util: running in taint mode? yes [13265] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [13265] dbg: util: PATH included '/usr/bin', keeping [13265] dbg: util: PATH included '/bin', keeping [13265] dbg: util: PATH included '/usr/sbin', keeping [13265] dbg: util: PATH included '/sbin', keeping [13265] dbg: util: PATH included '/usr/X11R6/bin', which doesn't exist, dropping [13265] dbg: util: PATH included '/home/gmourani/bin', which doesn't exist, dropping [13265] dbg: util: final PATH set to: /usr/bin:/bin:/usr/sbin:/sbin [13265] dbg: message: ---- MIME PARSER START ---- [13265] dbg: message: main message type: text/plain [13265] dbg: message: parsing normal part [13265] dbg: message: added part, type: text/plain [13265] dbg: message: ---- MIME PARSER END ---- [13265] dbg: dns: is Net::DNS::Resolver available? 
yes [13265] dbg: dns: Net::DNS version: 0.59 [13265] dbg: diag: perl platform: 5.008008 linux [13265] dbg: diag: module installed: Digest::SHA1, version 2.10 [13265] dbg: diag: module installed: HTML::Parser, version 3.46 [13265] dbg: diag: module installed: MIME::Base64, version 3.07 [13265] dbg: diag: module installed: DB_File, version 1.814 [13265] dbg: diag: module installed: Net::DNS, version 0.59 [13265] dbg: diag: module installed: Net::SMTP, version 2.29 [13265] dbg: diag: module installed: Mail::SPF::Query, version 1.997 [13265] dbg: diag: module installed: IP::Country::Fast, version 309.002 [13265] dbg: diag: module installed: Razor2::Client::Agent, version 2.82 [13265] dbg: diag: module installed: Net::Ident, version 1.20 [13265] dbg: diag: module installed: IO::Socket::INET6, version 2.51 [13265] dbg: diag: module installed: IO::Socket::SSL, version 0.97 [13265] dbg: diag: module installed: Time::HiRes, version 1.86 [13265] dbg: diag: module installed: DBI, version 1.48 [13265] dbg: diag: module installed: Getopt::Long, version 2.35 [13265] dbg: diag: module installed: LWP::UserAgent, version 2.024 [13265] dbg: diag: module installed: HTTP::Date, version 1.46 [13265] dbg: diag: module installed: Archive::Tar, version 1.26 [13265] dbg: diag: module installed: IO::Zlib, version 1.04 [13265] dbg: ignore: using a test message to lint rules [13265] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [13265] dbg: config: read file /etc/mail/spamassassin/init.pre [13265] dbg: config: read file /etc/mail/spamassassin/v310.pre [13265] dbg: config: read file /etc/mail/spamassassin/v312.pre [13265] dbg: config: using "/usr/share/spamassassin" for sys rules pre files [13265] dbg: config: using "/usr/share/spamassassin" for default rules dir [13265] dbg: config: read file /usr/share/spamassassin/10_misc.cf [13265] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf [13265] dbg: config: read file 
/usr/share/spamassassin/20_anti_ratware.cf [13265] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf [13265] dbg: config: read file /usr/share/spamassassin/20_compensate.cf [13265] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf [13265] dbg: config: read file /usr/share/spamassassin/20_drugs.cf [13265] dbg: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf [13265] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf [13265] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf [13265] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf [13265] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf [13265] dbg: config: read file /usr/share/spamassassin/20_phrases.cf [13265] dbg: config: read file /usr/share/spamassassin/20_porn.cf [13265] dbg: config: read file /usr/share/spamassassin/20_ratware.cf [13265] dbg: config: read file /usr/share/spamassassin/20_uri_tests.cf [13265] dbg: config: read file /usr/share/spamassassin/23_bayes.cf [13265] dbg: config: read file /usr/share/spamassassin/25_accessdb.cf [13265] dbg: config: read file /usr/share/spamassassin/25_antivirus.cf [13265] dbg: config: read file /usr/share/spamassassin/25_body_tests_es.cf [13265] dbg: config: read file /usr/share/spamassassin/25_body_tests_pl.cf [13265] dbg: config: read file /usr/share/spamassassin/25_dcc.cf [13265] dbg: config: read file /usr/share/spamassassin/25_dkim.cf [13265] dbg: config: read file /usr/share/spamassassin/25_domainkeys.cf [13265] dbg: config: read file /usr/share/spamassassin/25_hashcash.cf [13265] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf [13265] dbg: config: read file /usr/share/spamassassin/25_razor2.cf [13265] dbg: config: read file /usr/share/spamassassin/25_replace.cf [13265] dbg: config: read file /usr/share/spamassassin/25_spf.cf [13265] dbg: config: read file /usr/share/spamassassin/25_textcat.cf [13265] dbg: config: read file 
/usr/share/spamassassin/25_uribl.cf [13265] dbg: config: read file /usr/share/spamassassin/30_text_de.cf [13265] dbg: config: read file /usr/share/spamassassin/30_text_fr.cf [13265] dbg: config: read file /usr/share/spamassassin/30_text_it.cf [13265] dbg: config: read file /usr/share/spamassassin/30_text_nl.cf [13265] dbg: config: read file /usr/share/spamassassin/30_text_pl.cf [13265] dbg: config: read file /usr/share/spamassassin/30_text_pt_br.cf [13265] dbg: config: read file /usr/share/spamassassin/50_scores.cf [13265] dbg: config: read file /usr/share/spamassassin/60_awl.cf [13265] dbg: config: read file /usr/share/spamassassin/60_whitelist.cf [13265] dbg: config: read file /usr/share/spamassassin/60_whitelist_dk.cf [13265] dbg: config: read file /usr/share/spamassassin/60_whitelist_dkim.cf [13265] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf [13265] dbg: config: read file /usr/share/spamassassin/60_whitelist_subject.cf [13265] dbg: config: using "/etc/mail/spamassassin" for site rules dir [13265] dbg: config: read file /etc/mail/spamassassin/local.cf [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x931aac8) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x93328d4) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x9355f14) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC [13265] dbg: dcc: local tests only, disabling DCC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0x933d52c) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC [13265] dbg: pyzor: local tests only, disabling Pyzor [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x93b625c) [13265] dbg: plugin: 
loading Mail::SpamAssassin::Plugin::Razor2 from @INC [13265] dbg: razor2: local tests only, skipping Razor [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x93d1440) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC [13265] dbg: reporter: local tests only, disabling SpamCop [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x93ee850) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x93fdfdc) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x9419268) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x88f7254) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x88f7f38) [13265] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC [13265] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x95db980) [13265] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i [13265] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i [13265] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i [13265] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i [13265] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i [13265] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i [13265] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i [13265] dbg: config: 
adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i [13265] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i [13265] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i [13265] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i [13265] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i [13265] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x95db980) implements 'finish_parsing_end' [13265] dbg: replacetags: replacing tags [13265] dbg: replacetags: done replacing tags [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen [13265] dbg: bayes: found bayes db version 3 [13265] dbg: bayes: DB journal sync: last sync: 0 [13265] dbg: bayes: not available for scanning, only 190 spam(s) in bayes DB < 200 [13265] dbg: bayes: untie-ing [13265] dbg: bayes: untie-ing db_toks [13265] dbg: bayes: untie-ing db_seen [13265] dbg: config: score set 0 chosen. 
[13265] dbg: message: ---- MIME PARSER START ---- [13265] dbg: message: main message type: text/plain [13265] dbg: message: parsing normal part [13265] dbg: message: added part, type: text/plain [13265] dbg: message: ---- MIME PARSER END ---- [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen [13265] dbg: bayes: found bayes db version 3 [13265] dbg: bayes: DB journal sync: last sync: 0 [13265] dbg: bayes: not available for scanning, only 190 spam(s) in bayes DB < 200 [13265] dbg: bayes: untie-ing [13265] dbg: bayes: untie-ing db_toks [13265] dbg: bayes: untie-ing db_seen [13265] dbg: dns: is DNS available? 0 [13265] dbg: metadata: X-Spam-Relays-Trusted: [13265] dbg: metadata: X-Spam-Relays-Untrusted: [13265] dbg: metadata: X-Spam-Relays-Internal: [13265] dbg: metadata: X-Spam-Relays-External: [13265] dbg: message: no encoding detected [13265] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x931aac8) implements 'parsed_metadata' [13265] dbg: rules: local tests only, ignoring RBL eval [13265] dbg: check: running tests for priority: 0 [13265] dbg: rules: running header regexp tests; score so far=0 [13265] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [13265] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1161125813" [13265] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1161125813@lint_rules> [13265] dbg: rules: " [13265] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [13265] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [13265] dbg: eval: all '*To' addrs: [13265] dbg: rules: ran eval rule NO_RELAYS ======> got hit [13265] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [13265] dbg: rules: running body-text per-line regexp tests; score so far=-0.001 [13265] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [13265] 
dbg: uri: running uri tests; score so far=-0.001 [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen [13265] dbg: bayes: found bayes db version 3 [13265] dbg: bayes: DB journal sync: last sync: 0 [13265] dbg: bayes: not available for scanning, only 190 spam(s) in bayes DB < 200 [13265] dbg: bayes: not scoring message, returning undef [13265] dbg: bayes: DB expiry: tokens in DB: 43279, Expiry max size: 150000, Oldest atime: 1161011302, Newest atime: 1161125619, Last expire: 1160942485, Current time: 1161125814 [13265] dbg: bayes: DB journal sync: last sync: 0 [13265] dbg: bayes: untie-ing [13265] dbg: bayes: untie-ing db_toks [13265] dbg: bayes: untie-ing db_seen [13265] dbg: rules: running raw-body-text per-line regexp tests; score so far=-0.001 [13265] dbg: rules: running full-text regexp tests; score so far=-0.001 [13265] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x931aac8) implements 'check_tick' [13265] dbg: check: running tests for priority: 500 [13265] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x931aac8) implements 'check_post_dnsbl' [13265] dbg: rules: running meta tests; score so far=-0.001 [13265] dbg: rules: running header regexp tests; score so far=1.866 [13265] dbg: rules: running body-text per-line regexp tests; score so far=1.866 [13265] dbg: uri: running uri tests; score so far=1.866 [13265] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.866 [13265] dbg: rules: running full-text regexp tests; score so far=1.866 [13265] dbg: check: running tests for priority: 1000 [13265] dbg: rules: running meta tests; score so far=1.866 [13265] dbg: rules: running header regexp tests; score so far=1.866 [13265] dbg: rules: running body-text per-line regexp tests; score so far=1.866 [13265] dbg: uri: running uri tests; score so far=1.866 [13265] dbg: rules: running raw-body-text per-line 
regexp tests; score so far=1.866 [13265] dbg: rules: running full-text regexp tests; score so far=1.866 [13265] dbg: check: is spam? score=1.866 required=4.5 [13265] dbg: check: tests=MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE [13265] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID

Regards,

> On 17 Oct 2006, at 21:03, Gerhard Mourani wrote:
>
>> Hello,
>>
>> I've installed latest version of MailScanner (4.56.8) with Postfix (2.3.3)
>> and SpamAssassin (3.1.7) into my Linux server. At first view, all seem to
>> work fine but it's just an illusion because I receive spam like I've never
>> received in the past. Without MailScanner, Spam are correctly blocked by
>> Spamassassin.
>
> Check the users that you have called SA with in the past as you will
> now be calling them as the postfix user. Is your Bayes correctly set up
> to use this user? Have you run spamassassin --lint -D as the postfix
> user and checked for errors?
>
> Drew
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

--
PrivalODC
Cel: (514) 726-3766
Tel: (450) 761-9973 ext 634

This e-mail message and all attached documents are intended exclusively for the person or entity named as the recipient; it may contain information that is confidential or privileged under applicable law. No other person may have access to it. If you are not the intended recipient, we hereby notify you that disclosing, distributing, copying or using its contents is strictly prohibited. Please notify the sender immediately by return e-mail and delete this message from your system. Any distribution or reproduction of this document, and any action taken in respect of it, is strictly prohibited.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From jlmiller at mmtnetworks.com.au Wed Oct 18 00:27:08 2006
From: jlmiller at mmtnetworks.com.au (Jon Miller)
Date: Wed Oct 18 00:20:45 2006
Subject: new install
Message-ID:

I'm about to install MailScanner, postfix, sophos and MailWatch on a new server. Is there a preferred order to doing this? This will be for the purpose of testing and trying to understand what and how MailScanner works. Since the last installation went tits up thought I better check with the group on this one. Is it better to install everything on the single server or should I divide certain things up.

Jon

From ajos1 at onion.demon.co.uk Wed Oct 18 00:41:13 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Wed Oct 18 00:41:26 2006
Subject: OT: need help installing FuzzyOCR
Message-ID:

-

Update... well...

"giflib seems to be libungif" and "libungif seems to be giflib".

Just worked out why... "giftext" and so on are missing from Fedora5... the rpms are only installing 3 library files.

So it is off to http://sourceforge.net/projects/libungif to do it all from scratch without RPM.

rpm -ql giflib-devel-4.1.3-6.2.1
================================
* list of documents *

rpm -ql giflib-4.1.3-6.2.1
==========================
/usr/lib/libgif.so.4
/usr/lib/libgif.so.4.1.3
/usr/lib/libungif.so.4
/usr/lib/libungif.so.4.1.3
/usr/share/doc/giflib-4.1.3
/usr/share/doc/giflib-4.1.3/AUTHORS
/usr/share/doc/giflib-4.1.3/BUGS
/usr/share/doc/giflib-4.1.3/COPYING
/usr/share/doc/giflib-4.1.3/ChangeLog
/usr/share/doc/giflib-4.1.3/NEWS
/usr/share/doc/giflib-4.1.3/ONEWS
/usr/share/doc/giflib-4.1.3/README
/usr/share/doc/giflib-4.1.3/TODO

-----Original Message-----
From: ajos1@onion.demon.co.uk
Subj: Re: OT: need help installing FuzzyOCR
Date: Tue, 17 Oct 2006 23:34:57 (GMT/BST)

-

I have no answers... as I am doing the same thing at this precise moment... based on http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

Being Fedora5 my ImageMagick is... ImageMagick-6.2.5.4-4.2.1.fc5.6.i386.rpm

My system already has: giftopnm, jpegtopnm and pngtopnm (from netpbm) and imagemagick

But I am having to hunt down "gocr" from http://jocr.sourceforge.net/ .

"giffix" and "giftext" should exist on my system... as I have giflib-4.1.3-6.2.1 on it... but they are not there! So I will have to see if they have changed name... or been missed out... or I am being a cabbage.

More laters...

==
=====================================================================
=
= When Ms Jowell, whose department is responsible for sport, was
= asked who she thought was going to win the cup, she gleefully
= pointed towards her ministerial vehicle, which is now bedecked in
= flags, to declare: "There's only one England."
=
= Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
= Call... +44 8457 90 90 90 http://www.samaritans.org/
=
=====================================================================

From ajos1 at onion.demon.co.uk Wed Oct 18 00:44:01 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Wed Oct 18 00:44:08 2006
Subject: Japanese spam...
Message-ID:

-

Last week or 2... I have 50 to 100 messages per day with ".jp" on the end... all out of the blue... is it just me? or has everyone been getting extra spam from ".jp" ?

>From - akiramenai_2006@ocn.ne.jp
Subj - =?iso-2022-jp?b?gyrcn...
...

From arturs at netvision.net.il Wed Oct 18 00:57:15 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Wed Oct 18 00:59:18 2006
Subject: OT: need help installing FuzzyOCR
In-Reply-To:
Message-ID: <016001c6f247$f8ed2a10$3701a8c0@lapxp>

Hi,

Installed all missing modules with yum from DAG repo.
Testing...

Thanks to all for your help!

Best,
--
Arthur Sherman
+972-52-4878851
CPTeam

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of ajos1@onion.demon.co.uk
> Sent: Wednesday, October 18, 2006 2:41 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: OT: need help installing FuzzyOCR
>
> -
>
> Update... well...
>
> "giflib seems to be libungif" and "libungif seems to be giflib".
>
> Just worked out why... "giftext" and so on are missing from
> Fedora5... the rpms are only installing 3 library files.
>
> So it is off to http://sourceforge.net/projects/libungif to
> do it all from scratch without RPM.
>
> rpm -ql giflib-devel-4.1.3-6.2.1
> ================================
> * list of documents *
>
> rpm -ql giflib-4.1.3-6.2.1
> ==========================
> /usr/lib/libgif.so.4
> /usr/lib/libgif.so.4.1.3
> /usr/lib/libungif.so.4
> /usr/lib/libungif.so.4.1.3
> /usr/share/doc/giflib-4.1.3
> /usr/share/doc/giflib-4.1.3/AUTHORS
> /usr/share/doc/giflib-4.1.3/BUGS
> /usr/share/doc/giflib-4.1.3/COPYING
> /usr/share/doc/giflib-4.1.3/ChangeLog
> /usr/share/doc/giflib-4.1.3/NEWS
> /usr/share/doc/giflib-4.1.3/ONEWS
> /usr/share/doc/giflib-4.1.3/README
> /usr/share/doc/giflib-4.1.3/TODO
>
>
> -----Original Message-----
> From: ajos1@onion.demon.co.uk
> Subj: Re: OT: need help installing FuzzyOCR
> Date: Tue, 17 Oct 2006 23:34:57 (GMT/BST)
>
> -
>
> I have no answers... as I am doing the same thing at this
> precise moment... based on
> http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
>
> Being Fedora5 my ImageMagick is...
> ImageMagick-6.2.5.4-4.2.1.fc5.6.i386.rpm
>
> My system already has: giftopnm, jpegtopnm and pngtopnm (from
> netpbm) and imagemagick
>
> But I am having to hunt down "gocr" from
> http://jocr.sourceforge.net/ .
>
> "giffix" and "giftext" should exist on my system... as I have
> giflib-4.1.3-6.2.1 on it... but they are not there! So I
> will have to see if they have changed name... or been missed
> out... or I am being a cabbage.
>
> More laters...
>
> ==
> =====================================================================
> =
> = When Ms Jowell, whose department is responsible for sport, was
> = asked who she thought was going to win the cup, she gleefully
> = pointed towards her ministerial vehicle, which is now bedecked in
> = flags, to declare: "There's only one England."
> =
> = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
> = Call... +44 8457 90 90 90 http://www.samaritans.org/
> =
> =====================================================================
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From mikea at mikea.ath.cx Wed Oct 18 01:33:27 2006
From: mikea at mikea.ath.cx (mikea)
Date: Wed Oct 18 01:33:33 2006
Subject: Japanese spam...
In-Reply-To: ; from ajos1@onion.demon.co.uk on Wed, Oct 18, 2006 at 12:44:01AM +0000
References:
Message-ID: <20061017193327.A11951@mikea.ath.cx>

On Wed, Oct 18, 2006 at 12:44:01AM +0000, ajos1@onion.demon.co.uk wrote:
> -
>
> Last week or 2... I have 50 to 100 messages per day with ".jp" on the end... all out of the blue... is it just me? or has everyone been getting extra spam from ".jp" ?
>
> >From - akiramenai_2006@ocn.ne.jp
> Subj - =?iso-2022-jp?b?gyrcn...

Since I put all .jp netblocks in the blacklist[1], we don't have any problems with spam from .jp. But I see an _awful_ lot of attempts from those netblocks.

[1] We're state government, we have no business connections with .jp, and have *never* received valid E-mail from anyone in .jp.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From ssilva at sgvwater.com Wed Oct 18 00:55:59 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 18 02:05:05 2006
Subject: new install
In-Reply-To:
References:
Message-ID:

Jon Miller spake the following on 10/17/2006 4:27 PM:
> I'm about to install MailScanner, postfix, sophos and MailWatch on a new server.
> Is there a preferred order to doing this? This will be for the purpose of testing and
> trying to understand what and how MailScanner works. Since the last installation went
> tits up thought I better check with the group on this one. Is it better to install
> everything on the single server or should I divide certain things up.
>
> Jon
>
I would get postfix going and able to pass messages.
You can install sophos using the sophos-install script included with MailScanner.
Then get MailScanner installed and make sure that mail flows properly, test with eicar file to see if virus scanning is working.
Then you can get mailwatch going.
One step at a time gives consistent points of pass/fail as you go.
You can install everything on one server if that is all you are going to use, but if you are going to want to play with multiple machines in the future, you can try and do a distributed mailwatch setup, and maybe a central bayes db server.
All this can be done later, as you progress with your learning.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From spamtrap71892316634 at anime.net Wed Oct 18 02:42:46 2006
From: spamtrap71892316634 at anime.net (Dan Hollis)
Date: Wed Oct 18 02:42:51 2006
Subject: Japanese spam...
In-Reply-To: <20061017193327.A11951@mikea.ath.cx>
References: <20061017193327.A11951@mikea.ath.cx>
Message-ID:

On Tue, 17 Oct 2006, mikea wrote:
> On Wed, Oct 18, 2006 at 12:44:01AM +0000, ajos1@onion.demon.co.uk wrote:
>> Last week or 2... I have 50 to 100 messages per day with ".jp" on the end... all out of the blue... is it just me? or has everyone been getting extra spam from ".jp" ?
>>> From - akiramenai_2006@ocn.ne.jp
>> Subj - =?iso-2022-jp?b?gyrcn...
> Since I put all .jp netblocks in the blacklist[1], we don't have any
> problems with spam from .jp. But I see an _awful_ lot of attempts from
> those netblocks.
> [1] We're state government, we have no business connections with .jp,
> and have *never* received valid E-mail from anyone in .jp.

Easier to just block iso-2022-jp (and euc-kr, big5, etc). That will block Japanese spams no matter what IP they come from.

-Dan

From mrm at medicine.wisc.edu Wed Oct 18 05:35:06 2006
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Wed Oct 18 05:35:35 2006
Subject: Found 385 messages waiting
In-Reply-To: <4534CCCF.7FBE.00FC.3@medicine.wisc.edu>
References: <78964AB012E2A247BA86E219659F235C6DD385@mevers1.meverskantoor.nl> <4534CCCF.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <453568AE.7FBE.00FC.3@medicine.wisc.edu>

> If you want I can post the script I use to get rid of the loose ends..
> I checked and rechecked, the mails the files come from seem to have gone
> through so no worry there.
> Richard

That would be much appreciated.

Mike

From vanhorn at whidbey.com Wed Oct 18 06:23:35 2006
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Wed Oct 18 06:23:42 2006
Subject: SMTP problem - solved
In-Reply-To: <45332F07.4090301@whidbey.com>
References: <45332F07.4090301@whidbey.com>
Message-ID: <4535BA57.2070106@whidbey.com>

In addition to the issue related below, at the same time we were also experiencing a problem for some users updating their websites on the server via ftp, and at least two iBooks were unable to connect using ssh. My conclusion was that the real problem was a lower-level issue with TCP/IP in Fedora Core 5.

Tonight I pulled the hard drive, video card, and NIC from the problematic system (an Athlon 1GHz that had been running without error for years) and bolted them into another system (P-IV 1700) and everything is running perfectly. I'm thinking there is some issue between the current kernel or TCP/IP implementation and the chipset on the Athlon board. When I return it to service I'll make sure I stay at Fedora Core 2 or earlier, with which it has no issues.

Thanks for the help.

Van

G. Armour Van Horn wrote:
> Two weeks ago one of my servers was compromised and I had to rebuild it
> from the ground up. I jumped a couple of versions, installing Fedora
> Core 5. I dragged over my previous MailScanner directory and installed
> MailScanner 4.55-10.3.
>
> I was having some odd problems with several SMTP servers failing to
> deliver mail, so after a couple of days of head scratching and with some
> help here on the list I switched to Postfix. The text of the error
> messages changed, but essentially the same servers would initiate an
> SMTP session and then never close it.
>
> Fearing that I may have caused some problems due to my unfamiliarity
> with Postfix I switched back to Sendmail, but after many hours of
> fighting the problem I still can't receive mail from several important
> mail servers. That is, from several servers that are important to users
> on the system.
> > I'm pretty sure this isn't actually a MailScanner issue, but I figure > that there are quite a few experts here, so I'd appreciate it if anyone > has any idea of what I should be looking at. Below are four lines from > maillog, each pair of lines indicate a message that never arrived. Any > suggestions would be welcome. > > Van > > > Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: timeout > waiting for input from mail.networksolutionsemail.com during server > cmd read > Oct 15 20:50:27 vanquish sendmail[13915]: k9G2oQu2013915: > mail.networksolutionsemail.com [205.178.146.50] did not issue > MAIL/EXPN/VRFY/ETRN during connection to MTA > > Oct 15 21:03:43 vanquish sendmail[14141]: k9G33hTX014141: timeout > waiting for input from mailout.whidbey.net during server cmd read > Oct 15 21:03:43 vanquish sendmail[14141]: k9G33hTX014141: > mailout.whidbey.net [209.166.64.124] did not issue MAIL/EXPN/VRFY/ETRN > during connection to MTA > > > > > > > -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ----------------------------------------------------------- From drew at technologytiger.net Wed Oct 18 07:29:39 2006 
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Oct 18 07:29:48 2006
Subject: MailScanner & Postfix
In-Reply-To: <42615.74.57.238.32.1161125986.squirrel@webmail.privalodc.com>
References: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com> <42615.74.57.238.32.1161125986.squirrel@webmail.privalodc.com>
Message-ID:

On 17 Oct 2006, at 23:59, Gerhard Mourani wrote:
> Here is my output of the /usr/bin/spamassassin --lint -D command run as
> user postfix, maybe you can see something that is not correctly set.
>
> bash-3.1$ /usr/bin/spamassassin --lint -D
>
> [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
> [13265] dbg: bayes: found bayes db version 3
> [13265] dbg: bayes: not available for scanning, only 190 spam(s) in bayes DB < 200

There you go then. Another 10 Spam messages learnt and bayes will start kicking in. I suspect that your previous SA set up used a different user so you could always copy over its bayes database (Don't forget file permissions) so you are running quicker or just teach it 10 more Spam messages using sa-learn.

Drew

From craig at csfs.co.za Wed Oct 18 08:09:54 2006
From: craig at csfs.co.za (Craig Retief)
Date: Wed Oct 18 08:10:18 2006
Subject: RulesDuJour blowup?
In-Reply-To:
Message-ID:

I'm getting the following error from RulesDuJour Updates, don't know if it is related to the domain problem or not.

AUTOBAN: Over 500 *.cf requests in 48 hours period - Check your CRON
CONTACT: webmaster@uribl.com

Check this .cf page (taken from update script)

http://38.99.66.94/rules/70_sare_obfu.cf

I pasted the page into my browser and got the error above.

any1 else seeing this or just me?

Thx

Craig

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Kevin Miller > Sent: 17 October 2006 07:25 PM > To: MailScanner discussion > Subject: RE: RulesDuJour blowup? > > Dhawal Doshy wrote: > > Jeff A. Earickson wrote: > >> Gang, > >> > >> Did anybody else have their daily RulesDuJour update blow up on > >> them today? All of my new files are 5969 bytes in size and are > >> an html webpage to buy school supplies. Hunh??? > > > > The domain has expired and the owners are working towards renewing > > it.. give them a day or 2 to fix it. > > > > - dhawal > > It comes up fine for me - probably cached. FWIW, http://38.99.66.94/ > works just fine. > > Just say, "DNS. We don't need no stinkin' DNS"... > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Wed Oct 18 09:02:19 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 18 09:02:27 2006 Subject: OT: Preferred MTA? In-Reply-To: <45352A12.80703@USherbrooke.ca> References: <452E9482.6050307@USherbrooke.ca> <42412.194.70.180.170.1160731329.squirrel@www.technologytiger.net> <223f97700610131329k8870d5el22a1549ae431ce0a@mail.gmail.com> <45352A12.80703@USherbrooke.ca> Message-ID: <223f97700610180102x1b587e9bqf807da99223ac624@mail.gmail.com> On 17/10/06, Denis Beauchemin wrote: > Glenn Steen wrote: > > On 13/10/06, Drew Marshall wrote: > >> > > >> > Do you recommend using a HW load balancer (and SSL accelerator) in > >> front > >> > of my servers? How about Cisco's? > >> > >> Really can't comment but I would be interested to hear others > >> thoughts too. > >> > > Capable but not that cheap:-). > > How do you loadbalance now? > > > Using DNS round-robin... :-( Ok... Well, last I looked (not that recently, but then... not more than a year or so ago:-) they could do all sorts of clever things (including a "smarter RR"... Memory fails me on the details). At the time, the PHB balked at the price though:)... And then the need (in our organization) ... dissipated... I'm certain you can get gear (or build something clever yourself) at half the cost or less... The question you need ask yourself is "is it worth the extra time/hassle?" ... If your network guys are comfy with Cisco, that would be a big factor for using their gear too. I'm not current on the competition though. I'm certain someone else will jump in with details about that (and more "in-depth" on Cisco's gear) though:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From arturs at netvision.net.il Wed Oct 18 09:08:52 2006
From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Oct 18 09:10:58 2006 Subject: RulesDuJour blowup? In-Reply-To: Message-ID: <018801c6f28c$a72b64e0$3701a8c0@lapxp> Do not see any error, only .cf itself. Best, -- Arthur Sherman +972-52-4878851 CPTeam > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Craig Retief > Sent: Wednesday, October 18, 2006 9:10 AM > To: 'MailScanner discussion' > Subject: RE: RulesDuJour blowup? > > Im getting the following error from RulesDuJour Updates, > don't know if it is > related to the domain problem or not. > > AUTOBAN: Over 500 *.cf requests in 48 hours period - Check your CRON > CONTACT: webmaster@uribl.com > > Check this .cf page (taken from update script) > > http://38.99.66.94/rules/70_sare_obfu.cf > > I pasted the page into my browser and got the error above. > > any1 else seeing this or just me? > > Thx > > Craig > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Kevin Miller > > Sent: 17 October 2006 07:25 PM > > To: MailScanner discussion > > Subject: RE: RulesDuJour blowup? > > > > Dhawal Doshy wrote: > > > Jeff A. Earickson wrote: > > >> Gang, > > >> > > >> Did anybody else have their daily RulesDuJour update blow up on > > >> them today? All of my new files are 5969 bytes in size and are > > >> an html webpage to buy school supplies. Hunh??? > > > > > > The domain has expired and the owners are working towards renewing > > > it.. give them a day or 2 to fix it. > > > > > > - dhawal > > > > It comes up fine for me - probably cached. FWIW, > http://38.99.66.94/ > > works just fine. > > > > Just say, "DNS. We don't need no stinkin' DNS"... > > > > ...Kevin > > -- > > Kevin Miller Registered Linux User No: 307357 > > CBJ MIS Dept. Network Systems Admin., Mail Admin. > > 155 South Seward Street ph: (907) 586-0242 > > Juneau, Alaska 99801 fax: (907 586-4500 > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From pete at enitech.com.au Wed Oct 18 09:43:55 2006 
From: pete at enitech.com.au (Peter Russell) Date: Wed Oct 18 09:44:05 2006 Subject: Upgrading MailScanner to latest and greats with Postfix In-Reply-To: <0F1E67F4-F3DB-40E7-A6F6-4730AC7EF094@technologytiger.net> References: <01BCE961CD5E4146B83F920FC6A4F2353FD0FA@cmexchange01.CourtesyMortgage.local> <0F1E67F4-F3DB-40E7-A6F6-4730AC7EF094@technologytiger.net> Message-ID: <4535E94B.9000903@enitech.com.au> > > In a word, no. In slightly more verbose, nope :-) > > I am awaiting a future release that is supposed to implement message > body amendment via milter that is supposed to break everything from the > microwave to MailScanner but you are safe for the time being. > > Assuming you have installed from port just portupgrade Postfix and > rebuild from the port (cd /usr/ports/mail/mailscanner make && make > deinstall && make install) MailScanner will see you good to go and > preserve your configs. Diff the new MailScanner.conf from the old one, > change as required and you are back up and running in 20 minutes. I am still running 2.1.5 - I think I need to upgrade to 2.3 - my mailscanner is up to date. I can't keep up with the changes of postfix - is something broken in the latest version I should steer clear of? To upgrade from source, run the normal source installs and keep a backup of my main.cf - my transport, recipient, access, relay_domain maps will continue to work fine? Thanks Pete From drew at technologytiger.net Wed Oct 18 10:11:09 2006
From: drew at technologytiger.net (Drew Marshall) Date: Wed Oct 18 10:11:25 2006 Subject: Upgrading MailScanner to latest and greats with Postfix In-Reply-To: <4535E94B.9000903@enitech.com.au> References: <01BCE961CD5E4146B83F920FC6A4F2353FD0FA@cmexchange01.CourtesyMortgage.local> <0F1E67F4-F3DB-40E7-A6F6-4730AC7EF094@technologytiger.net> <4535E94B.9000903@enitech.com.au> Message-ID: <55271.194.70.180.170.1161162669.squirrel@www.technologytiger.net> On Wed, October 18, 2006 09:43, Peter Russell wrote: >> >> In a word, no. In slightly more verbose, nope :-) >> >> I am awaiting a future release that is supposed to implement message >> body amendment via milter that is supposed to break everything from the >> microwave to MailScanner but you are safe for the time being. >> >> Assuming you have installed from port just portupgrade Postfix and >> rebuild from the port (cd /usr/ports/mail/mailscanner make && make >> deinstall && make install) MailScanner will see you good to go and >> preserve your configs. Diff the new MailScanner.conf from the old one, >> change as required and you are back up and running in 20 minutes. > > I am still running 2.1.5 - i think i need to upgrade to 2.3 - my > mailscanner is up to date. I cant keep up with the changes of postfix - > is something broken in the latest version i should steer clear of? To > upgrade from source, run the normal sopurce installs and keep a backup > of my main.cf - my transport, recipient, access, relay_domain maps will > continue to work fine? No, nothing broken. It works just fine. Yup, just keep copies of your configs and lob them back in. Start Postfix and tail your maillog. There are a couple of changes particularly under smtpd_ options. They are pretty minor and I can't remember exactly but your logs will certainly tell you. Just look up the correct syntax option here http://www.postfix.org/postconf.5.html Drew From MailScanner at ecs.soton.ac.uk Wed Oct 18 11:04:56 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 18 11:09:22 2006 Subject: Server Loads/hardware standards - recommendations In-Reply-To: References: <45350A3C.8080906@drisp.com> <45352F0B.4070402@ecs.soton.ac.uk> Message-ID: <4535FC48.3030408@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > Julian Field spake the following on 10/17/2006 12:29 PM: > >> Scott Silva wrote: >> >>>> Michael Kain spake the following on 10/17/2006 9:52 AM: >>>> >>>> >>>>> Recently, I've gone from handling 40k messages /day to nearly 30k/hour. >>>>> The change has surfaced in the last month or so. >>>>> >>>>> My current setup: >>>>> Dual P3 1.13 >>>>> 1GB Ram >>>>> FC5 >>>>> >>>>> Mail gateway running MS/clam/SA forwards scanned mail to internal mail >>>>> server (when there's a problem, users hit send/receive and that doesn't >>>>> cause an error..thus avoiding immediate call) I've used Julian's clam/sa >>>>> install script (which is awesome), and read posts relating to new >>>>> releases before upgrading/such. >>>>> >>>>> With spamassassin enabled, the batch list grows and grows, was up to 95k >>>>> at one point.. disabling SA in MS cleared that out fairly quickly. I've >>>>> wiped the SA/bayes temp files thinking bayes was backing up, however, it >>>>> seems that is not helping. >>>>> >>>>> What I would like an opinion on is this... Am I trying to do too much >>>>> with the hardware that I currently have? Or do I put together a bigger >>>>> beefier machine? >>>>> >>>>> -Mike >>>>> >>>>> >> You can make a huge difference to the amount of spam you have to process >> with 2 tools: >> >> 1) milter-gris >> 2) milter-null >> >> Number 1 implements grey-listing. There are a lot of discussions about >> greylisting on the web, and a lot of people are very wary of it >> initially. I was too. Then I ran a test with a handful of the fussiest >> email users I have (I've got about 2000 users in total). 
I told them I >> was implementing something new, but refused to tell them what, so they >> would not have any pre-conceptions about it. They *all* loved it, and >> none of them reported any problems at all. So I implemented it across >> all of my users, who are very fussy Computer Science and Electronics >> academics, as well as the students. That was about 6 months ago, since >> when I have had *1* complaint, which I dealt with by adding them to the >> whitelist for it. >> >> So my conclusion with greylisting is test it with some very fussy users, >> then roll it out to everyone. >> >> Number 2 implements back-scatter detection. Basically, what this does is >> get rid of all the "This message could not be delivered..." notices that >> weren't generated in response to your own users' mail. It doesn't throw >> away all of them, so that if your users mistype an address, they still >> get the error message from it. But all the delivery failure messages >> generated by forged spam get killed. >> >> Between these 2, you will remove 80-90% of all the mail coming into your >> site, without losing any genuine real mail at all. This will make your >> hardware go a hell of a lot further, and you will find you don't need to >> spend any money on new hardware at all. >> >> My MX servers used to just about cope. Then I implemented these 2 >> techniques and they now just tick along quite happily, getting very bored. >> >> Both of the above techniques can be done very easily in sendmail and >> Postfix using the milters which are available from www.snertsoft.com. I >> thoroughly recommend them to everyone. >> >> Jules >> >> > So the addition of the two milters doesn't add that much load? > No, they don't. And they save way more load than they cause! Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFNf0kEfZZRxQVtlQRAv6sAKCwu7kfBHIL7TK/UHTcMG65W+egqACeIXOu 0Hoea8EOk74OgOH+J0/iphQ= =TPuu -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Oct 18 11:10:03 2006 
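The greylisting technique recommended in the message above, as an added Python sketch (not milter-gris code and not something posted in this thread). It shows the usual decision logic: an unknown (client network, sender, recipient) triplet gets a temporary 451, a retry after a minimum delay is accepted and remembered, and whitelisted recipients skip the check. The timings, the /24 grouping, the class and function names and the sample attempts are all assumptions made for the illustration.

```python
import ipaddress

MIN_DELAY = 300          # assumed: seconds a new triplet must wait before a retry counts
PENDING_TTL = 4 * 3600   # assumed: a triplet that never retries is forgotten after this
PASS_TTL = 36 * 86400    # assumed: how long a triplet that passed stays trusted
ACCEPT, TEMPFAIL = "250", "451"


class Greylist:
    """Hypothetical greylisting policy keyed on (client network, sender, recipient)."""

    def __init__(self, exempt_rcpts=(), exempt_nets=()):
        self.exempt_rcpts = {r.lower() for r in exempt_rcpts}
        self.exempt_nets = [ipaddress.ip_network(n) for n in exempt_nets]
        self.pending = {}   # triplet -> time of first attempt
        self.passed = {}    # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(client_ip, sender, rcpt):
        # Group by /24 (IPv4) or /64 (IPv6) so a retry from a sibling host in the
        # same outbound pool still matches the first attempt.
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net.network_address), sender.lower(), rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        """Return (SMTP reply code, reason) for one RCPT TO at time `now` (seconds)."""
        ip = ipaddress.ip_address(client_ip)
        if rcpt.lower() in self.exempt_rcpts or any(ip in n for n in self.exempt_nets):
            return ACCEPT, "whitelisted"
        key = self.triplet(client_ip, sender, rcpt)
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= PASS_TTL:
            self.passed[key] = now
            return ACCEPT, "known triplet"
        first = self.pending.get(key)
        if first is None or now - first > PENDING_TTL:
            self.pending[key] = now          # start (or restart) the clock
            return TEMPFAIL, "first attempt"
        if now - first < MIN_DELAY:
            return TEMPFAIL, "retry too soon"  # the clock is not reset by early retries
        del self.pending[key]
        self.passed[key] = now
        return ACCEPT, "retried after delay"


# Constructed sample attempts: (time in seconds, client IP, envelope sender, recipient).
SAMPLE_ATTEMPTS = [
    (0, "192.0.2.10", "alice@example.org", "bob@example.com"),
    (10, "198.51.100.7", "promo@bulk.example", "bob@example.com"),   # never retries
    (20, "203.0.113.5", "carol@example.net", "fussy@example.com"),   # exempt recipient
    (60, "192.0.2.10", "alice@example.org", "bob@example.com"),
    (400, "192.0.2.11", "alice@example.org", "bob@example.com"),     # sibling relay
    (90000, "192.0.2.10", "alice@example.org", "bob@example.com"),
]


def replay(attempts):
    """Run the attempts through a fresh greylist and return each decision."""
    gl = Greylist(exempt_rcpts={"fussy@example.com"})
    return [gl.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", decision)
```

A sender that never retries stays in `pending` until it expires, so its mail never reaches the content scanners at all, which is where the load saving comes from.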
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 18 11:14:24 2006 Subject: A way to start all children at once? In-Reply-To: <4535564E.4040506@tulsaconnect.com> References: <4535564E.4040506@tulsaconnect.com> Message-ID: <4535FD7B.40705@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The reason that is a bad idea is called the "thundering herd problem". All your child processes grab messages together. Then they all virus scan together. Then they all expand the attachments together. Then they all do DNS lookups together. You get the idea. The result is that at one moment every child needs your CPU. Then they all need your disk. Then they all need your network, etc. This is "A Bad Thing (tm)". The staggered startup is done precisely to remove this problem. The delay is 11 seconds, which is perfect as you don't even get children started on the same number of seconds from one minute to the next. There is (virtually always) method in my madness. :-) TCIS List Acct wrote: > We run fairly high-volume MS boxes (500-600,000 messages per day per > box) and > many times when we need to re-start the MS processes, the children > take a good > long while (we have 40-50 children starting per box) to initially > start. It > would be nice if MS could have a setting to start all of the child > processes at > once rather than staggering the startup. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFNf5QEfZZRxQVtlQRAtYbAJsGZqpMmgIUJm8UY0qYzaT2yy4g5wCgmUks 3wbugWfLh7TnF9XO7RlZwNY= =lEMS -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Oct 18 11:11:04 2006 
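The thundering-herd argument in the message above, as an added Python simulation (not MailScanner code and not part of the original post). Each child repeats the phases the message lists, and the script counts how many children are in the same phase in any one second for a simultaneous start versus the 11-second stagger. The phase durations are assumptions; the 11-second delay and the figure of 40 children come from the thread.

```python
from collections import Counter

# Assumed per-batch phase lengths in seconds. The thread names the phases
# (grab messages, virus scan, expand attachments, DNS lookups) but gives no timings.
PHASES = [("grab", 2), ("virus-scan", 10), ("unpack", 6), ("dns", 12)]
CYCLE = sum(duration for _, duration in PHASES)


def phase_at(elapsed):
    """Phase a child is in `elapsed` seconds after it started; the cycle repeats."""
    elapsed %= CYCLE
    for name, duration in PHASES:
        if elapsed < duration:
            return name
        elapsed -= duration
    raise AssertionError("unreachable: elapsed is always inside the cycle")


def peak_contention(children, stagger, horizon=1200):
    """Largest number of children sharing one phase in any single second.

    Child i starts at i * stagger seconds; stagger=0 models starting them all at once.
    """
    peak = 0
    for now in range(horizon):
        busy = Counter(
            phase_at(now - i * stagger)
            for i in range(children)
            if now >= i * stagger
        )
        if busy:
            peak = max(peak, max(busy.values()))
    return peak


def distinct_start_seconds(children, stagger):
    """How many different seconds-of-the-minute the children start on."""
    return len({(i * stagger) % 60 for i in range(children)})


def compare(children=40):
    """Summarise both start-up strategies for the given number of children."""
    return {
        "all at once": peak_contention(children, 0),
        "11s stagger": peak_contention(children, 11),
        "start seconds, 11s": distinct_start_seconds(children, 11),
        "start seconds, 10s": distinct_start_seconds(children, 10),
        "start seconds, 15s": distinct_start_seconds(children, 15),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:>20}: {value}")
```

Because 11 shares no factor with 60, every one of the 40 children starts on a different second of the minute, whereas a 10- or 15-second stagger would reuse only 6 or 4 of them.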
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 18 11:14:46 2006
Subject: new install
In-Reply-To:
References:
Message-ID: <4535FDB8.8010700@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Postfix
MailScanner
Sophos (using my "Sophos.install" command)
MailWatch.

Check your system still correctly delivers mail after each stage.

Jon Miller wrote:
> I'm about to install MailScanner, postfix, sophos and MailWatch on a new server. Is there a preferred order to doing this? This will be for the purpose of testing and trying to understand what and how MailScanner works. Since the last installation went tits up thought I better check with the group on this one. Is it better to install everything on the single server or should I divide certain things up.
>
> Jon
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFFNf5TEfZZRxQVtlQRAnJDAKD3g9S1kq2bvNMyF7P9XNJoEWwICACfaE+j
v0qAEB+kDF9+pf3hQLO87Vo=
=fqeW
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From glenn.steen at gmail.com Wed Oct 18 12:07:56 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 18 12:07:59 2006 Subject: Increased SPAM getting through In-Reply-To: <625385e30610170801v44f7dcb4q76a2600103288c07@mail.gmail.com> References: <4534AB81.8090807@mckerrs.net> <223f97700610170336v20d7ecc4g23eaa008d68f6043@mail.gmail.com> <625385e30610170801v44f7dcb4q76a2600103288c07@mail.gmail.com> Message-ID: <223f97700610180407s1d2aa52dyf22bb1a3d5912a30@mail.gmail.com> On 17/10/06, shuttlebox wrote: > On 10/17/06, Glenn Steen wrote: > > direction;-). Bayes has likely not that much to work with, so... that > > would probably explain why it fires the _00 rule... And training will > > not help you much with that type of spam... > > That would fire the 50 rule (or not at all). 00 means Bayes is certain > it's not spam. I know that Peter. Bad choice of words, perhaps:-). Rephrase that "the little it has to work with makes it certain it isn't spam". If they follow the norm and have some stray snippet from a book or HOWTO or whatever, training on that would probably not lead you anywhere you'd like to go. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From info at mevershosting.nl Wed Oct 18 12:39:31 2006 
From: info at mevershosting.nl (Mevershosting.nl)
Date: Wed Oct 18 12:39:33 2006
Subject: Found 385 messages waiting
Message-ID: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl>

Mike, list,

This is the script I use, it doesn't delete files but renames them.
You could stop mailscanner first in the script before running this, but I found it doesn't really make a difference.

#!/bin/sh
cd /var/spool/mqueue.in
# set aside (rename df -> Df) df files with no corresponding qf files
for df in df*
do
    qf=`echo $df | sed 's/d/q/'`
    if [ -r $df -a ! -f $qf ]
    then
        echo -n ""
        mv $df `echo $df | sed 's/d/D/'`
    fi
done
# set aside (rename qf -> Qf) qf files with no corresponding df files
for qf in qf*
do
    df=`echo $qf | sed 's/q/d/'`
    if [ -r $qf -a ! -f $df ]
    then
        echo -n ""
        mv $qf `echo $qf | sed 's/q/Q/'`
    fi
done

cd /var/spool/mqueue
# set aside (rename df -> Df) df files with no corresponding qf files
for df in df*
do
    qf=`echo $df | sed 's/d/q/'`
    if [ -r $df -a ! -f $qf ]
    then
        echo -n ""
        mv $df `echo $df | sed 's/d/D/'`
    fi
done
# set aside (rename qf -> Qf) qf files with no corresponding df files
for qf in qf*
do
    df=`echo $qf | sed 's/q/d/'`
    if [ -r $qf -a ! -f $df ]
    then
        echo -n ""
        mv $qf `echo $qf | sed 's/q/Q/'`
    fi
done

-----Original Message-----
From: Michael Masse [mailto:mrm@medicine.wisc.edu]
Sent: Wednesday 18 October 2006 6:35
To: MailScanner discussion
Subject: RE: Found 385 messages waiting

>If you want I can post the script I use to get rid of the loose ends..
>I checked and rechecked, the mails the files come from seem to have gone
>through so no worry there.
>Richard

That would be much appreciated.

Mike

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

----- Scanned for virus and spam
----- Scanned for virus and spam

From michele at blacknight.ie Wed Oct 18 12:44:20 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed Oct 18 12:44:07 2006 Subject: OT: MS Exchange Alternatives Message-ID: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local> A bit off topic, but as a group you're more likely to know :) What "sane" alternatives to Exchange currently exist out there? I've come across Zimbra and a couple of others, but I want to assess a few to see which is the "best fit" for a client TIA Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 Vote Now: http://www.netvisionary.ie/votenom.html From glenn.steen at gmail.com Wed Oct 18 12:52:06 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 18 12:52:09 2006 Subject: Upgrading MailScanner to latest and greats with Postfix In-Reply-To: <55271.194.70.180.170.1161162669.squirrel@www.technologytiger.net> References: <01BCE961CD5E4146B83F920FC6A4F2353FD0FA@cmexchange01.CourtesyMortgage.local> <0F1E67F4-F3DB-40E7-A6F6-4730AC7EF094@technologytiger.net> <4535E94B.9000903@enitech.com.au> <55271.194.70.180.170.1161162669.squirrel@www.technologytiger.net> Message-ID: <223f97700610180452u3631ea51ued5b63e2898094b2@mail.gmail.com> On 18/10/06, Drew Marshall wrote: > On Wed, October 18, 2006 09:43, Peter Russell wrote: > >> > >> In a word, no. In slightly more verbose, nope :-) > >> > >> I am awaiting a future release that is supposed to implement message > >> body amendment via milter that is supposed to break everything from the > >> microwave to MailScanner but you are safe for the time being. > >> > >> Assuming you have installed from port just portupgrade Postfix and > >> rebuild from the port (cd /usr/ports/mail/mailscanner make && make > >> deinstall && make install) MailScanner will see you good to go and > >> preserve your configs. Diff the new MailScanner.conf from the old one, > >> change as required and you are back up and running in 20 minutes. > > > > I am still running 2.1.5 - i think i need to upgrade to 2.3 - my > > mailscanner is up to date. I cant keep up with the changes of postfix - > > is something broken in the latest version i should steer clear of? To > > upgrade from source, run the normal sopurce installs and keep a backup > > of my main.cf - my transport, recipient, access, relay_domain maps will > > continue to work fine? > > No, nothing broken. It works just fine. Yup, just keep copies of your > configs and lob them back in. Start Postfix and tail your maillog. There > are a couple of changes particularly under smtpd_ options. They are pretty > minor and I can't remember exactly but your logs will certainly tell you. 
> Just look up the correct syntax option here > http://www.postfix.org/postconf.5.html > > Drew > Wasn't there a queue depth default change between 2.1 and 2.2? I have this vague recollection of perhaps needing to tweak some odd setting there...:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From kte at nexis.be Wed Oct 18 12:49:43 2006 From: kte at nexis.be (kte@nexis.be) Date: Wed Oct 18 12:52:33 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local> Message-ID: scalix "Michele Neylon :: Blacknight" Sent by: mailscanner-bounces@lists.mailscanner.info 18/10/2006 13:44 Please respond to MailScanner discussion To cc Subject OT: MS Exchange Alternatives A bit off topic, but as a group you're more likely to know :) What "sane" alternatives to Exchange currently exist out there? I've come across Zimbra and a couple of others, but I want to assess a few to see which is the "best fit" for a client TIA Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 Vote Now: http://www.netvisionary.ie/votenom.html -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061018/748f4fac/attachment.html From martinh at solidstatelogic.com Wed Oct 18 13:01:44 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Oct 18 13:02:16 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local> References: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local> Message-ID: <453617A8.40209@solidstatelogic.com> Michele Neylon :: Blacknight wrote: > A bit off topic, but as a group you're more likely to know :) > > What "sane" alternatives to Exchange currently exist out there? > > I've come across Zimbra and a couple of others, but I want to assess a few > to see which is the "best fit" for a client > > TIA > > Michele > > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Brand Protection > http://www.blacknight.ie/ > http://blog.blacknight.ie/ > Tel. 1850 927 280 > Intl. +353 (0) 59 9183072 > UK: 0870 163 0607 > Direct Dial: +353 (0)59 9183090 > Fax. +353 (0) 59 9164239 > Vote Now: http://www.netvisionary.ie/votenom.html > Michele looked at zimbra - very bloated will look again when my BFO server turns up next week. looked at CommunicatePro - fast, does what I want it to...includes SIP & Jabber server as well so I move the phones/run video conferencing for no extra money! also openexchange and of course the horde framework (which doesn't integrate fully with outleek which is what you're after i guess). -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From claude.gagne at multitech.qc.ca Wed Oct 18 13:06:45 2006
From: claude.gagne at multitech.qc.ca (=?ISO-8859-1?Q?Claude_Gagn=E9?=) Date: Wed Oct 18 13:06:50 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local> References: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local> Message-ID: <453618D5.1070104@multitech.qc.ca> Hi Michel, It's kind of funny I'm actively searching for one solution too. The only Groupware that seems to do the job (didn't test it yet) is Egroupware if you need Outlook/Sunbird/iCal connectors. Let me know if you find something interesting :) Michele Neylon :: Blacknight wrote: > A bit off topic, but as a group you're more likely to know :) > > What "sane" alternatives to Exchange currently exist out there? > > I've come across Zimbra and a couple of others, but I want to assess a few > to see which is the "best fit" for a client > > TIA > > Michele > > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Brand Protection > http://www.blacknight.ie/ > http://blog.blacknight.ie/ > Tel. 1850 927 280 > Intl. +353 (0) 59 9183072 > UK: 0870 163 0607 > Direct Dial: +353 (0)59 9183090 > Fax. +353 (0) 59 9164239 > Vote Now: http://www.netvisionary.ie/votenom.html > > -- * Claude Gagné* / Technicien informatique/ claude.gagne@multitech.qc.ca 226-A, chemin des Poirier Montmagny (Qc) G5V 3X8 Tél. : (418) 248-2247 Téléc. : (418) 248-2230 *8, rue du Domaine Rivière-du-Loup (Qc) G5R 2P5 Tél. : (418) 867-3355 Téléc. : (418) 867-2775 * -------------- next part -------------- Skipped content of type multipart/related From hakon at symfoni.no Wed Oct 18 13:16:19 2006
From: hakon at symfoni.no (hakon@symfoni.no)
Date: Wed Oct 18 13:13:01 2006
Subject: OT: MS Exchange Alternatives
In-Reply-To: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local>
Message-ID:

Hi,

There is always Lotus Domino. Not free, but very nice :-)

Regards,
Håkon Phillip Tønder-Keul
Symfoni Software AS . Wergelandsveien 3, N-0167 Oslo, Norway
mob: +47 913 57 689, tel: +47 23292300 , fax: +47 23292320
website: http://www.symfoni.no/, support: mailto:support@symfoni.no

"Michele Neylon :: Blacknight"
Sent by: mailscanner-bounces@lists.mailscanner.info
18.10.2006 13:54
Please respond to MailScanner discussion
To
cc
Subject OT: MS Exchange Alternatives

A bit off topic, but as a group you're more likely to know :)

What "sane" alternatives to Exchange currently exist out there?

I've come across Zimbra and a couple of others, but I want to assess a few to see which is the "best fit" for a client

TIA

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239
Vote Now: http://www.netvisionary.ie/votenom.html

From denis at croombs.org Wed Oct 18 13:14:41 2006
From: denis at croombs.org (denis@croombs.org)
Date: Wed Oct 18 13:13:12 2006
Subject: OT: MS Exchange Alternatives
In-Reply-To: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local>
References: <02fb01c6f2aa$c01b6220$e3f31151@blacknight.local>
Message-ID: <7592.87.238.80.64.1161173681.squirrel@www.croombs.org>

> A bit off topic, but as a group you're more likely to know :)
>
> What "sane" alternatives to Exchange currently exist out there?
>
> I've come across Zimbra and a couple of others, but I want to assess a few
> to see which is the "best fit" for a client
>

Hi

Try the kolab project and the outlook connector from http://www.toltec.co.za/

I have done it a number of times (to 150 users)

Regards
Denis

From t.d.lee at durham.ac.uk Wed Oct 18 13:12:53 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Wed Oct 18 13:13:16 2006
Subject: OT: MS Exchange Alternatives
In-Reply-To:
References:
Message-ID:

Re:
> Re:
> > A bit off topic, but as a group you're more likely to know :)
> >
> > What "sane" alternatives to Exchange currently exist out there?
> >
> > I've come across Zimbra and a couple of others, but I want to assess a few
> > to see which is the "best fit" for a client
>
> scalix

Also "hula": www.hula-project.org

This is open-source, and seems to have some sort of sponsorship with Novell.

As part of your assessment, remember to check how active development is. I've got a vague recollection that one of the open-source products (can't remember which) might be dormant. Even if something was 99.9% complete a year ago, if there's no active development now, then addressing future troubles might be problematical.

--
:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :

From mike at vesol.com Wed Oct 18 13:15:04 2006
From: mike at vesol.com (Mike Kercher)
Date: Wed Oct 18 13:15:27 2006
Subject: SMTP problem - solved
In-Reply-To: <4535BA57.2070106@whidbey.com>
Message-ID:

mailscanner-bounces@lists.mailscanner.info <> scribbled on :
> In addition to the issue related below, at the same time we
> were also experiencing a problem for some users updating
> their websites on the server for via ftp, and at least two
> iBooks were unable to connect using ssh. My conclusion was
> that the real problem was a lower-level issue with TCP/IP in
> Fedora Core 5. Tonight I pulled the hard drive, video card,
> and NIC from the problematic system (an Athlon 1GHz that had
> been running without error for years) and bolted them into
> another system (P-IV 1700) and everything is running perfectly.
>
> I'm thinking there is some issue between the current kernel
> or TCP/IP implementation and the chipset on the Athlon board.
> When I return it to service I'll make sure I stay at Fedora
> Core 2 or earlier, with which it has no issues.
>
> Thanks for the help.
>
> Van
>
> G. Armour Van Horn wrote:
>
> -----------------------------------------------------------

You might consider running Centos instead of Fedora too.

Mike

From G.Pentland at soton.ac.uk Wed Oct 18 13:18:43 2006
From: G.Pentland at soton.ac.uk (Pentland G.)
Date: Wed Oct 18 13:19:03 2006
Subject: OT: Preferred MTA?
Message-ID: <71437982F5B13A4D9A5B2669BDB89EE40765C611@ISS-CL-EX-V1.soton.ac.uk>

Denis Beauchemin wrote:
> Glenn Steen wrote:
>> On 13/10/06, Drew Marshall wrote:
>>>>
>>>> Do you recommend using a HW load balancer (and SSL accelerator) in
>>>> front of my servers? How about Cisco's?
>>>
>>> Really can't comment but I would be interested to hear others
>>> thoughts too.
>>>
>> Capable but not that cheap:-).
>> How do you loadbalance now?
>>
> Using DNS round-robin... :-(

Why? What for?

MX records (if you have more than one at the same priority) will load balance anyway, I guess it is sort of a round robin.

You could deliberately have one at a lower priority, that would tend to attract spam and hence genuine mail would be on slightly less loaded servers.

Gary

From Chris at 7of9b.org Wed Oct 18 13:19:27 2006
From: Chris at 7of9b.org (Chris Burton)
Date: Wed Oct 18 13:19:43 2006
Subject: OT: MS Exchange Alternatives
References:
Message-ID: <008a01c6f2af$af788e70$05fea8c0@murphy3>

> There is always Lotus Domino. Not free, but very nice :-)

I think you need to start taking the drugs again, fantasy Domino life is leaking into the real world... ;)

When I was looking I wasn't able to find anything that worked "well" and didn't leave me wanting to go back to Exchange, but it was a while ago now.

ChrisB.

From matt at coders.co.uk Wed Oct 18 13:41:57 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Wed Oct 18 13:42:20 2006
Subject: OT: Preferred MTA?
In-Reply-To: <71437982F5B13A4D9A5B2669BDB89EE40765C611@ISS-CL-EX-V1.soton.ac.uk>
References: <71437982F5B13A4D9A5B2669BDB89EE40765C611@ISS-CL-EX-V1.soton.ac.uk>
Message-ID: <45362115.3000104@coders.co.uk>

Pentland G. wrote:
>> Using DNS round-robin... :-(
>
> Why? What for?
>
> MX records (if you have more than one at the same priority) will load balance anyway, I guess it is sort of a round robin.

Some servers always hit the first (ASCII wise) no matter what is returned.

It is better (as you have finally done Mr Pentland ;-) ) is to have a single MX Hostname that resolves to multiple IP addresses.

>
> You could deliberately have one at a lower priority, that would tend to attract spam and hence genuine mail would be on slightly less loaded servers.

To improve it:

MX 10 server1
MX 10 server2
MX 10 server3
MX 0 mail-server

where mail-server is DNS round robin for the IP addresses of server1-3.

This ensures that in the event of one of the servers being down and the initial connection failing, there is a fall back which can be used.

Matt

From res at ausics.net Wed Oct 18 13:44:46 2006
From: res at ausics.net (Res)
Date: Wed Oct 18 13:45:01 2006
Subject: A way to start all children at once?
In-Reply-To: <4535564E.4040506@tulsaconnect.com>
References: <4535564E.4040506@tulsaconnect.com>
Message-ID:

On Tue, 17 Oct 2006, TCIS List Acct wrote:

> We run fairly high-volume MS boxes (500-600,000 messages per day per box) and
> many times when we need to re-start the MS processes, the children take a good
> long while (we have 40-50 children starting per box) to initially start. It
> would be nice if MS could have a setting to start all of the child processes at
> once rather than staggering the startup.

in the main MailScanner perl file there are a couple sleep commands, I too found that 11 seconds was too long with our loads, I shortened them to 5 and things looked much better

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From Denis.Beauchemin at USherbrooke.ca Wed Oct 18 13:33:26 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Oct 18 13:47:02 2006
Subject: Which spam stats package?
In-Reply-To: <200610152334.k9FNYftY020298@bkserver.blacknight.ie>
References: <200610152334.k9FNYftY020298@bkserver.blacknight.ie>
Message-ID: <45361F16.1050607@USherbrooke.ca>

Skipped content of type multipart/mixed

From drew at technologytiger.net Wed Oct 18 13:48:20 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Oct 18 13:48:35 2006
Subject: Upgrading MailScanner to latest and greats with Postfix
In-Reply-To: <223f97700610180452u3631ea51ued5b63e2898094b2@mail.gmail.com>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD0FA@cmexchange01.CourtesyMortgage.local> <0F1E67F4-F3DB-40E7-A6F6-4730AC7EF094@technologytiger.net> <4535E94B.9000903@enitech.com.au> <55271.194.70.180.170.1161162669.squirrel@www.technologytiger.net> <223f97700610180452u3631ea51ued5b63e2898094b2@mail.gmail.com>
Message-ID: <56601.194.70.180.170.1161175700.squirrel@www.technologytiger.net>

On Wed, October 18, 2006 12:52, Glenn Steen wrote:
>> Drew
>>
> Wasn't there a queue depth default change between 2.1 and 2.2? I have
> this vague recollection of perhaps needing to tweak some odd setting
> there...:-)

You are right although it shouldn't be a problem out of the box (It defaults to only hashing the deferred queue). It's only a problem if you specify the queue depth on either side of MailScanner to be different depths (This is still true if you set the queue depths yourself). There is an entry in the wiki from memory.

Drew

From G.Pentland at soton.ac.uk Wed Oct 18 14:40:17 2006
From: G.Pentland at soton.ac.uk (Pentland G.)
Date: Wed Oct 18 14:41:15 2006
Subject: OT: Preferred MTA?
Message-ID: <71437982F5B13A4D9A5B2669BDB89EE40765C615@ISS-CL-EX-V1.soton.ac.uk>

Matt Hampton wrote:
> Some servers always hit the first (ASCII wise) no matter what is
> returned.
>
> It is better (as you have finally done Mr Pentland ;-) ) is to have a
> single MX Hostname that resolves to multiple IP addresses.

To be honest I didn't notice that but I probably put a lot more effort into settings like RefuseLA than most...

The reason I changed it was more to do with badly behaved servers not liking the 8!! MX records I had previously.

> To improve it:
>
> MX 10 server1
> MX 10 server2
> MX 10 server3
> MX 0 mail-server
>
> where mail-server is DNS round robin for the IP addresses of
> server1-3.
>
> This ensures that in the event of one of the servers being down and
> the initial connection failing, there is a fall back which can be
> used.

Agreed, that will work nicely.

Gary

From mikea at mikea.ath.cx Wed Oct 18 14:42:57 2006
From: mikea at mikea.ath.cx (mikea)
Date: Wed Oct 18 14:43:02 2006
Subject: Japanese spam...
In-Reply-To: ; from spamtrap71892316634@anime.net on Tue, Oct 17, 2006 at 06:42:46PM -0700
References: <20061017193327.A11951@mikea.ath.cx>
Message-ID: <20061018084257.B14190@mikea.ath.cx>

On Tue, Oct 17, 2006 at 06:42:46PM -0700, Dan Hollis wrote:
> On Tue, 17 Oct 2006, mikea wrote:
> > On Wed, Oct 18, 2006 at 12:44:01AM +0000, ajos1@onion.demon.co.uk wrote:
> >> Last week or 2... I have 50 to 100 messages per day with ".jp" on the end... all out of the blue... is it just me? or has everyone been getting extra spam from ".jp" ?
> >>> From - akiramenai_2006@ocn.ne.jp
> >> Subj - =?iso-2022-jp?b?gyrcn...
> > Since I put all .jp netblocks in the blacklist[1], we don't have any
> > problems with spam from .jp. But I see an _awful_ lot of attempts from
> > those netblocks.
> > [1] We're state government, we have no business connections with .jp,
> > and have *never* received valid E-mail from anyone in .jp.
>
> Easier to just block iso-2022-jp (and euc-kr, big5, etc). That will block
> japanese spams no matter what IP they come from.

If I block them at the connection level (blackmilter in my case), I don't have to wait until I see the language encoding stuff. But YMMV.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From gmourani at privalodc.com Wed Oct 18 14:47:24 2006
From: gmourani at privalodc.com (Gerhard Mourani)
Date: Wed Oct 18 14:47:36 2006
Subject: MailScanner & Postfix
In-Reply-To:
References: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com> <42615.74.57.238.32.1161125986.squirrel@webmail.privalodc.com>
Message-ID: <3991.70.82.58.187.1161179244.squirrel@webmail.privalodc.com>

Hi,

Thanks for your reply, I've seen that the spamassassin binary was in mode 511 and changed this to mode 555. After that Mailscanner seems to work and generated the output message you've seen below.

Another question (maybe you can help). Does the postfix user need to have a shell access to the system for Mailscanner to work?

> On 17 Oct 2006, at 23:59, Gerhard Mourani wrote:
>
>> Here is my output of the /usr/bin/spamassassin --lint -D command run as
>> user postfix, maybe you can see something that is not correctly set.
>>
>> bash-3.1$ /usr/bin/spamassassin --lint -D
>>
>> [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
>> [13265] dbg: bayes: found bayes db version 3
>> [13265] dbg: bayes: DB journal sync: last sync: 0
>> [13265] dbg: bayes: not available for scanning, only 190 spam(s) in bayes DB < 200
>
> There you go then. Another 10 Spam messages learnt and bayes will
> start kicking in. I suspect that your previous SA set up used a
> different user so you could always copy over it's bayes database
> (Don't forget files permissions) so you are running quicker or just
> teach it 10 more Spam messages using sa-learn.
>
> Drew

--
PrivalODC
Cel: (514) 726-3766
Tel: (450) 761-9973 ext 634

From simon at ateb.co.uk Wed Oct 18 14:55:36 2006
From: simon at ateb.co.uk (Simon Annetts)
Date: Wed Oct 18 14:55:37 2006
Subject: whitelist a file from the content scanner
Message-ID: <45363258.2060400@ateb.co.uk>

Hi,

I need to be able to stop mailscanner from virus checking and filetype detecting a particular filename so that our support team can send updates via email. The file will always be called (for example only:) update.zip and may contain .exe and other type files that are normally banned.

At the moment mailscanner always rejects the file and quarantines it because it is in the banned filetypes list. If I exempt .zip files or specifically update.zip then mailscanner proceeds to unpack the file and quarantine any files inside which also are banned. This is all good stuff as far as mailscanner doing its job, but I want this file to pass through mailscanner completely untouched/unchecked. I want to exempt this file name from all checks, - spam virus content and filetype.

Is this possible???

Best Regards
Simon

From martinh at solidstatelogic.com Wed Oct 18 15:04:16 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Oct 18 15:04:29 2006
Subject: whitelist a file from the content scanner
In-Reply-To: <45363258.2060400@ateb.co.uk>
References: <45363258.2060400@ateb.co.uk>
Message-ID: <45363460.7070908@solidstatelogic.com>

Simon Annetts wrote:
> Hi,
> I need to be able to stop mailscanner from virus checking and filetype
> detecting a particular filename so that our support team can send
> updates via email. The file will always be called (for example only:)
> update.zip and may contain .exe and other type files that are normally
> banned.
>
> At the moment mailscanner always rejects the file and quarantines it
> because it is in the banned filetypes list. If I exempt .zip files or
> specifically update.zip then mailscanner proceeds to unpack the file and
> quarantine any files inside which also are banned. This is all good
> stuff as far as mailscanner doing its job, but I want this file to pass
> through mailscanner completely untouched/unchecked. I want to exempt
> this file name from all checks, - spam virus content and filetype.
>
>
> Is this possible???
> Best Regards
> Simon
>
>

Simon

I'd do this by originating ip-address if I were you....put a ruleset on the checks, so if its from your lan you don't run the extra filename checks etc...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Dominique.Marant at univ-lille1.fr Wed Oct 18 14:58:40 2006
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Wed Oct 18 15:06:20 2006
Subject: install-Clam-SA freshclam
Message-ID: <45363310.9080106@univ-lille1.fr>

The package install-Clam-SA is updated when there is a new version of ClamAv or spamassassin. So, in http://www.mailscanner.info/downloads.html, it would be better to specify the version in the name. For example : install-Clam-0-88-5-SA-3-1-5

With install-Clam-SA, could you tell me if I have to run a freshclam in the crontab or if the signature update is done automatically with the module Mail-ClamAV ?

Thanks in advance for your reply

Dominique

From dhawal at netmagicsolutions.com Wed Oct 18 15:07:50 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Oct 18 15:08:18 2006
Subject: MailScanner & Postfix
In-Reply-To: <3991.70.82.58.187.1161179244.squirrel@webmail.privalodc.com>
References: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com> <42615.74.57.238.32.1161125986.squirrel@webmail.privalodc.com> <3991.70.82.58.187.1161179244.squirrel@webmail.privalodc.com>
Message-ID: <45363536.9090800@netmagicsolutions.com>

Gerhard Mourani wrote:
> Hi,
>
> Thanks for your reply, I've seen that the spamassassin binary was in mode
> 511 and changed this to mode 555. After that Mailscanner seems to work and
> generated the output message you've seen below.

You can also use the in-built 'MailScanner --lint or --debug-sa' to check if everything is normal.

> Another question (maybe you can help). Does the postfix user need to have
> a shell access to the system for Mailscanner to work?

Umm no.. never, a '/sbin/nologin' is just fine.

- dhawal

PS: are you the same 'Gerhard Mourani' as the one who wrote 'securing and optimizing linux'?

>> On 17 Oct 2006, at 23:59, Gerhard Mourani wrote:
>>
>>> Here is my output of the /usr/bin/spamassassin --lint -D command run as
>>> user postfix, maybe you can see something that is not correctly set.
>>>
>>> bash-3.1$ /usr/bin/spamassassin --lint -D
>>>
>>> [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
>>> [13265] dbg: bayes: found bayes db version 3
>>> [13265] dbg: bayes: DB journal sync: last sync: 0
>>> [13265] dbg: bayes: not available for scanning, only 190 spam(s) in bayes DB < 200
>> There you go then. Another 10 Spam messages learnt and bayes will
>> start kicking in. I suspect that your previous SA set up used a
>> different user so you could always copy over it's bayes database
>> (Don't forget files permissions) so you are running quicker or just
>> teach it 10 more Spam messages using sa-learn.
>>
>> Drew

From mscanlist at drisp.com Wed Oct 18 15:25:28 2006
From: mscanlist at drisp.com (Michael Kain)
Date: Wed Oct 18 15:25:34 2006
Subject: Server Loads/hardware standards - recommendations
In-Reply-To: <4535FC48.3030408@ecs.soton.ac.uk>
References: <45350A3C.8080906@drisp.com> <45352F0B.4070402@ecs.soton.ac.uk> <4535FC48.3030408@ecs.soton.ac.uk>
Message-ID: <45363958.8010105@drisp.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Scott Silva wrote:
>> Julian Field spake the following on 10/17/2006 12:29 PM:
>>> Scott Silva wrote:
>>>>> Michael Kain spake the following on 10/17/2006 9:52 AM:
>>>>>> Recently, I've gone from handling 40k messages /day to nearly 30k/hour.
>>>>>> The change has surfaced in the last month or so.
>>>>>>
>>>>>> My current setup:
>>>>>> Dual P3 1.13
>>>>>> 1GB Ram
>>>>>> FC5
>>>>>>
>>>>>> Mail gateway running MS/clam/SA forwards scanned mail to internal mail
>>>>>> server (when there's a problem, users hit send/receive and that doesn't
>>>>>> cause an error..thus avoiding immediate call) I've used Julian's clam/sa
>>>>>> install script (which is awesome), and read posts relating to new
>>>>>> releases before upgrading/such.
>>>>>>
>>>>>> With spamassassin enabled, the batch list grows and grows, was up to 95k
>>>>>> at one point.. disabling SA in MS cleared that out fairly quickly. I've
>>>>>> wiped the SA/bayes temp files thinking bayes was backing up, however, it
>>>>>> seems that is not helping.
>>>>>>
>>>>>> What I would like an opinion on is this... Am I trying to do too much
>>>>>> with the hardware that I currently have? Or do I put together a bigger
>>>>>> beefier machine?
>>>>>>
>>>>>> -Mike
>>>>>>
>>> You can make a huge difference to the amount of spam you have to process
>>> with 2 tools:
>>>
>>> 1) milter-gris
>>> 2) milter-null
>>>
>>> Number 1 implements grey-listing. There are a lot of discussions about
>>> greylisting on the web, and a lot of people are very wary of it
>>> initially. I was too. Then I ran a test with a handful of the fussiest
>>> email users I have (I've got about 2000 users in total). I told them I
>>> was implementing something new, but refused to tell them what, so they
>>> would not have any pre-conceptions about it. They *all* loved it, and
>>> none of them reported any problems at all. So I implemented it across
>>> all of my users, who are very fussy Computer Science and Electronics
>>> academics, as well as the students. That was about 6 months ago, since
>>> when I have had *1* complaint, which I dealt with by adding them to the
>>> whitelist for it.
>>>
>>> So my conclusion with greylisting is test it with some very fussy users,
>>> then roll it out to everyone.
>>>
>>> Number 2 implements back-scatter detection. Basically, what this does is
>>> get rid of all the "This message could not be delivered..." notices that
>>> weren't generated in response to your own users' mail. It doesn't throw
>>> away all of them, so that if your users mistype an address, they still
>>> get the error message from it. But all the delivery failure messages
>>> generated by forged spam get killed.
>>>
>>> Between these 2, you will remove 80-90% of all the mail coming into your
>>> site, without losing any genuine real mail at all. This will make your
>>> hardware go a hell of a lot further, and you will find you don't need to
>>> spend any money on new hardware at all.
>>>
>>> My MX servers used to just about cope. Then I implemented these 2
>>> techniques and they now just tick along quite happily, getting very bored.
>>>
>>> Both of the above techniques can be done very easily in sendmail and
>>> Postfix using the milters which are available from www.snertsoft.com. I
>>> thoroughly recommend them to everyone.
>>>
>>> Jules
>>>
>> So the addition of the two milters doesn't add that much load?
>>
> No, they don't. And they save way more load than they cause!
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.0 (Build 1112)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFFNf0kEfZZRxQVtlQRAv6sAKCwu7kfBHIL7TK/UHTcMG65W+egqACeIXOu
> 0Hoea8EOk74OgOH+J0/iphQ=
> =TPuu
> -----END PGP SIGNATURE-----
>

Outstanding! I will give these a shot and post the results.

Thank you!

From Denis.Beauchemin at USherbrooke.ca Wed Oct 18 15:46:30 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Oct 18 15:47:14 2006
Subject: Found 385 messages waiting
In-Reply-To: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl>
References: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl>
Message-ID: <45363E46.1080700@USherbrooke.ca>

Mevershosting.nl wrote:
> Mike, list,
>
> This is the script i use, it doesn't delete files but renames them. You
> could stop mailscanner first in the script before running this, but i
> found it doesn't really make a difference.
>
> snip

I use the following one-liner in root's crontab to remove files that don't have today's date (uses bash syntax on a RHEL 4 system):

19 9 * * * cd /var/spool/mqueue.in/ && /bin/rm -f $(/bin/ls -l /var/spool/mqueue.in/[dqt]* 2>/dev/null | /bin/grep -v "$(/bin/date '+\%b \%e')"|/bin/awk '{print $NF}') 2>/dev/null

Denis

--
  _
 °v°   Denis Beauchemin, analyst
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From sandrews at andrewscompanies.com Wed Oct 18 15:54:34 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Wed Oct 18 15:54:43 2006
Subject: Bayes_toks.expire
Message-ID: <1964AAFBC212F742958F9275BF63DBB042969B@winchester.andrewscompanies.com>

I've got a couple out of probably 20 mailscanner servers where the /etc/MailScanner/bayes directory just fills itself over time with bayes_toks.expireXXXX files. They are updated to the latest mailscanner and clamav/sa packages. I can't find where these are configured differently than any of the others... What am I doing wrong?

Thanks,
Steve

From Denis.Beauchemin at USherbrooke.ca Wed Oct 18 15:55:54 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Oct 18 15:57:08 2006
Subject: OT: Preferred MTA?
In-Reply-To: <71437982F5B13A4D9A5B2669BDB89EE40765C611@ISS-CL-EX-V1.soton.ac.uk>
References: <71437982F5B13A4D9A5B2669BDB89EE40765C611@ISS-CL-EX-V1.soton.ac.uk>
Message-ID: <4536407A.1030502@USherbrooke.ca>

Pentland G. wrote:
> Denis Beauchemin wrote:
>
>> Glenn Steen wrote:
>>
>>> On 13/10/06, Drew Marshall wrote:
>>>
>>>>> Do you recommend using a HW load balancer (and SSL accelerator) in
>>>>> front of my servers? How about Cisco's?
>>>>>
>>>> Really can't comment but I would be interested to hear others
>>>> thoughts too.
>>>>
>>> Capable but not that cheap:-).
>>> How do you loadbalance now?
>>>
>> Using DNS round-robin... :-(
>>
>
> Why? What for?
>
> MX records (if you have more than one at the same priority) will load balance anyway, I guess it is sort of a round robin.
>
> You could deliberately have one at a lower priority, that would tend to attract spam and hence genuine mail would be on slightly less loaded servers.
>
> Gary
>

That's the MX trick I was referring to as round-robin. I had 3 servers at same priority. Turns out that we got so much spam attacks in the last few days, that I decided to turn one to a lower priority so it would attract spammers.

Hope this does the trick.

Denis

--
  _
 °v°   Denis Beauchemin, analyst
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From glenn.steen at gmail.com Wed Oct 18 16:10:32 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 18 16:10:35 2006
Subject: install-Clam-SA freshclam
In-Reply-To: <45363310.9080106@univ-lille1.fr>
References: <45363310.9080106@univ-lille1.fr>
Message-ID: <223f97700610180810oa47ee33t4a3d166eff5546c1@mail.gmail.com>

On 18/10/06, Dominique Marant wrote:
> The package install-Clam-SA is updated when there is a new version of
> ClamAv or spamassassin.
> So, in http://www.mailscanner.info/downloads.html, it would be better to
> specify the version in the name. For example : install-Clam-0-88-5-SA-3-1-5

Might be a good thought... How about it Jules?

> With install-Clam-SA, could you tell me if I have to run a freshclam in
> the crontab or if the signature update is done automatically with the
> module Mail-ClamAV ?

No need to do this by yourself, MailScanner (not the perl Mail-ClamAV module ....) will do this via the update_virus_scanners script (if you're not using FreeBSD ports at least:-). It'll find all installed AV-scanners and run their respective autoupdate scripts.

> Thanks in advance for your reply
>
> Dominique
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From simon at ateb.co.uk Wed Oct 18 16:21:15 2006
From: simon at ateb.co.uk (Simon Annetts)
Date: Wed Oct 18 16:21:18 2006
Subject: whitelist a file from the content scanner
In-Reply-To: <45363460.7070908@solidstatelogic.com>
References: <45363258.2060400@ateb.co.uk> <45363460.7070908@solidstatelogic.com>
Message-ID: <4536466B.2090608@ateb.co.uk>

Martin Hepworth wrote:
> Simon Annetts wrote:
>> Hi,
>> I need to be able to stop mailscanner from virus checking and filetype
>> detecting a particular filename so that our support team can send
>> updates via email. The file will always be called (for example only:)
>> update.zip and may contain .exe and other type files that are normally
>> banned.
>>
>> At the moment mailscanner always rejects the file and quarantines it
>> because it is in the banned filetypes list. If I exempt .zip files or
>> specifically update.zip then mailscanner proceeds to unpack the file
>> and quarantine any files inside which also are banned. This is all
>> good stuff as far as mailscanner doing its job, but I want this file
>> to pass through mailscanner completely untouched/unchecked. I want to
>> exempt this file name from all checks, - spam virus content and
>> filetype.
>>
>>
>> Is this possible???
>> Best Regards
>> Simon
>>
>>
> Simon
>
> I'd do this by originating ip-address if I were you....put a ruleset on
> the checks, so if its from your lan you don't run the extra filename
> checks etc...
>
>

Thanks, but I still want all other checking to be done from the host(s) that are sending this particular file (actually its another mailserver). I just want to exclude that one and only filename (and tie it down to ip address too would be even nicer but by IP on its own isn't enough). There must be a way surely?

Simon

From glenn.steen at gmail.com Wed Oct 18 16:32:02 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 18 16:32:06 2006
Subject: whitelist a file from the content scanner
In-Reply-To: <4536466B.2090608@ateb.co.uk>
References: <45363258.2060400@ateb.co.uk> <45363460.7070908@solidstatelogic.com> <4536466B.2090608@ateb.co.uk>
Message-ID: <223f97700610180832t147aab63y5d59d14b019d0899@mail.gmail.com>

On 18/10/06, Simon Annetts wrote:
>
> Martin Hepworth wrote:
> > Simon Annetts wrote:
> >> Hi,
> >> I need to be able to stop mailscanner from virus checking and filetype
> >> detecting a particular filename so that our support team can send
> >> updates via email. The file will always be called (for example only:)
> >> update.zip and may contain .exe and other type files that are normally
> >> banned.
> >>
> >> At the moment mailscanner always rejects the file and quarantines it
> >> because it is in the banned filetypes list. If I exempt .zip files or
> >> specifically update.zip then mailscanner proceeds to unpack the file
> >> and quarantine any files inside which also are banned. This is all
> >> good stuff as far as mailscanner doing its job, but I want this file
> >> to pass through mailscanner completely untouched/unchecked. I want to
> >> exempt this file name from all checks, - spam virus content and
> >> filetype.
> >>
> >>
> >> Is this possible???
> >> Best Regards
> >> Simon
> >>
> >>
> > Simon
> >
> > I'd do this by originating ip-address if I were you....put a ruleset on
> > the checks, so if it's from your LAN you don't run the extra filename
> > checks etc...
> >
> >
> >
> Thanks, but I still want all other checking to be done from the host(s)
> that are sending this particular file (actually it's another mailserver).
> I just want to exclude that one and only filename (and tie it down to ip
> address too would be even nicer but by IP on its own isn't enough).
> There must be a way surely?
>
> Simon

Well, you could overload the filename settings for that IP address so
that you allow the name, and then set archive depth depending on IP (0
will disable the unpacking of zips).
Combining them so that you have a check on both name and IP would
likely need to be a custom function (look in CustomFunction... There are
examples you could likely build on). You should be able to use that to
return different values depending on filename/IP, and use that on the
Archive Depth setting.
I might be wrong though, I haven't tested this:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Wed Oct 18 16:30:54 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 18 16:32:25 2006
Subject: Found 385 messages waiting
In-Reply-To: <45363E46.1080700@USherbrooke.ca>
References: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl> <45363E46.1080700@USherbrooke.ca>
Message-ID:

Denis Beauchemin spake the following on 10/18/2006 7:46 AM:
> Mevershosting.nl wrote:
>> Mike, list,
>>
>> This is the script I use, it doesn't delete files but renames them. You
>> could stop mailscanner first in the script before running this, but I
>> found it doesn't really make a difference.
>>
>> snip
> I use the following one-liner in root's crontab to remove files that
> don't have today's date (uses bash syntax on a RHEL 4 system):
> 19 9 * * * cd /var/spool/mqueue.in/ && /bin/rm -f $(/bin/ls -l
> /var/spool/mqueue.in/[dqt]* 2>/dev/null | /bin/grep -v "$(/bin/date
> '+\%b \%e')"|/bin/awk '{print $NF}') 2>/dev/null
>
> Denis
>
It would be better to use something that goes back at least the number of days
your system will retry for, something like;

    find /var/spool/mqueue.in -type f -mtime +3 -print

to display orphaned files and

    find /var/spool/mqueue.in -type f -mtime +3 -print | xargs rm -f

to delete them if your queue return is set to 3 days.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From gmourani at privalodc.com Wed Oct 18 16:34:57 2006
From: gmourani at privalodc.com (Gerhard Mourani)
Date: Wed Oct 18 16:35:06 2006
Subject: MailScanner & Postfix
In-Reply-To: <45363536.9090800@netmagicsolutions.com>
References: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com> <42615.74.57.238.32.1161125986.squirrel@webmail.privalodc.com> <3991.70.82.58.187.1161179244.squirrel@webmail.privalodc.com> <45363536.9090800@netmagicsolutions.com>
Message-ID: <4798.70.82.58.187.1161185697.squirrel@webmail.privalodc.com>

> You can also use the in-built MailScanner ...

Thanks for the tips, it seems to run fine now, here is the output of the
command, I'll wait to see if users will report Spam to me or not today.

[root@primul gmourani]# /usr/sbin/MailScanner --lint
Read 755 hostnames from the phishing whitelist
MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = flock
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav

> Umm no.. never, a '/sbin/nologin' is just fine.

Yes, that's what I was thinking too.

> are you the same 'Gerhard Mourani' as the one who ...

Yes, it's me, I'm pleased to see that people recognise my name ;)

Regards,

> Gerhard Mourani wrote:
>> Hi,
>>
>> Thanks for your reply, I've seen that the spamassassin binary was in mode
>> 511 and changed this to mode 555. After that Mailscanner seems to work and
>> generated the output message you see below.
>
> You can also use the in-built 'MailScanner --lint or --debug-sa' to
> check if everything is normal.
>
>> Another question (maybe you can help). Does the postfix user need to have
>> a shell access to the system for Mailscanner to work?
>
> Umm no.. never, a '/sbin/nologin' is just fine.
>
> - dhawal
>
> PS: are you the same 'Gerhard Mourani' as the one who wrote 'securing
> and optimizing linux'?
>
>>> On 17 Oct 2006, at 23:59, Gerhard Mourani wrote:
>>>
>>>> Here is my output of the /usr/bin/spamassassin --lint -D command run as
>>>> user postfix, maybe you can see something that is not correctly set.
>>>>
>>>> bash-3.1$ /usr/bin/spamassassin --lint -D
>>>>
>>>> [13265] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen
>>>> [13265] dbg: bayes: found bayes db version 3
>>>> [13265] dbg: bayes: DB journal sync: last sync: 0
>>>> [13265] dbg: bayes: not available for scanning, only 190 spam(s) in bayes DB < 200
>>> There you go then. Another 10 Spam messages learnt and bayes will
>>> start kicking in. I suspect that your previous SA set up used a
>>> different user so you could always copy over its bayes database
>>> (Don't forget files permissions) so you are running quicker or just
>>> teach it 10 more Spam messages using sa-learn.
>>>
>>> Drew

-- 
PrivalODC
Cel: (514) 726-3766
Tel: (450) 761-9973 ext 634

This electronic message and all attached documents are intended
exclusively for the person or entity named as the recipient; it may
contain information that is confidential or privileged under applicable
law. No other person may have access to it. If you are not the intended
recipient, you are hereby notified that disclosing, distributing, copying
or using its contents is strictly prohibited. Please notify the sender
immediately by return e-mail and delete this message from your system.
Any distribution or reproduction of this document, and any action taken
in respect of it, is strictly prohibited.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Wed Oct 18 16:35:51 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 18 16:40:13 2006
Subject: RulesDuJour blowup?
In-Reply-To:
References:
Message-ID:

Craig Retief spake the following on 10/18/2006 12:09 AM:
> I'm getting the following error from RulesDuJour Updates, don't know if it is
> related to the domain problem or not.
>
> AUTOBAN: Over 500 *.cf requests in 48 hours period - Check your CRON
> CONTACT: webmaster@uribl.com
>
> Check this .cf page (taken from update script)
>
> http://38.99.66.94/rules/70_sare_obfu.cf
>
> I pasted the page into my browser and got the error above.
>
> any1 else seeing this or just me?
>
> Thx
>
Your ip address got banned for too many attempts to update. Contact the
webmaster with your ip address as they should be forgiving this seeing the
domain trouble that is happening. They might automatically clear any bans that
happened in this time period, or at least they should!

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dhawal at netmagicsolutions.com Wed Oct 18 16:52:52 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Oct 18 16:53:13 2006 Subject: [OT] MailScanner & Postfix In-Reply-To: <4798.70.82.58.187.1161185697.squirrel@webmail.privalodc.com> References: <3136.70.82.58.187.1161115412.squirrel@webmail.privalodc.com> <42615.74.57.238.32.1161125986.squirrel@webmail.privalodc.com> <3991.70.82.58.187.1161179244.squirrel@webmail.privalodc.com> <45363536.9090800@netmagicsolutions.com> <4798.70.82.58.187.1161185697.squirrel@webmail.privalodc.com> Message-ID: <45364DD4.6020803@netmagicsolutions.com> Gerhard Mourani wrote: >> are you the same 'Gerhard Mourani' as the one who ... > Yes is me, I please to see that people recognise my name ;) well, i used your book when i had to recompile the kernel for the first time (umm make that second, the first was a disastrous 'make config').. also used it a LOT during the bad days of redhat 5.x-6.x when not too many third party RPM repositories were available and *good* documentation was scant. Time to thank you for your efforts :-) .. Thanks, - dhawal From ssilva at sgvwater.com Wed Oct 18 16:54:31 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 18 16:56:11 2006 Subject: Bayes_toks.expire In-Reply-To: <1964AAFBC212F742958F9275BF63DBB042969B@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB042969B@winchester.andrewscompanies.com> Message-ID: sandrews@andrewscompanies.com spake the following on 10/18/2006 7:54 AM: > I've got a couple out of probably 20 mailscanner servers where the > /etc/MailScanner/bayes directory just fills itself over time with > bayes_toks.expireXXXX files. They are updated to the latest mailscanner > and clamav/sa packages. > > I can't find where these are configured differently than any of the > others... > > What am I doing wrong? > > Thanks, > > Steve That server just might be timing out when the others aren't. Or it could be in the position in MX order that it sees more spam. As it has failed a few times, its bayes db is getting larger than the others, making the problem worse. You could try to do a manual bayes expire so it can "catch up" to the other servers, or shorten its time between expiry runs. The easiest way to check for differences would be to diff the config files from it and another server and look for things that should be the same. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From edwardbruce at sbcglobal.net Wed Oct 18 16:57:58 2006 
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Wed Oct 18 16:58:10 2006 Subject: OT: need help installing FuzzyOCR In-Reply-To: References: Message-ID: <45364F06.3040307@sbcglobal.net> ajos1@onion.demon.co.uk wrote: > - > > Update... well... > > "giflib seems to be libungif" and "libungif seems to be giflib". > > Just worked out why... "giftext" and so on are missing from Fedora5... the rpms are only installing 3 library files. > > So it is off to http://sourceforge.net/projects/libungif to do it all from scratch without RPM. > I ran into this problem with Redhat AS 3 and just gave up. Too much work and a chance I will hose up my system. From ajcartmell at fonant.com Wed Oct 18 17:03:03 2006 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Oct 18 17:03:17 2006 Subject: FuzzyOcr working but not via MailScanner Message-ID: Hi folks, I have recently installed FuzzyOcr, and it works fine when spamassassin is called directly. However when MailScanner runs it seems to load the FuzzyOcr plugin but then never calls it. Have checked with --lint and logging all the FuzzyOcr debug information. Have tried moving the loadplugin to v310.pre from FuzzyOcr.cf, but that made no difference. Fedora Core 5, Perl 5.8.8, MailScanner 4.56.8, FuzzyOcr 2.3b Any ideas what I can check next? Anthony -- www.fonant.com - Quality web sites From dhawal at netmagicsolutions.com Wed Oct 18 17:23:03 2006 
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Oct 18 17:23:24 2006
Subject: OT: need help installing FuzzyOCR
In-Reply-To: <013a01c6f233$b12f5180$3701a8c0@lapxp>
References: <013a01c6f233$b12f5180$3701a8c0@lapxp>
Message-ID: <453654E7.40709@netmagicsolutions.com>

Arthur Sherman wrote:
> Hi,
>
> I am trying to install the FuzzyOCR plugin to work with SpamAssassin on
> CentOS-4.4.
>
> It asks for ImageMagick installation, so I yummed for it and found a great
> deal of packages. I hesitate between ImageMagick.i386 and
> ImageMagick-perl.i386, while latter seems to be more appropriate.
>
> Is it right?
> May someone share some other tips for installing/configuring the plugin?

I have it installed on 3 servers and do not remember the requirement for
imagemagick!!

Anyways, here is a snippet from my doc (for centos 4.x).

yum install netpbm netpbm-devel netpbm-progs gtk+-devel libungif libungif-devel libungif-progs
perl -MCPAN -eshell
install String::Approx
mkdir /root/FuzzyOcrPlugin
cd /root/FuzzyOcrPlugin
wget http://jaist.dl.sourceforge.net/sourceforge/jocr/gocr-0.41.tar.gz
wget http://www-e.uni-magdeburg.de/jschulen/ocr/gocr-0.41-pgm.patch
tar xzf gocr-0.41.tar.gz
cd gocr-0.41
patch -p0 < ../gocr-0.41-pgm.patch
perl -e "s/^%configure --with-netpbm=no/%configure/g;" -pi gocr.spec
cd ..
tar czf gocr-0.41.custom.tar.gz gocr-0.41
rm -fr gocr-0.41
rpmbuild -ta gocr-0.41.custom.tar.gz
cd /usr/src/redhat/RPMS/i386/
rpm -ivh gocr-0.41-1.i386.rpm gocr-devel-0.41-1.i386.rpm
cd -
wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-latest.tar.gz
tar xzf fuzzyocr-latest.tar.gz
cd Fuzzy*
mv FuzzyOcr.cf FuzzyOcr.pm /etc/mail/spamassassin
mv FuzzyOcr.words.sample /etc/mail/spamassassin/FuzzyOcr.words

Change FuzzyOcr.cf as required.. and test using 'sa --lint'

- dhawal

From ajcartmell at fonant.com Wed Oct 18 17:30:00 2006
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Oct 18 17:30:12 2006 Subject: OT: need help installing FuzzyOCR In-Reply-To: <45364F06.3040307@sbcglobal.net> References: <45364F06.3040307@sbcglobal.net> Message-ID: >> "giflib seems to be libungif" and "libungif seems to be giflib". >> >> Just worked out why... "giftext" and so on are missing from Fedora5... >> the rpms are only installing 3 library files. For Fedora Core 5 you need yum install giflib yum install giflib-utils giflib-utils is the one for giftext. Cheers! Anthony -- www.fonant.com - Quality web sites From Chris at 7of9b.org Wed Oct 18 17:39:23 2006 From: Chris at 7of9b.org (Chris Burton) Date: Wed Oct 18 17:39:31 2006 Subject: OT: need help installing FuzzyOCR References: <45364F06.3040307@sbcglobal.net> Message-ID: <03fe01c6f2d3$f9fb3910$05fea8c0@murphy3> >> "giflib seems to be libungif" and "libungif seems to be giflib". >> >> Just worked out why... "giftext" and so on are missing from Fedora5... >> the rpms are only installing 3 library files. >> >> So it is off to http://sourceforge.net/projects/libungif to do it all >> from scratch without RPM. On my FC5 box "yum whatprovides /usr/bin/giftext" shows I needed giflib-utils for giftext. ChrisB. From MailScanner at ecs.soton.ac.uk Wed Oct 18 18:06:05 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 18 18:10:38 2006 Subject: install-Clam-SA freshclam In-Reply-To: <223f97700610180810oa47ee33t4a3d166eff5546c1@mail.gmail.com> References: <45363310.9080106@univ-lille1.fr> <223f97700610180810oa47ee33t4a3d166eff5546c1@mail.gmail.com> Message-ID: <45365EFD.3050906@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 18/10/06, Dominique Marant wrote: >> The package install-Clam-SA is updated when there is a new version of >> ClamAv or spamassassin. >> So, in http://www.mailscanner.info/downloads.html, it would better to >> specify the version in the name. For example : >> install-Clam-0-88-5-SA-3-1-5 > > Might be a good thought... How about it Jules? Probably not a bad idea, I get it wrong occasionally myself :-) Do you want it all in the filename, or just in the directory it unpacks into? > >> With install-Clam-SA, could you say me if I have to run a freshclam in >> the crontab or if the signature update is done automaticaly with the >> module Mail-ClamAV ? > > No need to do this by yourself, MailScanner (not the perl Mail-ClamAV > module ....) will do this via the update_virus_scanners script (if > you're not using FreeBSD ports at least:-). It'll find all installed > AV-scanners and run their respective autoupdate scripts. Absolutely. Just make sure that the entry for ClamAV in /etc/MailScanner/virus.scanners.conf points to the right place for your installation of ClamAV. It will be right for my install-Clam-SA package. It may be wrong for some RPM installations. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFNl/3EfZZRxQVtlQRAlGcAKCDgSmtKyTQZ11NULT2aguHSUMODwCg7Ql/ W5zyTQd4ttAEQmDvDr5e93A= =CGyf -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Oct 18 18:10:53 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 18 18:15:34 2006
Subject: whitelist a file from the content scanner
In-Reply-To: <45363460.7070908@solidstatelogic.com>
References: <45363258.2060400@ateb.co.uk> <45363460.7070908@solidstatelogic.com>
Message-ID: <4536601D.2080607@ecs.soton.ac.uk>

Martin Hepworth wrote:
> Simon Annetts wrote:
>> Hi,
>> I need to be able to stop mailscanner from virus checking and
>> filetype detecting a particular filename so that our support team can
>> send updates via email. The file will always be called (for example
>> only:) update.zip and may contain .exe and other type files that are
>> normally banned.
>>
>> At the moment mailscanner always rejects the file and quarantines it
>> because it is in the banned filetypes list. If I exempt .zip files or
>> specifically update.zip then mailscanner proceeds to unpack the file
>> and quarantine any files inside which also are banned. This is all
>> good stuff as far as mailscanner doing its job, but I want this file
>> to pass through mailscanner completely untouched/unchecked. I want to
>> exempt this file name from all checks, - spam virus content and
>> filetype.
>>
>>
>> Is this possible???
>> Best Regards
>> Simon
>>
>>
> Simon
>
> I'd do this by originating ip-address if I were you....put a ruleset
> on the checks, so if it's from your LAN you don't run the extra
> filename checks etc...

To just allow this one filename, add a new filename.rules.conf file (as
per the instructions in the wiki) with 1 rule at the top that says

allow	^my\.file\.name$	-	-

Note those 4 fields are separated with *tab* characters and not spaces.
This is the 1 place (filename.rules.conf and filetype.rules.conf) where
MailScanner is fussy about the types of spaces you use as a separator.
Otherwise, how would you match against a filename pattern that contained
a space?

You will also have to make sure it passes the file-type checks as well,
with a similar trick.

You've got a little bit of reading to do, this is about as complex as it
can get, sorry.

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From arturs at netvision.net.il Wed Oct 18 18:30:17 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Wed Oct 18 18:32:26 2006
Subject: FuzzyOcr working but not via MailScanner
In-Reply-To:
Message-ID: <01d701c6f2db$16346550$3701a8c0@lapxp>

Have you restarted MailScanner?

Best,

-- 
Arthur Sherman

+972-52-4878851
CPTeam

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Anthony Cartmell > Sent: Wednesday, October 18, 2006 6:03 PM > To: MailScanner List > Subject: FuzzyOcr working but not via MailScanner > > Hi folks, > > I have recently installed FuzzyOcr, and it works fine when > spamassassin is > called directly. However when MailScanner runs it seems to load the > FuzzyOcr plugin but then never calls it. > > Have checked with --lint and logging all the FuzzyOcr debug > information. > > Have tried moving the loadplugin to v310.pre from > FuzzyOcr.cf, but that > made no difference. > > Fedora Core 5, Perl 5.8.8, MailScanner 4.56.8, FuzzyOcr 2.3b > > Any ideas what I can check next? > > Anthony > -- > www.fonant.com - Quality web sites > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From arturs at netvision.net.il Wed Oct 18 18:30:17 2006 
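Julian Field's reply earlier in this thread says the four fields of a filename.rules.conf rule must be separated by tabs, not spaces. The checker below is an added example, not part of any list post and not MailScanner code: it assumes a run of tabs counts as one separator, the function names and sample rules are constructed, and the anchoring check on allow rules is an extra hardening check added here.

```shell
#!/bin/sh
# Added example, not MailScanner code: lint a filename.rules.conf-style file.
# Assumption: fields are separated by one or more TAB characters.

# check_rules FILE
# Prints "LINE: problem" for each defective rule; returns 1 if any were found.
check_rules() {
    awk -F '\t+' '
        /^[ \t]*#/ { next }      # comment
        /^[ \t]*$/ { next }      # blank line
        NF != 4 {
            # Space-separated rules collapse into a single field here.
            printf "%d: expected 4 tab-separated fields, found %d\n", NR, NF
            bad = 1
            next
        }
        # Added hardening check: an unanchored allow pattern also matches
        # longer names that merely contain the intended one.
        $1 == "allow" && ($2 !~ /^\^/ || $2 !~ /\$$/) {
            printf "%d: allow pattern %s is not anchored with ^ and $\n", NR, $2
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_sample_rules FILE
# Writes a small constructed rules file: one good allow rule, the same rule
# typed with spaces, an unanchored allow rule, and a deny rule whose text
# fields contain spaces (which is why the separator has to be a tab).
write_sample_rules() {
    {
        printf '# constructed sample rules\n'
        printf '%s\t%s\t%s\t%s\n' allow '^update\.zip$' - -
        printf '%s\n' 'allow ^update\.zip$ - -'
        printf '%s\t%s\t%s\t%s\n' allow 'update\.zip' - -
        printf '%s\t%s\t%s\t%s\n' deny '\.exe$' 'Executable' 'No executables please'
    } > "$1"
}

# Stand-alone run: lint the constructed sample and report.
sample=$(mktemp)
write_sample_rules "$sample"
check_rules "$sample" || echo "fix the lines listed above before relying on this rules file"
rm -f "$sample"
```
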
From: arturs at netvision.net.il (Arthur Sherman)
Date: Wed Oct 18 18:32:30 2006
Subject: OT: need help installing FuzzyOCR
In-Reply-To: <45364F06.3040307@sbcglobal.net>
Message-ID: <01d801c6f2db$18920460$3701a8c0@lapxp>

I installed all packages on CentOS-4.4 (except for FuzzyOcr itself,
obviously) through either base yum, or CPAN, or through yum from DAG's
repository.

NetPBM and NetPBM-progs through yum;
ImageMagick-perl through yum; the package installed dependencies;
Libungif through yum;
Gocr through yum from DAG repo;
String::Approx, MLDBM, DB_File, Storable modules through CPAN;

From FuzzyOCR INSTALL file:
---
2. Installing the plugin:

2.1 Installing the required files

Put the FuzzyOcr.cf and the FuzzyOcr.pm files into /etc/mail/spamassassin.
The FuzzyOcr.cf file already contains a line to load the plugin, if you want
to put the .pm file in a different location, change this line accordingly.
Create a wordlist file, a sample wordlist is shipped with this release, and
put it also in /etc/mail/spamassassin.
---

It works well, up to now. I am still testing.
I have seen rpms needed for both Fedora/Redhat on DAG's repo - great one!

Hope it helps

Best,

-- 
Arthur Sherman

+972-52-4878851
CPTeam

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ed Bruce > Sent: Wednesday, October 18, 2006 5:58 PM > To: MailScanner discussion > Subject: Re: OT: need help installing FuzzyOCR > > ajos1@onion.demon.co.uk wrote: > > - > > > > Update... well... > > > > "giflib seems to be libungif" and "libungif seems to be giflib". > > > > Just worked out why... "giftext" and so on are missing from > Fedora5... the rpms are only installing 3 library files. > > > > So it is off to http://sourceforge.net/projects/libungif to > do it all from scratch without RPM. > > > I ran into this problem with Redhat AS 3 and just gave up. > Too much work > and a chance I will hose up my system. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From arturs at netvision.net.il Wed Oct 18 18:35:06 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Oct 18 18:37:09 2006 Subject: OT: need help installing FuzzyOCR In-Reply-To: <453654E7.40709@netmagicsolutions.com> Message-ID: <01d901c6f2db$c03ef970$3701a8c0@lapxp> Figured it out by myself... But anyway, thanks for this great howto! I will save it for further reference. Best, -- Arthur Sherman +972-52-4878851 CPTeam > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Dhawal Doshy > Sent: Wednesday, October 18, 2006 6:23 PM > To: MailScanner discussion > Subject: Re: OT: need help installing FuzzyOCR > > Arthur Sherman wrote: > > Hi, > > > > I am trying to install the FuzzyOCR plugin to work with > SpamAssassin on > > CentOS-4.4. > > > > It asks for ImageMagick installation, so I yummed for it > and found a great > > deal of packages. I hesitate between ImageMagick.i386 and > > ImageMagick-perl.i386, while latter seems to be more appropriate. > > > > Is it right? > > May someone share some other tips for > installing/configuring the plugin? > > I have it installed on 3 servers and do not remember the > requirement for > imagemagick!! > > Anyways, here is a snippet from my doc (for centos 4.x). > > yum install netpbm netpbm-devel netpbm-progs gtk+-devel libungif > libungif-devel libungif-progs > perl -MCPAN -eshell > install String::Approx > mkdir /root/FuzzyOcrPlugin > cd /root/FuzzyOcrPlugin > wget http://jaist.dl.sourceforge.net/sourceforge/jocr/gocr-0.41.tar.gz > wget http://www-e.uni-magdeburg.de/jschulen/ocr/gocr-0.41-pgm.patch > tar xzf gocr-0.41.tar.gz > cd gocr-0.41 > patch -p0 < ../gocr-0.41-pgm.patch > perl -e "s/^%configure --with-netpbm=no/%configure/g;" -pi gocr.spec > cd .. > tar czf gocr-0.41.custom.tar.gz gocr-0.41 > rm -fr gocr-0.41 > rpmbuild -ta gocr-0.41.custom.tar.gz > cd /usr/src/redhat/RPMS/i386/ > rpm -ivh gocr-0.41-1.i386.rpm gocr-devel-0.41-1.i386.rpm > cd - > wget > http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-latest.tar.gz > tar xzf fuzzyocr-latest.tar.gz > cd Fuzzy* > mv FuzzyOcr.cf FuzzyOcr.pm /etc/mail/spamassassin > mv FuzzyOcr.words.sample /etc/mail/spamassassin/FuzzyOcr.words > > Change FuzzyOcr.cf as required.. 
and test using 'sa --lint' > > - dhawal > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From Denis.Beauchemin at USherbrooke.ca Wed Oct 18 18:40:42 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Oct 18 18:41:18 2006
Subject: Found 385 messages waiting
In-Reply-To:
References: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl> <45363E46.1080700@USherbrooke.ca>
Message-ID: <4536671A.7030904@USherbrooke.ca>

Scott Silva wrote:
> Denis Beauchemin spake the following on 10/18/2006 7:46 AM:
>
>> Mevershosting.nl wrote:
>>
>>> Mike, list,
>>>
>>> This is the script I use, it doesn't delete files but renames them. You
>>> could stop mailscanner first in the script before running this, but I
>>> found it doesn't really make a difference.
>>>
>>> snip
>>>
>> I use the following one-liner in root's crontab to remove files that
>> don't have today's date (uses bash syntax on a RHEL 4 system):
>> 19 9 * * * cd /var/spool/mqueue.in/ && /bin/rm -f $(/bin/ls -l
>> /var/spool/mqueue.in/[dqt]* 2>/dev/null | /bin/grep -v "$(/bin/date
>> '+\%b \%e')"|/bin/awk '{print $NF}') 2>/dev/null
>>
>> Denis
>>
>>
> It would be better to use something that goes back at least the number of days
> your system will retry for, something like;
>
> ...

Scott,

Not really since emails never stay that long in the mqueue.in
directory. I have been careful enough to program it late in the morning
(9:19). The only files that are still in mqueue.in at 9:19 are the
leftovers with only one q/d file.

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061018/6950d3fe/smime.bin

From Denis.Beauchemin at USherbrooke.ca Wed Oct 18 18:50:00 2006
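The two clean-up criteria discussed in this thread, Scott Silva's age threshold and Denis Beauchemin's "leftovers with only one q/d file", can be combined so that only files meeting both are listed. The script below is an added example, not code from either poster; it assumes queue files are named qf<ID> and df<ID> and a 3-day retry window, and the function names and queue IDs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report queue files that are BOTH older
# than the retry window AND missing their partner file.
# Assumption: control files are named qf<ID> and data files df<ID>.

# list_orphans DIR DAYS
# Prints, sorted, each qf*/df* file under DIR that is older than DAYS days
# and has no matching df*/qf* file beside it. Nothing is deleted.
list_orphans() {
    find "$1" -type f \( -name 'qf*' -o -name 'df*' \) -mtime +"$2" -print |
    while IFS= read -r path; do
        dir=${path%/*}          # directory holding the file
        base=${path##*/}        # file name, e.g. qfk9EAAA04
        id=${base#?f}           # queue ID shared by both halves
        case $base in
            qf*) partner=$dir/df$id ;;
            *)   partner=$dir/qf$id ;;
        esac
        # Only a file whose other half is absent counts as an orphan.
        [ -e "$partner" ] || printf '%s\n' "$path"
    done | sort
}

# make_sample_queue DIR
# Populates DIR with constructed queue files for the demonstration.
make_sample_queue() {
    old=200610140900                                  # constructed old timestamp
    touch -t "$old" "$1/qfk9EAAA01" "$1/dfk9EAAA01"   # complete pair, old
    touch -t "$old" "$1/dfk9EAAA02"                   # old, data file only
    touch -t "$old" "$1/qfk9EAAA04"                   # old, control file only
    touch "$1/qfk9EAAA03"                             # unpaired but fresh
}

# Stand-alone run: list the orphans in the constructed queue.
q=$(mktemp -d)
make_sample_queue "$q"
list_orphans "$q" 3
rm -rf "$q"
```

The fresh unpaired file and the old complete pair are both left out of the list, so a message still being written and a message that is merely delayed are not candidates for removal.
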
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Oct 18 18:50:24 2006
Subject: install-Clam-SA freshclam
In-Reply-To: <45365EFD.3050906@ecs.soton.ac.uk>
References: <45363310.9080106@univ-lille1.fr> <223f97700610180810oa47ee33t4a3d166eff5546c1@mail.gmail.com> <45365EFD.3050906@ecs.soton.ac.uk>
Message-ID: <45366948.5010104@USherbrooke.ca>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Glenn Steen wrote:
>
>> On 18/10/06, Dominique Marant wrote:
>>
>>> The package install-Clam-SA is updated when there is a new version of
>>> ClamAv or spamassassin.
>>> So, in http://www.mailscanner.info/downloads.html, it would better to
>>> specify the version in the name. For example :
>>> install-Clam-0-88-5-SA-3-1-5
>>>
>> Might be a good thought... How about it Jules?
>>
> Probably not a bad idea, I get it wrong occasionally myself :-)
>
> Do you want it all in the filename, or just in the directory it unpacks
> into?
>
>

Julian,

Just modify the file name. It's OK to always use the same directory name.

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061018/9602ddf3/smime-0001.bin

From lists at norcomcable.ca Wed Oct 18 19:08:18 2006
From: lists at norcomcable.ca (Dan) Date: Wed Oct 18 19:08:27 2006 Subject: install-Clam-SA freshclam In-Reply-To: <45365EFD.3050906@ecs.soton.ac.uk> Message-ID: > > Glenn Steen wrote: > > On 18/10/06, Dominique Marant > wrote: > >> The package install-Clam-SA is updated when there is a new > version of > >> ClamAv or spamassassin. > >> So, in http://www.mailscanner.info/downloads.html, it > would better to > >> specify the version in the name. For example : > >> install-Clam-0-88-5-SA-3-1-5 > > > > Might be a good thought... How about it Jules? > Probably not a bad idea, I get it wrong occasionally myself :-) > > Do you want it all in the filename, or just in the directory > it unpacks into? > I always unpack and change the dir name so that I have an archive of past installations. It would be nice if it unpacked to include the version names as well. regards, -dan From spamtrap71892316634 at anime.net Wed Oct 18 19:09:21 2006 From: spamtrap71892316634 at anime.net (Dan Hollis) Date: Wed Oct 18 19:09:26 2006 Subject: OT: need help installing FuzzyOCR In-Reply-To: References: <45364F06.3040307@sbcglobal.net> Message-ID: On Wed, 18 Oct 2006, Anthony Cartmell wrote: >>> "giflib seems to be libungif" and "libungif seems to be giflib". >>> Just worked out why... "giftext" and so on are missing from Fedora5... the >>> rpms are only installing 3 library files. > For Fedora Core 5 you need > > yum install giflib > yum install giflib-utils > > giflib-utils is the one for giftext. Even easier: yum install giflib-utils It will figure the dependencies out itself automagically :) -Dan From MailScanner at ecs.soton.ac.uk Wed Oct 18 19:14:39 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 18 19:15:27 2006
Subject: OT: need help installing FuzzyOCR
In-Reply-To: <01d901c6f2db$c03ef970$3701a8c0@lapxp>
References: <01d901c6f2db$c03ef970$3701a8c0@lapxp>
Message-ID: <45366F0F.3000201@ecs.soton.ac.uk>

Please can you add it to the SpamAssassin section of the MailScanner wiki!

It is important to keep and share stuff like this.

Arthur Sherman wrote:
> Figured it out by myself...
>
> But anyway, thanks for this great howto!
> I will save it for further reference.
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> CPTeam
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Dhawal Doshy
>> Sent: Wednesday, October 18, 2006 6:23 PM
>> To: MailScanner discussion
>> Subject: Re: OT: need help installing FuzzyOCR
>>
>> Arthur Sherman wrote:
>>> Hi,
>>>
>>> I am trying to install the FuzzyOCR plugin to work with SpamAssassin on
>>> CentOS-4.4.
>>>
>>> It asks for ImageMagick installation, so I yummed for it and found a great
>>> deal of packages. I hesitate between ImageMagick.i386 and
>>> ImageMagick-perl.i386, while latter seems to be more appropriate.
>>>
>>> Is it right?
>>> May someone share some other tips for installing/configuring the plugin?
>>
>> I have it installed on 3 servers and do not remember the requirement for
>> imagemagick!!
>>
>> Anyways, here is a snippet from my doc (for centos 4.x).
>>
>> yum install netpbm netpbm-devel netpbm-progs gtk+-devel libungif libungif-devel libungif-progs
>> perl -MCPAN -eshell
>> install String::Approx
>> mkdir /root/FuzzyOcrPlugin
>> cd /root/FuzzyOcrPlugin
>> wget http://jaist.dl.sourceforge.net/sourceforge/jocr/gocr-0.41.tar.gz
>> wget http://www-e.uni-magdeburg.de/jschulen/ocr/gocr-0.41-pgm.patch
>> tar xzf gocr-0.41.tar.gz
>> cd gocr-0.41
>> patch -p0 < ../gocr-0.41-pgm.patch
>> perl -e "s/^%configure --with-netpbm=no/%configure/g;" -pi gocr.spec
>> cd ..
>> tar czf gocr-0.41.custom.tar.gz gocr-0.41
>> rm -fr gocr-0.41
>> rpmbuild -ta gocr-0.41.custom.tar.gz
>> cd /usr/src/redhat/RPMS/i386/
>> rpm -ivh gocr-0.41-1.i386.rpm gocr-devel-0.41-1.i386.rpm
>> cd -
>> wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-latest.tar.gz
>> tar xzf fuzzyocr-latest.tar.gz
>> cd Fuzzy*
>> mv FuzzyOcr.cf FuzzyOcr.pm /etc/mail/spamassassin
>> mv FuzzyOcr.words.sample /etc/mail/spamassassin/FuzzyOcr.words
>>
>> Change FuzzyOcr.cf as required..
and test using 'sa --lint'
>>
>> - dhawal
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Wed Oct 18 19:38:22 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 18 19:40:12 2006
Subject: install-Clam-SA freshclam
In-Reply-To: <45366948.5010104@USherbrooke.ca>
References: <45363310.9080106@univ-lille1.fr> <223f97700610180810oa47ee33t4a3d166eff5546c1@mail.gmail.com> <45365EFD.3050906@ecs.soton.ac.uk> <45366948.5010104@USherbrooke.ca>
Message-ID: <4536749E.7060704@ecs.soton.ac.uk>

You should find the new file in the downloads page. I have done both the filename and the extraction directory, just to be on the safe side.

Denis Beauchemin wrote:
> Julian Field wrote:
>> Glenn Steen wrote:
>>> On 18/10/06, Dominique Marant wrote:
>>>> The package install-Clam-SA is updated when there is a new version of
>>>> ClamAv or spamassassin.
>>>> So, in http://www.mailscanner.info/downloads.html, it would be better to
>>>> specify the version in the name. For example :
>>>> install-Clam-0-88-5-SA-3-1-5
>>> Might be a good thought... How about it Jules?
>> Probably not a bad idea, I get it wrong occasionally myself :-)
>>
>> Do you want it all in the filename, or just in the directory it
>> unpacks into?
>
> Julian,
>
> Just modify the file name. It's OK to always use the same directory
> name.
>
> Denis

Jules

From MailScanner at ecs.soton.ac.uk Wed Oct 18 19:39:34 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Oct 18 19:40:20 2006
Subject: install-Clam-SA freshclam
In-Reply-To:
References:
Message-ID: <453674E6.2080905@ecs.soton.ac.uk>

Dan wrote:
>> Glenn Steen wrote:
>>> On 18/10/06, Dominique Marant wrote:
>>>> The package install-Clam-SA is updated when there is a new version of
>>>> ClamAv or spamassassin.
>>>> So, in http://www.mailscanner.info/downloads.html, it would better to
>>>> specify the version in the name. For example :
>>>> install-Clam-0-88-5-SA-3-1-5
>>> Might be a good thought... How about it Jules?
>> Probably not a bad idea, I get it wrong occasionally myself :-)
>>
>> Do you want it all in the filename, or just in the directory
>> it unpacks into?
>
> I always unpack and change the dir name so that I have an archive of past
> installations.
> It would be nice if it unpacked to include the version names as well.

Done.

Jules

From ewallig at aerocontractors.com Wed Oct 18 19:55:17 2006
From: ewallig at aerocontractors.com (Ed Wallig)
Date: Wed Oct 18 19:55:23 2006
Subject: Block outgoing mail w/ bad addressing
Message-ID:

Hi,

I have a number of users that seem to get amnesia when trying to send email to other employees at work. Specifically, they forget what the email domain extension is assigned to our email system and end up sending messages that should be going to our domain to another domain that is not associated w/ our company. Of course, they're getting bounced but I would like to stop the messages from exiting the system and bouncing off of this poor admin's email system.

Is there a way to write a rule in MailScanner that would basically do this:

* Check to see if the message is for a valid user (in terms of username) for our domain
* Check to see if the message has been addressed with an improper email domain (username@maildomain.com instead of maildomain.net, etc)
* If both previous checks are yes, bounce the message prior to it leaving the MTA

Is this something that can be done w/ MS or should it be addressed by the MTA (Postfix)?

Thanks,

- Ed

From dhawal at netmagicsolutions.com Wed Oct 18 19:56:25 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Oct 18 19:56:41 2006
Subject: OT: need help installing FuzzyOCR
In-Reply-To: <45366F0F.3000201@ecs.soton.ac.uk>
References: <01d901c6f2db$c03ef970$3701a8c0@lapxp> <45366F0F.3000201@ecs.soton.ac.uk>
Message-ID: <453678D9.4020009@netmagicsolutions.com>

Julian Field wrote:
> Please can you add it to the SpamAssassin section of the MailScanner wiki!
>
> It is important to keep and share stuff like this.

Done,
http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:fuzzyocr

Now someone who actually uses this could please verify/validate the instructions.

- dhawal

From mike at vesol.com Wed Oct 18 20:08:07 2006
From: mike at vesol.com (Mike Kercher)
Date: Wed Oct 18 20:08:28 2006
Subject: Block outgoing mail w/ bad addressing
In-Reply-To:
Message-ID:

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ed Wallig Sent: Wednesday, October 18, 2006 1:55 PM To: mailscanner@lists.mailscanner.info Subject: Block outgoing mail w/ bad addressing Hi, I have a number of users that seem to get amnesia when trying to send email to other employees at work. Specifically, they forget what the email domain extension is assigned to our email system and end up sending messages that should be going to our domain to another domain that is not associated w/ our company. Of course, they're getting bounced but I would like to stop the messages from exiting the system and bouncing off of this poor admin's email system. Is there a way to write a rule in MailScanner that would basically do this: * Check to see if the message is for a valid user (in terms of username) for our domain * Check to see if the message has been addressed with an improper email domain (username@maildomain .com instead of maildomain.net, etc) * If both previous checks are yes, bounce the message prior to it leaving the MTA Is this something that can be done w/ MS or should it be addressed by the MTA (Postfix)? Thanks, - Ed _________________________________ I think this would be a job for the MTA. A simple solution would be to make your server think that mail destined for domain.NET is for local delivery as well as domain.COM (or whatever the incorrect TLD is). Mike From ajcartmell at fonant.com Wed Oct 18 20:21:43 2006 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Oct 18 20:21:56 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: <01d701c6f2db$16346550$3701a8c0@lapxp> References: <01d701c6f2db$16346550$3701a8c0@lapxp> Message-ID: > Have you restarted MailScanner? Yes, many times :) FuzzyOcr is called if I do "spamassassin -t < test.eml" but not when MailScanner calls spamassassin. Someone else on the FuzzyOcr list seems to have the same problem. Is there anything unusual in the way MailScanner calls/uses spamassassin? Will keep investigating... Anthony -- www.fonant.com - Quality web sites From dhawal at netmagicsolutions.com Wed Oct 18 20:33:32 2006 
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Oct 18 20:33:51 2006
Subject: FuzzyOcr working but not via MailScanner
In-Reply-To:
References: <01d701c6f2db$16346550$3701a8c0@lapxp>
Message-ID: <4536818C.7080701@netmagicsolutions.com>

Anthony Cartmell wrote:
>> Have you restarted MailScanner?
>
> Yes, many times :)
>
> FuzzyOcr is called if I do "spamassassin -t < test.eml" but not when
> MailScanner calls spamassassin. Someone else on the FuzzyOcr list seems
> to have the same problem.
>
> Is there anything unusual in the way MailScanner calls/uses spamassassin?
>
> Will keep investigating...

From the fuzzyocr FAQ
=====================
Question 10: I am using MailScanner and I'm getting "Unexpected error in pipe to external programs...." with the graphic tools pipes (like jpegtopnm failing).

Answer 10: MailScanner by default only passes the first 30kb of the mail to SpamAssassin. Sometimes, this causes the image to be truncated in the middle if it is bigger. The only way to fix this at the moment is disabling this option in MailScanner (see your documentation).

Another thing to try
====================
Also try setting 'focr_verbose 2' in the config file, most messages report something like this..

[2006-10-19 01:00:40] Debug mode: Starting FuzzyOcr...
[2006-10-19 01:00:40] Debug mode: Attempting to load personal wordlist...
[2006-10-19 01:00:40] Debug mode: No personal wordlist found, skipping...
[2006-10-19 01:00:40] Debug mode: Scan canceled, message has already more than 10 points.

HTH,
- dhawal

From brian.duncan at kattenlaw.com Wed Oct 18 20:42:24 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Wed Oct 18 20:42:33 2006 Subject: FuzzyOcr working but not via MailScanner Message-ID: <65234743FE1555428435CE39E6AC4078B38AB1@CHI-US-EXCH-01.us.kmz.com> I had the same issue around a week or so ago. I have seen two causes for this being posted so far. 1st is: > I emailed the original poster about his problem and he said his worked > when he changed his max spamassassin message size from something Like > 60K to 60000. -- The key being not to use K but to list the whole number. 2nd (which fixed it finally for me was:) >I got my plugins working now with MailScanner. Bayes came back also. >I had used a Spam Assassin FC SRPM, removed it and re-installed the newest SpamAssassin version manually with Perl and all started working. >Weird though.. -D --lint showed ALL being loaded fine, all plugins and bayes. Spam Assassin locally would tag properly, just not through > >MailScanner. I even compared all the install dirs between the RPM SpamAssassin and the manual Perl install and they all looked the same. >Thanks > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Anthony Cartmell > Sent: Wednesday, October 18, 2006 11:03 AM > To: MailScanner List > Subject: FuzzyOcr working but not via MailScanner > > Hi folks, > > I have recently installed FuzzyOcr, and it works fine when > spamassassin is called directly. However when MailScanner > runs it seems to load the FuzzyOcr plugin but then never calls it. > > Have checked with --lint and logging all the FuzzyOcr debug > information. > > Have tried moving the loadplugin to v310.pre from > FuzzyOcr.cf, but that made no difference. > > Fedora Core 5, Perl 5.8.8, MailScanner 4.56.8, FuzzyOcr 2.3b > > Any ideas what I can check next? > > Anthony > -- > www.fonant.com - Quality web sites > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. 
Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. =========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). =========================================================== From brian.duncan at kattenlaw.com Wed Oct 18 20:47:06 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Wed Oct 18 20:47:15 2006
Subject: OT: ImageInfo or some other tool to detect Animated Gifs.
Message-ID: <65234743FE1555428435CE39E6AC4078B38AB2@CHI-US-EXCH-01.us.kmz.com>

FYI to answer my own IT post: (After monitoring the Spam Assassin mailing list - Very valuable)

In my case if the SARE ruleset (when release) works on animated gifs, I will get rid of OCR'ing.

> Hi,
>
> Has anyone come up with a SA method for identifying animated GIFs?
> Like some way of getting the properties of the file and checking if
> the frame count > 1?
> I've looked at mime signatures, but I'm not sure if that will work and
> I don't have enough samples to test.

Before anyone else slams you. YES. And a 60 second search of the archives would have pulled it up. You can use FuzzyOCR, or the SARE stock ruleset will be updated soon with a less CPU intense solution.

--Chris

From ka at pacific.net Wed Oct 18 20:55:29 2006
From: ka at pacific.net (Ken A)
Date: Wed Oct 18 20:53:36 2006
Subject: Block outgoing mail w/ bad addressing
In-Reply-To:
References:
Message-ID: <453686B1.8090700@pacific.net>

Ed Wallig wrote:
> Hi,
>
> I have a number of users that seem to get amnesia when trying to send
> email to other employees at work. Specifically, they forget what the
> email domain extension is assigned to our email system and end up
> sending messages that should be going to our domain to another domain
> that is not associated w/ our company. Of course, they're getting
> bounced but I would like to stop the messages from exiting the system
> and bouncing off of this poor admin's email system.
>
> Is there a way to write a rule in MailScanner that would basically do
> this:
>
> * Check to see if the message is for a valid user (in terms of
> username) for our domain

MTA should already be doing this.

> * Check to see if the message has been addressed with an improper
> email domain (username@maildomain.com instead of maildomain.net, etc)

Yeah, our users have fatter fingers than your users! You can do this in sendmail access map. Postfix has something similar, I'm sure..

To:sbcgobal.com ERROR:5.1.1:550 Please check spelling on recipient domain - should be sbcglobal.net

Ken A.
Pacific.Net

> * If both previous checks are yes, bounce the message prior to it
> leaving the MTA
> Is this something that can be done w/ MS or should it be addressed by
> the MTA (Postfix)?
>
>
> Thanks,
>
> - Ed
>
>

From ajcartmell at fonant.com Wed Oct 18 21:05:25 2006
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Wed Oct 18 21:05:43 2006
Subject: FuzzyOcr working but not via MailScanner
In-Reply-To: <4536818C.7080701@netmagicsolutions.com>
References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com>
Message-ID:

> Answer 10: MailScanner by default only passes the first 30kb of the
> mail to SpamAssassin.

Interesting. Most of the spam in question is less than 30kb in total size, though, and I don't see any error messages.

> Another thing to try
> ====================
> Also try setting 'focr_verbose 2' in the config file, most messages
> report something like this..

I get a lot of

[2006-10-18 20:39:26] Debug mode: Set scansets to values:
$gocr -i -
$gocr -l 180 -d 2 -i -

But only get messages like:

[2006-10-18 16:17:11] Debug mode: Starting FuzzyOcr...
[2006-10-18 16:17:11] Debug mode: Attempting to load personal wordlist...
[2006-10-18 16:17:11] Debug mode: No personal wordlist found, skipping...
[2006-10-18 16:17:11] Debug mode: FuzzyOcr ending successfully...

when I run the spamassassin test manually, not when it's run via MailScanner :(

The spam messages with inline GIFs are found by SARE_GIF_ATTACH, but aren't scoring high enough to be marked.

For example, a message that went through unmarked as spam, gets marked as spam if I run spamassassin manually:

spamassassin --debug -t < /var/spool/MailScanner/quarantine/20061018/nonspam/k9IHujkc027719

Hmmmm... it also gets a much higher score from this, as other tests also seem to be missed when run from MailScanner...
MailScanner score (1.508):

0.75 SARE_GIF_ATTACH Email has a inline gif
0.08 TW_DF Odd Letter Triples with DF
0.08 TW_GG Odd Letter Triples with GG
0.08 TW_GZ Odd Letter Triples with GZ
0.08 TW_RG Odd Letter Triples with RG

Manual spamassassin score (38.9):

3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
0.1 TW_GZ BODY: Odd Letter Triples with GZ
0.1 TW_RG BODY: Odd Letter Triples with RG
0.1 TW_GG BODY: Odd Letter Triples with GG
0.1 TW_DF BODY: Odd Letter Triples with DF
1.8 TVD_FW_GRAPHIC_NAME_LONG BODY: TVD_FW_GRAPHIC_NAME_LONG
1.2 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
2.8 TVD_FW_GRAPHIC_ID1 BODY: TVD_FW_GRAPHIC_ID1
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    [score: 0.4908]
0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    [84.122.43.158 listed in dnsbl.sorbs.net]
2.6 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
    []
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    [84.122.43.158 listed in sbl-xbl.spamhaus.org]
1.7 SARE_GIF_STOX Inline Gif with little HTML
17 FUZZY_OCR BODY: Mail contains an image with common spam text inside
    Words found:
    "alert" in 3 lines
    "news" in 1 lines
    "alert" in 3 lines
    "stock" in 1 lines
    "investor" in 2 lines
    "company" in 1 lines
    "trade" in 1 lines
    "service" in 1 lines
    "levitra" in 2 lines
    (15 word occurrences found)

Thanks for the ideas,

Anthony
--
www.fonant.com - Quality web sites

From chandler at chapman.edu Wed Oct 18 21:19:25 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Wed Oct 18 21:19:32 2006
Subject: Per User Black/White lists
Message-ID:

Migrating our mailservers over from Spam Assassin to use Mailscanner. Ideally this will be relatively seamless from the user standpoint.

Right now each user has a directory in their home dir, called .spamassassin. Inside that directory is a file called user_prefs, with content such as:

#General Options
required_hits 6.00
rewrite_subject 1
subject_tag *****SPAM*****
defang_mime 0
use_terse_report 0
#Blacklist/Whitelist Entries
#Configured Rules

Any suggestions of how to implement this within MailScanner, if it's even possible?

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Ethernet, n. What one uses to catch the Etherbunny.

From ssilva at sgvwater.com Wed Oct 18 21:14:45 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 18 21:20:24 2006
Subject: Found 385 messages waiting
In-Reply-To: <4536671A.7030904@USherbrooke.ca>
References: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl> <45363E46.1080700@USherbrooke.ca> <4536671A.7030904@USherbrooke.ca>
Message-ID:

Denis Beauchemin spake the following on 10/18/2006 10:40 AM:
> Scott Silva wrote:
>> Denis Beauchemin spake the following on 10/18/2006 7:46 AM:
>>> Mevershosting.nl wrote:
>>>> Mike, list,
>>>>
>>>> This is the script I use, it doesn't delete files but renames them. You
>>>> could stop mailscanner first in the script before running this, but I
>>>> found it doesn't really make a difference.
>>>>
>>>> snip
>>>>
>>> I use the following one-liner in root's crontab to remove files that
>>> don't have today's date (uses bash syntax on a RHEL 4 system):
>>> 19 9 * * * cd /var/spool/mqueue.in/ && /bin/rm -f $(/bin/ls -l /var/spool/mqueue.in/[dqt]* 2>/dev/null | /bin/grep -v "$(/bin/date '+\%b \%e')"|/bin/awk '{print $NF}') 2>/dev/null
>>>
>>> Denis
>>>
>> It would be better to use something that goes back at least the number of days
>> your system will retry for, something like;
>>
>> ...
> Scott,
>
> Not really since emails never stay that long in the mqueue.in
> directory. I have been careful enough to program it late in the morning
> (9:19). The only files that are still in mqueue.in at 9:19 are the
> leftovers with only one q/d file.
>
> Denis
>
Sorry, I posted without seeing that you were cleaning the in queue. I/O error on my part. Or more of an ID10T error. I have to read slower in the morning!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From neal.mailscanner at gmail.com Wed Oct 18 21:58:23 2006
From: neal.mailscanner at gmail.com (Neal L)
Date: Wed Oct 18 21:58:32 2006
Subject: Double sendmail processes
Message-ID: <6f7468cc0610181358g9dd1d26id4727b6d61acb0d2@mail.gmail.com>

I would be very interested in this as well. We run several mailscanner boxes here which are handed email in a round-robin fashion. We choose to scan all incoming and outgoing email for spam and viruses so simply whitelisting our internal addresses wouldn't work for me.

Unfortunately some users who receive their email on their own systems (after MailScanner has already scanned them) have a forward rule that sends this email back out of our system (for instance, to a gmail account). In this case we end up scanning the same message twice.

It would be great if MailScanner could identify a message that has already been identified as spam by looking for the "X-so-MailScanner-SpamCheck" line (one would, of course, want to use a customized line here so that a spammer couldn't just put the generic line in a message) and then just pass it along with the previous score rather than running the spam checks again.

My thought is that this would be fairly safe because (1) we would only do this for messages that have already been found to be spam, and (2) because we only trust our own custom headers. To be a bit safer we could only allow this rule to be triggered if a message comes from certain IP addresses.

Is there a general interest out there for this kind of a thing? If so, I wonder if it's something Julian would be interested in implementing.

Neal L.

From ewallig at aerocontractors.com Wed Oct 18 22:00:12 2006
From: ewallig at aerocontractors.com (Ed Wallig) Date: Wed Oct 18 22:00:19 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <453686B1.8090700@pacific.net> Message-ID: Thanks, I'll look into Postfix options. I wish it were as simple as fat fingers but it's not - they sometimes simply go off into their own world - in this world, all email sent to "user a" goes to "user a" no matter where they send it :( Thanks again... - Ed -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A Sent: Wednesday, October 18, 2006 3:55 PM To: MailScanner discussion Subject: Re: Block outgoing mail w/ bad addressing Ed Wallig wrote: > Hi, > > I have a number of users that seem to get amnesia when trying to send > email to other employees at work. Specifically, they forget what the > email domain extension is assigned to our email system and end up > sending messages that should be going to our domain to another domain > that is not associated w/ our company. Of course, they're getting > bounced but I would like to stop the messages from exiting the system > and bouncing off of this poor admin's email system. > > Is there a way to write a rule in MailScanner that would basically do > this: > > * Check to see if the message is for a valid user (in terms of > username) for our domain MTA should already be doing this. > * Check to see if the message has been addressed with an improper > email domain (username@maildomain .com instead of maildomain.net, etc) Yeah, our users have fatter fingers than your users! You can do this in sendmail access map. Postfix has something similar, I'm sure.. To:sbcgobal.com ERROR:5.1.1:550 Please check spelling on recipient domain - should be sbcglobal.net Ken A. Pacific.Net > * If both previous checks are yes, bounce the message prior to it > leaving the MTA > Is this something that can be done w/ MS or should it be addressed by > the MTA (Postfix)? > > > Thanks, > > - Ed > > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From neal.mailscanner at gmail.com Wed Oct 18 22:07:14 2006 
From: neal.mailscanner at gmail.com (Neal L)
Date: Wed Oct 18 22:07:20 2006
Subject: Avoid double scan
Message-ID: <6f7468cc0610181407i4f8232c7q831473fba98a8ab0@mail.gmail.com>

My apologies to the list: I sent the following message a few minutes ago with the subject line "Re: Double sendmail processes" instead of the correct subject line above.

I would be very interested in this as well. We run several mailscanner boxes here which are handed email in a round-robin fashion. We choose to scan all incoming and outgoing email for spam and viruses so simply whitelisting our internal addresses wouldn't work for me.

Unfortunately some users who receive their email on their own systems (after MailScanner has already scanned them) have a forward rule that sends this email back out of our system (for instance, to a gmail account). In this case we end up scanning the same message twice.

It would be great if MailScanner could identify a message that has already been identified as spam by looking for the "X-so-MailScanner-SpamCheck" line (one would, of course, want to use a customized line here so that a spammer couldn't just put the generic line in a message) and then just pass it along with the previous score rather than running the spam checks again.

My thought is that this would be fairly safe because (1) we would only do this for messages that have already been found to be spam, and (2) because we only trust our own custom headers. To be a bit safer we could only allow this rule to be triggered if a message comes from certain IP addresses.

Is there a general interest out there for this kind of a thing? If so, I wonder if it's something Julian would be interested in implementing.

Neal L.

Stefano Carlotto wrote:
> Is it possible to make a trusted MailScanner 'sign' email message in
> such a way that another MailScanner do not scan messages again?
> I was thinking that in a situation with multiple mail server it may be
> useful in order to reduce global systems load.
Of course the choice of > not to scan messages should be based on the capacity to recognize the > sign of the friendly server and on the time passed from the previous > mailscanner scan. > > thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061018/f4c2eb18/attachment.html From ssilva at sgvwater.com Wed Oct 18 22:10:27 2006 
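Added example, not part of any list message and not MailScanner code: one way to make the "already scanned" header discussed in the "Avoid double scan" message above hard to forge, using an HMAC over the Message-ID, body hash, score and scan time instead of a secret header name, together with the peer-address, spam-only and age limits the two posters mention. The header name, field layout and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from ipaddress import ip_address, ip_network

# Hypothetical header name; MailScanner has no such setting.
HEADER_NAME = "X-Example-Scan-Verdict"


def compute_mac(key, message_id, body, ts, score_text):
    """HMAC-SHA256 over the fields that tie a verdict to one message."""
    body_hash = hashlib.sha256(body).hexdigest()
    material = "\n".join([message_id, body_hash, str(ts), score_text])
    return hmac.new(key, material.encode("utf-8", "replace"), hashlib.sha256).hexdigest()


def sign_verdict(key, message_id, body, score, now):
    """Header value written by the first scanner once it has scored a message."""
    score_text = f"{score:.2f}"
    mac = compute_mac(key, message_id, body, now, score_text)
    return f"v=1; ts={now}; score={score_text}; mac={mac}"


def check_verdict(key, header_value, message_id, body, peer_ip,
                  trusted_nets, spam_threshold, max_age, now):
    """Return (score, "ok") if the earlier verdict may be reused; otherwise
    (None, reason), and the caller scans the message in the normal way."""
    # Only our own relays may present the header at all.
    try:
        peer = ip_address(peer_ip)
    except ValueError:
        return None, "untrusted-peer"
    if not any(peer in ip_network(net) for net in trusted_nets):
        return None, "untrusted-peer"
    if not header_value:
        return None, "no-header"
    fields = dict(p.strip().split("=", 1) for p in header_value.split(";") if "=" in p)
    try:
        if fields["v"] != "1":
            raise ValueError("unknown version")
        ts = int(fields["ts"])
        score_text = fields["score"]
        score = float(score_text)
        claimed = fields["mac"]
    except (KeyError, ValueError):
        return None, "malformed"
    # Constant-time comparison on bytes, so odd characters cannot raise.
    expected = compute_mac(key, message_id, body, ts, score_text)
    if not hmac.compare_digest(claimed.encode("utf-8", "replace"), expected.encode()):
        return None, "bad-mac"
    # Freshness: a verdict is only honoured for a limited time after the scan.
    if not 0 <= now - ts <= max_age:
        return None, "stale"
    # Only a spam verdict is reused; anything else is scanned again.
    if score < spam_threshold:
        return None, "not-spam"
    return score, "ok"


def demo():
    """Run the check over constructed inputs and return each outcome."""
    key = b"constructed-demo-key"              # constructed; keep real keys out of code
    msg_id = "<constructed-1@example.org>"     # constructed Message-ID
    body = b"Constructed spam body\r\n"
    common = dict(message_id=msg_id, body=body, trusted_nets=["192.0.2.0/24"],
                  spam_threshold=5.0, max_age=3600)
    good = sign_verdict(key, msg_id, body, 12.5, now=1000)
    forged = "v=1; ts=1000; score=0.00; mac=00"
    return {
        "reused": check_verdict(key, good, peer_ip="192.0.2.10", now=1600, **common),
        "forged": check_verdict(key, forged, peer_ip="192.0.2.10", now=1600, **common),
        "outside": check_verdict(key, good, peer_ip="203.0.113.5", now=1600, **common),
        "stale": check_verdict(key, good, peer_ip="192.0.2.10", now=4601, **common),
        "other_body": check_verdict(key, good, peer_ip="192.0.2.10", now=1600,
                                    **{**common, "body": b"different body"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:11s} {result}")
```

Every failure path falls back to a full scan, so a missing, copied or tampered header costs only the time the shortcut would have saved.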
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 18 22:11:09 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> Message-ID: Anthony Cartmell spake the following on 10/18/2006 1:05 PM: >> Answer 10: MailScanner by default only passes the first 30kb of the >> mail to SpamAssassin. > > Interesting. Most of the spam in question is less than 30kb in total > size, though, and I don't see any error messages. > >> Another thing to try >> ==================== >> Also try setting 'focr_verbose 2' in the config file, most messages >> report something like this.. > > I get a lot of > > [2006-10-18 20:39:26] Debug mode: Set scansets to values: > $gocr -i - > $gocr -l 180 -d 2 -i - > > But only get messages like: > > [2006-10-18 16:17:11] Debug mode: Starting FuzzyOcr... > [2006-10-18 16:17:11] Debug mode: Attempting to load personal wordlist... > [2006-10-18 16:17:11] Debug mode: No personal wordlist found, skipping... > [2006-10-18 16:17:11] Debug mode: FuzzyOcr ending successfully... > > when I run the spamassassin test manually, not when it's run via > MailScanner :( > > The spam messages with inline GIFs are found by SARE_GIF_ATTACH, but > aren't scoring high enough to be marked. > > For example, a message that went through unmarked as spam, gets marked > as spam if I run spamassassin manually: > > spamassassin --debug -t < > /var/spool/MailScanner/quarantine/20061018/nonspam/k9IHujkc027719 > > Hmmmm... it also gets a much higher score from this, as other tests also > seem to be missed when run from MailScanner... 
>
> MailScanner score (1.508):
>
> 0.75 SARE_GIF_ATTACH Email has a inline gif
> 0.08 TW_DF Odd Letter Triples with DF
> 0.08 TW_GG Odd Letter Triples with GG
> 0.08 TW_GZ Odd Letter Triples with GZ
> 0.08 TW_RG Odd Letter Triples with RG
>
> Manual spamassassin score (38.9):
>
> 3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP
> addr 2)
> 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type=
> entry
> 0.1 TW_GZ BODY: Odd Letter Triples with GZ
> 0.1 TW_RG BODY: Odd Letter Triples with RG
> 0.1 TW_GG BODY: Odd Letter Triples with GG
> 0.1 TW_DF BODY: Odd Letter Triples with DF
> 1.8 TVD_FW_GRAPHIC_NAME_LONG BODY: TVD_FW_GRAPHIC_NAME_LONG
> 1.2 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of
> words
> 2.8 TVD_FW_GRAPHIC_ID1 BODY: TVD_FW_GRAPHIC_ID1
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to
> 60% [score: 0.4908]
> 0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
> 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> address [84.122.43.158 listed in dnsbl.sorbs.net]
> 2.6 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
> []
> 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
> [84.122.43.158 listed in sbl-xbl.spamhaus.org]
> 1.7 SARE_GIF_STOX Inline Gif with little HTML
> 17 FUZZY_OCR BODY: Mail contains an image with common
> spam text inside
> Words found:
> "alert" in 3 lines
> "news" in 1 lines
> "alert" in 3 lines
> "stock" in 1 lines
> "investor" in 2 lines
> "company" in 1 lines
> "trade" in 1 lines
> "service" in 1 lines
> "levitra" in 2 lines
> (15 word occurrences found)
>
You must have some permission problems, as I did the same thing, and got near identical scores (at least to the first decimal - 32.7 in spamassassin 32.73 in mailscanner.
Maybe Julian can confirm if spamassassin called by mailscanner can still load plugins that have their loadplugin line in a .cf file instead of being called in a .pre file..
I seem to remember some sort of privilege change when spamassassin 3.0.0 or maybe 3.1.0 came out. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ajcartmell at fonant.com Wed Oct 18 22:16:36 2006 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Oct 18 22:16:46 2006 Subject: FuzzyOcr working but not via MailScanner: Fixed? In-Reply-To: References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> Message-ID: OK, getting somewhere now. The rules in /etc/mail/spamassassin were getting run OK but rules in /var/lib/spamassassin/3.001003 were missed when MailScanner runs. I've now added MailScanner.conf to have: SpamAssassin Default Rules Dir = /var/lib/spamassassin/3.001003 And all the rules are now being run :) It's not entirely clear how spamassassin knows to use this directory normally, but obviously MailScanner needs to know about it too. Cheers! Anthony -- www.fonant.com - Quality web sites From paul at welshfamily.com Wed Oct 18 22:30:27 2006 
From: paul at welshfamily.com (Paul Welsh)
Date: Wed Oct 18 22:30:46 2006
Subject: RBL and exim
In-Reply-To: <2BD3058086A2A44896622E7CB3720BC2AFBB70@DRIFTWOOD.corporate.paccoast.com>
Message-ID: <200610182130.k9ILUiNM026739@bkserver.blacknight.ie>

Can anyone just tell me whether I'm correct in assuming that if I want exim to test incoming mail connections against RBLs I change the following lines in /etc/exim.conf (I'm using DirectAdmin which comes with the SpamBlocker config):

# SpamBlocker.exim.conf.2.0-release
#
# Runtime configuration file for DirectAdmin/Exim 4.24 and above
# begin acl
# various other lines removed
# Here's the SpamCop RBL, it's one of several
deny message = Email blocked by SPAMCOP - to unblock see http://www.example.com/
     hosts = !+relay_hosts
     domains = +use_rbl_domains
     !authenticated = *
     dnslists = bl.spamcop.net

The reason I ask is that a user reported getting this error: "The server responded: 553 Your IP address 212.183.134.65 is blackholed by bl.spamcop.net."

What's confusing me is that the error message doesn't correspond to what's in the exim.conf file.

In general terms, I can't see much point in using these RBLs at the gateway - most spam comes via my secondary MX which is run by a third party and doesn't do these checks. SpamAssassin will do these checks against mail servers further down the chain anyhow.

From ssilva at sgvwater.com Wed Oct 18 23:30:00 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 18 23:30:16 2006 Subject: FuzzyOcr working but not via MailScanner: Fixed? In-Reply-To: References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> Message-ID: Anthony Cartmell spake the following on 10/18/2006 2:16 PM: > OK, getting somewhere now. > > The rules in /etc/mail/spamassassin were getting run OK but rules in > /var/lib/spamassassin/3.001003 were missed when MailScanner runs. > > I've now added MailScanner.conf to have: > > SpamAssassin Default Rules Dir = /var/lib/spamassassin/3.001003 > > And all the rules are now being run :) > > It's not entirely clear how spamassassin knows to use this directory > normally, but obviously MailScanner needs to know about it too. > > Cheers! > Because there is a lot of glue code in spamc and spamd that mailscanner doesn't use because of its call straight to the perl API's. It adds a lot of speed, but does have a few drawbacks, like the one you have found. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mikea at mikea.ath.cx Wed Oct 18 23:31:04 2006 
From: mikea at mikea.ath.cx (mikea) Date: Wed Oct 18 23:31:08 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <453686B1.8090700@pacific.net>; from ka@pacific.net on Wed, Oct 18, 2006 at 12:55:29PM -0700 References: <453686B1.8090700@pacific.net> Message-ID: <20061018173103.A18468@mikea.ath.cx> On Wed, Oct 18, 2006 at 12:55:29PM -0700, Ken A wrote: > > > Ed Wallig wrote: > > Hi, > > > > I have a number of users that seem to get amnesia when trying to send > > email to other employees at work. Specifically, they forget what the > > email domain extension is assigned to our email system and end up > > sending messages that should be going to our domain to another domain > > that is not associated w/ our company. Of course, they're getting > > bounced but I would like to stop the messages from exiting the system > > and bouncing off of this poor admin's email system. > > > > Is there a way to write a rule in MailScanner that would basically do > > this: > > > > * Check to see if the message is for a valid user (in terms of > > username) for our domain > > MTA should already be doing this. > > > * Check to see if the message has been addressed with an improper > > email domain (username@maildomain .com instead of maildomain.net, etc) > > Yeah, our users have fatter fingers than your users! You can do this in > sendmail access map. Postfix has something similar, I'm sure.. > > To:sbcgobal.com ERROR:5.1.1:550 Please check spelling on > recipient domain - should be sbcglobal.net Next time you're in the OKC area, please let me know, and I'll buy the steak dinner! You just pointed out a way to fix some problems I've been having with ineducable users -- and one that I _should_ have seen for myself. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From jethro.binks at strath.ac.uk Wed Oct 18 23:58:47 2006 
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Wed Oct 18 23:58:50 2006
Subject: Block outgoing mail w/ bad addressing
In-Reply-To: <453686B1.8090700@pacific.net>
References: <453686B1.8090700@pacific.net>
Message-ID: <20061018235509.D1053@defjam.cc.strath.ac.uk>

On Wed, 18 Oct 2006, Ken A wrote:

> > * Check to see if the message has been addressed with an improper
> > email domain (username@maildomain .com instead of maildomain.net, etc)
>
> Yeah, our users have fatter fingers than your users! You can do this in
> sendmail access map. Postfix has something similar, I'm sure..

Why on earth are you trying to implement a technical solution to this problem?

> To:sbcgobal.com ERROR:5.1.1:550 Please check spelling on recipient
> domain - should be sbcglobal.net

What if you really need to mail sbcgobal.com or maildomain.com some day? Either you can't, or you take this rule away again, in which case your problem comes back.

This is a user education issue, not a "crow-bar in any inappropriate fix to compensate for naive or careless users".

At least you could give them an address book, then they don't need to (mis)type anything.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK

From mkettler at evi-inc.com Thu Oct 19 00:13:16 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Oct 19 00:13:27 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <20061018235509.D1053@defjam.cc.strath.ac.uk> References: <453686B1.8090700@pacific.net> <20061018235509.D1053@defjam.cc.strath.ac.uk> Message-ID: <4536B50C.6040404@evi-inc.com> Jethro R Binks wrote: > On Wed, 18 Oct 2006, Ken A wrote: > >>> * Check to see if the message has been addressed with an improper >>> email domain (username@maildomain .com instead of maildomain.net, etc) >> Yeah, our users have fatter fingers than your users! You can do this in >> sendmail access map. Postfix has something similar, I'm sure.. > > Why on earth are you trying to implement a technical solution to this > problem? > >> To:sbcgobal.com ERROR:5.1.1:550 Please check spelling on recipient >> domain - should be sbcglobal.net > > What if you really need to mail sbcgobal.com or maildomain.com some day? Well, I'd agree there, but in this case sbcgobal is an illegal typo-squatter domain that's parked with searchportal. I say screw typo-squatters in every way possible. That said, going back to the original context of the thread, the OP was looking to handle this for typos of his own domain. I can definitely see reasons to do it for your own domain. I'd certainly do this if someone was typo-squatting MY domain. What would you do as a business in this case? What if the typo-squatter was actually a competitor? Sure you'd take the domain back with a trademark infringement case, but that takes time. What if in the meantime they decided to set up a MX that would just accept all the mail sent there from your network and funnel it into a report to their director of marketing? Would you take the risk of one of your users fat-fingering your domain name in an internal email and giving a competitor potentially sensitive company information? (accounting/sales/project status reports) From ka at pacific.net Thu Oct 19 00:21:12 2006 
From: ka at pacific.net (Ken A) Date: Thu Oct 19 00:19:18 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <20061018235509.D1053@defjam.cc.strath.ac.uk> References: <453686B1.8090700@pacific.net> <20061018235509.D1053@defjam.cc.strath.ac.uk> Message-ID: <4536B6E8.6000507@pacific.net> Jethro R Binks wrote: > On Wed, 18 Oct 2006, Ken A wrote: > >>> * Check to see if the message has been addressed with an improper >>> email domain (username@maildomain .com instead of maildomain.net, etc) >> Yeah, our users have fatter fingers than your users! You can do this in >> sendmail access map. Postfix has something similar, I'm sure.. > > Why on earth are you trying to implement a technical solution to this > problem? > >> To:sbcgobal.com ERROR:5.1.1:550 Please check spelling on recipient >> domain - should be sbcglobal.net > > What if you really need to mail sbcgobal.com or maildomain.com some day? > Either you can't, or you take this rule away again, in which case your > problem comes back. That could happen, I agree, but most likely typo domains are owned by typosquatters or worse, phishers and are in one or more uri blacklists (sbcgobal.com is). They may well be using mail sent to them to build spam lists. It's just a tool, call it a crowbar if you like. I don't do this with any legitimate domains. Ken A. Pacific.Net > This is a user education issue, not a "crow-bar in any inappropriate fix > to compensate for naiive or careless users". > > At least you could give them an address book, then they don't need to > (mis)type anything. > > Jethro. > > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > Jethro R Binks > Computing Officer, IT Services > University Of Strathclyde, Glasgow, UK From jethro.binks at strath.ac.uk Thu Oct 19 00:33:27 2006 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Thu Oct 19 00:33:32 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <4536B50C.6040404@evi-inc.com> References: <453686B1.8090700@pacific.net> <20061018235509.D1053@defjam.cc.strath.ac.uk> <4536B50C.6040404@evi-inc.com> Message-ID: <20061019002528.M1053@defjam.cc.strath.ac.uk> On Wed, 18 Oct 2006, Matt Kettler wrote: > That said, going back to the original context of the thread, the OP was > looking to handle this for typos of his own domain. I can definitely see > reasons to do it for your own domain. > > I'd certainly do this if someone was typo-squatting MY domain. > > What would you do as a business in this case? > > What if the typo-squatter was actually a competitor? Sure you'd take the > domain back with a trademark infringement case, but that takes time. > > What if in the meantime they decided to set up a MX that would just > accept all the mail sent there from your network and funnel it into a > report to their director of marketing? > > Would you take the risk of one of your users fat-fingering your domain > name in an internal email and giving a competitor potentially sensitive > company information? (accounting/sales/project status reports) I'd educate my users and provide them with tools to minimise the chance that their fat-fingers wouldn't be detrimental to their employment status, but I certainly wouldn't attempt to 'fix' this in an MTA (who is going to shout that this is off-topic this time?); like provide them with an address book of company contacts. Neither does this 'solution' prevent people outside the company sending that sensitive company information to the typo-squatting competitor, so you might be stuffed anyway, nor prevent fat-fingered employees from entering the incorrect email address in the myriads of places they may enter it outside your realm. So you are only 'solving' a fraction of the problem. 
I see outgoing mail to hotmial.com and similar all the time, but I don't do anything about that either. Neither do I put in extra aliases for some-role@strath.ac.uk, because someone thinks that some one might send email to some_role@strath.ac.uk instead. Users have to take responsibility for paying attention some time. The sooner they learn the better, then you don't have to have some ugly kludge knocking around for years. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From mailscanner at mango.zw Thu Oct 19 07:25:36 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Thu Oct 19 07:21:19 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <20061019002528.M1053@defjam.cc.strath.ac.uk> Message-ID: On Thu, 19 Oct 2006, Jethro R Binks wrote: > > Would you take the risk of one of your users fat-fingering your domain > > name in an internal email and giving a competitor potentially sensitive > > company information? (accounting/sales/project status reports) > > I'd educate my users and provide them with tools to minimise the chance > that their fat-fingers wouldn't be detrimental to their employment status, > but I certainly wouldn't attempt to 'fix' this in an MTA (who is going to > shout that this is off-topic this time?); like provide them with an > address book of company contacts. > > Neither does this 'solution' prevent people outside the company sending > that sensitive company information to the typo-squatting competitor, so > you might be stuffed anyway, nor prevent fat-fingered employees from > entering the incorrect email address in the myriads of places they may > enter it outside your realm. So you are only 'solving' a fraction of the > problem. > > I see outgoing mail to hotmial.com and similar all the time, but I don't > do anything about that either. Neither do I put in extra aliases for > some-role@strath.ac.uk, because someone thinks that some one might send > email to some_role@strath.ac.uk instead. Users have to take > responsibility for paying attention some time. The sooner they learn the > better, then you don't have to have some ugly kludge knocking around for > years. I agree that you should not fix user problems by automatically rerouting mail to an invalid address to the correct address - then they will never learn. However given a choice between dealing with endless user queries about "Why can't I send mail to this valid address?" 
and putting up a simple explanatory bounce message in the access file, I have found the latter to be very handy for domains that are constantly mis-spelled or else have stopped functioning, for example. If the user typo simply resulted in an immediate bounce it wouldn't be so bad, but there are some cases where the invalid domains used have nameservers that constantly time out, or have no mail exchangers but the hostname itself is unreachable, so the mail just sits in the mail queue for days until it times out. I prefer to bounce such mail back immediately with an appropriate error message - that is my way of educating the users. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From glenn.steen at gmail.com Thu Oct 19 08:20:55 2006 
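Added example, not part of any list message: a sketch that builds sendmail access-map lines in the format quoted in the "Block outgoing mail w/ bad addressing" thread above for look-alike spellings of one domain, with a `keep` list for look-alikes that must stay reachable (the objection raised in the thread). The mutation rules (one dropped letter, two swapped neighbours, a different TLD), the function names and the exact-match lookup are assumptions made for illustration; sendmail's own lookup logic is not reproduced.

```python
from itertools import product

# Rejection text in the wording used in the thread.
REJECT_TEXT = "Please check spelling on recipient domain - should be {domain}"


def typo_variants(domain, other_tlds, keep=()):
    """Look-alike spellings of `domain`, mutating only its leftmost label
    and its last label (TLD). Domains listed in `keep` are never returned."""
    labels = domain.lower().split(".")
    if len(labels) < 2:
        raise ValueError("expected a domain with at least two labels")
    first, middle, tld = labels[0], labels[1:-1], labels[-1]
    names = {first}
    if len(first) > 1:
        # one character dropped, e.g. sbcglobal -> sbcgobal
        names |= {first[:i] + first[i + 1:] for i in range(len(first))}
        # two neighbouring characters swapped, e.g. hotmail -> hotmial
        names |= {first[:i] + first[i + 1] + first[i] + first[i + 2:]
                  for i in range(len(first) - 1)}
    tlds = {tld} | {t.lower() for t in other_tlds}
    candidates = {".".join([n, *middle, t]) for n, t in product(names, tlds)}
    return sorted(candidates - {domain.lower()} - {k.lower() for k in keep})


def access_entries(domain, variants):
    """One 'To:' line per variant; key and value are separated by a tab."""
    text = REJECT_TEXT.format(domain=domain)
    return [f"To:{v}\tERROR:5.1.1:550 {text}" for v in variants]


def lookup(entries, recipient):
    """Rejection string for `recipient`, or None if its domain is not listed.
    Exact domain match only, which is a simplification."""
    table = {}
    for line in entries:
        key, _, value = line.partition("\t")
        if key.lower().startswith("to:") and value.startswith("ERROR:"):
            table[key[3:].lower()] = value[len("ERROR:"):]
    return table.get(recipient.rpartition("@")[2].lower())


if __name__ == "__main__":
    # Constructed run using the domain names that appear in the thread.
    variants = typo_variants("maildomain.net", ["com"], keep=["maildomain.com"])
    for line in access_entries("maildomain.net", variants)[:5]:
        print(line)
```

Review the generated list before loading it: every entry makes a real domain unreachable for local users, so anything that turns out to be a legitimate correspondent belongs in `keep`.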
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 19 08:20:59 2006
Subject: Found 385 messages waiting
In-Reply-To:
References: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl> <45363E46.1080700@USherbrooke.ca> <4536671A.7030904@USherbrooke.ca>
Message-ID: <223f97700610190020l6ddaa9c6j2960c579f21c928f@mail.gmail.com>

On 18/10/06, Scott Silva wrote:
> Denis Beauchemin spake the following on 10/18/2006 10:40 AM:
> > Scott Silva wrote:
> >> Denis Beauchemin spake the following on 10/18/2006 7:46 AM:
> >>
> >>> Mevershosting.nl wrote:
> >>>
> >>>> Mike, list,
> >>>>
> >>>> This is the script I use, it doesn't delete files but renames them. You
> >>>> could stop mailscanner first in the script before running this, but I
> >>>> found it doesn't really make a difference.
> >>>>
> >>>> snip
> >>>>
> >>> I use the following one-liner in root's crontab to remove files that
> >>> don't have today's date (uses bash syntax on a RHEL 4 system):
> >>> 19 9 * * * cd /var/spool/mqueue.in/ && /bin/rm -f $(/bin/ls -l
> >>> /var/spool/mqueue.in/[dqt]* 2>/dev/null | /bin/grep -v "$(/bin/date
> >>> '+\%b \%e')"|/bin/awk '{print $NF}') 2>/dev/null
> >>>
> >>> Denis
> >>>
> >>>
> >> It would be better to use something that goes back at least the number
> >> of days
> >> your system will retry for, something like;
> >>
> >> ...
> > Scott,
> >
> > Not really since emails never stay that long in the mqueue.in
> > directory. I have been careful enough to program it late in the morning
> > (9:19). The only files that are still in mqueue.in at 9:19 are the
> > leftovers with only one q/d file.
> >
> > Denis
> >
> Sorry, I posted without seeing that you were cleaning the in queue.
> I/O error on my part. Or more of an ID10T error. I have to read slower in the
> morning!

This is where you need switch beverage from L1QU0R to JAVA.... Sigh, I tire even myself with my lame sense of humour:-).

Only thing to be careful with, regarding your cron-scriptlet Denis, would be if (for some unknowable reason) MailScanner wasn't moving things out of the in queue... Like an "extended error" on the weekend or somesuch (you do go on vacation from time to time?:-)... Other than that, the logic of it is flawless. Unfortunately (or because I'm just into my first cup of coffee:-) I don't really see a good way to determine that MS is moving things along.... The simple tests (that there are MS children about) would probably be enough, if one would want to implement something like that:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Dominique.Marant at univ-lille1.fr Thu Oct 19 08:24:59 2006
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Thu Oct 19 08:27:38 2006
Subject: install-Clam-SA freshclam
In-Reply-To: <4536749E.7060704@ecs.soton.ac.uk>
References: <45363310.9080106@univ-lille1.fr> <223f97700610180810oa47ee33t4a3d166eff5546c1@mail.gmail.com> <45365EFD.3050906@ecs.soton.ac.uk> <45366948.5010104@USherbrooke.ca> <4536749E.7060704@ecs.soton.ac.uk>
Message-ID: <4537284B.403@univ-lille1.fr>

Good ! Thanks.

Dominique

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You should find the new file in the downloads page. I have done both the
> filename and the extraction directory, just to be on the safe side.
>
> Denis Beauchemin wrote:
>
>> Julian Field wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Glenn Steen wrote:
>>>
>>>> On 18/10/06, Dominique Marant wrote:
>>>>
>>>>> The package install-Clam-SA is updated when there is a new version of
>>>>> ClamAv or spamassassin.
>>>>> So, in http://www.mailscanner.info/downloads.html, it would better to
>>>>> specify the version in the name. For example :
>>>>> install-Clam-0-88-5-SA-3-1-5
>>>>>
>>>> Might be a good thought... How about it Jules?
>>>>
>>> Probably not a bad idea, I get it wrong occasionally myself :-)
>>>
>>> Do you want it all in the filename, or just in the directory it
>>> unpacks into?
>>>
>> Julian,
>>
>> Just modify the file name. It's OK to always use the same directory
>> name.
>>
>> Denis
>>
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk

From glenn.steen at gmail.com Thu Oct 19 08:33:15 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 08:33:18 2006 Subject: Bayes_toks.expire In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB042969B@winchester.andrewscompanies.com> Message-ID: <223f97700610190033k3ebfd17dyadce4806d2767bae@mail.gmail.com> On 18/10/06, Scott Silva wrote: > sandrews@andrewscompanies.com spake the following on 10/18/2006 7:54 AM: > > I've got a couple out of probably 20 mailscanner servers where the > > /etc/MailScanner/bayes directory just fills itself over time with > > bayes_toks.expireXXXX files. They are updated to the latest mailscanner > > and clamav/sa packages. > > > > I can't find where these are configured differently than any of the > > others... > > > > What am I doing wrong? > > > > Thanks, > > > > Steve > That server just might be timing out when the others aren't. Or it could be in > the position in MX order that it sees more spam. As it has failed a few times, > its bayes db is getting larger than the others, making the problem worse. You > could try to do a manual bayes expire so it can "catch up" to the other > servers, or shorten its time between expiry runs. Other popular suggestions are to up the SA timeout rather much, set "Wait During Bayes Rebuild = yes", set "Rebuild Bayes Every" as appropriate (and the "followups" to that) ... There is quite a bit of variation on what makes specific admins/systems happy:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Oct 19 08:52:45 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 08:52:48 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> Message-ID: <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> On 18/10/06, Scott Silva wrote: > Anthony Cartmell spake the following on 10/18/2006 1:05 PM: > >> Answer 10: MailScanner by default only passes the first 30kb of the > >> mail to SpamAssassin. > > > > Interesting. Most of the spam in question is less than 30kb in total > > size, though, and I don't see any error messages. > > > >> Another thing to try > >> ==================== > >> Also try setting 'focr_verbose 2' in the config file, most messages > >> report something like this.. > > > > I get a lot of > > > > [2006-10-18 20:39:26] Debug mode: Set scansets to values: > > $gocr -i - > > $gocr -l 180 -d 2 -i - > > > > But only get messages like: > > > > [2006-10-18 16:17:11] Debug mode: Starting FuzzyOcr... > > [2006-10-18 16:17:11] Debug mode: Attempting to load personal wordlist... > > [2006-10-18 16:17:11] Debug mode: No personal wordlist found, skipping... > > [2006-10-18 16:17:11] Debug mode: FuzzyOcr ending successfully... > > > > when I run the spamassassin test manually, not when it's run via > > MailScanner :( > > > > The spam messages with inline GIFs are found by SARE_GIF_ATTACH, but > > aren't scoring high enough to be marked. > > > > For example, a message that went through unmarked as spam, gets marked > > as spam if I run spamassassin manually: > > > > spamassassin --debug -t < > > /var/spool/MailScanner/quarantine/20061018/nonspam/k9IHujkc027719 > > > > Hmmmm... it also gets a much higher score from this, as other tests also > > seem to be missed when run from MailScanner... 
> > > > MailScanner score (1.508): > > > > 0.75 SARE_GIF_ATTACH Email has a inline gif > > 0.08 TW_DF Odd Letter Triples with DF > > 0.08 TW_GG Odd Letter Triples with GG > > 0.08 TW_GZ Odd Letter Triples with GZ > > 0.08 TW_RG Odd Letter Triples with RG > > > > Manual spamassassin score (38.9): > > > > 3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP > > addr 2) > > 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= > > entry > > 0.1 TW_GZ BODY: Odd Letter Triples with GZ > > 0.1 TW_RG BODY: Odd Letter Triples with RG > > 0.1 TW_GG BODY: Odd Letter Triples with GG > > 0.1 TW_DF BODY: Odd Letter Triples with DF > > 1.8 TVD_FW_GRAPHIC_NAME_LONG BODY: TVD_FW_GRAPHIC_NAME_LONG > > 1.2 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of > > words > > 2.8 TVD_FW_GRAPHIC_ID1 BODY: TVD_FW_GRAPHIC_ID1 > > 0.0 HTML_MESSAGE BODY: HTML included in message > > 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to > > 60% [score: 0.4908] > > 0.8 SARE_GIF_ATTACH FULL: Email has a inline gif > > 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP > > address [84.122.43.158 listed in dnsbl.sorbs.net] > > 2.6 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org > > [] > > 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL > > [84.122.43.158 listed in sbl-xbl.spamhaus.org] > > 1.7 SARE_GIF_STOX Inline Gif with little HTML > > 17 FUZZY_OCR BODY: Mail contains an image with common > > spam text inside > > Words found: > > "alert" in 3 lines > > "news" in 1 lines > > "alert" in 3 lines > > "stock" in 1 lines > > "investor" in 2 lines > > "company" in 1 lines > > "trade" in 1 lines > > "service" in 1 lines > > "levitra" in 2 lines > > (15 word occurrences found) > > > You must have some permission problems, as I did the same thing, and got near > identical scores (at least to the first decimal - 32.7 in smamassassin 32.73 > in mailscanner. 
> Maybe Julian can confirm if spamassassin called by mailscanner can still load > plugins that have their loadplugin line in a .cf file instead of being called > in a .pre file.. I seem to remember some sort of privilege change when > spamassassin 3.0.0 or maybe 3.1.0 came out. > I think you are on to something there Scott. I'll offer a guess... Anthony, are you by any chance running Postfix? There likely is a problem for the user your MTA (and hence MailScanner) is running as. You don't get the network tests, bayes etc and that is the real "killer" here. Check your SA lint and testmessage as the user you have for your MTA... Likely you'll see the same result you had in MailScanner then. If you do run Postfix, make sure there is a writable SpamAssassin State Dir set, and/or that you create ~/.spamassassin, ~/.razor and ~/.pyzor (as appropriate for the set of tools you use) for the postfix user, and that that user can write to those directories. Also, make sure you have (in local.cf or mailscanner.cf) a correct bayes_path (which actually end in the first fragment of the bayes filenames) and bayes_file_mode ( it should be 0770, or similar... I need that since I use MailWatch and let the webservers group have write perms...). HtH -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From simon at ateb.co.uk Thu Oct 19 09:05:10 2006 
From: simon at ateb.co.uk (Simon Annetts) Date: Thu Oct 19 09:05:12 2006 Subject: whitelist a file from the content scanner In-Reply-To: <4536601D.2080607@ecs.soton.ac.uk> References: <45363258.2060400@ateb.co.uk> <45363460.7070908@solidstatelogic.com> <4536601D.2080607@ecs.soton.ac.uk> Message-ID: <453731B6.7060302@ateb.co.uk> Julian Field wrote: > Martin Hepworth wrote: >> Simon Annetts wrote: >>> Hi, >>> I need to be able to stop mailscanner from virus checking and >>> filetype detecting a particular filename so that our support team can >>> send updates via email. The file will always be called (for example >>> only:) update.zip and may contain .exe and other type files that are >>> normally banned. >>> >>> At the moment mailscanner always rejects the file and quarantines it >>> because it is in the banned filetypes list. If I exempt .zip files or >>> specifically update.zip then mailscanner proceeds to unpack the file >>> and quarantine any files inside which also are banned. This is all >>> good stuff as far as mailscanner doing its job, but I want this file >>> to pass through mailscanner completely untouched/unchecked. I want to >>> exempt this file name from all checks, - spam virus content and >>> filetype. >>> >>> >>> Is this possible??? >>> Best Regards >>> Simon >>> >>> >> Simon >> >> I'd do this by originating ip-address if I where you....put a ruleset >> on the checks, so if its from you're lan you don't run the extra >> filename checks etc... > To just allow this one filename, add a new filename.rules.conf file (as > per the instructions in the wiki) with 1 rule at the top that says > allow ^my\.file\.name$ - - > Note those 4 fields are separated with *tab* characters and not spaces. > This is the 1 place (filename.rules.conf and filetype.rules.conf) where > MailScanner is fussy about the types of spaces you use as a separator. > Otherwise, how would you match against a filename pattern that contained > a space? 
> You will also have to make sure it passes the file-type checks as well, > with a similar trick. > > You've got a little bit of reading to do, this is about as complex as it > can get, sorry. > > Jules Thanks for the info I'll have a go this morning and also schedule some quiet reading time (if only!) :-) Simon > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > From ajcartmell at fonant.com Thu Oct 19 09:11:58 2006 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Thu Oct 19 09:12:09 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> Message-ID: > I think you are on to something there Scott. I'll offer a guess... > Anthony, are you by any chance running Postfix? Nope, sendmail. It seems to be a "search path" issue: MailScanner skips a lot of setup stuff that spamassassin does from the command line. From MailScanner, the whole /var/lib/spamassassin/3.001003 directory was being missed and hence a whole load of default rules. FWIW, although I have all my .cf files being read now, FuzzyOcr still isn't being called. More investigation needed... Anthony -- www.fonant.com - Quality web sites From glenn.steen at gmail.com Thu Oct 19 09:22:51 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 09:23:04 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> Message-ID: <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> On 19/10/06, Anthony Cartmell wrote: > > I think you are on to something there Scott. I'll offer a guess... > > Anthony, are you by any chance running Postfix? > > Nope, sendmail. OK. Was just a thought:-). > It seems to be a "search path" issue: MailScanner skips a lot of setup > stuff that spamassassin does from the command line. From MailScanner, the > whole /var/lib/spamassassin/3.001003 directory was being missed and hence > a whole load of default rules. Are you running 3.1.3? I run 3.1.5 and have no such issues (I don't have to set the MailScanner option, and it picks up/scores rules only in files present in the update directory). Maybe you should upgrade SA? If so, I can warmly recommend Jules excellent package:). > FWIW, although I have all my .cf files being read now, FuzzyOcr still > isn't being called. More investigation needed... Updating SA might have something to do with this too... And resetting to the normal MailScanner option... As it is now, any cf file in /etc/mail/spamassassin isn't read, right? Sort of like "the wrong fix to the right problem" or some such:-):-). As usual, I might be blathering a load of garbage too:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Oct 19 09:42:23 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 09:42:27 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> Message-ID: <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> On 19/10/06, Glenn Steen wrote: > On 19/10/06, Anthony Cartmell wrote: > > > I think you are on to something there Scott. I'll offer a guess... > > > Anthony, are you by any chance running Postfix? > > > > Nope, sendmail. > > OK. Was just a thought:-). > > > It seems to be a "search path" issue: MailScanner skips a lot of setup > > stuff that spamassassin does from the command line. From MailScanner, the > > whole /var/lib/spamassassin/3.001003 directory was being missed and hence > > a whole load of default rules. > > Are you running 3.1.3? I run 3.1.5 and have no such issues (I don't > have to set the MailScanner option, and it picks up/scores rules only > in files present in the update directory). Maybe you should upgrade > SA? If so, I can warmly recommend Jules excellent package:). > > > FWIW, although I have all my .cf files being read now, FuzzyOcr still > > isn't being called. More investigation needed... > > Updating SA might have something to do with this too... And resetting > to the normal MailScanner option... As it is now, any cf file in > /etc/mail/spamassassin isn't read, right? > Sort of like "the wrong fix to the right problem" or some such:-):-). > As usual, I might be blathering a load of garbage too:-). > (just proving my PF "roots"....) 
I looked at SpamAssassin.pm, and this snippet is the clicher: ----- @default_rules_path = ( '__local_state_dir__/__version__', '__def_rules_dir__', '__prefix__/share/spamassassin', '/usr/local/share/spamassassin', '/usr/share/spamassassin', ); ----- As you can see, the normal way to find the sa-updated files is via "__local_state_dir__/__version__", where __local_state_dir__ defautls to /var/lib/spamassassin .... and __version__ is set (just above that) to something like 3.00100X ... If you did an upgrade (and perhaps didn't do an sa-update afterwards) I suppose you could end up in a situation where the new SA version couldn't find the updated files, I suppose (someone a bit more fluent (than me) in how SA is instantiated will probably eb able to tell if this supposition is correct). I suppose running sa-update should clear any such problem... And you might clear the FuzzyOcr problem by resetting the MailScanner option for site rules. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Oct 19 09:57:25 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 09:58:02 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> Message-ID: <223f97700610190157s7f0bfb6fua56e6371bfe3510d@mail.gmail.com> On 19/10/06, Glenn Steen wrote: > On 19/10/06, Glenn Steen wrote: > > On 19/10/06, Anthony Cartmell wrote: > > > > I think you are on to something there Scott. I'll offer a guess... > > > > Anthony, are you by any chance running Postfix? > > > > > > Nope, sendmail. > > > > OK. Was just a thought:-). > > > > > It seems to be a "search path" issue: MailScanner skips a lot of setup > > > stuff that spamassassin does from the command line. From MailScanner, the > > > whole /var/lib/spamassassin/3.001003 directory was being missed and hence > > > a whole load of default rules. > > > > Are you running 3.1.3? I run 3.1.5 and have no such issues (I don't > > have to set the MailScanner option, and it picks up/scores rules only > > in files present in the update directory). Maybe you should upgrade > > SA? If so, I can warmly recommend Jules excellent package:). > > > > > FWIW, although I have all my .cf files being read now, FuzzyOcr still > > > isn't being called. More investigation needed... > > > > Updating SA might have something to do with this too... And resetting > > to the normal MailScanner option... As it is now, any cf file in > > /etc/mail/spamassassin isn't read, right? > > Sort of like "the wrong fix to the right problem" or some such:-):-). > > As usual, I might be blathering a load of garbage too:-). > > > (just proving my PF "roots"....) 
> > I looked at SpamAssassin.pm, and this snippet is the clicher: > ----- > @default_rules_path = ( > '__local_state_dir__/__version__', > '__def_rules_dir__', > '__prefix__/share/spamassassin', > '/usr/local/share/spamassassin', > '/usr/share/spamassassin', > ); > ----- > As you can see, the normal way to find the sa-updated files is via > "__local_state_dir__/__version__", where __local_state_dir__ defautls > to /var/lib/spamassassin .... and __version__ is set (just above that) > to something like 3.00100X ... If you did an upgrade (and perhaps > didn't do an sa-update afterwards) I suppose you could end up in a > situation where the new SA version couldn't find the updated files, I > suppose (someone a bit more fluent (than me) in how SA is instantiated > will probably eb able to tell if this supposition is correct). > I suppose running sa-update should clear any such problem... And you > might clear the FuzzyOcr problem by resetting the MailScanner option > for site rules. Hm, went and read the other thread you have (broken off:)... Ok, so you set Default, not Site... Ok, I need more coffee too (not just Scott:-):-)... Anyway, you shouldn't need set that either. It should be automagic (and have nothing to do with spamc/d/assassin "glue", since it is set in the main module...). Oh well. Off to the coffee machine:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Oct 19 10:09:29 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 10:09:32 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: <223f97700610190157s7f0bfb6fua56e6371bfe3510d@mail.gmail.com> References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> <223f97700610190157s7f0bfb6fua56e6371bfe3510d@mail.gmail.com> Message-ID: <223f97700610190209t2db0c1e5jf37291839bbcd828@mail.gmail.com> On 19/10/06, Glenn Steen wrote: > On 19/10/06, Glenn Steen wrote: > > On 19/10/06, Glenn Steen wrote: > > > On 19/10/06, Anthony Cartmell wrote: > > > > > I think you are on to something there Scott. I'll offer a guess... > > > > > Anthony, are you by any chance running Postfix? > > > > > > > > Nope, sendmail. > > > > > > OK. Was just a thought:-). > > > > > > > It seems to be a "search path" issue: MailScanner skips a lot of setup > > > > stuff that spamassassin does from the command line. From MailScanner, the > > > > whole /var/lib/spamassassin/3.001003 directory was being missed and hence > > > > a whole load of default rules. > > > > > > Are you running 3.1.3? I run 3.1.5 and have no such issues (I don't > > > have to set the MailScanner option, and it picks up/scores rules only > > > in files present in the update directory). Maybe you should upgrade > > > SA? If so, I can warmly recommend Jules excellent package:). > > > > > > > FWIW, although I have all my .cf files being read now, FuzzyOcr still > > > > isn't being called. More investigation needed... > > > > > > Updating SA might have something to do with this too... And resetting > > > to the normal MailScanner option... As it is now, any cf file in > > > /etc/mail/spamassassin isn't read, right? > > > Sort of like "the wrong fix to the right problem" or some such:-):-). 
> > > As usual, I might be blathering a load of garbage too:-). > > > > > (just proving my PF "roots"....) > > > > I looked at SpamAssassin.pm, and this snippet is the clicher: > > ----- > > @default_rules_path = ( > > '__local_state_dir__/__version__', > > '__def_rules_dir__', > > '__prefix__/share/spamassassin', > > '/usr/local/share/spamassassin', > > '/usr/share/spamassassin', > > ); > > ----- > > As you can see, the normal way to find the sa-updated files is via > > "__local_state_dir__/__version__", where __local_state_dir__ defautls > > to /var/lib/spamassassin .... and __version__ is set (just above that) > > to something like 3.00100X ... If you did an upgrade (and perhaps > > didn't do an sa-update afterwards) I suppose you could end up in a > > situation where the new SA version couldn't find the updated files, I > > suppose (someone a bit more fluent (than me) in how SA is instantiated > > will probably eb able to tell if this supposition is correct). > > I suppose running sa-update should clear any such problem... And you > > might clear the FuzzyOcr problem by resetting the MailScanner option > > for site rules. > Hm, went and read the other thread you have (broken off:)... Ok, so > you set Default, not Site... Ok, I need more coffee too (not just > Scott:-):-)... > Anyway, you shouldn't need set that either. It should be automagic > (and have nothing to do with spamc/d/assassin "glue", since it is set > in the main module...). Oh well. Off to the coffee machine:-). > Just a final thought (yeah, this show the slow workings of *my* mind;-)... You wouldn't happen to have multiple SA installs, now would you? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at mango.zw Thu Oct 19 11:10:37 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Thu Oct 19 11:06:26 2006 Subject: OT: How do you block servers sending oversize messages? Message-ID: This is a sendmail problem, but hope it's OK to ask here. MANGO has only a 64k connection to the Internet. We have a major problem with ISPs (mainly Yahoo and Gmail) that don't implement the SMTP SIZE extension. So when they send us a 10 MB message, for example, we can't reject the message until they have sent us the whole message. That is a total and serious waste of bandwidth, particularly when some idiot sends us half a dozen 10 MB bmp files for example. On our side we can see the incoming df file growing in size in mqueue.in, and can suspect from the sending server that it is going to be a problem, but obviously can't be sure until it hits our message size limit (1.5 MB). At that point the df file stops increasing in size and we know it's a problem. The manual solution at that point is to determine the sender's IP address, block that in the access file with an appropriate error message, kill the process id associated with the connection and then delete the df file. Then wait until they next connect and get rejected, and then re-enable the IP in the access file once more (and hope that they don't do it all over again). The above response is definitely worth doing during our peak times as it frees up significant bandwidth. I could (why don't I?) write a script to monitor and automate the process. However the problem is fairly fundamental, and I wonder if others are concerned about this issue and whether they have solutions of their own. I have written to Gmail via a third party who knows the developers there and am told they will think about it and possibly implement an upgrade at some stage. I don't know how to get hold of anyone interested at Yahoo. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From ewallig at aerocontractors.com Thu Oct 19 12:10:05 2006 
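Added example, not part of any message in this thread and not sendmail or MailScanner code: a shell sketch of the detection half of the procedure described above. It samples the df files in the incoming queue twice and reports the ones that have reached the size limit and stopped growing. The function names are assumptions, the queue path and byte limit are supplied by the caller, and blocking the sender or killing the connection is left to the operator.

```shell
#!/bin/sh
# Added monitoring sketch; not sendmail or MailScanner code.
# Assumptions: data files in the queue are named df<queue-id>, and the
# caller passes the queue directory and the size limit in bytes.

# snapshot_df DIR -> one "SIZE NAME" line per df* file in DIR
snapshot_df() {
    for sd_f in "$1"/df*; do
        [ -f "$sd_f" ] || continue
        sd_size=$(wc -c < "$sd_f" | tr -d ' ')
        printf '%s %s\n' "$sd_size" "${sd_f##*/}"
    done
}

# stalled_oversize DIR LIMIT_BYTES [INTERVAL_SECONDS]
# Takes two snapshots INTERVAL seconds apart and prints "QUEUE-ID SIZE" for
# every df file that is at or over the limit and did not grow in between.
stalled_oversize() {
    so_before=$(snapshot_df "$1")
    sleep "${3:-10}"
    snapshot_df "$1" | while read -r so_size so_name; do
        [ "$so_size" -ge "$2" ] || continue
        # Same size in both snapshots means the transfer has hit the limit.
        if printf '%s\n' "$so_before" | grep -qxF "$so_size $so_name"; then
            printf '%s %s\n' "${so_name#df}" "$so_size"
        fi
    done
}

# Stand-alone use (path is a placeholder; 1572864 is the post's 1.5 MB limit
# taken as 1.5 * 1024 * 1024 bytes):
#   sh thisfile.sh watch /path/to/mqueue.in 1572864 30
if [ "${1:-}" = "watch" ]; then
    stalled_oversize "$2" "$3" "${4:-10}"
fi
```

The queue id it prints is the part of the file name after "df", which is the id to search for in the mail log when identifying the sending host.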
From: ewallig at aerocontractors.com (Ed Wallig) Date: Thu Oct 19 12:10:11 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <20061018235509.D1053@defjam.cc.strath.ac.uk> Message-ID: They do have an address book (several, actually) and I can jam all the education in the world into them but ultimately if they do not listen or do not care then it means nothing. You are right - there could be an occasion where the "crow-bar" approach causes problems but in weighing risk / benefit, I would rather stop the existing problem and deal with the occasional issue than have the chronic problem. -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jethro R Binks Sent: Wednesday, October 18, 2006 6:59 PM To: MailScanner discussion Subject: Re: Block outgoing mail w/ bad addressing On Wed, 18 Oct 2006, Ken A wrote: > > * Check to see if the message has been addressed with an improper > > email domain (username@maildomain .com instead of maildomain.net, > > etc) > > Yeah, our users have fatter fingers than your users! You can do this > in sendmail access map. Postfix has something similar, I'm sure.. Why on earth are you trying to implement a technical solution to this problem? > To:sbcgobal.com ERROR:5.1.1:550 Please check spelling on recipient > domain - should be sbcglobal.net What if you really need to mail sbcgobal.com or maildomain.com some day? Either you can't, or you take this rule away again, in which case your problem comes back. This is a user education issue, not a "crow-bar in any inappropriate fix to compensate for naiive or careless users". At least you could give them an address book, then they don't need to (mis)type anything. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ewallig at aerocontractors.com Thu Oct 19 12:12:13 2006 
From: ewallig at aerocontractors.com (Ed Wallig) Date: Thu Oct 19 12:12:18 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <4536B50C.6040404@evi-inc.com> Message-ID: Yup, this is what is on my mind - typo-squatter (cool term by the way) creates a "catch-all" or actual account based on what he's seeing in the SMTP logs and starts collecting email that is not supposed to be going to him - could be trouble. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler Sent: Wednesday, October 18, 2006 7:13 PM To: MailScanner discussion Subject: Re: Block outgoing mail w/ bad addressing Jethro R Binks wrote: > On Wed, 18 Oct 2006, Ken A wrote: > >>> * Check to see if the message has been addressed with an improper >>> email domain (username@maildomain .com instead of maildomain.net, >>> etc) >> Yeah, our users have fatter fingers than your users! You can do this >> in sendmail access map. Postfix has something similar, I'm sure.. > > Why on earth are you trying to implement a technical solution to this > problem? > >> To:sbcgobal.com ERROR:5.1.1:550 Please check spelling on recipient >> domain - should be sbcglobal.net > > What if you really need to mail sbcgobal.com or maildomain.com some day? Well, I'd agree there, but in this case sbcgobal is an illegal typo-squatter domain that's parked with searchportal. I say screw typo-squatters in every way possible. That said, going back to the original context of the thread, the OP was looking to handle this for typos of his own domain. I can definitely see reasons to do it for your own domain. I'd certainly do this if someone was typo-squatting MY domain. What would you do as a business in this case? What if the typo-squatter was actually a competitor? Sure you'd take the domain back with a trademark infringement case, but that takes time. What if in the meantime they decided to set up a MX that would just accept all the mail sent there from your network and funnel it into a report to their director of marketing? Would you take the risk of one of your users fat-fingering your domain name in an internal email and giving a competitor potentially sensitive company information? 
(accounting/sales/project status reports) From Peter.Bates at lshtm.ac.uk Thu Oct 19 12:23:56 2006 From: Peter.Bates at lshtm.ac.uk (Peter Bates) Date: Thu Oct 19 12:24:17 2006 Subject: Disarming Disarm Message-ID: <45376E5B.9729.0076.0@lshtm.ac.uk> Hello all... I have Allow IFrame Tags Allow Script Tags Allow WebBugs and so on set to 'disarm'. Without correlating the logs I'm not sure why a particular email would be '{Disarmed}', but on a request I'd like to bypass this processing for a particular whitelisted sender. Obviously I can make all the 'Allow ... ' settings into pointers to a ruleset, or is there another setting I can easily change to bypass all of this? I'd like to try and avoid using 'Scan Messages' with a ruleset if I could. Thanks. This is MailScanner 4.56. ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, IT Services. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From glenn.steen at gmail.com Thu Oct 19 12:29:54 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 12:29:58 2006 Subject: Disarming Disarm In-Reply-To: <45376E5B.9729.0076.0@lshtm.ac.uk> References: <45376E5B.9729.0076.0@lshtm.ac.uk> Message-ID: <223f97700610190429l164f199o1ecb33928652f8fa@mail.gmail.com> On 19/10/06, Peter Bates wrote: > > Hello all... > > I have > > Allow IFrame Tags > Allow Script Tags > Allow WebBugs > > and so on set to 'disarm'. > > Without correlating the logs I'm not sure why a particular > email would be '{Disarmed}', but on a request I'd like to > bypass this processing for a particular whitelisted sender. > > Obviously I can make all the 'Allow ... ' settings into pointers to a > ruleset, > or is there another setting I can easily change to bypass all of this? > > I'd like to try and avoid using 'Scan Messages' with a ruleset if I > could. You could always set it on the Dangerous Content thing... IIRC that should take care of things:-): # Do you want to scan the messages for potentially dangerous content? # Setting this to "no" will disable all the content-based checks except # Virus Scanning, Allow Partial Messages and Allow External Message Bodies. # This can also be the filename of a ruleset. Dangerous Content Scanning = yes (obviously you'd make that one a ruleset then:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rcooper at dwford.com Thu Oct 19 14:17:24 2006 From: rcooper at dwford.com (Rick Cooper) Date: Thu Oct 19 14:17:36 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> Message-ID: <015701c6f380$eb82a910$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Glenn Steen > Sent: Thursday, October 19, 2006 4:42 AM > To: MailScanner discussion > Subject: Re: FuzzyOcr working but not via MailScanner > > On 19/10/06, Glenn Steen wrote: > > On 19/10/06, Anthony Cartmell wrote: > > > > I think you are on to something there Scott. I'll offer > a guess... > > > > Anthony, are you by any chance running Postfix? > > > > > > Nope, sendmail. > > > > OK. Was just a thought:-). > > > > > It seems to be a "search path" issue: MailScanner skips a > lot of setup > > > stuff that spamassassin does from the command line. From > MailScanner, the > > > whole /var/lib/spamassassin/3.001003 directory was being > missed and hence > > > a whole load of default rules. [...] > (just proving my PF "roots"....) > > I looked at SpamAssassin.pm, and this snippet is the clicher: > ----- > @default_rules_path = ( > '__local_state_dir__/__version__', > '__def_rules_dir__', > '__prefix__/share/spamassassin', > '/usr/local/share/spamassassin', > '/usr/share/spamassassin', > ); > ----- > As you can see, the normal way to find the sa-updated files is via > "__local_state_dir__/__version__", where __local_state_dir__ defautls > to /var/lib/spamassassin .... and __version__ is set (just above that) > to something like 3.00100X ... If you did an upgrade (and perhaps > didn't do an sa-update afterwards) I suppose you could end up in a > situation where the new SA version couldn't find the updated files, I > suppose (someone a bit more fluent (than me) in how SA is instantiated > will probably eb able to tell if this supposition is correct). > I suppose running sa-update should clear any such problem... And you > might clear the FuzzyOcr problem by resetting the MailScanner option > for site rules. 
>
>

I can tell you from experience that if you do not run sa-update following a
SA update your /var/lib/spamassassin directory is not created and
when SA does its path checks it will (there is a thread on this on one of
the SA lists)

1. check for /var/lib/spamassassin
2. If step one fails it will use the local site dir

It's unnecessarily complicated in my opinion compared to how it used to be.
One would think you could do something like the old

$defaultrules = $test->{default_rules_path};
$defaultrules ||= $test->first_existing_path(@Mail::SpamAssassin::default_rules_path);

and use

$defaultupdaterules = $test->{default_update_rules_path};
$defaultupdaterules ||= $test->first_existing_path(@Mail::SpamAssassin::default_update_rules_path);

If I am remembering the balance of the thread it's now something like

my $SAVersion = $Mail::SpamAssassin::VERSION;
my $defaultrules = "/var/lib/spamassassin/$SAVersion" if -d "/var/lib/spamassassin/$SAVersion";
$defaultrules ||= $test->first_existing_path(@Mail::SpamAssassin::default_rules_path);

In my case I forgot the sa-update after 3.17 and
/var/lib/spamassassin/3.001007 was not created so it then defaulted to
/usr/share/spamassassin even though /var/lib/spamassassin/3.001001 was still
there (yes I skipped some updates, time constraints). I did not change the
"SpamAssassin Default Rules Dir" setting from the default (blank) so I guess
I am wondering if the proper /var/lib/spamassassin/3.001007 directory is
being used when SA is run from MailScanner? Julian can you answer that
question?

Also, along the lines of the thread. When I first installed FuzzyOcr and was
testing it I forgot to set the value of focr_autodisable_score (in
FuzzyOcr.cf) lower (I think the default is 10 or something like that) so it
appeared that Fuzzy wasn't doing anything because the spams with images were
already scoring above that. I lowered the score to 2 (temporarily) and then
Fuzzy was hitting.
Of course I raised it back to my hit range so it wouldn't waste resources when the message was already scored as spam. Rick From glenn.steen at gmail.com Thu Oct 19 14:32:29 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 14:32:37 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: <015701c6f380$eb82a910$0301a8c0@SAHOMELT> References: <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> <015701c6f380$eb82a910$0301a8c0@SAHOMELT> Message-ID: <223f97700610190632n591efbbcxb5514fa3f0a208c0@mail.gmail.com> On 19/10/06, Rick Cooper wrote: > > > > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Glenn Steen > > Sent: Thursday, October 19, 2006 4:42 AM > > To: MailScanner discussion > > Subject: Re: FuzzyOcr working but not via MailScanner > > > > On 19/10/06, Glenn Steen wrote: > > > On 19/10/06, Anthony Cartmell wrote: > > > > > I think you are on to something there Scott. I'll offer > > a guess... > > > > > Anthony, are you by any chance running Postfix? > > > > > > > > Nope, sendmail. > > > > > > OK. Was just a thought:-). > > > > > > > It seems to be a "search path" issue: MailScanner skips a > > lot of setup > > > > stuff that spamassassin does from the command line. From > > MailScanner, the > > > > whole /var/lib/spamassassin/3.001003 directory was being > > missed and hence > > > > a whole load of default rules. > [...] > > > (just proving my PF "roots"....) > > > > I looked at SpamAssassin.pm, and this snippet is the clicher: > > ----- > > @default_rules_path = ( > > '__local_state_dir__/__version__', > > '__def_rules_dir__', > > '__prefix__/share/spamassassin', > > '/usr/local/share/spamassassin', > > '/usr/share/spamassassin', > > ); > > ----- > > As you can see, the normal way to find the sa-updated files is via > > "__local_state_dir__/__version__", where __local_state_dir__ defautls > > to /var/lib/spamassassin .... and __version__ is set (just above that) > > to something like 3.00100X ... If you did an upgrade (and perhaps > > didn't do an sa-update afterwards) I suppose you could end up in a > > situation where the new SA version couldn't find the updated files, I > > suppose (someone a bit more fluent (than me) in how SA is instantiated > > will probably eb able to tell if this supposition is correct). > > I suppose running sa-update should clear any such problem... And you > > might clear the FuzzyOcr problem by resetting the MailScanner option > > for site rules. 
> > I can tell you from experience that if you do not run sa-update following a > SA update your /var/lib/spamassassin directory is not created and > when SA does it's path checks it will (there is a thread on this on one of > the SA lists) > > 1. check for /var/lib/spamassassin > 2. If step one fails it will use the local site dir > > It's unnecessarily complicated in my opinion compared to how it used to be. > One would think you could do something like the old > $defaultrules = $test->{default_rules_path}; > $defaultrules ||= $test->first_existing_path > (@Mail::SpamAssassin::default_rules_path); > > and use > > $defaultupdaterules = $test->{default_update_rules_path}; > $defaultupdaterules ||= $test->first_existing_path > (@Mail::SpamAssassin::default_update_rules_path); > > If I am remembering the balance of the thread it's now something like > > my $SAVersion = $Mail::SpamAssassin::VERSION; > my $defaultrules = "/var/lib/spamassassin/$SAVersion" if -d > "/var/lib/spamassassin/$SAVersion"; > $defaultrules ||= $test->first_existing_path > (@Mail::SpamAssassin::default_rules_path); As I thought. Thanks for corroboration Rick. > In my case I forgot the sa-update after 3.17 and > /var/lib/spamassassin/3.001007 was not created so it then defaulted to > /usr/share/spamassassin even though /var/lib/spamassassin/3.001001 was still > there (yes I skipped some updates, time constraints). I did not change the > "SpamAssassin Default Rules Dir" setting from the default (blank) so I guess > I am wondering if the proper /var/lib/spamassassin/3.001007 directory is > being used when SA is run from MailScanner? Julian can you answer that > question? Since MS instantiates two SpamAssassin objects (one for SA, one for MCP) and the logic for this is in the object creation method, I assume this is working without changing that setting. And my MailWatch searches (on what rules fire in the SpamReport) back me up in that assumption:-). 
But a conciliating comment from jules wouldn't hurt:-D. > Also, along the lines of the thread. When I first installed FuzzyOcr and was > testing it I forgot to set the value of focr_autodisable_score (in > FuzzyOcr.cf) lower (I think the default is 10 or something like that) so it > appeared that Fuzzy wasn't doing anything because the spams with images were > already scoring above that. I lowered the score to 2 (temporarily) and then > Fuzzy was hitting. Of course I raised it back to my hit range so it wouldn't > waste resources when the messages was already scored as spam. Right. Forgot about that. Thanks a bundle Rick. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From tim.sattler at nordcapital.com Thu Oct 19 15:07:47 2006 From: tim.sattler at nordcapital.com (Sattler, Tim) Date: Thu Oct 19 15:08:18 2006 Subject: Issues with TNEF and Phishing Net options Message-ID: Hello, after upgrading from 4.49.7 to 4.56.8, I have a problem with two of the new options: 1) TNEF: The option "Use TNEF Contents = replace" does not work if also "Deliver Unparsable TNEF = yes" is set, i.e., the winmail.dat attachment will be delivered unchanged. However, if I set "Deliver Unparsable TNEF = no", the same winmail.dat attachment will be replaced with the files it contains. 2) Phishing Net: If the option "Use Stricter Phishing Net = no" is set, MailScanner does also tag hosts that are whitelisted in "Phishing Safe Sites File". Is this made by design? We run MailScanner 4.56.8 on Solaris 9 with sendmail as MTA. Best regards Tim From brian.duncan at kattenlaw.com Thu Oct 19 15:22:32 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Thu Oct 19 15:22:39 2006 Subject: Spam.whitelist.rules to avoid scanning outbound messages. (Not just marking as whitelisted but still processing) Message-ID: <65234743FE1555428435CE39E6AC4078B38ABF@CHI-US-EXCH-01.us.kmz.com> I have been using the spam.whitelist.rules to avoid marking any of my outbound messages as Spam. I have: From: IP yes 
From: IP yes For each IP of the boxes behind the Mailscanner/SpamAssassin server that relay outbound through it. My question is, is there a way to keep MailScanner from even scanning these messages? For all my outbound mail it lists it as being "white listed" and not Spam in the headers. But it still scans them. And then uses fuzzy ocr, and whatever other rules I have on outgoing mail server. It never marks ANYTHING as Spam so it is working.. but it still does the processing and lists all the rules that it failed, it just adds that it's white listed in there. Thanks =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. =========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). =========================================================== From MailScanner at ecs.soton.ac.uk Thu Oct 19 16:04:21 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 19 16:08:49 2006 Subject: Issues with TNEF and Phishing Net options In-Reply-To: References: Message-ID: <453793F5.8090704@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sattler, Tim wrote: > Hello, > > after upgrading from 4.49.7 to 4.56.8, I have a problem with two of the > new options: > > 1) TNEF: > The option "Use TNEF Contents = replace" does not work if also "Deliver > Unparsable TNEF = yes" is set, i.e., the winmail.dat attachment will be > delivered unchanged. However, if I set "Deliver Unparsable TNEF = no", > the same winmail.dat attachment will be replaced with the files it > contains. > Err... How come the winmail.dat could be parsed to find the files it contains, when you say that the winmail.dat file was unparsable? > 2) Phishing Net: > If the option "Use Stricter Phishing Net = no" is set, MailScanner does > also tag hosts that are whitelisted in "Phishing Safe Sites File". Is > this made by design? > I have fixed that. Will be in the next release. > We run MailScanner 4.56.8 on Solaris 9 with sendmail as MTA. > > Best regards > Tim > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFN5TNEfZZRxQVtlQRAqvxAJsFg0o2k77OMGnBP20fzy/Tlke/9wCfXXH7 EzgIVaxjCe7WHE2ML6h9K9s= =EyzH -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Thu Oct 19 16:10:03 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 19 16:11:37 2006 Subject: Spam.whitelist.rules to avoid scanning outbound messages. (Not just marking as whitelisted but still processing) In-Reply-To: <65234743FE1555428435CE39E6AC4078B38ABF@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38ABF@CHI-US-EXCH-01.us.kmz.com> Message-ID: <4537954B.7010601@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Look up the "Scan Messages" configuration setting. Duncan, Brian M. wrote: > I have been using the spam.whitelist.rules to avoid marking any of my > outbound messages as Spam. > > I have: > > From: IP yes 
> From: IP yes > > For each IP of the boxes behind the Mailscanner/SpamAssassin server that > relay outbound through it. > > My question is, is there a way to keep MailScanner from even scanning > these messages? For all my outbound mail it lists it as being "white > listed" and not Spam in the headers. But it still scans them. And then > uses fuzzy ocr, and whatever other rules I have on outgoing mail server. > It never marks ANYTHING as Spam so it is working.. but it still does the > processing and lists all the rules that it failed, it just adds that > it's white listed in there. > > Thanks >
> Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFN5V1EfZZRxQVtlQRAgXBAKDPeyvJdZS+wMZTblsW70SBs2Fp8QCg/eCn MYaONKqSkqM5eNVeIIxrJno= =PFvB -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ssilva at sgvwater.com Thu Oct 19 16:09:39 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 19 16:15:41 2006
Subject: Found 385 messages waiting
In-Reply-To: <223f97700610190020l6ddaa9c6j2960c579f21c928f@mail.gmail.com>
References: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl> <45363E46.1080700@USherbrooke.ca> <4536671A.7030904@USherbrooke.ca> <223f97700610190020l6ddaa9c6j2960c579f21c928f@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 10/19/2006 12:20 AM:
> On 18/10/06, Scott Silva wrote:
>> Denis Beauchemin spake the following on 10/18/2006 10:40 AM:
>> > Scott Silva wrote:
>> >> Denis Beauchemin spake the following on 10/18/2006 7:46 AM:
>> >>
>> >>> Mevershosting.nl wrote:
>> >>>
>> >>>> Mike, list,
>> >>>>
>> >>>> This is the script I use, it doesn't delete files but renames them. You
>> >>>> could stop mailscanner first in the script before running this, but I
>> >>>> found it doesn't really make a difference.
>> >>>>
>> >>>> snip
>> >>>>
>> >>> I use the following one-liner in root's crontab to remove files that
>> >>> don't have today's date (uses bash syntax on a RHEL 4 system):
>> >>> 19 9 * * * cd /var/spool/mqueue.in/ && /bin/rm -f $(/bin/ls -l /var/spool/mqueue.in/[dqt]* 2>/dev/null | /bin/grep -v "$(/bin/date '+\%b \%e')"|/bin/awk '{print $NF}') 2>/dev/null
>> >>>
>> >>> Denis
>> >>>
>> >>>
>> >> It would be better to use something that goes back at least the number of days
>> >> your system will retry for, something like;
>> >>
>> >> ...
>> > Scott,
>> >
>> > Not really since emails never stay that long in the mqueue.in
>> > directory. I have been careful enough to program it late in the morning
>> > (9:19). The only files that are still in mqueue.in at 9:19 are the
>> > leftovers with only one q/d file.
>> >
>> > Denis
>> >
>> Sorry, I posted without seeing that you were cleaning the in queue.
>> I/O error on my part. Or more of an ID10T error. I have to read slower in the
>> morning!
>
> This is where you need to switch beverage from L1QU0R to JAVA.... Sigh, I
> tire even myself with my lame sense of humour:-).
>
> Only thing to be careful with, regarding your cron-scriptlet Denis,
> would be if (for some unknowable reason) MailScanner wasn't moving
> things out of the in queue... Like an "extended error" on the weekend
> or somesuch (you do go on vacation from time to time?:-)... Other
> than that, the logic of it is flawless. Unfortunately (or because I'm
> just into my first cup of coffee:-) I don't really see a good way to
> determine that MS is moving things along.... The simple tests (that
> there are MS children about) would probably be enough, if one would
> want to implement something like that:-).
>

I have seen a script or two on the list that will only delete if there is not a matching pair of qf/df. That should take into account the orphans, but not mess with active mail. Since mailscanner moves the queue files by hard link in new directory/ unlink in old, there should be no danger of hurting files in progress.

As for the beverage switch, I would rather go the other direction! ;-)

-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From lisa.wu at syntricity.com Thu Oct 19 16:14:58 2006
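Added example, not part of any post in this thread: the pair-matching cleanup mentioned above, which treats a qf*/df* file in the incoming queue as an orphan only when its partner is missing and the file is older than a threshold. The function names, the 60-minute threshold and the refusal to delete while old complete pairs exist (a sign the scanner has stalled) are assumptions; nothing is removed unless `--delete` is passed.

```shell
#!/bin/sh
# Added example: find orphaned sendmail queue files in MailScanner's incoming
# queue. An orphan is a qf*/df* file whose partner is missing and that has
# not been modified for MIN_AGE minutes. Paths and threshold are assumptions.

# find_orphans DIR [MIN_AGE_MINUTES] -> one path per line, sorted
find_orphans() {
    dir=$1
    min_age=${2:-60}
    find "$dir" -maxdepth 1 -type f \( -name 'qf*' -o -name 'df*' \) \
        -mmin +"$min_age" 2>/dev/null | sort |
    while IFS= read -r path; do
        name=${path##*/}
        id=${name#??}                  # queue ID = file name minus qf/df
        case $name in
            qf*) partner=$dir/df$id ;;
            *)   partner=$dir/qf$id ;;
        esac
        # A partner of any age means the message is complete: leave it alone.
        if [ ! -e "$partner" ]; then printf '%s\n' "$path"; fi
    done
}

# count_stale_pairs DIR [MIN_AGE_MINUTES]
# Complete qf+df pairs older than the threshold. A non-zero count suggests
# MailScanner is not draining the queue, the case the thread warns about.
count_stale_pairs() {
    dir=$1
    min_age=${2:-60}
    find "$dir" -maxdepth 1 -type f -name 'qf*' -mmin +"$min_age" 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        if [ -e "$dir/df${name#qf}" ]; then printf '%s\n' "$path"; fi
    done | wc -l | tr -d ' '
}

# clean_orphans DIR MIN_AGE_MINUTES [--delete]
# Dry run unless --delete is given. Refuses to delete while stale complete
# pairs exist, since that points at a stalled scanner rather than at orphans.
clean_orphans() {
    mode=${3:-}
    if [ "$mode" = --delete ] && [ "$(count_stale_pairs "$1" "$2")" -gt 0 ]; then
        echo "stale complete pairs present; check MailScanner first" >&2
        return 1
    fi
    find_orphans "$1" "$2" | while IFS= read -r path; do
        if [ "$mode" = --delete ]; then
            rm -f -- "$path" && echo "removed $path"
        else
            echo "would remove $path"
        fi
    done
}

# demo: constructed queue (file names are made up) in a temporary directory.
demo() {
    q=$(mktemp -d)
    touch -t 200610190900 "$q/qfk9JA0001" "$q/dfk9JA0001" "$q/dfk9JA0002"
    touch "$q/qfk9JA0003"              # fresh file, may still be in progress
    echo "stale complete pairs: $(count_stale_pairs "$q" 60)"
    clean_orphans "$q" 60
    rm -rf "$q"
}

# Usage: sh orphans.sh demo
#        sh orphans.sh /var/spool/mqueue.in 120 [--delete]
case ${1:-} in
    demo) demo ;;
    "")   : ;;
    *)    clean_orphans "$@" ;;
esac
```

Run from cron as a dry run first and compare its output with what the date-based one-liner would have removed.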
From: lisa.wu at syntricity.com (Lisa Wu) Date: Thu Oct 19 16:16:17 2006 Subject: Sophos/MailScanner In-Reply-To: <006501c6ee4b$33801df0$9908a8c0@syntricity.com> Message-ID: <048701c6f391$5718fa20$9908a8c0@syntricity.com> Could it be that this line in my Sophos Update script is somehow creating an empty file string? wget -P$tmp $isite/$downloadfile || error_download So that when Mailscanner checks the "Monitors For Sophos Updates = /usr/local/updates/Sophos/savupd.tmp/*ides.zip" and finds an older ide file or a file that got renamed by some bug in wget does it cause the problem I'm experiencing with my queue? I've looked through the script and it seems like it should error out and exit before it even deletes the old ide file. Is there something I should know more about the "Monitors for Sophos Updates" parameter in Mailscanner? What exactly is it doing? Thanks, Lisa > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lisa Wu
> Sent: Thursday, October 12, 2006 3:10 PM
> To: 'MailScanner discussion'
> Subject: RE: Sophos/MailScanner
>
> Martin Hepworth wrote:
>
> > >>> Once in a while the server will fail to download its updates from Sophos.
> > >>> (The cause being that our T1 line went down). Then the mail log starts
> > >>> posting MailScanner error messages every 10 seconds until a successful
> > >>> update occurs:
> > >>>
> > >>> Sep 6 14:06:50 mail MailScanner[30864]: None of the files matched by the
> > >>> "Monitors For Sophos Updates" patterns exist!
> > >>>
> > >>> Because of this error the queue starts placing all messages on hold.
> > >
> > >
> > >> Lisa
> > >>
> > >> how are you updating the virus defs for Sophos?
> > >
> > >
> > > Martin,
> > >
> > > There is a cron job that runs the Sophos update script running once every
> > > hour.
> > >
> > > Thanks,
> > > Lisa
> > >
> > >
> >
> > Lisa
> >
> > Can you give a bit more info. Which cron job? it should be
> > update_virus_scanners which will do all the scanners you've defined in
> > MailScanner.conf.
> >
> > This script is reasonably failure proof as it downloads the updates into
> > a separate folder and only on success does it move the 'new' to 'live'
> > folders as it were.
> >
> > Also I presume you're using the MailScanner Sophos.Install script to
> > install your Sophos as well..?? As mailScanner expects Sophos V4 to be
> > in a non-default Sophos Directory.
> >
>
> Hi Martin,
>
> Here is the cron job that is running.
>
> 21 0-23/2 * * * /usr/local/updates/Sophos/savupd/savupd.sh > /dev/null
>
> I've attached a copy of the script that is being run.
>
> I did not set-up this server, so I don't know if the previous admin used the
> MailScanner Sophos.Install script to install Sophos. From how it looks it
> doesn't seem so.
>
> From what you stated in your last e-mail, should I be setting up a cronjob
> that uses a preconfigured update_virus_scanners script that was part of the
> MailScanner Sophos install?
>
> In my MailScanner.conf file
>
> Virus Scanners = sophossavi
>
> In my virus.scanners.conf file this is the entry for sophossavi
>
> sophossavi /bin/false /tmp
>
> Let me know if there's any other info you need from me.
>
> Thanks,
> Lisa

From ssilva at sgvwater.com Thu Oct 19 16:14:51 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 19 16:20:10 2006
Subject: FuzzyOcr working but not via MailScanner
In-Reply-To: <223f97700610190209t2db0c1e5jf37291839bbcd828@mail.gmail.com>
References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> <223f97700610190157s7f0bfb6fua56e6371bfe3510d@mail.gmail.com> <223f97700610190209t2db0c1e5jf37291839bbcd828@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 10/19/2006 2:09 AM:
> On 19/10/06, Glenn Steen wrote:
>> On 19/10/06, Glenn Steen wrote:
>> > On 19/10/06, Glenn Steen wrote:
>> > > On 19/10/06, Anthony Cartmell wrote:
>> > > > > I think you are on to something there Scott. I'll offer a guess...
>> > > > > Anthony, are you by any chance running Postfix?
>> > > >
>> > > > Nope, sendmail.
>> > >
>> > > OK. Was just a thought:-).
>> > >
>> > > > It seems to be a "search path" issue: MailScanner skips a lot of setup
>> > > > stuff that spamassassin does from the command line. From MailScanner, the
>> > > > whole /var/lib/spamassassin/3.001003 directory was being missed and hence
>> > > > a whole load of default rules.
>> > >
>> > > Are you running 3.1.3? I run 3.1.5 and have no such issues (I don't
>> > > have to set the MailScanner option, and it picks up/scores rules only
>> > > in files present in the update directory). Maybe you should upgrade
>> > > SA? If so, I can warmly recommend Jules' excellent package:).
>> > >
>> > > > FWIW, although I have all my .cf files being read now, FuzzyOcr still
>> > > > isn't being called. More investigation needed...
>> > >
>> > > Updating SA might have something to do with this too... And resetting
>> > > to the normal MailScanner option... As it is now, any cf file in
>> > > /etc/mail/spamassassin isn't read, right?
>> > > Sort of like "the wrong fix to the right problem" or some such:-):-).
>> > > As usual, I might be blathering a load of garbage too:-).
>> > >
>> > (just proving my PF "roots"....)
>> >
>> > I looked at SpamAssassin.pm, and this snippet is the clincher:
>> > -----
>> > @default_rules_path = (
>> >   '__local_state_dir__/__version__',
>> >   '__def_rules_dir__',
>> >   '__prefix__/share/spamassassin',
>> >   '/usr/local/share/spamassassin',
>> >   '/usr/share/spamassassin',
>> > );
>> > -----
>> > As you can see, the normal way to find the sa-updated files is via
>> > "__local_state_dir__/__version__", where __local_state_dir__ defaults
>> > to /var/lib/spamassassin .... and __version__ is set (just above that)
>> > to something like 3.00100X ... If you did an upgrade (and perhaps
>> > didn't do an sa-update afterwards) I suppose you could end up in a
>> > situation where the new SA version couldn't find the updated files, I
>> > suppose (someone a bit more fluent (than me) in how SA is instantiated
>> > will probably be able to tell if this supposition is correct).
>> > I suppose running sa-update should clear any such problem... And you
>> > might clear the FuzzyOcr problem by resetting the MailScanner option
>> > for site rules.
>> Hm, went and read the other thread you have (broken off:)... Ok, so
>> you set Default, not Site... Ok, I need more coffee too (not just
>> Scott:-):-)...
>> Anyway, you shouldn't need to set that either. It should be automagic
>> (and have nothing to do with spamc/d/assassin "glue", since it is set
>> in the main module...). Oh well. Off to the coffee machine:-).
>>
> Just a final thought (yeah, this shows the slow workings of *my*
> mind;-)... You wouldn't happen to have multiple SA installs, now would
> you?
>

See what a cup of coffee can stir up! My turn!! ;-)

-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Oct 19 16:29:46 2006
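Added example, not part of any post in this thread and not SpamAssassin's or MailScanner's own code: a check for the state described above, where the sa-update directory for the running version (for example /var/lib/spamassassin/3.001007) is missing and the lookup falls through to a later entry of the default rules path. Function names are hypothetical; the state directory, version and fallback directories are passed as arguments.

```shell
#!/bin/sh
# Added example (not SpamAssassin or MailScanner code): model the rules
# directory lookup discussed in the thread and flag an SA upgrade that was
# not followed by sa-update. Function names are hypothetical.

# sa_version_dir 3.1.7 -> 3.001007 (directory name used under the state dir)
sa_version_dir() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    printf '%d.%03d%03d\n' "$major" "${minor:-0}" "${patch:-0}"
}

# resolve_rules_dir STATE_DIR VERSION FALLBACK_DIR...
# Prints the first existing directory: STATE_DIR/<version dir> first, then
# each fallback in the order given, like the @default_rules_path list.
resolve_rules_dir() {
    state_dir=$1
    vdir=$(sa_version_dir "$2")
    shift 2
    for candidate in "$state_dir/$vdir" "$@"; do
        if [ -d "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# stale_update_dirs STATE_DIR VERSION
# Lists versioned directories left behind by other SA versions.
stale_update_dirs() {
    state_dir=$1
    vdir=$(sa_version_dir "$2")
    for d in "$state_dir"/[0-9]*.[0-9]*; do
        [ -d "$d" ] || continue
        if [ "${d##*/}" != "$vdir" ]; then printf '%s\n' "${d##*/}"; fi
    done
}

# check_sa_rules STATE_DIR VERSION FALLBACK_DIR...
# Returns 0 when the sa-update directory for this version is in use,
# 1 when a fallback is used instead, 2 when no candidate exists.
check_sa_rules() {
    state_dir=$1
    version=$2
    used=$(resolve_rules_dir "$@") || { echo "no rules directory found"; return 2; }
    want=$state_dir/$(sa_version_dir "$version")
    if [ "$used" = "$want" ]; then
        echo "OK: using $used"
        return 0
    fi
    echo "WARNING: $want missing, falling back to $used"
    stale=$(stale_update_dirs "$state_dir" "$version" | tr '\n' ' ')
    if [ -n "$stale" ]; then
        echo "update dirs from other versions: $stale(run sa-update)"
    fi
    return 1
}

# demo: constructed tree matching the case in the thread, where 3.001001
# exists but 3.001007 was never created after the upgrade.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/var/lib/spamassassin/3.001001" "$t/usr/share/spamassassin"
    check_sa_rules "$t/var/lib/spamassassin" 3.1.7 "$t/usr/share/spamassassin"
    rm -rf "$t"
}

# Usage: sh check.sh demo
#        sh check.sh /var/lib/spamassassin 3.1.7 /usr/share/spamassassin
case ${1:-} in
    demo) demo ;;
    "")   : ;;
    *)    check_sa_rules "$@" ;;
esac
```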
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 19 16:31:18 2006 Subject: Spam.whitelist.rules to avoid scanning outbound messages. (Not just marking as whitelisted but still processing) In-Reply-To: <65234743FE1555428435CE39E6AC4078B38ABF@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38ABF@CHI-US-EXCH-01.us.kmz.com> Message-ID: Duncan, Brian M. spake the following on 10/19/2006 7:22 AM: > I have been using the spam.whitelist.rules to avoid marking any of my > outbound messages as Spam. > > I have: > > From: IP yes > From: IP yes > > For each IP of the boxes behind the Mailscanner/SpamAssassin server that > relay outbound through it. > > My question is, is there a way to keep MailScanner from even scanning > these messages? For all my outbound mail it lists it as being "white > listed" and not Spam in the headers. But it still scans them. And then > uses fuzzy ocr, and whatever other rules I have on outgoing mail server. > It never marks ANYTHING as Spam so it is working.. but it still does the > processing and lists all the rules that it failed, it just adds that > it's white listed in there. > > Thanks Do you have the option Always Include SpamAssassin Report = yes ? That will have that effect. You can use a ruleset here also. Just the same ip addresses, but no instead of yes. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From tim.sattler at nordcapital.com Thu Oct 19 16:33:53 2006 
From: tim.sattler at nordcapital.com (Sattler, Tim) Date: Thu Oct 19 16:34:24 2006 Subject: Issues with TNEF and Phishing Net options In-Reply-To: <453793F5.8090704@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > > The option "Use TNEF Contents = replace" does not work if also "Deliver > > Unparsable TNEF = yes" is set, i.e., the winmail.dat attachment will be > > delivered unchanged. However, if I set "Deliver Unparsable TNEF = no", > > the same winmail.dat attachment will be replaced with the files it > > contains. > > > Err... How come the winmail.dat could be parsed to find the files it > contains, when you say that the winmail.dat file was unparsable? Let me try to clarify things: The winmail.dat that I used for testing is definitely parsable. I can readily extract the files manually with tnef. So if I set "Deliver Unparsable TNEF = no" and the winmail.dat will be replaced, everything works just as one would expect. However, if I set "Deliver Unparsable TNEF = yes", the winmail.dat will _not_ be replaced, although this shouldn't make a difference as the winmail.dat is parsable anyway. Best regards Tim From brian.duncan at kattenlaw.com Thu Oct 19 16:43:14 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Oct 19 16:43:23 2006
Subject: Spam.whitelist.rules to avoid scanning outbound messages. (Not just marking as whitelisted but still processing)
Message-ID: <65234743FE1555428435CE39E6AC4078B38AC4@CHI-US-EXCH-01.us.kmz.com>

> Do you have the option Always Include SpamAssassin Report = yes ?
> That will have that effect. You can use a ruleset here also.
> Just the same ip addresses, but no instead of yes.

Yes I did, doh I only use that because I would like the scores even if stuff does not fail. I did not think about the fact that it would also be used on outgoing. I turned it to no, and then sure enough outgoing was not scanned for Spam. So I can use a ruleset to not include reports on messages originating from my internal relays, so I can still get reports on all incoming messages.

Thanks much!

From brian.duncan at kattenlaw.com Thu Oct 19 16:50:25 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Oct 19 16:50:32 2006
Subject: Spam.whitelist.rules to avoid scanning outbound messages. (Not just marking as whitelisted but still processing)
Message-ID: <65234743FE1555428435CE39E6AC4078B38AC5@CHI-US-EXCH-01.us.kmz.com>

> Do you have the option Always Include SpamAssassin Report = yes ?
> That will have that effect. You can use a ruleset here also.
> Just the same ip addresses, but no instead of yes.
>

Just to verify, would this accomplish what I want? (All my internal mail servers are on a 10. subnet) I want everything coming from outside to still always receive the report. (Not sure if I need a From: * yes after the no below)

From MailScanner.conf:

Always Include SpamAssassin Report = /etc/MailScanner/report.alwaysinclude.conf

From /etc/MailScanner/report.alwaysinclude.conf:

From: 10. no

Thanks for your help

From ka at pacific.net Thu Oct 19 16:54:17 2006
From: ka at pacific.net (Ken A) Date: Thu Oct 19 16:52:23 2006 Subject: OT: How do you block servers sending oversize messages? In-Reply-To: References: Message-ID: <45379FA9.4080208@pacific.net> Why don't you put a box at some well fed colo somewhere else and filter incoming mail at that point? Given that 80% is spam anyway, you'd probably save quite a bit of bandwidth on your 64k frame. As long as you control the DNS you could switch back to your local box if you needed to. Ken A. Pacific.Net Jim Holland wrote: > This is a sendmail problem, but hope it's OK to ask here. > > MANGO has only a 64k connection to the Internet. We have a major problem > with ISPs (mainly Yahoo and Gmail) that don't implement the SMTP SIZE > extension. So when they send us a 10 MB message, for example, we can't > reject the message until they have sent us the whole message. That is a > total and serious waste of bandwidth, particularly when some idiot sends > us half a dozen 10 MB bmp files for example. > > On our side we can see the incoming df file growing in size in mqueue.in, > and can suspect from the sending server that it is going to be a problem, > but obviously can't be sure until it hits our message size limit (1.5 MB). > At that point the df file stops increasing in size and we know it's a > problem. > > The manual solution at that point is to determine the sender's IP address, > block that in the access file with an appropriate error message, kill the > process id associated with the connection and then delete the df file. > Then wait until they next connect and get rejected, and then re-enable the > IP in the access file once more (and hope that they don't do it all over > again). > > The above response is definitely worth doing during our peak times as it > frees up significant bandwidth. I could (why don't I?) write a script to > monitor and automate the process. 
However the problem is fairly > fundamental, and I wonder if others are concerned about this issue and > whether they have solutions of their own. > > I have written to Gmail via a third party who knows the developers there > and am told they will think about it and possibly implement an upgrade at > some stage. I don't know how to get hold of anyone interested at Yahoo. > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > From martinh at solidstatelogic.com Thu Oct 19 17:01:54 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Oct 19 17:02:10 2006 Subject: Sophos/MailScanner In-Reply-To: <048701c6f391$5718fa20$9908a8c0@syntricity.com> References: <048701c6f391$5718fa20$9908a8c0@syntricity.com> Message-ID: <4537A172.4000005@solidstatelogic.com> Lisa Wu wrote: > Could it be that this line in my Sophos Update script is somehow creating an > empty file string? > > wget -P$tmp $isite/$downloadfile || error_download > > So that when Mailscanner checks the "Monitors For Sophos Updates = > /usr/local/updates/Sophos/savupd.tmp/*ides.zip" and finds an older ide file > or a file that got renamed by some bug in wget does it cause the problem I'm > experiencing with my queue? I've looked through the script and it seems like > it should error out and exit before it even deletes the old ide file. > > Is there something I should know more about the "Monitors for Sophos > Updates" parameter in Mailscanner? What exactly is it doing? > > Thanks, > Lisa > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lisa Wu
>> Sent: Thursday, October 12, 2006 3:10 PM
>> To: 'MailScanner discussion'
>> Subject: RE: Sophos/MailScanner
>>
>> Martin Hepworth wrote:
>>
>>>>>> Once in a while the server will fail to download its updates from Sophos.
>>>>>> (The cause being that our T1 line went down). Then the mail log starts
>>>>>> posting MailScanner error messages every 10 seconds until a successful
>>>>>> update occurs:
>>>>>>
>>>>>> Sep 6 14:06:50 mail MailScanner[30864]: None of the files matched by the
>>>>>> "Monitors For Sophos Updates" patterns exist!
>>>>>>
>>>>>> Because of this error the queue starts placing all messages on hold.
>>>>
>>>>> Lisa
>>>>>
>>>>> how are you updating the virus defs for Sophos?
>>>>
>>>> Martin,
>>>>
>>>> There is a cron job that runs the Sophos update script running once every
>>>> hour.
>>>>
>>>> Thanks,
>>>> Lisa
>>>>
>>>>
>>> Lisa
>>>
>>> Can you give a bit more info. Which cron job? it should be
>>> update_virus_scanners which will do all the scanners you've defined in
>>> MailScanner.conf.
>>>
>>> This script is reasonably failure proof as it downloads the updates into
>>> a separate folder and only on success does it move the 'new' to 'live'
>>> folders as it were.
>>>
>>> Also I presume you're using the MailScanner Sophos.Install script to
>>> install your Sophos as well..?? As mailScanner expects Sophos V4 to be
>>> in a non-default Sophos Directory.
>>>
>> Hi Martin,
>>
>> Here is the cron job that is running.
>>
>> 21 0-23/2 * * * /usr/local/updates/Sophos/savupd/savupd.sh > /dev/null
>>
>> I've attached a copy of the script that is being run.
>>
>> I did not set-up this server, so I don't know if the previous admin used the
>> MailScanner Sophos.Install script to install Sophos. From how it looks it
>> doesn't seem so.
>>
>> From what you stated in your last e-mail, should I be setting up a cronjob
>> that uses a preconfigured update_virus_scanners script that was part of the
>> MailScanner Sophos install?
>>
>> In my MailScanner.conf file
>>
>> Virus Scanners = sophossavi
>>
>> In my virus.scanners.conf file this is the entry for sophossavi
>>
>> sophossavi /bin/false /tmp
>>
>> Let me know if there's any other info you need from me.
>>
>> Thanks,
>> Lisa
>

Lisa

could be - also check the filename. I know the freebsd ones contain a '+' character which can throw things out..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From ssilva at sgvwater.com Thu Oct 19 17:14:20 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 19 17:14:47 2006 Subject: OT: How do you block servers sending oversize messages? In-Reply-To: <45379FA9.4080208@pacific.net> References: <45379FA9.4080208@pacific.net> Message-ID: > Jim Holland wrote: >> This is a sendmail problem, but hope it's OK to ask here. >> >> MANGO has only a 64k connection to the Internet. We have a major >> problem with ISPs (mainly Yahoo and Gmail) that don't implement the >> SMTP SIZE extension. So when they send us a 10 MB message, for >> example, we can't reject the message until they have sent us the whole >> message. That is a total and serious waste of bandwidth, particularly >> when some idiot sends us half a dozen 10 MB bmp files for example. >> >> On our side we can see the incoming df file growing in size in mqueue.in, >> and can suspect from the sending server that it is going to be a problem, >> but obviously can't be sure until it hits our message size limit (1.5 >> MB). At that point the df file stops increasing in size and we know >> it's a >> problem. >> >> The manual solution at that point is to determine the sender's IP >> address, >> block that in the access file with an appropriate error message, kill the >> process id associated with the connection and then delete the df >> file. Then wait until they next connect and get rejected, and then >> re-enable the >> IP in the access file once more (and hope that they don't do it all >> over again). >> >> The above response is definitely worth doing during our peak times as it >> frees up significant bandwidth. I could (why don't I?) write a script to >> monitor and automate the process. However the problem is fairly >> fundamental, and I wonder if others are concerned about this issue and >> whether they have solutions of their own. >> I have written to Gmail via a third party who knows the developers there >> and am told they will think about it and possibly implement an upgrade at >> some stage. 
I don't know how to get hold of anyone interested at Yahoo. >> >> Regards >> >> Jim Holland >> System Administrator >> MANGO - Zimbabwe's non-profit e-mail service >> > Ken A spake the following on 10/19/2006 8:54 AM: > Why don't you put a box at some well fed colo somewhere else and filter > incoming mail at that point? Given that 80% is spam anyway, you'd > probably save quite a bit of bandwidth on your 64k frame. As long as you > control the DNS you could switch back to your local box if you needed to. > Ken A. > Pacific.Net > If your bandwidth is real expensive, the reduction might even pay for this colocated server,or even save some money. But if you can't find one in Zimbabwe to your liking or budget, how difficult is it for you to get something out of the country? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From H.de.Vries at philos.rug.nl Thu Oct 19 17:49:49 2006 
From: H.de.Vries at philos.rug.nl (Hauke de Vries)
Date: Thu Oct 19 17:50:21 2006
Subject: OT: need help installing FuzzyOCR
In-Reply-To: <453678D9.4020009@netmagicsolutions.com>
References: <01d901c6f2db$c03ef970$3701a8c0@lapxp>, <45366F0F.3000201@ecs.soton.ac.uk>, <453678D9.4020009@netmagicsolutions.com>
Message-ID: <4537C8CD.8276.104320DD@H.de.Vries.philos.rug.nl>

Good work, but you will see that Jorge Valdes on
http://www.joval.info/proj/FuzzyOcr.html
has developed further on FuzzyOcr. At early stages ImageMagick was needed, later he abandoned it and Jorge Valdes reintroduced IM.

I had a tough time rebuilding PerlMagick. I'm on FC4 so wanted the latest. If you don't like the hassle, then install ImageMagick(-perl) thru yum.

First I tried:

cpan> install Magick::Perl

which failed miserably, because it needs the accompanying libraries. So downloaded IM.tar.bz2 to /usr/src/redhat/SOURCES. Created and edited an IM.spec from an older release and put it in /usr/src/redhat/SPECS and then

rpmbuild -ba IM.spec

with a lot of warnings. Installed the files and tested FuzzyOcr: "Unknown symbol: InitializeMagick". Weird, and I finally created some symlinks in /usr/lib (for lib{Magick,Wand}), then ldconfig, cwd perl, and

perl MakePerl.PL
make
make test
make install

This worked and I can't tell you why it couldn't find the correct libs at build-time?!?

Anyway I'm running the latest FuzzyOcr in debug mode and so-far-so-good. Only problem seems to be that gocr can't handle text on colored background well.

Create a test.eml with graphic and

spamassassin -D --lint \
-p /etc/mail/spamassassin/mailscanner.cf \
< test.eml 2>&1 | tee test.debug

Restarting MailScanner is not needed because when SA is invoked it seems to reread everything.

Hauke

On 19 Oct 2006 at 0:26 Dhawal Doshy wrote:

> Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Please can you add it to the SpamAssassin section of the MailScanner
> > wiki!
> >
> > It is important to keep and share stuff like this.
>
> Done,
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:fuzzyocr
>
> Now some who actually uses this could please verify/validate the
> instructions.
>
> - dhawal

From daniel.maher at ubisoft.com Thu Oct 19 18:47:14 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Thu Oct 19 18:47:20 2006
Subject: OT: need help installing FuzzyOCR
In-Reply-To: <4537C8CD.8276.104320DD@H.de.Vries.philos.rug.nl>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20369FE00@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Hauke de Vries
> Sent: October 19, 2006 12:50 PM
> To: MailScanner discussion
> Subject: Re: OT: need help installing FuzzyOCR
>
> Good work, but you will see that Jorge Valdes on
> http://www.joval.info/proj/FuzzyOcr.html
> has developed further on FuzzyOcr.

It may be worth noting that Jorge's code is to be considered /beta at best/. As I understand it, when Jorge's code passes peer review and production testing, it will be merged with Decoder's base.

YMMV.

--
 _
°v°    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From glenn.steen at gmail.com Thu Oct 19 18:55:34 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 18:55:40 2006 Subject: Found 385 messages waiting In-Reply-To: References: <78964AB012E2A247BA86E219659F235C6DD3B8@mevers1.meverskantoor.nl> <45363E46.1080700@USherbrooke.ca> <4536671A.7030904@USherbrooke.ca> <223f97700610190020l6ddaa9c6j2960c579f21c928f@mail.gmail.com> Message-ID: <223f97700610191055r673fb80etbb468d0bed6b1a3a@mail.gmail.com> On 19/10/06, Scott Silva wrote: > Glenn Steen spake the following on 10/19/2006 12:20 AM: > > On 18/10/06, Scott Silva wrote: > >> Denis Beauchemin spake the following on 10/18/2006 10:40 AM: > >> > Scott Silva a écrit : > >> >> Denis Beauchemin spake the following on 10/18/2006 7:46 AM: > >> >> > >> >>> Mevershosting.nl a écrit : > >> >>> > >> >>>> Mike, list, > >> >>>> > >> >>>> This is the script I use, it doesn't delete files but renames them. > >> You > >> >>>> could stop mailscanner first in the script before running this, > >> but I > >> >>>> found it doesn't really make a difference. > >> >>>> > >> >>>> snip > >> >>>> > >> >>> I use the following one-liner in root's crontab to remove files that > >> >>> don't have today's date (uses bash syntax on a RHEL 4 system): > >> >>> 19 9 * * * cd /var/spool/mqueue.in/ && /bin/rm -f $(/bin/ls -l > >> >>> /var/spool/mqueue.in/[dqt]* 2>/dev/null | /bin/grep -v "$(/bin/date > >> >>> '+\%b \%e')"|/bin/awk '{print $NF}') 2>/dev/null > >> >>> > >> >>> Denis > >> >>> > >> >>> > >> >> It would be better to use something that goes back at least the number > >> >> of days > >> >> your system will retry for, something like; > >> >> > >> >> ... > >> > Scott, > >> > > >> > Not really since emails never stay that long in the mqueue.in > >> > directory. I have been careful enough to program it late in the > >> morning > >> > (9:19). The only files that are still in mqueue.in at 9:19 are the > >> > leftovers with only one q/d file. > >> > > >> > Denis > >> > > >> Sorry, I posted without seeing that you were cleaning the in queue. 
> >> I/O error on my part. Or more of an ID10T error. I have to read slower > >> in the > >> morning! > > > > This is where you need switch beverage from L1QU0R to JAVA.... Sigh, I > > tire even myself with my lame sense of humour:-). > > > > Only thing to be careful with, regarding your cron-scriptlet Denis, > > would be if (for some unknowable reason) MailScanner wasn't moving > > things out of the in queue... Like an "extended error" on the weekend > > or somesuch (you do go on vacation from time to time?:-)... Other > > than that, the logic of it is flawless. Unfortunately (or because I'm > > just into my first cup of coffee:-) I don't really see a good way to > > determine that MS is moving things along.... The simple tests (that > > there are MS children about) would probably be enough, if one would > > want to implement something like that:-). > > > I have seen a script or two on the list that will only delete if there is not > a matching pair of qf/df. That should take into account the orphans, but not > mess with active mail. Since mailscanner moves the queue files by hard link in > new directory/ unlink in old, there should be no danger of hurting files in > progress. Yes of course, no argument there. > As for the beverage switch, I would rather go the other direction! ;-) Ah yes... Although I've been told that if one does that too frequently during the week, one might get branded as an "alcoholic":-)... Unfortunately for me I'll be stone sober this whole weekend... I suppose the users/PHB will appreciate this, since that'll make it less likely that I will have done something silly with the new network gear;-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Oct 19 18:58:33 2006 
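The pair-matching approach mentioned in the thread above, written out as an added example (not a script from the list or from MailScanner): a qf or df file counts as an orphan only when its partner is missing and it is older than a cutoff, and it is moved to a holding directory rather than deleted. The directory names, the one-day cutoff and the sample file names are constructed for the demonstration.

```python
import os
import stat
import tempfile
import time

# sendmail keeps each queued message as a qf (envelope/headers) and a df (body)
# file sharing one queue id; a file whose partner is missing is an orphan.
PARTNER = {"qf": "df", "df": "qf"}


def find_orphans(queue_dir, min_age_seconds, now=None):
    """Return sorted names of qf/df files with no partner, older than the cutoff."""
    now = time.time() if now is None else now
    names = set(os.listdir(queue_dir))
    orphans = []
    for name in sorted(names):
        prefix, queue_id = name[:2], name[2:]
        if prefix not in PARTNER or not queue_id:
            continue  # tf/xf and unrelated files are left alone
        if PARTNER[prefix] + queue_id in names:
            continue  # complete pair: live mail, never touched, however old
        try:
            info = os.lstat(os.path.join(queue_dir, name))
        except FileNotFoundError:
            continue  # moved on since the directory listing was taken
        if not stat.S_ISREG(info.st_mode):
            continue
        # A lone df can be a message still being received, so require age.
        if now - info.st_mtime >= min_age_seconds:
            orphans.append(name)
    return orphans


def hold_orphans(queue_dir, holding_dir, min_age_seconds, now=None):
    """Move orphans into holding_dir (same filesystem) instead of deleting them."""
    os.makedirs(holding_dir, exist_ok=True)
    moved = []
    for name in find_orphans(queue_dir, min_age_seconds, now):
        prefix, queue_id = name[:2], name[2:]
        # Re-check just before the move in case the partner has arrived.
        if os.path.exists(os.path.join(queue_dir, PARTNER[prefix] + queue_id)):
            continue
        try:
            os.rename(os.path.join(queue_dir, name),
                      os.path.join(holding_dir, name))
        except FileNotFoundError:
            continue
        moved.append(name)
    return moved


def demo():
    """Build a constructed queue in a temp dir and run both functions on it."""
    now = 1_161_300_000  # fixed reference time so the result is repeatable
    day = 86400
    sample = {                    # constructed file names and ages
        "qfk9JA0001": 3 * day,    # complete pair, old -> kept
        "dfk9JA0001": 3 * day,
        "dfk9JB0002": 2 * day,    # lone body, old -> orphan
        "qfk9JC0003": 5 * day,    # lone envelope, old -> orphan
        "dfk9JD0004": 60,         # lone body, one minute old -> still arriving
        "tfk9JE0005": 4 * day,    # temp file -> ignored
    }
    with tempfile.TemporaryDirectory() as root:
        queue = os.path.join(root, "mqueue.in")
        held = os.path.join(root, "held")
        os.mkdir(queue)
        for name, age in sample.items():
            path = os.path.join(queue, name)
            open(path, "w").close()
            os.utime(path, (now - age, now - age))
        found = find_orphans(queue, day, now)
        moved = hold_orphans(queue, held, day, now)
        return found, moved, sorted(os.listdir(queue)), sorted(os.listdir(held))


if __name__ == "__main__":
    print(demo())
```

Because complete pairs are skipped regardless of age, a stalled MailScanner that leaves paired mail sitting in the incoming queue does not lose anything to this cleanup.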
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 19 18:58:37 2006 Subject: FuzzyOcr working but not via MailScanner In-Reply-To: References: <01d701c6f2db$16346550$3701a8c0@lapxp> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> <223f97700610190157s7f0bfb6fua56e6371bfe3510d@mail.gmail.com> <223f97700610190209t2db0c1e5jf37291839bbcd828@mail.gmail.com> Message-ID: <223f97700610191058l735cb404p2debc2da1556a350@mail.gmail.com> On 19/10/06, Scott Silva wrote: > Glenn Steen spake the following on 10/19/2006 2:09 AM: > > On 19/10/06, Glenn Steen wrote: > >> On 19/10/06, Glenn Steen wrote: > >> > On 19/10/06, Glenn Steen wrote: > >> > > On 19/10/06, Anthony Cartmell wrote: > >> > > > > I think you are on to something there Scott. I'll offer a > >> guess... > >> > > > > Anthony, are you by any chance running Postfix? > >> > > > > >> > > > Nope, sendmail. > >> > > > >> > > OK. Was just a thought:-). > >> > > > >> > > > It seems to be a "search path" issue: MailScanner skips a lot of > >> setup > >> > > > stuff that spamassassin does from the command line. From > >> MailScanner, the > >> > > > whole /var/lib/spamassassin/3.001003 directory was being missed > >> and hence > >> > > > a whole load of default rules. > >> > > > >> > > Are you running 3.1.3? I run 3.1.5 and have no such issues (I don't > >> > > have to set the MailScanner option, and it picks up/scores rules only > >> > > in files present in the update directory). Maybe you should upgrade > >> > > SA? If so, I can warmly recommend Jules excellent package:). > >> > > > >> > > > FWIW, although I have all my .cf files being read now, FuzzyOcr > >> still > >> > > > isn't being called. More investigation needed... > >> > > > >> > > Updating SA might have something to do with this too... And resetting > >> > > to the normal MailScanner option... 
As it is now, any cf file in > >> > > /etc/mail/spamassassin isn't read, right? > >> > > Sort of like "the wrong fix to the right problem" or some such:-):-). > >> > > As usual, I might be blathering a load of garbage too:-). > >> > > > >> > (just proving my PF "roots"....) > >> > > >> > I looked at SpamAssassin.pm, and this snippet is the clicher: > >> > ----- > >> > @default_rules_path = ( > >> > '__local_state_dir__/__version__', > >> > '__def_rules_dir__', > >> > '__prefix__/share/spamassassin', > >> > '/usr/local/share/spamassassin', > >> > '/usr/share/spamassassin', > >> > ); > >> > ----- > >> > As you can see, the normal way to find the sa-updated files is via > >> > "__local_state_dir__/__version__", where __local_state_dir__ defautls > >> > to /var/lib/spamassassin .... and __version__ is set (just above that) > >> > to something like 3.00100X ... If you did an upgrade (and perhaps > >> > didn't do an sa-update afterwards) I suppose you could end up in a > >> > situation where the new SA version couldn't find the updated files, I > >> > suppose (someone a bit more fluent (than me) in how SA is instantiated > >> > will probably eb able to tell if this supposition is correct). > >> > I suppose running sa-update should clear any such problem... And you > >> > might clear the FuzzyOcr problem by resetting the MailScanner option > >> > for site rules. > >> Hm, went and read the other thread you have (broken off:)... Ok, so > >> you set Default, not Site... Ok, I need more coffee too (not just > >> Scott:-):-)... > >> Anyway, you shouldn't need set that either. It should be automagic > >> (and have nothing to do with spamc/d/assassin "glue", since it is set > >> in the main module...). Oh well. Off to the coffee machine:-). > >> > > Just a final thought (yeah, this show the slow workings of *my* > > mind;-)... You wouldn't happen to have multiple SA installs, now would > > you? > > > See what a cup of coffee can stir up! > > My turn!! 
;-) One of the high points of this list is its mature debate and highly intellectual standards... Eh, or not:-D -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From lisa.wu at syntricity.com Thu Oct 19 19:03:46 2006 
From: lisa.wu at syntricity.com (Lisa Wu) Date: Thu Oct 19 19:04:54 2006 Subject: Sophos/MailScanner In-Reply-To: <4537A172.4000005@solidstatelogic.com> Message-ID: <049c01c6f3a8$ec16a480$9908a8c0@syntricity.com> Martin Hepworth wrote: > > > >> > >>>>>> Once in a while the server will fail to download its updates from > >>> Sophos. > >>>>>> (The cause being that our T1 line went down). Then the mail log > >> starts > >>>>>> posting MailScanner error messages every 10 seconds until a > >> successful > >>>>>> update occurs: > >>>>>> > >>>>>> Sep 6 14:06:50 mail MailScanner[30864]: None of the files matched > by > >>> the > >>>>>> "Monitors For Sophos Updates" patterns exist! > >>>>>> > >>>>>> Because of this error the queue starts placing all messages on > hold. > >>>> > >>>>> Lisa > >>>>> > >>>>> how are you updating the virus defs for Sophos? > >>>> > >>>> Martin, > >>>> > >>>> There is a cron job that runs the Sophos update script running once > >>> every > >>>> hour. > >>>> > >>>> Thanks, > >>>> Lisa > >>>> > >>>> > >>> Lisa > >>> > >>> Can you give a bit more info. Which cron job? is should be > >>> update_virus_scanners which will do all the scanners you've defined in > >>> MailScanner.conf. > >>> > >>> This script is reasonbly failure proof as it downloads the updates > into > >>> a separate folder and only on success does it move the 'new' to 'live' > >>> folders as it were. > >>> > >>> Also i presume your using the MailScanner Sophos.Install script to > >>> install your Sophos as well..?? AS mailScanner expects Sophos V4 to be > >>> in a non-default Sophos Directory. > >>> > >> Hi Martin, > >> > >> Here is the cron job that is running. > >> > >> 21 0-23/2 * * * /usr/local/updates/Sophos/savupd/savupd.sh > /dev/null > >> > >> I've attached a copy of the script that is being run. > >> > >> I did not set-up this server, so I don't know if the previous admin > used > >> the > >> MailScanner Sophos.Install script to install Sophos. 
From how it looks > it > >> doesn't seem so. > >> > >> >From what you stated in your last e-mail, should I be setting up a > >> cronjob > >> that uses a preconfigured update_virus_scanners script that was part of > >> the > >> MailScanner Sophos install? > >> > >> In my MailScanner.conf file > >> > >> Virus Scanners = sophossavi > >> > >> In my virus.scanners.conf file this is the entry for sophossavi > >> > >> sophossavi /bin/false /tmp > >> > >> Let me know if there's any other info you need from me. > >> > >> Thanks, > >> Lisa > > Could it be that this line in my Sophos Update script is somehow > creating an > > empty file string? > > > > wget -P$tmp $isite/$downloadfile || error_download > > > > So that when Mailscanner checks the "Monitors For Sophos Updates = > > /usr/local/updates/Sophos/savupd.tmp/*ides.zip" and finds an older ide > file > > or a file that got renamed by some bug in wget does it cause the problem > I'm > > experiencing with my queue? I've looked through the script and it seems > like > > it should error out and exit before it even deletes the old ide file. > > > > Is there something I should know more about the "Monitors for Sophos > > Updates" parameter in Mailscanner? What exactly is it doing? > > > > Thanks, > > Lisa > > > Lisa > > could be - also check the filename. I know the freebsd ones contain a > '+' character which can throw things out.. > Martin, Mailscanner is looking for any ides.zip Monitors For Sophos Updates = /usr/local/updates/Sophos/savupd.tmp/*ides.zip Just to make sure I'm following things correctly, if wget fails and Mailscanner finds a file in the directory that does not match the *ides.zip criteria, even though there may be a valid ides.zip file in that directory, will Mailscanner error out? Is it because this random file has an updated time stamp compared to the older ide file? 
This is all theorizing; since this hasn't happened in a while I'm not sure what files are in that directory path when the download script fails.

Thanks,
Lisa

From brian.duncan at kattenlaw.com Thu Oct 19 20:34:03 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Oct 19 20:34:08 2006
Subject: Spam.whitelist.rules to avoid scanning outbound messages. (Not just marking as whitelisted but still processing)
Message-ID: <65234743FE1555428435CE39E6AC4078B38AD1@CHI-US-EXCH-01.us.kmz.com>

Thanks I wound up using the part of the config that Julian recommended.

I wanted to comment that IP's work fine also. Both /32 and /16 listed addresses. Based on the comments of the config it looked like domain names would only be accepted.

Thanks a lot Julian for your help.

# The purpose of this option is to set it to be a ruleset, so that you
# can skip all scanning of mail destined for some of your users/customers
# and still scan all the rest.
# A sample ruleset would look like this:
# To: bad.customer.com no
# From: ignore.domain.com no
# FromOrTo: default yes
# That will scan all mail except mail to bad.customer.com and mail from
# ignore.domain.com. To set this up, put the 3 lines above into a file
# called /etc/MailScanner/rules/scan.messages.rules and set the next line to
# Scan Messages = %rules-dir%/scan.messages.rules
# This can also be the filename of a ruleset (as illustrated above).
Scan Messages = %rules-dir%/scan.messages.rules

scan.messages.rules:

From: 10.9.1.10 no
From: 10.9.1.11 no
From: 10.2. no
FromOrTo: default yes

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Thursday, October 19, 2006 10:10 AM > To: MailScanner discussion > Subject: Re: Spam.whitelist.rules to avoid scanning outbound > messages. (Not just marking as whitelisted but still processing) > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Look up the "Scan Messages" configuration setting. > > Duncan, Brian M. wrote: > > I have been using the spam.whitelist.rules to avoid marking > any of my > > outbound messages as Spam. > > > > I have: > > > > From: IP yes 
> > From: IP yes > > > > For each IP of the boxes behind the Mailscanner/SpamAssassin server > > that relay outbound through it. > > > > My question is, is there a way to keep MailScanner from > even scanning > > these messages? For all my outbound mail it lists it as > being "white > > listed" and not Spam in the headers. But it still scans them. And > > then uses fuzzy ocr, and whatever other rules I have on > outgoing mail server. > > It never marks ANYTHING as Spam so it is working.. but it > still does > > the processing and lists all the rules that it failed, it just adds > > that it's white listed in there. > > > > Thanks > > > > =========================================================== > > CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing > Practice Before the Internal Revenue Service, any tax advice > contained herein is not intended or written to be used and > cannot be used by a taxpayer for the purpose of avoiding tax > penalties that may be imposed on the taxpayer. > > =========================================================== > > CONFIDENTIALITY NOTICE: > > This electronic mail message and any attached files contain > information intended for the exclusive use of the individual > or entity to whom it is addressed and may contain information > that is proprietary, privileged, confidential and/or exempt > from disclosure under applicable law. If you are not the > intended recipient, you are hereby notified that any viewing, > copying, disclosure or distribution of this information may > be subject to legal restriction or sanction. Please notify > the sender, by electronic mail or telephone, of any > unintended recipients and delete the original message without > making any copies. > > =========================================================== > > NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois > limited liability partnership that has elected to be governed > by the Illinois Uniform Partnership Act (1997). 
> > =========================================================== > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFFN5V1EfZZRxQVtlQRAgXBAKDPeyvJdZS+wMZTblsW70SBs2Fp8QCg/eCn > MYaONKqSkqM5eNVeIIxrJno= > =PFvB > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From res at ausics.net Thu Oct 19 21:45:52 2006 
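A skip-scan ruleset like the scan.messages.rules posted above can be audited before it goes live. The following added example (not from the thread and not MailScanner's own code) walks the posted rules top to bottom against constructed client IPs and totals the addresses that would bypass scanning; the first-match order, the whole-octet reading of `10.2.`, the positional handling of `default` and all function names are assumptions.

```python
import fnmatch
import ipaddress
import re

# The ruleset exactly as posted in the message above.
RULESET = """\
From: 10.9.1.10 no
From: 10.9.1.11 no
From: 10.2. no
FromOrTo: default yes
"""


def parse_ruleset(text):
    """Return [(direction, pattern, value)] in file order, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0].rstrip(":").lower(), fields[1], fields[2].lower()))
    return rules


def pattern_network(pattern):
    """Map an IP-style pattern to a network, or None for address patterns.

    Assumption: '10.2.' covers whole octets (10.2.0.0/16), so 10.20.x.x is out.
    """
    if "/" in pattern:
        try:
            return ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return None
    octets = pattern.rstrip(".").split(".")
    if not all(re.fullmatch(r"[0-9]{1,3}", o) and int(o) <= 255 for o in octets):
        return None
    if len(octets) > 4 or (len(octets) < 4 and not pattern.endswith(".")):
        return None
    base = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (base, 8 * len(octets)))


def matches_address(pattern, address):
    """Match a domain or user@domain pattern; IP patterns never match here."""
    if pattern_network(pattern) is not None:
        return False
    glob = pattern if "@" in pattern else "*@" + pattern
    return fnmatch.fnmatchcase(address.lower(), glob.lower())


def matches_sender(pattern, client_ip, sender):
    """The From side is checked against the client IP or the sender address."""
    net = pattern_network(pattern)
    if net is not None:
        return ipaddress.ip_address(client_ip) in net
    return matches_address(pattern, sender)


def scan_decision(rules, client_ip, sender, recipient):
    """Return (value, rule_number) of the first matching rule, or (None, None)."""
    for number, (direction, pattern, value) in enumerate(rules, 1):
        if pattern.lower() == "default":
            return value, number
        frm = matches_sender(pattern, client_ip, sender)
        to = matches_address(pattern, recipient)
        hit = {"from": frm, "to": to,
               "fromorto": frm or to, "fromandto": frm and to}.get(direction, False)
        if hit:
            return value, number
    return None, None


def exempt_address_count(rules):
    """Upper bound on client IPv4 addresses whose mail is never scanned."""
    nets = [pattern_network(p) for d, p, v in rules
            if d in ("from", "fromorto") and v == "no"]
    nets = [n for n in nets if n is not None]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def audit(samples):
    """Evaluate constructed client IPs against the posted ruleset."""
    rules = parse_ruleset(RULESET)
    return [(ip, scan_decision(rules, ip, "user@example.com", "rcpt@example.net"))
            for ip in samples]


if __name__ == "__main__":
    for row in audit(["10.9.1.10", "10.9.1.12", "10.2.200.7", "10.20.0.1", "192.0.2.25"]):
        print(row)
    print(exempt_address_count(parse_ruleset(RULESET)))
```

The count makes the size of the exemption visible: the two relay hosts plus the whole `10.2.` range are the addresses whose outbound mail is passed without virus or spam checks.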
From: res at ausics.net (Res) Date: Thu Oct 19 21:46:08 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: References: Message-ID: On Thu, 19 Oct 2006, Ed Wallig wrote: > Yup, this is what is on my mind - typo-squatter (cool term by the way) > creates a "catch-all" or actual account based on what he's seeing in the > SMTP logs and starts collecting email that is not supposed to be going > to him - could be trouble. Very valid point, this is why a lot of companies register names that are other ext's of their domain, to prevent it because of low life type squatters, but access file is still the best solution so IMHO you are doing the best thing. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From mailscanner at mango.zw Thu Oct 19 21:57:20 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Thu Oct 19 21:53:07 2006 Subject: OT: How do you block servers sending oversize messages? In-Reply-To: Message-ID: On Thu, 19 Oct 2006, Scott Silva wrote: > > Jim Holland wrote: > >> This is a sendmail problem, but hope it's OK to ask here. > >> > >> MANGO has only a 64k connection to the Internet. We have a major > >> problem with ISPs (mainly Yahoo and Gmail) that don't implement the > >> SMTP SIZE extension. So when they send us a 10 MB message, for > >> example, we can't reject the message until they have sent us the whole > >> message. That is a total and serious waste of bandwidth, particularly > >> when some idiot sends us half a dozen 10 MB bmp files for example. . . . > > Ken A spake the following on 10/19/2006 8:54 AM: > > Why don't you put a box at some well fed colo somewhere else and filter > > incoming mail at that point? Given that 80% is spam anyway, you'd > > probably save quite a bit of bandwidth on your 64k frame. As long as you > > control the DNS you could switch back to your local box if you needed to. > > Ken A. > > Pacific.Net > > > If your bandwidth is real expensive, the reduction might even pay for this > colocated server,or even save some money. But if you can't find one in > Zimbabwe to your liking or budget, how difficult is it for you to get > something out of the country? This option is in fact exactly what we are looking at now, so that will solve the problem at some time in the near future. However I still find the issue very annoying in principle and just wished there was some solution I could adopt even when we get a colocated server. I don't understand why these big guys don't have more consideration. They would also save their own bandwidth, and anyone can see how poor Yahoo's bandwidth is at times. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From res at ausics.net Thu Oct 19 21:53:17 2006 
From: res at ausics.net (Res) Date: Thu Oct 19 21:53:30 2006 Subject: OT: How do you block servers sending oversize messages? In-Reply-To: References: <45379FA9.4080208@pacific.net> Message-ID: On Thu, 19 Oct 2006, Scott Silva wrote: > something out of the country? What is the point of that? You lose immediate control and if things die, you have to wait/rely on unknown 3rd parties, some of the stories I've heard are typically "it takes hours and hours to get them to get to it" and that without naming them, includes some pretty big well known hosting companies in the U.S who try sucker people from all over the world to use them, which is why we never will place hardware offshore. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From mkettler at evi-inc.com Thu Oct 19 22:07:48 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Oct 19 22:08:12 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: References: Message-ID: <4537E924.4050403@evi-inc.com> Ed Wallig wrote: > Yup, this is what is on my mind - typo-squatter (cool term by the way) Unfortunately I can't take credit for it.. it's a general industry term http://en.wikipedia.org/wiki/Typosquatting It's actually been around for quite a while too: http://www.wordspy.com/words/typosquatter.asp > creates a "catch-all" or actual account based on what he's seeing in the > SMTP logs and starts collecting email that is not supposed to be going > to him - could be trouble. I agree. Unlike Jethro, who would rather handle this after the fact by firing the responsible party, I'm more interested in prevention, and then lart the hell out of any user that winds up triggering it. After all, if some idiot leaks enough information, that could completely ruin your company. (ie: the competitor gains enough information, like a couple key trade secrets, to completely drive your company out of the market.) Firing the idiot is little consolation when he's cost everyone else in the company their jobs too. And of course what's left of your company can sue the idiot for leaking the information, but they likely don't have enough assets to cover the damages. Some mistakes are big enough you just can't make up for it by firing the person responsible. Those things you try hard to prevent. Even if it is a kludge. From mailscanner at mango.zw Thu Oct 19 22:57:27 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Thu Oct 19 22:53:09 2006 Subject: OT: How do you block servers sending oversize messages? In-Reply-To: Message-ID: On Fri, 20 Oct 2006, Res wrote: > > something out of the country? > > What is the point of that? you lose immediate control and if things die, > you have to wait/rely on unknown 3rd parties, some of the stories I've > heard are typically "it takes hours and hours to get them to get to it" > and that without nameing them, includes some pretty big well known > hosting companies in the U.S who try sucker people from all over the > world to use them, which is why we never will place hardware offshore. I agree. We will definitely do it locally, and at a place where we can get access to E1 lines for our members to dial in to (instead of our current creaky old bank of 6 US Robotics modems). 24/7 backup and physical access is essential, and we also plan to move to a real server for the first time instead of the desktop clones we have always used. All this has to be financed from our current subs of 10 cents US equivalent per user per month - time for a modest increase I would say! Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From ssilva at sgvwater.com Thu Oct 19 23:59:28 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 19 23:59:40 2006 Subject: OT: How do you block servers sending oversize messages? In-Reply-To: References: <45379FA9.4080208@pacific.net> Message-ID: Res spake the following on 10/19/2006 1:53 PM: > On Thu, 19 Oct 2006, Scott Silva wrote: > >> something out of the country? > > What is the point of that? you lose immediate control and if things die, > you have to wait/rely on unknown 3rd parties, some of the stories I've > heard are typically "it takes hours and hours to get them to get to it" > and that without nameing them, includes some pretty big well known > hosting companies in the U.S who try sucker people from all over the > world to use them, which is why we never will place hardware offshore. > You are right. There is nothing like being able to drive to a colo and reset your own server. I just remember Jim's comments from previous posts about dealing with the communications carriers. And you don't have to go offshore to have colocation outside of Zimbabwe. There is Botswana, Zambia, Mozambique, and South Africa. I was just giving options for him and his users. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From res at ausics.net Fri Oct 20 00:05:14 2006 
From: res at ausics.net (Res) Date: Fri Oct 20 00:05:27 2006 Subject: OT: How do you block servers sending oversize messages? In-Reply-To: References: Message-ID: On Thu, 19 Oct 2006, Jim Holland wrote: > On Fri, 20 Oct 2006, Res wrote: > >>> something out of the country? >> >> What is the point of that? you lose immediate control and if things die, >> you have to wait/rely on unknown 3rd parties, some of the stories I've >> heard are typically "it takes hours and hours to get them to get to it" >> and that without nameing them, includes some pretty big well known >> hosting companies in the U.S who try sucker people from all over the >> world to use them, which is why we never will place hardware offshore. > > I agree. We will definitely do it locally, and at a place where we can > get access to E1 lines for our members to dial in to (instead of our > current creaky old bank of 6 US Robotics modems). 24/7 backup and Might be a good idea if finances permit. > physical access is essential, and we also plan to move to a real server > for the first time instead of the desktop clones we have always used. > All this has to be financed from our current subs of 10 cents US > equivalent per user per month - time for a modest increase I would say! 10c? I'll say it's time for an increase :) It's fine if its just running cost recovery, but that does become a problem if something dies compeltely thats worth a few K. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From ssilva at sgvwater.com Fri Oct 20 00:34:51 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Oct 20 00:35:24 2006 Subject: OT: How do you block servers sending oversize messages? In-Reply-To: References: Message-ID: Res spake the following on 10/19/2006 4:05 PM: > On Thu, 19 Oct 2006, Jim Holland wrote: > >> On Fri, 20 Oct 2006, Res wrote: >> >>>> something out of the country? >>> >>> What is the point of that? you lose immediate control and if things die, >>> you have to wait/rely on unknown 3rd parties, some of the stories I've >>> heard are typically "it takes hours and hours to get them to get to it" >>> and that without naming them, includes some pretty big well known >>> hosting companies in the U.S who try sucker people from all over the >>> world to use them, which is why we never will place hardware offshore. >> >> I agree. We will definitely do it locally, and at a place where we can >> get access to E1 lines for our members to dial in to (instead of our >> current creaky old bank of 6 US Robotics modems). 24/7 backup and > > Might be a good idea if finances permit. > >> physical access is essential, and we also plan to move to a real server >> for the first time instead of the desktop clones we have always used. >> All this has to be financed from our current subs of 10 cents US >> equivalent per user per month - time for a modest increase I would say! > > 10c? I'll say it's time for an increase :) > It's fine if it's just running cost recovery, but that does become a > problem if something dies completely that's worth a few K. > His users probably cannot afford a large increase. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From chandler at chapman.edu Fri Oct 20 01:43:01 2006
From: chandler at chapman.edu (Jay Chandler) Date: Fri Oct 20 01:43:12 2006 Subject: Per-User Whitelisting possible? Message-ID: <78D3082E-2B1F-4682-A962-CFB1A0BFEF03@chapman.edu> If this is the wrong place to ask this, I apologize in advance. Right now, I'm running an older version of SpamAssassin, with user_prefs in each user's .spamassassin folder. Is there any way to migrate this to MailScanner and still use per-user whitelisting (and ideally other settings), or do I have to run SA as a separate program? -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. From mrm at medicine.wisc.edu Fri Oct 20 04:32:30 2006
From: mrm at medicine.wisc.edu (Michael Masse) Date: Fri Oct 20 04:33:00 2006 Subject: Per-User Whitelisting possible? In-Reply-To: <78D3082E-2B1F-4682-A962-CFB1A0BFEF03@chapman.edu> References: <78D3082E-2B1F-4682-A962-CFB1A0BFEF03@chapman.edu> Message-ID: <4537FCFE.7FBE.00FC.3@medicine.wisc.edu> I don't know of anything readily available offhand, but it should be fairly trivial to write a script that could recursively grep through everyone's .spamassassin/user_prefs file to snatch out all of the whitelist entries that could then be inserted into Mailscanner's spam.whitelist.rules file. Mike >>> On 10/19/2006 at 7:43 PM, in message <78D3082E-2B1F-4682-A962-CFB1A0BFEF03@chapman.edu>, Jay Chandler wrote: > If this is the wrong place to ask this, I apologize in advance. > > Right now, I'm running an older version of SpamAssassin, with > user_prefs in each user's .spamassassin folder. > > Is there any way to migrate this to MailScanner and still use per- > user whitelisting (and ideally other settings), or do I have to run > SA as a separate program? From derek at adcatanzaro.com Fri Oct 20 05:44:33 2006 
From: derek at adcatanzaro.com (Derek Catanzaro) Date: Fri Oct 20 05:45:10 2006 Subject: OT: Reject non local users with sendmail, help Message-ID: <45385431.6070704@adcatanzaro.com> Does anyone out there have a working Reject non local users setup using sendmail? I have pulled all the recipient names via LDAP and cannot find what I need to do next. Basically, I want to only allow mail to the users I have listed in my relay_recipients file. There are plenty of posts on this for postfix and other MTA's but I need this to work with sendmail. I really need to limit the load my servers are seeing right now because it has been causing a small backup for the past week from time to time. If I have to go through another day switching back and forth from my primary and secondary mailscanner servers issuing a "service MailScanner stop" then startout, then check_MailScanner (did this for several hours today) I'm gonna go nuts. If anyone can provide any help on this I would greatly appreciate it. An example of what you did in the /etc/mail/access file or an example of what you had to put in your /etc/mail/sendmail.mc would be great. Also if the relay_recipients file should contain anything other than "jdoe@domain.com OK" that would be good to know as well. Thanks for the help. MailScanner 4.49.7 sendmail 8.13.5 Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From res at ausics.net Fri Oct 20 06:47:56 2006 
From: res at ausics.net (Res)
Date: Fri Oct 20 06:48:05 2006
Subject: OT: Reject non local users with sendmail, help
In-Reply-To: <45385431.6070704@adcatanzaro.com>
References: <45385431.6070704@adcatanzaro.com>
Message-ID:

Hi,

On Fri, 20 Oct 2006, Derek Catanzaro wrote:

> Does anyone out there have a working Reject non local users setup using
> sendmail? I have pulled all the recipient names via LDAP and cannot find

Sendmail does this by default, if it's not told to relay for X then it won't.

The first lines of your access file should be to relay for YOU and YOUR ip's, if that file does not exist it won't matter, it just won't relay.

make sure your local-host-names file is OK.

> If anyone can provide any help on this I would greatly appreciate it. An
> example of what you did in the /etc/mail/access file or an example of what

An example of one of my boxes is:

localhost.localdomain   RELAY
localhost               RELAY
ausics.net              RELAY
124.148.3               RELAY
GreetPause:127.0.0.1    0
GreetPause:ausics.net   0
GreetPause:124.148.3    0

...after those lines I have other hosts I relay for and a bucket load of rejected domains :)

oh and local-host-names file contains each domain I relay for, one each line....

I don't use LDAP but my sendmail.mc file is available offlist if you want it.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From glenn.steen at gmail.com Fri Oct 20 09:20:40 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Oct 20 09:20:43 2006 Subject: Per-User Whitelisting possible? In-Reply-To: <4537FCFE.7FBE.00FC.3@medicine.wisc.edu> References: <78D3082E-2B1F-4682-A962-CFB1A0BFEF03@chapman.edu> <4537FCFE.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <223f97700610200120m55642c82tdafc21be615b08fa@mail.gmail.com> On 20/10/06, Michael Masse wrote: > I don't know of anything readily available offhand, but it should be > fairly trivial to write a script that could recursively grep through > everyone's .spamassassin/user_prefs file to snatch out all of the > whitelist entries that could then be inserted into Mailscanner's > spam.whitelist.rules file. > > Mike Remember to split mails/recipient if you go this way. First match would otherwise apply to all... > >>> On 10/19/2006 at 7:43 PM, in message > <78D3082E-2B1F-4682-A962-CFB1A0BFEF03@chapman.edu>, Jay Chandler > wrote: > > If this is the wrong place to ask this, I apologize in advance. > > > > Right now, I'm running an older version of SpamAssassin, with > > user_prefs in each user's .spamassassin folder. > > > > Is there any way to migrate this to MailScanner and still use per- > > user whitelisting (and ideally other settings), or do I have to run > > > SA as a separate program? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Oct 20 09:28:57 2006
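The script Michael Masse describes, written so that each entry applies only to the user who owned it (the concern Glenn Steen raises), as an added example that is not code from the thread. It assumes home directories named after the mailbox user, a single mail domain, and MailScanner's `From: ... and To: ... yes` ruleset form, which should be checked against the ruleset documentation of the installed version; the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example: convert per-user SpamAssassin whitelist_from entries into
# per-recipient MailScanner ruleset lines (assumed "From: X and To: Y yes" form).

# prefs_to_rules RECIPIENT PREFS_FILE
# Prints one ruleset line per acceptable whitelist_from pattern in PREFS_FILE.
prefs_to_rules() {
    awk -v rcpt="$1" '
        { sub(/\r$/, ""); sub(/#.*$/, "") }        # strip CR and comments
        tolower($1) != "whitelist_from" { next }   # ignore every other setting
        {
            for (i = 2; i <= NF; i++) {
                pat = tolower($i)
                n = split(pat, p, "@")
                # Skip patterns that are not addresses or that would exempt
                # every sender: missing local part, wildcard-only domain, or
                # "?" (assumed not to be supported by the target ruleset).
                if (n != 2 || p[1] == "" || p[2] ~ /^[*.]*$/ || pat ~ /\?/) {
                    printf "%s: skipped %s\n", rcpt, $i > "/dev/stderr"
                    continue
                }
                if (!(pat in seen)) {
                    seen[pat] = 1
                    printf "From:\t%s\tand\tTo:\t%s\tyes\n", pat, rcpt
                }
            }
        }' "$2"
}

# migrate_whitelists HOME_ROOT DOMAIN
# Walks HOME_ROOT/<user>/.spamassassin/user_prefs and prints the whole ruleset,
# ending with the default "not whitelisted" line.
migrate_whitelists() {
    for prefs in "$1"/*/.spamassassin/user_prefs; do
        [ -f "$prefs" ] || continue
        user=${prefs#"$1"/}
        user=${user%%/*}
        prefs_to_rules "$user@$2" "$prefs"
    done
    printf 'FromOrTo:\tdefault\tno\n'
}

# demo_whitelist: runs the conversion on constructed sample data.
demo_whitelist() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/alice/.spamassassin" "$root/bob/.spamassassin"
    cat > "$root/alice/.spamassassin/user_prefs" <<'EOF'
# constructed sample
required_score 5
whitelist_from boss@partner.example *@lists.example.org
whitelist_from *@*
EOF
    cat > "$root/bob/.spamassassin/user_prefs" <<'EOF'
whitelist_from Boss@Partner.example   # same sender, different user
blacklist_from spammer@bad.example
EOF
    migrate_whitelists "$root" example.com
    status=$?
    rm -rf "$root"
    return $status
}
```

As Glenn notes, the `To:` half of each rule only separates users if messages are split per recipient; otherwise the first match applies to all recipients of a message.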
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 20 09:29:01 2006
Subject: OT: Reject non local users with sendmail, help
In-Reply-To:
References: <45385431.6070704@adcatanzaro.com>
Message-ID: <223f97700610200128v32c7b319q22597f40b3fa7352@mail.gmail.com>

On 20/10/06, Res wrote:
> Hi,
>
> On Fri, 20 Oct 2006, Derek Catanzaro wrote:
>
> > Does anyone out there have a working Reject non local users setup using
> > sendmail? I have pulled all the recipient names via LDAP and cannot find
>
> Sendmail does this by default, if it's not told to relay for X then it
> won't.
>
> The first lines of your access file should be to relay for YOU and YOUR
> ip's, if that file does not exist it won't matter, it just won't relay.
>
> make sure your local-host-names file is OK.
>
> > If anyone can provide any help on this I would greatly appreciate it. An
> > example of what you did in the /etc/mail/access file or an example of what
>
> An example of one of my boxes is:
>
> localhost.localdomain RELAY
> localhost RELAY
> ausics.net RELAY
> 124.148.3 RELAY
> GreetPause:127.0.0.1 0
> GreetPause:ausics.net 0
> GreetPause:124.148.3 0
>
>
> ...after those lines I have other hosts I relay for and a bucket load of
> rejected domains :)
>
> oh and local-host-names file contains each domain I relay for, one each
> line....
>
> I don't use LDAP but my sendmail.mc file is available offlist if you want
> it.
>

I'm not going to contradict you in any way Res, far from it. For local addresses, that is very plausible (AFAICS:-).

What Derek has though (if memory serves me) is a need to relay to/from his M-Sexchange servers (AD, hence LDAP)... I might be remembering this wrong, but it is something like that. So the term "local" is very relative:-).

I'm sure someone will know the exact syntax for this, but I think he needs a generic "don't accept domain foo" and specific "do accept user@foo"... I don't remember the syntax for that though:-). Sendmail gurus around should know though:-):-).
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From P.G.M.Peters at utwente.nl Fri Oct 20 10:19:46 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Oct 20 10:19:53 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: References: Message-ID: <453894B2.1010000@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hakon@symfoni.no wrote on 18-10-2006 14:16: > There is always Lotus Domino. Not free, but very nice :-) We did an investigation into Exchange, Lotus and Oracle Collaboration Suite. These three were chosen because we had the experience with all three systems in one way or another. OCS came out best. Lotus was second and Exchange came last. We had some errors in the investigation corrected (by Microsoft) and Exchange came in second. Of course management decided to go for Exchange. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFOJSyelLo80lrIdIRAmBEAJwMVPyXyrTMcLRTkjQRO9LzqWrBGgCfdjua Qn9OXY9oSeAyKFSzaL8PgdA= =+8PP -----END PGP SIGNATURE----- From drew at technologytiger.net Fri Oct 20 11:12:17 2006
From: drew at technologytiger.net (Drew Marshall) Date: Fri Oct 20 11:12:32 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <453894B2.1010000@utwente.nl> References: <453894B2.1010000@utwente.nl> Message-ID: <64891.194.70.180.170.1161339137.squirrel@www.technologytiger.net> On Fri, October 20, 2006 10:19, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > hakon@symfoni.no wrote on 18-10-2006 14:16: > >> There is always Lotus Domino. Not free, but very nice :-) > > We did an investigation into Exchange, Lotus and Oracle Collaboration > Suite. These three were chosen because we had the experience with all > three systems in one way or another. > > OCS came out best. Lotus was second and Exchange came last. We had some > errors in the investigation corrected (by Microsoft) and Exchange came > in second. Are you able to give me any more detail/ information regarding your investigations? > > Of course management decided to go for Exchange. Isn't that why you did the investigation, so they could just pick what they wanted in the first place? :-) Drew From mailscanner at mango.zw Fri Oct 20 11:41:25 2006
From: mailscanner at mango.zw (Jim Holland) Date: Fri Oct 20 11:37:08 2006 Subject: OT: Reject non local users with sendmail, help In-Reply-To: <45385431.6070704@adcatanzaro.com> Message-ID: On Fri, 20 Oct 2006, Derek Catanzaro wrote: > Does anyone out there have a working Reject non local users setup using > sendmail? I have pulled all the recipient names via LDAP and cannot > find what I need to do next. Basically, I want to only allow mail to > the users I have listed in my relay_recipients file. There are plenty > of posts on this for postfix and other MTA's but I need this to work > with sendmail. I really need to limit the load my servers are seeing > right now because it has been causing a small backup for the past week > from time to time. If I have to go through another day switching back > and forth from my primary and secondary mailscanner servers issuing a > "service MailScanner stop" then startout, then check_MailScanner (did > this for several hours today) I'm gonna go nuts. > > If anyone can provide any help on this I would greatly appreciate it. > An example of what you did in the /etc/mail/access file or an example of > what you had to put in your /etc/mail/sendmail.mc would be great. Also > if the relay_recipients file should contain anything other than > "jdoe@domain.com OK" that would be good to know as well. Thanks for the > help. > MailScanner 4.49.7 > sendmail 8.13.5 Assuming that you are talking of a gateway machine that is feeding mail to an internal server, then that is exactly what I have here. My approach is to use smf-sav for recipient address verification - a kind of poor man's LDAP. 
All I need in principle for our main domain are the following entries on the gateway (mail.mango.zw) that is feeding mail to the internal server fido.mango.zw on a private IP address:

access:

# fido.mango.zw
Connect:192.168.10.1    RELAY
To:mango.zw             RELAY

mailertable:

mango.zw                esmtp:[fido.mango.zw]

hosts:

192.168.10.1            fido.mango.zw

In addition I run smf-sav:

http://smfs.sourceforge.net/smf-sav.html

sendmail.mc:

dnl smf-sav support
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl
INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock, T=S:30s;R:4m')dnl

You must have milter support compiled into your sendmail - I would recommend upgrading to 8.13.8 anyway.

When an incoming connection with mail for user@mango.zw is received, it is intercepted by the smf-sav milter which then queries fido.mango.zw and accepts or rejects the message accordingly. If the link is down or the milter crashes (which hasn't happened to me) then a message is accepted by default, so it is failsafe.

I found it rather difficult to get to the above because I had to undo what was previously a rather complex system using files mailed from one server to the other and scripts to auto-generate a virtusertable file, and because I had a number of other domains all being handled in different ways and had to make sure that nothing broke in the changeover. But if you were to start from scratch it could hardly be simpler.

I presume that this arrangement would work just as well if the internal server was an Exchange server - as long as it rejected mail to invalid recipients.

Is this what you are looking for?

Regards

Jim Holland
--
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From glenn.steen at gmail.com Fri Oct 20 12:07:09 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Oct 20 12:07:11 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <64891.194.70.180.170.1161339137.squirrel@www.technologytiger.net> References: <453894B2.1010000@utwente.nl> <64891.194.70.180.170.1161339137.squirrel@www.technologytiger.net> Message-ID: <223f97700610200407g60311306ne4e6aac7ea7283e8@mail.gmail.com> On 20/10/06, Drew Marshall wrote: > On Fri, October 20, 2006 10:19, Peter Peters wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > hakon@symfoni.no wrote on 18-10-2006 14:16: > > > >> There is always Lotus Domino. Not free, but very nice :-) > > > > We did an investigation into Exchange, Lotus and Oracle Collaboration > > Suite. These three were chosen because we had the experience with all > > three systems in one way or another. > > > > OCS came out best. Lotus was second and Exchange came last. We had some > > errors in the investigation corrected (by Microsoft) and Exchange came > > in second. > > Are you able to give me any more detail/ information regarding your > investigations? I too am very interested in whatever detail you may give. I may have lost the same (more or less) battle, but that's no reason to give up the war entirely:-). > > > > Of course management decided to go for Exchange. > > Isn't that why you did the investigation, so they could just pick what > they wanted in the first place? :-) You mean the entries in the usual budget for poor management/planning? Or the ones labelled "My friend who I trust, who is a car salesman, knows these things better than my highly specialised workforce"? Unfortunately, there is no smiley to go with that...:-( -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Oct 20 12:12:28 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Oct 20 12:12:33 2006 Subject: OT: Reject non local users with sendmail, help In-Reply-To: References: <45385431.6070704@adcatanzaro.com> Message-ID: <223f97700610200412h345a827dr44369d36014ec8a6@mail.gmail.com> On 20/10/06, Jim Holland wrote: (snip) > > I presume that this arrangement would work just as well if the internal > server was an Exchange server - as long as it rejected mail to invalid > recipients. Older M-Sexchange don't seem to know how. In which case one would have to look to more manual/scripted methods, unfortunately. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at mango.zw Fri Oct 20 12:21:07 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Fri Oct 20 12:16:46 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <223f97700610200407g60311306ne4e6aac7ea7283e8@mail.gmail.com> Message-ID: > > > hakon@symfoni.no wrote on 18-10-2006 14:16: > > > > > >> There is always Lotus Domino. Not free, but very nice :-) > > > > > > We did an investigation into Exchange, Lotus and Oracle Collaboration > > > Suite. These three were chosen because we had the experience with all > > > three systems in one way or another. > > > > > > OCS came out best. Lotus was second and Exchange came last. We had some > > > errors in the investigation corrected (by Microsoft) and Exchange came > > > in second. Having used Lotus Notes, I would say that it is a very clever piece of software, especially with regards to replication of databases. However the one problem is that it has such an appalling piece of client software for mail that I would never recommend it to anyone. It was just broken in so many ways - folders that could be created but not deleted, moving mail to folders in some situations would delete the mail, problems with editing an original message when copied into a reply, and so on. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From G.Pentland at soton.ac.uk Fri Oct 20 13:02:42 2006 
From: G.Pentland at soton.ac.uk (Pentland G.)
Date: Fri Oct 20 13:02:55 2006
Subject: OT: Reject non local users with sendmail, help
Message-ID: <71437982F5B13A4D9A5B2669BDB89EE40765C632@ISS-CL-EX-V1.soton.ac.uk>

I use the following code, with /etc/mail/usermap as a hash map generated every 10 minutes.

Gary

LOCAL_CONFIG
# Usermap - for my code later
Kusermap hash -T /etc/mail/usermap

LOCAL_RULE_0
SLocal_check_rcpt
R$*	$: $>3 $1
R$* < @ $=w . > $*	$@ $>user_unknown $1	# Is in @ class=w do passwd lookup

Suser_unknown
R$*	$: $>3 $1
R$* <@ $+ > $*	$: $1	# Discard host part of address
R$+	$: $(isalias $1 $: $1 $)	# call isalias for stuff with a . in
R$+ @ $*	$: $>check_rcpt $1 @ $2 .	# If isalias returns a full email address, jump through loop again
RRELAY	$#RELAY
R$+	$: $(usermap $1 $: notfound $)	# call passwd lookup for what's left
Rnotfound	$#error $@ 5.1.3 $: "User does not exist at this site"

From derek at adcatanzaro.com Fri Oct 20 13:13:43 2006
From: derek at adcatanzaro.com (Derek Catanzaro) Date: Fri Oct 20 13:14:07 2006 Subject: OT: Reject non local users with sendmail, help In-Reply-To: References: <45385431.6070704@adcatanzaro.com> Message-ID: <4538BD77.4010207@adcatanzaro.com> Res wrote: > Hi, > > On Fri, 20 Oct 2006, Derek Catanzaro wrote: > >> Does anyone out there have a working Reject non local users setup >> using sendmail? I have pulled all the recipient names via LDAP and >> cannot find > > Sendmail does this by default, if it's not told to relay for X then it > won't. > > The first lines of your access file should be to relay for YOU and > YOUR ip's, if that file does not exist it won't matter, it just won't > relay. > > make sure your local-host-names file is OK. Correct, sendmail will not relay for a domain that you do not allow and this is working for me. The subject line of this message is incorrect, it should have read "RELAY" not reject. My MailScanner/sendmail servers relay to an internal Lotus Domino server. I have compiled a list of addresses that I want sendmail to relay to and if the address is not listed I do not want sendmail to accept it. Right now it accepts any address that is sent to mydomain.com, hence the extra load. MailScanner is having to process a bunch of messages that are going to non existent users in mydomain.com. I have the list of recipients that I need to relay for I just need to know how to tell sendmail to only relay to these users and drop the rest. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jethro.binks at strath.ac.uk Fri Oct 20 13:21:19 2006
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri Oct 20 13:21:22 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <4537E924.4050403@evi-inc.com> References: <4537E924.4050403@evi-inc.com> Message-ID: <20061020132010.P1053@defjam.cc.strath.ac.uk> On Thu, 19 Oct 2006, Matt Kettler wrote: > I agree. Unlike Jethro, who would rather handle this after the fact by firing > the responsible party For the record, I didn't say I would do that. I'm not in that position. I merely suggested that is what could happen in places who are worried about this sort of thing (I'm not). Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From mailscanner at mango.zw Fri Oct 20 13:55:04 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Fri Oct 20 13:50:46 2006
Subject: OT: Reject non local users with sendmail, help
In-Reply-To: <4538BD77.4010207@adcatanzaro.com>
Message-ID:

On Fri, 20 Oct 2006, Derek Catanzaro wrote:

> Correct, sendmail will not relay for a domain that you do not allow and
> this is working for me. The subject line of this message is incorrect,
> it should have read "RELAY" not reject. My MailScanner/sendmail servers
> relay to an internal Lotus Domino server. I have compiled a list of
> addresses that I want sendmail to relay to and if the address is not
> listed I do not want sendmail to accept it. Right now it accepts any
> address that is sent to mydomain.com, hence the extra load.
> MailScanner is having to process a bunch of messages that are going to
> non existent users in mydomain.com.
>
> I have the list of recipients that I need to relay for I just need to
> know how to tell sendmail to only relay to these users and drop the
> rest.

In the access file:

To:user1@example.com    RELAY
To:user2@example.com    RELAY
To:user3@example.com    RELAY
To:example.com          ERROR:5.1.1:550 No such user

Keep your base access file in a separate location, and then generate the above entries with a script, combine it with your base access file and then run "make".

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From edwardbruce at sbcglobal.net Fri Oct 20 15:41:45 2006
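One way to script the step Jim Holland describes above (per-recipient `To:` entries plus the domain catch-all, merged with a base file), as an added example that is not from the thread. The function names and the `access.base` file name are assumptions and the sample data is constructed; the script refuses to write anything when the recipient export yields no valid address, because the catch-all line would then reject all mail for the domain.

```shell
#!/bin/sh
# Added example: build a sendmail access file from a base file plus a
# recipient list, using the To:/RELAY/ERROR layout quoted in the message.

# build_access BASE RECIPIENTS DOMAIN
# Prints the combined access file on stdout. Returns 1 and prints nothing if
# the list holds no valid recipient (for instance after a failed LDAP export).
build_access() {
    base=$1 rcpts=$2 domain=$3
    entries=$(awk -v dom="$domain" '
        { sub(/\r$/, "") }                  # tolerate CRLF exports
        /^[ \t]*#/ { next }                 # comments
        NF == 0    { next }                 # blank lines
        {
            addr = tolower($1)              # first field only: drops a trailing "OK"
            n = split(addr, part, "@")
            # Only addresses in DOMAIN may become RELAY entries; anything
            # else would widen relaying beyond the intended domain.
            if (n != 2 || part[1] == "" || part[2] != tolower(dom)) {
                printf "skipping %s\n", $1 > "/dev/stderr"
                next
            }
            if (!(addr in seen)) { seen[addr] = 1; printf "To:%s\tRELAY\n", addr }
        }' "$rcpts" | sort)
    [ -n "$entries" ] || return 1
    cat "$base"
    printf '%s\n' "$entries"
    printf 'To:%s\tERROR:5.1.1:550 No such user\n' "$domain"
}

# install_access BASE RECIPIENTS DOMAIN TARGET
# Writes to a temporary file next to TARGET and renames it into place, so a
# failed run never leaves a half-written or catch-all-only access file.
install_access() {
    tmp=$(mktemp "$4.XXXXXX") || return 1
    if build_access "$1" "$2" "$3" > "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$4"
    else
        rm -f "$tmp"
        echo "no valid recipients for $3; leaving $4 untouched" >&2
        return 1
    fi
}

# demo_access: runs build_access on constructed sample data.
demo_access() {
    dir=$(mktemp -d) || return 1
    printf 'Connect:192.168.10.1\tRELAY\n' > "$dir/access.base"
    cat > "$dir/relay_recipients" <<'EOF'
# exported from LDAP (constructed sample)
jdoe@example.com OK
JDoe@Example.com
asmith@example.com

someone@other.example
not-an-address
EOF
    build_access "$dir/access.base" "$dir/relay_recipients" example.com
    status=$?
    rm -rf "$dir"
    return $status
}
```

After `install_access` succeeds, rebuild the map as Jim describes by running make in /etc/mail.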
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Fri Oct 20 15:41:51 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <453894B2.1010000@utwente.nl> References: <453894B2.1010000@utwente.nl> Message-ID: <4538E029.1000301@sbcglobal.net> Peter Peters wrote: > hakon@symfoni.no wrote on 18-10-2006 14:16: > > > There is always Lotus Domino. Not free, but very nice :-) > > We did an investigation into Exchange, Lotus and Oracle Collaboration > Suite. These three were chosen because we had the experience with all > three systems in one way or another. > > OCS came out best. Lotus was second and Exchange came last. We had some > errors in the investigation corrected (by Microsoft) and Exchange came > in second. > > Of course management decided to go for Exchange. > OCS sounds good, but it was my nightmare for two years. We finally gave up trying to continually work around all of its failings. The last straw was when we finally started to implement BlackBerry support and Oracle said we would have to install an Exchange Server??? Our CIO told Oracle to go do something anatomically impossible. We decided since we had to install Exchange to get BB support why not just switch over completely. We had been using MS for about a year, which made switching over to Exchange a breeze. We took maybe 2 weeks to prepare and then switched over the weekend and have been running Exchange for just over a year now. From richard.thomas at psysolutions.com Fri Oct 20 15:58:40 2006
From: richard.thomas at psysolutions.com (Richard Thomas) Date: Fri Oct 20 16:00:01 2006 Subject: Outlook "blocked: " insertions Message-ID: <4538E420.5000509@psysolutions.com> Outlook appears to be prepending "blocked:" to some URLs. This makes the MailScanner detect that the URL is not the same as the listed URL and it generates warnings in the emails. Now, in my book that's fine and makes sense. However, it generates support calls which is not so fine. Just wondering how others out there are dealing with this... Thanks Rich From kwang at ucalgary.ca Fri Oct 20 18:31:03 2006 
From: kwang at ucalgary.ca (Kai Wang)
Date: Fri Oct 20 18:31:08 2006
Subject: How does MailScanner docide which spamassassin rules dir to use
Message-ID: <453907D7.60503@ucalgary.ca>

I run MailScanner 4.55.10-3 and spamassassin 3.1.5-1. I enabled sa-update. But I found MailScanner still uses "/usr/share/spamassassin", NOT "/var/lib/spamassassin/3.001005/", for default spamassassin rules dir. What should I change to let it use /var/lib/spamassassin/3.001005/?

SpamAssassin Auto Whitelist = no
SpamAssassin Timeout = 75
SpamAssassin Timeouts History = 30
SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
SpamAssassin User State Dir =
SpamAssassin Install Prefix =
SpamAssassin Site Rules Dir = /etc/mail/spamassassin
SpamAssassin Local Rules Dir =
SpamAssassin Local State Dir = /var/lib
SpamAssassin Default Rules Dir =
SpamAssassin Cache Timings = 1800,300,10800,172800,600

$ ls -l /etc/mail/spamassassin
total 28
-rw-r--r-- 1 root root  948 Sep 26 10:33 init.pre
-rw-r--r-- 1 root root 1208 Sep 26 10:33 local.cf
lrwxrwxrwx 1 root root   41 Sep 25 10:59 mailscanner.cf -> /etc/MailScanner/spam.assassin.prefs.conf
drwx------ 2 root root 4096 Oct 19 14:02 sa-update-keys
-rw-r--r-- 1 root root 2179 Sep 26 10:23 v310.pre
-rw-r--r-- 1 root root 2179 Sep 26 10:33 v310.pre.rpmnew
-rw-r--r-- 1 root root  806 Sep 26 10:23 v312.pre
-rw-r--r-- 1 root root  806 Sep 26 10:33 v312.pre.rpmnew

Thanks

--
Kai Wang
System Services
Information Technologies, University of Calgary,
2500 University Drive, N.W., Calgary, Alberta, Canada T2N 1N4
Phone (403) 220-2423, Fax (403) 282-9361

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From max at assuredata.com Fri Oct 20 18:41:44 2006
From: max at assuredata.com (Max Kipness) Date: Fri Oct 20 18:41:50 2006 Subject: Headers in Public Folder Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B044CD3@addc01.assuredata.local> Hello - I'm trying to figure out what is happening with the spam I have in Exchange 2003 public folders. I've got quite a bit of spam in public folders, and when I right-click on any of them, and select OPTIONS, it seems to show all the original headers as normal, including the MailScanner headers, scoring, etc. I also have an IMAP account setup on my Outlook 2003 client. When I copy/move these messages to my Spam folder on this IMAP account, then look at the mbox file on the Fedora server it resides on, most of the headers are gone. Now in previous discussions I've read that Exchange PF removes the headers, but here it sounds like IMAP is doing it, since the headers are visible and look fine from the PF. Is this going to affect sa-learn dramatically? When I use spamassassin to run a test on the mbox messages, the SA score is dramatically different obviously because of the loss of headers. Is there any way to fix this? Thanks, Max From glenn.steen at gmail.com Fri Oct 20 18:53:34 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 20 18:53:37 2006
Subject: How does MailScanner docide which spamassassin rules dir to use
In-Reply-To: <453907D7.60503@ucalgary.ca>
References: <453907D7.60503@ucalgary.ca>
Message-ID: <223f97700610201053p160ede0em8938b77c690714aa@mail.gmail.com>

On 20/10/06, Kai Wang wrote:
>
> I run MailScanner 4.55.10-3 and spamassassin 3.1.5-1. I enabled
> sa-update. But I found MailScanner still uses "/usr/share/spamassassin",
> NOT "/var/lib/spamassassin/3.001005/", for default spamassassin rules
> dir. What should I change to let it use /var/lib/spamassassin/3.001005/?
>
> SpamAssassin Auto Whitelist = no
> SpamAssassin Timeout = 75
> SpamAssassin Timeouts History = 30
> SpamAssassin Cache Database File =
> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> SpamAssassin User State Dir =
> SpamAssassin Install Prefix =
> SpamAssassin Site Rules Dir = /etc/mail/spamassassin
> SpamAssassin Local Rules Dir =
> SpamAssassin Local State Dir = /var/lib
> SpamAssassin Default Rules Dir =
> SpamAssassin Cache Timings = 1800,300,10800,172800,600
>
> $ ls -l /etc/mail/spamassassin
> total 28
> -rw-r--r-- 1 root root 948 Sep 26 10:33 init.pre
> -rw-r--r-- 1 root root 1208 Sep 26 10:33 local.cf
> lrwxrwxrwx 1 root root 41 Sep 25 10:59 mailscanner.cf ->
> /etc/MailScanner/spam.assassin.prefs.conf
> drwx------ 2 root root 4096 Oct 19 14:02 sa-update-keys
> -rw-r--r-- 1 root root 2179 Sep 26 10:23 v310.pre
> -rw-r--r-- 1 root root 2179 Sep 26 10:33 v310.pre.rpmnew
> -rw-r--r-- 1 root root 806 Sep 26 10:23 v312.pre
> -rw-r--r-- 1 root root 806 Sep 26 10:33 v312.pre.rpmnew
>
> Thanks
>

Did sa-update succeed? Do you have all the rules "moved and updated" to the /var/lib/spamassassin/ directory?
Are you sure you are running version 3.1.5? No duplicate SA install?
Can the user you run your MTA as (and thus MailScanner ... and SA) read the files in /var/lib/spamassassin/?
Short answer "it should work" isn't much help, but perhaps you can find a bit more info from the above questions:-). As a stopgap thing you could set the Default Rules Dir option, but it's probably better to try deduce why it isn't working as intended;-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Oct 20 19:02:38 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 20 19:02:41 2006
Subject: Headers in Public Folder
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B044CD3@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B044CD3@addc01.assuredata.local>
Message-ID: <223f97700610201102n5a459543gd1b8e9bc7080c5c0@mail.gmail.com>

On 20/10/06, Max Kipness wrote:
> Hello -
>
> I'm trying to figure out what is happening with the spam I have in
> Exchange 2003 public folders.
>
> I've got quite a bit of spam in public folders, and when I right-click
> on any of them, and select OPTIONS, it seems to show all the original
> headers as normal, including the MailScanner headers, scoring, etc.
>
> I also have an IMAP account set up on my Outlook 2003 client. When I
> copy/move these messages to my Spam folder on this IMAP account, then
> look at the mbox file on the Fedora server it resides on, most of the
> headers are gone.
>
> Now in previous discussions I've read that Exchange PF removes the
> headers, but here it sounds like IMAP is doing it, since the headers are
> visible and look fine from the PF.

IIRC this happens when you "move" the message from the PF store to the
"equivalent" imap store (all inside the same DB, so it shouldn't
really be anything but setting/changing a few attributes)... Trust M$
to bork that completely:). Why they insist on making useless
"almost-working swiss army knives" for every useless piece of SW....
Sigh.

> Is this going to affect sa-learn dramatically?
>
> When I use spamassassin to run a test on the mbox messages, the SA
> score is dramatically different obviously because of the loss of
> headers.
>
> Is there any way to fix this?

Apart from ditching it?:-)... Not that I know:-D
Then again, that's kind of a reflex answer on my part.... I'd probably
have to ask around with our M-Sexchange server "gurus" come monday, to
be sure:).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jase at sensis.com Fri Oct 20 19:08:44 2006
From: jase at sensis.com (Desai, Jason)
Date: Fri Oct 20 19:09:03 2006
Subject: Headers in Public Folder
Message-ID: <1951DC816E1A9F469307B05FA183F4385FF29C@corpatsmail1.corp.sensis.com>

> Hello -
>
> I'm trying to figure out what is happening with the spam I have in
> Exchange 2003 public folders.
>
> I've got quite a bit of spam in public folders, and when I right-click
> on any of them, and select OPTIONS, it seems to show all the original
> headers as normal, including the MailScanner headers, scoring, etc.
>
> I also have an IMAP account set up on my Outlook 2003 client. When I
> copy/move these messages to my Spam folder on this IMAP account, then
> look at the mbox file on the Fedora server it resides on, most of the
> headers are gone.
>
> Now in previous discussions I've read that Exchange PF removes the
> headers, but here it sounds like IMAP is doing it, since the
> headers are
> visible and look fine from the PF.
>
> Is this going to affect sa-learn dramatically?
>
> When I use spamassassin to run a test on the mbox messages, the SA
> score is dramatically different obviously because of the loss of
> headers.
>
> Is there any way to fix this?

You could configure MailScanner to quarantine all emails. Then write a
script to pull the message id out of the header, then train spamassassin
with the real message from the quarantine.

Jase

From ajcartmell at fonant.com Fri Oct 20 19:19:33 2006
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Fri Oct 20 19:19:42 2006
Subject: How does MailScanner docide which spamassassin rules dir to use
In-Reply-To: <223f97700610201053p160ede0em8938b77c690714aa@mail.gmail.com>
References: <453907D7.60503@ucalgary.ca> <223f97700610201053p160ede0em8938b77c690714aa@mail.gmail.com>
Message-ID:

>> I run MailScanner 4.55.10-3 and spamassassin 3.1.5-1. I enabled
>> sa-update. But I found MailScanner still uses "/usr/share/spamassassin",
>> NOT "/var/lib/spamassassin/3.001005/", for default spamassassin rules
>> dir. What should I change to let user /var/lib/spamassassin/3.001005/?

I have this too, for 3.001003.

> Did sa-update succeed?

Yes.

> Do you have all the rules "moved and updated"
> to the /var/lib/spamassassin/ directory?

Yes.

> Are you sure you are
> running version 3.1.5?

Yes (well 3.1.3).

> No duplicate SA install?

No.

> Can the user you run
> your MTA as (and thus MailScanner ... and SA) read the files in
> /var/lib/spamassassin/?

Yes.

> Short answer "it should work" isn't much help, but perhaps you can
> find a bit more info from the above questions:-). As a stopgap thing
> you could set the Default Rules Dir option, but it's probably better
> to try deduce why it isn't working as intended;-)

spamassassin reads the rules in /var/lib/spamassassin/ when
called direct, but not when called from MailScanner :(

I'm using spamassassin installed by yum for Fedora Core 5. I might try
installing the version from MailScanner's web site...

Cheers!

Anthony
-- 
www.fonant.com - Quality web sites

From derek at adcatanzaro.com Fri Oct 20 19:24:09 2006
From: derek at adcatanzaro.com (Derek Catanzaro)
Date: Fri Oct 20 19:24:32 2006
Subject: OT: Reject non local users with sendmail, help
In-Reply-To:
References:
Message-ID: <45391449.6080602@adcatanzaro.com>

Jim Holland wrote:
> On Fri, 20 Oct 2006, Derek Catanzaro wrote:
>
>
>> Correct, sendmail will not relay for a domain that you do not allow and
>> this is working for me. The subject line of this message is incorrect,
>> it should have read "RELAY" not reject. My MailScanner/sendmail servers
>> relay to an internal Lotus Domino server. I have compiled a list of
>> addresses that I want sendmail to relay to and if the address is not
>> listed I do not want sendmail to accept it. Right now it accepts any
>> address that is sent to mydomain.com, hence the extra load.
>> MailScanner is having to process a bunch of messages that are going to
>> non existent users in mydomain.com.
>>
>> I have the list of recipients that I need to relay for I just need to
>> know how to tell sendmail to only relay to these users and drop the
>> rest.
>>
>
> In the access file:
>
> To:user1@example.com RELAY
> To:user2@example.com RELAY
> To:user3@example.com RELAY
> To:example.com ERROR:5.1.1:550 No such user
>
> Keep your base access file in a separate location, and then generate the
> above entries with a script, combine it with your base access file and
> then run "make".
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
>
>

Thanks Jim, this did the trick. The load on the servers has definitely
gone down. Can't wait to run the numbers in a week to see how much this
will cut back on the number of messages MailScanner has to process.

Thanks again, have a good weekend.

Derek

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From kwang at ucalgary.ca Fri Oct 20 20:11:28 2006
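Added example (not part of the original thread, and not Jim Holland's or Derek Catanzaro's own script): one way to generate the To: entries Jim describes from a recipient list and combine them with a separately kept base access file. The function names, the address pattern and the sample addresses are assumptions made for this example; the combined text still has to be built into the access database as Jim says.

```python
import re

# Deliberately strict mailbox pattern: no whitespace, '#', quotes or control
# characters, so a malformed list entry cannot smuggle its own right-hand
# side (for example "someone@example.com<TAB>OK") into the access map.
ADDR_RE = re.compile(r"[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}")


def existing_keys(access_text):
    """Lower-cased keys already present in an access file's source text."""
    keys = set()
    for line in access_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split(None, 1)[0].lower())
    return keys


def build_access_map(base_access, recipients, domain,
                     reject="ERROR:5.1.1:550 No such user"):
    """Combine the base access file with generated per-recipient entries.

    Returns (access_text, skipped): the combined source text, and the
    recipient lines that were refused and should be reviewed by hand.
    """
    domain = domain.lower()
    taken = existing_keys(base_access)    # entries in the base file win
    accepted, skipped = [], []
    for raw in recipients:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue                      # blank line or comment in the list
        addr = entry.lower()
        if not ADDR_RE.fullmatch(addr) or addr.rsplit("@", 1)[1] != domain:
            skipped.append(raw)           # malformed, or not our domain
            continue
        key = "to:" + addr
        if key not in taken:              # drop duplicates
            taken.add(key)
            accepted.append(addr)

    lines = [base_access.rstrip("\n"), "", "# generated recipient entries"]
    lines += ["To:%s\tRELAY" % addr for addr in sorted(accepted)]
    if "to:" + domain not in taken:
        # Catch-all for the domain: any recipient not listed above gets the
        # 550 reply instead of being accepted and passed on for scanning.
        lines.append("To:%s\t%s" % (domain, reject))
    return "\n".join(lines) + "\n", skipped


# Constructed sample input (not from the thread).
BASE_ACCESS = "# base access file\nConnect:127.0.0.1\tRELAY\n"
RECIPIENTS = [
    "user1@example.com",
    "User2@Example.com",          # mixed case, normalised to lower case
    "user1@example.com",          # duplicate
    "someone@example.net",        # wrong domain
    "bad@example.com\tOK",        # embedded field separator
    "# a comment in the list",
]

if __name__ == "__main__":
    text, skipped = build_access_map(BASE_ACCESS, RECIPIENTS, "example.com")
    print(text, end="")
    for entry in skipped:
        print("skipped: %r" % entry)
```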
From: kwang at ucalgary.ca (Kai Wang)
Date: Fri Oct 20 20:11:37 2006
Subject: How does MailScanner docide which spamassassin rules dir to use
In-Reply-To:
References: <453907D7.60503@ucalgary.ca> <223f97700610201053p160ede0em8938b77c690714aa@mail.gmail.com>
Message-ID: <45391F60.2060105@ucalgary.ca>

The same here. Not sure if this is a bug of MailScanner.

$ls -alR /var/lib/spamassassin/
/var/lib/spamassassin/:
total 16
drwxr-xr-x 3 root root 4096 Oct 13 13:39 .
drwxr-xr-x 20 root root 4096 Oct 13 13:39 ..
drwxr-xr-x 7 root root 4096 Oct 19 14:11 3.001005

/var/lib/spamassassin/3.001005:
total 56
drwxr-xr-x 7 root root 4096 Oct 19 14:11 .
drwxr-xr-x 3 root root 4096 Oct 13 13:39 ..
drwxr-xr-x 2 root root 4096 Oct 19 14:02 70_sare_adult_cf_sare_sa-update_dostech_net
-rw-r--r-- 1 root root 98 Oct 19 14:02 70_sare_adult_cf_sare_sa-update_dostech_net.cf
drwxr-xr-x 2 root root 4096 Oct 19 14:02 70_sare_oem_cf_sare_sa-update_dostech_net
-rw-r--r-- 1 root root 96 Oct 19 14:02 70_sare_oem_cf_sare_sa-update_dostech_net.cf
drwxr-xr-x 2 root root 4096 Oct 19 14:02 70_sare_random_cf_sare_sa-update_dostech_net
-rw-r--r-- 1 root root 99 Oct 19 14:02 70_sare_random_cf_sare_sa-update_dostech_net.cf
drwxr-xr-x 2 root root 4096 Oct 19 14:02 70_sare_stocks_cf_sare_sa-update_dostech_net
-rw-r--r-- 1 root root 99 Oct 19 14:02 70_sare_stocks_cf_sare_sa-update_dostech_net.cf
-rw-r--r-- 1 root root 201 Oct 19 14:11 sare-sa-update-channels.txt
drwxr-xr-x 2 root root 4096 Oct 13 13:39 updates_spamassassin_org
-rw-r--r-- 1 root root 2195 Oct 13 13:39 updates_spamassassin_org.cf
-rw-r--r-- 1 root root 43 Oct 13 13:39 updates_spamassassin_org.pre

/var/lib/spamassassin/3.001005/70_sare_adult_cf_sare_sa-update_dostech_net:
total 72
drwxr-xr-x 2 root root 4096 Oct 19 14:02 .
drwxr-xr-x 7 root root 4096 Oct 19 14:11 ..
-rw-r--r-- 1 root root 53868 Oct 19 14:02 200604200900.cf
-rw-r--r-- 1 root root 57 Oct 19 14:02 MIRRORED.BY

/var/lib/spamassassin/3.001005/70_sare_oem_cf_sare_sa-update_dostech_net:
total 28
drwxr-xr-x 2 root root 4096 Oct 19 14:02 .
drwxr-xr-x 7 root root 4096 Oct 19 14:11 ..
-rw-r--r-- 1 root root 12739 Oct 19 14:02 200512271200.cf
-rw-r--r-- 1 root root 55 Oct 19 14:02 MIRRORED.BY

/var/lib/spamassassin/3.001005/70_sare_random_cf_sare_sa-update_dostech_net:
total 32
drwxr-xr-x 2 root root 4096 Oct 19 14:02 .
drwxr-xr-x 7 root root 4096 Oct 19 14:11 ..
-rw-r--r-- 1 root root 18190 Oct 19 14:02 200512121000.cf
-rw-r--r-- 1 root root 58 Oct 19 14:02 MIRRORED.BY

/var/lib/spamassassin/3.001005/70_sare_stocks_cf_sare_sa-update_dostech_net:
total 76
drwxr-xr-x 2 root root 4096 Oct 19 14:02 .
drwxr-xr-x 7 root root 4096 Oct 19 14:11 ..
-rw-r--r-- 1 root root 59515 Oct 19 14:02 200610182000.cf
-rw-r--r-- 1 root root 58 Oct 19 14:02 MIRRORED.BY

/var/lib/spamassassin/3.001005/updates_spamassassin_org:
total 556
drwxr-xr-x 2 root root 4096 Oct 13 13:39 .
drwxr-xr-x 7 root root 4096 Oct 19 14:11 ..
-rw-r--r-- 1 root root 5495 Oct 13 13:39 10_misc.cf
-rw-r--r-- 1 root root 8115 Oct 13 13:39 20_advance_fee.cf
-rw-r--r-- 1 root root 1605 Oct 13 13:39 20_anti_ratware.cf
-rw-r--r-- 1 root root 6693 Oct 13 13:39 20_body_tests.cf
-rw-r--r-- 1 root root 1537 Oct 13 13:39 20_compensate.cf
-rw-r--r-- 1 root root 14290 Oct 13 13:39 20_dnsbl_tests.cf
-rw-r--r-- 1 root root 15639 Oct 13 13:39 20_drugs.cf
-rw-r--r-- 1 root root 11383 Oct 13 13:39 20_fake_helo_tests.cf
-rw-r--r-- 1 root root 33145 Oct 13 13:39 20_head_tests.cf
-rw-r--r-- 1 root root 17504 Oct 13 13:39 20_html_tests.cf
-rw-r--r-- 1 root root 3320 Oct 13 13:39 20_meta_tests.cf
-rw-r--r-- 1 root root 2138 Oct 13 13:39 20_net_tests.cf
-rw-r--r-- 1 root root 15883 Oct 13 13:39 20_phrases.cf
-rw-r--r-- 1 root root 4714 Oct 13 13:39 20_porn.cf
-rw-r--r-- 1 root root 16879 Oct 13 13:39 20_ratware.cf
-rw-r--r-- 1 root root 9693 Oct 13 13:39 20_uri_tests.cf
-rw-r--r-- 1 root root 2231 Oct 13 13:39 23_bayes.cf
-rw-r--r-- 1 root root 420 Oct 13 13:39 25_accessdb.cf
-rw-r--r-- 1 root root 1345 Oct 13 13:39 25_antivirus.cf
-rw-r--r-- 1 root root 9117 Oct 13 13:39 25_body_tests_es.cf
-rw-r--r-- 1 root root 17676 Oct 13 13:39 25_body_tests_pl.cf
-rw-r--r-- 1 root root 190 Oct 13 13:39 25_dcc.cf
-rw-r--r-- 1 root root 1993 Oct 13 13:39 25_dkim.cf
-rw-r--r-- 1 root root 1947 Oct 13 13:39 25_domainkeys.cf
-rw-r--r-- 1 root root 2738 Oct 13 13:39 25_hashcash.cf
-rw-r--r-- 1 root root 189 Oct 13 13:39 25_pyzor.cf
-rw-r--r-- 1 root root 2201 Oct 13 13:39 25_razor2.cf
-rw-r--r-- 1 root root 8342 Oct 13 13:39 25_replace.cf
-rw-r--r-- 1 root root 2873 Oct 13 13:39 25_spf.cf
-rw-r--r-- 1 root root 352 Oct 13 13:39 25_textcat.cf
-rw-r--r-- 1 root root 7539 Oct 13 13:39 25_uribl.cf
-rw-r--r-- 1 root root 47388 Oct 13 13:39 30_text_de.cf
-rw-r--r-- 1 root root 34883 Oct 13 13:39 30_text_fr.cf
-rw-r--r-- 1 root root 1670 Oct 13 13:39 30_text_it.cf
-rw-r--r-- 1 root root 38211 Oct 13 13:39 30_text_nl.cf
-rw-r--r-- 1 root root 30284 Oct 13 13:39 30_text_pl.cf
-rw-r--r-- 1 root root 2883 Oct 13 13:39 30_text_pt_br.cf
-rw-r--r-- 1 root root 33703 Oct 13 13:39 50_scores.cf
-rw-r--r-- 1 root root 1116 Oct 13 13:39 60_awl.cf
-rw-r--r-- 1 root root 4906 Oct 13 13:39 60_whitelist.cf
-rw-r--r-- 1 root root 2370 Oct 13 13:39 60_whitelist_dkim.cf
-rw-r--r-- 1 root root 3483 Oct 13 13:39 60_whitelist_spf.cf
-rw-r--r-- 1 root root 1726 Oct 13 13:39 60_whitelist_subject.cf
-rw-r--r-- 1 root root 11041 Oct 13 13:39 70_iadb.cf
-rw-r--r-- 1 root root 12968 Oct 13 13:39 80_additional.cf
-rw-r--r-- 1 root root 0 Oct 13 13:39 empty.pre
-rw-r--r-- 1 root root 138 Oct 13 13:39 MIRRORED.BY

Anthony Cartmell wrote:
>>> I run MailScanner 4.55.10-3 and spamassassin 3.1.5-1. I enabled
>>> sa-update. But I found MailScanner still uses
>>> "/usr/share/spamassassin",
>>> NOT "/var/lib/spamassassin/3.001005/", for default spamassassin rules
>>> dir. What should I change to let user /var/lib/spamassassin/3.001005/?
>
> I have this too, for 3.001003.
>
>> Did sa-update succeed?
>
> Yes.
>
>> Do you have all the rules "moved and updated"
>> to the /var/lib/spamassassin/ directory?
>
> Yes.
>
>> Are you sure you are
>> running version 3.1.5?
>
> Yes (well 3.1.3).
>
>> No duplicate SA install?
>
> No.
>
>> Can the user you run
>> your MTA as (and thus MailScanner ... and SA) read the files in
>> /var/lib/spamassassin/?
>
> Yes.
>
>> Short answer "it should work" isn't much help, but perhaps you can
>> find a bit more info from the above questions:-). As a stopgap thing
>> you could set the Default Rules Dir option, but it's probably better
>> to try deduce why it isn't working as intended;-)
>
> spamassassin reads the rules in /var/lib/spamassassin/ when
> called direct, but not when called from MailScanner :(
>
> I'm using spamassassin installed by yum for Fedora Core 5. I might try
> installing the version from MailScanner's web site...
>
> Cheers!
>
> Anthony
> --www.fonant.com - Quality web sites
> --MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

-- 
Kai Wang
System Services
Information Technologies, University of Calgary,
2500 University Drive, N.W.,
Calgary, Alberta, Canada T2N 1N4
Phone (403) 220-2423, Fax (403) 282-9361

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sconway at wlnet.com Fri Oct 20 20:41:38 2006
From: sconway at wlnet.com (Stephen Conway)
Date: Fri Oct 20 20:41:52 2006
Subject: Too Much Details in Receipts and Rejections
Message-ID: <027001c6f47f$c319a6e0$b000a8c0@skyhawk>

Hello:

I have a couple systems with the following:

Intel based systems
1 GB RAM
running Slackware Linux
Sendmail 8.13.8
MailScanner-4.55.10
SpamAssassin version 3.1.0
Perl 5.6.1

My problem is that for 'Request Server Receipt' option in Outlook, and for
rejection and warning messages, if I have a user that aliases to a script, I
get all the details of the script, ex as below:

=================
The original message was received at Fri, 20 Oct 2006 01:18:49 -0400 from
[IP]

----- The following addresses had successful delivery notifications -----
"|/bin/asmv user@domain.com" (successfully delivered to mailbox)
(expanded from:

Message-ID: <046501c6f477$42f84410$0600a8c0@roger>

Hello all...

Is there any new virus around sending UDP 137 packets? I'm having a lot of
activity on these port in one of my subnets, and McAfee didn't detected
anything. So I'm assuming is something new... Something like the old Opaserv
virus... Any clues?

Regards

Roger Jochem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061020/73306e5a/attachment.html

From Kevin_Miller at ci.juneau.ak.us Fri Oct 20 20:46:36 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Oct 20 20:46:41 2006
Subject: How does MailScanner docide which spamassassin rules dir to use
In-Reply-To: <453907D7.60503@ucalgary.ca>
Message-ID:

Kai Wang wrote:
> I run MailScanner 4.55.10-3 and spamassassin 3.1.5-1. I enabled
> sa-update. But I found MailScanner still uses
> "/usr/share/spamassassin", NOT "/var/lib/spamassassin/3.001005/", for
> default spamassassin rules dir. What should I change to let user
> /var/lib/spamassassin/3.001005/?

How did you determine that it was using /usr/share/spamassassin & not
/var/lib/spamassassin/3.001005/?

I just enabled sa-update and ran it, and presto, I'm on 3.1.7 and have
the /var/lib/... tree all created. But nothing in /var/log/mail (or
elsewhere) said what directory it's using.

spamassassin --lint -D uses the appropriate (updated) folder, but of
course, it bypasses MailScanner...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ka at pacific.net Fri Oct 20 21:04:54 2006
From: ka at pacific.net (Ken A)
Date: Fri Oct 20 21:03:00 2006
Subject: New virus?
In-Reply-To: <046501c6f477$42f84410$0600a8c0@roger>
References: <046501c6f477$42f84410$0600a8c0@roger>
Message-ID: <45392BE6.8020905@pacific.net>

Are you sure it's not a windows box, just doing what windows boxes do,
opening file shares and broadcasting all that netbios crap on 137,139..

Ken A
Pacific.Net

Roger Jochem wrote:
> Hello all...
>
> Is there any new virus around sending UDP 137 packets? I'm having a lot of activity on these port in one of my subnets, and McAfee didn't detected anything. So I'm assuming is something new... Something like the old Opaserv virus... Any clues?
>
> Regards
>
> Roger Jochem
>

From campbell at cnpapers.com Fri Oct 20 21:08:17 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Oct 20 21:08:41 2006
Subject: New virus?
References: <046501c6f477$42f84410$0600a8c0@roger>
Message-ID: <001001c6f483$7b3dd220$0705000a@DDF5DW71>

Roger

I get so many of these all the time that I have configured my firewall log
analysis tool to ignore them and just not report them. It used to just be a
port scan, and seemed harmless, especially since I don't have any Windows
machines behind the firewall.

There may be a virus somewhere lurking behind this, but up til now, I just
didn't care.

Steve

----- Original Message -----
From: Roger Jochem
To: MailScanner discussion
Sent: Friday, October 20, 2006 2:40 PM
Subject: New virus?

Hello all...

Is there any new virus around sending UDP 137 packets? I'm having a lot of
activity on these port in one of my subnets, and McAfee didn't detected
anything. So I'm assuming is something new... Something like the old Opaserv
virus... Any clues?

Regards

Roger Jochem

------------------------------------------------------------------------------

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061020/8947754f/attachment.html

From Kevin_Miller at ci.juneau.ak.us Fri Oct 20 21:41:01 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Oct 20 21:41:08 2006
Subject: How does MailScanner docide which spamassassin rules dir to use
In-Reply-To:
Message-ID:

Kevin Miller wrote:
> Kai Wang wrote:
>> I run MailScanner 4.55.10-3 and spamassassin 3.1.5-1. I enabled
>> sa-update. But I found MailScanner still uses
>> "/usr/share/spamassassin", NOT "/var/lib/spamassassin/3.001005/", for
>> default spamassassin rules dir. What should I change to let user
>> /var/lib/spamassassin/3.001005/?
>
> How did you determine that it was using /usr/share/spamassassin & not
> /var/lib/spamassassin/3.001005/?
>
> I just enabled sa-update and ran it, and presto, I'm on 3.1.7 and have
> the /var/lib/... tree all created. But nothing in /var/log/mail (or
> elsewhere) said what directory it's using.
>
> spamassassin --lint -D uses the approprite (updated) folder, but of
> course, it bypasses MailScanner...

Replying to myself. Sigh. OK, everybody who's ready for a weekend raise
their hand.

Occurred to me to just run MS in debug mode, so I grabbed my book off the
shelf (you've all bought The Book, right?) and did a quick lookup.

Long story short, it worked just fine here on my test box. FWIW, I
updated on the 13th using Jules' combined package, and did the
auto-update via /etc/cron.daily/sa-update.

I'm taking it on faith that if SA is updated in the middle of the night,
that MS will sort it out. If not immediately, when it does its auto
restart after four hours.

So now if clamav would autoupdate the engine as well as the definition
files I could just set the cruise control and get back to playing
Tux-Racer. :-)

S'later...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ajcartmell at fonant.com Fri Oct 20 21:53:23 2006
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Fri Oct 20 21:53:26 2006
Subject: How does MailScanner docide which spamassassin rules dir to use
In-Reply-To:
References:
Message-ID:

> How did you determine that it was using /usr/share/spamassassin & not
> /var/lib/spamassassin/3.001005/?

In my case, by comparing the scores given to a spam message by MailScanner
and by spamassassin run manually. The manual spamassassin run gave a much
higher score as it was using more rules. Checking which the extra rules
were led me to the conclusion that the /var/lib/spamassassin/ tree wasn't
being used by MailScanner.

Anthony
-- 
www.fonant.com - Quality web sites

From TGFurnish at herffjones.com Fri Oct 20 22:00:31 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Fri Oct 20 22:02:21 2006
Subject: slightly OT: how do i know if i've been poisoned? (Bayes)
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC253@inex3.herffjones.hj-int>

Sorry, this is a bit long with some output from sa-learn --dump, but
it's probably just simple questions for someone here...

Been running with the same Bayes database for a long time, but lately a
lot of uncaught messages that seem as though they ought to be caught
very effectively using Bayesian techniques have me wondering if I have a
problem with my Bayes database. To be honest I have quite a few
questions related to SA's Bayes stuff that I should have tracked down
answers to sooner. :-(

The messages that caused me to start looking are those that all end with
"You must to read". I say it seems like they ought to be caught easily
by Bayes because:

- They're simple text messages
- Most of the words and phrases appear consistently in all of the
versions of this spam I receive.
- And most importantly, I've been sa-learn'ing them as spam repeatedly.

I have about 900 of these listed in mailwatch in the last three days,
probably only about 50/50 caught as spam, but I've run sa-learn on
probably 100 of them to train it that this is spam.

What's worse, many of the ones that are listed as ham are triggering
BAYES_00. Even if I send back through the exact same message that I've
trained as spam, it never gets caught as spam.

So...

Looking at the output of sa-learn --dump, I see the following "magic":

0.000 0 3 0 non-token data: bayes db version
0.000 0 1904995 0 non-token data: nspam
0.000 0 213646 0 non-token data: nham
0.000 0 696343 0 non-token data: ntokens
0.000 0 1161225623 0 non-token data: oldest atime
0.000 0 1161377189 0 non-token data: newest atime
0.000 0 1161377169 0 non-token data: last journal sync atime
0.000 0 1161355561 0 non-token data: last expiry atime
0.000 0 64369 0 non-token data: last expire atime delta
0.000 0 1448252 0 non-token data: last expire reduction count

And in the data part of the dump I see lots of what seems to be random
data. In fact that's all I see in the data dump -- no tokens I'd
recognize as anything other than random garbage:

0.978 2 0 1161346932 36dbf22fa5
0.958 1 0 1161345892 79e8adb687
0.958 1 0 1161346781 3519895456
0.958 1 0 1161354304 6c4a3342f2
0.171 3921 2126 1161375277 f6bd08b094
0.000 0 198 1161377487 dd534744d6
0.459 68115 9002 1161377680 b303caafc0
0.088 17 20 1161364153 8edecfaeac
1.000 1464 0 1161353847 aff4ea7b31
0.009 0 6 1161351795 719fddf880
0.143 92 62 1161373089 e54862ab93
0.985 3 0 1161349368 78041875fa
0.259 3 1 1161352844 be2c8315bb
0.992 6 0 1161300413 f063d1aca5
0.999 33 0 1161372814 c411247e8c
0.999 92 0 1161376548 0a404340c8
0.998 24 0 1161376658 40a64bb94f
0.923 749 7 1161377672 fae3ecc1e9
1.000 129 0 1161375875 4438c3c4e2
0.999 78 0 1161348595 0c172e375f
0.999 51 0 1161377759 c3de5f8083
0.011 0 5 1161302064 fab6bc3637
0.991 5 0 1161292292 fad0ce7ecf
0.995 9 0 1161361757 578d39ad23
0.994 8 0 1161321372 f598e1bbac
0.017 0 3 1161339745 472573f9b9
0.985 3 0 1161372321 198a28fcfe
0.958 1 0 1161294047 0c6d083929
0.958 1 0 1161291228 38e29036dd
0.958 1 0 1161292212 85ce2e63d5

Is that the way it should look? I expected to see actual words.

Also, on one of the lists (either this one or the mailwatch list)
someone said that Bayesian filtering was "4 times as effective" when it
has more ham than spam to learn from -- but that makes no sense to me,
and it's also not something that seems tenable -- I get about 95% spam.

-- 
Trever Furnish, tgfurnish@herffjones.com
Herff Jones, Inc. Unix / Network Administrator
Phone: 317.612.3519
Any sufficiently advanced technology is indistinguishable from Unix.

From mkettler at evi-inc.com Fri Oct 20 22:38:05 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Oct 20 22:38:19 2006
Subject: slightly OT: how do i know if i've been poisoned? (Bayes)
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC253@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC253@inex3.herffjones.hj-int>
Message-ID: <453941BD.2020302@evi-inc.com>

Furnish, Trever G wrote:

> And in the data part of the dump I see lots of what seems to be random
> data. In fact that's all I see in the data dump -- no tokens I'd
> recognize as anything other than random garbage:
>
> 0.978 2 0 1161346932 36dbf22fa5
>
> Is that the way it should look? I expected to see actual words.

Yes, SA 3.0.0 and higher store 40 bits of the SHA1 hash of the word, not the
word itself. This makes the entries themselves all fixed-size which offers a
lot of performance gain.

It also makes it impossible to decipher the bayes DB into a human-readable
form. This has some ups and downs. One benefit is enhanced security. In the
old system if you had a shared bayes DB, any of the users could read the
database and figure out a lot about your email:

	who's been sending mail to your network (H*F tokens)
	By looking at body tokens, deduce topics of conversation. (hint:
	specialized terminology really stands out)

If you really want to see the tokens, in text form, for a specific message use
the following:

spamassassin -D bayes < message.txt

And you should get some debug output like this:

[807] dbg: bayes: token 'I*:what' => 0.99846511627907
[807] dbg: bayes: token 'I*:future' => 0.996181818181818

>
> Also, one one of the lists (either this one or the mailwatch list)
> someone said that Bayesian filtering was "4 times as effective" when it
> has more ham than spam to learn from -- but that makes no sense to me,
> and it's also not something that seems tenable -- I get about 95% spam.

What's that about 75% of statistics are made up on the spot?

$5 says the person was pulling that fact out of their behind, or was parroting
a statistic that applies to some other tool that implements bayes in an
obscure fashion.

Technically, the ideal for SA, or nearly any other bayes, would be an exact
50/50 mix.

That is actually supported by the math if you think about how bayes works.
Ideally you want "common" words that appear in both spam and nonspam to wind
up with a token spam probability of 0.500. You'll get that, on average, if
you're training the same number of spam and nonspam messages. Otherwise, your
average "common word" token will be biased to be roughly your training ratio.

However, SA's use of chi-squared combining makes it really resistant to wild
deviations from that ideal. The impact of any "near the middle" tokens is
heavily drowned out by stronger ones. One 0.000 will completely negate many
0.950's.

Unless your training ratio is approaching 99% spam, you should be fine. And
even this will only cause you increased false positives. It will definitely
NOT cause BAYES_00 problems. That would be an issue if your ratio was
approaching 1% spam.

It should also be noted, that technically speaking, SA's "bayes" isn't really
bayesian. In fact, nearly all "bayes" filters aren't bayesian. Chi-squared
combining works better and runs faster than a real bayes combining. But this
term has generally been applied to any statistical token analysis system,
regardless of how probabilities are calculated and combined.

Fundamentally there are 3 kinds of common "bayes" out there. All of which
"work best" at 50/50.

	The original Paul Graham method, using naive Bayes combining
	The improved method suggested by Robinson using geometric means.
	The chi-squared method, also called Fisher's method.

Most use chi-squared nowadays. It's faster, works better, and is highly
resistant to being biased by poisoning or uneven training.

http://www.bgl.nu/bogofilter/naive.html

Be wary of someone who posts generalities about bayes, they might be quoting
something that applies to a different bayes methodology.

From lhaig at haigmail.com Fri Oct 20 22:42:23 2006
From: lhaig at haigmail.com (Lance Haig)
Date: Fri Oct 20 22:42:20 2006
Subject: OT : need to find some rack space
Message-ID: <453942BF.4020807@haigmail.com>

Hi
Sorry for the Off topic
I have been using a friend's rack space for free for my websites and MS
installation but he has sold his online business so I need to move on.

Does anyone know of a reasonably priced collocation company in the UK
that I could look at?

Thanks

Lance

From Kevin_Miller at ci.juneau.ak.us Fri Oct 20 22:57:42 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Oct 20 22:57:47 2006
Subject: OT : need to find some rack space
In-Reply-To: <453942BF.4020807@haigmail.com>
Message-ID:

Lance Haig wrote:
> Hi
> Sorry for the Off topic
> I have been using a friends rack space for free for my websites and MS
> installation but he has sold his online business so I need to move on.
>
> Does anyone know of a reasonably priced collocation company in the UK
> that I could look at?

Well, if 'twere me, I'd go to http://www.blacknight.ie/ - OK, so it's
not the UK, but it's just a stone's throw away, the Irish make good beer
and music, and Michele Neylon is quite helpful, if his participation in
this list is any indication...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ajcartmell at fonant.com Fri Oct 20 23:14:23 2006
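Added example (not part of the original thread, and not SpamAssassin's own code): a small checker for the two things discussed in the Bayes thread above, the nspam/nham training ratio taken from the "magic" lines of sa-learn --dump and the per-token probabilities printed by spamassassin -D bayes, together with a chi-squared combiner for trying Matt Kettler's points on numbers. The combiner follows the commonly published Fisher/Robinson formulation; that formula, the probability floor and the two constructed sample tokens are assumptions of this example.

```python
import math
import re

MAGIC_RE = re.compile(r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$")
TOKEN_RE = re.compile(r"dbg: bayes: token '(.*)' => ([0-9.]+(?:e-?\d+)?)")


def parse_magic(dump_text):
    """Map each 'non-token data' name in sa-learn --dump output to its value."""
    magic = {}
    for line in dump_text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            magic[m.group(2)] = int(m.group(1))
    return magic


def spam_fraction(magic):
    """Share of learned messages that were spam (the 'training ratio')."""
    total = magic["nspam"] + magic["nham"]
    return magic["nspam"] / total if total else None


def parse_debug_tokens(debug_text):
    """(token, probability) pairs from -D bayes output, strongest first."""
    found = []
    for line in debug_text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            found.append((m.group(1), float(m.group(2))))
    return sorted(found, key=lambda t: abs(t[1] - 0.5), reverse=True)


def chi2q(x2, dof):
    """Upper tail probability of a chi-squared variable, even dof only."""
    m = x2 / 2.0
    term = total = math.exp(-m)
    for i in range(1, dof // 2):
        term *= m / i
        total += term
    return min(total, 1.0)


def combine(probs, floor=1e-6):
    """Chi-squared combining: near 1.0 is spam, near 0.0 ham, 0.5 unsure."""
    probs = [min(max(p, floor), 1.0 - floor) for p in probs]  # avoid log(0)
    n = len(probs)
    if n == 0:
        return 0.5
    spammy = 1.0 - chi2q(-2.0 * sum(math.log(1.0 - p) for p in probs), 2 * n)
    hammy = 1.0 - chi2q(-2.0 * sum(math.log(p) for p in probs), 2 * n)
    return (spammy - hammy + 1.0) / 2.0


# Magic lines as posted in the thread.
MAGIC_SAMPLE = """\
0.000 0 3 0 non-token data: bayes db version
0.000 0 1904995 0 non-token data: nspam
0.000 0 213646 0 non-token data: nham
0.000 0 696343 0 non-token data: ntokens
"""

# First two lines are from the thread; the last two are constructed.
DEBUG_SAMPLE = """\
[807] dbg: bayes: token 'I*:what' => 0.99846511627907
[807] dbg: bayes: token 'I*:future' => 0.996181818181818
[807] dbg: bayes: token 'read' => 0.003
[807] dbg: bayes: token 'must' => 0.512
"""

if __name__ == "__main__":
    magic = parse_magic(MAGIC_SAMPLE)
    print("training ratio: %.1f%% spam" % (100 * spam_fraction(magic)))
    for token, prob in parse_debug_tokens(DEBUG_SAMPLE):
        print("%-12s %.3f  pulls toward %s"
              % (token, prob, "spam" if prob > 0.5 else "ham"))
    print("ten 0.95 tokens:           %.3f" % combine([0.95] * 10))
    print("plus twenty 0.5 tokens:    %.3f" % combine([0.95] * 10 + [0.5] * 20))
    print("plus a single 0.000 token: %.3f" % combine([0.95] * 10 + [0.0]))
```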
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Fri Oct 20 23:14:33 2006
Subject: FuzzyOcr working but not via MailScanner: Fixed!
In-Reply-To:
References: <01d701c6f2db$16346550$3701a8c0@lapxp> <4536818C.7080701@netmagicsolutions.com>
Message-ID:

> I've now added MailScanner.conf to have:
>
> SpamAssassin Default Rules Dir = /var/lib/spamassassin/3.001003
>
> And all the rules are now being run :)
>
> It's not entirely clear how spamassassin knows to use this directory
> normally, but obviously MailScanner needs to know about it too.

The fix to actually get FuzzyOcr working via MailScanner was to add in
"use Mail::SpamAssassin::Timeout;" at the top of FuzzyOcr.pm. It seems
that this isn't included by MailScanner whereas it is included by
command-line spamassassin.

Found by running MailScanner with Debug = yes and Debug SpamAssassin = yes
(now why didn't I think of that before!?).

Cheers!

Anthony
-- 
www.fonant.com - Quality web sites

From mailscanner at mango.zw Sat Oct 21 10:23:03 2006
From: mailscanner at mango.zw (Jim Holland) Date: Sat Oct 21 10:18:49 2006 Subject: Too Much Details in Receipts and Rejections In-Reply-To: <027001c6f47f$c319a6e0$b000a8c0@skyhawk> Message-ID: On Fri, 20 Oct 2006, Stephen Conway wrote: > My problem is that for 'Request Server Receipt' option in Outlook, and for > rejection and warning messages, if I have a user that aliases to a script, I > get all the details of the script, ex as below: > > ================= > The original message was received at Fri, 20 Oct 2006 01:18:49 -0400 from > [IP] > > ----- The following addresses had successful delivery notifications ----- > "|/bin/asmv user@domain.com" (successfully delivered to mailbox) > (expanded from: > ----- Transcript of session follows ----- Name "main::login" used only > once: possible typo at /bin/asend line 25. > Name "main::cont_type" used only once: possible typo at /bin/asend line 23. > Name "main::recfrm" used only once: possible typo at /bin/asend line 21. > Name "main::found" used only once: possible typo at /bin/asend line 27. > Name "main::dom" used only once: possible typo at /bin/asend line 26. > Name "main::eml" used only once: possible typo at /bin/asend line 24. > shell-init: could not get current directory: getcwd: cannot access parent > directories: No such file or directory > "|/bin/asmv user@domain.com"... Successfully delivered > ================= > > A similar respons is sent if you send to an alias list if a user doesn't > exist in the list for example, Any way to tell Sendmail to suppress all this > info? This is not a sendmail issue. You are running some perl script: /bin/asend that is presumably being called by /bin/asmv The script has problems that are being reported when it is run. That is what "perl -w" does - it makes rude remarks about a programme it doesn't like. Fix that script and the problems will go away. 
Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From lhaig at haigmail.com Sat Oct 21 11:04:09 2006 From: lhaig at haigmail.com (Lance Haig) Date: Sat Oct 21 11:04:00 2006 Subject: Backups Message-ID: <4539F099.7070401@haigmail.com> Hi Guys, I am setting up a remote rsync backup of my ms box and was just wondering if I was backing up the right directories. These are the directories /etc/ /var/lib/mysql /srv/www/ (for a few websites) Have I missed any? Would I be able to DR this server if I had only these? Thanks for your help. Lance From moacyrs at akadnyx.com.br Sat Oct 21 17:39:01 2006 From: moacyrs at akadnyx.com.br (Moacyr Leite da Silva) Date: Sat Oct 21 17:35:39 2006 Subject: Spam Sample :: Need help to get rid these spams Message-ID: <191B7317B2FFA24A8C6E6C01F53206A4201754@w2k-srv01.akadnyx.com.br> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 1807 bytes Desc: akadnyx-skipe_small.PNG Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061021/60f00d86/attachment.png -------------- next part -------------- A non-text attachment was scrubbed... Name: good-bye.gif Type: image/gif Size: 11068 bytes Desc: good-bye.gif Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061021/60f00d86/good-bye.gif From rich at mail.wvnet.edu Sat Oct 21 21:44:09 2006
From: rich at mail.wvnet.edu (Richard Lynch) Date: Sat Oct 21 21:44:35 2006 Subject: SA missing_subject done incorrectly Message-ID: <453A8699.5000507@mail.wvnet.edu> We're getting a lot of reports of people not getting expected messages. Checking through the maillog I'm seeing a lot of messages being flagged by SA with MISSING_SUBJECT. However, further checking on some of them reveals that they do have a subject. This improper action results in adding a score of 1.82 to the messages which causes the message to go over the spam threshold. We're running SA 3.1.7 from Julian's install-Clam-SA package. I just installed that last week and wonder if that might be related. Is anyone else having this problem? I wanted to check here first before taking it to the SA forums. Thanks, Richard Lynch -- -------------- next part -------------- A non-text attachment was scrubbed... Name: rich.vcf Type: text/x-vcard Size: 299 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061021/188a3ed9/rich.vcf From rich at mail.wvnet.edu Sat Oct 21 22:12:27 2006 
From: rich at mail.wvnet.edu (Richard Lynch) Date: Sat Oct 21 22:12:39 2006 Subject: SA missing_subject done incorrectly In-Reply-To: <453A8699.5000507@mail.wvnet.edu> References: <453A8699.5000507@mail.wvnet.edu> Message-ID: <453A8D3B.5040908@mail.wvnet.edu> Richard Lynch wrote: > We're getting a lot of reports of people not getting expected > messages. Checking through the maillog I'm seeing a lot of messages > being flagged by SA with MISSING_SUBJECT. However, further checking > on some of them reveals that they do have a subject. This improper > action results in adding a score of 1.82 to the messages which causes > the message to go over the spam threshold. We're running SA 3.1.7 > from Julian's install-Clam-SA package. I just installed that last > week and wonder if that might be related. Is anyone else having this > problem? I wanted to check here first before taking it to the SA forums. > Thanks, > Richard Lynch > I guess I'll have to answer my own question. I updated my rules_du_jour and there was an update for 70_sare_stocks.cf. For reasons not understood, that corrected the problem. Richard Lynch -- -------------- next part -------------- A non-text attachment was scrubbed... Name: rich.vcf Type: text/x-vcard Size: 299 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061021/27aa5855/rich.vcf From ugob at camo-route.com Sat Oct 21 23:37:23 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Sat Oct 21 23:37:40 2006 Subject: Backups In-Reply-To: <4539F099.7070401@haigmail.com> References: <4539F099.7070401@haigmail.com> Message-ID: <453AA123.4040301@camo-route.com> Lance Haig wrote: > Hi Guys, > > I am setting up a remote rsync backup of my ms box and was juts > wondering if I was backing up the right directories. > > These are the directories > > /etc/ > /var/lib/mysql You should do a mysqldump, then rsync the backup, not rsync the DB files. > /srv/www/ (for a few websites) > > Have I missed any? > > Would I be able to DR this server if I had only these? Should be... > > Thanks for your help. > > Lance > From ugob at camo-route.com Sat Oct 21 23:39:55 2006
From: ugob at camo-route.com (Ugo Bellavance) Date: Sat Oct 21 23:40:10 2006 Subject: Spam Sample :: Need help to get rid these spams In-Reply-To: <191B7317B2FFA24A8C6E6C01F53206A4201754@w2k-srv01.akadnyx.com.br> References: <191B7317B2FFA24A8C6E6C01F53206A4201754@w2k-srv01.akadnyx.com.br> Message-ID: Moacyr Leite da Silva wrote: > How to get rid of these emails? > > We implement GREET_PAUSE, GREYLIST, RBL, SA, MAILSCANNER, etc > > Any clues?! Search on spam images, fuzzyocr, ImageInfo SpamAssassin plugin. Also the SARE_STOCKS rulesets (from rulesdujour). Ugo From glenn.steen at gmail.com Sat Oct 21 23:50:38 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 21 23:57:29 2006 Subject: How does MailScanner docide which spamassassin rules dir to use In-Reply-To: References: Message-ID: <223f97700610211550y43a4980aq14b58b499312da09@mail.gmail.com> On 20/10/06, Anthony Cartmell wrote: > > How did you determine that it was using /usr/share/spamassassin & not > > /var/lib/spamassassin/3.001005/? > > In my case, by comparing the scores given to a spam message by MailScanner > and by spamassassin run manually. The manual spamassassin run gave a much > higher score as it was using more rules. Checking which the extra rules > were lead me to the conclusion that the /var/lib/spamassassin/ > tree wasn't being used by MailScanner. > As good a method as any...:-). What rules differed? Only bayes, or distinct others? Ok, so both you and Kai have installed SA by way of some RPM package you yummed (?)... If so, perhaps one should start wondering if there is a slightly crippled SA rpm floating around... Did you try Jules (excellent and easy) clamav+sa package? Did it help? Cheers (well, in a nice glass of light beer... I'm working all weekend... Sigh) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sun Oct 22 00:03:17 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Oct 22 00:03:21 2006 Subject: Backups In-Reply-To: <453AA123.4040301@camo-route.com> References: <4539F099.7070401@haigmail.com> <453AA123.4040301@camo-route.com> Message-ID: <223f97700610211603v1b646718i7e9d541acd8acc62@mail.gmail.com> On 22/10/06, Ugo Bellavance wrote: > Lance Haig wrote: > > Hi Guys, > > > > I am setting up a remote rsync backup of my ms box and was juts > > wondering if I was backing up the right directories. > > > > These are the directories > > > > /etc/ > > /var/lib/mysql > > You should do a mysqldump, then rsync the backup, not rsync the DB files. > > > /srv/www/ (for a few websites) > > > > Have I missed any? > > > > Would I be able to DR this server if I had only these? > > Should be... > Eh, you might have to keep a copy of the changes done to /usr/lib/MailScanner too (like adding MailWatch.pm etc...:-), and just perhaps the install files:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From admin at thenamegame.com Sun Oct 22 20:03:01 2006 
From: admin at thenamegame.com (Michael S.) Date: Sun Oct 22 19:56:50 2006 Subject: FW: Can't connect to clamd through /var/run/clamav/clamd Message-ID: <200610221856.k9MIukNX002961@bkserver.blacknight.ie> I'm getting the following error when Clam is installed on a FreeBSD server. Oct 22 13:00:02 tx1000 ClamAV-autoupdate[72871]: ClamAV update warning: ERROR: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd I assume this is because clamav is not running in daemon mode. Does clam need to be running in daemon mode on a FreeBSD box? On Unix we don't see this error yet clamav is not running in daemon mode either. So why would this be occurring on FreeBSD? MailScanner does not require clamav to be running in the background or does it on FreeBSD? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061022/2a197146/attachment.html From r.berber at computer.org Sun Oct 22 20:47:58 2006
From: r.berber at computer.org (René Berber) Date: Sun Oct 22 20:48:16 2006 Subject: FW: Can't connect to clamd through /var/run/clamav/clamd In-Reply-To: <200610221856.k9MIukNX002961@bkserver.blacknight.ie> References: <200610221856.k9MIukNX002961@bkserver.blacknight.ie> Message-ID: Michael S. wrote: > I'm getting the follow error when Clam is installed on a Freebsd server. > > Oct 22 13:00:02 tx1000 ClamAV-autoupdate[72871]: ClamAV update warning: > ERROR: Clamd was NOT notified: Can't connect to clamd through > /var/run/clamav/clamd That means /etc/freshclam.conf has the option to notify clamd set. > I assume this is because clamav is not running in daemon mode. Does clam > need to be running in daemon mode on a Freebsd box? Not for MailScanner. > On Unix we don't see > this error yet clamav is not running in daemon mode either. So why would > this be occurring on Freebsd? Different freshclam.conf. > Mailscanner does not require clamav to be > running in the background or does it on Freebsd? No, just edit your freshclam.conf and change the option so you don't get the above message. -- René Berber From doko at cs.tu-berlin.de Sun Oct 22 23:49:25 2006 From: doko at cs.tu-berlin.de (Matthias Klose) Date: Sun Oct 22 23:49:32 2006 Subject: Debian package outdated? In-Reply-To: References: <17655.1438.883294.598086@gargle.gargle.HOWL> Message-ID: <17723.62837.572033.203938@gargle.gargle.HOWL> Stephen Swaney writes: > > > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Matthias Klose > > Sent: Thursday, August 31, 2006 11:52 AM > > To: MailScanner discussion > > Cc: Martin > > Subject: Re: Debian package outdated? > > > > Martin writes: > > > Glenn Steen wrote: > > > > > > > quite a bit, version-wise. Jules has a debian package on his pages, > > > > but i think you need dpkg it... Or can one set that as a separate apt > > > > repository? > > > > > > Since we're talking about versions here, why is the Debian package only > > > at 4.51.5-1 (link on mailscanner site is pointing to Debian unstable)? > > > There are many versions released after this one. > > > > I have a recent package, but I don't know if it still makes sense to > > provide the package in Debian. The recent releases don't ship any > > documentation. Even the manual pages are dropped. Checked on the > > website, which documentation could be included: > > > > - the online documentation doesn't have any copyright statements. > > In this way it's not distributable by Debian. Please point me > > to the copyright(s), if I'm wrong. > > > > - the online html documentation currently isn't really nice to > > distribute, including all the advertising on every page. > > > > - The MailScanner-Manual-Version-1.0.5.pdf (which I currently cannot > > find on the website anymore) has a copyright, which doesn't allow > > distribution of MailScanner as free documentation. > > > > So we are down to a piece of software which Debian can only ship > > without documentation. I'm not sure if that makes sense. MailScanner > > itself may be still free software, but much of that status is lost > > without free documentation. Julien, please correct me if I'm wrong. > > > > Matthias > > I'm in the process of updating all of the basic Documentation. I can > probably put together a copyright free version for distribution with Debian. 
> It would be the basic Configuration and Installation instructions in text > format. Hi Stephen, What is the status of distributable documentation? We already did miss the Ubuntu edgy release, and we are likely to miss the Debian etch release with further delay. Before asking on the mailing list, I did ask Julien and you before, but didn't get any response. At this point I would like to know if there are still efforts being made towards distributable documentation. Even if the answer is negative, please give an answer at all. Thanks, Matthias From TGFurnish at herffjones.com Mon Oct 23 00:52:14 2006 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Mon Oct 23 00:52:19 2006 Subject: slightly OT: how do i know if i've been poisoned? (Bayes) Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC256@inex3.herffjones.hj-int> Thanks very much, Matt. Might not have been a direct answer to my question, but I really appreciate the information nonetheless. > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Matt Kettler > Sent: Friday, October 20, 2006 5:38 PM > To: MailScanner discussion > Subject: Re: slightly OT: how do i know if i've been poisoned? (Bayes) > > Furnish, Trever G wrote: > > tools below you can probably help yourself> > > > And in the data part of the dump I see lots of what seems > to be random > > data. In fact that's all I see in the data dump -- no tokens I'd > > recognize as anything other than random garbage: > > > > 0.978 2 0 1161346932 36dbf22fa5 > > > > > > Is that the way it should look? I expected to see actual words. > > Yes, SA 3.0.0 and higher store 40bits of the SHA1 hash of the > word, not the word itself. This makes the entries themselves > all fixed-size which offers a lot of performance gain. > > It also makes it impossible to decipher the bayes DB into a > human-readable form. > This has some ups and downs. > > One benefit is enhanced security. In the old system if you > had a shared bayes DB, any of the users could read the > database and figure out a lot about your email: > who's been sending mail to your network (H*F tokens) > By looking at body tokens, deduce topics of > conversation. (hint: specialized terminology really stands out) > > > If you really want to see the tokens, in text form, for a > specific message use the following: > > spamassassin -D bayes < message.txt > > And you should get some debug output like this: > > [807] dbg: bayes: token 'I*:what' => 0.99846511627907 [807] > dbg: bayes: token 'I*:future' => 0.996181818181818 > > > > > > Also, one one of the lists (either this one or the mailwatch list) > > someone said that Bayesian filtering was "4 times as > effective" when > > it has more ham than spam to learn from -- but that makes > no sense to > > me, and it's also not something that seems tenable -- I get > about 95% spam. > > What's that about 75% of statistics are made up on the spot? 
> $5 says the person was pulling that fact out of their behind, > or was parroting a statistic that applies to some other tool > that implements bayes in an obscure fashion. > > > Technically, the ideal for SA, or nearly any other bayes, > would be an exact 50/50 mix. That is actually supported by > the math if you think about how bayes works. Ideally you want > "common" words that appear in both spam and nonspam to wind > up with a token spam probability of 0.500. You'll get that, > on average, if you're training the same number of spam and > nonspam messages. Otherwise, your average "common word" token > will be biased to be roughly your training ratio. > > However, SA's use of chi-squared combining makes it really > resistant to wild deviations from that ideal. The impact of > any "near the middle" tokens is heavily drowned out by stronger > ones. One 0.000 will completely negate many 0.950's. > > Unless your training ratio is approaching 99% spam, you > should be fine. And even this will only cause you increased > false positives. It will definitely NOT cause BAYES_00 > problems. That would be an issue if your ratio was > approaching 1% spam. > > > It should also be noted, that technically speaking, SA's > "bayes" isn't really bayesian. In fact, nearly all "bayes" > filters aren't bayesian. Chi-squared combining works better > and runs faster than a real bayes combining. But this term > has generally been applied to any statistical token analysis > system, regardless of how probabilities are calculated and combined. > > Fundamentally there are 3 kinds of common "bayes" out there. > All of which "work best" at 50/50. > > The original Paul Graham method, using naive Bayes combining > The improved method suggested by Robinson using geometric means. > The chi-squared method, also called Fisher's method. > > Most use chi-squared nowadays. It's faster, works better, and > is highly resistant to being biased by poisoning or uneven training.
> > http://www.bgl.nu/bogofilter/naive.html > > Be wary of someone who posts generalities about bayes, they > might be quoting something that applies to a different bayes > methodology. > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From telehouse at googlemail.com Mon Oct 23 01:36:19 2006 From: telehouse at googlemail.com (Colocation Colocation) Date: Mon Oct 23 01:36:22 2006 Subject: Detection rates, throughput testing etc..? Message-ID: <146f41cd0610221736u2cc71ee4kd0613a62cead713a@mail.gmail.com> Hi, Has anyone got any experience with testing for false positives and getting figures on detection rates? What about throughput testing? Testing a machine with a high message load. I want to do testing along these lines myself but i have no idea where to start. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061023/7923f3d4/attachment.html From alex at nkpanama.com Mon Oct 23 03:02:24 2006 From: alex at nkpanama.com (Alex Neuman) Date: Mon Oct 23 03:02:51 2006 Subject: Block outgoing mail w/ bad addressing In-Reply-To: <20061018235509.D1053@defjam.cc.strath.ac.uk> References: <453686B1.8090700@pacific.net> <20061018235509.D1053@defjam.cc.strath.ac.uk> Message-ID: <453C22B0.2060609@nkpanama.com> Jethro R Binks wrote: > What if you really need to mail sbcgobal.com or maildomain.com some day? > Either you can't, or you take this rule away again, in which case your > problem comes back. > I've had to implement this for users who INSIST on spelling things wrong (i.e., hotmial.com). From Arne at pcsupport.no Mon Oct 23 09:07:38 2006 
From: Arne at pcsupport.no (Arne Olav Kjøsnes) Date: Mon Oct 23 09:08:21 2006 Subject: Unsure spam report Message-ID: Hi all! We are experiencing an increase in spam that gets through the spam filter. I was wondering if it is possible to make MailScanner quarantine/stop mail that has a score close to 6 and send out a report that contains something like this: We are unsure if this is spam or not. Please use the link below if it is not spam. Link "sample of the mail below" Then if the customer clicks on the link he will receive the mail. The report and release I know how to do, but I am unsure if I can do the rest with MailScanner. Is it possible to do this with maybe CustomFunctions? Best regards, Arne Olav -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061023/d079f947/attachment.html From mailscanner at mango.zw Mon Oct 23 09:19:28 2006
From: mailscanner at mango.zw (Jim Holland) Date: Mon Oct 23 09:15:09 2006 Subject: DoS lack of logs In-Reply-To: <625385e30610160208u31900ff6y47b27dece4dbb9fe@mail.gmail.com> Message-ID: On Mon, 16 Oct 2006, shuttlebox wrote: > On 10/9/06, Jim Holland wrote: > > I am pretty sure that this is only a problem on older versions of > > MailScanner and that if you update to the current version the problem will > > disappear. Not only does the current version minimise the chances of a > > denial of service problem occurring, but if it does occur it will also > > report more helpfully: > > > > Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871 > > > > so that you know where the problem is. The problem message will then be > > quarantined so that it can be dealt with manually if required and the rest > > of the system will carry on without interference. > > I'm now running 4.56.8 and I don't get the above (crystal clear) log > message, instead I get the old: Virus Scanning: Denial Of Service > attack detected! > > There's no sign of it getting quarantined either, maybe it is but I > can't tell from the logs. Every time I get a DoS attempt I want to > check out the message because it's often legit mail causing it. A > message like this would be helpful: > > Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871. > Message quarantined. > > Then you know what happened to which message. Sorry - I missed your reply earlier. Check your /usr/lib/MailScanner/MailScanner/SweepViruses.pm file. It should have the following code in it: MailScanner::Log::WarnLog("Virus Scanning: Denial Of Service " . "attack is in message %s", $id); I am running MailScanner version 4.56.1 but have not checked out version 4.56.8. The new method of processing will in fact give two reports in the log file AFAIK - first the initial "Virus Scanning: Denial Of Service" when there is a problem with a batch. That will not identify the individual problem message. 
Then MailScanner will process the messages singly, and only if it fails to process one of the messages in the batch will it give the more explicit message. It will then quarantine that problem message so it doesn't delay the rest of the mail. I suspect that in your case when MailScanner reverted to individual message processing there was no further problem, the mail was processed OK, and so there was no need to log anything more in the log file. Under earlier versions the same batch would be processed over and over. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From ajcartmell at fonant.com Mon Oct 23 09:46:18 2006 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Mon Oct 23 09:46:17 2006 Subject: How does MailScanner docide which spamassassin rules dir to use In-Reply-To: <223f97700610211550y43a4980aq14b58b499312da09@mail.gmail.com> References: <223f97700610211550y43a4980aq14b58b499312da09@mail.gmail.com> Message-ID: > As good a method as any...:-). What rules differed? Only bayes, or > distinct others? All rules in /etc/mail/spamassassin were run, no rules in /var/lib/spamassassin/ were. That included all the default spamassassin rules, including the bayes ones. > Ok, so both you and Kai have installed SA by way of some RPM package > you yummed (?)... If so, perhaps one should start wondering if there > is a slightly crippled SA rpm floating around... Did you try Jules > (excellent and easy) clamav+sa package? Nope, since I now have everything working OK using the Fedora Core package of spamassassin, I'm leaving it that way. The only issue was including /var/lib/spamassassin, and "use"ing one spamassassin package for FuzzyOcr. Cheers! Anthony -- www.fonant.com - Quality web sites From shuttlebox at gmail.com Mon Oct 23 09:51:08 2006 
From: shuttlebox at gmail.com (shuttlebox) Date: Mon Oct 23 09:51:11 2006 Subject: DoS lack of logs In-Reply-To: References: <625385e30610160208u31900ff6y47b27dece4dbb9fe@mail.gmail.com> Message-ID: <625385e30610230151l5cf8a7c3v68fc1251e3df0213@mail.gmail.com> On 10/23/06, Jim Holland wrote: > Sorry - I missed your reply earlier. > > Check your /usr/lib/MailScanner/MailScanner/SweepViruses.pm file. It > should have the following code in it: > > MailScanner::Log::WarnLog("Virus Scanning: Denial Of Service " . > "attack is in message %s", $id); > > I am running MailScanner version 4.56.1 but have not checked out version > 4.56.8. > > The new method of processing will in fact give two reports in the log file > AFAIK - first the initial "Virus Scanning: Denial Of Service" when there > is a problem with a batch. That will not identify the individual problem > message. Then MailScanner will process the messages singly, and only if > it fails to process one of the messages in the batch will it give the more > explicit message. It will then quarantine that problem message so it > doesn't delay the rest of the mail. I suspect that in your case when > MailScanner reverted to individual message processing there was no further > problem, the mail was processed OK, and so there was no need to log > anything more in the log file. Under earlier versions the same batch > would be processed over and over. I do indeed have that line in SweepViruses.pm and this weekend I got a message that was quarantined so it's all working properly. Before I upgraded MS I had some problems with DoS attacks and lowered the scan timeout to 120 seconds, I think that might have been too low and caused a DoS message logged and then when scanned individually the message passed. Thanks for clearing that up for me. -- /peter From michele at blacknight.ie Mon Oct 23 10:13:24 2006 
From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Mon Oct 23 10:14:39 2006 Subject: OT : need to find some rack space In-Reply-To: Message-ID: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> Kevin Miller wrote: > Lance Haig wrote: >> Hi >> Sorry for the Off topic >> I have been using a friends rack space for free for my websites and >> MS installation but he has sold his online business so I need to >> move on. >> >> Does anyone know of a reasonably priced collocation company in the UK >> that I could look at? > > Well, if 'twere me, I'd go to http://www.blacknight.ie/ - OK, so it's > not the UK, but it's just a stone's throw away, the Irish make good > beer and music, and Michele Neylon is quite helpful, if his > participation in this list is any indication... Kevin Thanks for your kind words :) Lance - if you need anything we'd be more than happy to find a solution for you Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 Vote Now: http://www.netvisionary.ie/votenom.html From strydom.dave at gmail.com Mon Oct 23 10:47:42 2006 
From: strydom.dave at gmail.com (Dave Strydom) Date: Mon Oct 23 10:47:49 2006 Subject: OT : need to find some rack space In-Reply-To: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> Message-ID: www.rackspace.com the best there is in the world. regards Dave Strydom On 10/23/06, Michele Neylon :: Blacknight wrote: > Kevin Miller wrote: > > Lance Haig wrote: > >> Hi > >> Sorry for the Off topic > >> I have been using a friends rack space for free for my websites and > >> MS installation but he has sold his online business so I need to > >> move on. > >> > >> Does anyone know of a reasonably priced collocation company in the UK > >> that I could look at? > > > > Well, if 'twere me, I'd go to http://www.blacknight.ie/ - OK, so it's > > not the UK, but it's just a stone's throw away, the Irish make good > > beer and music, and Michele Neylon is quite helpful, if his > > participation in this list is any indication... > > Kevin > > Thanks for your kind words :) > > Lance - if you need anything we'd be more than happy to find a solution for > you > > Michele > > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Brand Protection > http://www.blacknight.ie/ > http://blog.blacknight.ie/ > Tel. 1850 927 280 > Intl. +353 (0) 59 9183072 > UK: 0870 163 0607 > Direct Dial: +353 (0)59 9183090 > Fax. +353 (0) 59 9164239 > Vote Now: http://www.netvisionary.ie/votenom.html > From P.G.M.Peters at utwente.nl Mon Oct 23 10:52:04 2006
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Mon Oct 23 10:52:10 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <223f97700610200407g60311306ne4e6aac7ea7283e8@mail.gmail.com> References: <453894B2.1010000@utwente.nl> <64891.194.70.180.170.1161339137.squirrel@www.technologytiger.net> <223f97700610200407g60311306ne4e6aac7ea7283e8@mail.gmail.com> Message-ID: <453C90C4.7090101@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote on 20-10-2006 13:07: > On 20/10/06, Drew Marshall wrote: >> On Fri, October 20, 2006 10:19, Peter Peters wrote: >> > -----BEGIN PGP SIGNED MESSAGE----- >> > Hash: SHA1 >> > >> > hakon@symfoni.no wrote on 18-10-2006 14:16: >> > >> >> There is always Lotus Domino. Not free, but very nice :-) >> > >> > We did an investigation into Exchange, Lotus and Oracle Collaboration >> > Suite. These three were chosen because we had the experience with all >> > three systems in one way or another. >> > >> > OCS came out best. Lotus was second and Exchange came last. We had some >> > errors in the investigation corrected (by Microsoft) and Exchange came >> > in second. >> >> Are you able to give me any more detail/ information regarding your >> investigations? > I too am very interrested in whatever detail you may give. I may have > lost the same (more or less) battle, but that's no reason to give up > the war entirely:-). We are not allowed to publicize the information. It contains data about the contracts we have with Oracle and Microsoft including license fees etc. The investigation was because we needed a new mail (and calendar) system for our students. The reason for choosing Exchange after all was the fact all employees use Exchange/Outlook and integration should be better when the students got Exchange too. 
- -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFPJDDelLo80lrIdIRAl6tAJ9DXFa8DOr6bTNERIuRtP/F8I0wsQCcDDd/ yjc5kJe8UUTHtbNkNx+uDeM= =Cf32 -----END PGP SIGNATURE----- From lhaig at haigmail.com Mon Oct 23 10:53:25 2006 
From: lhaig at haigmail.com (Lance Haig) Date: Mon Oct 23 10:53:20 2006 Subject: OT : need to find some rack space In-Reply-To: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> Message-ID: <453C9115.6020201@haigmail.com> Hi Michele, I will email you off-line Thanks lance Michele Neylon :: Blacknight wrote: > Kevin Miller wrote: > >> Lance Haig wrote: >> >>> Hi >>> Sorry for the Off topic >>> I have been using a friends rack space for free for my websites and >>> MS installation but he has sold his online business so I need to >>> move on. >>> >>> Does anyone know of a reasonably priced collocation company in the UK >>> that I could look at? >>> >> Well, if 'twere me, I'd go to http://www.blacknight.ie/ - OK, so it's >> not the UK, but it's just a stone's throw away, the Irish make good >> beer and music, and Michele Neylon is quite helpful, if his >> participation in this list is any indication... >> > > Kevin > > Thanks for your kind words :) > > Lance - if you need anything we'd be more than happy to find a solution for > you > > Michele > > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Brand Protection > http://www.blacknight.ie/ > http://blog.blacknight.ie/ > Tel. 1850 927 280 > Intl. +353 (0) 59 9183072 > UK: 0870 163 0607 > Direct Dial: +353 (0)59 9183090 > Fax. +353 (0) 59 9164239 > Vote Now: http://www.netvisionary.ie/votenom.html > > From lhaig at haigmail.com Mon Oct 23 10:53:53 2006 
From: lhaig at haigmail.com (Lance Haig) Date: Mon Oct 23 10:53:46 2006 Subject: OT : need to find some rack space In-Reply-To: References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> Message-ID: <453C9131.5020603@haigmail.com> Dave, I will have a look there as well Thanks Lance Dave Strydom wrote: > www.rackspace.com > > the best there is in the world. > > regards > Dave Strydom > > > On 10/23/06, Michele Neylon :: Blacknight wrote: >> Kevin Miller wrote: >> > Lance Haig wrote: >> >> Hi >> >> Sorry for the Off topic >> >> I have been using a friends rack space for free for my websites and >> >> MS installation but he has sold his online business so I need to >> >> move on. >> >> >> >> Does anyone know of a reasonably priced collocation company in the UK >> >> that I could look at? >> > >> > Well, if 'twere me, I'd go to http://www.blacknight.ie/ - OK, so it's >> > not the UK, but it's just a stone's throw away, the Irish make good >> > beer and music, and Michele Neylon is quite helpful, if his >> > participation in this list is any indication... >> >> Kevin >> >> Thanks for your kind words :) >> >> Lance - if you need anything we'd be more than happy to find a >> solution for >> you >> >> Michele >> >> Mr Michele Neylon >> Blacknight Solutions >> Hosting & Colocation, Brand Protection >> http://www.blacknight.ie/ >> http://blog.blacknight.ie/ >> Tel. 1850 927 280 >> Intl. +353 (0) 59 9183072 >> UK: 0870 163 0607 >> Direct Dial: +353 (0)59 9183090 >> Fax. +353 (0) 59 9164239 >> Vote Now: http://www.netvisionary.ie/votenom.html >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> From mailscanner at mango.zw Mon Oct 23 11:07:37 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Mon Oct 23 11:03:03 2006 Subject: OT: New Yahoo behaviour noticed with mailing lists Message-ID: Today I notice that mail from one of our mailing lists is undeliverable to Yahoo. This is a sample sendmail SMTP transaction: >>> MAIL From: SIZE=3376 250 sender ok >>> RCPT To: >>> RCPT To: >>> RCPT To: >>> RCPT To: >>> RCPT To: >>> RCPT To: >>> DATA 250 recipient ok 250 recipient ok 250 recipient ok 250 recipient ok 250 recipient ok 421 Too many recipients >>> QUIT 354 go ahead ... Deferred: 421 Too many recipients ,,,,... Deferred: 421 Too many recipients It is rather curious. Clearly Yahoo is adopting a new policy of not accepting mail to more than 5 recipients at once - fair enough. Then our system should be able to deliver to the first five and queue the message for delivery to the remainder later. However our sendmail 8.13.8 is issuing a QUIT as soon as it sees the "421 Too many recipients" instead of sending the data to the recipients whose addresses have been accepted, in response to the "354 go ahead". As a result of this we have ten undeliverable messages from the list to Yahoo, all with more than five Yahoo recipient addresses in them. I wonder if this is the fault of our sendmail or something unusual being done by Yahoo (eg refusing to accept any data if a message has more than 5 recipients - but the 354 response above would seem to belie that). It is odd that it has not happened in the past. I would have thought that our system should not be issuing the DATA command until it had received the responses to all the RCPT TO commands - it looks like we are trying to slam commands into the recipient system without waiting for a response - but that is the way that sendmail always behaves. Maybe it's time to change to Exim :-) Is anyone else experiencing this problem? Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From drew at technologytiger.net Mon Oct 23 11:16:26 2006 
From: drew at technologytiger.net (Drew Marshall) Date: Mon Oct 23 11:16:44 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <453C90C4.7090101@utwente.nl> References: <453894B2.1010000@utwente.nl> <64891.194.70.180.170.1161339137.squirrel@www.technologytiger.net> <223f97700610200407g60311306ne4e6aac7ea7283e8@mail.gmail.com> <453C90C4.7090101@utwente.nl> Message-ID: <38064.194.70.180.170.1161598586.squirrel@www.technologytiger.net> On Mon, October 23, 2006 10:52, Peter Peters wrote: > We are not allowed to publicize the information. It contains data about > the contracts we have with Oracle and Microsoft including license fees > etc. I quite understand. Thanks for replying > > The investigation was because we needed a new mail (and calendar) system > for our students. The reason for choosing Exchange after all was the > fact all employees use Exchange/Outlook and integration should be better > when the students got Exchange too. That makes sense. I guess it would be different if there was no Exchange environment in place already (Which is where I am coming from). Thanks again Drew From res at ausics.net Mon Oct 23 12:05:13 2006 From: res at ausics.net (Res) Date: Mon Oct 23 12:05:38 2006 Subject: OT : need to find some rack space In-Reply-To: References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> Message-ID: On Mon, 23 Oct 2006, Dave Strydom wrote: > www.rackspace.com so long as u dont want urgent rectification of faults > the best there is in the world. lol countless would disagree -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From admin at thenamegame.com Mon Oct 23 16:15:22 2006 
From: admin at thenamegame.com (Michael S.) Date: Mon Oct 23 16:09:09 2006 Subject: FW: Can't connect to clamd through /var/run/clamav/clamd In-Reply-To: Message-ID: <200610231509.k9NF965s029339@bkserver.blacknight.ie> Thanks. Which option in freshclam.conf needs to be modified? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of René Berber Sent: Sunday, October 22, 2006 3:48 PM To: mailscanner@lists.mailscanner.info Subject: Re: FW: Can't connect to clamd through /var/run/clamav/clamd Michael S. wrote: > I'm getting the following error when Clam is installed on a Freebsd server. > > Oct 22 13:00:02 tx1000 ClamAV-autoupdate[72871]: ClamAV update warning: > ERROR: Clamd was NOT notified: Can't connect to clamd through > /var/run/clamav/clamd That means /etc/freshclam.conf has the option to notify clamd set. > I assume this is because clamav is not running in daemon mode. Does clam > need to be running in daemon mode on a Freebsd box? Not for MailScanner. > On Unix we don't see > this error yet clamav is not running in daemon mode either. So why would > this be occurring on Freebsd? Different freshclam.conf. > Mailscanner does not require clamav to be > running in the background or does it on Freebsd? No, just edit your freshclam.conf and change the option so you don't get the above message. -- René Berber -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From itdept at fractalweb.com Mon Oct 23 16:52:56 2006
From: itdept at fractalweb.com (Chris Yuzik) Date: Mon Oct 23 16:53:14 2006 Subject: Spam Re: need help modifying shell script In-Reply-To: References: <4532B95E.5040105@fractalweb.com> <4532E708.8090302@fractalweb.com> <453301D0.2010703@fractalweb.com> Message-ID: <453CE558.5050805@fractalweb.com> René, I have spent a couple of hours tweaking and changing the MailScanner.rpmnew file to get it to do everything that the existing sendmail does with the hopes that I could get it to start a sendmail process that communicates with saslauth. No luck. I think that perhaps I've been trying to solve this the wrong way. Perhaps all I need to do is to stop sendmail from pulling messages out of the queue and delivering the mail to users' mailboxes. Any idea on how to achieve this? Thanks, Chris From itdept at fractalweb.com Mon Oct 23 16:57:54 2006 From: itdept at fractalweb.com (Chris Yuzik) Date: Mon Oct 23 16:58:24 2006 Subject: modify sendmail so it doesn't get mail out of the queues Message-ID: <453CE682.4080609@fractalweb.com> Hi Everyone, I need to stop the sendmail that my goofy server starts up from pulling messages out of the queue and delivering the mail to users' mailboxes (without letting MailScanner perform its magic) by modifying the script that starts it up. The sendmail that MailScanner.rpmnew starts up cannot seem to communicate with "saslauth" so nobody can authenticate with the smtp server. I've attached my sendmail_app_init file. Any idea on how to achieve this? Thanks, Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: sendmail_app_init.zip Type: application/x-zip-compressed Size: 2074 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061023/83171070/sendmail_app_init.bin From ka at pacific.net Mon Oct 23 17:25:15 2006
From: ka at pacific.net (Ken A) Date: Mon Oct 23 17:23:19 2006 Subject: OT: mcafee no new dats on weekends? Message-ID: <453CECEB.6030505@pacific.net> If you are using Mcafee, can you verify this by taking a look in /usr/local/uvscan/datfiles? I see no weekend release datfiles there. :-( Ken From ssilva at sgvwater.com Mon Oct 23 17:41:33 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 23 17:44:07 2006 Subject: slightly OT: how do i know if i've been poisoned? (Bayes) In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC253@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D0302BAC253@inex3.herffjones.hj-int> Message-ID: Furnish, Trever G spake the following on 10/20/2006 2:00 PM: > Sorry, this is a bit long with some output from sa-learn --dump, but > it's probably just simple questions for someone here... > > Been running with the same Bayes database for a long time, but lately a > lot of uncaught messages that seem as though they ought to be caught > very effectively using Bayesian techniques have me wondering if I have a > problem with my Bayes database. > > To be honest I have quite a few questions related to SA's Bayes stuff > that I should have tracked down answers to sooner. :-( > > The messages that caused me to start looking are those that all end with > "You must to read". I say it seems like they ought to be caught easily Have you thought about just making a custom rule to look for that phrase and add enough score to put it over the threshold without hurting if it fires by itself? Something like : body BODY_CUSTOM_1 /You must to read/i describe BODY_CUSTOM_1 (LOCAL RULE) custom rule 1 score BODY_CUSTOM_1 1.0 Nudge the score enough to hit. If you score at 7 and these come in at 5.5 you could add 1.6 or so. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Mon Oct 23 17:48:35 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Oct 23 17:48:39 2006 Subject: OT: mcafee no new dats on weekends? In-Reply-To: <453CECEB.6030505@pacific.net> References: <453CECEB.6030505@pacific.net> Message-ID: <223f97700610230948k2b1a0514raeb0b17a6f8b9f4c@mail.gmail.com> On 23/10/06, Ken A wrote: > If you are using Mcafee, can you verify this by taking a look in > /usr/local/uvscan/datfiles? > I see no weekend release datfiles there. :-( > > Ken They release every "work day", correct. ISTR that they've sometimes released new DATs on weekends, on rare occasions... But not recently, no. I have a separate homegrown (for some older GSE and EPO stuff) mirror thing going with ftp of their CommonUpdater, and that is where I (STR:-) that... Would have to trawl some rather abominable logs to find out for sure though:-). Might be their sorry excuses for ftp mirrors fooling me though:-):-). Why do you ask? You mean you're not satisfied with that:-D... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jimc at laridian.com Mon Oct 23 17:48:40 2006 From: jimc at laridian.com (Jim Coates) Date: Mon Oct 23 17:50:53 2006 Subject: RCVD_IN_BSP_TRUSTED In-Reply-To: Message-ID: <044001c6f6c3$183240c0$6401a8c0@zorak> Hello all... I've been looking through a good deal of the image spam that is making it past my MailScanner system and was noticing that almost all of them are tripping the "RCVD_IN_BSP_TRUSTED" test. This in turn reverses the spam score significantly and passes the email. Have any of you been having issues with this test? It seems like it is defeating the very purpose that Bonded Sender was intended for. Thanks, Jim Coates From ka at pacific.net Mon Oct 23 18:05:38 2006
From: ka at pacific.net (Ken A) Date: Mon Oct 23 18:03:41 2006 Subject: OT: mcafee no new dats on weekends? In-Reply-To: <223f97700610230948k2b1a0514raeb0b17a6f8b9f4c@mail.gmail.com> References: <453CECEB.6030505@pacific.net> <223f97700610230948k2b1a0514raeb0b17a6f8b9f4c@mail.gmail.com> Message-ID: <453CF662.3010306@pacific.net> Glenn Steen wrote: > On 23/10/06, Ken A wrote: >> If you are using Mcafee, can you verify this by taking a look in >> /usr/local/uvscan/datfiles? >> I see no weekend release datfiles there. :-( >> >> Ken > They release every "work day", correct. ISTR that they've sometimes > released new DATs on weekends, on rare occasions... But not recently, > no. > > I have a separate homegrown (for some older GSE and EPO stuff) mirror > thing going with ftp of their CommonUpdater, and that is where I > (STR:-) that... Would have to trawl some rather abominable logs to > find out for sure though:-). Might be their sorry excuses for ftp > mirrors fooling me though:-):-). > > Why do you ask? You mean you're not satisfied with that:-D... Well, it's a known fact that virus writers only work on weekdays, so I suppose it's not _really_ a problem. ;-\ Thanks. Ken From mikea at mikea.ath.cx Mon Oct 23 18:12:17 2006 
From: mikea at mikea.ath.cx (mikea) Date: Mon Oct 23 18:12:20 2006 Subject: OT: mcafee no new dats on weekends? In-Reply-To: <453CF662.3010306@pacific.net>; from ka@pacific.net on Mon, Oct 23, 2006 at 10:05:38AM -0700 References: <453CECEB.6030505@pacific.net> <223f97700610230948k2b1a0514raeb0b17a6f8b9f4c@mail.gmail.com> <453CF662.3010306@pacific.net> Message-ID: <20061023121216.A44369@mikea.ath.cx> On Mon, Oct 23, 2006 at 10:05:38AM -0700, Ken A wrote: > > > Glenn Steen wrote: > > On 23/10/06, Ken A wrote: > >> If you are using Mcafee, can you verify this by taking a look in > >> /usr/local/uvscan/datfiles? > >> I see no weekend release datfiles there. :-( > >> > >> Ken > > They release every "work day", correct. ISTR that they've sometimes > > released new DATs on weekends, on rare occasions... But not recently, > > no. > > > > I have a separate homegrown (for some older GSE and EPO stuff) mirror > > thing going with ftp of their CommonUpdater, and that is where I > > (STR:-) that... Would have to trawl some rather abominable logs to > > find out for sure though:-). Might be their sorry excuses for ftp > > mirrors fooling me though:-):-). > > > > Why do you ask? You mean you're not satisfied with that:-D... > > Well, it's a known fact that virus writers only work on weekdays, so I > suppose it's not _really_ a problem. ;-\ Yeah. Good thing the malware writers formed a union. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From mkettler at evi-inc.com Mon Oct 23 18:34:00 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 23 18:34:12 2006 Subject: RCVD_IN_BSP_TRUSTED In-Reply-To: <044001c6f6c3$183240c0$6401a8c0@zorak> References: <044001c6f6c3$183240c0$6401a8c0@zorak> Message-ID: <453CFD08.2060804@evi-inc.com> Jim Coates wrote: > Hello all... > > I've been looking through a good deal of the image spam that is making it > past my MailScanner system and was noticing that almost all of them are > tripping the "RCVD_IN_BSP_TRUSTED" test. This is turn reverses the spam > score significantly and passes the email. > > Have any of you been having issues with this test? It seems like it is > defeating the very purpose that Bonded Sender was intended for. No,I don't have any issues with it. At casual glance it sounds like you have a broken trust path.. Have you been having problems with ALL_TRUSTED, and DUL type RBLs too? http://wiki.apache.org/spamassassin/TrustPath > > Thanks, > Jim Coates > From jimc at laridian.com Mon Oct 23 18:52:48 2006 From: jimc at laridian.com (Jim Coates) Date: Mon Oct 23 18:55:10 2006 Subject: RCVD_IN_BSP_TRUSTED In-Reply-To: <453CFD08.2060804@evi-inc.com> Message-ID: <045701c6f6cc$0d8be0f0$6401a8c0@zorak> >-----Original Message----- 
>From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt >>Kettler >Sent: Monday, October 23, 2006 12:34 PM >To: MailScanner discussion >Subject: Re: RCVD_IN_BSP_TRUSTED > > >Jim Coates wrote: >> Hello all... >> >> I've been looking through a good deal of the image spam that is making >> it past my MailScanner system and was noticing that almost all of them >> are tripping the "RCVD_IN_BSP_TRUSTED" test. This is turn reverses >> the spam score significantly and passes the email. >> >> Have any of you been having issues with this test? It seems like it >> is defeating the very purpose that Bonded Sender was intended for. > >No,I don't have any issues with it. > >At casual glance it sounds like you have a broken trust path.. Have you been having problems with ALL_TRUSTED, and DUL type RBLs too? > >http://wiki.apache.org/spamassassin/TrustPath > >> >> Thanks, >> Jim Coates >> Matt, No - I believe the other tests have been working fine. 
Here are a few examples of test results: MailScanner-SpamCheck: not spam, SpamAssassin (score=-3.797, required 5, autolearn=not spam, BAYES_20 -1.95, HTML_10_20 0.25, HTML_IMAGE_RATIO_08 0.03, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.18, RCVD_IN_BSP_TRUSTED -4.30, RCVD_NUMERIC_HELO 1.25, SARE_GIF_ATTACH 0.75) MailScanner-SpamCheck: not spam, SpamAssassin (score=4.084, required 5, BAYES_00 -2.60, HTML_10_20 0.25, HTML_IMAGE_ONLY_24 0.50, HTML_IMAGE_RATIO_08 0.03, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.18, RCVD_IN_BL_SPAMCOP_NET 1.22, RCVD_IN_BSP_TRUSTED -4.30, RCVD_IN_NJABL_DUL 0.09, RCVD_IN_SORBS_DUL 1.99, RCVD_IN_XBL 3.08, RCVD_NUMERIC_HELO 1.25, SARE_GIF_ATTACH 0.75, SARE_GIF_STOX 1.66) MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.016, required 5, BAYES_00 -2.60, HTML_10_20 0.25, HTML_IMAGE_ONLY_24 0.50, HTML_IMAGE_RATIO_08 0.03, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.18, RCVD_IN_BL_SPAMCOP_NET 1.22, RCVD_IN_BSP_TRUSTED -4.30, RCVD_IN_XBL 3.08, RCVD_NUMERIC_HELO 1.25, TW_IJ 0.08, TW_IK 0.08, TW_JG 0.08, TW_JK 0.08, TW_JS 0.08) All three of these came from inline image spam. All three managed to get a pretty big boost in the HAM direction because of the BSP_TRUSTED rule. Jim From mkettler at evi-inc.com Mon Oct 23 19:18:22 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 23 19:18:34 2006 Subject: RCVD_IN_BSP_TRUSTED In-Reply-To: <045701c6f6cc$0d8be0f0$6401a8c0@zorak> References: <045701c6f6cc$0d8be0f0$6401a8c0@zorak> Message-ID: <453D076E.90708@evi-inc.com> Jim Coates wrote: > > > Matt, > > No - I believe the other tests have been working fine. Here are a few > examples of test results: Yeah, but those do not tell me if the other tests are working correctly. > All three of these came from inline image spam. All three managed to get a > pretty big boast in the HAM direction because of the BSP_TRUSTED rule. You have two options: 1) Feed the message manually to spamassassin -t on the command line. This will tell you in the body-text report which IP matched BSP trusted. It should be the IP that delivered the message to your MX. If it's not, your trust path is broken. 2) Find out which IP is delivering the message to your network. That should be the one checked against BSP_TRUSTED. Reverse the IP, and do a manual lookup against sa-trusted.bondedsender.org. ie: to look up 66.135.209.212, an e-bay MX which is BSP listed: # dig 212.209.135.66.sa-trusted.bondedsender.org ;; ANSWER SECTION: 212.209.135.66.sa-trusted.bondedsender.org. 0 IN A 127.0.0.10 If it's not listed, your trust path is broken. You can try the other IPs to see which one SA is testing against. My guess is it's going out one-hop too far and trusting a forged header. From martinh at solidstatelogic.com Mon Oct 23 19:58:11 2006 
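The manual check described above (find the relay that handed the message to your trusted hosts, reverse its octets, query the zone), as an added Python example that is not part of the thread. It uses a simplified trust walk rather than SpamAssassin's own algorithm, and the Received headers, host names and networks are constructed; only the zone name and the 66.135.209.212 lookup come from the message.

```python
import ipaddress
import re

# Constructed Received headers, newest first (documentation IP ranges only).
# Scenario: mail is fetched locally from an ISP relay, as fetchmail would do.
SAMPLE_RECEIVED = [
    "from localhost (localhost [127.0.0.1]) by mail.example.net with ESMTP",
    "from mx-front.isp.example (mx-front.isp.example [198.51.100.10]) "
    "by backup-mx.isp.example with ESMTP",
    "from unknown (unknown [203.0.113.77]) by mx-front.isp.example with SMTP",
    # Oldest header: written by the sending side, so nothing vouches for it.
    "from bonded.example (bonded.example [192.0.2.25]) by unknown with SMTP",
]

# Matches "from <helo> (<rdns> [<ip>])" and captures the connecting IP.
FROM_IP = re.compile(r"^from\s+\S+\s+\([^\[\]]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def relay_ips(received_headers):
    """Return the connecting-client IP recorded in each header, newest first."""
    ips = []
    for header in received_headers:
        match = FROM_IP.match(header.strip())
        if not match:
            break  # unparseable header: nothing older can be relied on
        try:
            ips.append(ipaddress.IPv4Address(match.group(1)))
        except ValueError:
            break  # e.g. an octet above 255
    return ips


def boundary_relay(received_headers, trusted_networks):
    """Return the first relay IP outside trusted_networks, or None.

    Simplified model: a header is believable only while every newer hop was
    a trusted host, so the first untrusted IP is the one that delivered the
    message into the trusted path and the one a DNS list should be asked about.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips(received_headers):
        if not any(ip in net for net in nets):
            return ip
    return None


def dnsbl_query_name(ip, zone="sa-trusted.bondedsender.org"):
    """Build the reversed-octet name to look up, e.g. with dig."""
    octets = str(ipaddress.IPv4Address(str(ip))).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    configs = {
        "correct (loopback + ISP relays)": ["127.0.0.0/8", "198.51.100.0/24"],
        "too narrow (loopback only)": ["127.0.0.0/8"],
        # One hop too far: the sender's own network is treated as trusted,
        # so the IP taken from the unverifiable oldest header gets checked.
        "too broad (one hop too far)": [
            "127.0.0.0/8", "198.51.100.0/24", "203.0.113.0/24",
        ],
    }
    for label, trusted in configs.items():
        ip = boundary_relay(SAMPLE_RECEIVED, trusted)
        print(f"{label}: check {ip} -> dig {dnsbl_query_name(ip)}")
```

Comparing the name this produces with the IP shown in the `spamassassin -t` report tells you whether the rule fired on the relay that really delivered the message or on an address taken from an older header.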
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Oct 23 19:58:26 2006 Subject: OT : need to find some rack space In-Reply-To: References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> Message-ID: <453D10C3.50603@solidstatelogic.com> Dave Strydom wrote: > www.rackspace.com > > the best there is in the world. > > regards > Dave Strydom > > > On 10/23/06, Michele Neylon :: Blacknight wrote: >> Kevin Miller wrote: >> > Lance Haig wrote: >> >> Hi >> >> Sorry for the Off topic >> >> I have been using a friends rack space for free for my websites and >> >> MS installation but he has sold his online business so I need to >> >> move on. >> >> >> >> Does anyone know of a reasonably priced collocation company in the UK >> >> that I could look at? >> > >> > Well, if 'twere me, I'd go to http://www.blacknight.ie/ - OK, so it's >> > not the UK, but it's just a stone's throw away, the Irish make good >> > beer and music, and Michele Neylon is quite helpful, if his >> > participation in this list is any indication... >> >> Kevin >> >> Thanks for your kind words :) >> >> Lance - if you need anything we'd be more than happy to find a >> solution for >> you >> >> Michele >> >> Mr Michele Neylon >> Blacknight Solutions >> Hosting & Colocation, Brand Protection >> http://www.blacknight.ie/ >> http://blog.blacknight.ie/ >> Tel. 1850 927 280 >> Intl. +353 (0) 59 9183072 >> UK: 0870 163 0607 >> Direct Dial: +353 (0)59 9183090 >> Fax. +353 (0) 59 9164239 >> Vote Now: http://www.netvisionary.ie/votenom.html >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> Yes, but expensive..... ANother vote for blacknight.ie (and yes I use Rackspace, along with the afore MS-Exch this was a mgmt decision...) 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From jrudd at ucsc.edu Mon Oct 23 20:27:37 2006 
From: jrudd at ucsc.edu (John Rudd) Date: Mon Oct 23 20:28:08 2006 Subject: slightly OT: how do i know if i've been poisoned? (Bayes) In-Reply-To: References: <57573D714A832C43B9D80EAFBDA48D0302BAC253@inex3.herffjones.hj-int> Message-ID: <453D17A9.3050404@ucsc.edu> Scott Silva wrote: > Furnish, Trever G spake the following on 10/20/2006 2:00 PM: >> Sorry, this is a bit long with some output from sa-learn --dump, but >> it's probably just simple questions for someone here... >> >> Been running with the same Bayes database for a long time, but lately a >> lot of uncaught messages that seem as though they ought to be caught >> very effectively using Bayesian techniques have me wondering if I have a >> problem with my Bayes database. >> >> To be honest I have quite a few questions related to SA's Bayes stuff >> that I should have tracked down answers to sooner. :-( >> >> The messages that caused me to start looking are those that all end with >> "You must to read". I say it seems like they ought to be caught easily > > Have you thought about just making a custom rule to look for that phrase and > add enough score to put it over the threshold without hurting if it fires by > itself? > Something like : > > body BODY_CUSTOM_1 /You must to read/i > describe BODY_CUSTOM_1 (LOCAL RULE) custom rule 1 > score BODY_CUSTOM_1 1.0 > Nudge the score enough to hit. If you score at 7 and these come in at 5.5 you > could add 1.6 or so. > So far, every one of these that I've received at work, had an end-customer relay type hostname for the relay. I'm working on a set of SA rules working against the untrusted relay pseudo-header, which looks like it would have caught every one of them. From TGFurnish at herffjones.com Mon Oct 23 21:55:56 2006 
From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Mon Oct 23 21:56:00 2006 Subject: slightly OT: how do i know if i've been poisoned? (Bayes) Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC269@inex3.herffjones.hj-int> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Scott Silva > Sent: Monday, October 23, 2006 12:42 PM > Subject: Re: slightly OT: how do i know if i've been poisoned? (Bayes) > > > The messages that caused me to start looking are those that all end > > with "You must to read". I say it seems like they ought to > be caught > > easily > > Have you thought about just making a custom rule to look for > that phrase and add enough score to put it over the threshold > without hurting if it fires by itself? > Something like : > > body BODY_CUSTOM_1 /You must to read/i > describe BODY_CUSTOM_1 (LOCAL RULE) custom rule 1 > score BODY_CUSTOM_1 1.0 > Nudge the score enough to hit. If you score at 7 and these > come in at 5.5 you could add 1.6 or so. Actually, I ended up doing just that (except I scored it a 10 :-) ). Just noticed John Rudd's comment about the "untrusted relay pseudo-header" too -- I'll have a look, time-permitting, and see if that triggered on all of mine as well. > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! How timely. Over the weekend I had an unusual problem where the bayes database was causing spamassassin to time out almost every time, which had the result of causing all mail to be delivered. Problem started Friday night, I didn't notice till Sunday night, and in the meantime 2500 mailboxes went without protection. Suffice to say, people noticed very quickly this morning that they'd had no spam filtering over the weekend. :-/ I wiped the bayes db and started over by learning on archived spam and ham, and suddenly my catch rate has improved drastically, along with performance. Hmmm...wonder if I can code up a nagios check based on the rate of spam detection and trigger an alert if the message flow is over X messages per minute while the spam percentage is under Y.
My system only handles inbound mail and that's usually 95% spam... That'll go on my to-do list. From jimc at laridian.com Mon Oct 23 21:58:18 2006 From: jimc at laridian.com (Jim Coates) Date: Mon Oct 23 22:00:42 2006 Subject: RCVD_IN_BSP_TRUSTED In-Reply-To: <453D076E.90708@evi-inc.com> Message-ID: <047701c6f6e5$f7d1e6f0$6401a8c0@zorak> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt > Kettler > Sent: Monday, October 23, 2006 1:18 PM > To: MailScanner discussion > Subject: Re: RCVD_IN_BSP_TRUSTED > > > Jim Coates wrote: > >> >> >> Matt, >> >> No - I believe the other tests have been working fine. Here are a few >> examples of test results: > > Yeah, but those do not tell me if the other tests are working correctly. > > >> All three of these came from inline image spam. All three managed to >> get a pretty big boast in the HAM direction because of the BSP_TRUSTED >> rule. > > You have two options: > > 1) Feed the message manually to spamassassin -t on the command line. This will tell you in the body-text report which IP > matched BSP trusted. > > It should be the IP that delivered the message to your MX. If it's not, your trust path is broken. > > > > 2) Find out which IP is delivering the message to your network. That should be the one checked against BSP_TRUSTED. > > Reverse the IP, and do a manual lookup against sa-trusted.bondedsender.org. > > ie: to look up 66.135.209.212, an e-bay MX which is BSP listed: > > # dig 212.209.135.66.sa-trusted.bondedsender.org > > > > ;; ANSWER SECTION: > 212.209.135.66.sa-trusted.bondedsender.org. 0 IN A 127.0.0.10 > > > If it's not listed, your trust path is broken. You can try the other IPs to see which one SA is testing against. My > guess is it's going out one-hop too far and trusting a forged header. Matt, I tried running the IPs from the email header (every one I could find) through the sa-trusted.bondedsender.org test and none of them triggered it using "dig". What is interesting is that I tried our own mail server IP (which I know is listed with Bonded Sender) and it didn't trigger it either. 
However, in my searching, I found a few things: 1) We are allowing SpamAssassin to "guess" the trusted path (rather than specifying it) and 2) All of the emails I looked at were actually retrieved from a common mail server at our ISP via fetchmail to our private mail server. IE - all of those were delivered to a backup mail server, then fetched via fetchmail to our primary box. I don't know if this is part of what's confusing the rule or not. I did some searching on some forums that claim the best use of the RCVD_IN_BSP_TRUSTED rule is to score it at 0 to keep it from doing anything. Regards, Jim Coates From TGFurnish at herffjones.com Mon Oct 23 22:11:37 2006 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Mon Oct 23 22:11:43 2006 Subject: modify sendmail so it doesn't get mail out of the queues Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC26A@inex3.herffjones.hj-int> Well, the MailScanner rpm package init script supplies this option to the "inbound" sendmail to keep it from running the queue: -ODeliveryMode=queueonly But that doesn't help unless you can also figure out how to use different queue directories for your inbound and outbound queues (by outbound I mean only "leaving the system", ie the queue where MS moves messages after it's scanned them). Looks like you've already done that though with "mqueue.scanned". Mind if I ask what distribution this is? I'm 100% RHEL these days, and this doesn't look familiar, though you have a mention of RHEL in the comments. > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Chris Yuzik
> Sent: Monday, October 23, 2006 11:58 AM
> To: MailScanner discussion
> Subject: modify sendmail so it doesn't get mail out of the queues
>
> Hi Everyone,
>
> I need to stop the sendmail that my goofy server starts up
> from pulling messages out of the queue and delivering the
> mail to user's mailboxes (without letting MailScanner perform
> its magic) by modifying the script that starts it up. The
> sendmail that MailScanner.rpmnew starts up cannot seem to
> communicate with "saslauth" so nobody can authenticate with
> the smtp server.
>
> I've attached my sendmail_app_init file. Any idea on how to
> achieve this?
>
> Thanks,
> Chris
>

From r.berber at computer.org Mon Oct 23 22:19:13 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Oct 23 22:19:36 2006
Subject: FW: Can't connect to clamd through /var/run/clamav/clamd
In-Reply-To: <200610231509.k9NF965s029339@bkserver.blacknight.ie>
References: <200610231509.k9NF965s029339@bkserver.blacknight.ie>
Message-ID:

Michael S. wrote:

> Thanks. Which option in freshclam.conf needs to be modified.

You have:

# Send the RELOAD command to clamd.
# Default: disabled
NotifyClamd

Just comment the third line.

--
René Berber

From r.berber at computer.org Mon Oct 23 22:38:16 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Oct 23 22:38:47 2006
Subject: Spam Re: need help modifying shell script
In-Reply-To: <453CE558.5050805@fractalweb.com>
References: <4532B95E.5040105@fractalweb.com> <4532E708.8090302@fractalweb.com> <453301D0.2010703@fractalweb.com> <453CE558.5050805@fractalweb.com>
Message-ID:

Chris Yuzik wrote:

> René,
>
> I have spent a couple of hours tweaking and changing the
> MailScanner.rpmnew file to get it to do everything that the existing
> sendmail does with the hopes that I could get it to start a sendmail
> process that communicates with saslauth. No luck.

One thing to consider, the MailScanner.rpmnew was created because there was already one startup file, perhaps the installation created other .rpmnew files for other configuration or startup files and all of them have to be activated for this thing to work... I'm thinking that saslauthd has some pending changes, perhaps sendmail's configuration also.

> I think that perhaps I've been trying to solve this the wrong way.
> Perhaps all I need to do is to stop sendmail from pulling messages out
> of the queue and delivering the mail to user's mailboxes. Any idea on
> how to achieve this?

I don't quite understand what you mean... what does deliver have to do with authentication? (i.e. you can change how the delivery is done but that will not change your inability to send mail if saslauthd is not validating your password).

--
René Berber

From glenn.steen at gmail.com Mon Oct 23 22:39:18 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Oct 23 22:39:21 2006
Subject: RCVD_IN_BSP_TRUSTED
In-Reply-To: <047701c6f6e5$f7d1e6f0$6401a8c0@zorak>
References: <453D076E.90708@evi-inc.com> <047701c6f6e5$f7d1e6f0$6401a8c0@zorak>
Message-ID: <223f97700610231439k4faad948p949037e132384959@mail.gmail.com>

On 23/10/06, Jim Coates wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler
> > Sent: Monday, October 23, 2006 1:18 PM
> > To: MailScanner discussion
> > Subject: Re: RCVD_IN_BSP_TRUSTED
> >
> > Jim Coates wrote:
> >
> >> Matt,
> >>
> >> No - I believe the other tests have been working fine. Here are a few
> >> examples of test results:
> >
> > Yeah, but those do not tell me if the other tests are working correctly.
> >
> >> All three of these came from inline image spam. All three managed to
> >> get a pretty big boost in the HAM direction because of the BSP_TRUSTED
> >> rule.
> >
> > You have two options:
> >
> > 1) Feed the message manually to spamassassin -t on the command line. This will tell you in the body-text report which IP matched BSP trusted.
> >
> > It should be the IP that delivered the message to your MX. If it's not, your trust path is broken.
> >
> > 2) Find out which IP is delivering the message to your network. That should be the one checked against BSP_TRUSTED.
> >
> > Reverse the IP, and do a manual lookup against sa-trusted.bondedsender.org.
> >
> > ie: to look up 66.135.209.212, an e-bay MX which is BSP listed:
> >
> > # dig 212.209.135.66.sa-trusted.bondedsender.org
> >
> > ;; ANSWER SECTION:
> > 212.209.135.66.sa-trusted.bondedsender.org. 0 IN A 127.0.0.10
> >
> > If it's not listed, your trust path is broken. You can try the other IPs to see which one SA is testing against. My guess is it's going out one-hop too far and trusting a forged header.
>
> Matt,
>
> I tried running the IPs from the email header (every one I could find)
> through the sa-trusted.bondedsender.org test and none of them triggered it
> using "dig". What is interesting is that I tried our own mail server IP
> (which I know is listed with Bonded Sender) and it didn't trigger it either.

Ok....
>
> However, in my searching, I found a few things:
>
> 1) We are allowing SpamAssassin to "guess" the trusted path (rather than
> specifying it)

Right, so things sent "by you" would definitely trigger it then, regardless (well, no.. but:-) if it gets the trust_path right or not.

> and
>
> 2) All of the emails I looked at were actually retrieved from a common mail
> server at our ISP via fetchmail to our private mail server. IE - all of
> those were delivered to a backup mail server, then fetched via fetchmail to
> our primary box.

And fetchmail (in its blessedly naive way:-):-) will retransmit every mail from that "backup MX" as a locally submitted mail. Presto, there you have it.

> I don't know if this is part of what's confusing the rule or not.

I'd hazard that it does;).

> I did some searching on some forums that claim the best use of the
> RCVD_IN_BSP_TRUSTED rule is to score it at 0 to keep it from doing anything.

Well, you could do that, or perhaps augment it a bit (with a test specific to trigger for those fetchmailed backup-MX thingies).

Or you could set up a real backup that would do real MS testing too, and forgo passing it through your "primary". Or something similar.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jimc at laridian.com Mon Oct 23 22:50:59 2006
From: jimc at laridian.com (Jim Coates)
Date: Mon Oct 23 22:53:09 2006
Subject: RCVD_IN_BSP_TRUSTED
In-Reply-To: <223f97700610231439k4faad948p949037e132384959@mail.gmail.com>
Message-ID: <048901c6f6ed$53c9e460$6401a8c0@zorak>

>On 23/10/06, Jim Coates wrote:
>> > -----Original Message-----
>> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler
>> > Sent: Monday, October 23, 2006 1:18 PM
>> > To: MailScanner discussion
>> > Subject: Re: RCVD_IN_BSP_TRUSTED
>> >
>> > Jim Coates wrote:
>> >
>> >> Matt,
>> >>
>> >> No - I believe the other tests have been working fine. Here are a
>> >> few examples of test results:
>> >
>> > Yeah, but those do not tell me if the other tests are working
>> > correctly.
>> >
>> >> All three of these came from inline image spam. All three managed
>> >> to get a pretty big boost in the HAM direction because of the
>> >> BSP_TRUSTED rule.
>> >
>> > You have two options:
>> >
>> > 1) Feed the message manually to spamassassin -t on the command line. This will tell you in the body-text report which IP matched BSP trusted.
>> >
>> > It should be the IP that delivered the message to your MX. If it's not, your trust path is broken.
>> >
>> > 2) Find out which IP is delivering the message to your network. That should be the one checked against BSP_TRUSTED.
>> >
>> > Reverse the IP, and do a manual lookup against sa-trusted.bondedsender.org.
>> >
>> > ie: to look up 66.135.209.212, an e-bay MX which is BSP listed:
>> >
>> > # dig 212.209.135.66.sa-trusted.bondedsender.org
>> >
>> > ;; ANSWER SECTION:
>> > 212.209.135.66.sa-trusted.bondedsender.org. 0 IN A 127.0.0.10
>> >
>> > If it's not listed, your trust path is broken. You can try the other IPs to see which one SA is testing against. My guess is it's going out one-hop too far and trusting a forged header.
>>
>> Matt,
>>
>> I tried running the IPs from the email header (every one I could find)
>> through the sa-trusted.bondedsender.org test and none of them triggered it
>> using "dig". What is interesting is that I tried our own mail server IP
>> (which I know is listed with Bonded Sender) and it didn't trigger it
>> either.
>
>Ok....
>
>>
>> However, in my searching, I found a few things:
>>
>> 1) We are allowing SpamAssassin to "guess" the trusted path (rather
>> than specifying it)
>Right, so things sent "by you" would definitely trigger it then, regardless (well, no.. but:-) if it gets the trust_path right or not.
>
>> and
>>
>> 2) All of the emails I looked at were actually retrieved from a
>> common mail server at our ISP via fetchmail to our private mail
>> server. IE - all of those were delivered to a backup mail server,
>> then fetched via fetchmail to our primary box.
>And fetchmail (in its blessedly naive way:-):-) will retransmit every mail from that "backup MX" as a locally submitted
>mail. Presto, there you have it.
>
>> I don't know if this is part of what's confusing the rule or not.
>I'd hazard that it does;).
>
>> I did some searching on some forums that claim the best use of the
>> RCVD_IN_BSP_TRUSTED rule is to score it at 0 to keep it from doing
>> anything.
>>Well, you could do that, or perhaps augment it a bit (with a test specific to trigger for those fetchmailed backup-MX thingies).
>
>Or you could set up a real backup that would do real MS testing too, and forgo passing it through your "primary". Or something similar.
>
>--
>-- Glenn
>email: glenn < dot > steen < at > gmail < dot > com
>work: glenn < dot > steen < at > ap1 < dot > se

Yes, the backup mail server is one that is shared among various domains hosted at the rack space where our servers are located, so I really don't have the choice of modifying them.

I guess I will take a look at modifying the rules since it seems that everything is working properly, and see what happens.

Thanks!
Jim

From mkettler at evi-inc.com Mon Oct 23 23:04:33 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Oct 23 23:05:03 2006
Subject: RCVD_IN_BSP_TRUSTED
In-Reply-To: <047701c6f6e5$f7d1e6f0$6401a8c0@zorak>
References: <047701c6f6e5$f7d1e6f0$6401a8c0@zorak>
Message-ID: <453D3C71.4070709@evi-inc.com>

Jim Coates wrote:
> Matt,
>
> I tried running the IPs from the email header (every one I could find)
> through the sa-trusted.bondedsender.org test and none of them triggered it
> using "dig". What is interesting is that I tried our own mail server IP
> (which I know is listed with Bonded Sender) and it didn't trigger it either.
>
> However, in my searching, I found a few things:
>
> 1) We are allowing SpamAssassin to "guess" the trusted path (rather than
> specifying it)
>

In general, I would suggest not using the trust path guesser unless all your mail comes to your network through a mailserver with a public IP address. (literally has an interface with a public IP, not static-nat mapped to one.)

> and
>
> 2) All of the emails I looked at were actually retrieved from a common mail
> server at our ISP via fetchmail to our private mail server. IE - all of
> those were delivered to a backup mail server, then fetched via fetchmail to
> our primary box.
>
> I don't know if this is part of what's confusing the rule or not.

No, it would not confuse the rule, but it could be confusing the trust path-guesser or the Received: parser.

By default, if SA sees private IPs in the Received: headers, it will assume all the hosts with private IPs, plus the first host in a "by" clause with public IP is a part of your network.

In this case, that shouldn't be too bad. SA will assume your ISP's server is yours, but it shouldn't break much to do that unless you think your ISP might start forging Received: headers. The IP SA should be checking against BSP should be the host delivering mail to the host you fetched from.

That said, it's highly strange the rule would fire if none of the IPs in the headers is listed upon manual search. (unless one of the IPs was listed, and got dropped after they got hacked and abused.)

Do any of the IPs look like they "belong" (ie: aren't part of some random home-user IP block, and might belong to some large legitimate company?)

>
> I did some searching on some forums that claim the best use of the
> RCVD_IN_BSP_TRUSTED rule is to score it at 0 to keep it from doing anything.

If you search the forums and web you'll find plenty of folks making the knee-jerk suggestion of zeroing out the score of almost any misbehaving rule. Don't trust them. There's a lot of folks out there jumping to hack-fix problems without understanding them, and advising everyone else to do the same. 9 times out of 10 their suggestions are a bad idea because they're covering up a bigger problem.

As far as the rule itself goes, I never have it match anyone that isn't listed in BSP. That said, there's not many folks listed in BSP, so zeroing the rule won't have a huge impact. I'd still suggest keeping it non-zero so you can monitor the problem, but make it like -0.001.

For me the sites that do match it are legitimate commercial mass-mailers: ebay, foolsubs.com (Motley fool investment newsletter), hallmark.com, classmates.com, ediets.com make up the bulk of my matches.

What version of SA are you running?

From TGFurnish at herffjones.com Mon Oct 23 23:06:08 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Oct 23 23:06:24 2006
Subject: RCVD_IN_BSP_TRUSTED
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC26F@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Jim Coates
> Sent: Monday, October 23, 2006 5:51 PM
> To: 'MailScanner discussion'
> Subject: RE: RCVD_IN_BSP_TRUSTED
>
>
> >On 23/10/06, Jim Coates wrote:
> >> > -----Original Message-----
> >> > From: mailscanner-bounces@lists.mailscanner.info
> >> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Matt Kettler
> >> > Sent: Monday, October 23, 2006 1:18 PM
> >> > To: MailScanner discussion
> >> > Subject: Re: RCVD_IN_BSP_TRUSTED
> >> >
> >> > Jim Coates wrote:
> >> 2) All of the emails I looked at were actually retrieved from a
> >> common mail server at our ISP via fetchmail to our private mail
> >> server. IE - all of those were delivered to a backup mail server,
> >> then fetched via fetchmail to our primary box.
> >
> >And fetchmail (in its blessedly naive way:-):-) will retransmit
> >every mail from that "backup MX" as a locally submitted mail.
> >Presto, there you have it.
>
> Yes, the backup mail server is one that is shared among
> various domains hosted at the rack space where our servers
> are located, so I really don't have the choice of modifying them.
>
> I guess I will take a look at modifying the rules since it
> seems that everything is working properly, and see what happens.
>
> Thanks!
> Jim

Forgive me if this isn't helpful -- not completely sure I understand why you're using fetchmail.

If your intent in using fetchmail is simply to have all connections from the public go to the ISP mail server, then you don't need to use fetchmail for that. Just use iptables (or whatever the appropriate firewall is in your case) to reject connections on your final mx from everything except the ISP mx server, and have the ISP server deliver your mail to you "normally" (ie immediately, via smtp initiated by their side) instead of whatever you're doing with fetchmail.

Of course, if your reason for using fetchmail is more esoteric than that, this doesn't help you one bit and I apologize for chiming in. :-)

--
Trever

From mkettler at evi-inc.com Mon Oct 23 23:17:40 2006
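
[Added example, not part of any list message and not SpamAssassin's own code: a simplified model of the trust-path walk and the reversed-IP lookup name discussed in the RCVD_IN_BSP_TRUSTED thread above. The Received headers are constructed, the addresses come from documentation ranges, the hostnames are hypothetical, and the trusted-network lists are assumptions.]

```python
import email
import ipaddress
import re

ZONE = "sa-trusted.bondedsender.org"  # zone named in the thread
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a message pulled from a backup MX with fetchmail.
# Newest Received header first. All names and addresses are made up.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.org with ESMTP; Mon, 23 Oct 2006 12:00:03 -0500
Received: from backupmx.isp.example (backupmx.isp.example [198.51.100.10])
\tby localhost with POP3 (fetchmail); Mon, 23 Oct 2006 12:00:02 -0500
Received: from sender.example.net (sender.example.net [203.0.113.45])
\tby backupmx.isp.example with ESMTP; Mon, 23 Oct 2006 11:58:40 -0500
Received: from bulk.example.com (bulk.example.com [192.0.2.77])
\tby sender.example.net with SMTP; Mon, 23 Oct 2006 11:58:10 -0500
From: someone@example.net
Subject: constructed test message

body
"""


def relay_ips(raw_message):
    """Connecting IP recorded in each Received header, newest first.

    A header without a usable bracketed IPv4 address yields None."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        # Only the "from" clause names the connecting host.
        from_clause = re.split(r"\sby\s", header, maxsplit=1)[0]
        match = IP_IN_BRACKETS.search(from_clause)
        try:
            ips.append(ipaddress.IPv4Address(match.group(1)) if match else None)
        except ipaddress.AddressValueError:
            ips.append(None)
    return ips


def first_untrusted(ips, trusted_networks):
    """Walk relays from our own server outward and return the first one
    outside the trusted networks. Headers below that point were written
    by hosts we do not control, so nothing further down is believed."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in ips:
        if ip is None:          # unparsable hop: stop, do not guess
            return None
        if not any(ip in net for net in nets):
            return str(ip)
    return None


def dnswl_query_name(ip, zone=ZONE):
    """Reverse the octets and append the zone, as in the dig example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def name_to_check(raw_message, trusted_networks):
    ip = first_untrusted(relay_ips(raw_message), trusted_networks)
    return dnswl_query_name(ip) if ip else None


if __name__ == "__main__":
    scenarios = {
        "loopback only (backup MX not trusted)": ["127.0.0.0/8"],
        "loopback + backup MX": ["127.0.0.0/8", "198.51.100.10/32"],
        "trust one hop too far": ["127.0.0.0/8", "198.51.100.10/32",
                                  "203.0.113.0/24"],
    }
    for label, trusted in scenarios.items():
        print(f"{label}: {name_to_check(SAMPLE, trusted)}")
```

With only loopback trusted, the name looked up belongs to the backup MX itself; with the backup MX added, it is the host that delivered to it; with one network too many, it comes from a header the sending side wrote and could have forged.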
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Oct 23 23:17:56 2006
Subject: RCVD_IN_BSP_TRUSTED
In-Reply-To: <047701c6f6e5$f7d1e6f0$6401a8c0@zorak>
References: <047701c6f6e5$f7d1e6f0$6401a8c0@zorak>
Message-ID: <453D3F84.4080106@evi-inc.com>

Jim Coates wrote:
>
> Matt,
>
> I tried running the IPs from the email header (every one I could find)
> through the sa-trusted.bondedsender.org test and none of them triggered it
> using "dig". What is interesting is that I tried our own mail server IP
> (which I know is listed with Bonded Sender) and it didn't trigger it either.

Jim,

Are you by chance using a version of SA 3.0.x?

You should read this bug: The 3.0.x series DNS resolver can get confused.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3997

From jimc at laridian.com Mon Oct 23 23:23:50 2006
From: jimc at laridian.com (Jim Coates)
Date: Mon Oct 23 23:26:01 2006
Subject: RCVD_IN_BSP_TRUSTED
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC26F@inex3.herffjones.hj-int>
Message-ID: <048a01c6f6f1$eafe1870$6401a8c0@zorak>

> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> > Of Jim Coates
> > Sent: Monday, October 23, 2006 5:51 PM
> > To: 'MailScanner discussion'
> > Subject: RE: RCVD_IN_BSP_TRUSTED
> >
> >
> > >On 23/10/06, Jim Coates wrote:
> > >> > -----Original Message-----
> > >> > From: mailscanner-bounces@lists.mailscanner.info
> > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of Matt Kettler
> > >> > Sent: Monday, October 23, 2006 1:18 PM
> > >> > To: MailScanner discussion
> > >> > Subject: Re: RCVD_IN_BSP_TRUSTED
> > >> >
> > >> > Jim Coates wrote:
> > >> 2) All of the emails I looked at were actually retrieved from a
> > >> common mail server at our ISP via fetchmail to our private mail
> > >> server. IE - all of those were delivered to a backup mail server,
> > >> then fetched via fetchmail to our primary box.
> > >
> > >And fetchmail (in its blessedly naive way:-):-) will retransmit
> > >every mail from that "backup MX" as a locally submitted mail. Presto,
> > >there you have it.
> >
> > Yes, the backup mail server is one that is shared among
> > various domains hosted at the rack space where our servers
> > are located, so I really don't have the choice of modifying them.
> >
> > I guess I will take a look at modifying the rules since it
> > seems that everything is working properly, and see what happens.
> >
> > Thanks!
> > Jim
>
> Forgive me if this isn't helpful -- not completely sure I understand why you're using fetchmail.
>
> If your intent in using fetchmail is simply to have all connections from the public go to the ISP mail server, then you don't need to use fetchmail for that. Just use iptables (or whatever the appropriate firewall is in your case) to reject connections on your final mx from everything except the ISP mx server, and have the ISP server deliver your mail to you "normally" (ie immediately, via smtp initiated by their side) instead of whatever you're doing with fetchmail.
>
> Of course, if your reason for using fetchmail is more esoteric than that, this doesn't help you one bit and I apologize for chiming in. :-)
>
> --
> Trever

Trever - I'm using fetchmail because the people who run the backup mx server told me that was the only way they allow me to grab mail from it.

Matt - My primary MX box does indeed have a public IP address. I am using an older version of SpamAssassin, which as you just indicated in another email might be the problem. I am on SpamAssassin version 3.0.2. I will check out the DNS resolver issue and perhaps upgrade.

Is it any big deal to upgrade SpamAssassin when it is working with MailScanner?

Thanks,
Jim

From jrudd at ucsc.edu Tue Oct 24 00:27:03 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Tue Oct 24 00:27:50 2006
Subject: slightly OT: how do i know if i've been poisoned? (Bayes)
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC269@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC269@inex3.herffjones.hj-int>
Message-ID: <453D4FC7.6010802@ucsc.edu>

Furnish, Trever G wrote:
>
> Actually, I ended up doing just that (except I scored it a 10 :-) ).
> Just noticed John Rudd's comment about the "untrusted relay
> pseudo-header" too -- I'll have a look, time-permitting, and see if that
> triggered on all of mine as well.
>

here's the rules I've been working on, if you want to try them:

http://people.ucsc.edu/~jrudd/spamassassin/jr_rfc1912.cf

From afb at paradise.net.nz Tue Oct 24 00:37:59 2006
From: afb at paradise.net.nz (Adam Bogacki)
Date: Tue Oct 24 00:41:41 2006
Subject: MailScanner config probs ..
Message-ID: <20061023233759.GB4039@paradise.net.nz>

Hi,

I recently set up MailScanner and am pleased to see it constantly popping up in TOP, showing me it is active.

A few details remain to be resolved, however.

/var/spool/MailScanner was empty so I created dir's archive, incoming, and quarantine ..

Tux:/var/spool/MailScanner# ls
archive incoming quarantine

However syslog tells me it cannot read lines 153 and 157 in 'incoming' and 'quarantine' ..

Also, there are problems creating a SpamAssassin cache database, and ownership problems with /var/spool/exim4_incoming/input

My user name on the system is 'adam'.

I like what I see with MailScanner and would like to tune it properly.

Latest syslog output follows.

Oct 24 12:11:11 tux MailScanner[18662]: Could not read directory /var/spool/MailScanner/incoming
Oct 24 12:11:11 tux MailScanner[18662]: Error in configuration file line 153, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)
Oct 24 12:11:11 tux MailScanner[18662]: Could not read directory /var/spool/MailScanner/quarantine
Oct 24 12:11:11 tux MailScanner[18662]: Error in configuration file line 157, directory /var/spool/MailScanner/quarantine for quarantinedir does not exist (or is not readable)
Oct 24 12:11:11 tux MailScanner[18662]: Read 710 hostnames from the phishing whitelist
Oct 24 12:11:12 tux MailScanner[18662]: Using SpamAssassin results cache
Oct 24 12:11:12 tux MailScanner[18662]: Could not create SpamAssassin cache database /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Oct 24 12:11:12 tux MailScanner[18662]: Enabling SpamAssassin auto-whitelist functionality...
Oct 24 12:11:16 tux MailScanner[18657]: /var/spool/exim4_incoming/input is not owned by user 102 !
Oct 24 12:11:21 tux Debian-exim: Process did not exit cleanly, returned 255 with signal 0
Oct 24 12:11:21 tux MailScanner[18670]: MailScanner E-Mail Virus Scanner version 4.51.5 starting...
Oct 24 12:11:22 tux MailScanner[18670]: Could not read directory /var/spool/MailScanner/incoming
Oct 24 12:11:22 tux MailScanner[18670]: Error in configuration file line 153, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)
47865,1

Cheers,
Bot

--
Adam Bogacki,
---------------------------------------------------------------------
email: afb(at)paradise.net.nz
VoIP: sip:agike(at)ekiga.net [Zfone]
Key: 0x4E553910 - DABB 4963 8973 7CCD 33C0 DC27 D7C5 F516 4E55 3910
---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061024/82e52588/attachment-0001.bin

From mrm at medicine.wisc.edu Tue Oct 24 01:48:42 2006
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Tue Oct 24 01:49:17 2006
Subject: OT: Spamhaus petition rejected - followup from previous discussion
Message-ID: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu>

http://management.silicon.com/government/0,39024677,39163463,00.htm

I'm certainly no lawyer, but how could there even be a hint of a case for something like this? I'm not aware of any email systems that force anyone to use Spamhaus, or any spam deterrent software for that matter. I C H O O S E to run MailScanner, SpamAssassin, etc... and if I decide to trust that software to detect spam for me, then it's MY responsibility if something goes wrong, and in this case it sounds like the e360 insight domain is a true spammer anyways, so what grounds could they possibly be trying to stand on?

Mike

From pete at enitech.com.au Tue Oct 24 02:16:33 2006
From: pete at enitech.com.au (Peter Russell)
Date: Tue Oct 24 02:16:45 2006
Subject: OT: MS Exchange Alternatives
In-Reply-To: <38064.194.70.180.170.1161598586.squirrel@www.technologytiger.net>
References: <453894B2.1010000@utwente.nl> <64891.194.70.180.170.1161339137.squirrel@www.technologytiger.net> <223f97700610200407g60311306ne4e6aac7ea7283e8@mail.gmail.com> <453C90C4.7090101@utwente.nl> <38064.194.70.180.170.1161598586.squirrel@www.technologytiger.net>
Message-ID: <453D6971.8030505@enitech.com.au>

Scalix licensing is nice. Can have 25 full featured MS Outlook clients in the community license. I have used this with Outlook and it is VERY powerful. Users would assume they connected to Exchange.

Best webmail client ever made is Zimbra, but make you pay for Outlook connections.

openxchange is not worth the effort compared to the above 2

Drew Marshall wrote:
> On Mon, October 23, 2006 10:52, Peter Peters wrote:
>> We are not allowed to publicize the information. It contains data about
>> the contracts we have with Oracle and Microsoft including license fees
>> etc.
>
> I quite understand. Thanks for replying
>
>> The investigation was because we needed a new mail (and calendar) system
>> for our students. The reason for choosing Exchange after all was the
>> fact all employees use Exchange/Outlook and integration should be better
>> when the students got Exchange too.
>
> That makes sense. I guess it would be different if there was no Exchange
> environment in place already (Which is where I am coming from).
>
> Thanks again
>
> Drew
>

From arturs at netvision.net.il Tue Oct 24 02:34:21 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Tue Oct 24 02:36:32 2006
Subject: Mailscanner --debug problem
Message-ID: <002b01c6f70c$8819fab0$3701a8c0@lapxp>

Howdy,

This is MS-4.55.7-1 and SA-3.1.7 on CentOS-4.4

When I run 'mailscanner --debug' it gets stuck on 'dbg: bayes: untie-ing db_seen' forever. The size of the bayes.seen is less than 400K, if it matters.

Also, when I run 'mailscanner --lint' it warns about non-existent rules:

---
Connected to SpamAssassin cache database
config: warning: score set for non-existent rule RCVD_IN_XBL
config: warning: score set for non-existent rule RCVD_IN_NJABL_SPAM
config: warning: score set for non-existent rule RCVD_IN_SORBS_HTTP
config: warning: score set for non-existent rule __RCVD_IN_SORBS
config: warning: score set for non-existent rule RCVD_IN_SBL
config: warning: score set for non-existent rule BAYES_20
config: warning: score set for non-existent rule BAYES_00
config: warning: score set for non-existent rule __RCVD_IN_SBL_XBL
config: warning: score set for non-existent rule RCVD_IN_SORBS_ZOMBIE
config: warning: score set for non-existent rule RCVD_IN_BSP_TRUSTED
config: warning: score set for non-existent rule BAYES_05
config: warning: score set for non-existent rule RCVD_IN_SORBS_WEB
config: warning: score set for non-existent rule DNS_FROM_RFC_WHOIS
config: warning: score set for non-existent rule __RCVD_IN_NJABL
config: warning: score set for non-existent rule DNS_FROM_RFC_DSN
config: warning: score set for non-existent rule RCVD_IN_NJABL_RELAY
config: warning: score set for non-existent rule RCVD_IN_SORBS_MISC
config: warning: score set for non-existent rule RCVD_IN_BL_SPAMCOP_NET
config: warning: score set for non-existent rule DNS_FROM_RFC_BOGUSMX
config: warning: score set for non-existent rule RCVD_IN_MAPS_RSS
config: warning: score set for non-existent rule RCVD_IN_SORBS_SMTP
config: warning: score set for non-existent rule RCVD_IN_SORBS_BLOCK
config: warning: score set for non-existent rule RCVD_IN_MAPS_DUL
config: warning: score set for non-existent rule BAYES_60
config: warning: score set for non-existent rule RCVD_IN_MAPS_RBL
config: warning: score set for non-existent rule RCVD_IN_SORBS_SOCKS
config: warning: score set for non-existent rule __RFC_IGNORANT_ENVFROM
config: warning: score set for non-existent rule BAYES_40
config: warning: score set for non-existent rule RCVD_IN_SORBS_DUL
config: warning: score set for non-existent rule RCVD_IN_NJABL_MULTI
config: warning: score set for non-existent rule DNS_FROM_RFC_POST
config: warning: score set for non-existent rule RCVD_IN_DSBL
config: warning: score set for non-existent rule BAYES_99
config: warning: score set for non-existent rule DNS_FROM_AHBL_RHSBL
config: warning: score set for non-existent rule RCVD_IN_NJABL_CGI
config: warning: score set for non-existent rule RCVD_IN_BSP_OTHER
config: warning: score set for non-existent rule DNS_FROM_RFC_ABUSE
config: warning: score set for non-existent rule BAYES_80
config: warning: score set for non-existent rule RCVD_IN_MAPS_NML
config: warning: score set for non-existent rule RCVD_IN_NJABL_DUL
config: warning: score set for non-existent rule BAYES_95
config: warning: score set for non-existent rule RCVD_IN_NJABL_PROXY
---

Has anyone met this before? What was the cure?

Thanks!

Best,
--
Arthur Sherman
+972-52-4878851
CPTeam

From smlists at shaw.ca Tue Oct 24 04:12:07 2006
From: smlists at shaw.ca (Steve Mason (maillist))
Date: Tue Oct 24 04:13:53 2006
Subject: OT: MS Exchange Alternatives
In-Reply-To: <453D6971.8030505@enitech.com.au>
References: <453894B2.1010000@utwente.nl> <64891.194.70.180.170.1161339137.squirrel@www.technologytiger.net> <223f97700610200407g60311306ne4e6aac7ea7283e8@mail.gmail.com> <453C90C4.7090101@utwente.nl> <38064.194.70.180.170.1161598586.squirrel@www.technologytiger.net> <453D6971.8030505@enitech.com.au>
Message-ID: <453D8487.1010108@shaw.ca>

I haven't really looked for a couple of years, but I've gotten quite used to Exchange, it's not so bad :)

At my main job we have Exchange 2003, and I don't have many complaints about it. Other than the lack of support for adding disclaimers to outbound messages the way 5.5 did (I know, they're lame, but the PHBs want one

A couple of years ago a non-profit client of mine (I volunteer my services) wanted to go Outlook on the desktop, and wanted a cheap server that would do mail and calendaring. I seem to recall that Openexchange was the only thing close, and it wasn't going to be any cheaper.

Recently they found a supplier of discounted software for non-profits, and it turned into a no-brainer, Server and the required CALs were dirt cheap. I haven't implemented it yet, we're still planning the wrestling the domain away from the outsourced mail provider etc. I plan to have a Centos/Postfix/Mailscanner box in front of it of course, and I'm sure they can budget in the book ;)

From pete at enitech.com.au Tue Oct 24 05:28:00 2006
From: pete at enitech.com.au (Peter Russell)
Date: Tue Oct 24 05:28:08 2006
Subject: RCVD_IN_BSP_TRUSTED
In-Reply-To: <048a01c6f6f1$eafe1870$6401a8c0@zorak>
References: <048a01c6f6f1$eafe1870$6401a8c0@zorak>
Message-ID: <453D9650.3020303@enitech.com.au>

>
> Is it any big deal to upgrade SpamAssassin when it is working with
> MailScanner?
>
> Thanks,
> Jim
>

www.mailscanner.info download and install the clamav and sa package that Jules maintains at the current release. Installs everything you need to upgrade/install SA.

From res at ausics.net Tue Oct 24 06:24:37 2006
From: res at ausics.net (Res)
Date: Tue Oct 24 06:25:05 2006
Subject: OT: Spamhaus petition rejected - followup from previous discussion
In-Reply-To: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu>
References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu>
Message-ID:

On Mon, 23 Oct 2006, Michael Masse wrote:

> http://management.silicon.com/government/0,39024677,39163463,00.htm

typical yanks, why is it they think the rest of the world is subject to their courts jurisdiction. one day they'll wake up and smell the coffee, they are not earths governing body despite what they think :)

> I'm certainly no lawyer, but how could there even be a hint of a case
> for something like this?

In Australia, and I'm sure in other countries, SH have the law BEHIND them, not awarding low life scummy trash privacy invaders damages.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From strydom.dave at gmail.com Tue Oct 24 07:42:24 2006
From: strydom.dave at gmail.com (Dave Strydom) Date: Tue Oct 24 07:42:27 2006 Subject: OT : need to find some rack space In-Reply-To: References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> Message-ID: You serious? I've always found them to have the most awesome support levels i've ever seen, and not many providers can brag about a 100% uptime. Dave On 10/23/06, Res wrote: > On Mon, 23 Oct 2006, Dave Strydom wrote: > > > www.rackspace.com > so long as u dont want urgent rectification of faults > > > the best there is in the world. > lol countless would disagree > > -- > Cheers > Res > > "Just a world that we all must share, it's not enough just to stand and > stare, is it only a dream that there'll be no more turning away" - Floyd From jrudd at ucsc.edu Tue Oct 24 12:49:20 2006
From: jrudd at ucsc.edu (John Rudd) Date: Tue Oct 24 12:50:32 2006 Subject: slightly OT: how do i know if i've been poisoned? (Bayes) In-Reply-To: <453D4FC7.6010802@ucsc.edu> References: <57573D714A832C43B9D80EAFBDA48D0302BAC269@inex3.herffjones.hj-int> <453D4FC7.6010802@ucsc.edu> Message-ID: <453DFDC0.3020500@ucsc.edu> John Rudd wrote: > > here's the rules I've been working on, if you want to try them: > > > http://people.ucsc.edu/~jrudd/spamassassin/jr_rfc1912.cf > I had to make an update: The rule for the hostname having keywords for end clients was case sensitive (forgot the /i at the end), and I added one more keyword: dip From lists at kush-t.co.uk Tue Oct 24 12:54:47 2006
From: lists at kush-t.co.uk (Pete Smith) Date: Tue Oct 24 12:55:16 2006 Subject: problem starting MailScanner: dual perl config on raq4 In-Reply-To: <20061023233759.GB4039@paradise.net.nz> References: <20061023233759.GB4039@paradise.net.nz> Message-ID: <20061024115447.M98594@kush-t.co.uk> Hi all I have a problem starting MailScanner on a raq4. The raq has all updates installed. I've gone down the route of installing perl5.8 in /usr/local/bin as the original perl is still required in /usr/bin (raq admin interface breaks if perl is updated). I carefully followed the instructions at http://www.qitc.net/support/mailscanner/ but when I get to starting MailScanner, it pukes with the following output: MailScanner: Can't locate Time/HiRes.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.00503/i386- linux /usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386- linux /usr/lib/perl5/site_perl/5.005 . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 65. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. This looks like more of a perl issue than a MailScanner one. However, seeing as this list is likely populated by people who have had this issue before, I thought I'd ask here. Anyone care to poke me gently in the right direction? BTW, I've RTFM and STFW but can't find any answer that doesn't say "why are you using a raq" or "use centos" or somesuch. TIA Pete Smith From telehouse at googlemail.com Tue Oct 24 12:55:26 2006
From: telehouse at googlemail.com (Colocation Colocation) Date: Tue Oct 24 12:55:30 2006 Subject: OT : need to find some rack space In-Reply-To: References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> Message-ID: <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com> Rackspace are super-awesome, however they do not provide colocation, just managed dedicated servers. I have a couple of servers with them and i have not had a problem in two years, not one! On 24/10/06, Dave Strydom wrote: > > You serious? > > I've always found them to have the most awesome support levels i've > ever seen, and not many providers can brag about a 100% uptime. > > Dave > > On 10/23/06, Res wrote: > > On Mon, 23 Oct 2006, Dave Strydom wrote: > > > > > www.rackspace.com > > so long as u dont want urgent rectification of faults > > > > > the best there is in the world. > > lol countless would disagree > > > > -- > > Cheers > > Res > > > > "Just a world that we all must share, it's not enough just to stand and > > stare, is it only a dream that there'll be no more turning away" - Floyd From strydom.dave at gmail.com Tue Oct 24 13:13:15 2006
From: strydom.dave at gmail.com (Dave Strydom) Date: Tue Oct 24 13:13:19 2006 Subject: OT : need to find some rack space In-Reply-To: <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com> References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com> Message-ID: Oh I thought they also did colocation stuff as well. I also have a few Gentoo dedicated servers with Lunarpages, they pretty awesome! Dave On 10/24/06, Colocation Colocation wrote: > Rackspace are super-awesome, however they do not provide colocation, just > managed dedicated servers. > > I have a couple of servers with them and i have not had a problem in two > years, not one! > > > On 24/10/06, Dave Strydom < strydom.dave@gmail.com> wrote: > > You serious? > > > > I've always found them to have the most awesome support levels i've > > ever seen, and not many providers can brag about a 100% uptime. > > > > Dave > > > > On 10/23/06, Res wrote: > > > On Mon, 23 Oct 2006, Dave Strydom wrote: > > > > > > > www.rackspace.com > > > so long as u dont want urgent rectification of faults > > > > > > > the best there is in the world. > > > lol countless would disagree > > > > > > -- > > > Cheers > > > Res > > > > > > "Just a world that we all must share, it's not enough just to stand and > > > stare, is it only a dream that there'll be no more turning away" - Floyd From P.G.M.Peters at utwente.nl Tue Oct 24 13:24:46 2006
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Tue Oct 24 13:24:52 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: <453D8487.1010108@shaw.ca> References: <453894B2.1010000@utwente.nl> <64891.194.70.180.170.1161339137.squirrel@www.technologytiger.net> <223f97700610200407g60311306ne4e6aac7ea7283e8@mail.gmail.com> <453C90C4.7090101@utwente.nl> <38064.194.70.180.170.1161598586.squirrel@www.technologytiger.net> <453D6971.8030505@enitech.com.au> <453D8487.1010108@shaw.ca> Message-ID: <453E060E.1010505@utwente.nl> Steve Mason (maillist) wrote on 24-10-2006 5:12: > I haven't really looked for a couple of years, but I've gotten quite > used to Exchange, it's not so bad :) At my main job we have Exchange > 2003, and I don't have many complaints about it. We have had some outstanding issues with Microsoft with this. First of all Exchange/Outlook seems to discard all X-MailScanner-* (and perhaps others) headers when a message is forwarded as an attachment. This has happened a few times but probably in some freak situation with MIME-headers, RTF etc combined. The other was the fact Exchange changes the body of NDR's in such a way the user can't trust the information he gets. Students were used to get the correct information about which server did not accept the message and why. Exchange changes that information (leaving out the server that gives the error). -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe From P.G.M.Peters at utwente.nl Tue Oct 24 14:36:46 2006
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Tue Oct 24 14:36:51 2006 Subject: MS using FF phishing detection Message-ID: <453E16EE.3020009@utwente.nl> Hi, Could it be possible to have MS use the same source for (an extra) phishing detection as FF does? Update it like phishing.safe.sites.conf. -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe From Richard.Frovarp at sendit.nodak.edu Tue Oct 24 15:22:04 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Tue Oct 24 15:22:08 2006 Subject: OT: Spamhaus petition rejected - followup from previous discussion In-Reply-To: References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <453E218C.1050908@sendit.nodak.edu> Res wrote: > On Mon, 23 Oct 2006, Michael Masse wrote: > >> http://management.silicon.com/government/0,39024677,39163463,00.htm > > typical yanks, why is it they think the rest of the world is subject > to their courts jurisdiction. one day they'll wake up and smell the > coffee, they are not earths governing body despite what they think :) Because Spamhaus said so! They told the state court they have no jurisdiction. They asked for the case to be moved to the federal court. Then they decided that the federal court didn't have jurisdiction, and didn't show up. If you don't show up for your case, you lose. I think that is pretty standard around the world. Read this: http://blogs.securiteam.com/index.php/archives/664 > > >> I'm certainly no lawyer, but how could there even be a hint of a case >> for something like this? > > In Australia, and I'm sure in other countries, SH have the law BEHIND > them, not awarding low life scummy trash privacy invaders damages. > > I would check out Dow Jones & Co. Inc v Gutnick. This case didn't go all the way to judgment, but the High Court of Australia decided unanimously that content on US servers could count as defamation in Australia. Dow Jones eventually settled after failing to get the case dismissed due to jurisdictional issues. It would be interesting to see a similar case go to the US Supreme Court. From Dominique.Marant at univ-lille1.fr Tue Oct 24 16:05:57 2006 
From: Dominique.Marant at univ-lille1.fr (Dominique Marant) Date: Tue Oct 24 16:06:46 2006 Subject: FuzzyOcr Unexpected error in pipe to external programs In-Reply-To: <223f97700610191058l735cb404p2debc2da1556a350@mail.gmail.com> References: <01d701c6f2db$16346550$3701a8c0@lapxp> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> <223f97700610190157s7f0bfb6fua56e6371bfe3510d@mail.gmail.com> <223f97700610190209t2db0c1e5jf37291839bbcd828@mail.gmail.com> <223f97700610191058l735cb404p2debc2da1556a350@mail.gmail.com> Message-ID: <453E2BD5.90806@univ-lille1.fr>
Hello
I installed FuzzyOcr (debian / MailScanner / Spamassassin)
It seems to be running: for example:
... is polluriel, SpamAssassin (not cached, score=19.202, requis 7, autolearn=disabled, FUZZY_OCR 14.00, HTML_10_20 0.94, HTML_IMAGE_ONLY_28 1.01, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_IN_SORBS_DUL 1.99, RCVD_NUMERIC_HELO 1.25)
But in FuzzyOcr.log, I see:
# more FuzzyOcr.log
[2006-10-24 16:36:42] Unexpected error in pipe to external programs. Please check that all helper programs are installed and in the correct path. (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin2537050jAY2tmp")
[2006-10-24 16:37:47] Unexpected error in pipe to external programs. Please check that all helper programs are installed and in the correct path. (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin25926yhpqsstmp")
[2006-10-24 16:41:32] FuzzyOcr received timeout after running "10" seconds.
[2006-10-24 16:42:33] Unexpected error in pipe to external programs. Please check that all helper programs are installed and in the correct path. (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin28372mzT0dZtmp")
...
Could you help me?
Many thanks in advance Dominique From ssilva at sgvwater.com Tue Oct 24 16:36:11 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 16:38:05 2006 Subject: problem starting MailScanner: dual perl config on raq4 In-Reply-To: <20061024115447.M98594@kush-t.co.uk> References: <20061023233759.GB4039@paradise.net.nz> <20061024115447.M98594@kush-t.co.uk> Message-ID: Pete Smith spake the following on 10/24/2006 4:54 AM: > Hi all > > I have a problem starting MailScanner on a raq4. The raq has all updates > installed. > > I've gone down the route of installing perl5.8 in /usr/local/bin as the > original perl is still required in /usr/bin (raq admin interface breaks if > perl is updated). > > I carefully followed the instructions at > http://www.qitc.net/support/mailscanner/ > > but when I get to staring MailScanner, it pukes with the following output: > > MailScanner: Can't locate Time/HiRes.pm in @INC (@INC > contains: /usr/lib/MailScanner /usr/lib/perl5/5.00503/i386- > linux /usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386- > linux /usr/lib/perl5/site_perl/5.005 . /usr/lib/MailScanner) > at /usr/sbin/MailScanner line 65. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. > > This looks like more of a perl issue than a MailScanner one. However, seeing > as this list is likely populated by people who have had this issue before, I > thought I'd ask here. > > Anyone care to poke me gently in the right direction? > > BTW, I've RTFM and STFW but can't find any answer that doesn't say "why are > you using a raq" or "use centos" or somesuch. > > TIA > > Pete Smith There is this howto; http://www.nuonce.net/cobalt-howto/1084139083.html If you are in need of something newer for your raq4, you can try BlueQuartz. It is CentOS with the open sourced raq frontends. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Oct 24 16:42:21 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 16:44:05 2006 Subject: OT: Spamhaus petition rejected - followup from previous discussion In-Reply-To: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> Message-ID: Michael Masse spake the following on 10/23/2006 5:48 PM: > http://management.silicon.com/government/0,39024677,39163463,00.htm > > I'm certainly no lawyer, but how could there even be a hint of a case > for something like this? I'm not aware of any email systems that > force anyone to use Spamhaus, or any spam deterrent software for that > matter. I C H O O S E to run MailScanner, SpamAssassin, etc... and if I > decide to trust that software to detect spam for me, then it's MY > responsibility if something goes wrong, and in this case it sounds like > the e360 insight domain is a true spammer anyways, so what grounds could > they possibly be trying to stand on? > > Mike > In the United States, lawsuits are a strong-arm tactic that forces a company to either pay lawyers and court costs to defend oneself, losing the time and money no matter what the outcome is, or cave in to the entity suing you to avoid court. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From hburbano at novadevices.com Tue Oct 24 17:07:34 2006
From: hburbano at novadevices.com (Henry Burbano) Date: Tue Oct 24 17:05:48 2006 Subject: Problems with huge messages Message-ID: <00a701c6f786$87850d40$170a000a@SENADER.LOCAL>
Hi everybody
I am having problems when I send huge messages (100M), I don't know how to limit the max size to be scanned.
The logs show it
Oct 23 09:02:48 kypus MailScanner[15708]: New Batch: Found 2 messages waiting
Oct 23 09:02:48 kypus MailScanner[15708]: New Batch: Scanning 1 messages, 172369169 bytes
Oct 23 09:02:48 kypus MailScanner[15708]: MCP Checks: Starting
Oct 23 09:02:48 kypus MailScanner[15708]: Spam Checks: Starting
Oct 23 09:02:48 kypus MailScanner[15708]: Message k9NE02sE015712 from 10.0.10.23 (hburbano@novadevices.com) is whitelisted
Oct 23 09:02:49 kypus MailScanner[16213]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
Oct 23 09:02:49 kypus MailScanner[16213]: Read 748 hostnames from the phishing whitelist
Oct 23 09:02:49 kypus MailScanner[16213]: Config: calling custom init function InternalActions
Oct 23 09:02:49 kypus MailScanner[16213]: Initialising Internal account list
Oct 23 09:02:49 kypus MailScanner[16213]: Internal Account List read 0 domains and 0 accounts
Oct 23 09:02:50 kypus MailScanner[16213]: Using SpamAssassin results cache
Oct 23 09:02:50 kypus MailScanner[16213]: Connected to SpamAssassin cache database
Oct 23 09:02:50 kypus MailScanner[16213]: Expired 1 records from the SpamAssassin cache
Oct 23 09:02:50 kypus MailScanner[16213]: Using locktype = flock
Oct 23 09:02:50 kypus MailScanner[16213]: New Batch: Found 2 messages waiting
Oct 23 09:02:50 kypus MailScanner[16213]: New Batch: Scanning 1 messages, 172369169 bytes
Oct 23 09:02:50 kypus MailScanner[16213]: MCP Checks: Starting
Oct 23 09:02:51 kypus MailScanner[16213]: Spam Checks: Starting
And no more mails are processed
The parameters that I have configured are:
Max SpamAssassin Size = 30000
I am using
Thanks in advance
From lists at kush-t.co.uk Tue Oct 24 17:18:56 2006
From: lists at kush-t.co.uk (Pete Smith) Date: Tue Oct 24 17:19:00 2006 Subject: problem starting MailScanner: dual perl config on raq4 In-Reply-To: References: <20061023233759.GB4039@paradise.net.nz> <20061024115447.M98594@kush-t.co.uk> Message-ID: <20061024161856.M63934@kush-t.co.uk> > Pete Smith spake the following on 10/24/2006 4:54 AM: > > Hi all > > > > I have a problem starting MailScanner on a raq4. The raq has all updates > > installed. > > > > I've gone down the route of installing perl5.8 in /usr/local/bin as the > > original perl is still required in /usr/bin (raq admin interface breaks if > > perl is updated). > > > > I carefully followed the instructions at > > http://www.qitc.net/support/mailscanner/ > > > > but when I get to staring MailScanner, it pukes with the following output: > > > > MailScanner: Can't locate Time/HiRes.pm in @INC (@INC > > contains: /usr/lib/MailScanner /usr/lib/perl5/5.00503/i386- > > linux /usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386- > > linux /usr/lib/perl5/site_perl/5.005 . /usr/lib/MailScanner) > > at /usr/sbin/MailScanner line 65. > > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. > > > > This looks like more of a perl issue than a MailScanner one. However, seeing > > as this list is likely populated by people who have had this issue before, I > > thought I'd ask here. > > > > Anyone care to poke me gently in the right direction? > > > > BTW, I've RTFM and STFW but can't find any answer that doesn't say "why are > > you using a raq" or "use centos" or somesuch. > > > > TIA > > > > Pete Smith > There is this howto; > http://www.nuonce.net/cobalt-howto/1084139083.html > > If you are in need of something newer for your raq4, you can try BlueQuartz. > It is CentOS with the open sourced raq frontends. Yup, those are the same as the instructions I followed. I think it's the dual perl install that is the problem. 
As far as I am aware I installed Time::HiRes with perl 5.8, but when I attempt to start MailScanner it pukes with: MailScanner: Can't locate Time/HiRes.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.00503/i386- linux /usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386- linux /usr/lib/perl5/site_perl/5.005 . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 65. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. which makes me think it's trying to use /usr/bin/perl instead of /usr/local/bin/perl How do I install MailScanner so it uses /usr/local/bin/perl ? Pete From hburbano at novadevices.com Tue Oct 24 17:24:05 2006 
From: hburbano at novadevices.com (Henry Burbano) Date: Tue Oct 24 17:22:13 2006 Subject: Problems with huge messages Message-ID: <00c001c6f788$d627bfe0$170a000a@SENADER.LOCAL>
Hi everybody
Sorry the first mail was incomplete
I am having problems when I send huge messages (100 M), I don't know how to limit the max size to be scanned, I guess the problem is the antivir check.
The log files:
Oct 23 09:02:50 kypus MailScanner[16213]: New Batch: Found 2 messages waiting
Oct 23 09:02:50 kypus MailScanner[16213]: New Batch: Scanning 1 messages, 172369169 bytes
Oct 23 09:02:50 kypus MailScanner[16213]: MCP Checks: Starting
Oct 23 09:02:51 kypus MailScanner[16213]: Spam Checks: Starting
Oct 23 09:02:51 kypus MailScanner[16213]: Message k9NE02sE015712 from 10.0.10.23 (hburbano@novadevices.com) is whitelisted
Oct 23 09:03:00 kypus MailScanner[16235]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
Oct 23 09:03:00 kypus MailScanner[16235]: Read 748 hostnames from the phishing whitelist
Oct 23 09:03:00 kypus MailScanner[16235]: Config: calling custom init function InternalActions
Oct 23 09:03:00 kypus MailScanner[16235]: Initialising Internal account list
Oct 23 09:03:00 kypus MailScanner[16235]: Internal Account List read 0 domains and 0 accounts
Oct 23 09:03:01 kypus MailScanner[16235]: Using SpamAssassin results cache
Oct 23 09:03:01 kypus MailScanner[16235]: Connected to SpamAssassin cache database
Oct 23 09:03:01 kypus MailScanner[16235]: Using locktype = flock
Oct 23 09:03:01 kypus MailScanner[16235]: New Batch: Found 2 messages waiting
Oct 23 09:03:01 kypus MailScanner[16235]: New Batch: Scanning 1 messages, 172369169 bytes
Oct 23 09:03:01 kypus MailScanner[16235]: MCP Checks: Starting
Oct 23 09:03:02 kypus MailScanner[16235]: Spam Checks: Starting
Oct 23 09:03:02 kypus MailScanner[16235]: Message k9NE02sE015712 from 10.0.10.23 (hburbano@novadevices.com) is whitelisted
Oct 23 09:03:11 kypus MailScanner[16241]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
Oct 23 09:03:11 kypus MailScanner[16241]: Read 748 hostnames from the phishing whitelist
Oct 23 09:03:11 kypus MailScanner[16241]: Config: calling custom init function InternalActions
Oct 23 09:03:11 kypus MailScanner[16241]: Initialising Internal account list
Oct 23 09:03:11 kypus MailScanner[16241]: Internal Account List read 0 domains and 0 accounts
Oct 23 09:03:12 kypus MailScanner[16241]: Using SpamAssassin results cache
Oct 23 09:03:12 kypus MailScanner[16241]: Connected to SpamAssassin cache database
Oct 23 09:03:12 kypus MailScanner[16241]: Using locktype = flock
Oct 23 09:03:12 kypus MailScanner[16241]: New Batch: Found 2 messages waiting
Oct 23 09:03:12 kypus MailScanner[16241]: New Batch: Scanning 1 messages, 172369169 bytes
Oct 23 09:03:12 kypus MailScanner[16241]: MCP Checks: Starting
Oct 23 09:03:13 kypus MailScanner[16241]: Spam Checks: Starting
Oct 23 09:03:13 kypus MailScanner[16241]: Message k9NE02sE015712 from 10.0.10.23 (hburbano@novadevices.com) is whitelisted
Oct 23 09:03:22 kypus MailScanner[16252]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
Oct 23 09:03:22 kypus MailScanner[16252]: Read 748 hostnames from the phishing whitelist
Oct 23 09:03:22 kypus MailScanner[16252]: Config: calling custom init function InternalActions
Oct 23 09:03:22 kypus MailScanner[16252]: Initialising Internal account list
Oct 23 09:03:22 kypus MailScanner[16252]: Internal Account List read 0 domains and 0 accounts
Oct 23 09:03:23 kypus MailScanner[16252]: Using SpamAssassin results cache
And no more mails are processed
My configuration parameters:
Maximum Message Size = 0
Maximum Attachment Size = -1
Max SpamAssassin Size = 30000
MCP Max SpamAssassin Size = 100000
I am using MailScanner version 4.54.6 ClamAV 0.88.
Thanks in advance
Henry
From alex at nkpanama.com Tue Oct 24 17:25:52 2006
From: alex at nkpanama.com (Alex Neuman) Date: Tue Oct 24 17:26:10 2006 Subject: Problems with huge messages In-Reply-To: <00a701c6f786$87850d40$170a000a@SENADER.LOCAL> References: <00a701c6f786$87850d40$170a000a@SENADER.LOCAL> Message-ID: <453E3E90.6060906@nkpanama.com> SMTP/POP/IMAP is not well suited for messages that size. You should consider alternatives. Your server is just probably taking too long to process the message because messages this large - and/or MailScanner ;) - can cause swapping. Henry Burbano wrote: > Hi everybody > > I am having problems when I send huge messages (100M ), I dont know > how limit the max size to be scanned. > The logs show it > > Oct 23 09:02:48 kypus MailScanner[15708]: New Batch: Found 2 messages > waiting > Oct 23 09:02:48 kypus MailScanner[15708]: New Batch: Scanning 1 > messages, 172369169 bytes > Oct 23 09:02:48 kypus MailScanner[15708]: MCP Checks: Starting > Oct 23 09:02:48 kypus MailScanner[15708]: Spam Checks: Starting > Oct 23 09:02:48 kypus MailScanner[15708]: Message k9NE02sE015712 from > 10.0.10.23 (hburbano@novadevices.com > ) is whitelisted > Oct 23 09:02:49 kypus MailScanner[16213]: MailScanner E-Mail Virus > Scanner version 4.54.6 starting...
> Oct 23 09:02:49 kypus MailScanner[16213]: Read 748 hostnames from the > phishing whitelist > Oct 23 09:02:49 kypus MailScanner[16213]: Config: calling custom init > function InternalActions > Oct 23 09:02:49 kypus MailScanner[16213]: Initialising Internal > account list > Oct 23 09:02:49 kypus MailScanner[16213]: Internal Account List read 0 > domains and 0 accounts > Oct 23 09:02:50 kypus MailScanner[16213]: Using SpamAssassin results > cache > Oct 23 09:02:50 kypus MailScanner[16213]: Connected to SpamAssassin > cache database > Oct 23 09:02:50 kypus MailScanner[16213]: Expired 1 records from the > SpamAssassin cache > Oct 23 09:02:50 kypus MailScanner[16213]: Using locktype = flock > Oct 23 09:02:50 kypus MailScanner[16213]: New Batch: Found 2 messages > waiting > Oct 23 09:02:50 kypus MailScanner[16213]: New Batch: Scanning 1 > messages, 172369169 bytes > Oct 23 09:02:50 kypus MailScanner[16213]: MCP Checks: Starting > Oct 23 09:02:51 kypus MailScanner[16213]: Spam Checks: Starting > > And no more mails are proccessed > > The parameters that I have configured are: > > Max SpamAssassin Size = 30000 > > > I am using > > > > Thanks in advance From edwardbruce at sbcglobal.net Tue Oct 24 17:26:38 2006 
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Tue Oct 24 17:26:40 2006 Subject: OT: Spamhaus petition rejected - followup from previous discussion In-Reply-To: <453E218C.1050908@sendit.nodak.edu> References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> <453E218C.1050908@sendit.nodak.edu> Message-ID: <453E3EBE.50706@sbcglobal.net> Richard Frovarp wrote: > > Because Spamhaus said so! They told the state court they have no > jurisdiction. They asked for the case to be moved to the federal > court. Then they decided that the federal court didn't have > jurisdiction, and didn't show up. If you don't show up for your case, > you lose. I think that is pretty standard around the world. Read this: > > http://blogs.securiteam.com/index.php/archives/664 > > Thanks for providing an intelligent response to the juvenile posts on this subject. From lists at crossharbour.net Tue Oct 24 17:41:09 2006 
From: lists at crossharbour.net (Dan Houghton) Date: Tue Oct 24 17:41:35 2006 Subject: problem starting MailScanner: dual perl config on raq4 In-Reply-To: <20061024161856.M63934@kush-t.co.uk> References: <20061023233759.GB4039@paradise.net.nz> <20061024115447.M98594@kush-t.co.uk> <20061024161856.M63934@kush-t.co.uk> Message-ID: <6.2.5.6.2.20061024173643.038c2010@crossharbour.net> At 17:18 24/10/2006, you wrote: > > Pete Smith spake the following on 10/24/2006 4:54 AM: > > > Hi all > > > > > > I have a problem starting MailScanner on a raq4. The raq has all updates > > > installed. > > > > > > I've gone down the route of installing perl5.8 in /usr/local/bin as the > > > original perl is still required in /usr/bin (raq admin interface breaks >if > > > perl is updated). > > > > > > I carefully followed the instructions at > > > http://www.qitc.net/support/mailscanner/ > > > > > > but when I get to staring MailScanner, it pukes with the following >output: > > > > > > MailScanner: Can't locate Time/HiRes.pm in @INC (@INC > > > contains: /usr/lib/MailScanner /usr/lib/perl5/5.00503/i386- > > > linux /usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386- > > > linux /usr/lib/perl5/site_perl/5.005 . /usr/lib/MailScanner) > > > at /usr/sbin/MailScanner line 65. > > > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. > > > > > > This looks like more of a perl issue than a MailScanner one. However, >seeing > > > as this list is likely populated by people who have had this issue >before, I > > > thought I'd ask here. > > > > > > Anyone care to poke me gently in the right direction? > > > > > > BTW, I've RTFM and STFW but can't find any answer that doesn't say "why >are > > > you using a raq" or "use centos" or somesuch. > > > > > > TIA > > > > > > Pete Smith > > There is this howto; > > http://www.nuonce.net/cobalt-howto/1084139083.html > > > > If you are in need of something newer for your raq4, you can try >BlueQuartz. 
> > It is CentOS with the open sourced raq frontends. > > >Yup, those are the same as the instructions I followed. I think it's the >dual perl install that is the problem. > >As far as I am aware I installed Time::HiRes with perl 5.8, but when I >attempt to start MailScanner it pukes with: > >MailScanner: Can't locate Time/HiRes.pm in @INC (@INC >contains: /usr/lib/MailScanner /usr/lib/perl5/5.00503/i386- >linux /usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386- >linux /usr/lib/perl5/site_perl/5.005 . /usr/lib/MailScanner) >at /usr/sbin/MailScanner line 65. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. > >which makes me think it's trying to use /usr/bin/perl instead >of /usr/local/bin/perl > >How do I install MailScanner so it uses /usr/local/bin/perl ? I have run MailScanner on a raq4 before and I replaced perl with a more recent version by following instructions found at http://www.depopo.net/idx/37/173/article. Replacing perl on a Cobalt box can be tricky since the GUI relies on it for nearly everything so I would only recommend doing this if you have plenty of time and some basic knowledge of where to look for errors etc. Otherwise, consider moving away from using the raq4 OS and go with CentOS on the same hardware (http://www.osoffice.co.uk/strongbolt_server_appliances.html). You are going to have no end of issues even with the newer version of perl (SpamAssassin for example) on the raq4 with the Sun OS. Dan From hburbano at novadevices.com Tue Oct 24 18:09:37 2006 
From: hburbano at novadevices.com (Henry Burbano) Date: Tue Oct 24 18:08:03 2006 Subject: Problems with huge messages References: <00a701c6f786$87850d40$170a000a@SENADER.LOCAL> <453E3E90.6060906@nkpanama.com> Message-ID: <000a01c6f78f$32b67480$170a000a@SENADER.LOCAL>

Yes, that is the reason that I need to stop huge messages. I have set restrictions in sendmail (5 M), but the mail is first processed by MailScanner and then sendmail stops the message, which causes MailScanner to waste a lot of time scanning the message.

I am trying to configure MailScanner to skip scanning huge messages.

----- Original Message -----
From: "Alex Neuman" To: "MailScanner discussion" Sent: Tuesday, October 24, 2006 11:25 AM Subject: Re: Problems with huge messages

> SMTP/POP/IMAP is not well suited for messages that size. You should consider alternatives.
>
> Your server is just probably taking too long to process the message because messages this large - and/or MailScanner ;) - can cause swapping.
>
> Henry Burbano wrote:
> > Hi everybody
> >
> > I am having problems when I send huge messages (100M), I don't know how to limit the max size to be scanned.
> > The logs show it
> >
> > Oct 23 09:02:48 kypus MailScanner[15708]: New Batch: Found 2 messages waiting
> > Oct 23 09:02:48 kypus MailScanner[15708]: New Batch: Scanning 1 messages, 172369169 bytes
> > Oct 23 09:02:48 kypus MailScanner[15708]: MCP Checks: Starting
> > Oct 23 09:02:48 kypus MailScanner[15708]: Spam Checks: Starting
> > Oct 23 09:02:48 kypus MailScanner[15708]: Message k9NE02sE015712 from 10.0.10.23 (hburbano@novadevices.com) is whitelisted
> > Oct 23 09:02:49 kypus MailScanner[16213]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
> > Oct 23 09:02:49 kypus MailScanner[16213]: Read 748 hostnames from the phishing whitelist
> > Oct 23 09:02:49 kypus MailScanner[16213]: Config: calling custom init function InternalActions
> > Oct 23 09:02:49 kypus MailScanner[16213]: Initialising Internal account list
> > Oct 23 09:02:49 kypus MailScanner[16213]: Internal Account List read 0 domains and 0 accounts
> > Oct 23 09:02:50 kypus MailScanner[16213]: Using SpamAssassin results cache
> > Oct 23 09:02:50 kypus MailScanner[16213]: Connected to SpamAssassin cache database
> > Oct 23 09:02:50 kypus MailScanner[16213]: Expired 1 records from the SpamAssassin cache
> > Oct 23 09:02:50 kypus MailScanner[16213]: Using locktype = flock
> > Oct 23 09:02:50 kypus MailScanner[16213]: New Batch: Found 2 messages waiting
> > Oct 23 09:02:50 kypus MailScanner[16213]: New Batch: Scanning 1 messages, 172369169 bytes
> > Oct 23 09:02:50 kypus MailScanner[16213]: MCP Checks: Starting
> > Oct 23 09:02:51 kypus MailScanner[16213]: Spam Checks: Starting
> >
> > And no more mails are processed
> >
> > The parameters that I have configured are:
> >
> > Max SpamAssassin Size = 30000
> >
> > I am using
> >
> > Thanks in advance

From dave.list at pixelhammer.com Tue Oct 24 18:53:20 2006
From: dave.list at pixelhammer.com (DAve) Date: Tue Oct 24 18:53:46 2006 Subject: Dictionary Attacks Message-ID: <453E5310.3050601@pixelhammer.com>

I spoke too soon last week. Starting Friday we came under a heavy old fashioned dictionary attack. Each day from noon until 4pm EDT.

The IPs are so widely scattered it seems it would do no good to track them. Right now milter-grey is consuming over 50% of my CPUs. If it follows the same course as the prior days, about the time the attack on one server starts to ease up it will increase on the next server.

Milter-ahead is dealing with the connections that return. It could turn into a DOS with a few thousand more connections. Funny but there are so many connections for non-existent accounts that my load has fallen nearly to the floor. There is no traffic for MailScanner to operate on, the server is so dang busy telling zombies to go away.

There has to be a better way to make a living than this 8^(

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From martinh at solidstatelogic.com Tue Oct 24 19:25:29 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Oct 24 19:25:40 2006 Subject: Dictionary Attacks In-Reply-To: <453E5310.3050601@pixelhammer.com> References: <453E5310.3050601@pixelhammer.com> Message-ID: <453E5A99.4030400@solidstatelogic.com>

DAve wrote:
> I spoke too soon last week. Starting Friday we came under a heavy old fashioned dictionary attack. Each day from noon until 4pm EDT.
>
> The IPs are so widely scattered it seems it would do no good to track them. Right now milter-grey is consuming over 50% of my CPUs. If it follows the same course as the prior days, about the time the attack on one server starts to ease up it will increase on the next server.
>
> Milter-ahead is dealing with the connections that return. It could turn into a DOS with a few thousand more connections. Funny but there are so many connections for non-existent accounts that my load has fallen nearly to the floor. There is no traffic for MailScanner to operate on, the server is so dang busy telling zombies to go away.
>
> There has to be a better way to make a living than this 8^(
>
> DAve

Dave

if you've paid for milter-ahead shouldn't it merely reject rcpt-to that don't exist????

Or is it the sheer number of connections that are killing you?

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From alex at nkpanama.com Tue Oct 24 19:37:38 2006
From: alex at nkpanama.com (Alex Neuman) Date: Tue Oct 24 19:37:55 2006 Subject: Problems with huge messages In-Reply-To: <000a01c6f78f$32b67480$170a000a@SENADER.LOCAL> References: <00a701c6f786$87850d40$170a000a@SENADER.LOCAL> <453E3E90.6060906@nkpanama.com> <000a01c6f78f$32b67480$170a000a@SENADER.LOCAL> Message-ID: <453E5D72.7020805@nkpanama.com>

Then you have it wrong.

Sendmail processes messages FIRST, then MailScanner, then Sendmail again. You should enable message size restrictions in sendmail, otherwise MailScanner will have to process the message.

Henry Burbano wrote:
> Yes, that is the reason that I need to stop huge messages. I have set restrictions in sendmail (5 M), but the mail is first processed by MailScanner and then sendmail stops the message, which causes MailScanner to waste a lot of time scanning the message.
>
> I am trying to configure MailScanner to skip scanning huge messages.

From alex at nkpanama.com Tue Oct 24 19:41:48 2006
From: alex at nkpanama.com (Alex Neuman) Date: Tue Oct 24 19:42:05 2006 Subject: Dictionary Attacks In-Reply-To: <453E5A99.4030400@solidstatelogic.com> References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> Message-ID: <453E5E6C.2070408@nkpanama.com>

You may want to use iptables (or whatever your firewall uses) to rate-limit incoming connections.

Although you are probably under attack by a spam zombie army, I'm sure some of those connections must be coming from repeated IPs. Set it so that no more than, say, 4 connections in the last 60 seconds can come in to your smtp port from the same ip address. Legit servers will probably not be affected, but spam zombies will have a hard time getting to you.

something like:

iptables -I INPUT 1 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT 2 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
iptables -I INPUT 3 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

for example...

Martin Hepworth wrote:
> DAve wrote:
>> I spoke too soon last week. Starting Friday we came under a heavy old fashioned dictionary attack. Each day from noon until 4pm EDT.
>>
>> The IPs are so widely scattered it seems it would do no good to track them. Right now milter-grey is consuming over 50% of my CPUs. If it follows the same course as the prior days, about the time the attack on one server starts to ease up it will increase on the next server.
>>
>> Milter-ahead is dealing with the connections that return. It could turn into a DOS with a few thousand more connections. Funny but there are so many connections for non-existent accounts that my load has fallen nearly to the floor. There is no traffic for MailScanner to operate on, the server is so dang busy telling zombies to go away.
>>
>> There has to be a better way to make a living than this 8^(
>>
>> DAve
>
> Dave
>
> if you've paid for milter-ahead shouldn't it merely reject rcpt-to that don't exist????
>
> Or is it the sheer number of connections that are killing you?

From hburbano at novadevices.com Tue Oct 24 20:01:47 2006
From: hburbano at novadevices.com (Henry Burbano) Date: Tue Oct 24 20:00:06 2006 Subject: Problems with huge messages References: <00a701c6f786$87850d40$170a000a@SENADER.LOCAL> <453E3E90.6060906@nkpanama.com><000a01c6f78f$32b67480$170a000a@SENADER.LOCAL> <453E5D72.7020805@nkpanama.com> Message-ID: <000801c6f79e$de0f0ea0$170a000a@SENADER.LOCAL>

Sorry, I explained it the wrong way; you are right: first sendmail, then MailScanner and sendmail again, but sendmail stops the messages after MailScanner has processed the message. I have enabled message size restrictions in sendmail. When I work only with sendmail all works fine, the huge messages are stopped and deleted, but when I enable MailScanner, I have problems.

I need your help to configure MailScanner to skip the scanning.

----- Original Message -----
From: "Alex Neuman" To: "MailScanner discussion" Sent: Tuesday, October 24, 2006 1:37 PM Subject: Re: Problems with huge messages

> Then you have it wrong.
>
> Sendmail processes messages FIRST, then MailScanner, then Sendmail again. You should enable message size restrictions in sendmail, otherwise MailScanner will have to process the message.
>
> Henry Burbano wrote:
> > Yes, that is the reason that I need to stop huge messages. I have set restrictions in sendmail (5 M), but the mail is first processed by MailScanner and then sendmail stops the message, which causes MailScanner to waste a lot of time scanning the message.
> >
> > I am trying to configure MailScanner to skip scanning huge messages.

From miguelk at konsultex.com.br Tue Oct 24 20:03:34 2006
From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy) Date: Tue Oct 24 20:06:22 2006 Subject: Inbox fles and possible bug Message-ID: <20061024183715.M93501@konsultex.com.br>

Gentlemen;

On one server I have Fedora Core 4 running with all the yum updates, Mail Scanner 4.50.10-3 and Clam 0.88.4. This server has about 100 email accounts. Last month and again today the same person complained about not being able to download emails using Outlook configured to access pop accounts, but only on one of his accounts (the same one both times). I checked a telnet to port 110 and found that dovecot reports that the file can not be accessed. This file in /var/spool/mail was there so I checked the permissions and size and all was well. I opened it up and noticed that it had a blank line at the top of the file. So on a hunch I made a copy and removed the blank line. After that everything worked again. This was the only mailbox file with a blank line at the top out of a random sampling of mailbox files I looked at.

This is the first mailbox "corruption" I have seen since I started using Linux in 1997, so having 2 cases with the same account in a short period seems like something more than coincidence.

My conclusion is that dovecot is particularly intolerant of the file format but also that something is putting in the blank line. The blank line does not have space characters, just a line break. My prime suspect at the moment for doing this is MailScanner because it works on the emails before final delivery. I think that this user gets some type of email content that causes Mail Scanner to insert the spurious character at the start of the header and that if this happens with the first email received after the mailbox is emptied, the problem happens.

So the questions are if anybody has seen a similar problem and if my theory about a subtle "bug" in MailScanner makes sense?
Miguel

--
Konsultex Informatica (http://www.konsultex.com.br)

--
This message has been checked by the antivirus system and is believed to be free of danger.

From dnsadmin at 1bigthink.com Tue Oct 24 20:06:18 2006
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Tue Oct 24 20:06:31 2006 Subject: Dictionary Attacks In-Reply-To: <453E5E6C.2070408@nkpanama.com> References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> Message-ID: <7.0.1.0.0.20061024150124.08445848@1bigthink.com>

At 02:41 PM 10/24/2006, you wrote:
>You may want to use iptables (or whatever your firewall uses) to rate-limit incoming connections.
>
>Although you are probably under attack by a spam zombie army, I'm sure some of those connections must be coming from repeated IPs. Set it so that no more than, say, 4 connections in the last 60 seconds can come in to your smtp port from the same ip address. Legit servers will probably not be affected, but spam zombies will have a hard time getting to you.
>
>something like:
>
>iptables -I INPUT 1 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>iptables -I INPUT 2 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
>iptables -I INPUT 3 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
>
>for example...
>
>Martin Hepworth wrote:
>>DAve wrote:
>>>I spoke too soon last week. Starting Friday we came under a heavy old fashioned dictionary attack. Each day from noon until 4pm EDT.
>>>
>>>The IPs are so widely scattered it seems it would do no good to track them. Right now milter-grey is consuming over 50% of my CPUs. If it follows the same course as the prior days, about the time the attack on one server starts to ease up it will increase on the next server.
>>>
>>>Milter-ahead is dealing with the connections that return. It could turn into a DOS with a few thousand more connections. Funny but there are so many connections for non-existent accounts that my load has fallen nearly to the floor. There is no traffic for MailScanner to operate on, the server is so dang busy telling zombies to go away.
>>>
>>>There has to be a better way to make a living than this 8^(
>>>
>>>DAve
>>Dave
>>
>>if you've paid for milter-ahead shouldn't it merely reject rcpt-to that don't exist????
>>
>>Or is it the sheer number of connections that are killing you?

All very good advice.. I don't know if the milter-ahead will work. I know that the iptables advice will not.. but only because the dictionary attacks that I am seeing are almost PERFECTLY distributed. It is a bot army attacking with IP addresses maybe repeating twice in hundreds of tries.

I've been watching them with paralysis since late last week. Can't figure anything to throw at them that wouldn't trip some of my outside users.

They are attacking a domain with five users and aren't going to get much ;>).

Cheers!

From alex at nkpanama.com Tue Oct 24 20:13:13 2006
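The two positions in this thread (a per-source limit of 4 hits in 60 seconds, and sources that repeat "maybe twice in hundreds of tries") can be compared on constructed traffic. The Python sketch below is an added example, not code from any poster or from MailScanner: the window model is a simplification of the `recent` match rather than iptables itself, the addresses and timings are constructed, and the all-sources threshold of 20 unknown recipients per window is an assumption.

```python
"""Added illustration (not from the thread): a simplified per-source sliding
window compared with an all-sources count of unknown-recipient attempts."""
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60   # the "--seconds 60" from the thread
HIT_LIMIT = 4         # the "--hitcount 4" from the thread


def per_ip_refusals(events, window=WINDOW_SECONDS, limit=HIT_LIMIT):
    """Return the (timestamp, ip) pairs a per-source limit would refuse.

    Simplified model, not iptables itself: a new connection is refused when
    the same source was already seen `limit` times in the last `window`
    seconds. Refused attempts are recorded too, so a host that keeps
    retrying stays blocked until it goes quiet.
    """
    seen = defaultdict(deque)
    refused = []
    for ts, ip, _rcpt_known in sorted(events):
        stamps = seen[ip]
        while stamps and ts - stamps[0] >= window:
            stamps.popleft()          # forget hits older than the window
        if len(stamps) >= limit:
            refused.append((ts, ip))
        stamps.append(ts)
    return refused


def unknown_rcpt_bursts(events, window=WINDOW_SECONDS, threshold=20):
    """Return start times of windows holding >= threshold unknown-recipient
    attempts, counted across ALL sources (threshold is an assumption)."""
    per_window = Counter()
    for ts, _ip, rcpt_known in events:
        if not rcpt_known:
            per_window[ts // window * window] += 1
    return sorted(start for start, n in per_window.items() if n >= threshold)


def constructed_traffic():
    """Constructed sample: (seconds, source_ip, recipient_exists) tuples."""
    events = []
    # A legitimate relay delivering to real users every 30 seconds.
    events += [(i * 30, "192.0.2.10", True) for i in range(20)]
    # One noisy host: 20 guesses at unknown users in 40 seconds.
    events += [(100 + i * 2, "203.0.113.9", False) for i in range(20)]
    # Widely scattered sources: 300 addresses, two guesses each, 5 minutes apart.
    for n in range(300):
        ip = f"10.20.{n // 250}.{n % 250 + 1}"
        events += [(n * 2, ip, False), (n * 2 + 300, ip, False)]
    return sorted(events)


def summarize(events):
    """Put both views side by side for one batch of events."""
    refused = per_ip_refusals(events)
    return {
        "attempts": len(events),
        "refused_by_per_ip_limit": len(refused),
        "refused_sources": sorted({ip for _ts, ip in refused}),
        "unknown_rcpt_burst_windows": unknown_rcpt_bursts(events),
    }


if __name__ == "__main__":
    for key, value in summarize(constructed_traffic()).items():
        print(f"{key}: {value}")
```

On this sample the per-source limit refuses only the single noisy host, while the all-sources count of unknown recipients flags every minute of the scattered guessing.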
From: alex at nkpanama.com (Alex Neuman) Date: Tue Oct 24 20:14:46 2006 Subject: Problems with huge messages In-Reply-To: <000801c6f79e$de0f0ea0$170a000a@SENADER.LOCAL> References: <00a701c6f786$87850d40$170a000a@SENADER.LOCAL> <453E3E90.6060906@nkpanama.com><000a01c6f78f$32b67480$170a000a@SENADER.LOCAL> <453E5D72.7020805@nkpanama.com> <000801c6f79e$de0f0ea0$170a000a@SENADER.LOCAL> Message-ID: <453E65C9.9050604@nkpanama.com>

No, you need to make sure you're installing MailScanner correctly. With apologies to the rest of the list, here goes:

Henry,

You need to install MailScanner properly. You have to shut down sendmail (including stopping it from starting on its own) and start MailScanner so that it launches an instance of sendmail to pick up the mail and put it in the queue at /var/spool/mqueue.in, and THEN MailScanner picks it up to check it in every possible way and afterwards moves it from there to /var/spool/mqueue, where sendmail (second instance) collects it and sends it wherever it has to go (your user's mailbox, or outbound).

If you start MailScanner and it does not stop the messages, it means that the sendmail that MailScanner starts is not using the same settings as the "bare" sendmail that you supposedly run without problems. Make sure you have something like:

define(`MAX_MESSAGE_SIZE', `3000000')dnl

in your sendmail.mc and that you compile it correctly, so that nobody can wreck your server whenever they feel like it by sending you a message of umpteen gigabytes.

Henry Burbano wrote:
> Sorry, I explained it the wrong way; you are right: first sendmail, then MailScanner and sendmail again, but sendmail stops the messages after MailScanner has processed the message. I have enabled message size restrictions in sendmail. When I work only with sendmail all works fine, the huge messages are stopped and deleted, but when I enable MailScanner, I have problems.
>
> I need your help to configure MailScanner to skip the scanning.

From r.berber at computer.org Tue Oct 24 20:15:56 2006
From: r.berber at computer.org (René Berber) Date: Tue Oct 24 20:16:49 2006 Subject: Dictionary Attacks In-Reply-To: <453E5E6C.2070408@nkpanama.com> References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> Message-ID:

Alex Neuman wrote:
> You may want to use iptables (or whatever your firewall uses) to rate-limit incoming connections.

Or use the connection control options of sendmail.

> Although you are probably under attack by a spam zombie army, I'm sure some of those connections must be coming from repeated IPs. Set it so that no more than, say, 4 connections in the last 60 seconds can come in to your smtp port from the same ip address. Legit servers will probably not be affected, but spam zombies will have a hard time getting to you.
>
> something like:
>
> iptables -I INPUT 1 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
> iptables -I INPUT 2 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
> iptables -I INPUT 3 -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Something very close to this is what connection control does (ConnectionRateThrottle) plus you have BadRcptThrottle which is an additional brake, also you should use the greet_pause, and there are a few more measures like milter-error (which will count those graylist responses as errors and blacklist them for a while if they insist) and feature local_sender_check (from http://ultra.ap.krakow.pl/~raj/sendmail/english.html) which will reject non existent users pretending to be from your own domain.

> for example...
[snip]
--
René Berber

From alex at nkpanama.com Tue Oct 24 20:26:14 2006
From: alex at nkpanama.com (Alex Neuman) Date: Tue Oct 24 20:26:28 2006 Subject: Inbox fles and possible bug In-Reply-To: <20061024183715.M93501@konsultex.com.br> References: <20061024183715.M93501@konsultex.com.br> Message-ID: <453E68D6.5040309@nkpanama.com>

Miguel Koren OBrien de Lacy wrote:
> Gentlemen;
>
> My conclusion is that dovecot is particularly intolerant of the file format but also that something is putting in the blank line.

Very true.

> The blank line does not have space characters, just a line break. My prime suspect at the moment for doing this is MailScanner because it works on the emails before final delivery. I think that this user gets some type of email content that causes Mail Scanner to insert the spurious character at the start of the header and that if this happens with the first email received after the mailbox is emptied, the problem happens.
>
> So the questions are if anybody has seen a similar problem and if my theory about a subtle "bug" in MailScanner makes sense?

More likely a bug in how messages get picked up, scanned, and put in the mailbox. I haven't been able to reproduce the behaviour, but I *have* noticed that the problem doesn't present itself when "Max Children =1", and I've noticed it happen only when dovecot is reading the inboxes.

What I've done in the meantime when a corrupted message (or line within an mbox file) doesn't allow the user to read mail is:

1. Rename the mbox file
2. do the following

formail -s sendmail user@yourdomain.tld < renamed.mbox.file

Usually this means that if the user was using POP and leaving messages on the server for an X amount of days, those messages will be redelivered "as new".

> Miguel
>
> --
> Konsultex Informatica (http://www.konsultex.com.br)

From ssilva at sgvwater.com Tue Oct 24 20:29:19 2006
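The manual check described in this thread (sampling mailbox files for a blank first line, then working on a copy with the blank line removed) can be scripted. The Python below is an added example, not code from either poster or from MailScanner or dovecot; the function names are hypothetical and the two mailboxes it tests are constructed in a temporary directory.

```python
"""Added illustration (not from the thread): find mbox files that begin with
blank lines and write a repaired copy, leaving the original untouched."""
import os
import shutil
import tempfile

BLANK = (b"\n", b"\r\n")   # a bare line break, no spaces, as described above


def inspect_mbox(path):
    """Return (leading_blank_lines, first_line_is_separator)."""
    blanks = 0
    with open(path, "rb") as fh:
        for line in fh:
            if line in BLANK:
                blanks += 1
                continue
            return blanks, line.startswith(b"From ")
    return blanks, False   # nothing but blank lines


def scan_spool(spool_dir):
    """Map file name -> leading blank line count for every mailbox whose
    first bytes are not an mbox 'From ' separator."""
    findings = {}
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            continue   # an empty mailbox is valid
        blanks, has_separator = inspect_mbox(path)
        if blanks or not has_separator:
            findings[name] = blanks
    return findings


def write_repaired_copy(src, dst):
    """Copy src to dst without the leading blank lines; the rest of the
    file is copied byte for byte."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for line in fin:
            if line not in BLANK:
                fout.write(line)
                break
        shutil.copyfileobj(fin, fout)


def demo():
    """Run the check on two constructed mailboxes in a temporary directory."""
    message = (b"From sender@example.org Tue Oct 24 20:03:34 2006\n"
               b"Subject: constructed sample\n\nbody\n\n")
    with tempfile.TemporaryDirectory() as spool:
        with open(os.path.join(spool, "alice"), "wb") as fh:
            fh.write(message)
        with open(os.path.join(spool, "bob"), "wb") as fh:
            fh.write(b"\n" + message)   # the fault: one blank first line
        before = scan_spool(spool)
        fixed = os.path.join(spool, "bob.fixed")
        write_repaired_copy(os.path.join(spool, "bob"), fixed)
        with open(fixed, "rb") as fh:
            repaired_ok = fh.read() == message
        after = scan_spool(spool)
    return before, repaired_ok, after


if __name__ == "__main__":
    print(demo())
```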
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 20:30:17 2006 Subject: Dictionary Attacks In-Reply-To: <7.0.1.0.0.20061024150124.08445848@1bigthink.com> References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> <7.0.1.0.0.20061024150124.08445848@1bigthink.com> Message-ID: dnsadmin 1bigthink.com spake the following on 10/24/2006 12:06 PM: > At 02:41 PM 10/24/2006, you wrote: > >> You may want to use iptables (or whatever your firewall uses) to >> rate-limit incoming connections. >> >> Although you are probably under attack by a spam zombie army, I'm sure >> some of those connections must be coming from repeated IPs. Set it so >> that no more than, say, 4 connections in the last 60 seconds can come >> in to your smtp port from the same ip address. Legit servers will >> probably not be affected, but spam zombies will have a hard time >> getting to you. >> >> something like: >> >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m >> recent --set >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m >> recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix >> "RATELIMIT: " >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m >> recent --update --seconds 60 --hitcount 4 -j DROP >> >> for example... >> >> Martin Hepworth escribi?: >>> DAve wrote: >>>> I spoke to soon last week. Staring Friday we came under a heavy old >>>> fashioned dictionary attack. Each day from noon until 4pm EDT. >>>> >>>> The IPs are so widely scattered it seems it would do no good to >>>> track them. Right now milter-grey is consuming over 50% of my CPUs. >>>> If it follows the same course as the prior days, about the time the >>>> attack on one server starts to ease up it will increase on the next >>>> server. >>>> >>>> Milter-ahead is dealing with the connections that return. It could >>>> turn into a DOS with a few thousand more connections. 
Funny but >>>> there are so many connections for non-existant accounts that my load >>>> has fallen nearly to the floor. There is no traffic for MailScanner >>>> to operate on, the server is so dang busy telling zombies to go away. >>>> >>>> There has to be a better way to make a living than this 8^( >>>> >>>> DAve >>> Dave >>> >>> if you've paid for milter-ahead shouldn't it merely reject rctp-to >>> that don't exist???? >>> >>> Or is it the sheer number of connections that are killing you? > > All very good advice.. I don't know if the milter-ahead will work. I > know that the iptables advice will not.. but only because the dictionary > attacks that I am seeing are almost PERFECTLY distributed. It is a bot > army attacking with IP addresses maybe repeating twice in hundreds of > tries. > > I've been watching them with paralysis since late last week. Can't > figure anything to throw at them that wouldn't trip some of my outside > users. > > They are attacking a domain with five users and aren't going to get much > ;>). > > Cheers! Are you using ratecontrol in sendmail? http://www.technoids.org/dossed.html You can let in people you know easily, and slow down the rest of the world. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Oct 24 20:36:28 2006 
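The per-source limit in the iptables rules quoted above, and the objection in the same thread that the attacking addresses barely repeat, can be checked against connection data before anything is deployed. The following is an added example, not code from any poster or from MailScanner: it is a simplified model of a per-source sliding window, and all addresses, timings and function names are constructed for illustration.

```python
"""Replay constructed SMTP connection attempts through a per-source
sliding-window limit (the idea behind --seconds 60 --hitcount 4)."""
from collections import defaultdict, deque


def simulate_per_source_limit(attempts, seconds=60, hitcount=4):
    """Return (accepted, dropped) lists of (timestamp, source) tuples.

    Model assumption (simplified): every attempt is recorded, and an attempt
    is dropped when its source then has `hitcount` or more recorded attempts
    within the last `seconds` seconds. Dropped attempts stay recorded, so a
    source that keeps retrying stays blocked.
    """
    recent = defaultdict(deque)           # source -> timestamps inside the window
    accepted, dropped = [], []
    for ts, src in sorted(attempts):
        window = recent[src]
        window.append(ts)
        while ts - window[0] >= seconds:  # expire entries older than the window
            window.popleft()
        (dropped if len(window) >= hitcount else accepted).append((ts, src))
    return accepted, dropped


def report(attempts, seconds=60, hitcount=4):
    """Summarise what the limit would have done to a set of attempts."""
    accepted, dropped = simulate_per_source_limit(attempts, seconds, hitcount)
    return {
        "attempts": len(attempts),
        "sources": len({src for _, src in attempts}),
        "dropped": len(dropped),
        "dropped_sources": sorted({src for _, src in dropped}),
    }


# --- Constructed traffic (documentation address ranges, invented timings) ---

def single_host_burst():
    """One host retrying every 3 seconds: the case a per-source limit catches."""
    return [(i * 3, "192.0.2.10") for i in range(10)]


def distributed_sweep(sources=200, repeats=2):
    """One attempt per second, each source used only `repeats` times in total,
    as in the thread's "repeating twice in hundreds of tries"."""
    return [(n, f"198.51.100.{n % sources}") for n in range(sources * repeats)]


def legitimate_relay_burst():
    """A real mail relay delivering six queued messages five seconds apart."""
    return [(i * 5, "203.0.113.5") for i in range(6)]


if __name__ == "__main__":
    for name, traffic in [
        ("single host burst", single_host_burst()),
        ("distributed sweep", distributed_sweep()),
        ("sweep + legitimate relay", distributed_sweep() + legitimate_relay_burst()),
    ]:
        print(name, report(traffic))
```

With the sweep and the relay mixed, the only drops are the relay's, so on this kind of traffic the per-source limit costs legitimate mail and stops none of the distributed attempts.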
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Oct 24 20:37:01 2006
Subject: Inbox fles and possible bug
In-Reply-To: <20061024183715.M93501@konsultex.com.br>
References: <20061024183715.M93501@konsultex.com.br>
Message-ID:

Miguel Koren OBrien de Lacy spake the following on 10/24/2006 12:03 PM:
> Gentlemen;
>
> On one server I have Fedora Core 4 running with all the yum updates, Mail Scanner
> 4.50.10-3 and Clam 0.88.4. This server has about 100 email accounts. Last month and
> again today the same person complained about not being able to download emails using
> Outlook configured to access pop accounts, but only on one of his accounts (the same
> one both times). I checked a telnet to port 110 and found that dovecot reports that
> the file can not be accessed. This file in /var/spool/mail was there so I checked the
> permissions and size and all was well. I opened it up and noticed that it had a
> blank line at the top of the file. So on a hunch I made a copy and removed the blank
> line. After that everything worked again. This was the only mailbox file with a
> blank line at the top out of a random sampling of mailbox files I looked at. This is
> the first mailbox "corruption" I have seen since I started using Linux in 1997, so
> having 2 cases with the same account in a short period seems like something more
> than coincidence.
>
> My conclusion is that dovecot is particularly intolerant of the file format but also
> that something is putting in the blank line. The blank line does not have space
> characters, just a line break. My prime suspect at the moment for doing this is
> MailScanner because it works on the emails before final delivery. I think that this
> user gets some type of email content that causes Mail Scanner to insert the spurious
> character at the start of the header and that if this happens with the first email
> received after the mailbox is emptied, the problem happens.
>
> So the questions are if anybody has seen a similar problem and if my theory about a
> subtle "bug" in MailScanner makes sense?
>
Mailscanner is not involved in this by the time the mail hits /var/spool/mail.
It is either your local delivery agent (maybe procmail), or a known issue with
Dovecot and Outlook. See

http://wiki.dovecot.org/Clients#head-603ef86194a337dc45305f89f8a1378dfcaa8146

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dave.list at pixelhammer.com Tue Oct 24 20:54:53 2006
From: dave.list at pixelhammer.com (DAve) Date: Tue Oct 24 20:55:16 2006 Subject: Dictionary Attacks In-Reply-To: <453E5A99.4030400@solidstatelogic.com> References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> Message-ID: <453E6F8D.9040908@pixelhammer.com> Martin Hepworth wrote: > DAve wrote: >> I spoke to soon last week. Staring Friday we came under a heavy old >> fashioned dictionary attack. Each day from noon until 4pm EDT. >> >> The IPs are so widely scattered it seems it would do no good to track >> them. Right now milter-grey is consuming over 50% of my CPUs. If it >> follows the same course as the prior days, about the time the attack >> on one server starts to ease up it will increase on the next server. >> >> Milter-ahead is dealing with the connections that return. It could >> turn into a DOS with a few thousand more connections. Funny but there >> are so many connections for non-existant accounts that my load has >> fallen nearly to the floor. There is no traffic for MailScanner to >> operate on, the server is so dang busy telling zombies to go away. >> >> There has to be a better way to make a living than this 8^( >> >> DAve >> > Dave > > if you've paid for milter-ahead shouldn't it merely reject rctp-to that > don't exist???? > > Or is it the sheer number of connections that are killing you? > Sheer number of connections. Right now Milter-grey is handling all it can on all three servers. What does come back is getting caught by Milter-ahead. I've changed my timeouts on Sendmail to as low as I dare and that has helped kick them off earlier it seems. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From mailscanner at mango.zw Tue Oct 24 21:09:15 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Tue Oct 24 21:04:23 2006 Subject: Dictionary Attacks In-Reply-To: <453E5310.3050601@pixelhammer.com> Message-ID: On Tue, 24 Oct 2006, DAve wrote: > Date: Tue, 24 Oct 2006 13:53:20 -0400 
> From: DAve > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Dictionary Attacks > > I spoke to soon last week. Staring Friday we came under a heavy old > fashioned dictionary attack. Each day from noon until 4pm EDT. > > The IPs are so widely scattered it seems it would do no good to track > them. Right now milter-grey is consuming over 50% of my CPUs. If it > follows the same course as the prior days, about the time the attack on > one server starts to ease up it will increase on the next server. > > Milter-ahead is dealing with the connections that return. It could turn > into a DOS with a few thousand more connections. Funny but there are so > many connections for non-existant accounts that my load has fallen > nearly to the floor. There is no traffic for MailScanner to operate on, > the server is so dang busy telling zombies to go away. > > There has to be a better way to make a living than this 8^( As a sendmail user, one of the reasons that I am currently playing around with Exim is that it has all kinds of fine-grained options to deal with specific problems like this that sendmail doesn't. One option it has is to enable you to drop a connection as soon as it has attempted to deliver to more than a specified number of bad addresses, for example. That should slow them down very quickly. As you are using sendmail then you have options such as greet_pause, ratecontrol, conncontrol, confBAD_RCPT_THROTTLE, confCONNECTION_RATE_THROTTLE etc to slow things down. It is a pity that the slow down for bad receipts is hard coded to one second, but it would be easy to change the source in srvrsmtp.c and recompile. I am not sure how the above would interact with grey-listing. I would also consider using a safe RBL at SMTP time as well. 
There are also scripts that can immediately firewall off any host attempting to deliver to more than a specified number of bad recipients, eg: http://forum.ensim.com/showthread.php?t=13264 However if your attack is from a widely distributed army of bots that makes defence extremely difficult. Is there any assistance your upstream provider can offer you with their own firewall? Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From dave.list at pixelhammer.com Tue Oct 24 21:08:51 2006 
From: dave.list at pixelhammer.com (DAve) Date: Tue Oct 24 21:09:13 2006 Subject: Dictionary Attacks In-Reply-To: References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> <7.0.1.0.0.20061024150124.08445848@1bigthink.com> Message-ID: <453E72D3.4090600@pixelhammer.com> Scott Silva wrote: > dnsadmin 1bigthink.com spake the following on 10/24/2006 12:06 PM: >> At 02:41 PM 10/24/2006, you wrote: >> >>> You may want to use iptables (or whatever your firewall uses) to >>> rate-limit incoming connections. >>> >>> Although you are probably under attack by a spam zombie army, I'm sure >>> some of those connections must be coming from repeated IPs. Set it so >>> that no more than, say, 4 connections in the last 60 seconds can come >>> in to your smtp port from the same ip address. Legit servers will >>> probably not be affected, but spam zombies will have a hard time >>> getting to you. >>> >>> something like: >>> >>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m >>> recent --set >>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m >>> recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix >>> "RATELIMIT: " >>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m >>> recent --update --seconds 60 --hitcount 4 -j DROP >>> >>> for example... >>> >>> Martin Hepworth escribi?: >>>> DAve wrote: >>>>> I spoke to soon last week. Staring Friday we came under a heavy old >>>>> fashioned dictionary attack. Each day from noon until 4pm EDT. >>>>> >>>>> The IPs are so widely scattered it seems it would do no good to >>>>> track them. Right now milter-grey is consuming over 50% of my CPUs. >>>>> If it follows the same course as the prior days, about the time the >>>>> attack on one server starts to ease up it will increase on the next >>>>> server. >>>>> >>>>> Milter-ahead is dealing with the connections that return. 
It could >>>>> turn into a DOS with a few thousand more connections. Funny but >>>>> there are so many connections for non-existant accounts that my load >>>>> has fallen nearly to the floor. There is no traffic for MailScanner >>>>> to operate on, the server is so dang busy telling zombies to go away. >>>>> >>>>> There has to be a better way to make a living than this 8^( >>>>> >>>>> DAve >>>> Dave >>>> >>>> if you've paid for milter-ahead shouldn't it merely reject rctp-to >>>> that don't exist???? >>>> >>>> Or is it the sheer number of connections that are killing you? >> All very good advice.. I don't know if the milter-ahead will work. I >> know that the iptables advice will not.. but only because the dictionary >> attacks that I am seeing are almost PERFECTLY distributed. It is a bot >> army attacking with IP addresses maybe repeating twice in hundreds of >> tries. >> >> I've been watching them with paralysis since late last week. Can't >> figure anything to throw at them that wouldn't trip some of my outside >> users. >> >> They are attacking a domain with five users and aren't going to get much >> ;>). >> >> Cheers! > Are you using ratecontrol in sendmail? > http://www.technoids.org/dossed.html > You can let in people you know easily, and slow down the rest of the world. > > Same here, the IP addresses are all over the map and nearly never a connection from the same IP. That may be Greylisting's fault though keeping them at bay, and not allowing me to see a trend. Two of the servers are due for upgrades very soon and do not have some of the better features of the newest Sendmail. We are beating them back, but I would prefer to not have to battle this every week. Right now, today, I would get on board a Spamming = Capitol Punishment platform. If it were anything else, bullhorn over a fence, running into traffic with a sign, dumping a million pamphlets into a Super Bowl from the air, they would be arrested. I need a drink. 
DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

From alex at nkpanama.com Tue Oct 24 21:12:43 2006
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Oct 24 21:13:01 2006
Subject: Inbox fles and possible bug
In-Reply-To:
References: <20061024183715.M93501@konsultex.com.br>
Message-ID: <453E73BB.9070500@nkpanama.com>

Scott Silva wrote:
> Mailscanner is not involved in this by the time the mail hits /var/spool/mail.
> It is either your local delivery agent (maybe procmail), or a known issue with
> Dovecot and Outlook. See
>
> http://wiki.dovecot.org/Clients#head-603ef86194a337dc45305f89f8a1378dfcaa8146
>
>
If it's procmail then, what possible workarounds/diags could one implement?

From Kevin_Miller at ci.juneau.ak.us Tue Oct 24 21:13:40 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Oct 24 21:13:50 2006
Subject: Just an FYI, slightly OT...
Message-ID:

For those using the smf-sav milter, a new version was released recently.
It's up to 1.3.2 at the moment. Don't recall the release date, but it
has some nice improvements over the 1.20 version I started with a couple
months ago, particularly in regard to whitelisting...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From alex at nkpanama.com Tue Oct 24 21:26:26 2006
From: alex at nkpanama.com (Alex Neuman) Date: Tue Oct 24 21:26:43 2006 Subject: OT: What will they think of next Message-ID: <453E76F2.50908@nkpanama.com> I just finished setting up FuzzyOCR. Guess what greets me a few minutes later: http://nkpanama.com/results.gif Now spammers are adding noise so OCR won't work. Jeez. Now that last suggestion about capital punishment for spammers is starting to sound interesting. From campbell at cnpapers.com Tue Oct 24 21:27:44 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Oct 24 21:28:01 2006 Subject: Amazing number of bounces Message-ID: <002b01c6f7aa$dcda41b0$0705000a@DDF5DW71> I don't know if anyone else is getting attacked like my domains are, but these "Rave reviews ..." emails are being returned at a very alarming rate. I am seeing the bounces from all of these mailservers who don't check anything apparently, and even though none so far are from my IPs, they send them back to the return address. What a golden opportunity to promote the no-bounce idea that Julian has forever preached. And BTW, has anyone else figured out how to handle these other than killing the blank return address emails? Steve Campbell campbell@cnpapers.com Charleston Newspapers From dnsadmin at 1bigthink.com Tue Oct 24 21:44:33 2006 
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Tue Oct 24 21:44:44 2006 Subject: Dictionary Attacks In-Reply-To: References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> <7.0.1.0.0.20061024150124.08445848@1bigthink.com> Message-ID: <7.0.1.0.0.20061024164250.039a8230@1bigthink.com> At 03:29 PM 10/24/2006, you wrote: >dnsadmin 1bigthink.com spake the following on 10/24/2006 12:06 PM: > > At 02:41 PM 10/24/2006, you wrote: > > > >> You may want to use iptables (or whatever your firewall uses) to > >> rate-limit incoming connections. > >> > >> Although you are probably under attack by a spam zombie army, I'm sure > >> some of those connections must be coming from repeated IPs. Set it so > >> that no more than, say, 4 connections in the last 60 seconds can come > >> in to your smtp port from the same ip address. Legit servers will > >> probably not be affected, but spam zombies will have a hard time > >> getting to you. > >> > >> something like: > >> > >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m > >> recent --set > >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m > >> recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix > >> "RATELIMIT: " > >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m > >> recent --update --seconds 60 --hitcount 4 -j DROP > >> > >> for example... > >> > >> Martin Hepworth escribi?: > >>> DAve wrote: > >>>> I spoke to soon last week. Staring Friday we came under a heavy old > >>>> fashioned dictionary attack. Each day from noon until 4pm EDT. > >>>> > >>>> The IPs are so widely scattered it seems it would do no good to > >>>> track them. Right now milter-grey is consuming over 50% of my CPUs. > >>>> If it follows the same course as the prior days, about the time the > >>>> attack on one server starts to ease up it will increase on the next > >>>> server. 
> >>>> > >>>> Milter-ahead is dealing with the connections that return. It could > >>>> turn into a DOS with a few thousand more connections. Funny but > >>>> there are so many connections for non-existant accounts that my load > >>>> has fallen nearly to the floor. There is no traffic for MailScanner > >>>> to operate on, the server is so dang busy telling zombies to go away. > >>>> > >>>> There has to be a better way to make a living than this 8^( > >>>> > >>>> DAve > >>> Dave > >>> > >>> if you've paid for milter-ahead shouldn't it merely reject rctp-to > >>> that don't exist???? > >>> > >>> Or is it the sheer number of connections that are killing you? > > > > All very good advice.. I don't know if the milter-ahead will work. I > > know that the iptables advice will not.. but only because the dictionary > > attacks that I am seeing are almost PERFECTLY distributed. It is a bot > > army attacking with IP addresses maybe repeating twice in hundreds of > > tries. > > > > I've been watching them with paralysis since late last week. Can't > > figure anything to throw at them that wouldn't trip some of my outside > > users. > > > > They are attacking a domain with five users and aren't going to get much > > ;>). > > > > Cheers! >Are you using ratecontrol in sendmail? >http://www.technoids.org/dossed.html >You can let in people you know easily, and slow down the rest of the world. Thanks Scott! That gave me the ammo I was looking for. Yes, I did have most of that implemented; just not very well after revisiting it. Now to implement this before they start poking at a domain that will really count! Cheers! From evan at espphotography.com Tue Oct 24 21:46:39 2006 
From: evan at espphotography.com (Evan Platt) Date: Tue Oct 24 21:46:34 2006 Subject: OT: What will they think of next In-Reply-To: <453E76F2.50908@nkpanama.com> References: <453E76F2.50908@nkpanama.com> Message-ID: <200610242030.NAA15422@partners7.yack.com> At 01:26 PM 10/24/2006, you wrote: >I just finished setting up FuzzyOCR. Guess what greets me a few minutes later: > >http://nkpanama.com/results.gif > >Now spammers are adding noise so OCR won't work. > >Jeez. > >Now that last suggestion about capital punishment for spammers is >starting to sound interesting. http://nkpanama.com/results.gif is giving a 404? From dave.list at pixelhammer.com Tue Oct 24 21:47:54 2006 From: dave.list at pixelhammer.com (DAve) Date: Tue Oct 24 21:48:20 2006 Subject: Dictionary Attacks In-Reply-To: References: Message-ID: <453E7BFA.1030909@pixelhammer.com> Jim Holland wrote: > On Tue, 24 Oct 2006, DAve wrote: > >> Date: Tue, 24 Oct 2006 13:53:20 -0400 
>> From: DAve >> Reply-To: MailScanner discussion >> To: MailScanner discussion >> Subject: Dictionary Attacks >> >> I spoke to soon last week. Staring Friday we came under a heavy old >> fashioned dictionary attack. Each day from noon until 4pm EDT. >> >> The IPs are so widely scattered it seems it would do no good to track >> them. Right now milter-grey is consuming over 50% of my CPUs. If it >> follows the same course as the prior days, about the time the attack on >> one server starts to ease up it will increase on the next server. >> >> Milter-ahead is dealing with the connections that return. It could turn >> into a DOS with a few thousand more connections. Funny but there are so >> many connections for non-existant accounts that my load has fallen >> nearly to the floor. There is no traffic for MailScanner to operate on, >> the server is so dang busy telling zombies to go away. >> >> There has to be a better way to make a living than this 8^( > > As a sendmail user, one of the reasons that I am currently playing around > with Exim is that it has all kinds of fine-grained options to deal with > specific problems like this that sendmail doesn't. One option it has is > to enable you to drop a connection as soon as it has attempted to deliver > to more than a specified number of bad addresses, for example. That > should slow them down very quickly. > > As you are using sendmail then you have options such as greet_pause, > ratecontrol, conncontrol, confBAD_RCPT_THROTTLE, > confCONNECTION_RATE_THROTTLE etc to slow things down. It is a pity that > the slow down for bad receipts is hard coded to one second, but it would > be easy to change the source in srvrsmtp.c and recompile. > In the works, but not for a bit. I need to upgrade the servers completely, OS and all. > I am not sure how the above would interact with grey-listing. > > I would also consider using a safe RBL at SMTP time as well. Yep, I trust spamhaus and dnsbl but I can't really run any others. 
We have clients who do business with the Pacific Rim and Western Europe. > > There are also scripts that can immediately firewall off any host > attempting to deliver to more than a specified number of bad recipients, > eg: > > http://forum.ensim.com/showthread.php?t=13264 > > However if your attack is from a widely distributed army of bots that > makes defence extremely difficult. Is there any assistance your upstream > provider can offer you with their own firewall? > I am the upstream provider, next stop is MCI. I am seriously thinking about using a DUL blocklist. I've tried before but so many shrink wrap admins out there running a business on a DSL and using their own Exchange, makes it tough. I will surely get complaints when my clients can't get an email from someone outside. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From arturs at netvision.net.il Tue Oct 24 21:46:47 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Tue Oct 24 21:48:58 2006 Subject: problem starting MailScanner: dual perl config on raq4 In-Reply-To: <20061024161856.M63934@kush-t.co.uk> Message-ID: <008101c6f7ad$86296320$3701a8c0@lapxp> > > > MailScanner: Can't locate Time/HiRes.pm in @INC (@INC > > > contains: /usr/lib/MailScanner /usr/lib/perl5/5.00503/i386- > > > linux /usr/lib/perl5/5.00503 /usr/lib/perl5/site_perl/5.005/i386- > > > linux /usr/lib/perl5/site_perl/5.005 . /usr/lib/MailScanner) > > > at /usr/sbin/MailScanner line 65. > > > BEGIN failed--compilation aborted at > /usr/sbin/MailScanner line 65. Just locate HiRes.pm and copy it to the path. Best, -- Arthur Sherman +972-52-4878851 CPTeam From alex at nkpanama.com Tue Oct 24 21:57:35 2006 
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Oct 24 21:57:52 2006
Subject: OT: What will they think of next
In-Reply-To: <200610242030.NAA15422@partners7.yack.com>
References: <453E76F2.50908@nkpanama.com> <200610242030.NAA15422@partners7.yack.com>
Message-ID: <453E7E3F.9040708@nkpanama.com>

Evan Platt wrote:
> At 01:26 PM 10/24/2006, you wrote:
>> I just finished setting up FuzzyOCR. Guess what greets me a few
>> minutes later:
>>
>> http://nkpanama.com/results.gif
>>
>> Now spammers are adding noise so OCR won't work.
>>
>> Jeez.
>>
>> Now that last suggestion about capital punishment for spammers is
>> starting to sound interesting.
>
> http://nkpanama.com/results.gif is giving a 404?
>
>
Corrected... Thanks...

From alex at nkpanama.com Tue Oct 24 21:58:09 2006
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Oct 24 21:58:26 2006
Subject: Amazing number of bounces
In-Reply-To: <002b01c6f7aa$dcda41b0$0705000a@DDF5DW71>
References: <002b01c6f7aa$dcda41b0$0705000a@DDF5DW71>
Message-ID: <453E7E61.6000105@nkpanama.com>

Steve Campbell wrote:
> I don't know if anyone else is getting attacked like my domains are,
> but these "Rave reviews ..." emails are being returned at a very
> alarming rate. I am seeing the bounces from all of these mailservers
> who don't check anything apparently, and even though none so far are
> from my IPs, they send them back to the return address. What a golden
> opportunity to promote the no-bounce idea that Julian has forever
> preached.
>
> And BTW, has anyone else figured out how to handle these other than
> killing the blank return address emails?
>
> Steve Campbell
> campbell@cnpapers.com
> Charleston Newspapers
>
>
Greylisting? Throttling?

From glenn.steen at gmail.com Tue Oct 24 22:18:11 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 24 22:18:16 2006 Subject: OT: What will they think of next In-Reply-To: <200610242030.NAA15422@partners7.yack.com> References: <453E76F2.50908@nkpanama.com> <200610242030.NAA15422@partners7.yack.com> Message-ID: <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> On 24/10/06, Evan Platt wrote: > At 01:26 PM 10/24/2006, you wrote: > >I just finished setting up FuzzyOCR. Guess what greets me a few minutes later: > > > >http://nkpanama.com/results.gif > > > >Now spammers are adding noise so OCR won't work. > > > >Jeez. > > > >Now that last suggestion about capital punishment for spammers is > >starting to sound interesting. > > http://nkpanama.com/results.gif is giving a 404? > Works for me... Not pretty indeed:-( At times, flipping burgers as a career choice looks up and coming:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From miguelk at konsultex.com.br Tue Oct 24 22:23:15 2006 From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy) Date: Tue Oct 24 22:23:37 2006 Subject: Inbox fles and possible bug In-Reply-To: <453E73BB.9070500@nkpanama.com> References: <20061024183715.M93501@konsultex.com.br> <453E73BB.9070500@nkpanama.com> Message-ID: <20061024212139.M25643@konsultex.com.br> Thanks for the ideas. I'm going to try it with: client_workarounds = outlook-pop3-no-nuls in /etc/dovecot.conf and see if it helps. Miguel -- Konsultex Informatica (http://www.konsultex.com.br) ---------- Original Message ----------- 
From: Alex Neuman
To: MailScanner discussion
Sent: Tue, 24 Oct 2006 15:12:43 -0500
Subject: Re: Inbox fles and possible bug

> Scott Silva wrote:
> > Mailscanner is not involved in this by the time the mail hits /var/spool/mail.
> > It is either your local delivery agent (maybe procmail), or a known issue with
> > Dovecot and Outlook. See
> >
> > http://wiki.dovecot.org/Clients#head-603ef86194a337dc45305f89f8a1378dfcaa8146
> >
> >
> If it's procmail then, what possible workarounds/diags could one implement?
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been checked by the antivirus system and is
> believed to be free of danger.
------- End of Original Message -------

--
This message has been checked by the antivirus system and is
believed to be free of danger.

From mailscanner at mango.zw Tue Oct 24 22:28:46 2006
From: mailscanner at mango.zw (Jim Holland) Date: Tue Oct 24 22:24:08 2006 Subject: Dictionary Attacks In-Reply-To: <453E7BFA.1030909@pixelhammer.com> Message-ID: On Tue, 24 Oct 2006, DAve wrote: > I am the upstream provider, next stop is MCI. I am seriously thinking > about using a DUL blocklist. I've tried before but so many shrink wrap > admins out there running a business on a DSL and using their own > Exchange, makes it tough. I will surely get complaints when my clients > can't get an email from someone outside. If you are being seriously DOS'ed then your clients won't get their e-mail anyway. Other sendmail utilities I forgot to mention that I use are: require_rdns which checks for valid PTR records etc. I have hacked my version so that it always gives 451 errors and not fatal errors. However it does require lots of manual whitelisting of non-compliant but valid systems, which is a drag. I rely on users responding to a daily report on blocked mail that I send out to contact me for whitelisting. and smf-sav which does both recipient verification (replacement for milter-ahead) and sender verification. A new version (v1.4.0) is coming out tomorrow which should offer sender verification that is flexible enough to install on a production system (with the current version I am using recipient verification only). It will also have the benefit of slowing down connections and reducing the CPU load. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From sk at foundationcenter.org Tue Oct 24 22:29:11 2006 
From: sk at foundationcenter.org (Sukh Khehra)
Date: Tue Oct 24 22:27:51 2006
Subject: bypass mailscanner for certain senders
In-Reply-To: <7B644D3DEEE2594981C2B8FFAC1737D189F6B7@fcmail.nycnt1a.fdncenter.org>
Message-ID: <7B644D3DEEE2594981C2B8FFAC1737D189F6B9@fcmail.nycnt1a.fdncenter.org>

Hi

I was wondering if I can have mailscanner not do anything to the messages
based on the originating IP address. For a given sender, I want it to simply
grab the message from the MTA incoming queue ( in my case the postfix hold
directory ) and place it in the MTA outgoing queue without performing any of
the tests on it. The alternative solution would be to have postfix not put
the message in the hold queue to begin with for certain senders.

Anyone know how to do either one of these? I'd appreciate the help.

Regards,
Sukh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061024/5e760af3/attachment.html

From ssilva at sgvwater.com Tue Oct 24 22:29:12 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 22:29:46 2006 Subject: Dictionary Attacks In-Reply-To: <453E72D3.4090600@pixelhammer.com> References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> <7.0.1.0.0.20061024150124.08445848@1bigthink.com> <453E72D3.4090600@pixelhammer.com> Message-ID: DAve spake the following on 10/24/2006 1:08 PM: > Scott Silva wrote: >> dnsadmin 1bigthink.com spake the following on 10/24/2006 12:06 PM: >>> At 02:41 PM 10/24/2006, you wrote: >>> >>>> You may want to use iptables (or whatever your firewall uses) to >>>> rate-limit incoming connections. >>>> >>>> Although you are probably under attack by a spam zombie army, I'm sure >>>> some of those connections must be coming from repeated IPs. Set it so >>>> that no more than, say, 4 connections in the last 60 seconds can come >>>> in to your smtp port from the same ip address. Legit servers will >>>> probably not be affected, but spam zombies will have a hard time >>>> getting to you. >>>> >>>> something like: >>>>
>>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
>>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
>>>> >>>> for example... >>>> >>>> Martin Hepworth wrote: >>>>> DAve wrote: >>>>>> I spoke too soon last week. Starting Friday we came under a heavy old >>>>>> fashioned dictionary attack. Each day from noon until 4pm EDT. >>>>>> >>>>>> The IPs are so widely scattered it seems it would do no good to >>>>>> track them. Right now milter-grey is consuming over 50% of my CPUs. >>>>>> If it follows the same course as the prior days, about the time the >>>>>> attack on one server starts to ease up it will increase on the next >>>>>> server.
>>>>>> >>>>>> Milter-ahead is dealing with the connections that return. It could >>>>>> turn into a DOS with a few thousand more connections. Funny but >>>>>> there are so many connections for non-existent accounts that my load >>>>>> has fallen nearly to the floor. There is no traffic for MailScanner >>>>>> to operate on, the server is so dang busy telling zombies to go away. >>>>>> >>>>>> There has to be a better way to make a living than this 8^( >>>>>> >>>>>> DAve >>>>> Dave >>>>> >>>>> if you've paid for milter-ahead shouldn't it merely reject rcpt-to >>>>> that don't exist???? >>>>> >>>>> Or is it the sheer number of connections that are killing you? >>> All very good advice.. I don't know if the milter-ahead will work. I >>> know that the iptables advice will not.. but only because the dictionary >>> attacks that I am seeing are almost PERFECTLY distributed. It is a bot >>> army attacking with IP addresses maybe repeating twice in hundreds of >>> tries. >>> >>> I've been watching them with paralysis since late last week. Can't >>> figure anything to throw at them that wouldn't trip some of my outside >>> users. >>> >>> They are attacking a domain with five users and aren't going to get much >>> ;>). >>> >>> Cheers! >> Are you using ratecontrol in sendmail? >> http://www.technoids.org/dossed.html >> You can let in people you know easily, and slow down the rest of the >> world. >> >> > > Same here, the IP addresses are all over the map and nearly never a > connection from the same IP. That may be Greylisting's fault though > keeping them at bay, and not allowing me to see a trend. > > Two of the servers are due for upgrades very soon and do not have some > of the better features of the newest Sendmail. We are beating them back, > but I would prefer to not have to battle this every week. > > Right now, today, I would get on board a Spamming = Capital Punishment > platform.
If it were anything else, bullhorn over a fence, running into > traffic with a sign, dumping a million pamphlets into a Super Bowl from > the air, they would be arrested. > > I need a drink. > > DAve > Instead they ( the evil spammers) sue the people intent on stopping them, and anybody even slightly connected. I think I'll join you in needing a drink! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From sk at foundationcenter.org Tue Oct 24 22:35:06 2006 From: sk at foundationcenter.org (Sukh Khehra) Date: Tue Oct 24 22:33:46 2006 Subject: bypass mailscanner for certain senders In-Reply-To: <7B644D3DEEE2594981C2B8FFAC1737D189F6B9@fcmail.nycnt1a.fdncenter.org> Message-ID: <7B644D3DEEE2594981C2B8FFAC1737D189F6BA@fcmail.nycnt1a.fdncenter.org> Hi I was wondering if I can have mailscanner not do anything to the messages based on the originating IP address. For a given sender, I want it to simply grab the message from the MTA incoming queue ( in my case the postfix hold directory ) and place it in the MTA outgoing queue without performing any of the tests on it. The alternative solution would be to have postfix not put the message in the hold queue to begin with for certain senders. Anyone know how to do either one of these? I'd appreciate the help. Regards, Sukh From evan at espphotography.com Tue Oct 24 22:43:20 2006 
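The per-source limit quoted in the Dictionary Attacks thread above, and the objection that the attacking addresses almost never repeat, replayed over constructed traffic. This is an added example, not code from any poster: the limiter is a simplified model rather than the kernel's exact bookkeeping, and the addresses, counts and function names are made up for illustration.

```python
from collections import Counter, defaultdict, deque


def per_source_limit(events, window=60, hitcount=4):
    """Return the events a per-source connection limit would drop.

    Simplified model of the limit described in the thread: once a source has
    made `hitcount` attempts inside the last `window` seconds, further
    attempts are dropped, and dropped attempts still count against it.
    events: (timestamp_seconds, source_ip, legit) tuples sorted by time.
    """
    recent = defaultdict(deque)          # source_ip -> timestamps still in window
    dropped = []
    for event in events:
        ts, ip, _legit = event
        hits = recent[ip]
        while hits and ts - hits[0] >= window:
            hits.popleft()               # expire attempts older than the window
        if len(hits) >= hitcount:
            dropped.append(event)
        hits.append(ts)
    return dropped


def summarize(events, window=60, hitcount=4):
    """Count what the limiter dropped, split by the constructed ground truth."""
    per_ip = Counter(ip for _, ip, _ in events)
    dropped = per_source_limit(events, window, hitcount)
    return {
        "attempts": len(events),
        "sources": len(per_ip),
        "max_per_source": max(per_ip.values()),
        "dropped_attack": sum(1 for _, _, legit in dropped if not legit),
        "dropped_legit": sum(1 for _, _, legit in dropped if legit),
    }


# --- Constructed traffic (documentation address ranges, not from the thread) ---

def single_source(n=24, step=5):
    """One host hammering the port every `step` seconds."""
    return [(i * step, "203.0.113.7", False) for i in range(n)]


def distributed(n=200, pool=100):
    """One attempt per second, each address reused at most n/pool times."""
    return [(i, f"198.51.100.{i % pool + 1}", False) for i in range(n)]


def busy_relay(n=8, start=10, step=2):
    """A legitimate relay delivering a burst of mail from one address."""
    return [(start + i * step, "192.0.2.25", True) for i in range(n)]


def mixed():
    """The distributed attack with the legitimate burst interleaved."""
    return sorted(distributed() + busy_relay())


if __name__ == "__main__":
    for name, events in (("single source", single_source()), ("mixed", mixed())):
        print(name, summarize(events))
```

In the mixed run the only connections dropped belong to the legitimate relay, which is the "trip some of my outside users" outcome described in the thread.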
From: evan at espphotography.com (Evan Platt) Date: Tue Oct 24 22:43:15 2006 Subject: OT: What will they think of next In-Reply-To: <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> References: <453E76F2.50908@nkpanama.com> <200610242030.NAA15422@partners7.yack.com> <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> Message-ID: <200610242126.OAA02589@partners7.yack.com> At 02:18 PM 10/24/2006, you wrote: >Works for me... Not pretty indeed:-( >At times, flipping burgers as a career choice looks up and coming:-) Works now. Yep.. dots or static to throw off the OCR. I've seen quite a few that show a picture of a browser and telling you to type in your browser... From ssilva at sgvwater.com Tue Oct 24 22:44:56 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 22:46:17 2006 Subject: Inbox fles and possible bug In-Reply-To: <453E68D6.5040309@nkpanama.com> References: <20061024183715.M93501@konsultex.com.br> <453E68D6.5040309@nkpanama.com> Message-ID: Alex Neuman spake the following on 10/24/2006 12:26 PM: > Miguel Koren OBrien de Lacy wrote: >> Gentlemen; >> >> >> My conclusion is that dovecot is particularly intolerant of the file >> format but also that something is putting in the blank line. > Very true. >> The blank line does not have space characters, just a line break. My >> prime suspect at the moment for doing this is MailScanner because it >> works on the emails before final delivery. I think that this user gets >> some type of email content that causes Mail Scanner to insert the >> spurious character at the start of the header and that if this happens >> with the first email received after the mailbox is emptied, the >> problem happens. >> >> So the questions are if anybody has seen a similar problem and if my >> theory about a subtle "bug" in MailScanner makes sense? >> >> > More likely a bug in how messages get picked up, scanned, and put in the > mailbox. I haven't been able to reproduce the behaviour, but I *have* > noticed that the problem doesn't present itself when "Max Children =1", > and I've noticed it happen only when dovecot is reading the inboxes. You should also make sure that dovecot and mailscanner are using compatible locking (flock VS fcntl). I think you would use flock with sendmail 8.12 or older, and fcntl with 8.13 on. > > What I've done in the meantime when a corrupted message (or line within > an mbox file) doesn't allow the user to read mail is: > > 1. Rename the mbox file > 2. do the following > formail -s sendmail user@yourdomain.tld < renamed.mbox.file > > Usually this means that if the user was using POP and leaving messages > on the server for an X amount of days, those messages will be > redelivered "as new".
>> Miguel >> >> -- >> Konsultex Informatica (http://www.konsultex.com.br) >> >> >> > -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Oct 24 22:47:20 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 22:50:40 2006 Subject: Inbox fles and possible bug In-Reply-To: <453E73BB.9070500@nkpanama.com> References: <20061024183715.M93501@konsultex.com.br> <453E73BB.9070500@nkpanama.com> Message-ID: Alex Neuman spake the following on 10/24/2006 1:12 PM: > Scott Silva wrote: >> Mailscanner is not involved in this by the time the mail hits >> /var/spool/mail. >> It is either your local delivery agent (maybe procmail), or a known >> issue with >> Dovecot and Outlook. See >> >> http://wiki.dovecot.org/Clients#head-603ef86194a337dc45305f89f8a1378dfcaa8146 >> >> >> > If it's procmail then, what possible workarounds/diags could one implement? Check if dovecot and mailscanner are using the same type of locking. I have mine at fcntl to go with the newer sendmail (8.13). -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Oct 24 22:50:12 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 22:56:06 2006 Subject: OT: What will they think of next In-Reply-To: <453E76F2.50908@nkpanama.com> References: <453E76F2.50908@nkpanama.com> Message-ID: Alex Neuman spake the following on 10/24/2006 1:26 PM: > I just finished setting up FuzzyOCR. Guess what greets me a few minutes > later: > > http://nkpanama.com/results.gif > > Now spammers are adding noise so OCR won't work. > > Jeez. > > Now that last suggestion about capital punishment for spammers is > starting to sound interesting. Do these messages hit on the sare_stocks rule? You would have to figure that the more evil spammers are reading the lists to see what is being done to thwart their vile wares! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From drew at technologytiger.net Tue Oct 24 23:09:04 2006 
From: drew at technologytiger.net (Drew Marshall) Date: Tue Oct 24 23:09:11 2006 Subject: OT: What will they think of next In-Reply-To: <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> References: <453E76F2.50908@nkpanama.com> <200610242030.NAA15422@partners7.yack.com> <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> Message-ID: <8EBF9500-C22D-4B61-90DA-AEF85B4B9A4C@technologytiger.net> On 24 Oct 2006, at 22:18, Glenn Steen wrote: > On 24/10/06, Evan Platt wrote: >> At 01:26 PM 10/24/2006, you wrote: >> >I just finished setting up FuzzyOCR. Guess what greets me a few >> minutes later: >> > >> >http://nkpanama.com/results.gif >> > >> >Now spammers are adding noise so OCR won't work. >> > >> >Jeez. >> > >> >Now that last suggestion about capital punishment for spammers is >> >starting to sound interesting. >> >> http://nkpanama.com/results.gif is giving a 404? >> > Works for me... Not pretty indeed:-( > At times, flipping burgers as a career choice looks up and coming:-) Yeah, seen one of those before too :-( I can't tell you if that's a good deal or not, MailScanner does a reasonable job on the rest so I have nothing much to compare to ;-) Drew From andy at tireswing.net Tue Oct 24 23:11:17 2006
From: andy at tireswing.net (Andy Norris) Date: Tue Oct 24 23:11:17 2006 Subject: Dictionary Attacks In-Reply-To: References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> <7.0.1.0.0.20061024150124.08445848@1bigthink.com> <453E72D3.4090600@pixelhammer.com> Message-ID: <6.2.3.4.2.20061024170822.0262e660@mail.tireswing.net> > > I need a drink. > > > > DAve > > >Instead they ( the evil spammers) sue the people intent on stopping them, and >anybody even slightly connected. >I think I'll join you in needing a drink! My frustration with the deluge of spam of late has gotten to the point that I'm fairly convinced I will stop the spam filtering on the domain of the next user that bitches to me about the spam they're getting. Then they can see what spam they've *not* been getting. Where's the drinking happening? It's just past five here...! Andy From ssilva at sgvwater.com Tue Oct 24 23:14:54 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 23:16:16 2006 Subject: Amazing number of bounces In-Reply-To: <002b01c6f7aa$dcda41b0$0705000a@DDF5DW71> References: <002b01c6f7aa$dcda41b0$0705000a@DDF5DW71> Message-ID: Steve Campbell spake the following on 10/24/2006 1:27 PM: > I don't know if anyone else is getting attacked like my domains are, but > these "Rave reviews ..." emails are being returned at a very alarming > rate. I am seeing the bounces from all of these mailservers who don't > check anything apparently, and even though none so far are from my IPs, > they send them back to the return address. What a golden opportunity to > promote the no-bounce idea that Julian has forever preached. > > And BTW, has anyone else figured out how to handle these other than > killing the blank return address emails? > > Steve Campbell > campbell@cnpapers.com > Charleston Newspapers > > I think milter-null is supposed to help, but I haven't tried it yet. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Oct 24 23:24:16 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 23:24:52 2006 Subject: OT: What will they think of next In-Reply-To: <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> References: <453E76F2.50908@nkpanama.com> <200610242030.NAA15422@partners7.yack.com> <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> Message-ID: Glenn Steen spake the following on 10/24/2006 2:18 PM: > On 24/10/06, Evan Platt wrote: >> At 01:26 PM 10/24/2006, you wrote: >> >I just finished setting up FuzzyOCR. Guess what greets me a few >> minutes later: >> > >> >http://nkpanama.com/results.gif >> > >> >Now spammers are adding noise so OCR won't work. >> > >> >Jeez. >> > >> >Now that last suggestion about capital punishment for spammers is >> >starting to sound interesting. >> >> http://nkpanama.com/results.gif is giving a 404? >> > Works for me... Not pretty indeed:-( > At times, flipping burgers as a career choice looks up and coming:-) > I've been leaning toward bartending. At least I can lart the lusers and no one complains! As long as I don't become my best customer!! ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Oct 24 23:20:11 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 24 23:25:13 2006 Subject: bypass mailscanner for certain senders In-Reply-To: <7B644D3DEEE2594981C2B8FFAC1737D189F6BA@fcmail.nycnt1a.fdncenter.org> References: <7B644D3DEEE2594981C2B8FFAC1737D189F6B9@fcmail.nycnt1a.fdncenter.org> <7B644D3DEEE2594981C2B8FFAC1737D189F6BA@fcmail.nycnt1a.fdncenter.org> Message-ID: Sukh Khehra spake the following on 10/24/2006 2:35 PM: > Hi I was wondering if I can have mailscanner not do anything to the > messages based on the originating IP address. For a given sender, I want > it to simply grab the message from the MTA incoming queue ( in my case > the postfix hold directory ) and place it in the MTA outgoing queue > without performing any of the tests on it. > > The alternative solution would be to have postfix not put the message in > the hold queue to begin with for certain senders. Anyone know how to do > either one of these? I'd appreciate the help. > > Regards, > Sukh > Look at this option;
# The purpose of this option is to set it to be a ruleset, so that you
# can skip all scanning of mail destined for some of your users/customers
# and still scan all the rest.
# A sample ruleset would look like this:
# To: bad.customer.com no
# From: ignore.domain.com no
# FromOrTo: default yes
# That will scan all mail except mail to bad.customer.com and mail from
# ignore.domain.com. To set this up, put the 3 lines above into a file
# called /etc/MailScanner/rules/scan.messages.rules and set the next line to
# Scan Messages = %rules-dir%/scan.messages.rules
# This can also be the filename of a ruleset (as illustrated above).
Scan Messages = %rules-dir%/scan.messages.rules
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From campbell at cnpapers.com Tue Oct 24 23:41:13 2006
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Oct 24 23:41:28 2006 Subject: Amazing number of bounces In-Reply-To: <453E7E61.6000105@nkpanama.com> References: <002b01c6f7aa$dcda41b0$0705000a@DDF5DW71> <453E7E61.6000105@nkpanama.com> Message-ID: <1161729673.453e9689cf997@perdition.cnpapers.net> Quoting Alex Neuman : > Steve Campbell wrote: > > I don't know if anyone else is getting attacked like my domains are, > > but these "Rave reviews ..." emails are being returned at a very > > alarming rate. I am seeing the bounces from all of these mailservers > > who don't check anything apparently, and even though none so far are > > from my IPs, they send them back to the return address. What a golden > > opportunity to promote the no-bounce idea that Julian has forever > > preached. > > > > And BTW, has anyone else figured out how to handle these other than > > killing the blank return address emails? > > > > Steve Campbell > > campbell@cnpapers.com > > Charleston Newspapers > > > > > Greylisting? Throttling? > -- I guess that might work, but these are valid (in the sense that the original recipient is invalid) bounces and will probably keep on coming at me. I think I know the answer - there is no real answer other than killing off the bounces. I sort of was just venting about these useless "postmasters" who don't check SPF, IPs, HELOs, and all the other stuff before they turn the mail around back to some innocent recipient. These are coming back from everywhere and aren't originating here. OK, I feel better. Thanks though. Steve From mike at vesol.com Tue Oct 24 23:50:42 2006
From: mike at vesol.com (Mike Kercher) Date: Tue Oct 24 23:51:13 2006 Subject: Dictionary Attacks In-Reply-To: <6.2.3.4.2.20061024170822.0262e660@mail.tireswing.net> Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on : > > My frustration with the deluge of spam of late has gotten to > the point that I'm fairly convinced I will stop the spam > filtering on the domain of the next user that bitches to me > about the spam they're getting. Then they can see what spam > they've *not* been getting. > I've done that before. And if they're REALLY pissy, I'll change my config to forward them ALL of the spam for other domains as well. They come crawling back in no time. Mike From ssilva at sgvwater.com Wed Oct 25 00:40:27 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 25 00:40:39 2006 Subject: Dictionary Attacks In-Reply-To: <6.2.3.4.2.20061024170822.0262e660@mail.tireswing.net> References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> <7.0.1.0.0.20061024150124.08445848@1bigthink.com> <453E72D3.4090600@pixelhammer.com> <6.2.3.4.2.20061024170822.0262e660@mail.tireswing.net> Message-ID: Andy Norris spake the following on 10/24/2006 3:11 PM: > >> > I need a drink. >> > >> > DAve >> > >> Instead they ( the evil spammers) sue the people intent on stopping >> them, and >> anybody even slightly connected. >> I think I'll join you in needing a drink! > > > My frustration with the deluge of spam of late has gotten to the point > that I'm fairly convinced I will stop the spam filtering on the domain > of the next user that bitches to me about the spam they're getting. Then > they can see what spam they've *not* been getting. > > Where's the drinking happening? It's just past five here...! > > Andy > > I say we fire back at the spammers! ,: ,' | / : --' / \/ />/ / References: Message-ID: <453EA555.8010209@enitech.com.au> Mike Kercher wrote: > mailscanner-bounces@lists.mailscanner.info <> scribbled on : > > >> My frustration with the deluge of spam of late has gotten to >> the point that I'm fairly convinced I will stop the spam >> filtering on the domain of the next user that bitches to me >> about the spam they're getting. Then they can see what spam >> they've *not* been getting. >> > > I've done that before. And if they're REALLY pissy, I'll change my > config to forward them ALL of the spam for other domains as well. They > come crawling back in no time. > > Mike This is a big problem for me at the moment. I am under attack from users more than spammers. 
At the moment there is a lot of negative talk about the solution we use (MS, SA, MW) because they are getting the stock picture spam, and we stop 1 in 10000 as false positives. Is there any reported info on the web I can use to illustrate that there is a world wide increase in the volume of spam, spammers have far more resources than we do etc etc? Our volume of spam has more than quadrupled in the past 5 months. From andy at tireswing.net Wed Oct 25 00:59:34 2006
From: andy at tireswing.net (Andy Norris) Date: Wed Oct 25 01:00:49 2006 Subject: Dictionary Attacks In-Reply-To: <453EA555.8010209@enitech.com.au> References: <453EA555.8010209@enitech.com.au> Message-ID: <6.2.3.4.2.20061024185504.025dcd90@mail.tireswing.net> When we -- our little company -- talk about how many servers we'll need, it's just stupid that we have to consider spam filtering as the major load. Spammers cost everyone but themselves money. How many of us on this list would have thought -- just five years ago -- that we'd be working part-time / full-time / ALL THE TIME just dealing with other people's junk mail?? Not really sure this is what I wanted to do with my life. I was looking at the Worst Ten on the Spamhaus site last night, and had fantasies of a nature that I cannot put into words on a public forum. ;-) Hey! Where's my beer?! At 06:44 pm 2006-10-24, Peter Russell wrote: >This is a big problem for me at the moment. I am under attack from >users more than spammers. At the moment there is a lot of negative >talk about the solution we use (MS, SA, MW) because they are getting >the stock picture spam, and we stop 1 in 10000 as false positives. > >Is there any reported info on the web I can use to illustrate that >there is a world wide increase in the volume of spam, spammers have >far more resources than we do etc etc? > >Our volume of spam has more than quadrupled in the past 5 months. >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! From miguelk at konsultex.com.br Wed Oct 25 01:22:13 2006
From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy) Date: Wed Oct 25 01:22:21 2006 Subject: Inbox fles and possible bug In-Reply-To: References: <20061024183715.M93501@konsultex.com.br> <453E73BB.9070500@nkpanama.com> Message-ID: <20061025000957.M1727@konsultex.com.br> I saw that dovecot.conf has fcntl enabled. My MailScanner has the default:
# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "posix".
# For sendmail 8.12 and older, you will probably need to change it to flock,
# particularly on Linux systems.
# For Exim, it defaults to "posix".
# No other type is implemented.
Lock Type =
Can I put fcntl there? The comments seem to indicate that this is not so. Or should I set dovecot *and* MailScanner to flock? Miguel -- Konsultex Informatica (http://www.konsultex.com.br) ---------- Original Message -----------
From: Scott Silva To: mailscanner@lists.mailscanner.info Sent: Tue, 24 Oct 2006 14:47:20 -0700 Subject: Re: Inbox fles and possible bug > Alex Neuman spake the following on 10/24/2006 1:12 PM: > > Scott Silva wrote: > >> Mailscanner is not involved in this by the time the mail hits > >> /var/spool/mail. > >> It is either your local delivery agent (maybe procmail), or a known > >> issue with > >> Dovecot and Outlook. See > >> > >> http://wiki.dovecot.org/Clients#head-603ef86194a337dc45305f89f8a1378dfcaa8146 > >> > >> > >> > > If it's procmail then, what possible workarounds/diags could one implement? > Check if dovecot and mailscanner are using the same type of locking. I have > mine at fcntl to go with the newer sendmail (8.13). > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! ------- End of Original Message ------- From bmp at univexsystems.com Wed Oct 25 01:56:44 2006 From: bmp at univexsystems.com (Brian Parish) Date: Wed Oct 25 01:57:37 2006 Subject: Ruleset to lock domain to IP address Message-ID: <453EB64C.8070707@univexsystems.com> We plan to introduce some premium filtering options for some domains. This will result in all incoming mail to a given domain arriving from a single known IP address. To prevent "back-dooring" we'd like to lock that in so any incoming mail to a given domain from any other IP address is rejected or dropped. Can I create a ruleset to achieve that? TIA Brian From mike at vesol.com Wed Oct 25 01:58:26 2006
From: mike at vesol.com (Mike Kercher) Date: Wed Oct 25 01:59:02 2006 Subject: Inbox fles and possible bug In-Reply-To: <20061025000957.M1727@konsultex.com.br> Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on : > I saw that dovecot.conf has fcntl enabled. My MailScanner has > the default: >
> # How to lock spool files.
> # Don't set this unless you *know* you need to.
> # For sendmail, it defaults to "posix".
> # For sendmail 8.12 and older, you will probably need to change it to flock,
> # particularly on Linux systems.
> # For Exim, it defaults to "posix".
> # No other type is implemented.
> Lock Type =
> > Can I put fcntl there? The comments seem to indicate that > this is not so. Or should I set dovecot *and* MailScanner to flock? > > Miguel Your locking options for MailScanner are posix or flock. Use posix for sendmail-8.13.x and flock for 8.12 and lower. Since MailScanner is not responsible for delivery to mailboxes, I don't think this is going to be your solution. Mike From res at ausics.net Wed Oct 25 03:04:40 2006 From: res at ausics.net (Res) Date: Wed Oct 25 03:04:51 2006 Subject: OT : need to find some rack space In-Reply-To: <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com> References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com> Message-ID: On Tue, 24 Oct 2006, Colocation Colocation wrote: > Rackspace are super-awesome, however they do not provide colocation, just > managed dedicated servers. > > I have a couple of servers with them and I have not had a problem in two > years, not one! you're lucky, I know of several, so I guess they are just like any other hosting company, some users have no problems and some users do. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Wed Oct 25 03:07:43 2006
From: res at ausics.net (Res) Date: Wed Oct 25 03:07:56 2006 Subject: OT: Spamhaus petition rejected - followup from previous discussion In-Reply-To: <453E3EBE.50706@sbcglobal.net> References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> <453E218C.1050908@sendit.nodak.edu> <453E3EBE.50706@sbcglobal.net> Message-ID: Richard Frovarp wrote: >> >> Because Spamhaus said so! They told the state court they have no >> jurisdiction. They asked for the case to be moved to the federal >> court. Then they decided that the federal court didn't have >> jurisdiction, and didn't show up. If you don't show up for your case, >> you lose. I think that is pretty standard around the world. Read this: Why should they turn up if they have no jurisdiction? The US courts do not get to tell an organisation of any other country what they can and can't do.. period. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From alex at nkpanama.com Wed Oct 25 03:31:08 2006 From: alex at nkpanama.com (Alex Neuman) Date: Wed Oct 25 03:32:16 2006 Subject: Inbox fles and possible bug In-Reply-To: References: <20061024183715.M93501@konsultex.com.br> <453E68D6.5040309@nkpanama.com> Message-ID: <453ECC6C.5000205@nkpanama.com> Scott Silva wrote: > > You should also make sure that dovecot and mailscanner are using compatible > locking (flock VS fcntl). I think you would use flock with sendmail 8.12 or > older, and fcntl with 8.13 on. > Just to make sure we're on the same page, would you know what to check in: MailScanner.conf sendmail itself dovecot.conf in order to check everyone's using the same locking mechanism? From alex at nkpanama.com Wed Oct 25 03:32:06 2006
From: alex at nkpanama.com (Alex Neuman) Date: Wed Oct 25 03:33:04 2006 Subject: Inbox fles and possible bug In-Reply-To: References: Message-ID: <453ECCA6.4020009@nkpanama.com> Mike Kercher wrote: > Since MailScanner is not responsible for delivery to mailboxes, I don't > think this is going to be your solution. > > Mike > That's why I think it might have to do with procmail's local delivery. Anybody here know how to make sure procmail plays nice? From res at ausics.net Wed Oct 25 03:34:46 2006
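Why the lock family has to match between programs that share a mailbox file, as discussed in the "Inbox fles and possible bug" thread above. This is an added example, not code from the thread or from any of the programs named in it: on Linux local filesystems flock() locks and fcntl() (POSIX) locks are tracked separately, so a program using one family never sees a lock taken with the other. The temporary file stands in for an mbox, and the function names are this example's own.

```python
import fcntl
import os
import tempfile

LOCKERS = {
    # BSD-style lock, attached to the open file description.
    "flock": lambda fd: fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB),
    # POSIX record lock set through fcntl(F_SETLK), attached to the process.
    "fcntl": lambda fd: fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB),
}


def other_process_can_lock(path, family):
    """Fork a child that tries a non-blocking exclusive lock of `family`.

    Returns True when the child was granted the lock, i.e. when the lock the
    parent already holds did NOT keep the second program out.
    """
    pid = os.fork()
    if pid == 0:                          # child: report the result as exit code
        status = 1
        try:
            fd = os.open(path, os.O_RDWR)
            LOCKERS[family](fd)
            status = 0                    # lock granted
        except OSError:
            status = 1                    # refused: the file is already locked
        finally:
            os._exit(status)
    _, wait_status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(wait_status) == 0


def lock_matrix():
    """Map (holder_family, contender_family) -> contender also got the lock."""
    results = {}
    with tempfile.NamedTemporaryFile() as mbox:      # stand-in for a mailbox file
        for holder in LOCKERS:
            fd = os.open(mbox.name, os.O_RDWR)
            try:
                LOCKERS[holder](fd)                  # first program takes its lock
                for contender in LOCKERS:
                    results[(holder, contender)] = other_process_can_lock(
                        mbox.name, contender)
            finally:
                os.close(fd)                         # closing releases the lock
    return results


if __name__ == "__main__":
    for (holder, contender), granted in sorted(lock_matrix().items()):
        verdict = "BOTH hold an exclusive lock" if granted else "second one is kept out"
        print(f"holder={holder:5}  contender={contender:5}  ->  {verdict}")
```

Only the matching pairs keep the second process out; with mismatched families both processes believe they own the file, which is the condition under which two writers can interleave data in an mbox.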
From: res at ausics.net (Res) Date: Wed Oct 25 03:35:10 2006 Subject: OT: Spamhaus petition rejected - followup from previous discussion In-Reply-To: <453E218C.1050908@sendit.nodak.edu> References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> <453E218C.1050908@sendit.nodak.edu> Message-ID: On Tue, 24 Oct 2006, Richard Frovarp wrote: > Res wrote: >> On Mon, 23 Oct 2006, Michael Masse wrote: >> >>> http://management.silicon.com/government/0,39024677,39163463,00.htm >> >> typical yanks, why is it they think the rest of the world is subject to >> their courts jurisdiction. one day they'll wake up and smell the coffee, >> they are not earths governing body despite what they think :) > Because Spamhaus said so! They told the state court they have no > jurisdiction. They asked for the case to be moved to the federal court. Then > they decided that the federal court didn't have jurisdiction, and didn't show They prolly got better legal advice that said WTF are you doing. if they are UK based which they are, then the best this low life scumbag spammer company can do, is to challenge SH in the UK court system. > I would check out Dow Jones & Co. Inc v Gutnick. This case didn't go all the > way to judgment, but the High Court of Australia decided unanimously that > content on US servers could count as defamation in Australia. Dow Jones That was an interesting case, yes, but it differs because ... "His Honour concluded that the statements of which Mr Gutnick sought to complain were "published in the State of Victoria when downloaded by Dow Jones subscribers who had met Dow Jones's payment and performance conditions and by the use of their passwords". " So In essence DJ were providing a paid service to Australian residents. If it was a free access site good chance DJ would have got away with it. If DJ did not offer payment for services in this country they would have got away with it. If they did not import the W.S.J into Australia they would have got away with it. 
(I'm surprised that was not mentioned)

S.H do not charge for the use of their service so would not be in the same class as this case. The Australian Spam Act is what protects SH here, just like the courts here threw out that well known t3 direct spam group when they tried to do something along the same sort of lines.

-- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Oct 25 04:39:47 2006
From: res at ausics.net (Res) Date: Wed Oct 25 04:40:02 2006 Subject: OT: Spamhaus petition rejected - followup from previous discussion In-Reply-To: References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> <453E218C.1050908@sendit.nodak.edu> Message-ID:

On Wed, 25 Oct 2006, Res wrote:
> If they did not import the W.S.J into Australia they would have got away with it. (I'm surprised that was not mentioned)

I have been corrected by a colleague of mine who recalls the case better than I, apparently there were several copies of the WSJ purchased in Vict newsagents presented in evidence :)

-- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From jimc at laridian.com Wed Oct 25 05:37:51 2006
From: jimc at laridian.com (Jim Coates) Date: Wed Oct 25 05:40:02 2006 Subject: RCVD_IN_BSP_TRUSTED In-Reply-To: <453D9650.3020303@enitech.com.au> Message-ID: <013901c6f7ef$553a5b10$6401a8c0@zorak> >> >> Is it any big deal to upgrade SpamAssassin when it is working with >> MailScanner? >> >> Thanks, >> Jim >> >www.mailscanner.info download and install the clamav and sa package that >Jules maintains at the current release. Installs everything you need to >upgrade/install SA. Will Julian's "easy install" for ClamAV and SpamAssassin work for a FreeBSD machine that is already running an older version of SpamAssassin and ClamAV? I'd like to bring everything up to date, but the FreeBSD ports are a little behind. I wasn't sure whether the install.sh from Julian's download would install in the same directories etc that FreeBSD uses (which tend to be different from everyone else). Thanks, Jim From drew at technologytiger.net Wed Oct 25 08:04:09 2006 
From: drew at technologytiger.net (Drew Marshall) Date: Wed Oct 25 08:04:21 2006 Subject: RCVD_IN_BSP_TRUSTED In-Reply-To: <013901c6f7ef$553a5b10$6401a8c0@zorak> References: <013901c6f7ef$553a5b10$6401a8c0@zorak> Message-ID: <21797DB1-8781-4E20-970A-625A60E4CDB7@technologytiger.net>

On 25 Oct 2006, at 05:37, Jim Coates wrote:
>>> Is it any big deal to upgrade SpamAssassin when it is working with MailScanner?
>>>
>>> Thanks,
>>> Jim
>
>> www.mailscanner.info download and install the clamav and sa package that Jules maintains at the current release. Installs everything you need to upgrade/install SA.
>
> Will Julian's "easy install" for ClamAV and SpamAssassin work for a FreeBSD machine that is already running an older version of SpamAssassin and ClamAV? I'd like to bring everything up to date, but the FreeBSD ports are a little behind.

Yes but it will be messy as it won't follow the BSD file structure and there is a good chance that there will be libraries that won't be found as they are somewhere else in BSD.

> I wasn't sure whether the install.sh from Julian's download would install in the same directories etc that FreeBSD uses (which tend to be different from everyone else).

No. I would use the ports. They aren't that far behind (although the MailScanner port is one version lower currently as Jan-Peter hasn't got round to updating it yet). Don't forget to 'cvsup' your ports tree to make sure.

Drew

From MCG at mpsistemas.es Wed Oct 25 08:54:51 2006
From: MCG at mpsistemas.es (MANUEL CANSECO GARCIA) Date: Wed Oct 25 08:55:05 2006 Subject: Per domain Whitelist Message-ID:

Hello, is it possible to configure a per-domain whitelist? I configured a file spam.whitelist.rules, but this appears to be configured with IP addresses...

Thanks.

From r.berber at computer.org Wed Oct 25 10:09:37 2006
From: r.berber at computer.org (René Berber) Date: Wed Oct 25 10:09:59 2006 Subject: OT: What will they think of next In-Reply-To: <453E76F2.50908@nkpanama.com> References: <453E76F2.50908@nkpanama.com> Message-ID:

Alex Neuman wrote:
> I just finished setting up FuzzyOCR. Guess what greets me a few minutes later:
>
> http://nkpanama.com/results.gif
>
> Now spammers are adding noise so OCR won't work.

Playing with gocr's (v.0.41) options a little, it does recognize some of it, enough I think to can the spam...

$ gocr -d 4 examples/results.gif
giftopnm: Reading Image Sequence 0
__- ___ __ fREMIEq f {ARMAcY t Lovvest VIAGRA, _IALIS, LEV)TRA Onllne Prlce I _VIAG_ 3081349_ __CIALIS _30 81699S _ VALIl)i_ 30 _85 4S __ ScMA 30 $75 95 _Ik7''I,,3D$6495 _AM_IEN 30$l_O99 _ xANAx 3o $l_34s t uI_RAson so $_so99 _ Mew__ALI_son 3o $__9s _ Sa_e up to 8D'_o on your pfescrIptIon Mgd???I __G Do mt clIck _pe In y0ur bro vser Ww x rxnn orq

The original result looks like this:

$ gocr examples/results.gif
giftopnm: Reading Image Sequence 0
__'___''''' ' ;' ''i-'"''; '' '''';';'_' '';;' '^ _'''' ' _i''_ 's-''''''_''.'_;';'_'' ;';', ''_' . . ._ __ __, fREMIEqf._{A,RMAcY, , '' _ , _ ' , , ' LO'__eSt, VIA, GR4,t ?, IALISr L. EUI__,_OnI_|ne,_ Pr|Ce! : , _' ' _.IAG_,. 30 _l34,9,_ _ __ '_' _IALIS_ ,_,_.'_,. 30 8,,169',9S , _''__vAjl)i_,,_,_3o,__5,4s_ i_;ScM_ ' ^3,,o $_5,q5 .,._,. , i!R__7_i??_,,_I!__;, 3D $6_,.9_ _ _A,M, BIEN ' 30,__??_O__99,, , _ _ANAx 3o $ l_3:4s ,_ ',t uIMRA son^ ; so ' $_,so ,49 ; ' ,. _i. '_ Mew? LI__son;3o,,$_ ,9 _ ' ' _; , , _ _ Sa_e, u to 8D^_o,'on yo,ur pfescr_pt_o.n_Mgd???! _ , , __ _ _ _; ', __',_: ^,,, - _, ' _ , _ ,,: _ ,,,' Do _t click, _pe in y0ur brj,_,vser Ww_x, rx_n_or_

And I'm not even using ImageMagick which is supposed to be better at converting and cleaning the gif.

-- René Berber

From dave.list at pixelhammer.com Wed Oct 25 14:11:55 2006
From: dave.list at pixelhammer.com (DAve) Date: Wed Oct 25 14:12:22 2006 Subject: Dictionary Attacks In-Reply-To: <453EA555.8010209@enitech.com.au> References: <453EA555.8010209@enitech.com.au> Message-ID: <453F629B.8060900@pixelhammer.com>

Peter Russell wrote:
> Mike Kercher wrote:
>> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>>
>>> My frustration with the deluge of spam of late has gotten to the point that I'm fairly convinced I will stop the spam filtering on the domain of the next user that bitches to me about the spam they're getting. Then they can see what spam they've *not* been getting.
>>
>> I've done that before. And if they're REALLY pissy, I'll change my config to forward them ALL of the spam for other domains as well. They come crawling back in no time.
>>
>> Mike
>
> This is a big problem for me at the moment. I am under attack from users more than spammers. At the moment there is a lot of negative talk about the solution we use (MS, SA, MW) because they are getting the stock picture spam, and we stop 1 in 10000 as false positives.

I don't see how they could complain. My original post on this thread was to A) ask if anyone else was having problems and B) let Julian know that MailScanner was working for us, even under a huge attack. As for stock spam, we use the SARE stock rules, recently updated, and the image info plugin. Both seem to catch the vast majority of the stock spams, very very few slip by. After watching the performance of the new SARE rules we are about to crank them up to "KILL" score they work so well.

> Is there any reported info on the web I can use to illustrate that there is a world wide increase in the volume of spam, spammers have far more resources than we do etc etc?

I would like that as well.

> Our volume of spam has more than quadrupled in the past 5 months.

Hard to tell, we are constantly changing to meet the demands. It certainly feels like it though.
We need to get some stats on the rejections at smtp. I finally gave up last night and added dul.dnsbl.sorbs.net to Sendmail. We now run three RBLs at smtp time. It made an immediate difference, though I am certain there will be problems. Any client who can't send to our servers will just have to start using their ISP's smarthost, as they should be doing anyway. We can no longer afford to be accommodating.

DAve

-- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From brian.duncan at kattenlaw.com Wed Oct 25 14:37:04 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Wed Oct 25 14:37:09 2006 Subject: bypass mailscanner for certain senders Message-ID: <65234743FE1555428435CE39E6AC4078B38AE5@CHI-US-EXCH-01.us.kmz.com>

I use the following (the IP's are just an example of how specific or unspecific you can be - I personally only list the IP's at a /32 level of my internal mail servers that relay through the servers - We already have 2 levels of email virus scanning for inside going out so we do NOT need MailScanner to do outgoing mail)

Change MailScanner.conf line:

Scan Messages = yes

to:

Scan Messages = %rules-dir%/scan.messages.rules

Example scan.messages.rules: (which is located in /etc/MailScanner/rules in my case)

From: 10.1.10.1 no
From: 10.1.10.2 no
From: 10.10. no
From: 10.2.10. no
FromOrTo: default yes

The above will do ALL MailScanner related stuff to ALL messages coming from any other IP other than 10.1.10.1, 10.1.10.2, anything on 10.10.x.x subnet, and anything on 10.2.10.x subnet. All other messages will just be passed through with nothing done to them. So keep this in mind if you still need Virus Scanning done and it's NOT just Spam checking you want to turn off on outgoing mail.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Sukh Khehra
> Sent: Tuesday, October 24, 2006 4:35 PM
> To: mailscanner@lists.mailscanner.info
> Subject: bypass mailscanner for certain senders
>
> Hi I was wondering if I can have mailscanner not do anything to the messages based on the originating IP address. For a given sender, I want it to simply grab the message from the MTA incoming queue ( in my case the postfix hold directory ) and place it in the MTA outgoing queue without performing any of the tests on it.
>
> The alternative solution would be to have postfix not put the message in the hold queue to begin with for certain senders. Anyone know how to do either one of these? I'd appreciate the help.
>
> Regards,
> Sukh

From bpumphrey at woodmclaw.com Wed Oct 25 15:14:00 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Wed Oct 25 15:14:16 2006 Subject: Dictionary Attacks In-Reply-To: <453F629B.8060900@pixelhammer.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C13FCF@woodenex.woodmaclaw.local>

> > Is there any reported info on the web I can use to illustrate that there is a world wide increase in the volume of spam, spammers have far more resources than we do etc etc?

Here are a few links that I found. May be short of what you are looking for but here they are:

http://spamlinks.net/stats.htm#received-big
http://www.commtouch.com/Site/ResearchLab/statistics.asp
http://spam-filter-review.toptenreviews.com/spam-statistics.html
http://www.cmsconnect.com/blog/2005/11/230-increase-in-spam-attacks.html

From alex at nkpanama.com Wed Oct 25 15:26:46 2006
From: alex at nkpanama.com (Alex Neuman) Date: Wed Oct 25 15:27:14 2006 Subject: Per domain Whitelist In-Reply-To: References: Message-ID: <453F7426.2010902@nkpanama.com>

MANUEL CANSECO GARCIA wrote:
> Hello,
> is possible to configure a per domain whitelist???
> i configured a file spam.whitelist.rules but this appear to configure with ipaddress...
> Thanks.

Yes, follow the examples. For clarification:

Yes, you just have to follow the examples. If you look at the file, you can do:

From: 192.168. yes # yes, I want messages from 192.168 to pass freely,
From: *@mpsistemas.es yes # yes, I want messages that claim to be from mpsistemas.es to pass
# (which is not recommended, because it can be forged)

The most appropriate would be, for example,

From: 200.46.52.39 and From: *@nkpanama.com yes # Because it is known that my server has that address, so if it comes from somewhere else it gets checked.

If I didn't explain myself well, let me know.

From Richard.Frovarp at sendit.nodak.edu Wed Oct 25 15:50:56 2006
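The scan.messages.rules and spam.whitelist.rules lines from the two replies above, run through a small Python model to show why a sender-only whitelist entry accepts a forged address while the IP-plus-sender form does not. This is an added example, not MailScanner's code or part of any post: it assumes first-match-wins evaluation with IP patterns compared octet by octet, and the `Message` class, the function names, the `default no` lines and the 203.0.113.50 client are constructed for the illustration.

```python
"""Simplified model of MailScanner-style ruleset matching.

Added example, not MailScanner's own code. Assumptions: rules are tried in
file order and the first match wins, "default" applies when nothing matches,
and numeric patterns are compared octet by octet.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

DIRECTIONS = ("from", "to", "fromorto", "fromandto")


@dataclass
class Message:
    client_ip: str              # address of the connecting SMTP client
    sender: str                 # envelope sender, supplied by the client
    recipients: tuple = ()


def _pattern_hits(pattern, ip, addresses):
    """Match one pattern against an IP (may be None) and a list of addresses."""
    if pattern.replace(".", "").isdigit():
        # "10.10." covers 10.10.x.x; "10.1.10.1" covers only that host.
        want = [octet for octet in pattern.split(".") if octet]
        return ip is not None and ip.split(".")[:len(want)] == want
    return any(fnmatchcase(a.lower(), pattern.lower()) for a in addresses)


def _condition_hits(direction, pattern, msg):
    from_hit = _pattern_hits(pattern, msg.client_ip, [msg.sender])
    to_hit = _pattern_hits(pattern, None, list(msg.recipients))
    return {
        "from": from_hit,
        "to": to_hit,
        "fromorto": from_hit or to_hit,
        "fromandto": from_hit and to_hit,
    }[direction]


def parse_ruleset(text):
    """Return (rules, default); a rule is ([(direction, pattern), ...], value)."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        *condition, value = line.split()
        conditions = []
        for chunk in " ".join(condition).split(" and "):
            parts = chunk.split()
            if len(parts) != 2 or parts[0].rstrip(":").lower() not in DIRECTIONS:
                raise ValueError(f"cannot parse rule: {raw!r}")
            conditions.append((parts[0].rstrip(":").lower(), parts[1]))
        if conditions[0][1] == "default":
            default = value
        else:
            rules.append((conditions, value))
    return rules, default


def evaluate(text, msg):
    """Value of the first rule whose conditions all match, else the default."""
    rules, default = parse_ruleset(text)
    for conditions, value in rules:
        if all(_condition_hits(d, p, msg) for d, p in conditions):
            return value
    return default


# Ruleset quoted in the scan.messages.rules reply ("no" means: do not scan).
SCAN_RULES = """\
From: 10.1.10.1 no
From: 10.1.10.2 no
From: 10.10. no
From: 10.2.10. no
FromOrTo: default yes
"""

# The two whitelist forms from the per-domain reply; "default no" is constructed.
SENDER_ONLY = """\
From: *@nkpanama.com yes   # trusts whatever sender the client claims
FromOrTo: default no
"""
IP_AND_SENDER = """\
From: 200.46.52.39 and From: *@nkpanama.com yes
FromOrTo: default no
"""


def whitelist_report():
    """Whitelist decision for a genuine and a forged message under each form."""
    genuine = Message("200.46.52.39", "alex@nkpanama.com")
    forged = Message("203.0.113.50", "alex@nkpanama.com")   # constructed client
    return {
        "sender_only/genuine": evaluate(SENDER_ONLY, genuine),
        "sender_only/forged": evaluate(SENDER_ONLY, forged),
        "ip_and_sender/genuine": evaluate(IP_AND_SENDER, genuine),
        "ip_and_sender/forged": evaluate(IP_AND_SENDER, forged),
    }


if __name__ == "__main__":
    for case, decision in whitelist_report().items():
        print(f"{case:24} whitelisted={decision}")
```
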
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Wed Oct 25 15:51:00 2006 Subject: OT: Spamhaus petition rejected - followup from previous discussion In-Reply-To: References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> <453E218C.1050908@sendit.nodak.edu> <453E3EBE.50706@sbcglobal.net> Message-ID: <453F79D0.5070805@sendit.nodak.edu>

Res wrote:
> Richard Frovarp wrote:
>>> Because Spamhaus said so! They told the state court they have no jurisdiction. They asked for the case to be moved to the federal court. Then they decided that the federal court didn't have jurisdiction, and didn't show up. If you don't show up for your case, you lose. I think that is pretty standard around the world. Read this:
>
> Why should they turn up if they have no jurisdiction?
> the US courts do not get to tell an organisation of any other country what they can and cant do.. period.

By asking for the case to be removed from state court and moved to federal court, they in effect said the federal courts have jurisdiction. You then need to show up. They should have argued from the beginning that no US court has jurisdiction. This claim may have gone up the chain of courts a distance. However, I do have faith in the system that the end result would have been a precedent in the right direction. I am not aware of any case in the US that has tested this territory.

Your second statement is the problem. They do get to tell an organization what they can and can't do if they have a US presence. The question is what constitutes a presence in the current age where brick and mortar buildings aren't necessary. The fact that the service is free, really does not matter in the US. The only thing a paid service does is provide revenue to a company making it more appealing as a target. (Now that YouTube has Google's finances, it is a more appealing target to sue, even though it is a "free" site).
Yes, in the Australian case the WSJ was imported in, but are not Spamhaus packets imported into the US? The WSJ was a push and Spamhaus is a pull, I will concede there is a difference there. However, look at the case against Lik-Sang.com (http://www.lik-sang.com/news.php?artc=3900), which is a "pull" scenario. Sony did it right and filed a suit in Hong Kong, in addition to the out of jurisdiction UK courts. However, it was the UK court that said it is illegal for Lik-Sang.com to sell PSPs to UK customers. Lik-Sang.com doesn't have a presence anywhere but in HK. So here is an example of UK courts telling an organization of any other country what they can and can't do. Does it make the Spamhaus case right? No. The point is that it does happen in other countries and there is a real problem with jurisdictional issues today.

I do think the case is pure baloney. However, Spamhaus has set a precedent in the wrong direction. I hope that they do appeal and get a quick judgment that this case belongs in UK courts. This will make it easier for other groups to defend themselves in the future, at least in US courts.

The right call was made by the judge saying that getting Tucows or ICANN to drop their domain is not something the courts should do. This does appear to be a decent judge, but there is only so much a judge can decide to do on their own.

From AHKAPLAN at PARTNERS.ORG Wed Oct 25 16:11:35 2006
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Wed Oct 25 16:11:40 2006 Subject: Memory Leak Issues Message-ID: <9C63A4713C4E3342B90428CE44806A73026799C2@PHSXMB5.partners.org>

Hi there --

I am running Fedora Core 5 that was hardened by Bastille Linux on a system with 1.5 GB of RAM. The system functions as an e-mail server running Sendmail 8.13.7, along with MailScanner 4.55.9, SpamAssassin 3.1.0, and ClamAV 0.88.5.

I have noticed over time, via the free -m command, that the amount of cached RAM is going up. This results in the amount of free memory going down to where there is almost nothing left. The end result has been the system periodically hanging, which forces me to reboot the server.

Does anyone know of any memory leak issues with Fedora Core 5 or the applications that I mentioned above? Thanks.

From roalda at gmail.com Wed Oct 25 16:29:54 2006
From: roalda at gmail.com (Roald) Date: Wed Oct 25 16:29:57 2006 Subject: Sync config files Message-ID:

Hi!

As I am now setting up the third MailScanner-server, I was wondering what you use to sync the config files? /etc/MailScanner and /etc/mail are very similar and previously I have been ssh'ing to both servers and making the changes when adding new domains etc. But now I would like to sync them. rsync is one alternative, any better? I have looked at cfengine, but it seems a bit overkill for my task.

-- Roald Martin Amundsen

From mkettler at evi-inc.com Wed Oct 25 16:39:47 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Oct 25 16:40:00 2006 Subject: Memory Leak Issues In-Reply-To: <9C63A4713C4E3342B90428CE44806A73026799C2@PHSXMB5.partners.org> References: <9C63A4713C4E3342B90428CE44806A73026799C2@PHSXMB5.partners.org> Message-ID: <453F8543.6080804@evi-inc.com> Kaplan, Andrew H. wrote: > Hi there -- > > I am running Fedora Core 5 that was hardened by Bastille Linux on a system with > 1.5 GB of RAM. The system functions as an e-mail server running Sendmail 8.13.7, > > along with MailScanner 4.55.9, SpamAssassin 3.1.0, and ClamAV 0.88.5. > > I have noticed over time, via the free -m command, that the amount of cached RAM > is going up. This results in the amount of free memory going down to where there > is almost nothing left. That should be normal. Ideally your system should have 0 bytes of truly free, unused physical memory. All of your "free" memory should be used as cache, which can be quickly reallocated whenever an application needs memory. The cache in Linux is highly dynamic and this can happen on-demand with very little overhead. So keep in mind, cache ram is not memory that's permanently tied up in that task. It's simply "on loan" to the cache pool until it is needed elsewhere. The end result has been the system to periodically > hanging, which forces me to reboot the server. That should not be related. Since the cache ram will be reallocated as soon as it's needed, you're not really out of ram. Fundamentally your "free to be used by applications when needed" memory is free+cache, not just free. Free simply means "not used for anything at all" or "wasted due to lack of kernel efficiency". > > Does anyone know of any memory leak issues with Fedora Core 5 or the > applications that I mentioned above? Thanks. > No, it's normal behavior of the linux kernel. It's just trying to make the most of the available physical memory by temporarily turning the otherwise idle memory into disk cache. 
For what it's worth, modern MS Windows does the same thing, but less aggressively, because there's more overhead associated with reducing the cache size. From chris_d_b71 at yahoo.com Wed Oct 25 16:57:34 2006 
From: chris_d_b71 at yahoo.com (Chris Boyd) Date: Wed Oct 25 16:57:38 2006 Subject: Could not read Custom Functions directory Message-ID: <20061025155734.30914.qmail@web54608.mail.yahoo.com>

I'm getting this in /var/log/messages after merely editing the Mailscanner.conf file (Mailscanner 4.43.6) and Mailscanner does not run:

MailScanner[2064]: MailScanner E-Mail Virus Scanner version 4.43.6 starting...
MailScanner[2064]: Could not read Custom Functions directory
MailScanner[2064]: Cannot read definitions from /opt/MailScanner/etc/virus.scanners.conf, No such file or directory

I can't find any file in the Mailscanner dir that calls that file or path. This started after I edited Mailscanner.conf and then restarted /etc/init.d/openprotect

Here is my Mailscanner.conf:

%report-dir% = /etc/MailScanner/reports/en
# Configuration directory containing this file
%etc-dir% = /etc/MailScanner
# Rulesets directory containing your ".rules" files
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp
%org-name% = USIT
%org-long-name% = USIT Ireland Ltd
%web-site% = www.mysite.ie
#Scan Messages = %rules-dir%/scan.messages.rules
Max Children = 10
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 5
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Qmail Incoming Hash Directory Number = 23
Qmail Outgoing Hash Directory Number = 23
Qmail Intd Hash Number = 1
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 14400
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600

From jfagan at firstlightnetworks.com Wed Oct 25 17:08:02 2006
From: jfagan at firstlightnetworks.com (James Fagan) Date: Wed Oct 25 17:06:12 2006 Subject: Ruleset to lock domain to IP address In-Reply-To: <453EB64C.8070707@univexsystems.com> Message-ID: <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local>

> We plan to introduce some premium filtering options for some domains. This will result in all incoming mail to a given domain arriving from a single known IP address. To prevent "back-dooring" we'd like to lock that in so any incoming mail to a given domain from any other IP address is rejected or dropped. Can I create a ruleset to achieve that?
>
> TIA
> Brian
> --

We do something similar, but we have it set up at the customer's firewall/router to only accept connects on port 25 from one of our IPs (MailScanner boxes). This does stop the drive-by spam. We do this for all our clients permitted they have the hardware to achieve this. Not exactly as you want to do it, but it's an alternative. Besides most customers don't know anything about ports and routing so you could charge them a maintenance fee or something for configuring their routers/firewall. Other than that I think you would be looking at some fancy pants iptables. Or maybe there are other solutions?

James

From ssilva at sgvwater.com Wed Oct 25 17:34:14 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 25 17:35:56 2006 Subject: Inbox fles and possible bug In-Reply-To: <453ECC6C.5000205@nkpanama.com> References: <20061024183715.M93501@konsultex.com.br> <453E68D6.5040309@nkpanama.com> <453ECC6C.5000205@nkpanama.com> Message-ID:

Alex Neuman spake the following on 10/24/2006 7:31 PM:
> Scott Silva wrote:
>> You should also make sure that dovecot and mailscanner are using compatible locking (flock VS fcntl). I think you would use flock with sendmail 8.12 or older, and fcntl with 8.13 on.
>
> Just to make sure we're on the same page, would you know what to check in:
>
> MailScanner.conf
> sendmail itself
> dovecot.conf
>
> in order to check everyone's using the same locking mechanism?

MailScanner.conf is usually set to posix with sendmail 8.13, and flock on 8.12 and lower.

# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "posix".
# For sendmail 8.12 and older, you will probably need to change it to flock,
# particularly on Linux systems.
# For Exim, it defaults to "posix".
# No other type is implemented.
Lock Type = posix

fcntl is called by a posix lock in linux so they are functionally equivalent.

You would check dovecot.conf for the locking it has set.

# Which locking methods to use for locking mbox. There's three available:
# dotlock: Create .lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
#
# You can use both fcntl and flock too; if you do the order they're declared
# with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl
# and flock. Some operating systems don't allow using both of them
# simultaneously, eg. BSDs. If dotlock is used, it's always created first.
mbox_locks = fcntl

-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From Peter.Bates at lshtm.ac.uk Wed Oct 25 17:48:20 2006
From: Peter.Bates at lshtm.ac.uk (Peter Bates) Date: Wed Oct 25 17:48:51 2006 Subject: 'Denial Of Service attack detected' Message-ID: <453FA397.9729.0076.0@lshtm.ac.uk>

Hello all...

I saw a few of these today:

Oct 25 10:20:06 postbox MailScanner[19328]: Commercial scanner clamavmodule timed out!
Oct 25 10:20:06 postbox MailScanner[19328]: clamavmodule: Failed to complete, timed out
Oct 25 10:20:06 postbox MailScanner[19328]: Virus Scanning: Denial Of Service attack detected!

And ended up with a small gathering of 'clamav-xxxxxx' directories in /tmp.

Is there any way I can find out which email caused these (on a relatively busy mail server), and should I be submitting the files to the ClamAV developers, Julian, or not be overly concerned at all?

Thanks.

-- Peter Bates, Systems Support Officer, IT Services. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838

From acabrera at etapatelecom.net Wed Oct 25 18:35:54 2006
From: acabrera at etapatelecom.net (Ing. Augusto Cabrera D.) Date: Wed Oct 25 18:43:59 2006 Subject: Problem with mailscanner-mrtg In-Reply-To: <453ECCA6.4020009@nkpanama.com> Message-ID: <200610251754.k9PHs4ZC002144@megatron.etapaonline.net.ec>

I have a problem running mailscanner-mrtg: there is an error in the logs. Please help me, I need to resolve this problem.

Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a list of mointpoints on your system by using the df command

Augusto

From daniel.maher at ubisoft.com Wed Oct 25 18:51:25 2006
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Wed Oct 25 18:51:30 2006 Subject: OT: What will they think of next In-Reply-To: <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20378CA23@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
> Sent: October 24, 2006 5:18 PM
> To: MailScanner discussion
> Subject: Re: OT: What will they think of next
>
> > > >Now that last suggestion about capital punishment for spammers is
> > > >starting to sound interesting.
> > >
> > > http://nkpanama.com/results.gif is giving a 404?
> > >
> Works for me... Not pretty indeed:-(
> At times, flipping burgers as a career choice looks up and coming:-)

One of my long-time sysadmin friends recently quit his job, and is taking a wood-working course at a local college. He's abandoned computers entirely, and is planning to live out the rest of his days as a carpenter and general tradesperson. Funny thing is that he'll probably end up making more money, and working fewer hours, than me in the long-run.

HMmm.. I wonder if there's still time to sign up? ;)

--
 _
°v°    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From pravin.rane at gmail.com Wed Oct 25 18:53:45 2006
From: pravin.rane at gmail.com (Pravin Rane) Date: Wed Oct 25 18:53:52 2006 Subject: Problem with mailscanner-mrtg In-Reply-To: <200610251754.k9PHs4ZC002144@megatron.etapaonline.net.ec> References: <453ECCA6.4020009@nkpanama.com> <200610251754.k9PHs4ZC002144@megatron.etapaonline.net.ec> Message-ID: <13c021a90610251053s5b807e2bn55822e71c2516040@mail.gmail.com>

Use the following settings and check:

MailScanner Work Directory = /
Spool Directory = /

On 10/25/06, Ing. Augusto Cabrera D. wrote:
> I have a problem with mailscanner-mrtg is running because in the logs is a error, help me please need resolv this problem.
>
> Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a list of mointpoints on your system by using the df command
>
> Augusto

-- Regards Pravin

From mrm at medicine.wisc.edu Wed Oct 25 20:24:14 2006
From: mrm at medicine.wisc.edu (Michael Masse) Date: Wed Oct 25 20:24:43 2006 Subject: block spam based on subject? Message-ID: <453F738D.7FBE.00FC.3@medicine.wisc.edu> Looking through the examples for the whitelist and blacklist settings in MailScanner I see that you can pretty much do just about anything with from and to addresses. Is it possible to create rules based on the subject? We've been getting bombarded with spam that has "re: v??agra" in the subject for the last month. It's always changing ever so slightly so that heuristics doesn't work so good with them, and I didn't think they would be at it for this long to bother with making a special rule for them, but they just keep coming and coming and if I could simply reject any email that has the previous phrase in the subject, life would be much happier. I realize that making special case rules like this isn't the best way to go, because they could simply change something else about it tomorrow, but it would make me feel better right now if nothing else. Mike From glenn.steen at gmail.com Wed Oct 25 20:31:22 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 25 20:31:25 2006
Subject: Memory Leak Issues
In-Reply-To: <453F8543.6080804@evi-inc.com>
References: <9C63A4713C4E3342B90428CE44806A73026799C2@PHSXMB5.partners.org> <453F8543.6080804@evi-inc.com>
Message-ID: <223f97700610251231u6e7cb308ne543b7139ae89426@mail.gmail.com>

On 25/10/06, Matt Kettler wrote:
> Kaplan, Andrew H. wrote:
> > Hi there --
> >
> > I am running Fedora Core 5 that was hardened by Bastille Linux on a system with 1.5 GB of RAM. The system functions as an e-mail server running Sendmail 8.13.7, along with MailScanner 4.55.9, SpamAssassin 3.1.0, and ClamAV 0.88.5.
> >
> > I have noticed over time, via the free -m command, that the amount of cached RAM is going up. This results in the amount of free memory going down to where there is almost nothing left.
>
> That should be normal. Ideally your system should have 0 bytes of truly free, unused physical memory.
>
> All of your "free" memory should be used as cache, which can be quickly reallocated whenever an application needs memory. The cache in Linux is highly dynamic and this can happen on-demand with very little overhead.
>
> So keep in mind, cache ram is not memory that's permanently tied up in that task. It's simply "on loan" to the cache pool until it is needed elsewhere.
>
> > The end result has been the system periodically hanging, which forces me to reboot the server.
>
> That should not be related. Since the cache ram will be reallocated as soon as it's needed, you're not really out of ram.
>
> Fundamentally your "free to be used by applications when needed" memory is free+cache, not just free.
>
> Free simply means "not used for anything at all" or "wasted due to lack of kernel efficiency".
>
> > Does anyone know of any memory leak issues with Fedora Core 5 or the applications that I mentioned above? Thanks.
>
> No, it's normal behavior of the linux kernel. It's just trying to make the most of the available physical memory by temporarily turning the otherwise idle memory into disk cache.

Good summary so far.

> For what it's worth, modern MS Windows does the same thing, but less aggressively, because there's more overhead associated with reducing the cache size.

This is a first.... "Justifying" Linux kernel behaviour with the argument that Bill is doing the same... Jesus! What is the world coming to!? :-D

Whether the Redmond crowd has picked up a good idea, or not, is immaterial. This behaviour is a _really_ good idea and stands (as you showed in the first part Matt) well on its own:-).

As to the "random hang", what made you think memory depletion/swapping was the culprit Andrew? Did you have a vmstat or sar running (writing to file) that gave indication of this? Do you get any "Out of memory" in syslog and/or messages?

With the info we have, we can't really help you, apart from some generalities and pointing toward the tools you should be looking at (top is good for some things, but is generally not that suitable in situations like this).

As to the generalities.... Always suspect your hardware;-). And look closely at what preceded the "bad behaviour" (like a kernel or driver update). Test your RAM (with a good memory tester like Memtest86), exercise your HDDs (Bonnie could be used for that, as well as dd (with large counts and bs set to something sane for the HDD) from different pseudo-devices (/dev/zero, /dev/random ...)).

Oh well, that's enough platitudes for now:-)

Cheers (All that talk of drinking in some threads on this list made me thirsty....:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Oct 25 20:40:02 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 25 20:40:04 2006
Subject: Ruleset to lock domain to IP address
In-Reply-To: <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local>
References: <453EB64C.8070707@univexsystems.com> <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local>
Message-ID: <223f97700610251240q4929ed03v1d34faad8549e7f3@mail.gmail.com>

On 25/10/06, James Fagan wrote:
> > We plan to introduce some premium filtering options for some domains. This will result in all incoming mail to a given domain arriving from a single known IP address. To prevent "back-dooring" we'd like to lock that in so any incoming mail to a given domain from any other IP address is rejected or dropped. Can I create a ruleset to achieve that?
> >
> > TIA
> > Brian
> > --
>
> We do something similar, but we have it set up at the customer's firewall/router to only accept connects on port 25 from one of our IPs (MailScanner boxes). This does stop the drive-by spam. We do this for all our clients permitted they have the hardware to achieve this. Not exactly as you want to do it, but it's an alternative. Besides most customers don't know anything about ports and routing so you could charge them a maintenance fee or something for configuring their routers/firewall.
>
> Other than that I think you would be looking at some fancy pants iptables.
>
> Or maybe there are other solutions?
>
> James

This should be done at MTA level (where you have all the necessary info _and_ the ability to really reject mail (saving resources....)). Might be easier with some MTAs than others though:-). Or at least as close a facsimile of that function as possible:).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Oct 25 20:44:10 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 25 20:44:17 2006 Subject: OT: What will they think of next In-Reply-To: References: <453E76F2.50908@nkpanama.com> <200610242030.NAA15422@partners7.yack.com> <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> Message-ID: <223f97700610251244s34893635x25ec700072fe0a81@mail.gmail.com> On 25/10/06, Scott Silva wrote: > Glenn Steen spake the following on 10/24/2006 2:18 PM: > > On 24/10/06, Evan Platt wrote: > >> At 01:26 PM 10/24/2006, you wrote: > >> >I just finished setting up FuzzyOCR. Guess what greets me a few > >> minutes later: > >> > > >> >http://nkpanama.com/results.gif > >> > > >> >Now spammers are adding noise so OCR won't work. > >> > > >> >Jeez. > >> > > >> >Now that last suggestion about capital punishment for spammers is > >> >starting to sound interesting. > >> > >> http://nkpanama.com/results.gif is giving a 404? > >> > > Works for me... Not pretty indeed:-( > > At times, flipping burgers as a career choice looks up and coming:-) > > > I've been leaning toward bartending. At least I can lart the lusers and no one > complains! > As long as I don't become my best customer!! ;-) Getting fat or getting drunk.... Yeah, you're probably right:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Oct 25 20:47:52 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 25 20:47:59 2006 Subject: OT: What will they think of next In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20378CA23@UBIMAIL1.ubisoft.org> References: <223f97700610241418y644ec7fanece34ddb4aa836ab@mail.gmail.com> <1E293D3FF63A3740B10AD5AAD88535D20378CA23@UBIMAIL1.ubisoft.org> Message-ID: <223f97700610251247u1e4a60bcy813c3c01da31c97c@mail.gmail.com> On 25/10/06, Daniel Maher wrote: > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > > Sent: October 24, 2006 5:18 PM > > To: MailScanner discussion > > Subject: Re: OT: What will they think of next > > > > > > > > > >Now that last suggestion about capital punishment for spammers is > > > >starting to sound interesting. > > > > > > http://nkpanama.com/results.gif is giving a 404? > > > > > Works for me... Not pretty indeed:-( > > At times, flipping burgers as a career choice looks up and coming:-) > > > > One of my long-time sysadmin friends recently quit his job, and is taking a wood-working course at a local college. He's abandoned computers entirely, and is planning to live out the rest of his days as a carpenter and general tradesperson. > > Funny thing is that he'll probably end up making more money, and working fewer hours, than me in the long-run. > > HMmm.. I wonder if there's still time to sign up? > > ;) I recently made some work on the house (changing a few windows... I might have mentioned that before:-). Since it's a two-person-job type of thing, I hired a carpenter to help me... He dropped a line or two to the effect of "Why on earth aren't you a carpenter"... I thought it a moderately funny joke at the time... But now...:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From pravin.rane at gmail.com Wed Oct 25 20:49:20 2006 
From: pravin.rane at gmail.com (Pravin Rane)
Date: Wed Oct 25 20:49:24 2006
Subject: Ruleset to lock domain to IP address
In-Reply-To: <223f97700610251240q4929ed03v1d34faad8549e7f3@mail.gmail.com>
References: <453EB64C.8070707@univexsystems.com> <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local> <223f97700610251240q4929ed03v1d34faad8549e7f3@mail.gmail.com>
Message-ID: <13c021a90610251249u581eea88m8aea4deea54b3180@mail.gmail.com>

Use SPF :)

On 10/26/06, Glenn Steen wrote:
> On 25/10/06, James Fagan wrote:
> > > We plan to introduce some premium filtering options for some domains. This will result in all incoming mail to a given domain arriving from a single known IP address. To prevent "back-dooring" we'd like to lock that in so any incoming mail to a given domain from any other IP address is rejected or dropped. Can I create a ruleset to achieve that?
> > >
> > > TIA
> > > Brian
> > > --
> >
> > We do something similar, but we have it set up at the customer's firewall/router to only accept connects on port 25 from one of our IPs (MailScanner boxes). This does stop the drive-by spam. We do this for all our clients permitted they have the hardware to achieve this. Not exactly as you want to do it, but it's an alternative. Besides most customers don't know anything about ports and routing so you could charge them a maintenance fee or something for configuring their routers/firewall.
> >
> > Other than that I think you would be looking at some fancy pants iptables.
> >
> > Or maybe there are other solutions?
> >
> > James
>
> This should be done at MTA level (where you have all the necessary info _and_ the ability to really reject mail (saving resources....)). Might be easier with some MTAs than others though:-). Or at least as close a facsimile of that function as possible:).
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

--
Regards
Pravin

From glenn.steen at gmail.com Wed Oct 25 20:52:03 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 25 20:52:07 2006
Subject: block spam based on subject?
In-Reply-To: <453F738D.7FBE.00FC.3@medicine.wisc.edu>
References: <453F738D.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <223f97700610251252q4bcb6ec9g82877f11963d2b28@mail.gmail.com>

On 25/10/06, Michael Masse wrote:
> Looking through the examples for the whitelist and blacklist settings in MailScanner I see that you can pretty much do just about anything with from and to addresses. Is it possible to create rules based on the subject? We've been getting bombarded with spam that has "re: v??agra" in the subject for the last month. It's always changing ever so slightly so that heuristics doesn't work so good with them, and I didn't think they would be at it for this long to bother with making a special rule for them, but they just keep coming and coming and if I could simply reject any email that has the previous phrase in the subject, life would be much happier. I realize that making special case rules like this isn't the best way to go, because they could simply change something else about it tomorrow, but it would make me feel better right now if nothing else.
>
> Mike

If you use Postfix you can do this with a header check. Other than that, this is generally more the domain of SpamAssassin (how to make a rule is well documented in their Wiki, docs etc... Or search this list:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jfagan at firstlightnetworks.com Wed Oct 25 21:05:46 2006
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Wed Oct 25 21:03:55 2006
Subject: block spam based on subject?
In-Reply-To: <453F738D.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <59E4A3A1069C2640959AD0F7518C4812064CC9@FLN1.fln.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael Masse
> Sent: Wednesday, October 25, 2006 12:24 PM
> To:
> Subject: block spam based on subject?
>
> Looking through the examples for the whitelist and blacklist settings in MailScanner I see that you can pretty much do just about anything with from and to addresses. Is it possible to create rules based on the subject? We've been getting bombarded with spam that has "re: v??agra" in the subject for the last month. It's always changing ever so slightly so that heuristics doesn't work so good with them, and I didn't think they would be at it for this long to bother with making a special rule for them, but they just keep coming and coming and if I could simply reject any email that has the previous phrase in the subject, life would be much happier. I realize that making special case rules like this isn't the best way to go, because they could simply change something else about it tomorrow, but it would make me feel better right now if nothing else.
>
> Mike

There is a milter-regex out there somewhere which will do what you like
http://www.benzedrine.cx/index.html

I have some notes on the install for a CentOS 4.3 box at
http://jfworks.net/linux/milter-regex.html

I used this for a while, but then I was getting FP's. So I gave up.

James

From acabrera at etapatelecom.net Wed Oct 25 21:18:51 2006
From: acabrera at etapatelecom.net (Ing. Augusto Cabrera D.)
Date: Wed Oct 25 21:21:29 2006
Subject: Problem with mailscanner-mrtg
In-Reply-To: <13c021a90610251053s5b807e2bn55822e71c2516040@mail.gmail.com>
Message-ID: <200610252037.k9PKb33R023626@megatron.etapaonline.net.ec>

My Linux has the directory /var/spool/MailScanner/incoming. I don't know why it has a problem.

Sincerely,
Ing. Augusto Cabrera Duffaut.
ISP - SERVER ADMINISTRATOR
Value-Added Dept.
ETAPATELECOM S.A.
Tel: (593) ( 07) 2808874 - 2803601 - Ext (711)
CUENCA - ECUADOR

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Pravin Rane
Sent: Wednesday, 25 October 2006 12:54
To: MailScanner discussion
Subject: Re: Problem with mailscanner-mrtg

Use the following settings and check:

MailScanner Work Directory = /
Spool Directory = /

On 10/25/06, Ing. Augusto Cabrera D. < acabrera@etapatelecom.net> wrote:

I have a problem with mailscanner-mrtg running, because there is an error in the logs. Help me please, I need to resolve this problem.

Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a list of mointpoints on your system by using the df command

Augusto

--
Regards
Pravin

From kte at nexis.be Wed Oct 25 22:02:11 2006
From: kte at nexis.be (kte@nexis.be)
Date: Wed Oct 25 22:05:31 2006
Subject: sendmail blacklist
Message-ID:

Can I create a white list for some domains when I use sendmail blacklists? I'm using Defender MX 1.9.2

Thanks
Koen

From ssilva at sgvwater.com Wed Oct 25 22:21:52 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 25 22:22:27 2006
Subject: Problem with mailscanner-mrtg
In-Reply-To: <200610252037.k9PKb33R023626@megatron.etapaonline.net.ec>
References: <13c021a90610251053s5b807e2bn55822e71c2516040@mail.gmail.com> <200610252037.k9PKb33R023626@megatron.etapaonline.net.ec>
Message-ID:

Ing. Augusto Cabrera D. spake the following on 10/25/2006 1:18 PM:
> My Linux has the directory /var/spool/MailScanner/incoming. I don't know why it has a problem.
>

You need to set that to the root mount point of the directory. Run df -h on the server and if /var is mounted by itself, you would put /var as the mountpoint. If you only have /boot and /, then / is the mountpoint.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From mkettler at evi-inc.com Wed Oct 25 22:23:29 2006
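Scott Silva's advice above, as an added Python example (not code from the thread or from mailscanner-mrtg): given `df -P` output, it picks the mount point that actually holds a directory, which is the value the error message asks for. Both `df` listings and the function names are constructed for illustration.

```python
import posixpath

# Constructed sample: /var is its own filesystem.
DF_SEPARATE_VAR = """\
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda2 10321208 2411032 7385888 25% /
/dev/sda1 101086 14211 81656 15% /boot
/dev/sda3 41284928 9123456 30064256 24% /var
"""

# Constructed sample: only / and /boot exist.
DF_ROOT_ONLY = """\
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda2 51606140 11534488 37450212 24% /
/dev/sda1 101086 14211 81656 15% /boot
"""


def parse_df(df_output):
    """Return the mount points (last column) from `df -P` output."""
    mounts = []
    for line in df_output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split(None, 5)  # mount point may contain spaces
        if len(fields) == 6:
            mounts.append(fields[5])
    return mounts


def mountpoint_for(path, mounts):
    """Longest mount point that is the path itself or one of its parents."""
    path = posixpath.normpath(path)
    best = None
    for mount in mounts:
        mount = posixpath.normpath(mount)
        # Compare whole path components: /var must not match /variable.
        holds_path = (mount == "/" or path == mount
                      or path.startswith(mount + "/"))
        if holds_path and (best is None or len(mount) > len(best)):
            best = mount
    if best is None:
        raise ValueError("no mount point found for %s" % path)
    return best


def work_directory_setting(path, df_output):
    """Build the mailscanner-mrtg.conf line named in the error message."""
    return "MailScanner Work Directory = %s" % mountpoint_for(
        path, parse_df(df_output))


if __name__ == "__main__":
    incoming = "/var/spool/MailScanner/incoming"
    print(work_directory_setting(incoming, DF_SEPARATE_VAR))
    print(work_directory_setting(incoming, DF_ROOT_ONLY))
```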
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Oct 25 22:23:39 2006 Subject: Memory Leak Issues In-Reply-To: <223f97700610251231u6e7cb308ne543b7139ae89426@mail.gmail.com> References: <9C63A4713C4E3342B90428CE44806A73026799C2@PHSXMB5.partners.org> <453F8543.6080804@evi-inc.com> <223f97700610251231u6e7cb308ne543b7139ae89426@mail.gmail.com> Message-ID: <453FD5D1.3030905@evi-inc.com> Glenn Steen wrote: > On 25/10/06, Matt Kettler wrote: > >> For what it's worth, modern MS Windows does the same thing, but less >> aggressively, because there's more overhead associated with reducing >> the cache size. > This is a first.... "Justifying" Linux kernel behaviour with the > argument that Bill is doing the same... Jesus! What is the world > coming to!? :-D Well, I wasn't "justifying" it. My point was more like: "Every vaguely modern desktop or server OS does this, even Microsoft Windows, so you should already be familiar with this behavior." ie: What hole have you been hiding in that you've not seen this before? If I'd not seen it before, I'd be terrified at what I see in my Windows task manager right now.. less than 40mb "available", but over 30% of my physical memory is "System Cache". From glenn.steen at gmail.com Wed Oct 25 22:40:29 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 25 22:40:33 2006
Subject: Memory Leak Issues
In-Reply-To: <453FD5D1.3030905@evi-inc.com>
References: <9C63A4713C4E3342B90428CE44806A73026799C2@PHSXMB5.partners.org> <453F8543.6080804@evi-inc.com> <223f97700610251231u6e7cb308ne543b7139ae89426@mail.gmail.com> <453FD5D1.3030905@evi-inc.com>
Message-ID: <223f97700610251440m25379a86y2c1a31818ff17ee@mail.gmail.com>

On 25/10/06, Matt Kettler wrote:
> Glenn Steen wrote:
> > On 25/10/06, Matt Kettler wrote:
> >
> >> For what it's worth, modern MS Windows does the same thing, but less aggressively, because there's more overhead associated with reducing the cache size.
> > This is a first.... "Justifying" Linux kernel behaviour with the argument that Bill is doing the same... Jesus! What is the world coming to!? :-D
>
> Well, I wasn't "justifying" it.
>
> My point was more like: "Every vaguely modern desktop or server OS does this, even Microsoft Windows, so you should already be familiar with this behavior."
>
> ie: What hole have you been hiding in that you've not seen this before?
>
> If I'd not seen it before, I'd be terrified at what I see in my Windows task manager right now.. less than 40mb "available", but over 30% of my physical memory is "System Cache".
>

Methinks you missed a few smileys there Matt;-). With a modicum of seriosity, of course. But generally speaking, yes, one has to have hidden in a hole for an extended period of time to have missed it, couldn't agree more.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Oct 25 22:45:07 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 25 22:45:10 2006 Subject: Ruleset to lock domain to IP address In-Reply-To: <13c021a90610251249u581eea88m8aea4deea54b3180@mail.gmail.com> References: <453EB64C.8070707@univexsystems.com> <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local> <223f97700610251240q4929ed03v1d34faad8549e7f3@mail.gmail.com> <13c021a90610251249u581eea88m8aea4deea54b3180@mail.gmail.com> Message-ID: <223f97700610251445l6057de25ta41c9d5534b132a2@mail.gmail.com> On 25/10/06, Pravin Rane wrote: > Use SPF :) > .... I'm not sure I like SPF anymore... Or rather, the same tired old thing... Bad admin (decisions) defeating its purpose. Like when UBS has this unmoderated and (obviously) unprotected mailing-list (open for anyone to use), that is protected by SPF... Sigh. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mkettler at evi-inc.com Wed Oct 25 22:51:26 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Oct 25 22:51:46 2006 Subject: Memory Leak Issues In-Reply-To: <223f97700610251440m25379a86y2c1a31818ff17ee@mail.gmail.com> References: <9C63A4713C4E3342B90428CE44806A73026799C2@PHSXMB5.partners.org> <453F8543.6080804@evi-inc.com> <223f97700610251231u6e7cb308ne543b7139ae89426@mail.gmail.com> <453FD5D1.3030905@evi-inc.com> <223f97700610251440m25379a86y2c1a31818ff17ee@mail.gmail.com> Message-ID: <453FDC5E.2080400@evi-inc.com> Glenn Steen wrote: > On 25/10/06, Matt Kettler wrote: >> ie: What hole have you been hiding in that you've not seen this before? >> >> If I'd not seen it before, I'd be terrified at what I see in my >> Windows task >> manager right now.. less than 40mb "available", but over 30% of my >> physical >> memory is "System Cache". >> > Methinks you missed a few smileys there Matt;-). True.. I didn't mean that to sound particularly harsh, which it does when simply read as text. Wouldn't want to give anyone the impression I'm a complete BOFH :) > With a modicum of > seriosity, of course. But generally speaking, yes, one has to have > hidden i a hole for an extended period of time to have missed it, > couldn't agree more. Aye. From pete at enitech.com.au Wed Oct 25 22:58:19 2006 
From: pete at enitech.com.au (Peter Russell)
Date: Wed Oct 25 22:58:26 2006
Subject: Postfix Users (and Outlook users)
Message-ID: <453FDDFB.3010809@enitech.com.au>

Postfix:

I was hoping that since there are so many Postfix users using MS we could get an updated discussion on what everyone is doing at the MTA level with regards to

a) stopping spam at the MTA
b) 3rd party anti spam defences - greylisting?
c) specific configs - like the example in the wiki - a dual postfix instance that splits multi recipients messages
d) tips and tricks - what have you added to your config that you think could benefit others.

I will happily collate the discussion and add it to the wiki.

The reason I am asking is because we are receiving so much more spam, so many more complaints from users and I want to consider some of the options available at the MTA - eg a postfix version of greet-pause sounds good because I don't think we could go for greylisting, at least not at the minute.

Outlook:

Also we have always stopped low spam on the server, but the business is asking us to deliver it with a modified subject. All of our users are Outlook users - does anyone have any experience with delivering this mail, creating a global rule to deliver anything with [SPAM] in the subject to Junk mail and letting users use Junk mail controls to handle it? Relying on users to create rules etc is not an option, a lot of them are academics.

Many thanks and regards
Pete

From mkettler at evi-inc.com Wed Oct 25 23:12:36 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Oct 25 23:12:57 2006
Subject: Ruleset to lock domain to IP address
In-Reply-To: <223f97700610251445l6057de25ta41c9d5534b132a2@mail.gmail.com>
References: <453EB64C.8070707@univexsystems.com> <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local> <223f97700610251240q4929ed03v1d34faad8549e7f3@mail.gmail.com> <13c021a90610251249u581eea88m8aea4deea54b3180@mail.gmail.com> <223f97700610251445l6057de25ta41c9d5534b132a2@mail.gmail.com>
Message-ID: <453FE154.7050106@evi-inc.com>

Glenn Steen wrote:
> On 25/10/06, Pravin Rane wrote:
>> Use SPF :)
>>

SPF is useless for the original poster's problem. He's worried about limiting the source of all mail TO a domain. SPF is useful for limiting the source of all mail that claims to be FROM a domain.

> .... I'm not sure I like SPF anymore... Or rather, the same tired old thing... Bad admin (decisions) defeating its purpose. Like when UBS has this unmoderated and (obviously) unprotected mailing-list (open for anyone to use), that is protected by SPF... Sigh.
>

What's wrong with that?

Anyone who expects SPF to be a spam control measure is doomed to be disappointed, probably in short order. It's a forgery control technology, not a spam control technology. Period.

As you've seen, anyone can create a giant "SPF hole", either by SPFing an unmoderated list, or by just creating a SPF record that passes everything.

But that's OK. This doesn't break the purpose of SPF. The purpose of SPF isn't to identify "good" messages, it's just to rule some of them as "definitely bad" (ie: forged).

In the general case, there's nothing about passing SPF that tells you anything useful you can act on. ie: you can't consider a message that passed SPF to be nonspam, or even less likely to be spam, and you should treat it the same as any other message. Only failing SPF is useful enough to act on. At that point you know the owner of the domain believes this message is forged and not properly sent by an authorized host for his domain.

So really when interpreting SPF by itself, you should treat "pass" more-or-less the same as "no record at all". (And this is why SA handles it as such. -0.001 for SPF_PASS is little different from 0 for no record)

Now, if you truly trust a particular domain, then you can trust their SPF. So for these cases, you can do things like use SA's whitelist_from_spf on them. But you'd never be able to do this in any kind of general sense. Any spammer could exploit it by creating a "pass all" SPF record.

From telehouse at googlemail.com Thu Oct 26 00:05:18 2006
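Matt Kettler's argument above, as an added Python example (not code from the thread, MailScanner or SpamAssassin): a record that passes every host makes "pass" meaningless, so only "fail", or a pass from a domain you already trust, should move a score. The evaluator covers only the `ip4`, `ip6` and `all` mechanisms; the domains, records and addresses are constructed, and the score weights are illustrative assumptions apart from the -0.001 for a pass that the message cites.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records, keyed by the domain the mail claims to be FROM.
PUBLISHED = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",  # strict policy
    "spammer.example": "v=spf1 +all",                # the "pass all" record
    "norecord.example": None,                        # publishes nothing
}


def check_spf(record, client_ip):
    """Evaluate an SPF record (ip4/ip6/all subset) for a connecting IP."""
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError("mechanism %r needs DNS; not handled here" % term)
    return "neutral"  # nothing matched


def spam_score_delta(spf_result, trusted_domain=False):
    """Score change for an SPF result; weights are assumptions."""
    if spf_result == "fail":
        return 5.0       # owner says this host is not authorised: forged
    if spf_result == "pass" and trusted_domain:
        return -100.0    # per-domain trust, in the spirit of whitelist_from_spf
    if spf_result == "pass":
        return -0.001    # practically the same as having no record
    return 0.0


def evaluate(sender_domain, client_ip, trusted_domains=frozenset()):
    """Return (SPF result, score change) for one constructed delivery."""
    result = check_spf(PUBLISHED.get(sender_domain), client_ip)
    return result, spam_score_delta(result, sender_domain in trusted_domains)


if __name__ == "__main__":
    for domain, ip in [("bank.example", "192.0.2.25"),
                       ("bank.example", "203.0.113.9"),
                       ("spammer.example", "203.0.113.9"),
                       ("norecord.example", "203.0.113.9")]:
        print(domain, ip, evaluate(domain, ip, {"bank.example"}))
```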
From: telehouse at googlemail.com (Colocation Colocation)
Date: Thu Oct 26 00:05:24 2006
Subject: OT : Disaster recovery?
Message-ID: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com>

So I've just spent the past 3 weeks setting up and tweaking my Mailscanner installation. I've done every possible tweak and gone through everything with a magnifying glass and it all looks great.

So now my thoughts turn to backups. How best should I protect my investment? I cannot yet justify a second box for redundancy so if all goes wrong I will need to be able to quickly get my mail server back online.

I'm considering taking one of my raid mirrors out and rebuilding the array online. That way I will have a spare in case it all goes wrong.... however there are a lot of drawbacks to this.

My server is equipped with lights out management so really what I want to do is a "bare metal" type backup, that way if anything does go wrong and I happen to be on holiday I will still be able to fix it.

Dream Scenario : uh oh for x reason my server has totally died and all data is lost. I ssh in, boot off my already connected USB key and reinstall the operating system. (or some kind of restore software?) I then pull my backup from my ISP's san storage and begin the restore. Two hours later my server is back online and serving mail as it should be!

Any thoughts? Or am I living in cuckoo land?

From ssilva at sgvwater.com Thu Oct 26 00:20:32 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 26 00:21:18 2006 Subject: OT : Disaster recovery? In-Reply-To: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> References: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> Message-ID: Colocation Colocation spake the following on 10/25/2006 4:05 PM: > So I've just spent the past 3 weeks setting up and tweaking my > Mailscanner installation. I've done every possible tweak and gone > through everything with a magnifying glass and it all looks great. > > So now my thoughts turn to backups. How best should i protect my > investment? I cannot yet justify a second box for redundancy so if all > goes wrong i will need to be able to quickly get my mail server back online. > > I'm considering taking one of my raid mirrors out and rebuilding the > array online. That way i will have a spare incase it all goes wrong.... > however there are alot of drawbacks to this. > > My server is equipped with lights out management so really what i want > to do is a "bare metal" type backup, that way if anything does go wrong > and i happen to be holiday i will still be able to fix it. > > Dream Scenario : uh oh for x reason my server has totally died and all > data is lost. I ssh in, boot off my already connected USB key and > reinstall the operating system. (or some kind of restore software?) I > then pull my backup from my ISP's san storage and begin the restore. Two > hours later my server is back online and serving mail as it should be! > > Any thoughts? Or am i living in cuckoo land? > > > You could use something like mondo for a backup that could give you a bare metal restore. You would need the restore program, mindi, on the usb key. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ka at pacific.net Thu Oct 26 00:34:58 2006 
From: ka at pacific.net (Ken A) Date: Thu Oct 26 00:32:59 2006 Subject: OT : Disaster recovery? In-Reply-To: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> References: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> Message-ID: <453FF4A2.2040309@pacific.net> Colocation Colocation wrote: > So I've just spent the past 3 weeks setting up and tweaking my Mailscanner > installation. I've done every possible tweak and gone through everything > with a magnifying glass and it all looks great. wait 3 weeks. repeat. :-) > So now my thoughts turn to backups. How best should i protect my > investment? > I cannot yet justify a second box for redundancy so if all goes wrong i > will > need to be able to quickly get my mail server back online. > > I'm considering taking one of my raid mirrors out and rebuilding the array > online. That way i will have a spare incase it all goes wrong.... however > there are alot of drawbacks to this. > > My server is equipped with lights out management so really what i want > to do > is a "bare metal" type backup, that way if anything does go wrong and i > happen to be holiday i will still be able to fix it. > > Dream Scenario : uh oh for x reason my server has totally died and all data > is lost. I ssh in, boot off my already connected USB key and reinstall the > operating system. (or some kind of restore software?) I then pull my backup > from my ISP's san storage and begin the restore. Two hours later my server > is back online and serving mail as it should be! > > Any thoughts? Or am i living in cuckoo land? > That's great as long as it dies from something software related. Hardware dies too though. If that happens, on a low budget, your ISP may have a relatively inexpensive virtual box loaded with something useful that can take over for a while, provided you have backed up all your software configs & tweaks, needed src files and have them on your laptop while you are sitting on the beach. 
Don't count on your ISP's backup, unless you've tested it a few times and really trust it. Ken A. Pacific.Net From pete at enitech.com.au Thu Oct 26 00:38:23 2006 From: pete at enitech.com.au (Peter Russell) Date: Thu Oct 26 00:38:34 2006 Subject: OT : Disaster recovery? In-Reply-To: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> References: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> Message-ID: <453FF56F.4020103@enitech.com.au> Colocation Colocation wrote: > So I've just spent the past 3 weeks setting up and tweaking my > Mailscanner installation. I've done every possible tweak and gone > through everything with a magnifying glass and it all looks great. > > So now my thoughts turn to backups. How best should i protect my > investment? I cannot yet justify a second box for redundancy so if all > goes wrong i will need to be able to quickly get my mail server back online. > Are you sure you cant afford redundancy? Sounds like that's what you need when you say you want to get your mail server back online quickly. Consider a redundant machine even its an old server or a PC (depending on your demands) and then at least you can receive mail while you repair your main machine if required. Even if the second one is only a backup MX... From telehouse at googlemail.com Thu Oct 26 00:55:14 2006 
From: telehouse at googlemail.com (Colocation Colocation) Date: Thu Oct 26 00:55:25 2006 Subject: OT : Disaster recovery? In-Reply-To: <453FF4A2.2040309@pacific.net> References: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> <453FF4A2.2040309@pacific.net> Message-ID: <146f41cd0610251655t583abd37u9f3406f3dc1016c3@mail.gmail.com> I've got hardware failures pretty much covered with all the usual spares. (plus a very decent support contract from a HP reseller located 5 minutes away from the DC!) I'm just worried about corruption, or say both disks in my raid dying or even being hacked! Anything thats going to need a full reinstall. I'm looking at mondo now, it seems more focused on backups to media under the assumption you have easy access to the system you are backing up, though it supports NFS + PXE so i wonder how that might work remotely. On 26/10/06, Ken A wrote: > > > Colocation Colocation wrote: > > So I've just spent the past 3 weeks setting up and tweaking my > Mailscanner > > installation. I've done every possible tweak and gone through everything > > with a magnifying glass and it all looks great. > > wait 3 weeks. repeat. :-) > > > So now my thoughts turn to backups. How best should i protect my > > investment? > > I cannot yet justify a second box for redundancy so if all goes wrong i > > will > > need to be able to quickly get my mail server back online. > > > > I'm considering taking one of my raid mirrors out and rebuilding the > array > > online. That way i will have a spare incase it all goes wrong.... > however > > there are alot of drawbacks to this. > > > > My server is equipped with lights out management so really what i want > > to do > > is a "bare metal" type backup, that way if anything does go wrong and i > > happen to be holiday i will still be able to fix it. > > > > Dream Scenario : uh oh for x reason my server has totally died and all > data > > is lost. 
I ssh in, boot off my already connected USB key and reinstall > the > > operating system. (or some kind of restore software?) I then pull my > backup > > from my ISP's san storage and begin the restore. Two hours later my > server > > is back online and serving mail as it should be! > > > > Any thoughts? Or am i living in cuckoo land? > > > > That's great as long as it dies from something software related. > Hardware dies too though. If that happens, on a low budget, your ISP may > have a relatively inexpensive virtual box loaded with something useful > that can take over for a while, provided you have backed up all your > software configs & tweaks, needed src files and have them on your laptop > while you are sitting on the beach. Don't count on your ISP's backup, > unless you've tested it a few times and really trust it. > > Ken A. > Pacific.Net > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061026/4c262bf4/attachment.html From michel at mitch-it.nl Thu Oct 26 01:17:03 2006 
From: michel at mitch-it.nl (Michel van der Klei) Date: Thu Oct 26 01:16:36 2006 Subject: OT : Disaster recovery? In-Reply-To: <146f41cd0610251655t583abd37u9f3406f3dc1016c3@mail.gmail.com> References: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> <453FF4A2.2040309@pacific.net> <146f41cd0610251655t583abd37u9f3406f3dc1016c3@mail.gmail.com> Message-ID: <20061026021703.446f63be.michel@mitch-it.nl> On Thu, 26 Oct 2006 00:55:14 +0100 "Colocation Colocation" wrote: > I've got hardware failures pretty much covered with all the usual spares. > (plus a very decent support contract from a HP reseller located 5 minutes > away from the DC!) > > I'm just worried about corruption, or say both disks in my raid dying or > even being hacked! I use rsnapshot over ssh for my backups. Works great. Maybe u should take a look at that. (www.rsnapshot.org) -- Kind Regards, Michel van der Klei (BSc. IT) Mitch IT Annendal 11 4761 LK ZEVENBERGEN tel: 0168329316 fax: 0168329639 http://www.mitch-it.nl From telehouse at googlemail.com Thu Oct 26 01:29:24 2006 
From: telehouse at googlemail.com (Colocation Colocation) Date: Thu Oct 26 01:29:27 2006 Subject: OT : Disaster recovery? In-Reply-To: <453FF56F.4020103@enitech.com.au> References: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> <453FF56F.4020103@enitech.com.au> Message-ID: <146f41cd0610251729g151c00c4n15c47a95b1060f3d@mail.gmail.com> Of course you are right! I do have a secondary MX setup to catch all the mail if the primary goes down. That still leaves me having to reinstall the primary as soon as possible! I've just done a full backup of my mail server using mondo - now to do some testing of the restore process! On 26/10/06, Peter Russell wrote: > > > > Colocation Colocation wrote: > > So I've just spent the past 3 weeks setting up and tweaking my > > Mailscanner installation. I've done every possible tweak and gone > > through everything with a magnifying glass and it all looks great. > > > > So now my thoughts turn to backups. How best should i protect my > > investment? I cannot yet justify a second box for redundancy so if all > > goes wrong i will need to be able to quickly get my mail server back > online. > > > > Are you sure you cant afford redundancy? Sounds like that's what you > need when you say you want to get your mail server back online quickly. > > Consider a redundant machine even its an old server or a PC (depending > on your demands) and then at least you can receive mail while you repair > your main machine if required. Even if the second one is only a backup > MX... > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061026/155ddf6b/attachment.html From pete at enitech.com.au Thu Oct 26 02:21:38 2006 From: pete at enitech.com.au (Peter Russell) Date: Thu Oct 26 02:22:07 2006 Subject: Headers in Public Folder In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B044CD3@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B044CD3@addc01.assuredata.local> Message-ID: <45400DA2.9090407@enitech.com.au> I have a python script that reads the exchange 2003 public folder and learns the spam right into bayes and even deletes from public after it's been read if that helps. No issues with headers etc being changed. I have the public folder available to all users with contributor access (they have drag and drop spam into it but can't open the spam folder and see in). Max Kipness wrote: > Hello - > > I'm trying to figure out what is happening with the spam I have in > Exchange 2003 public folders. > > I've got quite a bit of spam in public folders, and when I right-click > on any of them, and select OPTIONS, it seems to show all the original > headers as normal, including the MailScanner headers, scoring, etc. > > I also have an IMAP account set up on my Outlook 2003 client. When I > copy/move these messages to my Spam folder on this IMAP account, then > look at the mbox file on the Fedora server it resides on, most of the > headers are gone. > > Now in previous discussions I've read that Exchange PF removes the > headers, but here it sounds like IMAP is doing it, since the headers are > visible and look fine from the PF. > > Is this going to affect sa-learn dramatically? > > When I use spamassassin to run a test on the mbox messages, the SA > score is dramatically different obviously because of the loss of > headers. > > Is there any way to fix this? > > Thanks, > Max From marc at marcsnet.com Thu Oct 26 02:39:51 2006 
From: marc at marcsnet.com (Marc Lucke) Date: Thu Oct 26 02:40:20 2006 Subject: bayesian spam database Message-ID: <454011E7.5030502@marcsnet.com> Hi list, I was wondering if it is at all possible to use a centralised bayesian database amongst several servers. Or better yet whether there are organisations out there that offer theirs? I ask because I am continuously training 2 servers and I'm doing a lot of that lately. It's getting a bit boring. Is this more a spamassassin question? Marc From brent.addis at pronet.co.nz Thu Oct 26 03:10:16 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Thu Oct 26 03:11:15 2006 Subject: bayesian spam database Message-ID: <7EF1F27F7292534D82933F70AB6996CC0C0B78@pro-ak-exch01.hosted.pronet.net.nz> I use a centralized mysql bayes database with multiple mailscanner servers using it. Be sure to set the default bayes username to the same on all mailscanner servers, otherwise they won't share data. Works very well. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marc Lucke Sent: Thursday, October 26, 2006 2:40 PM To: MailScanner discussion Subject: bayesian spam database Hi list, I was wondering if it is at all possible to use a centralised bayesian database amongst several servers. Or better yet whether there are organisations out there that offer theirs? I ask because I am continuously training 2 servers and I'm doing a lot of that lately. It's getting a bit boring. Is this more a spamassassin question? Marc From pete at enitech.com.au Thu Oct 26 03:24:58 2006 
From: pete at enitech.com.au (Peter Russell) Date: Thu Oct 26 03:25:07 2006 Subject: bayesian spam database In-Reply-To: <454011E7.5030502@marcsnet.com> References: <454011E7.5030502@marcsnet.com> Message-ID: <45401C7A.2080609@enitech.com.au> Marc Lucke wrote: > Hi list, > > I was wondering if it is at all possible to use a centralised bayesian > database amongst several servers. I use one DB between 2 servers. Follow the mysql bayes guide in the wiki; it shows you how to set up bayes via sql, which shows you how to connect to a remote bayes mysql. From marc at marcsnet.com Thu Oct 26 03:48:21 2006 From: marc at marcsnet.com (Marc Lucke) Date: Thu Oct 26 03:48:52 2006 Subject: bayesian spam database In-Reply-To: <45401C7A.2080609@enitech.com.au> References: <454011E7.5030502@marcsnet.com> <45401C7A.2080609@enitech.com.au> Message-ID: <454021F5.3050100@marcsnet.com> Of course! Thanks guys. Peter Russell wrote: > > > Marc Lucke wrote: >> Hi list, >> >> I was wondering if it is at all possible to use a centralised >> bayesian database amongst several servers. > > I use one DB between 2 servers. Follow the mysql bayes guide in the wiki; > it shows you how to set up bayes via sql, which shows you how to > connect to a remote bayes mysql. > From glenn.steen at gmail.com Thu Oct 26 08:03:29 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 26 08:03:32 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <453FDDFB.3010809@enitech.com.au> References: <453FDDFB.3010809@enitech.com.au> Message-ID: <223f97700610260003h57826bf1gbc7cc0a65ee133f8@mail.gmail.com> On 25/10/06, Peter Russell wrote: > Postfix: > I was hoping that since there is so many Postfix users using MS we could > get an updated discussion on what everyone is doing at the MTA level > with regards to > a) stopping spam at the MTA > b) 3rd party anti spam defences - greylisting? > c) specific configs - like the example in the wiki - a dual postfix > instance that splits multi recipients messages > d) tip and tricks - what have you added to your config that you think > could benefit others. > > I will happily collate the discussion and add it to the wiki. > > The reason i am asking is because we are receiving so much more spam, so > many more complaints from users and i want to consider some of the > options available at the MTA - eg a postfix version of greet-pause > sounds good because i dont think we could go for greylisting, at least > not at the minute. > > Outlook: > Also we have always stopped low spam on the server, but the business is > asking us to deliver it with a modified subject. All of our users are > outlook users - does any one have any experience with delivering this > mail, creating a global rule to deliver anything with [SPAM] in the > subject to Junk mail and letting users use Junk mail controls to handle > it? Relying on users to create rules etc is not an option, a lot of them > are academics. > > Many thanks and regards > Pete I'd be more than happy to contribute what feeble efforts I can normally, but..... I'm severely stumped for time ATM, perhaps next week (or if the discussion gets interesting enough:-):-)... 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Thu Oct 26 08:08:17 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Oct 26 08:08:37 2006 Subject: OT : Disaster recovery? In-Reply-To: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> References: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> Message-ID: <45405EE1.6010205@solidstatelogic.com> Colocation Colocation wrote: > So I've just spent the past 3 weeks setting up and tweaking my > Mailscanner installation. I've done every possible tweak and gone > through everything with a magnifying glass and it all looks great. > > So now my thoughts turn to backups. How best should i protect my > investment? I cannot yet justify a second box for redundancy so if all > goes wrong i will need to be able to quickly get my mail server back online. > > I'm considering taking one of my raid mirrors out and rebuilding the > array online. That way i will have a spare incase it all goes wrong.... > however there are alot of drawbacks to this. > > My server is equipped with lights out management so really what i want > to do is a "bare metal" type backup, that way if anything does go wrong > and i happen to be holiday i will still be able to fix it. > > Dream Scenario : uh oh for x reason my server has totally died and all > data is lost. I ssh in, boot off my already connected USB key and > reinstall the operating system. (or some kind of restore software?) I > then pull my backup from my ISP's san storage and begin the restore. Two > hours later my server is back online and serving mail as it should be! > > Any thoughts? Or am i living in cuckoo land? > > > well 1st thing I'd do is DOCUMENT what you've done! -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From glenn.steen at gmail.com Thu Oct 26 08:23:49 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 26 08:23:52 2006 Subject: Ruleset to lock domain to IP address In-Reply-To: <453FE154.7050106@evi-inc.com> References: <453EB64C.8070707@univexsystems.com> <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local> <223f97700610251240q4929ed03v1d34faad8549e7f3@mail.gmail.com> <13c021a90610251249u581eea88m8aea4deea54b3180@mail.gmail.com> <223f97700610251445l6057de25ta41c9d5534b132a2@mail.gmail.com> <453FE154.7050106@evi-inc.com> Message-ID: <223f97700610260023o41545d0ckeddabfa6fd7a7b6e@mail.gmail.com> On 26/10/06, Matt Kettler wrote: > Glenn Steen wrote: > > On 25/10/06, Pravin Rane wrote: > >> Use SPF :) > >> > > SPF is useless for the original poster's problem. He's worried about limiting > the source of all mail TO a domain. > > SPF is useful for limiting the source of all mail that claims to be FROM a domain. Of course. Was typing entirely too much too late in the evening yesterday (and after a relaxing G&T to boot:-). Not much brain activity registering on my EEGs then:-). > > .... I'm not sure I like SPF anymore... Or rather, the same tired old > > thing... Bad admin (decisions) defeating its purpose. Like when UBS > > has this unmoderated and (obviously) unprotected mailing-list (open > > for anyone to use), that is protected by SPF... Sigh. > > > > What's wrong with that? > > Anyone who expects SPF to be a spam control measure is doomed to be > disappointed, probably in short order. It's a forgery control technology, not a > spam control technology. Period. > > As you've seen, anyone can create a giant "SPF hole", either by SPFing an > unmoderated list, or by just creating an SPF record that passes everything. But > that's OK. This doesn't break the purpose of SPF. Exactly. And as I said, it's not really SPF I don't like, but the "bad" admin (who has been notified about the problem... Not answering mails to postmaster... Sigh. For everything else, they run a very tidy shop, so .... 
this just nettles me:). > The purpose of SPF isn't to identify "good" messages, it's just to rule some of > them as "definitely bad" (ie: forged). Yep. And for that it is very good indeed. > In the general case, there's nothing about passing SPF that tells you anything > useful you can act on. ie: you can't consider a message that passed SPF to be > nonspam, or even less likely to be spam, and you should treat it the same as any > other message. > > Only failing SPF is useful enough to act on. At that point you know the owner of > the domain believes this message is forged and not properly sent by an > authorized host for his domain. Yep. Still with you. > So really when interpreting SPF by itself, you should treat "pass" more-or-less > the same as "no record at all". (And this is why SA handles it as such. -0.001 > for SPF_PASS is little different from 0 for no record) As is precisely what I do, mostly;). > Now, if you truly trust a particular domain, then you can trust their SPF. So > for these cases, you can do things like use SA's whitelist_from_spf on them. But > you'd never be able to do this in any kind of general sense. Any spammer could > exploit it by creating a "pass all" SPF record. The difference between UBS and Lehman, in a nutshell:-D. With the latter (and some other big financial players like MSCI) I have to use *something* to bring their score averages down, and it has so far been diverse def_white* things (I'm sure there are better ways to do this, but these suit me ATM:-), mostly because some of their senders use "spammy techniques". UBS on the other hand don't really need that (they play by the book), so... That "SPF hole" is kind of standing out, for them. Ah well. Thanks once more for a very eloquent summary of how things really are. Where I was yesterday (after battling a bl**dy SSL gateway entirely too long... No, not SSL-Explorer...) I couldn't even put my name together reliably:-). 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From carles at unlimitedmail.org Thu Oct 26 09:02:26 2006 
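Added example, not part of any message in this thread: a Python rendering of the policy argued in the exchange above, where only an SPF fail is acted on, a pass counts for nothing unless the sender domain is one you explicitly trust, and even a trusted domain's record is checked for terms that pass everyone. The function names, the prefix thresholds, the trusted-domain set and the sample records are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed thresholds: a "pass" mechanism covering a network wider than
# this authorises so many hosts that the pass carries no information.
MIN_PREFIX = {4: 8, 6: 16}


def split_term(term):
    """Return (qualifier result, mechanism name, argument) for one SPF term."""
    qualifier = "pass"                       # a missing qualifier means "+"
    if term[0] in QUALIFIERS:
        qualifier, term = QUALIFIERS[term[0]], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def permissive_terms(record):
    """List the terms of an SPF record that create a 'pass all' hole."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    findings = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:     # modifier (redirect=, exp=)
            continue
        qualifier, name, arg = split_term(term)
        if qualifier != "pass":
            continue
        if name == "all":
            findings.append(term)
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:               # malformed argument, not a hole
                continue
            if net.prefixlen < MIN_PREFIX[net.version]:
                findings.append(term)
    return findings


def spf_action(result, sender_domain, trusted_domains, record=None):
    """Map an SPF result to an action.

    'forged'    - the domain owner says this host may not send for it
    'whitelist' - pass from a domain on the local trust list
    'scan'      - everything else, handled exactly like 'no record'
    """
    result = result.lower()
    if result == "fail":
        return "forged"
    if result == "pass" and sender_domain.lower() in trusted_domains:
        if record is not None and permissive_terms(record):
            return "scan"                    # trusted name, meaningless pass
        return "whitelist"
    return "scan"


if __name__ == "__main__":
    trusted = {"bank.example"}               # constructed trust list
    samples = [                              # constructed records
        ("pass", "bulk.example", "v=spf1 +all"),
        ("pass", "bank.example", "v=spf1 ip4:192.0.2.0/24 -all"),
        ("pass", "bank.example", "v=spf1 ip4:0.0.0.0/0 -all"),
        ("fail", "bank.example", "v=spf1 ip4:192.0.2.0/24 -all"),
    ]
    for result, domain, record in samples:
        print(domain, result, permissive_terms(record),
              spf_action(result, domain, trusted, record))
```
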
From: carles at unlimitedmail.org (Carles Xavier Munyoz Baldó)
Date: Thu Oct 26 09:02:47 2006
Subject: Virus scanning disabled, but MailScanner still runs clamscan. Why?
Message-ID: <200610261002.27303.carles@unlimitedmail.org>

Hi,
I have MailScanner 4.56.8-1 installed on my e-mail server. The Linux distribution installed on the server is Fedora Core 4.

I have enabled the virus scanning only for some of my domains. For this I have set up a filename of a ruleset:

Virus Scanning = %rules-dir%/virus_scanning.rules

with a content like this:

To: *@domain1.com yes
To: *@domain2.com yes
FromOrTo: default no

in order to make the virus scanning only available for the e-mail messages destined to mailboxes under domains domain1.com and domain2.com.

The only virus scanning package is ClamAV:

Virus Scanners = clamav

Recently I have disabled the virus scanning for all my domains, leaving the ruleset file content this way:

# To: *@domain1.com yes
# To: *@domain2.com yes
FromOrTo: default no

I have verified that no more virus scanning is made for any of my domains by sending e-mail messages with virus infected files to several mailboxes of different domains.

The problem is that MailScanner is still running the clamscan command. I have seen that, periodically, every 4-5 minutes, MailScanner runs several instances of the clamscan process consuming 100% of my server CPU during 1-2 minutes. You can see it in this sample output of the pstree command:

[...]
init,1
??MailScanner,14803
? ??MailScanner,14804
? ? ??MailScanner,16357
? ??MailScanner,14941
? ? ??clamav-wrapper,16381 /usr/lib/MailScanner/clamav-wrapper /usr/local -r --disable-summary --stdout ...
? ? ??clamscan,16387 --unzip --jar --tar --tgz --deb --max-ratio=500 --tempdir=/tmp/clamav.16381 -r --disable-summary ...
? ??MailScanner,15127
? ? ??MailScanner,16394
? ? ??pyzor,16400 /usr/bin/pyzor check
? ??MailScanner,15218
? ? ??clamav-wrapper,16405 /usr/lib/MailScanner/clamav-wrapper /usr/local -r --disable-summary --stdout ...
? ? ??clamscan,16409 --unzip --jar --tar --tgz --deb --max-ratio=500 --tempdir=/tmp/clamav.16405 -r --disable-summary ...
[...]

If I have disabled virus scanning for all my domains and verified that no virus scanning is made for any mailbox, then why is MailScanner running these CPU consuming clamscan processes?
How can I know the sender and recipient of the e-mail message that MailScanner is analyzing in search of virus infection?
How can I get more information about why MailScanner is running the clamscan processes?

Thank you very much for your time and your help.
Greetings.
---
Carles Xavier Munyoz Baldó
cmunyoz@unlimitedmail.net
http://www.unlimitedmail.net/
---

From drew at technologytiger.net Thu Oct 26 10:19:53 2006
From: drew at technologytiger.net (Drew Marshall) Date: Thu Oct 26 10:20:13 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <453FDDFB.3010809@enitech.com.au> References: <453FDDFB.3010809@enitech.com.au> Message-ID: <51533.194.70.180.170.1161854393.squirrel@www.technologytiger.net> On Wed, October 25, 2006 22:58, Peter Russell wrote: > Postfix: > I was hoping that since there is so many Postfix users using MS we could > get an updated discussion on what everyone is doing at the MTA level > with regards to > a) stopping spam at the MTA Block using RBLs (Spamhaus & open relays list. I also use the virus RBL, can't remember its address as I'm not near a config file). I also check and reject non RFC compliant mail, unknown recipients. I also do sender verification on senders claiming to be from Hotmail, MSN and any other frequently forged domains and from any client without a valid PTR record or one that has DSL or a string of digits (eg 123-456-78-90.DSL.example.com). > b) 3rd party anti spam defences - greylisting? I gave greylisting a go but gave it up. I really want to either take the mail or 55x reject it as quickly as possible but that's my opinion, others I know have a very different take. I view greylisting like tar pitting and don't like either (Until I get so much Spam through the current protection and resort to it because it _makes a difference_). > c) specific configs - like the example in the wiki - a dual postfix > instance that splits multi recipients messages > d) tip and tricks - what have you added to your config that you think > could benefit others. Check the rate limiting and hard and soft error levels. Some Postfix versions (Depending on how it's been installed) have these set already or at default levels. They offer great protection against directory attack and DOS. I hope this is something like you were intending. Drew From dhawal at netmagicsolutions.com Thu Oct 26 10:49:01 2006 
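Added example, not part of Drew Marshall's message: the selection he describes for sender verification (frequently forged sender domains, clients with no PTR, and PTR names that carry DSL or a string of digits), written out in Python so the rule can be tried against names from a mail log. It assumes the caller has already done the reverse lookup; the function names, the token list beyond "dsl", and the sample addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Sender domains the post names as frequently forged; extend locally.
FORGED_PRONE_DOMAINS = {"hotmail.com", "msn.com"}

# "dsl" comes from the post; the other access-line tokens are constructed.
ACCESS_TOKENS = {"dsl", "adsl", "dyn", "dynamic", "dhcp", "pool", "ppp", "dialup"}


def ptr_embeds_ip(client_ip, ptr_name):
    """True if every octet of an IPv4 client address appears in its PTR name.

    Octets may appear in any order and zero-padded, as in
    45-113-0-203.dsl.example.net for 203.0.113.45.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        return False
    wanted = Counter(ip.packed)              # the four octets as integers
    seen = Counter(int(n) for n in re.findall(r"\d+", ptr_name))
    return all(seen[octet] >= count for octet, count in wanted.items())


def looks_like_access_line(ptr_name):
    """True for names with an access-line token or a run of digit groups."""
    host = ptr_name.lower().rstrip(".")
    words = set(re.findall(r"[a-z]+", host))
    first_label = host.split(".", 1)[0]
    digit_groups = re.findall(r"\d+", first_label)
    return bool(words & ACCESS_TOKENS) or len(digit_groups) >= 4


def verification_reasons(client_ip, ptr_name, mail_from):
    """Return the reasons (possibly none) to verify this sender address.

    ptr_name is None or "" when the client has no valid PTR record.
    """
    reasons = []
    domain = mail_from.rpartition("@")[2].lower()
    if domain in FORGED_PRONE_DOMAINS:
        reasons.append("forged-prone-sender")
    if not ptr_name:
        reasons.append("no-ptr")
    else:
        if looks_like_access_line(ptr_name):
            reasons.append("ptr-access-pattern")
        if ptr_embeds_ip(client_ip, ptr_name):
            reasons.append("ptr-embeds-ip")
    return reasons


if __name__ == "__main__":
    # Constructed connections: (client IP, PTR name or None, envelope sender)
    connections = [
        ("203.0.113.45", "45-113-0-203.dsl.example.net", "user@example.org"),
        ("192.0.2.1", "123-456-78-90.DSL.example.com", "user@example.org"),
        ("192.0.2.10", None, "user@example.org"),
        ("192.0.2.25", "mx1.example.com", "someone@hotmail.com"),
        ("192.0.2.25", "mx1.example.com", "user@example.com"),
    ]
    for ip, ptr, sender in connections:
        print(ip, ptr, sender, verification_reasons(ip, ptr, sender))
```

An empty list means the message goes on to the normal checks; any reason means the sender address is worth verifying before the mail is accepted.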
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Oct 26 10:49:18 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <453FDDFB.3010809@enitech.com.au> References: <453FDDFB.3010809@enitech.com.au> Message-ID: <4540848D.2040901@netmagicsolutions.com> Peter Russell wrote: > Postfix: > I was hoping that since there is so many Postfix users using MS we could > get an updated discussion on what everyone is doing at the MTA level > with regards to > a) stopping spam at the MTA 1. mime_header_checks: Block extensions you anyways reject at the MS level. 2. body_checks: Great for rejecting viruses and keywords 3. helo_required: Must have! 4. helo_checks: reject_invalid_hostname, reject_non_fqdn_hostname, warn_if_reject reject_unknown_hostname 5. public and private RBLs: spamhaus, spamcop, dsbl See securitysage.com for more details. Keep in mind that some postfix checks can cause quite a few FPs. > b) 3rd party anti spam defences - greylisting? policyd-weight + selective greylisting (more below) + throttling (policyd) > c) specific configs - like the example in the wiki - a dual postfix > instance that splits multi recipients messages standard hold method. > d) tip and tricks - what have you added to your config that you think > could benefit others. We use body_checks + mime_header_checks to reject some viruses and known spam keywords. We also are testing out dk+dkim with postfix. > I will happily collate the discussion and add it to the wiki. > > The reason i am asking is because we are receiving so much more spam, so > many more complaints from users and i want to consider some of the > options available at the MTA - eg a postfix version of greet-pause > sounds good because i dont think we could go for greylisting, at least > not at the minute. See this for selective greylisting. 
http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html OR use the standard regexps that are distributed with sqlgrey. > Many thanks and regards > Pete - dhawal From campbell at cnpapers.com Thu Oct 26 14:37:26 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Oct 26 14:37:38 2006 Subject: OT : Disaster recovery? References: <146f41cd0610251605w30c863a0h5ec95b7c799988d4@mail.gmail.com> Message-ID: <00dc01c6f903$e06e4920$0705000a@DDF5DW71> ----- Original Message ----- 
From: "Scott Silva" To: Sent: Wednesday, October 25, 2006 7:20 PM Subject: Re: OT : Disaster recovery? > Colocation Colocation spake the following on 10/25/2006 4:05 PM: >> So I've just spent the past 3 weeks setting up and tweaking my >> Mailscanner installation. I've done every possible tweak and gone >> through everything with a magnifying glass and it all looks great. >> >> So now my thoughts turn to backups. How best should i protect my >> investment? I cannot yet justify a second box for redundancy so if all >> goes wrong i will need to be able to quickly get my mail server back >> online. >> >> I'm considering taking one of my raid mirrors out and rebuilding the >> array online. That way i will have a spare incase it all goes wrong.... >> however there are alot of drawbacks to this. >> >> My server is equipped with lights out management so really what i want >> to do is a "bare metal" type backup, that way if anything does go wrong >> and i happen to be holiday i will still be able to fix it. >> >> Dream Scenario : uh oh for x reason my server has totally died and all >> data is lost. I ssh in, boot off my already connected USB key and >> reinstall the operating system. (or some kind of restore software?) I >> then pull my backup from my ISP's san storage and begin the restore. Two >> hours later my server is back online and serving mail as it should be! >> >> Any thoughts? Or am i living in cuckoo land? >> >> >> > You could use something like mondo for a backup that could give you a bare > metal restore. You would need the restore program, mindi, on the usb key. > > -- > I second this solution. Mondo is great (if you are sure it will work for you in the first place) I have restored using Mondo before and a complete restoration, including CD exchanges, would take less than an hour on an older machine with a smaller HD. But I have also had Mondo not work on older machines and some newer machines. 
It has gone through quite a bit of revision lately, and my main suggestion for using Mondo is to try it first before you put a machine into production. If it works then, you're going to be OK. If it doesn't, it may be fixable (there used to be a grub problem, but could be overcome by rebooting the Mondo CD and running a utility provided as part of the backup, for example). Now, once you have a working OS+Mondo, don't upgrade either. If you do, you should try the test backup+restore all over again. And this is the problem I have with Mondo - you either need a twin machine out of production to test the new release or be able to justify the restore failing for some reason. I _have_ upgraded both before (one at a time, not concurrently) with no problems, but I don't always have the spare machine to test with. You can do a compare against the backup and live system, but I just don't always trust that as I don't know exactly what it is comparing. Mondo was originally for Red Hat, if I'm not mistaken, and was the only utility I found that would restore my RH 6.2 server effortlessly (after telling it to include my SCSI kernel mods on the backup - note that then the SCSI mod was not on the distro and had to be installed separately) when other utilities kept failing. It has now become an all-flavor distro utility, and it's just hard to make it do it all that without some problems. But the dev team works hard to solve a never-ending stream of requests. If you can test this first and it succeeds, you will enjoy how easy it is. Steve Campbell From daniel.maher at ubisoft.com Thu Oct 26 14:57:14 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Oct 26 14:57:18 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <453FDDFB.3010809@enitech.com.au> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20380B2E6@UBIMAIL1.ubisoft.org> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Peter Russell > Sent: October 25, 2006 5:58 PM > To: MailScanner discussion > Subject: Postfix Users (and Outlook users) > > Postfix: > I was hoping that since there is so many Postfix users using MS we could > get an updated discussion on what everyone is doing at the MTA level > with regards to > a) stopping spam at the MTA > b) 3rd party anti spam defences - greylisting? I cannot stress enough how much adding a recipient map to postfix has helped. Right now, we poll our (Microsoft) Global Directory server once per hour, pull down the entire tree, sanitise the results (there are lots of non-RFC compliant addresses in there) and build a recipient map out of it. This has been the /single greatest step/ we've taken to reduce the amount of spam our internal Exchange servers have to deal with: down from half a million per day to around 85,000. We also use the TrendMicro RBL. Yes, it costs money, but we've found it to be more reliable from a business context. They're not as zealous, and they actually respond to "false entry" issues in a timely fashion. They don't block quite as much spam as, say, Spamhaus, but they also don't block as much ham accidentally either. :) -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From MailScanner at ecs.soton.ac.uk Thu Oct 26 15:48:36 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 26 15:50:03 2006 Subject: [Fwd: MailScanner bug] -- Please try it out Message-ID: <4540CAC4.9050804@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is anyone else seeing this problem? - -------- Original Message -------- Subject: MailScanner bug Date: Tue, 24 Oct 2006 12:05:09 +0400 
From: Alexandre Kravchenko To: MailScanner@ecs.soton.ac.uk I have problems with MailScanner 4.56.8-1 (Fedora Core 5 x86_64). In sub TryOneCommercial (SweepViruses.pm) Virus Scanner can't write to the pipe without setting $ENV{HOME}. In /var/log/messages: kavscanner[29150]: segfault at 000000000817c26c rip 00000000080cb7da rsp 00000000ffb678d0 error 4. - -- Best regards, Alexander A. Kravchenko Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: koi8-r wj8DBQFFQMrXEfZZRxQVtlQRAsaFAJ9OuE53B9XAyERUTilkNEEEt1ACWACg84OX g4RmThakjXHzOXXU7b1KNV4= =QAHa -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Thu Oct 26 15:56:29 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 26 15:59:43 2006 Subject: [Fwd: mailscanner.info wiki site] -- Help please! Message-ID: <4540CC9D.4080702@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Looking for a dokuwiki expert who can help me with this one please, if someone has a few minutes? I do not suggest you click the link in the message, it's pretty bad. I have disarmed it... - -------- Original Message -------- Subject: mailscanner.info wiki site Date: Wed, 25 Oct 2006 18:00:58 +1300 (NZDT) 
From: Barry Murphy Reply-To: barry@unix.co.nz To: mailscanner@ecs.soton.ac.uk Hi, Are you aware of this on your doco site, its linked to porn http: // wiki.mailscanner.info /lib /exe /fetch.php ?id=start& media= bikini- microhtml Regards Barry - -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: iso-8859-1 wj8DBQFFQM0fEfZZRxQVtlQRAot4AJ9N0KM7lc/tLc8BQcBogUSpY9tfBQCdFAnT tDkjkFmNFjZy6T2I3HvXxhg= =pwkz -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mrm at medicine.wisc.edu Thu Oct 26 16:14:27 2006 
From: mrm at medicine.wisc.edu (Michael Masse) Date: Thu Oct 26 16:15:01 2006 Subject: block spam based on subject? In-Reply-To: <223f97700610251252q4bcb6ec9g82877f11963d2b28@mail.gmail.com> References: <453F738D.7FBE.00FC.3@medicine.wisc.edu> <223f97700610251252q4bcb6ec9g82877f11963d2b28@mail.gmail.com> Message-ID: <45408A82.7FBE.00FC.3@medicine.wisc.edu> Thanks for the spamassassin rule tip. I created a rule and it seems to be working. I was just wondering if it's necessary to restart MailScanner every time you create or modify a rule? Mike >>> On 10/25/2006 at 2:52 PM, in message <223f97700610251252q4bcb6ec9g82877f11963d2b28@mail.gmail.com>, "Glenn Steen" wrote: > On 25/10/06, Michael Masse wrote: >> Looking through the examples for the whitelist and blacklist settings in >> MailScanner I see that you can pretty much do just about anything with >> from and to addresses. Is it possible to create rules based on the >> subject? We've been getting bombarded with spam that has "re: v??agra" >> in the subject for the last month. It's always changing ever so >> slightly so that heuristics doesn't work so good with them, and I didn't >> think they would be at it for this long to bother with making a special >> rule for them, but they just keep coming and coming and if I could >> simply reject any email that has the previous phrase in the subject, >> life would be much happier. I realize that making special case rules >> like this isn't the best way to go, because they could simply change >> something else about it tomorrow, but it would make me feel better right >> now if nothing else. >> >> Mike > > If you use Postfix you can do this with a header check. Other than > that, this is generally more the domain of SpamAssassin (how to make a > rule is well documented in their Wiki, docs etc... Or search this > list:-). From mkettler at evi-inc.com Thu Oct 26 16:22:47 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Oct 26 16:23:08 2006 Subject: Ruleset to lock domain to IP address In-Reply-To: <223f97700610260023o41545d0ckeddabfa6fd7a7b6e@mail.gmail.com> References: <453EB64C.8070707@univexsystems.com> <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local> <223f97700610251240q4929ed03v1d34faad8549e7f3@mail.gmail.com> <13c021a90610251249u581eea88m8aea4deea54b3180@mail.gmail.com> <223f97700610251445l6057de25ta41c9d5534b132a2@mail.gmail.com> <453FE154.7050106@evi-inc.com> <223f97700610260023o41545d0ckeddabfa6fd7a7b6e@mail.gmail.com> Message-ID: <4540D2C7.5070100@evi-inc.com> Glenn Steen wrote: > On 26/10/06, Matt Kettler wrote: >> As you've seen, anyone can create a giant "SPF hole", either by SPFing a >> unmoderated list, or by just creating a SPF record that passes >> everything. But >> that's OK. This doesn't break SPF the purpose of SPF. > > Exactly. And as I said, it's not really SPF I don't like, but the > "bad" admin (who has been notified about the problem... Not answering > mails to postmaster... Sigh. For everything else, they run a very tidy > shop, so .... this just nettles me:). Yeah, but my point is there's NOTHING WRONG with what this admin is doing. It's perfectly valid and within expected behavior to do this to a public mailing list. Why would this application of SPF be bad? Or am I misunderstanding what you mean by "unprotected"? ie: is it a "anyone can add subscribers" or "anyone can post"? If the later, it's not really much different than sourceforge. > e difference between UBS and Lehman, in a nutshell:-D. 
> With the latter (and some other big financial players like MSCI) I > have to use *something* to bring their score averages down, and it has > so far been diverse def_white* things (I'm sure there are better ways > to do this, but these suit me ATM:-) Ahh, so your problem here isn't really SPF, it's with using SPF based whitelist for a site that doesn't really fit all the proper criteria for whitelisting, because not all of their activities are trusted. :) I agree.. whitelisting sucks, and I avoid it whenever possible. :) I have a total of 14 whitelist_* entries in my config beyond what SA ships with. If you exclude whitelists for spam discussion lists (ie: this one), and parts of my own network, I only have 8. From joshua.hirsh at partnersolutions.ca Thu Oct 26 16:44:32 2006 From: joshua.hirsh at partnersolutions.ca (Joshua Hirsh) Date: Thu Oct 26 16:44:37 2006 Subject: OT : Disaster recovery? In-Reply-To: <00dc01c6f903$e06e4920$0705000a@DDF5DW71> Message-ID: <0768EC5DB0115C43BF4E84FC8AC17D77534C4D@psims002.pshosting.intranet> I'll just add in a few cents to the pot. If you have everything documented and streamlined, you can easily restore the server using a kickstart process (assuming RedHat-ish, here). In my case, I have a kickstart CD I built for my servers if I ever have to rebuild them quickly. All software I've installed (modules, plugins, etc) are all packaged in RPM files. The kickstart process installs all required RPM's the system will need and all the magic was done in the "post" scripts, where it would either install the latest package from a file repository from the LAN, or use the one burned on the CD. The total time for one of these servers to be restored is 10 minutes (from cold start to finish). That being said, I do also backup my server.. as you don't want to have to re-install the entire thing because you erased one file :-P Cheers, -Joshua From Kevin_Miller at ci.juneau.ak.us Thu Oct 26 16:47:47 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Oct 26 16:47:55 2006 Subject: OT : Disaster recovery? In-Reply-To: <146f41cd0610251729g151c00c4n15c47a95b1060f3d@mail.gmail.com> Message-ID: One thing we're going to be looking at RSN* is virtualization. Be nifty to set up MailScanner, etc. as a virtual machine. Then if you box goes down, you just start up another load the virtual snapshot and away you go. The 'snapshot' could live on a completely different server and be backed up just like a regular file then retrieved instantly as needed. Of course, you'd have to save it afresh every now and then when you updated MS, clamav, sendmail, etc. But that's gotta be a lot easier than building a new box from scratch! Bear in mind that I haven't yet done this yet, so maybe someone that has can chime in if there's some significant gotchas... ...Kevin *Real Soon Now -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Colocation Colocation Sent: Wednesday, October 25, 2006 4:29 PM To: MailScanner discussion Subject: Re: OT : Disaster recovery? Of course you are right! I do have a secondary MX setup to catch all the mail if the primary goes down. That still leaves me having to reinstall the primary as soon as possible! I've just done a full backup of my mail server using mondo - now to do some testing of the restore process! On 26/10/06, Peter Russell wrote: Colocation Colocation wrote: > So I've just spent the past 3 weeks setting up and tweaking my > Mailscanner installation. I've done every possible tweak and gone > through everything with a magnifying glass and it all looks great. > > So now my thoughts turn to backups. How best should i protect my > investment? I cannot yet justify a second box for redundancy so if all > goes wrong i will need to be able to quickly get my mail server back online. > Are you sure you cant afford redundancy? Sounds like that's what you need when you say you want to get your mail server back online quickly. Consider a redundant machine even its an old server or a PC (depending on your demands) and then at least you can receive mail while you repair your main machine if required. Even if the second one is only a backup MX... -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Thu Oct 26 17:14:35 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 26 17:15:05 2006 Subject: block spam based on subject? In-Reply-To: <45408A82.7FBE.00FC.3@medicine.wisc.edu> References: <453F738D.7FBE.00FC.3@medicine.wisc.edu> <223f97700610251252q4bcb6ec9g82877f11963d2b28@mail.gmail.com> <45408A82.7FBE.00FC.3@medicine.wisc.edu> Message-ID: Michael Masse spake the following on 10/26/2006 8:14 AM: > Thanks for the spamassassin rule tip. I created a rule and it seems > to be working. I was just wondering if it's necessary to restart > MailScanner every time you create or modify a rule? > > Mike You just need to issue a reload command, or you can wait until it restarts on its own. But if you are creating multiple rules, you can wait until you are done. Just remember to lint the new rules to catch any typos before you reload. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Oct 26 17:18:32 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 26 17:20:47 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <453FDDFB.3010809@enitech.com.au> References: <453FDDFB.3010809@enitech.com.au> Message-ID: Peter Russell spake the following on 10/25/2006 2:58 PM: > Postfix: > I was hoping that since there is so many Postfix users using MS we could > get an updated discussion on what everyone is doing at the MTA level > with regards to > a) stopping spam at the MTA > b) 3rd party anti spam defences - greylisting? > c) specific configs - like the example in the wiki - a dual postfix > instance that splits multi recipients messages > d) tip and tricks - what have you added to your config that you think > could benefit others. > > I will happily collate the discussion and add it to the wiki. > > The reason i am asking is because we are receiving so much more spam, so > many more complaints from users and i want to consider some of the > options available at the MTA - eg a postfix version of greet-pause > sounds good because i dont think we could go for greylisting, at least > not at the minute. > > Outlook: > Also we have always stopped low spam on the server, but the business is > asking us to deliver it with a modified subject. All of our users are > outlook users - does any one have any experience with delivering this > mail, creating a global rule to deliver anything with [SPAM] in the > subject to Junk mail and letting users use Junk mail controls to handle > it? Relying on users to create rules etc is not an option, a lot of them > are academics. > > Many thanks and regards > Pete > I just send the low scoring stuff through, not only spam tagged, but as an attachment, so the users aren't surprised by things if they have the message preview window open. It just adds an extra layer to the opening of the junk. Most of the users just delete the tagged stuff, unless they are expecting something. -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!! From edwardbruce at sbcglobal.net Thu Oct 26 17:35:31 2006 From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Thu Oct 26 17:35:53 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20380B2E6@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20380B2E6@UBIMAIL1.ubisoft.org> Message-ID: <4540E3D3.3010800@sbcglobal.net> Daniel Maher wrote: > I cannot stress enough how much adding a recipient map to postfix has helped. Right now, we poll our (Microsoft) Global Directory server once per hour, pull down the entire tree, sanitise the results (there are lots of non-RFC compliant addresses in there) and build a recipient map out of it. This has been the /single greatest step/ we've taken to reduce the amount of spam our internal Exchange servers have to deal with: down from half a million per day to around 85,000. > What tool do you use to poll your Global Directory? From glenn.steen at gmail.com Thu Oct 26 17:35:55 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 26 17:35:59 2006 Subject: Ruleset to lock domain to IP address In-Reply-To: <4540D2C7.5070100@evi-inc.com> References: <453EB64C.8070707@univexsystems.com> <59E4A3A1069C2640959AD0F7518C4812064CC4@FLN1.fln.local> <223f97700610251240q4929ed03v1d34faad8549e7f3@mail.gmail.com> <13c021a90610251249u581eea88m8aea4deea54b3180@mail.gmail.com> <223f97700610251445l6057de25ta41c9d5534b132a2@mail.gmail.com> <453FE154.7050106@evi-inc.com> <223f97700610260023o41545d0ckeddabfa6fd7a7b6e@mail.gmail.com> <4540D2C7.5070100@evi-inc.com> Message-ID: <223f97700610260935x3cfae625ud68bf4de1bf328ca@mail.gmail.com> On 26/10/06, Matt Kettler wrote: > Glenn Steen wrote: > > On 26/10/06, Matt Kettler wrote: > >> As you've seen, anyone can create a giant "SPF hole", either by SPFing a > >> unmoderated list, or by just creating a SPF record that passes > >> everything. But > >> that's OK. This doesn't break SPF the purpose of SPF. > > > > Exactly. And as I said, it's not really SPF I don't like, but the > > "bad" admin (who has been notified about the problem... Not answering > > mails to postmaster... Sigh. For everything else, they run a very tidy > > shop, so .... this just nettles me:). > > Yeah, but my point is there's NOTHING WRONG with what this admin is doing. It's > perfectly valid and within expected behavior to do this to a public mailing list. Ok, Ok, I get it...:-). > Why would this application of SPF be bad? > > Or am I misunderstanding what you mean by "unprotected"? ie: is it a "anyone can > add subscribers" or "anyone can post"? > > If the later, it's not really much different than sourceforge. :-) > > e difference between UBS and Lehman, in a nutshell:-D. 
> > With the latter (and some other big financial players like MSCI) I > > have to use *something* to bring their score averages down, and it has > > so far been diverse def_white* things (I'm sure there are better ways > > to do this, but these suit me ATM:-) > > Ahh, so your problem here isn't really SPF, it's with using SPF based whitelist > for a site that doesn't really fit all the proper criteria for whitelisting, > because not all of their activities are trusted. :) Yup. > I agree.. whitelisting sucks, and I avoid it whenever possible. :) > > I have a total of 14 whitelist_* entries in my config beyond what SA ships with. > If you exclude whitelists for spam discussion lists (ie: this one), and parts of > my own network, I only have 8. > Completely agree. I've got 5... and a PHB that is forever bitching me to add more. So far I've had very selective hearing:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Thu Oct 26 17:44:15 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Oct 26 17:45:53 2006 Subject: [Fwd: mailscanner.info wiki site] -- Help please! In-Reply-To: <4540CC9D.4080702@ecs.soton.ac.uk> References: <4540CC9D.4080702@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Looking for a dokuwiki expert who can help me with this one please, if > someone has a few minutes? > I do not suggest you click the link in the message, it's pretty bad. I > have disarmed it... I could try to help you... just write, we'll see what we can do. > > - -------- Original Message -------- > Subject: mailscanner.info wiki site > Date: Wed, 25 Oct 2006 18:00:58 +1300 (NZDT) 
> From: Barry Murphy > Reply-To: barry@unix.co.nz > To: mailscanner@ecs.soton.ac.uk > > > > Hi, > > Are you aware of this on your doco site, its linked to porn > > http: // wiki.mailscanner.info /lib /exe /fetch.php ?id=start& media= bikini- microhtml > > Regards > Barry > > > > - -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Comment: (pgp-secured) > Charset: iso-8859-1 > > wj8DBQFFQM0fEfZZRxQVtlQRAot4AJ9N0KM7lc/tLc8BQcBogUSpY9tfBQCdFAnT > tDkjkFmNFjZy6T2I3HvXxhg= > =pwkz > -----END PGP SIGNATURE----- > From glenn.steen at gmail.com Thu Oct 26 17:46:31 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 26 17:46:34 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <4540E3D3.3010800@sbcglobal.net> References: <1E293D3FF63A3740B10AD5AAD88535D20380B2E6@UBIMAIL1.ubisoft.org> <4540E3D3.3010800@sbcglobal.net> Message-ID: <223f97700610260946v797d5ecbtfe6fc6f2a15b1a2d@mail.gmail.com> On 26/10/06, Ed Bruce wrote: > Daniel Maher wrote: > > I cannot stress enough how much adding a recipient map to postfix has helped. Right now, we poll our (Microsoft) Global Directory server once per hour, pull down the entire tree, sanitise the results (there are lots of non-RFC compliant addresses in there) and build a recipient map out of it. This has been the /single greatest step/ we've taken to reduce the amount of spam our internal Exchange servers have to deal with: down from half a million per day to around 85,000. > > > > What tool do you use to poll your Global Directory? Can't really speak for Daniel, but I use a rather simplistic bash script using ldapsearch and some more or less clever grep/sort/uniq statements. The "tricky part" was getting the query right, but not even close to rocket science:-) (Would've used the perl script, if I hadn't written this one already ...:-):-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dhawal at netmagicsolutions.com Thu Oct 26 17:48:03 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Oct 26 17:48:22 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <4540E3D3.3010800@sbcglobal.net> References: <1E293D3FF63A3740B10AD5AAD88535D20380B2E6@UBIMAIL1.ubisoft.org> <4540E3D3.3010800@sbcglobal.net> Message-ID: <4540E6C3.3010000@netmagicsolutions.com> Ed Bruce wrote: > Daniel Maher wrote: >> I cannot stress enough how much adding a recipient map to postfix has >> helped. Right now, we poll our (Microsoft) Global Directory server >> once per hour, pull down the entire tree, sanitise the results (there >> are lots of non-RFC compliant addresses in there) and build a >> recipient map out of it. This has been the /single greatest step/ >> we've taken to reduce the amount of spam our internal Exchange servers >> have to deal with: down from half a million per day to around 85,000. >> > > What tool do you use to poll your Global Directory? See http://www.postfix.org/docs.html for MS Exchange Integration. http://www.umich.edu/~malth/gaptuning/postfix http://www.unixwiz.net/techtips/postfix-exchange-users.html The 1st one is more popular.. there is also a script on the mailscanner wiki by Peter Russell (IIRC). - dhawal From telehouse at googlemail.com Thu Oct 26 18:35:56 2006 
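The recipient-map build that Daniel Maher and Glenn Steen describe in the messages above, as an added example (not code from any poster, nor from the scripts linked in the thread): it parses `ldapsearch`-style LDIF, keeps only well-formed SMTP addresses in accepted domains, and refuses to emit a map that is empty or has shrunk sharply since the last poll. The sample LDIF, the domain `example.com`, the function names and the 50% shrink threshold are all assumptions.

```python
import base64
import re

# Conservative syntax check: ASCII dot-atom local part and a dotted host name.
# Values that fail are dropped, never "repaired".
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDRESS_RE = re.compile(rf"({_ATOM}(?:\.{_ATOM})*)@({_LABEL}(?:\.{_LABEL})+)")

# Constructed sample input (not real directory data).
_ZOE_B64 = base64.b64encode("zo\u00eb@example.com".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
mail: Alice.Example@example.com
proxyAddresses: SMTP:Alice.Example@example.com
proxyAddresses: smtp:alice@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
mail: bob example@example.com
proxyAddresses: smtp:bob@example.com
proxyAddresses: smtp:a-very-long-alias-for-bob@exam
 ple.com

dn: CN=Zoe Example,OU=Staff,DC=example,DC=com
mail:: {_ZOE_B64}
proxyAddresses: smtp:zoe@example.net
proxyAddresses: smtp:zoe@example.com
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_values(text, attributes=("mail", "proxyaddresses")):
    """Yield (attribute, decoded value) for the wanted attributes."""
    for line in unfold_ldif(text):
        name, sep, rest = line.partition(":")
        if not sep or name.lower() not in attributes:
            continue
        if rest.startswith(":"):  # "attr:: <base64>" form
            try:
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
        else:
            value = rest.strip()
        yield name.lower(), value


def sanitise(name, value, domains):
    """Return the lower-cased address, or None if it must be dropped."""
    addr = value
    if name == "proxyaddresses":
        scheme, sep, addr = value.partition(":")
        if not sep or scheme.lower() != "smtp":
            return None  # X400:, sip: and similar are not SMTP recipients
    m = ADDRESS_RE.fullmatch(addr)
    if not m or len(addr) > 254 or len(m.group(1)) > 64:
        return None
    if m.group(2).lower() not in domains:
        return None  # only domains this gateway relays for
    return addr.lower()


def build_recipient_map(ldif_text, domains, previous_count=0, max_drop=0.5):
    """Return (postfix_table_text, dropped_values).

    Raises ValueError instead of returning a map that is empty or much
    smaller than the previous one: a failed or partial directory poll
    would otherwise make the MTA reject mail for valid users.
    """
    domains = {d.lower() for d in domains}
    kept, dropped = set(), []
    for name, value in ldif_values(ldif_text):
        addr = sanitise(name, value, domains)
        if addr:
            kept.add(addr)
        else:
            dropped.append(value)
    if not kept:
        raise ValueError("no valid recipients; keep the existing map")
    if previous_count and len(kept) < previous_count * (1 - max_drop):
        raise ValueError("recipient count dropped sharply; keep the existing map")
    table = "".join(f"{addr}\tOK\n" for addr in sorted(kept))
    return table, dropped


if __name__ == "__main__":
    table, dropped = build_recipient_map(SAMPLE_LDIF, ["example.com"])
    print(table, end="")
    print(f"# dropped {len(dropped)} values")
```

The returned text is in Postfix's plain lookup-table layout (`address OK`), ready to be written to a file, indexed with `postmap` and referenced from `relay_recipient_maps`.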
From: telehouse at googlemail.com (Colocation Colocation) Date: Thu Oct 26 18:35:59 2006 Subject: OT : Disaster recovery? In-Reply-To: References: <146f41cd0610251729g151c00c4n15c47a95b1060f3d@mail.gmail.com> Message-ID: <146f41cd0610261035n2206556flaf3a4b2cebc6ec7b@mail.gmail.com> I was considering virtualisation (xen enterprise) but really it didnt make sense unless i had at least two machines. I agree it would be absolutely awesome because you can just instant snapshots and save them as backups. You can also bounce vm's between physical servers quite easily, maintaining service regardless of hardware failures! I believe you can do LIVE transfers which manages to switch stuff even during live transactions with something like a 200ms switch over point. I also the the idea of building beefy boxes so that i can consolidate web-servers, e-mail servers and database servers all together. You can then ofcourse add additional servers and transfer vm's around as your needs change. On 26/10/06, Kevin Miller wrote: > > One thing we're going to be looking at RSN* is virtualization. Be nifty > to set up MailScanner, etc. as a virtual machine. Then if you box goes > down, you just start up another load the virtual snapshot and away you > go. The 'snapshot' could live on a completely different server and be > backed up just like a regular file then retrieved instantly as needed. > > Of course, you'd have to save it afresh every now and then when you > updated MS, clamav, sendmail, etc. But that's gotta be a lot easier > than building a new box from scratch! > > Bear in mind that I haven't yet done this yet, so maybe someone that has > can chime in if there's some significant gotchas... > > ...Kevin > *Real Soon Now > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > > > > > ________________________________ 
> > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Colocation Colocation > Sent: Wednesday, October 25, 2006 4:29 PM > To: MailScanner discussion > Subject: Re: OT : Disaster recovery? > > > Of course you are right! I do have a secondary MX setup to catch all the > mail if the primary goes down. That still leaves me having to reinstall > the primary as soon as possible! > > I've just done a full backup of my mail server using mondo - now to do > some testing of the restore process! > > > > On 26/10/06, Peter Russell wrote: > > > > Colocation Colocation wrote: > > So I've just spent the past 3 weeks setting up and tweaking my > > Mailscanner installation. I've done every possible tweak and > gone > > through everything with a magnifying glass and it all looks > great. > > > > So now my thoughts turn to backups. How best should i protect > my > > investment? I cannot yet justify a second box for redundancy > so if all > > goes wrong i will need to be able to quickly get my mail > server back online. > > > > Are you sure you cant afford redundancy? Sounds like that's what > you > need when you say you want to get your mail server back online > quickly. > > Consider a redundant machine even its an old server or a PC > (depending > on your demands) and then at least you can receive mail while > you repair > your main machine if required. Even if the second one is only a > backup MX... > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061026/df26a89c/attachment.html From daniel.maher at ubisoft.com Thu Oct 26 18:59:37 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Oct 26 18:59:40 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <4540E3D3.3010800@sbcglobal.net> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20380B6E0@UBIMAIL1.ubisoft.org> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Ed Bruce > Sent: October 26, 2006 12:36 PM > To: MailScanner discussion > Subject: Re: Postfix Users (and Outlook users) > > Daniel Maher wrote: > > I cannot stress enough how much adding a recipient map to postfix has > helped. Right now, we poll our (Microsoft) Global Directory server once > per hour, pull down the entire tree, sanitise the results (there are lots > of non-RFC compliant addresses in there) and build a recipient map out of > it. This has been the /single greatest step/ we've taken to reduce the > amount of spam our internal Exchange servers have to deal with: down from > half a million per day to around 85,000. > > > > What tool do you use to poll your Global Directory? http://www-personal.umich.edu/~malth/gaptuning/postfix/ Of course, you'll need to set the configs for your site, but it works like a charm! :) -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From edwardbruce at sbcglobal.net Thu Oct 26 19:46:40 2006
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Thu Oct 26 19:46:44 2006 Subject: Postfix Users (and Outlook users) In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20380B6E0@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20380B6E0@UBIMAIL1.ubisoft.org> Message-ID: <45410290.20009@sbcglobal.net> Daniel Maher wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Ed Bruce >> Sent: October 26, 2006 12:36 PM >> To: MailScanner discussion >> Subject: Re: Postfix Users (and Outlook users) >> >> Daniel Maher wrote: >> >>> I cannot stress enough how much adding a recipient map to postfix has >>> >> helped. Right now, we poll our (Microsoft) Global Directory server once >> per hour, pull down the entire tree, sanitise the results (there are lots >> of non-RFC compliant addresses in there) and build a recipient map out of >> it. This has been the /single greatest step/ we've taken to reduce the >> amount of spam our internal Exchange servers have to deal with: down from >> half a million per day to around 85,000. >> >> What tool do you use to poll your Global Directory? >> > > http://www-personal.umich.edu/~malth/gaptuning/postfix/ > > Of course, you'll need to set the configs for your site, but it works like a charm! :) > Thanks all for the replies. I will look at them and see if I can get one to work. From jimc at laridian.com Thu Oct 26 21:30:00 2006 
From: jimc at laridian.com (Jim Coates) Date: Thu Oct 26 21:32:34 2006 Subject: RCVD_IN_BSP_TRUSTED In-Reply-To: <21797DB1-8781-4E20-970A-625A60E4CDB7@technologytiger.net> Message-ID: <002601c6f93d$82f20c20$6401a8c0@zorak> >On 25 Oct 2006, at 05:37, Jim Coates wrote: > >>>> >>>> Is it any big deal to upgrade SpamAssassin when it is working with >>>> MailScanner? >>>> >>>> Thanks, >>>> Jim >>>> >> >>> www.mailscanner.info download and install the clamav and sa >>> package that >>> Jules maintains at the current release. Installs everything you >>> need to >>> upgrade/install SA. >> >> Will Julian's "easy install" for ClamAV and SpamAssassin work for a >> FreeBSD >> machine that is already running an older version of SpamAssassin >> and ClamAV? >> I'd like to bring everything up to date, but the FreeBSD ports are >> a little >> behind. > >Yes but it will be messy as it won't follow the BSD file structure >and there is a good chance that there will be libraries that won't be >found as they are some where else in BSD. > >> >> I wasn't sure whether the install.sh from Julian's download would >> install in >> the same directories etc that FreeBSD uses (which tend to be >> different from >> everyone else). > >No. I would use the ports. They aren't that far behind (Although the >MailScanner port is one version lower currently as Jan-Peter hasn't >got round to updating it yet. Don't forget to 'cvsup' your ports tree >to make sure. > >Drew My woes continue... just trying to do simple upgrade of ClamAV with the FreeBSD ports blew up. Seems that there are great deal of dependencies for the newest ClamAV that aren't supported in the version of FreeBSD we have (4.8). The hosting site is recommending upgrading everything (kernel etc) and hitting MailScanner, SpamAssassin and ClamAV while we are at it. Does that seem the most logical approach to you guys with more experience on FreeBSD? Thanks, Jim From jwilliams at courtesymortgage.com Thu Oct 26 21:57:01 2006 
From: jwilliams at courtesymortgage.com (Jason Williams) Date: Thu Oct 26 21:57:10 2006 Subject: Blocking imbedded pictures? Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD131@cmexchange01.CourtesyMortgage.local> Something that has been asked of me lately. It is pretty straightforward to block attached pictures (.gif's, jpegs etc.), but what about the ability to block items that are imbedded into actual e-mails? Is that possible through mailscanner? Is it even a valid solution to implement? I guess management is getting tired of pictures coming into the corporate network. I appreciate it. Cheers, -Jason -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061026/691c9f74/attachment.html From gordon at itnt.co.za Thu Oct 26 22:02:40 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Thu Oct 26 22:03:32 2006 Subject: RBL List selection Message-ID: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> hi all, I am finding that my incoming queue is growing to approx 1500 to 2000 messages during high message loads and on investigation it seems that a large delay is in the process of checking against the RBL's. Can anyone suggest the best minimum config to get the best result? Currently I am only pushing approx 30,000 messages a day through the server... I am using; Spam List = spamcop.net ORDB-RBL spamhaus.org spamhaus-XBL SBL+XBL NJABL SORBS-SMTP CBL RSL DSBL SORBS-DUL and Spam Domain List = SORBS-BADCONF SORBS-NOMAIL Thanks Gordon Colyn InTheNet Technologies www.itnt.co.za MSN: gordoncolyn@hotmail.com SKYPE: gordoncolyn 086 123 ITNT (4868) 086 682 5204 (Fax) +27 (0)83 296 7534 From steve.freegard at fsl.com Thu Oct 26 22:12:28 2006
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Oct 26 22:12:40 2006 Subject: RBL List selection In-Reply-To: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> Message-ID: <454124BC.3010304@fsl.com> Hi Gordon, Gordon Colyn wrote: > ITNT Banner Campaignhi all, > > I am finding that my incoming queue is groing to approx 1500 to 2000 > messages during high message loads and on investigation it seems that a > large delay is in the process of checking against the RBL's. Can anyone > suggest the best minimum config to get the best result? Currently I am only > pushing approx 30,000 messages a day through the server... > > I am using; > > Spam List = spamcop.net ORDB-RBL spamhaus.org spamhaus-XBL SBL+XBL NJABL > SORBS-SMTP CBL RSL DSBL SORBS-DUL > > and > > Spam Domain List = SORBS-BADCONF SORBS-NOMAIL > Personally - I wouldn't use any here at all. Use the sbl-xbl.spamhaus.org in your MTA to reject listed servers at the SMTP level, then let SpamAssassin score the rest of the blacklists. Cheers, Steve. From ssilva at sgvwater.com Thu Oct 26 22:24:38 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 26 22:25:10 2006 Subject: RBL List selection In-Reply-To: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> Message-ID: Gordon Colyn spake the following on 10/26/2006 2:02 PM: > ITNT Banner Campaignhi all, > > I am finding that my incoming queue is groing to approx 1500 to 2000 > messages during high message loads and on investigation it seems that a > large delay is in the process of checking against the RBL's. Can anyone > suggest the best minimum config to get the best result? Currently I am only > pushing approx 30,000 messages a day through the server... > > I am using; > > Spam List = spamcop.net ORDB-RBL spamhaus.org spamhaus-XBL SBL+XBL NJABL > SORBS-SMTP CBL RSL DSBL SORBS-DUL > > and > > Spam Domain List = SORBS-BADCONF SORBS-NOMAIL > > Thanks since you are using sbl+xbl, you can drop spamhaus-xbl, spamhaus.org, and CBL as they are all done in the sbl+xbl lookup. That drops 3 extra lookups. You could look in your logs and see if any of the lookups have a very low hitrate, or are redundant with the sbl-xbl list, which hits a lot of stuff. You could try spamassassin, as it will do multiple lookups at once, and Mailscanners spamassassin cache can help lighten the load. Have you done all the optimizing ideas in the wiki? Are you running a caching nameserver on the box? Can you put any of these in the MTA? That will drop mail before your machine even has to touch it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From gordon at itnt.co.za Thu Oct 26 22:31:35 2006 
From: gordon at itnt.co.za (Gordon Colyn) Date: Thu Oct 26 22:32:10 2006 Subject: RBL List selection References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> <454124BC.3010304@fsl.com> Message-ID: <011701c6f946$28c3def0$0d02a8c0@Gordon> Hi Steve, Unfortunately some of my clients need to get access to the quarantined blacklisted mail. I used to just reject at the MTA but have too many people complaining about loss of mail and then need to access it in quarantine. I am trying to find some middle ground.... Thanks Gordon ----- Original Message ----- From: "Steve Freegard" To: "MailScanner discussion" Sent: Thursday, October 26, 2006 11:12 PM Subject: Re: RBL List selection Hi Gordon, Gordon Colyn wrote: > ITNT Banner Campaignhi all, > > I am finding that my incoming queue is groing to approx 1500 to 2000 > messages during high message loads and on investigation it seems that a > large delay is in the process of checking against the RBL's. Can anyone > suggest the best minimum config to get the best result? Currently I am > only > pushing approx 30,000 messages a day through the server... > > I am using; > > Spam List = spamcop.net ORDB-RBL spamhaus.org spamhaus-XBL SBL+XBL NJABL > SORBS-SMTP CBL RSL DSBL SORBS-DUL > > and > > Spam Domain List = SORBS-BADCONF SORBS-NOMAIL > Personally - I wouldn't use any here at all. Use the sbl-xbl.spamhaus.org in your MTA to reject listed servers at the SMTP level, then let SpamAssassin score the rest of the blacklists. Cheers, Steve. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Thu Oct 26 22:32:21 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 26 22:35:18 2006 Subject: RBL List selection In-Reply-To: References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> Message-ID: Scott Silva spake the following on 10/26/2006 2:24 PM: > Gordon Colyn spake the following on 10/26/2006 2:02 PM: >> ITNT Banner Campaignhi all, >> >> I am finding that my incoming queue is groing to approx 1500 to 2000 >> messages during high message loads and on investigation it seems that a >> large delay is in the process of checking against the RBL's. Can anyone >> suggest the best minimum config to get the best result? Currently I am only >> pushing approx 30,000 messages a day through the server... >> >> I am using; >> >> Spam List = spamcop.net ORDB-RBL spamhaus.org spamhaus-XBL SBL+XBL NJABL >> SORBS-SMTP CBL RSL DSBL SORBS-DUL >> >> and >> >> Spam Domain List = SORBS-BADCONF SORBS-NOMAIL >> >> Thanks > since you are using sbl+xbl, you can drop spamhaus-xbl, spamhaus.org, and CBL > as they are all done in the sbl+xbl lookup. That drops 3 extra lookups. > You could look in your logs and see if any of the lookups have a very low > hitrate, or are redundant with the sbl-xbl list, which hits a lot of stuff. > You could try spamassassin, as it will do multiple lookups at once, and > Mailscanners spamassassin cache can help lighten the load. > Have you done all the optimizing ideas in the wiki? > Are you running a caching nameserver on the box? > > Can you put any of these in the MTA? That will drop mail before your machine > even has to touch it. > > SBL+XBL also includes NJABL, so there drops another lookup. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From davidn at keymarkinc.com Thu Oct 26 22:50:20 2006 
From: davidn at keymarkinc.com (David Nalley) Date: Thu Oct 26 22:49:59 2006 Subject: OT : Disaster recovery? Message-ID: <81214BB68B68BF4586FE1D82E7B3C472D00B02@kmex01.keymark.dom> Several of us on the MailWatch list were discussing putting together a VM with MailScanner + MailWatch to be put up on VMTN, with everything preconfigured as much as possible, and the remaining bits configured via a web interface or interactive firstrun script. We'd welcome any help or input. From telehouse at googlemail.com Thu Oct 26 23:00:22 2006 From: telehouse at googlemail.com (Colocation Colocation) Date: Thu Oct 26 23:00:25 2006 Subject: OT : Disaster recovery? In-Reply-To: <81214BB68B68BF4586FE1D82E7B3C472D00B02@kmex01.keymark.dom> References: <81214BB68B68BF4586FE1D82E7B3C472D00B02@kmex01.keymark.dom> Message-ID: <146f41cd0610261500l1391ef2cxf0e509196f89da80@mail.gmail.com> Super idea! Anything to make it easier for administrators to protect their mail systems can only be good for the fight against spam! On 26/10/06, David Nalley wrote: > > Several of us on the MailWatch list were discussing putting together a > VM with MailScanner + MailWatch to be put up on VMTN, with everything > preconfigured as much as possible, and the remaining bits configured via > a web interface or interactive firstrun script. We'd welcome any help or > input. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061026/84218c38/attachment.html From telehouse at googlemail.com Thu Oct 26 23:02:47 2006 
From: telehouse at googlemail.com (Colocation Colocation) Date: Thu Oct 26 23:02:52 2006 Subject: RBL List selection In-Reply-To: References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> Message-ID: <146f41cd0610261502w8400c3fq621308e0bb2c7030@mail.gmail.com> I installed a local caching name-server and that seemed to help my mail-server quite a bit. I am checking at the spamassasin level, i think its the most accurate but probably the most intensive. It seems to be common to add spamhaus at the MTA level as its considered extremely accurate so unlikely to cause many (if any at all!) false positives! On 26/10/06, Scott Silva wrote: > > Scott Silva spake the following on 10/26/2006 2:24 PM: > > Gordon Colyn spake the following on 10/26/2006 2:02 PM: > >> ITNT Banner Campaignhi all, > >> > >> I am finding that my incoming queue is groing to approx 1500 to 2000 > >> messages during high message loads and on investigation it seems that a > >> large delay is in the process of checking against the RBL's. Can > anyone > >> suggest the best minimum config to get the best result? Currently I am > only > >> pushing approx 30,000 messages a day through the server... > >> > >> I am using; > >> > >> Spam List = spamcop.net ORDB-RBL spamhaus.org spamhaus-XBL SBL+XBL > NJABL > >> SORBS-SMTP CBL RSL DSBL SORBS-DUL > >> > >> and > >> > >> Spam Domain List = SORBS-BADCONF SORBS-NOMAIL > >> > >> Thanks > > since you are using sbl+xbl, you can drop spamhaus-xbl, spamhaus.org, and > CBL > > as they are all done in the sbl+xbl lookup. That drops 3 extra lookups. > > You could look in your logs and see if any of the lookups have a very > low > > hitrate, or are redundant with the sbl-xbl list, which hits a lot of > stuff. > > You could try spamassassin, as it will do multiple lookups at once, and > > Mailscanners spamassassin cache can help lighten the load. > > Have you done all the optimizing ideas in the wiki? > > Are you running a caching nameserver on the box? 
> > > > Can you put any of these in the MTA? That will drop mail before your > machine > > even has to touch it. > > > > > SBL+XBL also includes NJABL, so there drops another lookup. > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! >

From pete at enitech.com.au Thu Oct 26 23:32:04 2006
From: pete at enitech.com.au (Peter Russell)
Date: Thu Oct 26 23:32:12 2006
Subject: Postfix Users (and Outlook users)
In-Reply-To: <45410290.20009@sbcglobal.net>
References: <1E293D3FF63A3740B10AD5AAD88535D20380B6E0@UBIMAIL1.ubisoft.org> <45410290.20009@sbcglobal.net>
Message-ID: <45413764.2060700@enitech.com.au>

Yeah we grabbed the one from that gaptuning website and built in a lot of error checking - this means that if your ldap query fails for any reason your existing recipient map isn't overwritten with no content, meaning you block all mail = not good :)

Also now send emails and stuff if it fails with error messages. AND it works for Lotus Domino. (easy to work for any LDAP I reckon)

Thanks for all the other tips I will collate them and research them a little further and try and compile them into a useful document.

Ed Bruce wrote:
> Daniel Maher wrote:
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Ed Bruce >>> Sent: October 26, 2006 12:36 PM >>> To: MailScanner discussion >>> Subject: Re: Postfix Users (and Outlook users) >>> >>> Daniel Maher wrote: >>> >>>> I cannot stress enough how much adding a recipient map to postfix has >>>> >>> helped. Right now, we poll our (Microsoft) Global Directory server once >>> per hour, pull down the entire tree, sanitise the results (there are >>> lots >>> of non-RFC compliant addresses in there) and build a recipient map >>> out of >>> it. This has been the /single greatest step/ we've taken to reduce the >>> amount of spam our internal Exchange servers have to deal with: down >>> from >>> half a million per day to around 85,000. >>> What tool do you use to poll your Global Directory? >>> >> >> http://www-personal.umich.edu/~malth/gaptuning/postfix/ >> >> Of course, you'll need to set the configs for your site, but it works >> like a charm! :) >> > Thanks all for the replies. I will look at them and see if I can get one > to work. From pete at enitech.com.au Thu Oct 26 23:32:17 2006 
From: pete at enitech.com.au (Peter Russell)
Date: Thu Oct 26 23:32:25 2006
Subject: Postfix Users (and Outlook users)
In-Reply-To: <45410290.20009@sbcglobal.net>
References: <1E293D3FF63A3740B10AD5AAD88535D20380B6E0@UBIMAIL1.ubisoft.org> <45410290.20009@sbcglobal.net>
Message-ID: <45413771.3030102@enitech.com.au>

Yeah we grabbed the one from that gaptuning website and built in a lot of error checking (see the wiki) - this means that if your ldap query fails for any reason your existing recipient map isn't overwritten with no content, meaning you block all mail = not good :)

Also now send emails and stuff if it fails with error messages. AND it works for Lotus Domino. (easy to work for any LDAP I reckon)

Thanks for all the other tips I will collate them and research them a little further and try and compile them into a useful document.

Ed Bruce wrote:
> Daniel Maher wrote:
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Ed Bruce >>> Sent: October 26, 2006 12:36 PM >>> To: MailScanner discussion >>> Subject: Re: Postfix Users (and Outlook users) >>> >>> Daniel Maher wrote: >>> >>>> I cannot stress enough how much adding a recipient map to postfix has >>>> >>> helped. Right now, we poll our (Microsoft) Global Directory server once >>> per hour, pull down the entire tree, sanitise the results (there are >>> lots >>> of non-RFC compliant addresses in there) and build a recipient map >>> out of >>> it. This has been the /single greatest step/ we've taken to reduce the >>> amount of spam our internal Exchange servers have to deal with: down >>> from >>> half a million per day to around 85,000. >>> What tool do you use to poll your Global Directory? >>> >> >> http://www-personal.umich.edu/~malth/gaptuning/postfix/ >> >> Of course, you'll need to set the configs for your site, but it works >> like a charm! :) >> > Thanks all for the replies. I will look at them and see if I can get one > to work. From wmcdonald at gmail.com Fri Oct 27 01:26:54 2006 
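The safeguard Peter Russell describes above (a failed or empty directory query must never overwrite the working recipient map), together with the sanitising step Daniel Maher mentions, as an added example; it is not the gaptuning script or the wiki version. The function names, the 50% shrink threshold and the sample addresses are assumptions, and the LDAP query is replaced by a plain list of strings.

```python
import os
import re
import tempfile

# Deliberately conservative address check (stricter than the RFCs allow):
# ASCII local part, one "@", dot-separated domain labels, alphabetic TLD.
ADDRESS_RE = re.compile(
    r"^[a-z0-9!#$%&'*+/=?^_`{|}~.-]+@"
    r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$"
)


class MapUpdateRefused(Exception):
    """The new data looks wrong; the existing map was left untouched."""


def sanitise(raw_addresses):
    """Normalise directory output and drop entries that are not usable addresses."""
    clean = set()
    for raw in raw_addresses:
        addr = raw.strip().lower()
        if addr.startswith("smtp:"):      # assumed input style: "SMTP:user@domain"
            addr = addr[len("smtp:"):]
        local = addr.split("@", 1)[0]
        if (ADDRESS_RE.match(addr) and ".." not in addr
                and not local.startswith(".") and not local.endswith(".")):
            clean.add(addr)
    return sorted(clean)


def read_map(path):
    """Return the addresses in an existing map file, or [] if there is none."""
    try:
        with open(path, encoding="ascii") as fh:
            return [ln.split()[0] for ln in fh
                    if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        return []


def update_recipient_map(path, raw_addresses, min_ratio=0.5):
    """Replace the map at `path` only if the new address list looks sane.

    Returns the number of addresses written; raises MapUpdateRefused otherwise.
    """
    new = sanitise(raw_addresses)
    old = read_map(path)
    if not new:
        raise MapUpdateRefused("query returned no usable addresses")
    if old and len(new) < len(old) * min_ratio:
        raise MapUpdateRefused(
            f"new list has {len(new)} addresses, old map has {len(old)}")

    # Write to a temporary file in the same directory, then rename it over
    # the old map: readers see either the old file or the complete new one.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".recipients-")
    try:
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.writelines(f"{addr} OK\n" for addr in new)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return len(new)


# Constructed sample of what a directory dump might contain.
SAMPLE_DIRECTORY_DUMP = [
    "SMTP:Alice@Example.com",
    "bob@example.com",
    "bob@example.com ",
    "carol smith@example.com",
    "dave@@example.com",
    "x400:c=US;a= ;p=Example",
    "erin@example.com",
    "",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "relay_recipients")
        print("written:", update_recipient_map(target, SAMPLE_DIRECTORY_DUMP))
        for bad in ([], ["alice@example.com"]):   # failed query, truncated query
            try:
                update_recipient_map(target, bad)
            except MapUpdateRefused as exc:
                print("kept old map:", exc)
        print(read_map(target))
```

After a successful update the Postfix lookup table still has to be rebuilt from the text file (`postmap`), and a refusal is the point at which to send the alert e-mail Peter mentions.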
From: wmcdonald at gmail.com (Will McDonald) Date: Fri Oct 27 01:26:57 2006 Subject: Sync config files In-Reply-To: References: Message-ID: <1f8fae340610261726h4c553d6bl87065d74f14c7ad3@mail.gmail.com> On 25/10/06, Roald wrote: > Hi! > > As I am now setting up the third MailScanner-server, I was wondering what > you use to sync the config files? /etc/MailScanner and /etc/mail are very > similar and previously I have been ssh'ing to both servers and making the > changes when adding new domains etc. But now I would like to sync them. > rsync are one alternative, any better? I have looked at cfengine, but it > seems a bit overkill for my task. You could use something like Rdist over SSH with some custom post-install 'cmdspecial' steps to tailor each config to its server if necessary? Will. From martinh at solidstatelogic.com Fri Oct 27 08:22:31 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Oct 27 08:22:52 2006 Subject: RBL List selection In-Reply-To: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> Message-ID: <4541B3B7.1010602@solidstatelogic.com> Gordon Colyn wrote: > ITNT Banner Campaignhi all, > > I am finding that my incoming queue is groing to approx 1500 to 2000 > messages during high message loads and on investigation it seems that a > large delay is in the process of checking against the RBL's. Can anyone > suggest the best minimum config to get the best result? Currently I am only > pushing approx 30,000 messages a day through the server... > > I am using; > > Spam List = spamcop.net ORDB-RBL spamhaus.org spamhaus-XBL SBL+XBL NJABL > SORBS-SMTP CBL RSL DSBL SORBS-DUL > > and > > Spam Domain List = SORBS-BADCONF SORBS-NOMAIL > > Thanks > > Gordon Colyn > InTheNet Technologies > www.itnt.co.za > MSN: gordoncolyn@hotmail.com > SKYPE: gordoncolyn > 086 123 ITNT (4868) > 086 682 5204 (Fax) > +27 (0)83 296 7534 > Gordon do you reject unknown users on the inbound MTA? I find I drop over 66% of my traffic that way. There are examples in the wiki for sendmail, exim and postfix for how to do this. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From gordon at itnt.co.za Fri Oct 27 09:09:21 2006 
From: gordon at itnt.co.za (Gordon Colyn)
Date: Fri Oct 27 09:09:57 2006
Subject: core dump files
Message-ID: <01e501c6f99f$39fb61d0$0a02a8c0@Gordon>

In the last week I am starting to suddenly get 200mb core dump files in my /var/spool/mqueue.in directory which eventually fill my hard drive.

core.16104: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, SVR4-style, from 'MailScanner'

How do I stop this?

I am running Mandriva 2006, sendmail 8.13.4, clamavmodule 0.88.5, spamassassin 3.1.7 and MailScanner 4.55.9

Regards

Gordon Colyn
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn
086 123 ITNT (4868)
086 682 5204 (Fax)
+27 (0)83 296 7534

Confidentiality: This e-mail including any attachments is intended for the above named addressee(s) only and contains confidential information. If you have received this email in error you must take no action based on its contents, nor must you reproduce or show the e-mail or any attachments or any part thereof or communicate the contents to anyone; please reply to the sender of this e-mail informing them of the error.
Viruses: We recommend that in keeping with good computing practice the recipient should ensure that e-mails received are virus free before opening.

From alvaro at hostalia.com Fri Oct 27 09:13:43 2006
From: alvaro at hostalia.com (Alvaro Marín)
Date: Fri Oct 27 09:13:49 2006
Subject: RBL List selection
In-Reply-To: <454124BC.3010304@fsl.com>
References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> <454124BC.3010304@fsl.com>
Message-ID: <4541BFB7.5030403@hostalia.com>

Hi,

> Personally - I wouldn't use any here at all. Use the
> sbl-xbl.spamhaus.org in your MTA to reject listed servers at the SMTP
> level, then let SpamAssassin score the rest of the blacklists.

Yes, and then disable that RBL on SpamAssassin to prevent it from being checked 2 times (MTA and SA).

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From lists at kush-t.co.uk Fri Oct 27 09:13:21 2006
From: lists at kush-t.co.uk (Pete Smith)
Date: Fri Oct 27 09:15:37 2006
Subject: problem starting MailScanner: dual perl config on raq4: thanks everyone
In-Reply-To: <008101c6f7ad$86296320$3701a8c0@lapxp>
References: <20061024161856.M63934@kush-t.co.uk> <008101c6f7ad$86296320$3701a8c0@lapxp>
Message-ID: <20061027081321.M93110@kush-t.co.uk>

Just a quick note to say thanks to all who chipped in with a response to my question.

I now have a working MailScanner/Spamassassin on my raq4 with a dual perl install. Time for some more memory methinks!

Thanks again.

PeTe :)

--
Kush-T Web Services (http://www.kush-t.co.uk)

From gordon at itnt.co.za Fri Oct 27 09:26:31 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Fri Oct 27 09:27:02 2006
Subject: RBL List selection
References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> <454124BC.3010304@fsl.com> <4541BFB7.5030403@hostalia.com>
Message-ID: <02ae01c6f9a1$a13dca70$0a02a8c0@Gordon>

Thanks all for the feedback, have seen a huge improvement already!

Where do I disable the RBL in spamassassin?

Gordon

----- Original Message -----
From: "Alvaro Marín"
To: "MailScanner discussion"
Sent: Friday, October 27, 2006 10:13 AM
Subject: Re: RBL List selection

Hi,

> Personally - I wouldn't use any here at all. Use the
> sbl-xbl.spamhaus.org in your MTA to reject listed servers at the SMTP
> level, then let SpamAssassin score the rest of the blacklists.

Yes, and then disable that RBL on SpamAssassin to prevent it from being checked 2 times (MTA and SA).

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From info at mevershosting.nl Fri Oct 27 09:55:25 2006
From: info at mevershosting.nl (Mevershosting.nl)
Date: Fri Oct 27 09:55:26 2006
Subject: Server Loads/hardware standards - recommendations
Message-ID: <78964AB012E2A247BA86E219659F235C6DD4D6@mevers1.meverskantoor.nl>

I just want to say WOW, We installed greylisting yesterday and the load on all our relay servers is around 1%
the average was around 10%

This greylisting gets a lot of spam out, people that worry about the delay, I have the delay set to 30 seconds and it works great,

Thanx Julian for this tip.

Richard
Mevers

-----Original Message-----
From: Julian Field [mailto:MailScanner@ecs.soton.ac.uk]
Sent: Tuesday 17 October 2006 21:29
To: MailScanner discussion
Subject: Re: Server Loads/hardware standards - recommendations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Silva wrote:
> Michael Kain spake the following on 10/17/2006 9:52 AM:
>
>> Recently, I've gone from handling 40k messages /day to nearly 30k/hour.
>> The change has surfaced in the last month or so.
>>
>> My current setup:
>> Dual P3 1.13
>> 1GB Ram
>> FC5
>>
>> Mail gateway running MS/clam/SA forwards scanned mail to internal mail
>> server (when there's a problem, users hit send/receive and that doesn't
>> cause an error..thus avoiding immediate call) I've used Julian's clam/sa
>> install script (which is awesome), and read posts relating to new
>> releases before upgrading/such.
>>
>> With spamassassin enabled, the batch list grows and grows, was up to 95k
>> at one point.. disabling SA in MS cleared that out fairly quickly. I've
>> wiped the SA/bayes temp files thinking bayes was backing up, however, it
>> seems that is not helping.
>>
>> What I would like an opinion on is this... Am I trying to do too much
>> with the hardware that I currently have? Or do I put together a bigger
>> beefier machine?
>>
>> -Mike
>>

You can make a huge difference to the amount of spam you have to process with 2 tools:

1) milter-gris
2) milter-null

Number 1 implements grey-listing.
There are a lot of discussions about greylisting on the web, and a lot of people are very wary of it initially. I was too. Then I ran a test with a handful of the fussiest email users I have (I've got about 2000 users in total). I told them I was implementing something new, but refused to tell them what, so they would not have any pre-conceptions about it. They *all* loved it, and none of them reported any problems at all. So I implemented it across all of my users, who are very fussy Computer Science and Electronics academics, as well as the students. That was about 6 months ago, since when I have had *1* complaint, which I dealt with by adding them to the whitelist for it. So my conclusion with greylisting is test it with some very fussy users, then roll it out to everyone. Number 2 implements back-scatter detection. Basically, what this does is get rid of all the "This message could not be delivered..." notices that weren't generated in response to your own users' mail. It doesn't throw away all of them, so that if your users mistype an address, they still get the error message from it. But all the delivery failure messages generated by forged spam get killed. Between these 2, you will remove 80-90% of all the mail coming into your site, without losing any genuine real mail at all. This will make your hardware go a hell of a lot further, and you will find you don't need to spend any money on new hardware at all. My MX servers used to just about cope. Then I implemented these 2 techniques and they now just tick along quite happily, getting very bored. Both of the above techniques can be done very easily in sendmail and Postfix using the milters which are available from www.snertsoft.com. I thoroughly recommend them to everyone. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFNS8QEfZZRxQVtlQRAlVDAKDAcLnmAPCpH7joNTguKkSqKazZXACg5xRc UsdsgAaMsK/YW02xH109FQw= =mOLq -----END PGP SIGNATURE-----

From alvaro at hostalia.com Fri Oct 27 10:07:52 2006
From: alvaro at hostalia.com (Alvaro Marín)
Date: Fri Oct 27 10:07:56 2006
Subject: RBL List selection
In-Reply-To: <02ae01c6f9a1$a13dca70$0a02a8c0@Gordon>
References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> <454124BC.3010304@fsl.com> <4541BFB7.5030403@hostalia.com> <02ae01c6f9a1$a13dca70$0a02a8c0@Gordon>
Message-ID: <4541CC68.5030601@hostalia.com>

Hello,

> Where do I disable the RBL in spamassassin?

For example, I use bl.spamcop.net in MTA, so in MailScanner's spam.assassin.prefs.conf I add:

score RCVD_IN_BL_SPAMCOP_NET 0

to disable that RBL (you can see the rule's name doing a grep by the RBL in SA's rules directory).

Now, reviewing this, I've in MTA sbl.spamhaus.org but I've a few messages with RCVD_IN_SBL (not scored to 0 in spam.assassin.prefs.conf):

Oct 27 09:40:18 relay MailScanner[9474]: Message 6F6916E16C3.98A09 from 83.11.59.37 (bdtelepolissro@telepolis.com) to xxxxxx.com is spam, SpamAssassin (no almacenado, puntaje=31.359, requerido 6, BAYES_99 2.00, FORGED_RCVD_HELO 0.14, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 4.00, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_SBL 3.16, RELAYCOUNTRY_ES -0.20, URIBL_AB_SURBL 3.81, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.00, URIBL_OB_SURBL 3.01, URIBL_SC_SURBL 4.50)

As I've said, RCVD_IN_SBL only appears on 9 messages...and the IPs are not listed:

http://www.spamhaus.org/query/bl?ip=83.11.59.37

The same with the other cases; strange...

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From MailScanner at ecs.soton.ac.uk Fri Oct 27 12:07:52 2006
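Scott Silva's suggestion earlier in this thread (check the logs for lists with a very low hit rate, or that are redundant with another list), applied to log lines in the layout Alvaro Marín posted above. This is an added example, not part of any post or of MailScanner; the sample lines, their IDs, addresses and scores are constructed, and the default threshold of 6 is taken from the quoted log line.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of the log line quoted above
# (localised wording included); IDs, IPs, addresses and scores are made up.
SAMPLE_LOG = """\
Oct 27 09:41:02 relay MailScanner[9474]: Message A1B2C3D4E5F.00001 from 192.0.2.10 (a@example.net) to example.com is spam, SpamAssassin (no almacenado, puntaje=9.72, requerido 6, BAYES_99 2.00, RCVD_IN_SBL 3.16, RCVD_IN_BL_SPAMCOP_NET 1.56, URIBL_BLACK 3.00)
Oct 27 09:41:05 relay MailScanner[9474]: Message A1B2C3D4E5F.00002 from 192.0.2.11 (b@example.net) to example.com is spam, SpamAssassin (no almacenado, puntaje=6.95, requerido 6, RCVD_IN_NJABL_DUL 1.95, BAYES_99 2.00, RAZOR2_CHECK 3.00)
Oct 27 09:41:09 relay MailScanner[9474]: Message A1B2C3D4E5F.00003 from 192.0.2.12 (c@example.net) to example.com is spam, SpamAssassin (no almacenado, puntaje=7.83, requerido 6, RCVD_IN_SORBS_DUL 0.88, RCVD_IN_NJABL_DUL 1.95, BAYES_99 2.00, URIBL_BLACK 3.00)
Oct 27 09:41:12 relay MailScanner[9474]: Message A1B2C3D4E5F.00004 from 192.0.2.13 (d@example.net) to example.com is spam, SpamAssassin (no almacenado, puntaje=9.00, requerido 6, BAYES_99 2.00, URIBL_BLACK 3.00, RAZOR2_CHECK 4.00)
Oct 27 09:41:15 relay MailScanner[9474]: Message A1B2C3D4E5F.00005 from 192.0.2.14 (e@example.net) to example.com is spam, SpamAssassin (no almacenado, puntaje=6.72, requerido 6, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SBL 3.16, BAYES_99 2.00)
"""

MESSAGE_RE = re.compile(
    r"Message (\S+) from \S+ .*? is spam, SpamAssassin \((.*)\)\s*$")
# "RULE_NAME score" pairs; the localised "score="/"required" words are
# lower case and therefore never match.
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+(?:\.\d+)?)")
DNSBL_PREFIX = "RCVD_IN_"


def parse_line(line):
    """Return (message_id, {rule: score}) for a spam log line, else None."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    rules = {name: float(score) for name, score in RULE_RE.findall(m.group(2))}
    return m.group(1), rules


def dnsbl_report(lines, required=6.0):
    """Count, per DNSBL rule, its hits, sole hits and decisive hits.

    sole     - no other RCVD_IN_* rule fired on that message
    decisive - without this rule's score the message drops below `required`
    The total is the sum of the listed rule scores, which matches the logged
    score up to rounding.
    """
    stats = defaultdict(lambda: {"hits": 0, "sole": 0, "decisive": 0})
    messages = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        messages += 1
        _, rules = parsed
        total = sum(rules.values())
        dnsbl = [r for r in rules if r.startswith(DNSBL_PREFIX)]
        for rule in dnsbl:
            entry = stats[rule]
            entry["hits"] += 1
            if len(dnsbl) == 1:
                entry["sole"] += 1
            if total >= required and total - rules[rule] < required:
                entry["decisive"] += 1
    return messages, dict(stats)


if __name__ == "__main__":
    count, report = dnsbl_report(SAMPLE_LOG.splitlines())
    print(f"{count} spam messages")
    for rule, s in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{rule:26} hits={s['hits']} sole={s['sole']} decisive={s['decisive']}")
```

A list with hits but no sole or decisive ones changed no verdict in the sample period, which makes it a candidate for dropping or for moving out of the lookup path.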
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Oct 27 12:09:36 2006 Subject: Blocking imbedded pictures? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD131@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD131@cmexchange01.CourtesyMortgage.local> Message-ID: <4541E888.70301@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You can't do it yet, sorry. Jason Williams wrote: > Something that has been asked of me lately. > > It is pretty straightforward to block attached pictures (.gif's, jpegs > etc.), but what about the ability to block items that are imbedded > into actual e-mails? > > Is that possible through mailscanner? Is it even a valid solution to > implement? > > I guess management is getting tired of pictures coming into the > corporate network. > > I appreciate it. > > Cheers, > > -Jason > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFQeiuEfZZRxQVtlQRAhdpAJwNEGcMKJTqvAVtZM/IT6MTGgkTjACfUIfr fkEeKEdi369aUGWlyRarK2U= =ZIbY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Fri Oct 27 12:11:24 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Oct 27 12:12:35 2006 Subject: Server Loads/hardware standards - recommendations In-Reply-To: <78964AB012E2A247BA86E219659F235C6DD4D6@mevers1.meverskantoor.nl> References: <78964AB012E2A247BA86E219659F235C6DD4D6@mevers1.meverskantoor.nl> Message-ID: <4541E95C.5030001@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glad you find greylisting to be useful, I certainly did. The next thing for you to install is milter-null from http://www.snertsoft.com/sendmail/milter-null/ This will kill all the "your message could not be delivered" messages you get hundreds of. Completely. Mevershosting.nl wrote: > I just want to say WOW, We installed greylisting yesterday and the load > on all our relay servers is around 1% > the avarage was around 10% > > This greylisting gets a lot of spam out, people that worry about the > delay, i have the delay set to 30 seconds and it works great, > > Thanx Julian for this tip. > > Richard > Mevers > > -----Oorspronkelijk bericht----- > Van: Julian Field [mailto:MailScanner@ecs.soton.ac.uk] > Verzonden: dinsdag 17 oktober 2006 21:29 > Aan: MailScanner discussion > Onderwerp: Re: Server Loads/hardware standards - recommendations > > > > > * PGP Bad Signature, Signed by an unverified key: 10/17/06 at 20:29:20 > * text/plain body > * Julian Field > * 0x1415B654 - Unverified(L) > * PGP Bad Signature, Signed by an unverified key: 10/17/06 at 20:29:20 > > Scott Silva wrote: > >> Michael Kain spake the following on 10/17/2006 9:52 AM: >> >> >>> Recently, I've gone from handling 40k messages /day to nearly >>> > 30k/hour. > >>> The change has surfaced in the last month or so. 
>>> >>> My current setup: >>> Dual P3 1.13 >>> 1GB Ram >>> FC5 >>> >>> Mail gateway running MS/clam/SA forwards scanned mail to internal >>> > mail > >>> server (when there's a problem, users hit send/receive and that >>> > doesn't > >>> cause an error..thus avoiding immediate call) I've used Julian's >>> > clam/sa > >>> install script (which is awesome), and read posts relating to new >>> releases before upgrading/such. >>> >>> With spamassassin enabled, the batch list grows and grows, was up to >>> > 95k > >>> at one point.. disabling SA in MS cleared that out fairly quickly. >>> > I've > >>> wiped the SA/bayes temp files thinking bayes was backing up, however, >>> > it > >>> seems that is not helping. >>> >>> What I would like an opinion on is this... Am I trying to do too much >>> with the hardware that I currently have? Or do I put together a >>> > bigger > >>> beefier machine? >>> >>> -Mike >>> >>> > You can make a huge difference to the amount of spam you have to process > > with 2 tools: > > 1) milter-gris > 2) milter-null > > Number 1 implements grey-listing. There are a lot of discussions about > greylisting on the web, and a lot of people are very wary of it > initially. I was too. Then I ran a test with a handful of the fussiest > email users I have (I've got about 2000 users in total). I told them I > was implementing something new, but refused to tell them what, so they > would not have any pre-conceptions about it. They *all* loved it, and > none of them reported any problems at all. So I implemented it across > all of my users, who are very fussy Computer Science and Electronics > academics, as well as the students. That was about 6 months ago, since > when I have had *1* complaint, which I dealt with by adding them to the > whitelist for it. > > So my conclusion with greylisting is test it with some very fussy users, > > then roll it out to everyone. > > Number 2 implements back-scatter detection. 
Basically, what this does is > > get rid of all the "This message could not be delivered..." notices that > > weren't generated in response to your own users' mail. It doesn't throw > away all of them, so that if your users mistype an address, they still > get the error message from it. But all the delivery failure messages > generated by forged spam get killed. > > Between these 2, you will remove 80-90% of all the mail coming into your > > site, without losing any genuine real mail at all. This will make your > hardware go a hell of a lot further, and you will find you don't need to > > spend any money on new hardware at all. > > My MX servers used to just about cope. Then I implemented these 2 > techniques and they now just tick along quite happily, getting very > bored. > > Both of the above techniques can be done very easily in sendmail and > Postfix using the milters which are available from www.snertsoft.com. I > thoroughly recommend them to everyone. > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFQeljEfZZRxQVtlQRAkbaAJ40bmP3Lr63v5JQBOIV3spTfHLAogCgjSLT Dcqj3gALlYTEJfSN8NZz7s4= =vym2 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From denis at croombs.org Fri Oct 27 13:08:56 2006 
From: denis at croombs.org (Denis Croombs)
Date: Fri Oct 27 13:09:25 2006
Subject: Server Loads/hardware standards - recommendations
In-Reply-To: <4541E95C.5030001@ecs.soton.ac.uk>
Message-ID: <200610271211.k9RCB9Jw001369@rack2.justlinux1.net>

> Glad you find greylisting to be useful, I certainly did.
>
> The next thing for you to install is milter-null from
> http://www.snertsoft.com/sendmail/milter-null/
>
> This will kill all the "your message could not be delivered"
> messages you get hundreds of. Completely.
>
>
> Mevershosting.nl wrote:
> > I just want to say WOW, We installed greylisting yesterday and the load
> > on all our relay servers is around 1%
> > the average was around 10%
> >
> > This greylisting gets a lot of spam out, people that worry about the
> > delay, I have the delay set to 30 seconds and it works great,
> >

Do you know where I can get a copy of this as the web site appears to be down at the moment.

Thanks
Denis

From adrik at salesmanager.nl Fri Oct 27 13:13:33 2006
From: adrik at salesmanager.nl (Adri Koppes)
Date: Fri Oct 27 13:13:34 2006
Subject: Server Loads/hardware standards - recommendations
Message-ID:

Julian,

> Glad you find greylisting to be useful, I certainly did.
>
> The next thing for you to install is milter-null from
> http://www.snertsoft.com/sendmail/milter-null/
>
> This will kill all the "your message could not be delivered"
> messages you get hundreds of. Completely.

From the documentation I have read, milter-null works by adding a hash value to each message sent and scans all DSN messages for the existence of the hash value and then compares it against the known values for messages sent earlier.
As a result of this, milter-null will ONLY work if the message was sent by the same smtp server, which receives the DSN report.
When using a split send and receive smtp server, or multiple servers, this means some or all DSN reports will be dropped.

Adri.

From adrik at salesmanager.nl Fri Oct 27 13:15:49 2006
From: adrik at salesmanager.nl (Adri Koppes)
Date: Fri Oct 27 13:15:51 2006
Subject: Server Loads/hardware standards - recommendations
Message-ID:

Denis,

> > Glad you find greylisting to be useful, I certainly did.
> >
> > The next thing for you to install is milter-null from
> > http://www.snertsoft.com/sendmail/milter-null/
> >
> Do you know where I can get a copy of this as the web site
> appears to be down at the moment.

I just checked, the website was up and running 5 minutes ago.

Adri.

From glenn.steen at gmail.com Fri Oct 27 13:58:34 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 27 13:58:37 2006
Subject: Sync config files
In-Reply-To: <1f8fae340610261726h4c553d6bl87065d74f14c7ad3@mail.gmail.com>
References: <1f8fae340610261726h4c553d6bl87065d74f14c7ad3@mail.gmail.com>
Message-ID: <223f97700610270558r22eb48eja6aa95e16a1c0d47@mail.gmail.com>

On 27/10/06, Will McDonald wrote:
> On 25/10/06, Roald wrote:
> > Hi!
> >
> > As I am now setting up the third MailScanner-server, I was wondering what
> > you use to sync the config files? /etc/MailScanner and /etc/mail are very
> > similar and previously I have been ssh'ing to both servers and making the
> > changes when adding new domains etc. But now I would like to sync them.
> > rsync is one alternative, any better? I have looked at cfengine, but it
> > seems a bit overkill for my task.
>
> You could use something like Rdist over SSH with some custom
> post-install 'cmdspecial' steps to tailor each config to its server if
> necessary?
>
> Will.

I always found rdist to be slightly yucky (:-), and would probably prefer a scripted solution around rsync (ssh mode) or lftp (mirror function) and straight ssh for any postprocessing. But I suppose one always tends to favour the tools one knows best (it's been quite a few years since last I fiddled with rdist)....:-).
Those mirroring tools wouldn't have the pre/post-processing inbuilt, but then... would there really be any need for such, in this case?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Oct 27 14:05:00 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 27 14:05:03 2006
Subject: core dump files
In-Reply-To: <01e501c6f99f$39fb61d0$0a02a8c0@Gordon>
References: <01e501c6f99f$39fb61d0$0a02a8c0@Gordon>
Message-ID: <223f97700610270604h4655452o313c140d74ccd862@mail.gmail.com>

On 27/10/06, Gordon Colyn wrote:
> In the last week I am starting to suddenly get 200mb
> core dump files in my /var/spool/mqueue.in directory which eventually fill
> my hard drive.
>
> core.16104: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV),
> SVR4-style, SVR4-style, from 'MailScanner'
>
> How do I stop this?
>
> I am running Mandriva 2006,
> sendmail 8.13.4,
> clamavmodule 0.88.5,
> spamassassin 3.1.7
> and MailScanner 4.55.9
>

The question is why they'd be created at all... Do you get anything in the logs around the core file creation time? Can you get a GDB "where" from it (will likely not reveal much)? Did you do some "urpmi.update -a && urpmi --auto --auto-select" (or other update) close to these starting (I run the same distro/version... always try to do the updates on my testbed first:-)? Anything in syslog or dmesg indicating a HW problem?
The last one is where I'd pool my bets....:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Oct 27 14:10:16 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Oct 27 14:11:34 2006 Subject: Server Loads/hardware standards - recommendations In-Reply-To: References: Message-ID: <45420538.6050603@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adri Koppes wrote: > Julian, > > >> Glad you find greylisting to be useful, I certainly did. >> >> The next thing for you to install is milter-null from >> http://www.snertsoft.com/sendmail/milter-null/ >> >> This will kill all the "your message could not be delivered" >> messages you get hundreds of. Completely. >> > > >From the documentation I have read, milter-null works by adding a hash > value to each message sent and scans all DSN message for the existance > of the hash value and then compares it against the know values for > messages sent earlier. > As a result of this, milter-null will ONLY work if the message was send > by the same smtp server, which receives the DSN report. > When using a split send and receive smtp server, or multiple servers, > this means some or all DSN reports will be dropped. > I use split send and receive smtp servers, and milter-null works fine. Just run it on both servers with the same "secret". Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFQgVCEfZZRxQVtlQRAomNAKDMldUheHBYjpiBuTrQba7CSp4avgCgtpAo fRrQqNSAwFVBhNOBI6EnuVA= =AzyG -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From joost at waversveld.nl Fri Oct 27 14:11:52 2006 From: joost at waversveld.nl (Joost Waversveld) Date: Fri Oct 27 14:12:13 2006 Subject: Sync config files In-Reply-To: <223f97700610270558r22eb48eja6aa95e16a1c0d47@mail.gmail.com> References: <1f8fae340610261726h4c553d6bl87065d74f14c7ad3@mail.gmail.com> <223f97700610270558r22eb48eja6aa95e16a1c0d47@mail.gmail.com> Message-ID: <45420597.1040101@waversveld.nl> Maybe you can check unison (http://www.cis.upenn.edu/~bcpierce/unison/), we use that one. Works great! Glenn Steen wrote: > On 27/10/06, Will McDonald wrote: >> On 25/10/06, Roald wrote: >> > Hi! >> > >> > As I am now setting up the third MailScanner-server, I was wondering >> what >> > you use to sync the config files? /etc/MailScanner and /etc/mail >> are very >> > similar and previously I have been ssh'ing to both servers and >> making the >> > changes when adding new domains etc. But now I would like to sync them. >> > rsync are one alternative, any better? I have looked at cfengine, >> but it >> > seems a bit overkill for my task. >> >> You could use something like Rdist over SSH with some custom >> post-install 'cmdspecial' steps to tailor each config to its server if >> necessary? >> >> Will. > > I always found rdist to be slightly yucky (:-), and would probably > prefer a scripted solution around rsynch (ssh mode) or lftp (mirror > function) and straight ssh for any postprocessing. But I suppose one > always tend to favour the tools one knows best (it's been quite a few > years since last I fiddled with rdist)....:-). > Those mirroring tools wouldn't have the pre/post-processing inbuilt, > but then... would there really be any need for such, in this case? > From AHKAPLAN at PARTNERS.ORG Fri Oct 27 15:54:06 2006 
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Fri Oct 27 15:54:14 2006 Subject: FW: SpamAssassin Troubleshooting Message-ID: <9C63A4713C4E3342B90428CE44806A73026799D0@PHSXMB5.partners.org> Hi there -- I got the following error message this morning concerning SpamAssassin: RulesDuJour Run Summary on hadron.mgh.harvard.edu: ***NOTICE***: /usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint failed. This means that you have an error somwhere in your SpamAssassin configuration. To determine what the problem is, please run '/usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint' from a shell and notice the error messages it prints. For more (debug) information, add the -D switch to the command. Usually the problem will be found in local.cf, user_prefs, or some custom rulelset found in /etc/mail/spamassassin. Here are the errors that '/usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint' reported: [24833] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc [24833] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc [24833] warn: lint: 2 issues detected, please rerun with debug enabled for more information -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ---------------------------------------------------------------------------- I ran the spamassassin --lint and -D commands and have included the results as attachments to this e-mail. The first thing that I noticed was there being a large amount of perl modules not being installed on the system. There also appears to be a problem with dcc. I'm guessing that installing the missing perl modules will be the first step, but I'm not sure what the solution is for the dcc issue. Besides that, are there any other steps that I should take to correct this problem? Thanks. -----Original Message----- 
From: Andrew Kaplan [mailto:ahk@hadron.mgh.harvard.edu] Sent: Friday, October 27, 2006 10:43 AM To: Kaplan, Andrew H. Subject: SpamAssassin Troubleshooting Send this information to the MailScanner group for help. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- [25088] dbg: logger: adding facilities: all [25088] dbg: logger: logging level is DBG [25088] dbg: generic: SpamAssassin version 3.1.0 [25088] dbg: config: score set 0 chosen. [25088] dbg: util: running in taint mode? yes [25088] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [25088] dbg: util: PATH included '/usr/kerberos/bin', keeping [25088] dbg: util: PATH included '/usr/local/bin', keeping [25088] dbg: util: PATH included '/usr/bin', keeping [25088] dbg: util: PATH included '/bin', keeping [25088] dbg: util: PATH included '/usr/X11R6/bin', keeping [25088] dbg: util: PATH included '/home/ahk/bin', which doesn't exist, dropping [25088] dbg: util: final PATH set to: /usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin [25088] dbg: dns: is Net::DNS::Resolver available? 
yes [25088] dbg: dns: Net::DNS version: 0.55 [25088] dbg: dns: name server: 132.183.1.11, family: 2, ipv6: 0 [25088] dbg: diag: perl platform: 5.008008 linux [25088] dbg: diag: module installed: Digest::SHA1, version 2.11 [25088] dbg: diag: module installed: HTML::Parser, version 3.50 [25088] dbg: diag: module installed: MIME::Base64, version 3.05 [25088] dbg: diag: module installed: DB_File, version 1.814 [25088] dbg: diag: module installed: Net::DNS, version 0.55 [25088] dbg: diag: module installed: Net::SMTP, version 2.29 [25088] dbg: diag: module not installed: Mail::SPF::Query ('require' failed) [25088] dbg: diag: module not installed: IP::Country::Fast ('require' failed) [25088] dbg: diag: module installed: Razor2::Client::Agent, version 2.82 [25088] dbg: diag: module not installed: Net::Ident ('require' failed) [25088] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed) [25088] dbg: diag: module not installed: IO::Socket::SSL ('require' failed) [25088] dbg: diag: module installed: Time::HiRes, version 1.68 [25088] dbg: diag: module installed: DBI, version 1.50 [25088] dbg: diag: module installed: Getopt::Long, version 2.35 [25088] dbg: diag: module installed: LWP::UserAgent, version 2.033 [25088] dbg: diag: module installed: HTTP::Date, version 1.47 [25088] dbg: diag: module not installed: Archive::Tar ('require' failed) [25088] dbg: diag: module not installed: IO::Zlib ('require' failed) [25088] dbg: ignore: using a test message to lint rules [25088] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [25088] dbg: config: read file /etc/mail/spamassassin/init.pre [25088] dbg: config: read file /etc/mail/spamassassin/v310.pre [25088] dbg: config: using "/usr/share/spamassassin" for sys rules pre files [25088] dbg: config: using "/usr/share/spamassassin" for default rules dir [25088] dbg: config: read file /usr/share/spamassassin/10_misc.cf [25088] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf [25088] dbg: 
config: read file /usr/share/spamassassin/20_anti_ratware.cf [25088] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf [25088] dbg: config: read file /usr/share/spamassassin/20_compensate.cf [25088] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf [25088] dbg: config: read file /usr/share/spamassassin/20_drugs.cf [25088] dbg: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf [25088] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf [25088] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf [25088] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf [25088] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf [25088] dbg: config: read file /usr/share/spamassassin/20_phrases.cf [25088] dbg: config: read file /usr/share/spamassassin/20_porn.cf [25088] dbg: config: read file /usr/share/spamassassin/20_ratware.cf [25088] dbg: config: read file /usr/share/spamassassin/20_uri_tests.cf [25088] dbg: config: read file /usr/share/spamassassin/23_bayes.cf [25088] dbg: config: read file /usr/share/spamassassin/25_accessdb.cf [25088] dbg: config: read file /usr/share/spamassassin/25_antivirus.cf [25088] dbg: config: read file /usr/share/spamassassin/25_body_tests_es.cf [25088] dbg: config: read file /usr/share/spamassassin/25_body_tests_pl.cf [25088] dbg: config: read file /usr/share/spamassassin/25_dcc.cf [25088] dbg: config: read file /usr/share/spamassassin/25_domainkeys.cf [25088] dbg: config: read file /usr/share/spamassassin/25_hashcash.cf [25088] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf [25088] dbg: config: read file /usr/share/spamassassin/25_razor2.cf [25088] dbg: config: read file /usr/share/spamassassin/25_replace.cf [25088] dbg: config: read file /usr/share/spamassassin/25_spf.cf [25088] dbg: config: read file /usr/share/spamassassin/25_textcat.cf [25088] dbg: config: read file /usr/share/spamassassin/25_uribl.cf [25088] dbg: config: read file 
/usr/share/spamassassin/30_text_de.cf [25088] dbg: config: read file /usr/share/spamassassin/30_text_fr.cf [25088] dbg: config: read file /usr/share/spamassassin/30_text_it.cf [25088] dbg: config: read file /usr/share/spamassassin/30_text_nl.cf [25088] dbg: config: read file /usr/share/spamassassin/30_text_pl.cf [25088] dbg: config: read file /usr/share/spamassassin/30_text_pt_br.cf [25088] dbg: config: read file /usr/share/spamassassin/50_scores.cf [25088] dbg: config: read file /usr/share/spamassassin/60_awl.cf [25088] dbg: config: read file /usr/share/spamassassin/60_whitelist.cf [25088] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf [25088] dbg: config: read file /usr/share/spamassassin/60_whitelist_subject.cf [25088] dbg: config: using "/etc/mail/spamassassin" for site rules dir [25088] dbg: config: read file /etc/mail/spamassassin/bogus-virus-warnings.cf [25088] dbg: config: read file /etc/mail/spamassassin/local.cf [25088] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf [25088] dbg: config: using "/home/ahk/.spamassassin" for user state dir [25088] dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file [25088] dbg: config: read file /etc/MailScanner/spam.assassin.prefs.conf [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560) [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa459bc0) [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0) [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC [25088] dbg: pyzor: network tests on, attempting Pyzor [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0xa424c9c) [25088] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::SpamCop from @INC [25088] dbg: reporter: network tests on, attempting SpamCop [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0xa463a10) [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0xa466488) [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa4e7e0c) [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa4f5934) [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xa4f65c4) [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa50337c) [25088] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i [25088] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i [25088] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i [25088] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i [25088] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i [25088] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&\#])'i [25088] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i [25088] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc [25088] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc [25088] dbg: plugin: 
Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa50337c) implements 'finish_parsing_end' [25088] dbg: replacetags: replacing tags [25088] dbg: replacetags: done replacing tags [25088] dbg: config: using "/home/ahk/.spamassassin" for user state dir [25088] dbg: bayes: no dbs present, cannot tie DB R/O: /home/ahk/.spamassassin/bayes_toks [25088] dbg: config: score set 1 chosen. [25088] dbg: message: ---- MIME PARSER START ---- [25088] dbg: message: main message type: text/plain [25088] dbg: message: parsing normal part [25088] dbg: message: added part, type: text/plain [25088] dbg: message: ---- MIME PARSER END ---- [25088] dbg: bayes: no dbs present, cannot tie DB R/O: /home/ahk/.spamassassin/bayes_toks [25088] dbg: dns: dns_available set to yes in config file, skipping test [25088] dbg: metadata: X-Spam-Relays-Trusted: [25088] dbg: metadata: X-Spam-Relays-Untrusted: [25088] dbg: message: no encoding detected [25088] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560) implements 'parsed_metadata' [25088] dbg: uridnsbl: domains to query: [25088] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-notfirsthop [25088] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted [25088] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl [25088] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted [25088] dbg: dns: checking RBL combined.njabl.org., set njabl-notfirsthop [25088] dbg: dns: checking RBL combined.njabl.org., set njabl [25088] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois [25088] dbg: dns: checking RBL list.dsbl.org., set dsbl-notfirsthop [25088] dbg: dns: checking RBL bl.spamcop.net., set spamcop [25088] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted [25088] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-notfirsthop [25088] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-notfirsthop [25088] dbg: dns: checking RBL 
dnsbl.sorbs.net., set sorbs [25088] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted [25088] dbg: check: running tests for priority: 0 [25088] dbg: rules: running header regexp tests; score so far=0 [25088] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [25088] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1161960021@lint_rules> [25088] dbg: rules: " [25088] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [25088] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org [25088] dbg: rules: " [25088] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1161960021" [25088] dbg: plugin: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa459bc0)) [25088] dbg: plugin: registering glue method for check_for_spf_helo_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) [25088] dbg: spf: message was delivered entirely via trusted relays, not required [25088] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [25088] dbg: plugin: registering glue method for check_subject_in_blacklist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa4f5934)) [25088] dbg: plugin: registering glue method for check_hashcash_value (Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa459bc0)) [25088] dbg: eval: all '*To' addrs: [25088] dbg: plugin: registering glue method for check_for_spf_neutral (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) [25088] dbg: spf: message was delivered entirely via trusted relays, not required [25088] dbg: plugin: registering glue method for check_for_spf_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) [25088] dbg: rules: ran eval rule NO_RELAYS ======> got hit [25088] dbg: plugin: registering glue method for check_for_spf_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) [25088] dbg: plugin: registering glue method for check_for_spf_helo_softfail 
(Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) [25088] dbg: plugin: registering glue method for check_for_def_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) [25088] dbg: spf: cannot get Envelope-From, cannot use SPF [25088] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [25088] dbg: plugin: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) [25088] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [25088] dbg: plugin: registering glue method for check_subject_in_whitelist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa4f5934)) [25088] dbg: plugin: registering glue method for check_for_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) [25088] dbg: spf: spf_whitelist_from: could not find useable envelope sender [25088] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit [25088] dbg: rules: running body-text per-line regexp tests; score so far=0.738 [25088] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [25088] dbg: uri: running uri tests; score so far=0.738 [25088] dbg: bayes: no dbs present, cannot tie DB R/O: /home/ahk/.spamassassin/bayes_toks [25088] dbg: bayes: not scoring message, returning undef [25088] dbg: bayes: opportunistic call attempt failed, DB not readable [25088] dbg: plugin: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560)) [25088] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.738 [25088] dbg: rules: running full-text regexp tests; score so far=0.738 [25088] dbg: plugin: registering glue method for check_pyzor (Mail::SpamAssassin::Plugin::Pyzor=HASH(0xa424c9c)) [25088] dbg: pyzor: pyzor is not available: no pyzor executable found [25088] dbg: pyzor: no pyzor found, disabling Pyzor [25088] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560) implements 'check_tick' [25088] dbg: check: running tests for priority: 
500 [25088] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560) implements 'check_post_dnsbl' [25088] dbg: rules: running meta tests; score so far=0.738 [25088] dbg: rules: running header regexp tests; score so far=2.216 [25088] dbg: rules: running body-text per-line regexp tests; score so far=2.216 [25088] dbg: uri: running uri tests; score so far=2.216 [25088] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216 [25088] dbg: rules: running full-text regexp tests; score so far=2.216 [25088] dbg: check: running tests for priority: 1000 [25088] dbg: rules: running meta tests; score so far=2.216 [25088] dbg: rules: running header regexp tests; score so far=2.216 [25088] dbg: plugin: registering glue method for check_from_in_auto_whitelist (Mail::SpamAssassin::Plugin::AWL=HASH(0xa466488)) [25088] dbg: rules: running body-text per-line regexp tests; score so far=2.216 [25088] dbg: uri: running uri tests; score so far=2.216 [25088] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216 [25088] dbg: rules: running full-text regexp tests; score so far=2.216 [25088] dbg: check: is spam? score=2.216 required=5 [25088] dbg: check: tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE [25088] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID [25088] warn: lint: 2 issues detected, please rerun with debug enabled for more information -------------- next part -------------- [25071] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc [25071] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc [25071] warn: lint: 2 issues detected, please rerun with debug enabled for more information From info at mevershosting.nl Fri Oct 27 16:08:33 2006 
From: info at mevershosting.nl (Mevershosting.nl)
Date: Fri Oct 27 16:08:35 2006
Subject: Server Loads/hardware standards - recommendations
Message-ID: <78964AB012E2A247BA86E219659F235C6DD4F1@mevers1.meverskantoor.nl>

Could somebody send me a copy of the milter-null. I am not able (for a strange reason) to create a download account.

Richard

PS: I do agree to the licence

-----Original message-----
From: Julian Field [mailto:MailScanner@ecs.soton.ac.uk]
Sent: Friday 27 October 2006 15:10
To: MailScanner discussion
Subject: Re: Server Loads/hardware standards - recommendations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adri Koppes wrote:
> Julian,
>
>
>> Glad you find greylisting to be useful, I certainly did.
>>
>> The next thing for you to install is milter-null from
>> http://www.snertsoft.com/sendmail/milter-null/
>>
>> This will kill all the "your message could not be delivered"
>> messages you get hundreds of. Completely.
>>
>
> From the documentation I have read, milter-null works by adding a hash
> value to each message sent and scans all DSN messages for the existence
> of the hash value and then compares it against the known values for
> messages sent earlier.
> As a result of this, milter-null will ONLY work if the message was sent
> by the same smtp server, which receives the DSN report.
> When using a split send and receive smtp server, or multiple servers,
> this means some or all DSN reports will be dropped.
>

I use split send and receive smtp servers, and milter-null works fine. Just run it on both servers with the same "secret".

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFQgVCEfZZRxQVtlQRAomNAKDMldUheHBYjpiBuTrQba7CSp4avgCgtpAo fRrQqNSAwFVBhNOBI6EnuVA= =AzyG -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ----- Scanned for virus and spam ----- Scanned for virus and spam From MailScanner at ecs.soton.ac.uk Fri Oct 27 16:07:43 2006 
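The exchange above (a hash added to each outgoing message, checked on incoming DSNs, and the same "secret" on split send and receive servers) can be sketched as a keyed hash that any server holding the secret can recompute. This is an added example, not milter-null's code or tag format: the `X-Bounce-Tag` header, the function names and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import EmailMessage

TAG_HEADER = "X-Bounce-Tag"  # hypothetical header name, not milter-null's own


def make_tag(secret: bytes, message_id: str) -> str:
    """Keyed hash over the Message-ID; only holders of the secret can produce it."""
    return hmac.new(secret, message_id.strip().encode(), hashlib.sha256).hexdigest()[:32]


def tag_outbound(msg: EmailMessage, secret: bytes) -> EmailMessage:
    """Sending server: stamp every outgoing message before it leaves."""
    del msg[TAG_HEADER]  # discard any tag supplied by the submitting client
    msg[TAG_HEADER] = make_tag(secret, msg["Message-ID"])
    return msg


def returned_headers(dsn):
    """Yield the header sets of original messages embedded in a DSN."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            yield message_from_string(part.get_payload())
        elif ctype == "message/rfc822":
            yield part.get_payload(0)


def check_dsn(envelope_sender: str, raw: str, secret: bytes) -> str:
    """Receiving server: accept a bounce only if it returns a tag we could have issued."""
    if envelope_sender != "<>":
        return "not-a-dsn"  # ordinary mail, left to the other filters
    for hdrs in returned_headers(message_from_string(raw)):
        tag, mid = hdrs.get(TAG_HEADER), hdrs.get("Message-ID")
        if tag and mid:
            seen = str(tag).strip().encode("utf-8", "replace")
            if hmac.compare_digest(seen, make_tag(secret, str(mid)).encode()):
                return "accept"
    return "reject"  # backscatter: bounce of mail this site never sent


def build_dsn(original: EmailMessage) -> str:
    """Constructed sample: the bounce a remote MTA would return (headers only)."""
    headers = "".join(f"{k}: {v}\n" for k, v in original.items())
    return (
        "From: MAILER-DAEMON@remote.example\n"
        "To: alice@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Your message could not be delivered.\n"
        "--b1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Final-Recipient: rfc822; bob@remote.example\n"
        "Action: failed\n"
        "Status: 5.1.1\n"
        "--b1\n"
        "Content-Type: text/rfc822-headers\n"
        "\n"
        f"{headers}"
        "--b1--\n"
    )


def demo() -> dict:
    shared = b"same-secret-on-both-servers"  # constructed value
    out = EmailMessage()
    out["From"] = "alice@example.org"
    out["To"] = "bob@remote.example"
    out["Message-ID"] = "<20061027.1@out.example.org>"
    out.set_content("hello")
    real_bounce = build_dsn(tag_outbound(out, shared))  # tagged on the sending server

    forged = EmailMessage()  # spam that forged alice@ as its sender
    forged["From"] = "alice@example.org"
    forged["Message-ID"] = "<spam.123@botnet.example>"
    forged[TAG_HEADER] = "0" * 32  # a guessed tag
    backscatter = build_dsn(forged)

    return {
        "inbound, same secret": check_dsn("<>", real_bounce, shared),
        "inbound, different secret": check_dsn("<>", real_bounce, b"other-secret"),
        "backscatter": check_dsn("<>", backscatter, shared),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because the check needs only the secret and the headers returned in the bounce, the receiving server does not need a record of what the sending server sent.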
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Oct 27 16:09:01 2006
Subject: FW: SpamAssassin Troubleshooting
In-Reply-To: <9C63A4713C4E3342B90428CE44806A73026799D0@PHSXMB5.partners.org>
References: <9C63A4713C4E3342B90428CE44806A73026799D0@PHSXMB5.partners.org>
Message-ID: <454220BF.7010309@ecs.soton.ac.uk>

My standard advice at this point is this:

1. Remove any SpamAssassin rpm packages you have got.
2. Delete all trace of SpamAssassin from your setup.
3. Download and install the install-ClamAV-SA.tar.gz (or some name like
   that) from www.mailscanner.info. It's on the downloads page.

That will install everything for you and tell you what you need to do to
get DCC and such like all working.

Kaplan, Andrew H. wrote:
> Hi there --
>
> I got the following error message this morning concerning SpamAssassin:
>
> RulesDuJour Run Summary on hadron.mgh.harvard.edu:
>
> ***NOTICE***: /usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf
> --lint failed. This means that you have an error somwhere in your SpamAssassin
> configuration. To determine what the problem is, please run
> '/usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint' from
> a shell and notice the error messages it prints. For more (debug) information,
> add the -D switch to the command. Usually the problem will be found in
> local.cf, user_prefs, or some custom rulelset found in /etc/mail/spamassassin.
> Here are the errors that '/usr/bin/spamassassin -p
> /etc/MailScanner/spam.assassin.prefs.conf --lint' reported:
>
> [24833] warn: config: failed to parse line, skipping: dcc_path
> /usr/local/bin/dccproc [24833] warn: config: failed to parse line, skipping:
> dcc_path /usr/local/bin/dccproc [24833] warn: lint: 2 issues detected, please
> rerun with debug enabled for more information
>
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner,
> and is believed to be clean.
>
> ----------------------------------------------------------------------------
>
> I ran the spamassassin --lint and -D commands and have included the results as
> attachments to this e-mail. The first thing that I noticed was there being a
> large amount of perl modules not being installed on the system. There also
> appears to be a problem with dcc.
>
> I'm guessing that installing the missing perl modules will be the first step,
> but I'm not sure what the solution is for the dcc issue. Besides that, are there
> any other steps that I should take to correct this problem? Thanks.
>
> -----Original Message-----
> From: Andrew Kaplan [mailto:ahk@hadron.mgh.harvard.edu]
> Sent: Friday, October 27, 2006 10:43 AM
> To: Kaplan, Andrew H.
> Subject: SpamAssassin Troubleshooting
>
> Send this information to the MailScanner group for help.
>
> ------------------------------------------------------------------------
>
> [25071] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
> [25071] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
> [25071] warn: lint: 2 issues detected, please rerun with debug enabled for more information
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.freegard at fsl.com Fri Oct 27 16:28:51 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Oct 27 16:29:04 2006
Subject: Server Loads/hardware standards - recommendations
In-Reply-To: <78964AB012E2A247BA86E219659F235C6DD4F1@mevers1.meverskantoor.nl>
References: <78964AB012E2A247BA86E219659F235C6DD4F1@mevers1.meverskantoor.nl>
Message-ID: <454225B3.7010604@fsl.com>

Mevershosting.nl wrote:
> Could somebody send me a copy of the milter-null.
>
> I am not able (for a strange reason) to create a download account.
>

I'd suggest whitelisting snertsoft.com/.net so you can receive the
password confirmation, then use the forgotten password link and it will
send you a new one.

Kind regards,
Steve.

P.S. I'm on the phone with Anthony at the moment -- these were his
instructions, not mine ;-)

From brian.duncan at kattenlaw.com Fri Oct 27 16:43:19 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Fri Oct 27 16:43:23 2006
Subject: Spam changes to the end instead of the beginning of the subject line.
Message-ID: <65234743FE1555428435CE39E6AC4078B38AFF@CHI-US-EXCH-01.us.kmz.com>

We currently on all Spam messages add a unique identifier to the
beginning of the subject of all messages that are determined to be
normal Scoring spam or high scoring Spam with MailScanner/SpamAssassin.

- High scoring is due to RBL failure and gets a slightly different
  unique ID to help support staff quickly identify a Spam message that
  failed because of analysis of a message Vs coming from a black-listed
  source.

Management has asked if we can continue to do the same but append the
unique ID at the end of the subject instead of the beginning.

I see in mailscanner.conf the directive:

Scanned Modify Subject = xxx

xxx can be "no", "start", or "end" for where the "scanned" text is to go.
(We have it set to NO because we DO not mark un-scanned messages)

The "Spam modify subject =" directive is set to yes.

Can we set the "Spam modify subject =" directive to "end"?

And can we set the "High Scoring Spam Modify Subject=" to "end" also?

So the actual text for messages that are Spam or High Scoring Spam is
added at the end of the subject instead of the beginning?

The comments in the mailscanner.conf do not look like it is an option.
I was really hoping it is.

Thanks
From listacct at tulsaconnect.com Fri Oct 27 17:08:58 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Fri Oct 27 17:09:07 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
Message-ID: <45422F1A.7080203@tulsaconnect.com>

Hi,

We're running MS 4.55.9 on FreeBSD 6.x/amd64 with ClamAV 0.88.5 installed
from ports. I've installed p5-Mail-ClamAV from the packages collection
(it won't compile from ports for some reason -- tried on both x86 and
amd64) and have set MS to use the clamavmodule in MailScanner.conf.
However, when I start MS, it can't seem to detect the ClamAV module:

Oct 27 11:01:28 mscan2 MailScanner[72622]: ClamAV Perl module not found, did you install it?

yet it is installed and present in the Perl module database:

cpan[1]> install Mail::ClamAV
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
Database was generated on Fri, 27 Oct 2006 10:24:39 GMT
Mail::ClamAV is up to date (0.17).

I've tried just using clamav / clamscan but it can't keep up with our
load (400,000 messages a day per box processed)..

Any pointers?

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From AHKAPLAN at PARTNERS.ORG Fri Oct 27 17:15:52 2006
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Fri Oct 27 17:15:57 2006
Subject: FW: SpamAssassin Troubleshooting
In-Reply-To: <454220BF.7010309@ecs.soton.ac.uk>
Message-ID: <9C63A4713C4E3342B90428CE44806A73026799D3@PHSXMB5.partners.org>

Hi there --

If I go with the procedure you recommend, there are several questions
that I need to ask:

1. Will MailScanner, ClamAV, and Sendmail continue to run without
   SpamAssassin, or will they be disabled until I install the new
   version? The MailScanner and Sendmail programs are those that came
   bundled with the OS, which in this case is Fedora Core 5. ClamAV is
   the rpm package group that came from the clamav website.

2. Aside from the rpm packages that I would be removing, what other
   traces of SpamAssassin should I look for and delete from the system?

3. Will the installation script that you recommend automatically detect
   the presence and configuration of MailScanner, ClamAV, and Sendmail,
   or will there be additional configuration steps that will need to be
   done?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, October 27, 2006 11:08 AM
To: MailScanner discussion
Subject: Re: FW: SpamAssassin Troubleshooting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My standard advice at this point is this:

1. Remove any SpamAssassin rpm packages you have got.
2. Delete all trace of SpamAssassin from your setup.
3. Download and install the install-ClamAV-SA.tar.gz (or some name like
   that) from www.mailscanner.info. It's on the downloads page.

That will install everything for you and tell you what you need to do to
get DCC and such like all working.

Kaplan, Andrew H. wrote:
> Hi there --
>
> I got the following error message this morning concerning SpamAssassin:
>
> RulesDuJour Run Summary on hadron.mgh.harvard.edu:
>
> ***NOTICE***: /usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf
> --lint failed. This means that you have an error somwhere in your SpamAssassin
> configuration. To determine what the problem is, please run
> '/usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint' from
> a shell and notice the error messages it prints. For more (debug) information,
> add the -D switch to the command. Usually the problem will be found in
> local.cf, user_prefs, or some custom rulelset found in /etc/mail/spamassassin.
> Here are the errors that '/usr/bin/spamassassin -p
> /etc/MailScanner/spam.assassin.prefs.conf --lint' reported:
>
> [24833] warn: config: failed to parse line, skipping: dcc_path
> /usr/local/bin/dccproc [24833] warn: config: failed to parse line, skipping:
> dcc_path /usr/local/bin/dccproc [24833] warn: lint: 2 issues detected, please
> rerun with debug enabled for more information
>
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner,
> and is believed to be clean.
>
> ----------------------------------------------------------------------------
>
> I ran the spamassassin --lint and -D commands and have included the results as
> attachments to this e-mail. The first thing that I noticed was there being a
> large amount of perl modules not being installed on the system. There also
> appears to be a problem with dcc.
>
> I'm guessing that installing the missing perl modules will be the first step,
> but I'm not sure what the solution is for the dcc issue. Besides that, are there
> any other steps that I should take to correct this problem? Thanks.
>
> -----Original Message-----
> From: Andrew Kaplan [mailto:ahk@hadron.mgh.harvard.edu]
> Sent: Friday, October 27, 2006 10:43 AM
> To: Kaplan, Andrew H.
> Subject: SpamAssassin Troubleshooting
>
> Send this information to the MailScanner group for help.
>
> ------------------------------------------------------------------------
>
[25088] dbg: pyzor: network tests on, attempting Pyzor > [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0xa424c9c) > [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC > [25088] dbg: reporter: network tests on, attempting SpamCop > [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0xa463a10) > [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC > [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0xa466488) > [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC > [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa4e7e0c) > [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC > [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa4f5934) > [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC > [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xa4f65c4) > [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC > [25088] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa50337c) > [25088] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i > [25088] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i > [25088] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i > [25088] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i > [25088] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i > [25088] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&\#])'i > [25088] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i > [25088] warn: config: failed to 
parse line, skipping: dcc_path /usr/local/bin/dccproc > [25088] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc > [25088] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa50337c) implements 'finish_parsing_end' > [25088] dbg: replacetags: replacing tags > [25088] dbg: replacetags: done replacing tags > [25088] dbg: config: using "/home/ahk/.spamassassin" for user state dir > [25088] dbg: bayes: no dbs present, cannot tie DB R/O: /home/ahk/.spamassassin/bayes_toks > [25088] dbg: config: score set 1 chosen. > [25088] dbg: message: ---- MIME PARSER START ---- > [25088] dbg: message: main message type: text/plain > [25088] dbg: message: parsing normal part > [25088] dbg: message: added part, type: text/plain > [25088] dbg: message: ---- MIME PARSER END ---- > [25088] dbg: bayes: no dbs present, cannot tie DB R/O: /home/ahk/.spamassassin/bayes_toks > [25088] dbg: dns: dns_available set to yes in config file, skipping test > [25088] dbg: metadata: X-Spam-Relays-Trusted: > [25088] dbg: metadata: X-Spam-Relays-Untrusted: > [25088] dbg: message: no encoding detected > [25088] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560) implements 'parsed_metadata' > [25088] dbg: uridnsbl: domains to query: > [25088] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-notfirsthop > [25088] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted > [25088] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl > [25088] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted > [25088] dbg: dns: checking RBL combined.njabl.org., set njabl-notfirsthop > [25088] dbg: dns: checking RBL combined.njabl.org., set njabl > [25088] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois > [25088] dbg: dns: checking RBL list.dsbl.org., set dsbl-notfirsthop > [25088] dbg: dns: checking RBL bl.spamcop.net., set spamcop > [25088] dbg: dns: checking RBL sa-trusted.bondedsender.org., set 
bsp-firsttrusted > [25088] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-notfirsthop > [25088] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-notfirsthop > [25088] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs > [25088] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted > [25088] dbg: check: running tests for priority: 0 > [25088] dbg: rules: running header regexp tests; score so far=0 > [25088] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" > [25088] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1161960021@lint_rules> > [25088] dbg: rules: " > [25088] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" > [25088] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org > [25088] dbg: rules: " > [25088] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1161960021" > [25088] dbg: plugin: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa459bc0)) > [25088] dbg: plugin: registering glue method for check_for_spf_helo_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) > [25088] dbg: spf: message was delivered entirely via trusted relays, not required > [25088] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org > [25088] dbg: plugin: registering glue method for check_subject_in_blacklist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa4f5934)) > [25088] dbg: plugin: registering glue method for check_hashcash_value (Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa459bc0)) > [25088] dbg: eval: all '*To' addrs: > [25088] dbg: plugin: registering glue method for check_for_spf_neutral (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) > [25088] dbg: spf: message was delivered entirely via trusted relays, not required > [25088] dbg: plugin: registering glue method for check_for_spf_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) > 
[25088] dbg: rules: ran eval rule NO_RELAYS ======> got hit > [25088] dbg: plugin: registering glue method for check_for_spf_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) > [25088] dbg: plugin: registering glue method for check_for_spf_helo_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) > [25088] dbg: plugin: registering glue method for check_for_def_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) > [25088] dbg: spf: cannot get Envelope-From, cannot use SPF > [25088] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender > [25088] dbg: plugin: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) > [25088] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit > [25088] dbg: plugin: registering glue method for check_subject_in_whitelist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa4f5934)) > [25088] dbg: plugin: registering glue method for check_for_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0xa47c8c0)) > [25088] dbg: spf: spf_whitelist_from: could not find useable envelope sender > [25088] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit > [25088] dbg: rules: running body-text per-line regexp tests; score so far=0.738 > [25088] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" > [25088] dbg: uri: running uri tests; score so far=0.738 > [25088] dbg: bayes: no dbs present, cannot tie DB R/O: /home/ahk/.spamassassin/bayes_toks > [25088] dbg: bayes: not scoring message, returning undef > [25088] dbg: bayes: opportunistic call attempt failed, DB not readable > [25088] dbg: plugin: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560)) > [25088] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.738 > [25088] dbg: rules: running full-text regexp tests; score so far=0.738 > [25088] dbg: plugin: registering glue method for check_pyzor 
(Mail::SpamAssassin::Plugin::Pyzor=HASH(0xa424c9c)) > [25088] dbg: pyzor: pyzor is not available: no pyzor executable found > [25088] dbg: pyzor: no pyzor found, disabling Pyzor > [25088] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560) implements 'check_tick' > [25088] dbg: check: running tests for priority: 500 > [25088] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560) implements 'check_post_dnsbl' > [25088] dbg: rules: running meta tests; score so far=0.738 > [25088] dbg: rules: running header regexp tests; score so far=2.216 > [25088] dbg: rules: running body-text per-line regexp tests; score so far=2.216 > [25088] dbg: uri: running uri tests; score so far=2.216 > [25088] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216 > [25088] dbg: rules: running full-text regexp tests; score so far=2.216 > [25088] dbg: check: running tests for priority: 1000 > [25088] dbg: rules: running meta tests; score so far=2.216 > [25088] dbg: rules: running header regexp tests; score so far=2.216 > [25088] dbg: plugin: registering glue method for check_from_in_auto_whitelist (Mail::SpamAssassin::Plugin::AWL=HASH(0xa466488)) > [25088] dbg: rules: running body-text per-line regexp tests; score so far=2.216 > [25088] dbg: uri: running uri tests; score so far=2.216 > [25088] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216 > [25088] dbg: rules: running full-text regexp tests; score so far=2.216 > [25088] dbg: check: is spam? 
score=2.216 required=5 > [25088] dbg: check: tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_N ONE > [25088] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MS GID,__UNUSABLE_MSGID > [25088] warn: lint: 2 issues detected, please rerun with debug enabled for more information > > ------------------------------------------------------------------------ > > [25071] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc > [25071] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc > [25071] warn: lint: 2 issues detected, please rerun with debug enabled for more information > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFQiDIEfZZRxQVtlQRAofwAKC6b/B2PpXlAqCU5sFBfXFF/0EAIgCePxPw Ua/aYboYHBgQxrFiyWn4v2g= =kq7S -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rgreen at trayerproducts.com Fri Oct 27 18:26:16 2006 
From: rgreen at trayerproducts.com (Rodney Green)
Date: Fri Oct 27 18:27:13 2006
Subject: MailScanner/Postfix question
Message-ID: <45424138.5030506@trayerproducts.com>

Hello,

I'm using MailScanner version 4.37.7 and Postfix 2.0.20. Does anyone
foresee any problems with an upgrade to the latest version of Postfix,
without upgrading MailScanner?

Thanks,
Rod

From dstraka at caspercollege.edu Fri Oct 27 18:55:10 2006
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Fri Oct 27 18:55:50 2006
Subject: Spam Detection Around 55%
Message-ID: <4541F39F.61A4.0000.0@caspercollege.edu>

I've seen the number of spam detected as high as 82% of all incoming email
on Sundays. On weekdays that number drops down to around 55% and I'd say
that a lot (2000 or so) are getting through on those days. A lot of them
are the stock spam with gif. Here's what spamassassin --lint
returns...does this indicate a problem that if fixed would make a big
difference? I don't know anything about configuring the pyzor or dcc
things.

mail1:/home/dstraka # spamassassin --lint
[13926] warn: config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
[13926] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[13926] warn: lint: 2 issues detected, please rerun with debug enabled for more information

Thanks...Dan

Dan Straka
Systems Coordinator
Casper College
307.268.2399

From mkettler at evi-inc.com Fri Oct 27 19:12:09 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Oct 27 19:12:26 2006
Subject: Spam Detection Around 55%
In-Reply-To: <4541F39F.61A4.0000.0@caspercollege.edu>
References: <4541F39F.61A4.0000.0@caspercollege.edu>
Message-ID: <45424BF9.9000407@evi-inc.com>

Daniel Straka wrote:
> I've seen the number of spam detected as high as 82% of all incoming email
> on Sundays. On weekdays that number drops down to around 55% and I'd say
> that a lot (2000 or so) are getting through on those days. A lot of them
> are the stock spam with gif. Here's what spamassassin --lint
> returns...does this indicate a problem that if fixed would make a big
> difference? I don't know anything about configuring the pyzor or dcc
> things.
>
> mail1:/home/dstraka # spamassassin --lint
> [13926] warn: config: SpamAssassin failed to parse line,
> "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path
> /usr/bin/pyzor
> [13926] warn: config: failed to parse line, skipping: dcc_path
> /usr/local/bin/dccproc
> [13926] warn: lint: 2 issues detected, please rerun with debug enabled
> for more information

If you don't have DCC, or pyzor, comment out their lines in
spam.assassin.prefs.conf.

Why those are even present in this file is beyond me. Why does
MailScanner decide I've installed dcc in /usr/local/bin? What if I
installed it with PREFIX=/usr?

It's my own opinion that *everything* in that file should be commented
out by default, except "envelope_sender_header".

I could *maybe* see keeping "use_auto_whitelist", but only because I
think the AWL isn't ready to be run on production servers (it lacks
reasonable expiry).

The bayes_ignore_header settings are a good idea, but are useless unless
manually edited. Thus, they should be commented out by default.

All the rest of the options that are in there aren't a function of
MailScanner, they're a function of other aspects of your system.
The existing file assumes:
    you have DCC and pyzor installed, and have enabled their plugins
    you don't use NFS, so flock is safe
    you have working DNS (likely, but not always true)
    you don't want to use the AWL.

The last 3 are probably safe for 99% of sites, but the NFS bit could
really bite someone in the butt.

From mikej at rogers.com Fri Oct 27 19:17:16 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Fri Oct 27 19:17:14 2006
Subject: MailScanner/Postfix question
In-Reply-To: <45424138.5030506@trayerproducts.com>
References: <45424138.5030506@trayerproducts.com>
Message-ID: <45424D2C.80205@rogers.com>

Rodney Green wrote:
>
> Hello,
>
> I'm using MailScanner version 4.37.7 and Postfix 2.0.20. Does anyone
> foresee any problems with an upgrade to the latest version of Postfix,
> without upgrading MailScanner?

If you want to use postfix 2.3, you should upgrade to the latest version
of MS as there are bugs in earlier versions between the two. Otherwise
you should be fine with Postfix 2.2. In any case, both are quite old and
you should consider upgrading both.

From glenn.steen at gmail.com Fri Oct 27 19:17:39 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 27 19:17:42 2006
Subject: MailScanner/Postfix question
In-Reply-To: <45424138.5030506@trayerproducts.com>
References: <45424138.5030506@trayerproducts.com>
Message-ID: <223f97700610271117l5b4dce32s9008fb6339905356@mail.gmail.com>

On 27/10/06, Rodney Green wrote:
>
> Hello,
>
> I'm using MailScanner version 4.37.7 and Postfix 2.0.20. Does anyone
> foresee any problems with an upgrade to the latest version of Postfix,
> without upgrading MailScanner?
>
> Thanks,
> Rod
>

Since that old version there have been a slew of patches geared at
(better) postfix support (for newer versions of PF).
So yes, I'd guess there is a good chance of problems. The exact nature
is more than I remember:-).
Why not make it one big happy newly updated system, and throw in
updates for Clam/SA (use Jules package, it is very nice) as well as
MailScanner;-).

Or do you have some compelling reason to stick with that version?
If you have a free host, why not set up a testbed and run things
through on that first? That way you'd know what to expect:-).

Cheers,
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rgreen at trayerproducts.com Fri Oct 27 19:34:11 2006
From: rgreen at trayerproducts.com (Rodney Green)
Date: Fri Oct 27 19:34:52 2006
Subject: MailScanner/Postfix question
In-Reply-To: <223f97700610271117l5b4dce32s9008fb6339905356@mail.gmail.com>
References: <45424138.5030506@trayerproducts.com> <223f97700610271117l5b4dce32s9008fb6339905356@mail.gmail.com>
Message-ID: <45425123.6050900@trayerproducts.com>

Glenn Steen wrote:
> Since that old version there have been a slew of patches geared at
> (better) postfix support (for newer versions of PF).
> So yes, I'd guess there is a good chance of problems. The exact nature
> is more than I remember:-).
> Why not make it one big happy newly updated system, and throw in
> updates for Clam/SA (use Jules package, it is very nice) as well as
> MailScanner;-).
>
> Or do you have some compelling reason to stick with that version?
> If you have a free host, why not set up a testbed and run things
> through on that first? That way you'd know what to expect:-).
>
> Cheers,

Thanks guys. The reason I haven't upgraded is that things are working
now and I'd hate to mess everything up. The main reason I want to
upgrade Postfix is so I can use greylisting. My current version doesn't
have the check_policy_service feature. I'll probably just wait a bit and
do some testing before upgrading.

Thanks again,
Rod

From norbert.schmidt at interactivedata.com Fri Oct 27 20:46:05 2006
From: norbert.schmidt at interactivedata.com (Norbert Schmidt)
Date: Fri Oct 27 20:46:22 2006
Subject: Norbert Schmidt is out of the office.
Message-ID:

I will be out of the office starting 27.10.2006 and will not return
until 06.11.2006.

I'll answer your mail when I get back. If it is an urgent problem,
please contact joerg.weiskirch@interactivedata.com

I will answer your mail after my return...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061027/e2d0f421/attachment.html

From martinh at solidstatelogic.com Fri Oct 27 20:57:45 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 27 20:57:55 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
In-Reply-To: <45422F1A.7080203@tulsaconnect.com>
References: <45422F1A.7080203@tulsaconnect.com>
Message-ID: <454264B9.8090706@solidstatelogic.com>

TCIS List Acct wrote:
> Hi,
>
> We're running MS 4.55.9 on FreeBSD 6.x/amd64 with ClamAV 0.88.5
> installed from ports. I've installed p5-Mail-ClamAV from the packages
> collection (it won't compile from ports for some reason -- tried on both
> x86 and amd64) and have set MS to use the clamavmodule in
> MailScanner.conf. However, when I start MS, it can't seem to detect the
> ClamAV module:
>
> Oct 27 11:01:28 mscan2 MailScanner[72622]: ClamAV Perl module not found,
> did you install it?
>
> yet it is installed and present in the Perl module database:
>
> cpan[1]> install Mail::ClamAV
> CPAN: Storable loaded ok
> Going to read /root/.cpan/Metadata
> Database was generated on Fri, 27 Oct 2006 10:24:39 GMT
> Mail::ClamAV is up to date (0.17).
>
> I've tried just using clamav / clamscan but it can't keep up with our
> load (400,000 messages a day per box processed)..
>
> Any pointers?
>

Hi

just run the normal clamav scanner from MailScanner.conf - there's
little if any difference in performance.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager. This footnote confirms that this email message has
been swept for the presence of computer viruses and is believed to be
clean.
**********************************************************************

From martinh at solidstatelogic.com Fri Oct 27 20:58:47 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 27 20:58:55 2006
Subject: MailScanner/Postfix question
In-Reply-To: <45424138.5030506@trayerproducts.com>
References: <45424138.5030506@trayerproducts.com>
Message-ID: <454264F7.2020200@solidstatelogic.com>

Rodney Green wrote:
>
> Hello,
>
> I'm using MailScanner version 4.37.7 and Postfix 2.0.20. Does anyone
> foresee any problems with an upgrade to the latest version of Postfix,
> without upgrading MailScanner?
>
> Thanks,
> Rod
>

Rod

I'd upgrade MailScanner first, then Postfix. The latest PF doesn't do
split spools by default anymore and you'll need a more modern
MailScanner to cope with that.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Fri Oct 27 21:01:24 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Oct 27 21:01:49 2006
Subject: Spam Detection Around 55%
In-Reply-To: <4541F39F.61A4.0000.0@caspercollege.edu>
References: <4541F39F.61A4.0000.0@caspercollege.edu>
Message-ID: <45426594.9020101@solidstatelogic.com>

Daniel Straka wrote:
> I've seen the number of spam detected as high as 82% of all incoming email
> on Sundays. On weekdays that number drops down to around 55% and I'd say
> that a lot (2000 or so) are getting through on those days. A lot of them
> are the stock spam with gif. Here's what spamassassin --lint
> returns...does this indicate a problem that if fixed would make a big
> difference? I don't know anything about configuring the pyzor or dcc
> things.
>
> mail1:/home/dstraka # spamassassin --lint
> [13926] warn: config: SpamAssassin failed to parse line,
> "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path
> /usr/bin/pyzor
> [13926] warn: config: failed to parse line, skipping: dcc_path
> /usr/local/bin/dccproc
> [13926] warn: lint: 2 issues detected, please rerun with debug enabled
> for more information
>
> Thanks...Dan
>
>
> Dan Straka
> Systems Coordinator
> Casper College
> 307.268.2399
>

Daniel

Also could be you've not enabled the DCC/pyzor plugins in
/etc/mail/spamassassin/*.pre

Try the SARE stock rule from www.rulesemporium.com (and the other SARE
rules as well), in order to get your spam detection better.
--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From mrm at medicine.wisc.edu Fri Oct 27 22:09:08 2006
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Fri Oct 27 22:09:45 2006
Subject: dcc logs
Message-ID: <45422F22.7FBE.00FC.3@medicine.wisc.edu>

I see that the /var/dcc/log folder on my mailscanner machine is getting
to be rather large. Do I need to keep these log files around for
anything, or can I clean them out?

Mike

From listacct at tulsaconnect.com Fri Oct 27 22:15:04 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Fri Oct 27 22:15:04 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
In-Reply-To: <454264B9.8090706@solidstatelogic.com>
References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com>
Message-ID: <454276D8.4000209@tulsaconnect.com>

Martin Hepworth wrote:
> Hi
>
> just run the normal clamav scanner from MailScanner.conf - there's
> little if any difference in performance.
>

I thought the point of the Perl ClamAV module was increased performance?

When I run the normal clamav scanner, the clamscan processes chew up too
much CPU and take too long to scan the mail as compared to f-prot on the
same box.

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From mike at vesol.com Fri Oct 27 22:23:18 2006
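The replies in the "Spam Detection Around 55%" thread above name two causes for the lint warnings: the helper is not installed (Matt Kettler) or its plugin is not enabled in /etc/mail/spamassassin/*.pre (Martin Hepworth). The script below is an added example, not part of any post and not MailScanner or SpamAssassin code; it sorts each skipped directive into one of those cases. The function names, verdict strings and directive-to-plugin mapping are assumptions of this example, and the sample lint lines are constructed from the warnings quoted in the thread.

```shell
#!/bin/sh
# Added example: triage the dcc_path / pyzor_path warnings printed by
# `spamassassin --lint`. Not MailScanner or SpamAssassin code.
# Usage: spamassassin --lint 2>&1 | sh sa_lint_triage.sh /etc/mail/spamassassin

# Constructed sample input, modelled on the warnings quoted in the thread.
sample_lint() {
    cat <<'EOF'
[13926] warn: config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
[13926] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[13926] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[13926] warn: lint: 2 issues detected, please rerun with debug enabled for more information
EOF
}

# Print each config line that lint reported as skipped, de-duplicated.
skipped_lines() {
    sed -n 's/^.*warn: config: .*skipping: \(.*\)$/\1/p' | sort -u
}

# Directive -> plugin that defines it (mapping assumed for this example).
plugin_for() {
    case "$1" in
        dcc_path)   echo DCC ;;
        pyzor_path) echo Pyzor ;;
        *)          return 1 ;;
    esac
}

# Succeeds if DIR/*.pre has an uncommented loadplugin line for the plugin.
plugin_loaded() {
    grep -Eqs "^[[:space:]]*loadplugin[[:space:]]+Mail::SpamAssassin::Plugin::$1([[:space:]]|\$)" "$2"/*.pre
}

# diagnose DIRECTIVE PATH PRE_DIR -> prints "<directive> <verdict>".
diagnose() {
    if ! plugin=$(plugin_for "$1"); then
        echo "$1 unknown-directive"
    elif ! plugin_loaded "$plugin" "$3"; then
        echo "$1 plugin-not-loaded"     # enable it in *.pre, or comment the line out
    elif [ ! -x "$2" ]; then
        echo "$1 binary-missing"        # install the helper, or comment the line out
    else
        echo "$1 check-debug-output"    # neither cause applies; rerun lint with -D
    fi
}

# Read lint output on stdin and classify every skipped directive.
triage() {
    skipped_lines | while read -r directive value; do
        diagnose "$directive" "$value" "$1"
    done
}

# Print PREFS_FILE with DIRECTIVE commented out; the file is not modified.
comment_out() {
    sed "s/^\([[:space:]]*\)\($2[[:space:]]\)/\1# \2/" "$1"
}

# Run only when a .pre directory is given, so the functions can be reused.
if [ $# -ge 1 ]; then
    triage "$1"
fi
```

`comment_out /etc/MailScanner/spam.assassin.prefs.conf dcc_path` prints the edited file for review; run `spamassassin --lint` again after applying the change.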
From: mike at vesol.com (Mike Kercher)
Date: Fri Oct 27 22:24:01 2006
Subject: dcc logs
In-Reply-To: <45422F22.7FBE.00FC.3@medicine.wisc.edu>
Message-ID:

mailscanner-bounces@lists.mailscanner.info <> scribbled on :

> I see that the /var/dcc/log folder on my mailscanner machine
> is getting
> to be rather large. Do I need to keep these log files around for
> anything, or can I clean them out?
>
> Mike

My dcc logs nothing to that directory. Are you starting a dcc process or
do you let MS call it as needed?

Mike

From pete at enitech.com.au Fri Oct 27 23:00:38 2006
From: pete at enitech.com.au (Pete Russell)
Date: Fri Oct 27 23:02:23 2006
Subject: MailScanner/Postfix question
In-Reply-To: <45425123.6050900@trayerproducts.com>
References: <45424138.5030506@trayerproducts.com> <223f97700610271117l5b4dce32s9008fb6339905356@mail.gmail.com> <45425123.6050900@trayerproducts.com>
Message-ID: <45428186.5080403@enitech.com.au>

>
> Thanks guys. The reason I haven't upgraded is that things are working
> now and I'd hate
> to mess everything up. The main reason I want to upgrade Postfix is so I
> can use greylisting.
> My current version doesn't have the check_policy_service feature. I'll
> probably just wait
> a bit and do some testing before upgrading.
>
> Thanks again,
> Rod
>

I am the same as you, but following the guide for upgrades in the wiki
(on an rpm based machine) is VERY simple, will take you 10-15min. Part
of that guide is making a backup so worst case is you roll back to your
old version.

Upgrade MailScanner first, then clamav-sa using Jules package - it's
pretty simple, it will surprise you. Make sure you watch the screen for
instructions at the end of each task. Ask on the list if you get stuck.

I haven't upgraded postfix for ages for the same reason but I intend to
this week.

From kwang at ucalgary.ca Fri Oct 27 23:22:21 2006
From: kwang at ucalgary.ca (Kai Wang) Date: Fri Oct 27 23:22:26 2006 Subject: How does MailScanner docide which spamassassin rules dir to use In-Reply-To: References: <223f97700610211550y43a4980aq14b58b499312da09@mail.gmail.com> Message-ID: <4542869D.8020007@ucalgary.ca> Got it. Everything works after I configured "SpamAssassin Local State Dir =". Anthony Cartmell wrote: >> As good a method as any...:-). What rules differed? Only bayes, or >> distinct others? > > All rules in /etc/mail/spamassassin were run, no rules in > /var/lib/spamassassin/ were. That included all the default > spamassassin rules, including the bayes ones. > >> Ok, so both you and Kai have installed SA by way of some RPM package >> you yummed (?)... If so, perhaps one should start wondering if there >> is a slightly crippled SA rpm floating around... Did you try Jules >> (excellent and easy) clamav+sa package? > > Nope, since I now have everything working OK using the Fedora Core > package of spamassassin, I'm leaving it that way. The only issue was > including /var/lib/spamassassin, and "use"ing one spamassassin package > for FuzzyOcr. > > Cheers! > > Anthony > --www.fonant.com - Quality web sites > --MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Kai Wang System Services Information Technologies, University of Calgary, 2500 University Drive, N.W., Calgary, Alberta, Canada T2N 1N4 Phone (403) 220-2423, Fax (403) 282-9361 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From res at ausics.net Fri Oct 27 23:42:29 2006 
From: res at ausics.net (Res) Date: Fri Oct 27 23:42:39 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: <454276D8.4000209@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> Message-ID: On Fri, 27 Oct 2006, TCIS List Acct wrote: > > > Martin Hepworth wrote: > >> Hi >> >> just run the normal clamav scanner from MAilScanner.conf - there's little >> if any difference in performance. >> > > I thought the point of the Perl ClamAV module was increased performance? > > When I run the normal clamav scanner, the clamscan processes chew up too much > CPU and take too long to scan the mail as compared to f-prot on the same box. > I found this problem also when doing hundreds of messages per batch, so stopped using it and moved to f-prot and problem gone, the cost of f-prot is well worth it. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From ugob at camo-route.com Fri Oct 27 23:56:33 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Oct 27 23:57:14 2006 Subject: dcc logs In-Reply-To: <45422F22.7FBE.00FC.3@medicine.wisc.edu> References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> Message-ID: Michael Masse wrote: > I see that the /var/dcc/log folder on my mailscanner machine is getting > to be rather large. Do I need to keep these log files around for > anything, or can I clean them out? > > Mike > Look in /var/dcc/dcc_conf for this line: DBCLEAN_LOGDAYS= I set it to two (you may set it lower). And make sure you run the cronjob that comes with dcc. /var/dcc/libexec/cron-dccd From r.berber at computer.org Sat Oct 28 00:53:26 2006 
From: r.berber at computer.org (René Berber) Date: Sat Oct 28 00:53:42 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: <454276D8.4000209@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> Message-ID: TCIS List Acct wrote: > > Martin Hepworth wrote: > >> Hi >> >> just run the normal clamav scanner from MAilScanner.conf - there's >> little if any difference in performance. >> > > I thought the point of the Perl ClamAV module was increased performance? I think Martin is wrong and the MS documentation does recommend using the perl module for performance reasons. > When I run the normal clamav scanner, the clamscan processes chew up too > much CPU and take too long to scan the mail as compared to f-prot on the > same box. If performance is the objective you could modify the clamav wrapper to use clamdscan (and start using clamd). -- René Berber From res at ausics.net Sat Oct 28 01:07:36 2006 
From: res at ausics.net (Res) Date: Sat Oct 28 01:07:45 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> Message-ID: On Fri, 27 Oct 2006, René Berber wrote: > I think Martin is wrong and the MS documentation does recommend using the perl > module for performance reasons. The perl module can't handle constantly large batches, it used to bail all the time, although clamscan itself handled it with high loading, installed f-prot and rarely a splirt on the load above spamassassin. f-prot might not be free but it's worth every cent, the server could handle several times what it used to, disable SA and it quadruples again. Incidentally for those who remember me abusing spamassassin... once I removed dcc on the problem server, the problem rarely became an issue, SA is still overall not super fast, but with all those rules I s'pose something gotta give :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From r.berber at computer.org Sat Oct 28 01:38:26 2006 
From: r.berber at computer.org (René Berber) Date: Sat Oct 28 01:58:21 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> Message-ID: Res wrote: > On Fri, 27 Oct 2006, René Berber wrote: > >> I think Martin is wrong and the MS documentation does recommend using >> the perl >> module for performance reasons. > > The perl module can't handle constantly large batches, it used to bail > all the time, although clamscan itself handled it with high loading, > installed f-prot and rarely a splirt on the load above spamassassin. [snip] Interesting info. Perhaps it is time to _change_ the clamav wrapper and start using clamdscan, why? two reasons: 1. To handle high loads, like Res' experience shows. Some actual experience with clamdscan would be useful; it is designed for situations like the ones where MS works (perhaps this is the 3rd reason). 2. To use when there are no alternatives, f-prot is good for Linux servers but what is available for Solaris/BSD/OS-X/etc. ? -- René Berber From listacct at tulsaconnect.com Sat Oct 28 04:02:17 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Sat Oct 28 04:02:41 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> Message-ID: <4542C839.50103@tulsaconnect.com> René Berber wrote: > 2. To use when there are no alternatives, f-prot is good for Linux servers but > what is available for Solaris/BSD/OS-X/etc. ? f-prot is available on several UNIX platforms, including Linux, Solaris, and FreeBSD. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From res at ausics.net Sat Oct 28 09:25:54 2006 
From: res at ausics.net (Res) Date: Sat Oct 28 09:26:02 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> Message-ID: On Fri, 27 Oct 2006, René Berber wrote: > 2. To use when there are no alternatives, f-prot is good for Linux servers but > what is available for Solaris/BSD/OS-X/etc. ? It is available for Solaris and BSD. Not sure about OS-X. The linux "home version" is exactly that, none of us should be using that on our mail servers, OK, you might get away with it for a few hours for a good test, but running it on mail servers 24/7 infringes on the license agreement, and it's a tax writeoff buying the lic anyway :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Oct 28 09:29:35 2006 From: res at ausics.net (Res) Date: Sat Oct 28 09:29:41 2006 Subject: OT: Spamhaus petition rejected - followup from previous discussion In-Reply-To: <453F79D0.5070805@sendit.nodak.edu> References: <453D1C9A.7FBE.00FC.3@medicine.wisc.edu> <453E218C.1050908@sendit.nodak.edu> <453E3EBE.50706@sbcglobal.net> <453F79D0.5070805@sendit.nodak.edu> Message-ID: On Wed, 25 Oct 2006, Richard Frovarp wrote: Richard, I'll get to this post over the weekend, it's huge and will take some time :) This is not the SH list, postfix list, spam assassin list, how to do backups list, legals list and who knows what else list that's clearly OT, in fact it's so far offtopic like most of the noise to signal ratio lately, I'll respond offlist. -- Res From gordon at itnt.co.za Sat Oct 28 11:13:10 2006 
From: gordon at itnt.co.za (Gordon Colyn) Date: Sat Oct 28 11:13:41 2006 Subject: Error installing MailScanner 4.57.1.1 Message-ID: <013801c6fa79$b1f5f170$5e7025c4@Gordon> I am getting the following error when installing Mailscanner; /usr/share/man/man3/ExtUtils::MakeMaker::vmsish.3pm.gz /usr/share/man/man3/ExtUtils::MakeMaker::Config.3pm.gz /usr/bin/instmodshX' = X ']' + /usr/share/spec-helper/spec-helper Cleaning files...done Compressing files...done Stripping files...done Relativisation of symlinks...done Building libraries symlinks...done Processing files: perl-ExtUtils-MakeMaker-6.30-1 error: File not found: /var/tmp/perl-ExtUtils-MakeMaker-6.30-1-root/usr/share/man/man1/instmodsh.1.gz error: File not found: /var/tmp/perl-ExtUtils-MakeMaker-6.30-1-root/usr/share/man/man3/ExtUtils::MM_OS2.3pm.gz The above files are definitely there..... I am installing on Mandriva 2006, with perl-5.8.7. Regards Gordon Colyn InTheNet Technologies www.itnt.co.za MSN: gordoncolyn@hotmail.com SKYPE: gordoncolyn 086 123 ITNT (4868) 086 682 5204 (Fax) +27 (0)83 296 7534 Confidentiality: This e-mail including any attachments is intended for the above named addressee(s) only and contains confidential information. If you have received this email in error you must take no action based on its contents, nor must you reproduce or show the e-mail or any attachments or any part thereof or communicate the contents to anyone; please reply to the sender of this e-mail informing them of the error. Viruses: We recommend that in keeping with good computing practice the recipient should ensure that e-mails received are virus free before opening. From gordon at itnt.co.za Sat Oct 28 11:58:50 2006 
From: gordon at itnt.co.za (Gordon Colyn) Date: Sat Oct 28 11:59:16 2006 Subject: Error installing MailScanner 4.57.1.1 References: <013801c6fa79$b1f5f170$5e7025c4@Gordon> Message-ID: <017301c6fa80$104e4280$5e7025c4@Gordon> ok fixed, installed ExtUtils::MakeMaker manually and all worked out fine From glenn.steen at gmail.com Sat Oct 28 12:18:40 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Oct 28 12:18:43 2006 Subject: Error installing MailScanner 4.57.1.1 In-Reply-To: <017301c6fa80$104e4280$5e7025c4@Gordon> References: <013801c6fa79$b1f5f170$5e7025c4@Gordon> <017301c6fa80$104e4280$5e7025c4@Gordon> Message-ID: <223f97700610280418t6a611f3bo7fc5a859b7849137@mail.gmail.com> On 28/10/06, Gordon Colyn wrote: > ok fixed, installed ExtUtils::MakeMaker manually and all worked out fine > > ----- Original Message ----- 
> From: "Gordon Colyn" > To: "MailScanner discussion" > Sent: Saturday, October 28, 2006 12:13 PM > Subject: Error installing MailScanner 4.57.1.1 > > > I am getting the following error when installing > Mailscanner; > > /usr/share/man/man3/ExtUtils::MakeMaker::vmsish.3pm.gz > /usr/share/man/man3/ExtUtils::MakeMaker::Config.3pm.gz > /usr/bin/instmodshX' = X ']' > + /usr/share/spec-helper/spec-helper > Cleaning files...done > Compressing files...done > Stripping files...done > Relativisation of symlinks...done > Building libraries symlinks...done > Processing files: perl-ExtUtils-MakeMaker-6.30-1 > error: File not found: > /var/tmp/perl-ExtUtils-MakeMaker-6.30-1-root/usr/share/man/man1/instmodsh.1.gz > error: File not found: > /var/tmp/perl-ExtUtils-MakeMaker-6.30-1-root/usr/share/man/man3/ExtUtils::MM_OS2.3pm.gz > > The above files are definitely there..... > > I am installing on Mandriva 2006, with perl-5.8.7. Seen this too (same distro/version), but ... Does the install halt with that, or continue? IIRC you already have a fairly modern ExtUtils::MakeMaker module (same version ISTR), so you should be able to just ignore it. I'll just have to VPN a bit.... # rpm -qf /usr/lib/perl5/5.8.7/ExtUtils/MakeMaker.pm perl-5.8.7-3.2.20060mdk Hm, slightly older (version 6.17) but have had no problems with it. The rpm install will conflict with the above package, so won't be able to install anyway. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From root at doctor.nl2k.ab.ca Sat Oct 28 12:38:53 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sat Oct 28 12:39:22 2006 Subject: MailScanner 4.57 Message-ID: <20061028113853.GB10199@doctor.nl2k.ab.ca> So far so good on my system. Anyone else using this? From root at doctor.nl2k.ab.ca Sat Oct 28 12:38:17 2006 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sat Oct 28 12:44:46 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: <4542C839.50103@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <4542C839.50103@tulsaconnect.com> Message-ID: <20061028113816.GA10199@doctor.nl2k.ab.ca> On Fri, Oct 27, 2006 at 10:02:17PM -0500, TCIS List Acct wrote: > > > René Berber wrote: > > >2. To use when there are no alternatives, f-prot is good for Linux servers > >but > >what is available for Solaris/BSD/OS-X/etc. ? > > f-prot is available on several UNIX platforms, including Linux, Solaris, > and FreeBSD. > Clamav rock AFAIK. > -- > > ----------------------------------------- > Mike Bacher / listacct@tulsaconnect.com > TCIS - TulsaConnect Internet Services > http://www.tulsaconnect.com > ----------------------------------------- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From listacct at tulsaconnect.com Sat Oct 28 15:34:23 2006 
From: listacct at tulsaconnect.com (TCIS List Acct) Date: Sat Oct 28 15:34:35 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: <20061028113816.GA10199@doctor.nl2k.ab.ca> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <4542C839.50103@tulsaconnect.com> <20061028113816.GA10199@doctor.nl2k.ab.ca> Message-ID: <45436A6F.50505@tulsaconnect.com> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > Clamav rock AFAIK. Yes, it rocks and then rolls over under heavy load.. :-) -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From MailScanner at ecs.soton.ac.uk Sat Oct 28 16:22:53 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Oct 28 16:26:09 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: <45422F1A.7080203@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> Message-ID: <454375CD.5050101@ecs.soton.ac.uk> Are you sure you only have 1 Perl installed? TCIS List Acct wrote: > Hi, > > We're running MS 4.55.9 on FreeBSD 6.x/amd64 with ClamAV 0.88.5 > installed from ports. I've installed p5-Mail-ClamAV from the packages > collection (it won't compile from ports for some reason -- tried on > both x86 and amd64) and have set MS to use the clamavmodule in > MailScanner.conf. However, when I start MS, it can't seem to detect > the ClamAV module: > > Oct 27 11:01:28 mscan2 MailScanner[72622]: ClamAV Perl module not > found, did you install it? > > yet it is installed and present in the Perl module database: > > cpan[1]> install Mail::ClamAV > CPAN: Storable loaded ok > Going to read /root/.cpan/Metadata > Database was generated on Fri, 27 Oct 2006 10:24:39 GMT > Mail::ClamAV is up to date (0.17). > > I've tried just using clamav / clamscan but it can't keep up with our > load (400,000 messages a day per box processed).. > > Any pointers? > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
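The question in the message above (is there more than one Perl installed?) can be checked mechanically. The script below is an added example, not part of the thread and not MailScanner's own code: it reads the "#!" line of a start script, lists every perl on a search path, and reports which of them can load a module. All function names are hypothetical, and the demo runs against constructed stand-in "perl" stubs and a constructed stand-in script rather than a real installation.

```shell
#!/bin/sh
# Added example: which perl runs a script, and can that perl (or only some
# other perl on the system) load a given module?

# Print every executable file named "perl" in a colon-separated search path.
list_perls() {
    (
        IFS=:
        set -f                       # no globbing on path elements
        for dir in $1; do
            [ -n "$dir" ] || continue
            if [ -f "$dir/perl" ] && [ -x "$dir/perl" ]; then
                printf '%s\n' "$dir/perl"
            fi
        done
    )
}

# Print the interpreter from a script's "#!" line; "env perl" is resolved
# through PATH. Switches after the interpreter (such as -I) are not replayed.
script_interpreter() {
    line=$(sed -n '1s/^#![[:space:]]*//p' "$1")
    [ -n "$line" ] || return 1
    set -f; set -- $line; set +f
    case ${1##*/} in
        env) command -v "$2" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# True when the given perl can load the module from its own @INC.
can_load() {
    "$1" -M"$2" -e 1 </dev/null >/dev/null 2>&1
}

# One line per perl: "<path> <yes|no>", with a marker on the script's perl.
# Arguments: script, module, search path.
audit_module() {
    used=$(script_interpreter "$1") || used=
    module=$2
    {
        list_perls "$3"
        [ -z "$used" ] || printf '%s\n' "$used"
    } | awk '!seen[$0]++' | while IFS= read -r perl; do
        if can_load "$perl" "$module"; then state=yes; else state=no; fi
        if [ "$perl" = "$used" ]; then
            printf '%s %s <- runs the script\n' "$perl" "$state"
        else
            printf '%s %s\n' "$perl" "$state"
        fi
    done
}

# Verdict: ok (the script's perl has the module), other-perl (only a
# different perl has it), or missing (no perl on the path has it).
diagnose() {
    report=$(audit_module "$1" "$2" "$3")
    case $report in
        *' yes <- runs the script'*) echo ok ;;
        *' yes'*)                    echo other-perl ;;
        *)                           echo missing ;;
    esac
}

# Constructed test bed: two stand-in "perl" stubs (shell scripts, not real
# perl) and a stand-in start script whose "#!" line names the first stub.
make_sandbox() {
    mkdir -p "$1/usr-bin" "$1/usr-local-bin"
    printf '#!/bin/sh\nexit 2\n' > "$1/usr-bin/perl"
    printf '#!/bin/sh\ncase $1 in -MMail::ClamAV) exit 0;; esac\nexit 2\n' \
        > "$1/usr-local-bin/perl"
    chmod +x "$1/usr-bin/perl" "$1/usr-local-bin/perl"
    printf '#!%s -I/constructed/lib\n# stand-in script\n' "$1/usr-bin/perl" \
        > "$1/MailScanner"
}

demo() {
    box=$(mktemp -d) || return 1
    make_sandbox "$box"
    audit_module "$box/MailScanner" Mail::ClamAV "$box/usr-bin:$box/usr-local-bin"
    diagnose "$box/MailScanner" Mail::ClamAV "$box/usr-bin:$box/usr-local-bin"
    rm -rf "$box"
}

# Real use: sh thisfile /path/to/start-script Mail::ClamAV [search-path]
if [ "$#" -ge 2 ]; then
    audit_module "$1" "$2" "${3:-$PATH}"
    diagnose "$1" "$2" "${3:-$PATH}"
else
    demo
fi
```

A verdict of other-perl matches the symptom in the thread: the CPAN shell reports the module as installed, but it lives under a perl other than the one named on the start script's "#!" line.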
From MailScanner at ecs.soton.ac.uk Sat Oct 28 16:25:38 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Oct 28 16:26:19 2006 Subject: FW: SpamAssassin Troubleshooting In-Reply-To: <9C63A4713C4E3342B90428CE44806A73026799D3@PHSXMB5.partners.org> References: <9C63A4713C4E3342B90428CE44806A73026799D3@PHSXMB5.partners.org> Message-ID: <45437672.9030207@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kaplan, Andrew H. wrote: > Hi there -- > > If I go with the procedure you recommend, there are several questions that I > need to ask: > > 1. Will MailScanner, ClamAV, and Sendmail continue to run without SpamAssassin, > or will they be disabled until I install the new version? The MailScanner and > Sendmail programs are those that came bundled with OS, which > in this case is Fedora Core 5. ClamAV is the rpm package group that came from > the clamav website. > They should continue to run without SpamAssassin. do a "MailScanner --lint" to check what virus scanners it finds installed. Don't call a virus scanner in "Virus Scanners = " that doesn't get found by a --lint. Remove the ClamAV rpm as well as the SpamAssassin rpms. > 2. Aside from the rpm packages that I would be removing, what other traces of > SpamAssassin should I look for and delete from the system? > Mostly just /etc/mail/spamassassin. > 3. Will the installation script that you recommend, automatically detect > the presence and configuration of MailScanner, ClamAV, and Sendmail or will > there be additional configuration steps that will need to be done? > It will tell you what you need to do at the end, just read the instructions. > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Friday, October 27, 2006 11:08 AM > To: MailScanner discussion > Subject: Re: FW: SpamAssassin Troubleshooting > > > > * PGP Bad Signature, Signed by an unverified key: 10/27/06 at 16:07:52 > * text/plain body > * postcards.org > * 0x1415B654 - Unverified(L) > * PGP Bad Signature, Signed by an unverified key: 10/27/06 at 16:07:52 > > My standard advice at this point is this: > > 1. Remove any SpamAssassin rpm packages you have got. > 2. Delete all trace of SpamAssassin from your setup. > 3. Download and install the install-ClamAV-SA.tar.gz (or some name like > that) from www.mailscanner.info. It's on the downloads page. That will > install everything for you and tell you what you need to do to get DCC > and such like all working. > > > Kaplan, Andrew H. wrote: > >> Hi there -- >> >> I got the following error message this morning concerning SpamAssassin: >> >> RulesDuJour Run Summary on hadron.mgh.harvard.edu: >> >> ***NOTICE***: /usr/bin/spamassassin -p >> > /etc/MailScanner/spam.assassin.prefs.conf > >> --lint failed. This means that you have an error somwhere in your >> > SpamAssassin > >> configuration. To determine what the problem is, please run >> '/usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint' >> > from > >> a shell and notice the error messages it prints. For more (debug) >> > information, > >> add the -D switch to the command. Usually the problem will be found in >> local.cf, user_prefs, or some custom rulelset found in /etc/mail/spamassassin. 
>> Here are the errors that '/usr/bin/spamassassin -p >> /etc/MailScanner/spam.assassin.prefs.conf --lint' reported: >> >> [24833] warn: config: failed to parse line, skipping: dcc_path >> /usr/local/bin/dccproc [24833] warn: config: failed to parse line, skipping: >> dcc_path /usr/local/bin/dccproc [24833] warn: lint: 2 issues detected, please >> rerun with debug enabled for more information >> >> >> -- >> This message has been scanned for viruses and dangerous content by >> > MailScanner, > >> and is believed to be clean. >> >> ---------------------------------------------------------------------------- >> >> I ran the spamassassin --lint and -D commands and have included the results as >> attachments to this e-mail. The first thing that I noticed was there being a >> large amount of perl modules not being installed on the system. There also >> appears to be a problem with dcc. >> >> I'm guessing that installing the missing perl modules will be the first step, >> but I'm not sure what the solution is for the dcc issue. Besides that, are >> > there > >> any other steps that I should take to correct this problem? Thanks. >> >> -----Original Message----- 
>> From: Andrew Kaplan [mailto:ahk@hadron.mgh.harvard.edu] >> Sent: Friday, October 27, 2006 10:43 AM >> To: Kaplan, Andrew H. >> Subject: SpamAssassin Troubleshooting >> >> Send this information to the MailScanner group for help. >> >> ------------------------------------------------------------------------ >> >> [25088] dbg: logger: adding facilities: all >> [25088] dbg: logger: logging level is DBG >> [25088] dbg: generic: SpamAssassin version 3.1.0 >> [25088] dbg: config: score set 0 chosen. >> [25088] dbg: util: running in taint mode? yes >> [25088] dbg: util: taint mode: deleting unsafe environment variables, >> > resetting PATH > >> [25088] dbg: util: PATH included '/usr/kerberos/bin', keeping >> [25088] dbg: util: PATH included '/usr/local/bin', keeping >> [25088] dbg: util: PATH included '/usr/bin', keeping >> [25088] dbg: util: PATH included '/bin', keeping >> [25088] dbg: util: PATH included '/usr/X11R6/bin', keeping >> [25088] dbg: util: PATH included '/home/ahk/bin', which doesn't exist, >> > dropping > >> [25088] dbg: util: final PATH set to: >> > /usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin > >> [25088] dbg: dns: is Net::DNS::Resolver available? 
yes >> [25088] dbg: dns: Net::DNS version: 0.55 >> [25088] dbg: dns: name server: 132.183.1.11, family: 2, ipv6: 0 >> [25088] dbg: diag: perl platform: 5.008008 linux >> [25088] dbg: diag: module installed: Digest::SHA1, version 2.11 >> [25088] dbg: diag: module installed: HTML::Parser, version 3.50 >> [25088] dbg: diag: module installed: MIME::Base64, version 3.05 >> [25088] dbg: diag: module installed: DB_File, version 1.814 >> [25088] dbg: diag: module installed: Net::DNS, version 0.55 >> [25088] dbg: diag: module installed: Net::SMTP, version 2.29 >> [25088] dbg: diag: module not installed: Mail::SPF::Query ('require' failed) >> [25088] dbg: diag: module not installed: IP::Country::Fast ('require' failed) >> [25088] dbg: diag: module installed: Razor2::Client::Agent, version 2.82 >> [25088] dbg: diag: module not installed: Net::Ident ('require' failed) >> [25088] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed) >> [25088] dbg: diag: module not installed: IO::Socket::SSL ('require' failed) >> [25088] dbg: diag: module installed: Time::HiRes, version 1.68 >> [25088] dbg: diag: module installed: DBI, version 1.50 >> [25088] dbg: diag: module installed: Getopt::Long, version 2.35 >> [25088] dbg: diag: module installed: LWP::UserAgent, version 2.033 >> [25088] dbg: diag: module installed: HTTP::Date, version 1.47 >> [25088] dbg: diag: module not installed: Archive::Tar ('require' failed) >> [25088] dbg: diag: module not installed: IO::Zlib ('require' failed) >> [25088] dbg: ignore: using a test message to lint rules >> [25088] dbg: config: using "/etc/mail/spamassassin" for site rules pre files >> [25088] dbg: config: read file /etc/mail/spamassassin/init.pre >> [25088] dbg: config: read file /etc/mail/spamassassin/v310.pre >> [25088] dbg: config: using "/usr/share/spamassassin" for sys rules pre files >> [25088] dbg: config: using "/usr/share/spamassassin" for default rules dir >> [25088] dbg: config: read file 
/usr/share/spamassassin/10_misc.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_anti_ratware.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_compensate.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_drugs.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_phrases.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_porn.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_ratware.cf >> [25088] dbg: config: read file /usr/share/spamassassin/20_uri_tests.cf >> [25088] dbg: config: read file /usr/share/spamassassin/23_bayes.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_accessdb.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_antivirus.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_body_tests_es.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_body_tests_pl.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_dcc.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_domainkeys.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_hashcash.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_razor2.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_replace.cf >> [25088] dbg: config: read file 
/usr/share/spamassassin/25_spf.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_textcat.cf >> [25088] dbg: config: read file /usr/share/spamassassin/25_uribl.cf >> [25088] dbg: config: read file /usr/share/spamassassin/30_text_de.cf >> [25088] dbg: config: read file /usr/share/spamassassin/30_text_fr.cf >> [25088] dbg: config: read file /usr/share/spamassassin/30_text_it.cf >> [25088] dbg: config: read file /usr/share/spamassassin/30_text_nl.cf >> [25088] dbg: config: read file /usr/share/spamassassin/30_text_pl.cf >> [25088] dbg: config: read file /usr/share/spamassassin/30_text_pt_br.cf >> [25088] dbg: config: read file /usr/share/spamassassin/50_scores.cf >> [25088] dbg: config: read file /usr/share/spamassassin/60_awl.cf >> [25088] dbg: config: read file /usr/share/spamassassin/60_whitelist.cf >> [25088] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf >> [25088] dbg: config: read file /usr/share/spamassassin/60_whitelist_subject.cf >> [25088] dbg: config: using "/etc/mail/spamassassin" for site rules dir >> [25088] dbg: config: read file /etc/mail/spamassassin/bogus-virus-warnings.cf >> [25088] dbg: config: read file /etc/mail/spamassassin/local.cf >> [25088] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf >> [25088] dbg: config: using "/home/ahk/.spamassassin" for user state dir >> [25088] dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for >> > user prefs file > >> [25088] dbg: config: read file /etc/MailScanner/spam.assassin.prefs.conf >> [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC >> [25088] dbg: plugin: registered >> > Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa44e560) > >> [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC >> [25088] dbg: plugin: registered >> > Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa459bc0) > >> [25088] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC >> [25088] dbg: plugin: registered >> > 
>> [25071] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
>> [25071] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
>> [25071] warn: lint: 2 issues detected, please rerun with debug enabled for more information
>>
>
> Jules
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFQ3aEEfZZRxQVtlQRAhEBAKD8Qb9NJobVi7Sf2Q+rFdjc5IZSpQCeNxjc
HXqeS+DcFXyQxDEIOxWPiFM=
=qMFk
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Sat Oct 28 16:22:02 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Oct 28 16:26:27 2006
Subject: Spam changes to the end instead of the beginning of the subject line.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38AFF@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38AFF@CHI-US-EXCH-01.us.kmz.com>
Message-ID: <4543759A.7060303@ecs.soton.ac.uk>

I don't think you can do this at the moment, but I guess I could add it.
Exactly what options do you want it available in?
Would you be prepared to donate to get the feature? Please? Pretty Please? :-)

thanks,
Jules.

Duncan, Brian M. wrote:
> We currently on all Spam messages add a unique identifier to the
> beginning of the subject of all messages that are determined to be normal
> Scoring spam or high scoring Spam with MailScanner/SpamAssassin. - High
> scoring is due to RBL failure and gets a slightly different unique ID to
> help support staff quickly identify a Spam message that failed because
> of analysis of a message Vs coming from a black-listed source.
>
> Management has asked if we can continue to do the same but append the
> unique ID at the end of the subject instead of the beginning.
>
> I see in mailscanner.conf the directive:
>
> Scanned Modify Subject = xxx
>
> xxx can be "no", "start", or "end" for where the "scanned" text is to
> go. (We have it set to NO because we DO not mark un-scanned messages)
>
> The "Spam modify subject =" directive is set to yes. Can we set the
> "Spam modify subject =" directive to "end"?
>
> And can we set the "High Scoring Spam Modify Subject=" to "end" also?
>
> So the actual text for messages that are Spam or High Scoring Spam is
> added at the end of the subject instead of the beginning?
>
> The comments in the mailscanner.conf do not look like it is an option.
> I was really hoping it is.
>
> Thanks
>

Jules

From MailScanner at ecs.soton.ac.uk Sat Oct 28 16:32:28 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Oct 28 16:36:05 2006
Subject: Spam Detection Around 55%
In-Reply-To: <45424BF9.9000407@evi-inc.com>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com>
Message-ID: <4543780C.5010302@ecs.soton.ac.uk>

Matt Kettler wrote:
> Daniel Straka wrote:
>
>> I've seen number of spam detected as high as 82% of all incoming email
>> on Sundays. On weekdays that number drops down to around 55% and I'd say
>> that a lot (2000 or so) are getting through on those days. A lot of them
>> are the stock spam with gif. Here's what spamassassin --lint
>> returns...does this indicate problem that if fixed would make a big
>> difference? I don't know anything about configuring the pyzor or dcc
>> things.
>>
>> mail1:/home/dstraka # spamassassin --lint
>> [13926] warn: config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
>> [13926] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
>> [13926] warn: lint: 2 issues detected, please rerun with debug enabled for more information
>>
>
> If you don't have DCC, or pyzor, comment out their lines in
> spam.assassin.prefs.conf.
>
> Why those are even present in this file is beyond me.
>
> Why does MailScanner decide I've installed dcc in /usr/local/bin. What if I
> installed it with PREFIX=/usr?
>
> It's my own opinion that *everything* in that file should be commented out by
> default, except "envelope_sender_header".
>
> I could *maybe* see keeping "use_auto_whitelist", but only because I think the
> AWL isn't ready to be run on production servers (it lacks reasonable expiry)
>
> the bayes_ignore_header settings are a good idea, but are useless unless
> manually edited. Thus, they should be commented out by default.
>
> All the rest of the options that are in there aren't a function of MailScanner,
> they're a function of other aspects of your system.
>
> The existing file assumes:
>
> you have DCC and pyzor installed, and have enabled their plugins
> you don't use NFS, so flock is safe
> you have working DNS (likely, but not always true)
> you don't want to use the AWL.
>
> The last 3 are probably safe for 99% of sites, but the NFS bit could really bite
> someone in the butt.
>

I set them to sensible values that will be correct for 99% of my users, particularly the less knowledgeable ones. I don't know anyone who runs a mail server with no dns, it would make lots of things rather hard. If you run a mail server with no dns successfully, you probably know enough to be able to tweak 1 config file.

You are quite entitled to your opinions, and you are quite entitled to edit the config files too. They aren't rules, they are just a starting point for your own edits.

I'm not going to get into an argument over this, it's a straight difference of opinion. You have your view, I have mine. Let's just agree to disagree.

Jules

From MailScanner at ecs.soton.ac.uk Sat Oct 28 16:37:12 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Oct 28 16:41:10 2006
Subject: dcc logs
In-Reply-To:
References:
Message-ID: <45437928.3040303@ecs.soton.ac.uk>

Mike Kercher wrote:
> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>
>> I see that the /var/dcc/log folder on my mailscanner machine is getting
>> to be rather large. Do I need to keep these log files around for
>> anything, or can I clean them out?
>>
>> Mike
>>
>
> My dcc logs nothing to that directory. Are you starting a dcc process
> or do you let MS call it as needed?
>
> Mike
>

I found a rather large dcc log directory myself recently too. The directory metadata (as reported by ls -ld on the directory) was over 70 MBytes! So it must have had a few hundred thousand files in it.

I have since changed
DCCM_LOG_AT=50
in /var/dcc/dcc_conf and it has stopped it.

Jules

From MailScanner at ecs.soton.ac.uk Sat Oct 28 16:39:29 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Oct 28 16:41:15 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
In-Reply-To:
References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com>
Message-ID: <454379B1.8040404@ecs.soton.ac.uk>

Res wrote:
> On Fri, 27 Oct 2006, TCIS List Acct wrote:
>
>> Martin Hepworth wrote:
>>
>>> Hi
>>>
>>> just run the normal clamav scanner from MAilScanner.conf - there's
>>> little if any difference in performance.
>>>
>>
>> I thought the point of the Perl ClamAV module was increased performance?
>>
>> When I run the normal clamav scanner, the clamscan processes chew up
>> too much CPU and take too long to scan the mail as compared to f-prot
>> on the same box.
>>
>
> I found this problem also when doing hundreds of messages per batch,
> so stopped using it and moved to f-prot and problem gone, the cost of
> f-prot is well worth it.

I personally wouldn't recommend hundreds of messages per batch, the process sizes will get enormous. I would recommend clamavmodule as it avoids the startup cost of running the binary.

>
>

Jules

From MailScanner at ecs.soton.ac.uk Sat Oct 28 16:44:05 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Oct 28 16:46:07 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
In-Reply-To:
References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com>
Message-ID: <45437AC5.1030902@ecs.soton.ac.uk>

René Berber wrote:
> Res wrote:
>
>> On Fri, 27 Oct 2006, René Berber wrote:
>>
>>> I think Martin is wrong and the MS documentation does recommend using
>>> the perl module for performance reasons.
>>>
>> The perl module can't handle constantly large batches, it used to bail
>> all the time, although clamscan itself handled it with high loading,
>> installed f-prot and rarely a splirt on the load above spamassassin.
>>
> [snip]
>
> Interesting info. Perhaps it is time to _change_ the clamav wrapper and start
> using clamdscan, why? two reasons:
>

But that's the point of using clamavmodule, you don't rely on clamdscan. It just talks straight to the libraries and doesn't depend on squirting the message down a socket. That's the whole point of clamavmodule, you don't have to depend on a daemon. What happens when the daemon dies for some unknown reason? You lose your mail transport. Clamavmodule doesn't suffer this problem. That's partially why I wrote it.

> 1. To handle high loads, like Res' experience shows. Some actual experience
> with clamdscan would be useful; it is designed for situations like the ones
> where MS works (perhaps this is the 3rd reason).
>
> 2. To use when there are no alternatives, f-prot is good for Linux servers but
> what is available for Solaris/BSD/OS-X/etc. ?
>

Jules

From listacct at tulsaconnect.com Sat Oct 28 16:50:08 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Sat Oct 28 16:50:08 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
In-Reply-To: <454375CD.5050101@ecs.soton.ac.uk>
References: <45422F1A.7080203@tulsaconnect.com> <454375CD.5050101@ecs.soton.ac.uk>
Message-ID: <45437C30.1090302@tulsaconnect.com>

Julian Field wrote:
> Are you sure you only have 1 Perl installed?
>

Yep, positive. Perl 5.8.8 (with threading turned on) built from ports. When I installed the OS (FreeBSD 6.x) it didn't even have Perl installed.

$ find / -type f -name perl
/usr/local/bin/perl

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From listacct at tulsaconnect.com Sat Oct 28 16:56:12 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Sat Oct 28 16:56:11 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
In-Reply-To: <454379B1.8040404@ecs.soton.ac.uk>
References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk>
Message-ID: <45437D9C.4060703@tulsaconnect.com>

Julian Field wrote:
> I personally wouldn't recommend hundreds of messages per batch, the
> process sizes will get enormous. I would recommend clamavmodule as it
> avoids the startup cost of running the binary.

FWIW we do 50 per batch and clamscan (tested both 0.88.4 and 0.88.5) falls over under the load quite quickly, whereas f-prot on the same box runs without a hiccup.

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From MailScanner at ecs.soton.ac.uk Sat Oct 28 17:59:28 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Oct 28 17:59:53 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
In-Reply-To: <45437D9C.4060703@tulsaconnect.com>
References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> <45437D9C.4060703@tulsaconnect.com>
Message-ID: <45438C70.9000208@ecs.soton.ac.uk>

TCIS List Acct wrote:
>
> Julian Field wrote:
>
>> I personally wouldn't recommend hundreds of messages per batch, the
>> process sizes will get enormous. I would recommend clamavmodule as it
>> avoids the startup cost of running the binary.
>
> FWIW we do 50 per batch and clamscan (tested both 0.88.4 and 0.88.5)
> falls over under the load quite quickly, whereas f-prot on the same
> box runs without a hiccup.
>

Define 'falls over'. Is it running out of memory? 50 per batch is quite large. How many CPU cores do you have and how much RAM, and how much swap?

Jules

From listacct at tulsaconnect.com Sat Oct 28 20:24:20 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Sat Oct 28 20:24:27 2006
Subject: MS 4.55.9 not detecting Mail::ClamAV
In-Reply-To: <45438C70.9000208@ecs.soton.ac.uk>
References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> <45437D9C.4060703@tulsaconnect.com> <45438C70.9000208@ecs.soton.ac.uk>
Message-ID: <4543AE64.4030407@tulsaconnect.com>

Julian Field wrote:
> Define 'falls over'. Is it running out of memory? 50 per batch is quite
> large. How many CPU cores do you have and how much RAM, and how much swap?
>

Dell 1950, 2 x 2.00GHz "Woodcrest" 5130 Xeons with 2 cores (so 4 cores total), 8GB RAM, 8GB swap (I have four of these boxes doing our scanning, load balanced).

The problem is the clamscan processes take so long to finish scanning that the queue starts to pile up. I see about 10-15 clamscan processes running using fairly low amounts of CPU (even though there is free CPU to use). I've changed the batch size back to 30 to see if that makes any difference, but so far it seems identical to the behavior I've seen in the past.

After about 5 mins of running, I see:

 1699 root  1 112  0 26400K 19964K CPU1    3  0:01  3.37% clamscan
 1877 root  1 116  0 12756K  6292K RUN     0  0:00  2.31% clamscan
 1733 root  1 112  0 14908K  8448K CPU2    0  0:00  2.03% clamscan
 2031 root  1 121  0  8656K  2180K RUN     0  0:00  1.88% clamscan
 1804 root  1 -16  0  8656K  2180K wdrain  0  0:00  1.84% clamscan
 1951 root  1 -16  0  8656K  2180K wdrain  0  0:00  1.74% clamscan
 1950 root  1 -16  0  8656K  2180K wdrain  0  0:00  1.74% clamscan
 1908 root  1 -16  0  8656K  2180K wdrain  0  0:00  1.73% clamscan
 1768 root  1 113  0 16068K  9612K CPU3    3  0:00  1.65% clamscan
 1872 root  1 -16  0  8656K  2180K wdrain  0  0:00  1.50% clamscan
 2006 root  1 120  0  8656K  2180K RUN     0  0:00  1.49% clamscan
 1867 root  1 -16  0  8656K  2180K wdrain  3  0:00  0.81% clamscan
 1848 root  1 -16  0  8656K  2180K wdrain  0  0:00  0.76% clamscan

I can't even catch a f-prot process in the process list via top as it runs so fast. I remove "clamav" from the virus scanners list, restart MS, and within 5 mins or so the queue is back to normal levels.

..which is why I was trying to use the Perl ClamAV wrapper thing, but MS doesn't detect it even though it is installed properly..

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From listacct at tulsaconnect.com Sat Oct 28 20:46:48 2006
From: listacct at tulsaconnect.com (TCIS List Acct) Date: Sat Oct 28 20:46:57 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV - fixed In-Reply-To: <45438C70.9000208@ecs.soton.ac.uk> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> <45437D9C.4060703@tulsaconnect.com> <45438C70.9000208@ecs.soton.ac.uk> Message-ID: <4543B3A8.5030600@tulsaconnect.com> Julian Field wrote: > Define 'falls over'. Is it running out of memory? 50 per batch is quite > large. How many CPU cores do you have and how much RAM, and how much swap? > > Jules Ok, I have this one fixed. Apparently installing the Perl module from the packages collection (pre-compiled) doesn't cut it. As I mentioned before, when I tried to install Mail::ClamAV from ports it wouldn't compile (which is why I resorted to a pre-compiled one). I found another guy having the exact same issue, and he posted a solution at: http://www.phunsites.net/wp/2006/09/13/obscure-perl-module-compilation-error/ After following the steps he outlined, I was able to compile Mail::ClamAV and all is well. Now, to see how much this improves the performance.. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From listacct at tulsaconnect.com Sat Oct 28 20:52:56 2006 
From: listacct at tulsaconnect.com (TCIS List Acct) Date: Sat Oct 28 20:52:54 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV - fixed In-Reply-To: <4543B3A8.5030600@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> <45437D9C.4060703@tulsaconnect.com> <45438C70.9000208@ecs.soton.ac.uk> <4543B3A8.5030600@tulsaconnect.com> Message-ID: <4543B518.9030001@tulsaconnect.com> TCIS List Acct wrote: > After following the steps he outlined, I was able to compile > Mail::ClamAV and all is well. Now, to see how much this improves the > performance.. > The performance difference after just a few minutes is _very_ noticeable. It looks like the Mail::ClamAV module solved my performance issue with ClamAV. yay! I'll notify Jan-Peter Koopmann (the port maintainer) about the required fix to get the module to compile. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From binaryflow at gmail.com Sat Oct 28 20:59:56 2006 
From: binaryflow at gmail.com (Douglas Ward) Date: Sat Oct 28 20:59:59 2006 Subject: Postfix greylist.pl not working in version 2.3 Message-ID: I have been running greylist.pl successfully in Postfix 2.2 for a few days now. After upgrading to 2.3 I see the following errors in /var/log/mail/errors: Oct 28 09:00:21 mx postfix/spawn[15280]: fatal: unknown user name: nobody Is there a user list somewhere in postfix 2.3? Am I missing a setup step? I know this is probably a question for the postfix list but since there has been so much postfix discussion on this list I thought I would give it a shot. Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061028/df3f593c/attachment-0001.html From res at ausics.net Sat Oct 28 22:58:24 2006 
From: res at ausics.net (Res) Date: Sat Oct 28 22:58:36 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: <45436A6F.50505@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <4542C839.50103@tulsaconnect.com> <20061028113816.GA10199@doctor.nl2k.ab.ca> <45436A6F.50505@tulsaconnect.com> Message-ID: On Sat, 28 Oct 2006, TCIS List Acct wrote: > > > Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem > wrote: > >> Clamav rock AFAIK. > > Yes, it rocks and then rolls over under heavy load.. :-) hehe, did you ever run both at same time? we did on our secondary mx for a while, f-prot had a better hit rate than clamav. on one of our hosting servers one mth-f#r sent a rootkit, that used with qmail and qmailscan (which quarantines infections) clamav PASSED! manual run on clamscan on it and still passed, manual run of f-prot on it and it detected it, it was that which prompted me to piss off clamav and use f-prot everywhere (and remind me i had one server that i had not yet put mailscanner on lol) The sad thing is, that rootkit had been around for at least 2 years! -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Oct 28 23:07:43 2006 
From: res at ausics.net (Res) Date: Sat Oct 28 23:07:51 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: <454379B1.8040404@ecs.soton.ac.uk> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> Message-ID: On Sat, 28 Oct 2006, Julian Field wrote: > I personally wouldn't recommend hundreds of messages per batch, the > process sizes will get enormous. I would recommend clamavmodule as it > avoids the startup cost of running the binary. >> With the mail loads a few of the servers did, they had to or it'd take an hour or two to get delivered :( but it worked fine grunty HP's with f-prot. The clamavmodule just can't handle it, it used to bail, I never posted here about it because you dont code that module :) It does work OK if you are only doing a few hundred K messages a day, but when the server does millions a day it doesn't. Maybe they corrected what was ever wrong with it now, this is going back, umm late last year or there abouts. but f-prot works great and like they say "if it aint broke don't fsck it" > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Oct 28 23:19:35 2006 
From: res at ausics.net (Res) Date: Sat Oct 28 23:19:43 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> Message-ID: On Sun, 29 Oct 2006, Res wrote: > On Sat, 28 Oct 2006, Julian Field wrote: > >> I personally wouldn't recommend hundreds of messages per batch, the >> process sizes will get enormous. I would recommend clamavmodule as it >> avoids the startup cost of running the binary. >>> > > The clamavmodule just can't handle it, it used to bail, I never posted here > about it because you dont code that module :) It does work OK if you are I stand corrected as per your other post, you did write this module. explains why no one on clamscan list could help back then :P To what level have you tested it to? like, how big of a batch? even with 20 processes, batch of 50 was slow, even 100 would introduce delays, hence why I ran a couple of the boxes at 300 -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From listacct at tulsaconnect.com Sun Oct 29 00:51:13 2006 
From: listacct at tulsaconnect.com (TCIS List Acct) Date: Sun Oct 29 00:51:13 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV In-Reply-To: References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> Message-ID: <4543ECF1.5060503@tulsaconnect.com> Res wrote: > To what level have you tested it to? like, how big of a batch? > even with 20 processes, batch of 50 was slow, even 100 would introduce > delays, hence why I ran a couple of the boxes at 300 I've found similar patterns on my new boxes. On my older hardware (slower), I found 30 per batch was about the right number. Now, on the faster hardware with more child processes (50 or so), it seems like 50-60 per batch is the magic number. I tried 30, but the queue didn't drain as quickly as it does with it at 50. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From MailScanner at ecs.soton.ac.uk Sun Oct 29 12:03:30 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Oct 29 12:03:54 2006
Subject: OT: Bad interpreter
Message-ID: <45449892.2060202@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anyone seen this before?

[root@102546-web1 tmp]# cat tmp.sh
#! /bin/sh

echo This is a test.

[root@102546-web1 tmp]# /tmp/tmp.sh
- -bash: /tmp/tmp.sh: /bin/sh: bad interpreter: Permission denied

Any thoughts?

Thanks!

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFRJiZEfZZRxQVtlQRArGAAKC7VP6L5uW2o5GTbhqHwJySf8oQnwCfYQzA
NLBV2XMeTXIYtixDD6wXvVA=
=S46f
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From raymond at prolocation.net Sun Oct 29 12:08:31 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Sun Oct 29 12:08:31 2006
Subject: OT: Bad interpreter
In-Reply-To: <45449892.2060202@ecs.soton.ac.uk>
References: <45449892.2060202@ecs.soton.ac.uk>
Message-ID:

Hi!

> Anyone seen this before?
>
> [root@102546-web1 tmp]# cat tmp.sh
> #! /bin/sh
>
> echo This is a test.
>
> [root@102546-web1 tmp]# /tmp/tmp.sh
> - -bash: /tmp/tmp.sh: /bin/sh: bad interpreter: Permission denied

Check if /tmp isnt mounted noexec ...

Bye,
Raymond.

From ajcartmell at fonant.com Sun Oct 29 13:33:33 2006
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Sun Oct 29 13:33:37 2006 Subject: OT: Bad interpreter In-Reply-To: <45449892.2060202@ecs.soton.ac.uk> References: <45449892.2060202@ecs.soton.ac.uk> Message-ID: > Anyone seen this before? > > [root@102546-web1 tmp]# cat tmp.sh > #! /bin/sh #!/bin/sh Shouldn't be a space? Anthony -- www.fonant.com - Quality web sites From MailScanner at ecs.soton.ac.uk Sun Oct 29 13:50:50 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Oct 29 13:53:42 2006 Subject: OT: Bad interpreter In-Reply-To: References: <45449892.2060202@ecs.soton.ac.uk> Message-ID: <4544B1BA.2090703@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Raymond Dijkxhoorn wrote: > Hi! > >> Anyone seen this before? >> >> [root@102546-web1 tmp]# cat tmp.sh >> #! /bin/sh >> >> echo This is a test. >> >> [root@102546-web1 tmp]# /tmp/tmp.sh >> - -bash: /tmp/tmp.sh: /bin/sh: bad interpreter: Permission denied > > Check if /tmp isnt mounted noexec ... That was it. I found it 2 minutes after I posted. Why would anyone do that? If you are trying to keep nasty programs out, then surely they'll just use /var/tmp instead. Confused by why this was set this way... thanks anyway, Jules. > > Bye, > Raymond. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFRLJYEfZZRxQVtlQRAk38AJ9I1mpgsvIxpUJa8zmqhtY1Fg039gCgtXY5 BqIVr/2vjl0KNW+s8zZsCHY= =B3nS -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From raymond at prolocation.net Sun Oct 29 15:26:05 2006 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Sun Oct 29 15:26:06 2006 Subject: OT: Bad interpreter In-Reply-To: <4544B1BA.2090703@ecs.soton.ac.uk> References: <45449892.2060202@ecs.soton.ac.uk> <4544B1BA.2090703@ecs.soton.ac.uk> Message-ID: Hi! >>> [root@102546-web1 tmp]# /tmp/tmp.sh >>> - -bash: /tmp/tmp.sh: /bin/sh: bad interpreter: Permission denied >> Check if /tmp isnt mounted noexec ... > That was it. I found it 2 minutes after I posted. Why would anyone do > that? If you are trying to keep nasty programs out, then surely they'll > just use /var/tmp instead. > Confused by why this was set this way... Some do this to have 'protection' ... but somehow people know how to get around this anyway. If you exec a script with perl /tmp/blah it still works. Bye, Raymond. From dhawal at netmagicsolutions.com Sun Oct 29 18:45:03 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Sun Oct 29 18:45:26 2006 Subject: Postfix greylist.pl not working in version 2.3 In-Reply-To: References: Message-ID: <20061030001503.ypggrcys8cog40s8@mail.netmagicsolutions.com> Quoting Douglas Ward : > I have been running greylist.pl successfully in Postfix 2.2 for a few days > now. After upgrading to 2.3 I see the following errors in > /var/log/mail/errors: > > Oct 28 09:00:21 mx postfix/spawn[15280]: fatal: unknown user name: nobody > > Is there a user list somewhere in postfix 2.3? Am I missing a setup step? > I know this is probably a question for the postfix list but since there has > been so much postfix discussion on this list I thought I would give it a > shot. Thanks! Are you running postfix in a chroot? if yes, then compare the passwd file in the chroot with /etc/passwd. A 'postfix check' might provide a clue. - dhawal From lars+lister.mailscanner at adventuras.no Mon Oct 30 01:49:50 2006 
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen) Date: Mon Oct 30 01:52:22 2006 Subject: OT: Bad interpreter In-Reply-To: References: <45449892.2060202@ecs.soton.ac.uk> <4544B1BA.2090703@ecs.soton.ac.uk> Message-ID: <45455A3E.9050709@adventuras.no> Raymond Dijkxhoorn wrote: > Hi! > >>>> [root@102546-web1 tmp]# /tmp/tmp.sh >>>> - -bash: /tmp/tmp.sh: /bin/sh: bad interpreter: Permission denied > >>> Check if /tmp isnt mounted noexec ... > >> That was it. I found it 2 minutes after I posted. Why would anyone do >> that? If you are trying to keep nasty programs out, then surely they'll >> just use /var/tmp instead. >> Confused by why this was set this way... > > Some do this to have 'protection' ... but somehow people know how to get > around this anyway. If you exec a script with perl /tmp/blah it still > works. Once upon a php-weakness, I discovered some new and interesting binaries in /tmp. So I thought that if webserver-writeable directories do not need to be mounted executable, why should they? From raymond at prolocation.net Mon Oct 30 07:49:29 2006 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Mon Oct 30 07:49:30 2006 Subject: OT: Bad interpreter In-Reply-To: <45455A3E.9050709@adventuras.no> References: <45449892.2060202@ecs.soton.ac.uk> <4544B1BA.2090703@ecs.soton.ac.uk> <45455A3E.9050709@adventuras.no> Message-ID: Hi! >>> That was it. I found it 2 minutes after I posted. Why would anyone do >>> that? If you are trying to keep nasty programs out, then surely they'll >>> just use /var/tmp instead. >>> Confused by why this was set this way... >> Some do this to have 'protection' ... but somehow people know how to get >> around this anyway. If you exec a script with perl /tmp/blah it still >> works. > Once upon a php-weakness, > I discovered some new and interesting binaries in /tmp. > So I thought that if webserver-writeable directories does not need to be > mounted executable, why should they? Then i assume you also have it mounted nosuid ? Anyway, this is offtopic i guess here :) Bye, Raymond. From P.G.M.Peters at utwente.nl Mon Oct 30 09:42:15 2006 
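An added example, not part of any message in this thread: a shell check for the point raised above that hardening only /tmp leaves /var/tmp usable, and for the nosuid follow-up. It reads a mounts table in /proc/mounts layout and reports which scratch directories lack noexec, nosuid or nodev; the function names, the directory list (/tmp, /var/tmp, /dev/shm), the nodev check and the sample table are assumptions made for this illustration.

```shell
#!/bin/sh
# Audit the mount options of world-writable scratch directories.
# Limit noted in the thread: noexec blocks direct execution only; a file
# handed to an interpreter ("perl /tmp/blah") still runs.

# mount_opts_for MOUNTS_FILE DIR
# Print the option string of the filesystem holding DIR: the entry whose
# mount point is the longest prefix of DIR. If a mount point is listed
# twice, the later line wins (it was mounted on top of the earlier one).
mount_opts_for() {
    awk -v dir="$2" '
        {
            mp = $2
            if (mp == "/") match_ok = 1
            else match_ok = (dir == mp || index(dir, mp "/") == 1)
            if (match_ok && length(mp) >= best_len) {
                best_len = length(mp)
                best = $4
            }
        }
        END { if (best != "") print best }
    ' "$1"
}

# missing_opts OPTS REQUIRED...
# Print the REQUIRED options that are absent from the comma-separated OPTS.
missing_opts() {
    opts=",$1,"
    shift
    missing=""
    for want in "$@"; do
        case "$opts" in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# audit_tmp_mounts MOUNTS_FILE [DIR...]
# One line per directory: "DIR ok" or "DIR missing: <options>".
# Returns 0 only when every directory carries all three options.
audit_tmp_mounts() {
    mounts=$1
    shift
    [ "$#" -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    rc=0
    for dir in "$@"; do
        found=$(mount_opts_for "$mounts" "$dir")
        miss=$(missing_opts "$found" noexec nosuid nodev)
        if [ -z "$miss" ]; then
            echo "$dir ok"
        else
            echo "$dir missing: $miss"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample in /proc/mounts layout (not taken from the thread):
# /tmp is hardened, /var/tmp sits on the /var filesystem, /dev/shm is default.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,nosuid 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF
}

# With arguments: audit a real table, e.g.  sh audit.sh /proc/mounts
# Without arguments: show the result for the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_tmp_mounts "$@"
else
    demo=$(mktemp)
    sample_mounts > "$demo"
    audit_tmp_mounts "$demo" || true
    rm -f "$demo"
fi
```

On the sample table the check passes /tmp and flags /var/tmp and /dev/shm, which is the gap described in the thread.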
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Mon Oct 30 09:42:22 2006 Subject: Sync config files In-Reply-To: References: Message-ID: <4545C8F7.5010203@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Roald wrote on 25-10-2006 17:29: > As I am now setting up the third MailScanner-server, I was wondering > what you use to sync the config files? /etc/MailScanner and /etc/mail > are very similar and previously I have been ssh'ing to both servers and > making the changes when adding new domains etc. But now I would like to > sync them. rsync are one alternative, any better? I have looked at > cfengine, but it seems a bit overkill for my task. I use a Makefile that SCP's the changed files to the other servers. MailScanner configuration files aren't different from one system to the other. But if I need to run some scripts I just SSH those scripts. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFRcj3elLo80lrIdIRAv9UAKCM0SyldX2f/x2+eW9uQ9wh8issTgCbB1jT ARHeu/UigJ21fmA1aVwLlK4= =oHPd -----END PGP SIGNATURE----- From res at ausics.net Mon Oct 30 11:19:06 2006 
From: res at ausics.net (Res) Date: Mon Oct 30 11:19:17 2006 Subject: F-Prot integration into mailscanner In-Reply-To: References: Message-ID: On Mon, 30 Oct 2006, Sven De Troch wrote: >> Oct 29 14:06:50 mailscanner sendmail[22787]: k9TD6n0a022787: >> SYSERR(root): savemail: cannot save rejected email anywhere > Apparently this problem occurs as well with the BitDefender antivirus, > so there must be something wrong with my MailScanner of the security > on one of the dirs. do you have the postmaster alias? to make sure it's ok run: sendmail -v -Am postmaster < /etc/services > > > > Can anyone assist? > Thanks! > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From Dominique.Marant at univ-lille1.fr Mon Oct 30 13:02:52 2006 
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Mon Oct 30 13:01:28 2006
Subject: FuzzyOcr Unexpected error only with MailScanner
In-Reply-To: <453E2BD5.90806@univ-lille1.fr>
References: <01d701c6f2db$16346550$3701a8c0@lapxp> <223f97700610190052u75fd336awd59adf240a394091@mail.gmail.com> <223f97700610190122j133f725eh6c6f7b89199e65cb@mail.gmail.com> <223f97700610190142t4ab45b73jde8ee731e902280e@mail.gmail.com> <223f97700610190157s7f0bfb6fua56e6371bfe3510d@mail.gmail.com> <223f97700610190209t2db0c1e5jf37291839bbcd828@mail.gmail.com> <223f97700610191058l735cb404p2debc2da1556a350@mail.gmail.com> <453E2BD5.90806@univ-lille1.fr>
Message-ID: <4545F7FC.5050907@univ-lille1.fr>

I sent my problem FuzzyOcr in the devel-spam list. It seems that FuzzyOcr fails because MailScanner truncates emails for spamassassin.

How to configure MailScanner for the best compromise ? Perhaps it would be interesting to create a new variable "Max SpamAssassin OCR Size" for size of inserted or attached images ?

What do you think of it ?

Dominique

Dominique Marant wrote:
> Yes, I'm using MailScanner

Mailscanner truncates emails which exceed a given size specified in their config. They also truncate inside attachments, leading to "half" images, which are to be considered as corrupt. jpegtopnm cannot handle these and will fail. This is not a problem of FuzzyOcr but MailScanner's.

Best regards,
Chris

> regards Dom
>
> decoder wrote:
> Dominique Marant wrote:
>>>> I use FuzzyOcr with SA 3.1.7
>>>>
>>>> In FuzzyOcr.log, I have a lot of error messages like :
>>>>
>>>> [2006-10-30 08:54:30] Unexpected error in pipe to external
>>>> programs. Please check that all helper programs are installed
>>>> and in the correct path. (Pipe Command "/usr/bin/jpegtopnm",
>>>> Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin18742sUMUDptmp")
>>>>
>>>> How to fix this problem ?
> Are you using third party applications such as mailscanner?
>
> Best regards,
>
> Chris
>>>> Regards, Dom

______________

Another reply :
---------------------------------------
> looks like Mailscanner is the issue (according to decoder's mail). Amavis
> works perfect, maybe you could consider it.
>
> rgds,
> Joseph
---------------------------------------

Dominique Marant wrote:
> Hello
>
> I installed FuzzyOcr (debian / MailScanner / Spamassassin)
>
> It seems to be running :
> for example :
> ... is polluriel, SpamAssassin (not cached, score=19.202, requis 7,
> autolearn=disabled, FUZZY_OCR 14.00, HTML_10_20 0.94,
> HTML_IMAGE_ONLY_28 1.01, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00,
> RCVD_IN_SORBS_DUL 1.99, RCVD_NUMERIC_HELO 1.25)
>
> But in FuzzyOcr.log, I see :
>
> # more FuzzyOcr.log
> [2006-10-24 16:36:42] Unexpected error in pipe to external programs.
> Please check that all helper programs are
> installed and in the correct path.
> (Pipe Command "/usr/bin/jpegtopnm", Pipe exit
> code 2 (""), Temporary file: "/tmp/.spamassassin2537050jAY2tmp")
> [2006-10-24 16:37:47] Unexpected error in pipe to external programs.
> Please check that all helper programs are
> installed and in the correct path.
> (Pipe Command "/usr/bin/jpegtopnm", Pipe exit
> code 2 (""), Temporary file: "/tmp/.spamassassin25926yhpqsstmp")
> [2006-10-24 16:41:32] FuzzyOcr received timeout after running "10"
> seconds.
> [2006-10-24 16:42:33] Unexpected error in pipe to external programs.
> Please check that all helper programs are
> installed and in the correct path.
> (Pipe Command "/usr/bin/jpegtopnm", Pipe exit
> code 2 (""), Temporary file: "/tmp/.spamassassin28372mzT0dZtmp")
> ...
>
> Could you help me ?
>
> Many thanks in advance
> Dominique

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061030/9d7ffdd6/attachment.html From listacct at tulsaconnect.com Mon Oct 30 14:26:51 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Mon Oct 30 14:27:00 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV - fixed, but still too slow In-Reply-To: <4543B518.9030001@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> <45437D9C.4060703@tulsaconnect.com> <45438C70.9000208@ecs.soton.ac.uk> <4543B3A8.5030600@tulsaconnect.com> <4543B518.9030001@tulsaconnect.com> Message-ID: <45460BAB.8030103@tulsaconnect.com> TCIS List Acct wrote: > The performance difference after just a few minutes is _very_ > noticeable. It looks like the Mail::ClamAV module solved my performance > issue with ClamAV. yay! > > I'll notify Jan-Peter Koopmann (the port maintainer) about the required > fix to get the module to compile. > I guess I spoke too soon. Even using the clamavmodule, ClamAV simply can't keep up with the load on my boxes. I tried disabling f-prot and using just clamavmodule, but over time the queue starts to pile up much more noticeably than when I just have f-prot running. Oh well. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From mkettler at evi-inc.com Mon Oct 30 16:34:04 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 30 16:34:25 2006 Subject: Spam Detection Around 55% In-Reply-To: <4543780C.5010302@ecs.soton.ac.uk> References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> Message-ID: <4546297C.5080502@evi-inc.com> Julian Field wrote: >>> The existing file assumes: >>> >>> you have DCC and pyzor installed, and have enabled their plugins >>> you don't use NFS, so flock is safe >>> you have working DNS (likely, but not always true) >>> you don't want to use the AWL. >>> >>> The last 3 are probably safe for 99% of sites, but the NFS bit could really bite >>> someone in the butt. >>> > I set them to sensible values that will be correct for 99% of my users, > particularly the less knowledgeable ones. I don't know anyone who runs a > mail server with no dns, it would make lots of things rather hard. If > you run a mail server with no dns successfully, you probably know enough > to be able to tweak 1 config file. > > You are quite entitled to your opinions, and you are quite entitled to > edit the config files too. They aren't rules, they are just a starting > point for your own edits. > > I'm not going to get into an argument over this, it's a straight > difference of opinion. You have your view, I have mine. Let's just agree > to disagree. I will readily agree to disagree on the DNS and AWL ones. It's purely an opinion matter. The NFS one, well.. fine, call it an opinion matter. But don't claim you're doing it because you want to make things easier for the less knowledgeable. You're doing it to get better performance for 99.9% of setups, and considering the NFS users to be experts. You're willing to accept the trade of screwing over a less knowledgeable person who inherits a NFS setup. Which is fine by me, but let's be realistic. This is a performance tweak, not a ease-of-use tweak. That said, I will ask you to consider commenting out the DCC statements. 
By default, straight out of the box, SA 3.1.x doesn't support this command because the DCC plugin isn't loaded by default. Therefore this causes parse errors, and doesn't belong. Which is of course, what triggered my reply in the first place. The dcc_path statement was causing parse errors. That's bad. It breaks RDJ. From mrm at medicine.wisc.edu Mon Oct 30 16:39:11 2006 From: mrm at medicine.wisc.edu (Michael Masse) Date: Mon Oct 30 16:39:42 2006 Subject: dcc logs In-Reply-To: References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <4545D649.7FBE.00FC.3@medicine.wisc.edu> >>> On 10/27/2006 at 5:56 PM, in message , Ugo Bellavance wrote: > Michael Masse wrote: >> I see that the /var/dcc/log folder on my mailscanner machine is getting >> to be rather large. Do I need to keep these log files around for >> anything, or can I clean them out? >> >> Mike >> > > Look in /var/dcc/dcc_conf for this line: > > DBCLEAN_LOGDAYS= > > I set it a two (you may set it lower). > > And make sure you run the cronjob that comes with dcc. > > /var/dcc/libexec/cron-dccd Thanks for this. Mine was set to 14 days and it was definitely purging files older than 14 days old, but 14 days worth was still a gig of data. I've set it to two days now and it sits around 75 megs now which I can live with a little easier. Mike From mkettler at evi-inc.com Mon Oct 30 16:47:20 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Oct 30 16:47:37 2006 Subject: RBL List selection In-Reply-To: <4541CC68.5030601@hostalia.com> References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> <454124BC.3010304@fsl.com> <4541BFB7.5030403@hostalia.com> <02ae01c6f9a1$a13dca70$0a02a8c0@Gordon> <4541CC68.5030601@hostalia.com> Message-ID: <45462C98.8020406@evi-inc.com> > > Now, reviewing this, I've in MTA sbl.spamhaus.org but I've a few > messages with RCVD_IN_SBL (not scored to 0 in spam.assassin.prefs.conf): > > Oct 27 09:40:18 relay MailScanner[9474]: Message 6F6916E16C3.98A09 from > 83.11.59.37 (bdtelepolissro@telepolis.com) to xxxxxx.com is spam, > SpamAssassin (no almacenado, puntaje=31.359, requerido 6, BAYES_99 2.00, > FORGED_RCVD_HELO 0.14, RAZOR2_CF_RANGE_51_100 0.50, > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 4.00, RCVD_IN_NJABL_DUL > 1.95, RCVD_IN_SBL 3.16, RELAYCOUNTRY_ES -0.20, URIBL_AB_SURBL 3.81, > URIBL_BLACK 3.00, URIBL_JP_SURBL 4.00, URIBL_OB_SURBL 3.01, > URIBL_SC_SURBL 4.50) > > As I've said, RCVD_IN_SBL only appears on 9 messages...and the IPs are > not listed: > > http://www.spamhaus.org/query/bl?ip=83.11.59.37 What about all the other IPs in the message? SA checks them all. From hmkash at arl.army.mil Mon Oct 30 17:26:48 2006 
From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Mon Oct 30 17:27:01 2006 Subject: FuzzyOcr Unexpected error only with MailScanner Message-ID: <229A346E44379140A59A48951B56E0C00260CE64@ARLABML01.DS.ARL.ARMY.MIL> Versions 4.56 and 4.57 (beta) have changes to address this. 4.56 extends the "Max SpamAssassin Size" option, and 4.57 adds a new "Max Spam Check Size" option. See MailScanner.conf for details. Beware, there is a bug in the 4.57 version that causes it to not properly detect silent viruses if you have "Max Spam Check Size" set too low. As far as I know, it hasn't been fixed yet. It properly stops the virus, but sends a stripped message to the recipient anyway. Howard ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dominique Marant Sent: Monday, October 30, 2006 8:03 AM To: MailScanner discussion Subject: FuzzyOcr Unexpected error only with MailScanner I sent my problem FuzzyOcr in the devel-spam list. It seems that FuzzyOcr fails because MailScanner truncates emails for spamassassin. How to configure MailScanner for the best compromise ? Perhaps it would be interesting to create a new variable "Max SpamAssassin OCR Size" for size of inserted or attached images ? What do you think of it ? Dominique Dominique Marant wrote: > Yes, I'm using MailScanner Mailscanner truncates emails which exceed a given size specified in their config. They also truncate inside attachments, leading to "half" images, which are to be considered as corrupt. jpegtopnm cannot handle these and will fail. This is not a problem of FuzzyOcr but MailScanner's. Best regards, Chris > > regards Dom > > > decoder wrote: > > Dominique Marant wrote: > >>>> I use FuzzyOcr with SA 3.1.7 >>>> >>>> In FuzzyOcr.log, I have a lot of error messages like : >>>> >>>> [2006-10-30 08:54:30] Unexpected error in pipe to external >>>> programs. Please check that all helper programs are installed >>>> and in the correct path. (Pipe Command "/usr/bin/jpegtopnm", >>>> Pipe > exit code >>>> 2 (""), Temporary file: "/tmp/.spamassassin18742sUMUDptmp") >>>> >>>> How to fix this problem ? >>>> > Are you using third party applications such as mailscanner? > > Best regards, > > Chris > > >>>> Regards, Dom >>>> >>>> ______________ Another reply : --------------------------------------- looks like Mailscanner is the issue (according to decoder's mail). Amavis works perfect, maybe you could consider it. rgds, Joseph --------------------------------------- Dominique Marant wrote: Hello I installed FuzzyOcr (debian / MailScanner / Spamassassin) It seems to be running : for example : ... 
is polluriel, SpamAssassin (not cached, score=19.202, requis 7, autolearn=disabled, FUZZY_OCR 14.00, HTML_10_20 0.94, HTML_IMAGE_ONLY_28 1.01, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_IN_SORBS_DUL 1.99, RCVD_NUMERIC_HELO 1.25) But in FuzzyOcr.log, I see : # more FuzzyOcr.log [2006-10-24 16:36:42] Unexpected error in pipe to external programs. Please check that all helper programs are installed and in the correct path. (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin2537050jAY2tmp") [2006-10-24 16:37:47] Unexpected error in pipe to external programs. Please check that all helper programs are installed and in the correct path. (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin25926yhpqsstmp") [2006-10-24 16:41:32] FuzzyOcr received timeout after running "10" seconds. [2006-10-24 16:42:33] Unexpected error in pipe to external programs. Please check that all helper programs are installed and in the correct path. (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin28372mzT0dZtmp") ... Could you help me ? Many thanks in advance Dominique From hmkash at arl.army.mil Mon Oct 30 17:35:23 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Mon Oct 30 17:37:26 2006 Subject: MailScanner 4.57 Message-ID: <229A346E44379140A59A48951B56E0C00260CE65@ARLABML01.DS.ARL.ARMY.MIL> > So far so good on my system. > Anyone else using this? Working great here except for: http://lists.mailscanner.info/pipermail/mailscanner/2006-October/066251. html http://lists.mailscanner.info/pipermail/mailscanner/2006-October/066261. html Had to set "Max Spam Check Size" to a large enough value (350K) to prevent the no-longer-silent Bagle messages from coming thru. Howard From me at falz.net Mon Oct 30 18:29:24 2006 
From: me at falz.net (falz) Date: Mon Oct 30 18:29:28 2006 Subject: Mailscanner- Quarantine to SQL DB instead of Filesystem? Message-ID: I'm curious if anyone's written a patch, or knows of a trick to quarantine a message to a SQL db INSTEAD OF a filesystem path. This is in conjunction with Mailwatch, which would obviously have to be patched to view this correctly. The reason for this is so that I can have multiple Mailscanner servers with RRDNS or balanced with same weight MX records and have the Mailwatch web interface and SQL database all be separate. Any suggestions? --falz From vosburgh at dalsemi.com Mon Oct 30 18:35:53 2006 
From: vosburgh at dalsemi.com (David Vosburgh) Date: Mon Oct 30 18:36:21 2006 Subject: two messages repeatedly processed Message-ID: <45464609.4010208@dalsemi.com> I have three inbound mail servers with equal weighted MX values, all running MS/SA/DCC/Razor/RDJ/milter-greylist/ImageInfo on CentOS 4.4 using sendmail 8.13. The last of these three servers was upgraded about 30 days ago, and all have been running great since then. After getting in this morning (but prior to coffee), I checked out the Vispan web page on each server and noticed that one server had stats much different than the others. To make a long story shorter, there were two messages in mqueue.in that appear to have been processed 1651 and 548 times (but not delivered) during a three hour stretch until I moved them out of the inbound queue. Here's what was showing up in the maillog for one of the messages: Oct 30 06:49:27 xxxxxxx milter-greylist: k9UCnMVr023712: addr 209.151.239.125 from rcpt : autowhitelisted for more 768:00:00 Oct 30 06:49:28 xxxxxxx sendmail[23712]: k9UCnMVr023712: from=, size=5206, class=0, nrcpts=1, msgid=<20061030125050.22896.qmail@bounce.devicelink.com>, proto=SMTP, daemon=MTA, relay=aaa.bbb.com [lll.mmm.nnn.ppp] Oct 30 06:49:28 xxxxxxxx sendmail[23712]: k9UCnMVr023712: Milter add: header: X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-2.0.2 (xxxxxxxx.dalsemi.com [aaa.bbb.ccc.ddd]); Mon, 30 Oct 2006 06:49:28 -0600 (CST) Oct 30 06:49:28 xxxxxxx sendmail[23712]: k9UCnMVr023712: to=, delay=00:00:01, mailer=smtp, pri=35206, stat=queued Oct 30 06:49:45 xxxxxxxx MailScanner[23751]: Content Checks: Detected and have disarmed web bug tags in HTML message in k9UCnMVr023712 from xxx@yyy.zzz.com Oct 30 06:49:50 xxxxxxxx MailScanner[23790]: SpamAssassin cache hit for message k9UCnMVr023712 Oct 30 06:49:56 xxxxxxxx MailScanner[23790]: Content Checks: Detected and have disarmed web bug tags in HTML message in k9UCnMVr023712 from xxx@yyy.zzz.com Oct 30 
06:49:57 carlsbad MailScanner[23856]: SpamAssassin cache hit for message k9UCnMVr023712 Oct 30 06:50:01 carlsbad MailScanner[23856]: Content Checks: Detected and have disarmed web bug tags in HTML message in k9UCnMVr023712 from xxx@yyy.zzz.com After about 30 minutes of this, it changed to (caused by SA cache purge?): Oct 30 07:19:47 xxxxxxxx MailScanner[412]: Content Checks: Detected and have disarmed web bug tags in HTML message in k9UCnMVr023712 from xxx@yyy.zzz.com Oct 30 07:19:52 xxxxxxxx MailScanner[365]: Message k9UCnMVr023712 from 209.151.239.125 (xxx@yyy.zzz.com) to dalsemi.com is spam, SpamAssassin (not cached, score=4.354, required 4, AWL -0.36, BAYES_20 -0.74, EXCUSE_REMOVE 0.11, HTML_IMAGE_ONLY_28 1.90, HTML_IMAGE_RATIO_02 0.46, HTML_MESSAGE 0.00, HTML_TITLE_UNTITLED 0.51, MAILTO_TO_REMOVE 0.38, SARE_HEAD_HDR_XBBOUNC 0.88, SARE_UNSUB24 1.21) Oct 30 07:19:52 xxxxxxxx MailScanner[365]: Spam Actions: message k9UCnMVr023712 actions are store,deliver Oct 30 07:19:57 xxxxxxxx MailScanner[365]: Content Checks: Detected and have disarmed web bug tags in HTML message in k9UCnMVr023712 from xxx@yyy.zzz.com Oct 30 07:20:03 xxxxxxxx MailScanner[486]: SpamAssassin cache hit for message k9UCnMVr023712 Oct 30 07:20:03 xxxxxxx MailScanner[486]: Message k9UCnMVr023712 from aaa.bbb.ccc.ddd (xxx@yyy.zzz.com) to dalsemi.com is spam, SpamAssassin (cached, score=4.354, required 4, AWL -0.36, BAYES_20 -0.74, EXCUSE_REMOVE 0.11, HTML_IMAGE_ONLY_28 1.90, HTML_IMAGE_RATIO_02 0.46, HTML_MESSAGE 0.00, HTML_TITLE_UNTITLED 0.51, MAILTO_TO_REMOVE 0.38, SARE_HEAD_HDR_XBBOUNC 0.88, SARE_UNSUB24 1.21) Oct 30 07:20:03 xxxxxxxx MailScanner[486]: Spam Actions: message k9UCnMVr023712 actions are store,deliver Oct 30 07:20:09 xxxxxxxx MailScanner[486]: Content Checks: Detected and have disarmed web bug tags in HTML message in k9UCnMVr023712 from xxx@yyy.zzz.com Oct 30 07:20:10 xxxxxxxx MailScanner[558]: SpamAssassin cache hit for message k9UCnMVr023712 Oct 30 07:20:10 xxxxxxxx 
MailScanner[558]: Message k9UCnMVr023712 from 209.151.239.125 (xxx@yyy.zzz.com) to dalsemi.com is spam, SpamAssassin (cached, score=4.354, required 4, AWL -0.36, BAYES_20 -0.74, EXCUSE_REMOVE 0.11, HTML_IMAGE_ONLY_28 1.90, HTML_IMAGE_RATIO_02 0.46, HTML_MESSAGE 0.00, HTML_TITLE_UNTITLED 0.51, MAILTO_TO_REMOVE 0.38, SARE_HEAD_HDR_XBBOUNC 0.88, SARE_UNSUB24 1.21) Oct 30 07:20:10 xxxxxxxx MailScanner[558]: Spam Actions: message k9UCnMVr023712 actions are store,deliver It proceeded with these messages for several more hours until I moved the message out of the inbound queue. I still have the two message if that helps. Should I just put one of the messages back in the queue and run MS in debug mode to see what's happening? Here's the MailScanner version info: # MailScanner -V Running on Linux xxxx.yyyy.com 2.6.9-42.ELsmp #1 SMP Sat Aug 12 09:39:11 CDT 2006 i686 i686 i386 GNU/Linux This is CentOS release 4.4 (Final) This is Perl version 5.008005 (5.8.5) This is MailScanner version 4.55.10 Module versions are: 1.00 AnyDBM_File 1.14 Archive::Zip 1.03 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.05 Fcntl 2.73 File::Basename 2.08 File::Copy 2.01 FileHandle 1.06 File::Path 0.14 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.54 HTML::Parser 2.37 HTML::TokeParser 1.21 IO 1.10 IO::File 1.123 IO::Pipe 1.71 Mail::Header 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools 0.10 Net::CIDR 1.08 POSIX 1.77 Socket 1.4 Sys::Hostname::Long 0.17 Sys::Syslog 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: 0.17 Convert::TNEF 1.814 DB_File 1.12 DBD::SQLite 1.50 DBI 1.15 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.10 Digest::SHA1 0.44 Inline 0.17 Mail::ClamAV 3.001004 Mail::SpamAssassin 1.999001 Mail::SPF::Query 0.20 Net::CIDR::Lite 1.25 Net::IP 0.57 Net::DNS 0.31 Net::LDAP 1.94 Parse::RecDescent missing SAVI 2.56 Test::Harness 0.47 Test::Simple 1.95 Text::Balanced 1.35 URI From 
binaryflow at gmail.com Mon Oct 30 18:40:30 2006 From: binaryflow at gmail.com (Douglas Ward) Date: Mon Oct 30 18:40:32 2006 Subject: Need to reject null characters Message-ID: I need to configure MailScanner or Spamassassin to reject any e-mails with null characters in them. We are getting null character spams occasionally which fouls up our imap users (checking their mailboxes through squirrelmail). I know that postfix has a handy command for this in 2.3 but cannot upgrade to it (due to a long and tortuous Mandriva 2007 upgrade problem). Is there another way to configure this? If not, could we request it as additional functionality in a future version of MailScanner? Any advice would be most appreciated. Thanks! From mrm at medicine.wisc.edu Mon Oct 30 18:51:04 2006 
From: mrm at medicine.wisc.edu (Michael Masse) Date: Mon Oct 30 18:51:44 2006 Subject: two messages repeatedly processed In-Reply-To: <45464609.4010208@dalsemi.com> References: <45464609.4010208@dalsemi.com> Message-ID: <4545F531.7FBE.00FC.3@medicine.wisc.edu> >>> On 10/30/2006 at 12:35 PM, in message <45464609.4010208@dalsemi.com>, David Vosburgh wrote: > I have three inbound mail servers with equal weighted MX values, all > running MS/SA/DCC/Razor/RDJ/milter-greylist/ImageInfo on CentOS 4.4 > using sendmail 8.13. The last of these three servers was upgraded about > 30 days ago, and all have been running great since then. After getting > in this morning (but prior to coffee), I checked out the Vispan web page > on each server and noticed that one server had stats much different than > the others. To make a long story shorter, there were two messages in > mqueue.in that appear to have been processed 1651 and 548 times (but not > delivered) during a three hour stretch until I moved them out of the > inbound queue. Here's what was showing up in the maillog for one of the > messages: > This happens to me as well. The only thing I've been able to do is run a script to clean out the mqueue.in folder of older files, which keeps the system from processing the same message thousands of times over, but does not address the source of the problem. Mike From glenn.steen at gmail.com Mon Oct 30 19:46:13 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Oct 30 19:46:21 2006 Subject: Need to reject null characters In-Reply-To: References: Message-ID: <223f97700610301146s685c2515q209c9999c936c8b8@mail.gmail.com> On 30/10/06, Douglas Ward wrote: > I need to configure MailScanner or Spamassassin to reject any e-mails > with null characters in them. We are getting null character spams > occasionally which fouls up our imap users (checking their mailboxes > through squirrelmail). I know that postfix has a handy command for > this in 2.3 but cannot upgrade to it (due to a long and tortuous > Mandriva 2007 upgrade problem). Is there another way to configure > this? If not, could we request it as additional functionality in a > future version of MailScanner? Any advice would be most appreciated. > Thanks! What's the problem with the update? Might be able to help (off-list, presumably:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Mon Oct 30 20:00:56 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 30 20:16:38 2006 Subject: two messages repeatedly processed In-Reply-To: <45464609.4010208@dalsemi.com> References: <45464609.4010208@dalsemi.com> Message-ID: David Vosburgh spake the following on 10/30/2006 10:35 AM: > I have three inbound mail servers with equal weighted MX values, all > running MS/SA/DCC/Razor/RDJ/milter-greylist/ImageInfo on CentOS 4.4 > using sendmail 8.13. The last of these three servers was upgraded about > 30 days ago, and all have been running great since then. After getting > in this morning (but prior to coffee), I checked out the Vispan web page > on each server and noticed that one server had stats much different than > the others. To make a long story shorter, there were two messages in > mqueue.in that appear to have been processed 1651 and 548 times (but not > delivered) during a three hour stretch until I moved them out of the > inbound queue. Here's what was showing up in the maillog for one of the > messages: > Are there any thing common to these messages? TNEF? Mimetype? Encoding? Are they overly large than average? I have seen this in messages that failed the TNEF decoder in the past, but any process that chokes on them could be leaving them un-processed. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From vosburgh at dalsemi.com Mon Oct 30 20:50:05 2006 
From: vosburgh at dalsemi.com (David Vosburgh) Date: Mon Oct 30 20:53:19 2006 Subject: two messages repeatedly processed In-Reply-To: References: <45464609.4010208@dalsemi.com> Message-ID: <4546657D.6080100@dalsemi.com> Scott Silva wrote: > David Vosburgh spake the following on 10/30/2006 10:35 AM: > >>I have three inbound mail servers with equal weighted MX values, all >>running MS/SA/DCC/Razor/RDJ/milter-greylist/ImageInfo on CentOS 4.4 >>using sendmail 8.13. The last of these three servers was upgraded about >>30 days ago, and all have been running great since then. After getting >>in this morning (but prior to coffee), I checked out the Vispan web page >>on each server and noticed that one server had stats much different than >>the others. To make a long story shorter, there were two messages in >>mqueue.in that appear to have been processed 1651 and 548 times (but not >>delivered) during a three hour stretch until I moved them out of the >>inbound queue. Here's what was showing up in the maillog for one of the >>messages: >> > > Are there any thing common to these messages? TNEF? Mimetype? Encoding? > Are they overly large than average? > I have seen this in messages that failed the TNEF decoder in the past, but any > process that chokes on them could be leaving them un-processed. > The two messages appear very dissimilar. The one processed 1651 times was about 8kb and was just plain text/HTML, while the other was about 650kb and was TNEF encoded (you may be on to something). 
Here are some of the headers from the TNEF message: H??Content-class: urn:content-classes:message H??MIME-Version: 1.0 H??Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C6FC06.9C7EA78E" H??X-MimeOLE: Produced By Microsoft Exchange V6.5 H??X-MS-Has-Attach: H??X-MS-TNEF-Correlator: And here are the (repeating) maillog entries for it: Oct 30 03:33:46 milter-greylist: k9U9XevM016782: addr 61.204.177.252 from rcpt : autowhitelisted for more 768:00:00 Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: from=, size=662042, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=xxx.yyy.zzz.jp [www.xxx.yyy.zzz] Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: Milter add: header: X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-2.0.2 (xxxxx.dalsemi.com [aaa.bbb.ccc.ddd]); Mon, 30 Oct 2006 03:34:09 -0600 (CST) Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: to=, delay=00:00:23, mailer=smtp, pri=692042, stat=queued Oct 30 03:34:10 MailScanner[14011]: Expanding TNEF archive at /var/spool/MailScanner/incoming/14011/k9U9XevM016782/winmail.dat Oct 30 03:34:10 MailScanner[14011]: Message k9U9XevM016782 added TNEF contents p1,msg-14011-1301.txt Oct 30 03:34:10 MailScanner[14011]: Message k9U9XevM016782 has had TNEF winmail.dat removed Oct 30 03:34:13 MailScanner[16473]: SpamAssassin cache hit for message k9U9XevM016782 Oct 30 03:34:13 MailScanner[16473]: Expanding TNEF archive at /var/spool/MailScanner/incoming/16473/k9U9XevM016782/winmail.dat Oct 30 03:34:13 MailScanner[16473]: Message k9U9XevM016782 added TNEF contents p1,msg-16473-1361.txt Oct 30 03:34:13 MailScanner[16473]: Message k9U9XevM016782 has had TNEF winmail.dat removed Oct 30 03:34:15 MailScanner[17154]: SpamAssassin cache hit for message k9U9XevM016782 Oct 30 03:34:15 MailScanner[17154]: Expanding TNEF archive at /var/spool/MailScanner/incoming/17154/k9U9XevM016782/winmail.dat Oct 30 03:34:15 MailScanner[17154]: Message k9U9XevM016782 added TNEF contents 
p1,msg-17154-961.txt Oct 30 03:34:15 MailScanner[17154]: Message k9U9XevM016782 has had TNEF winmail.dat removed ... -- Dave Vosburgh Sr. Unix System Administrator Dallas Semiconductor vosburgh@dalsemi.com 972-371-4418 "By order of the prophet, we ban that boogie sound." From mailscanner at mango.zw Mon Oct 30 21:22:11 2006 From: mailscanner at mango.zw (Jim Holland) Date: Mon Oct 30 21:21:13 2006 Subject: F-Prot integration into mailscanner In-Reply-To: Message-ID: On Mon, 30 Oct 2006, Sven De Troch wrote: > Date: Mon, 30 Oct 2006 13:57:27 +0100 > From: Sven De Troch > Reply-To: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: Re: F-Prot integration into mailscanner > I do have a postmaster alias, redirected to root, BUT I'm using that > machine as a relay to another mailserver (smarthost). It seems that the > system is not accepting this (since redirecting postmaster to /dev/null > (as a test, I know it's not RFC compliant) is working fine. > > Can someone tell me how to instruct sendmail that it has to deliver > postmaster (or root) mail locally, while having all other mail delivered > to the smarthost? Provided that your machine has its hostname listed in /etc/mail/local-host-names then local mail should be delivered locally. Note that you have to restart sendmail to read the contents of this file. Verify that any references are to "postmaster" or "postmaster@hostname", where "hostname" is the name of the machine itself, and not to postmaster@someotherdomain. If this still doesn't sort it then you would need to provide more details, eg hostnames involved, how you are routing to your smarthost (eg using the SMART_HOST setting in sendmail.mc or using mailertable). Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From lists at thematthewsgroup.com Mon Oct 30 22:08:06 2006 
From: lists at thematthewsgroup.com (Josh Dayberry) Date: Mon Oct 30 22:08:15 2006 Subject: SPF Scans on outgoing mail Message-ID: <007a01c6fc6f$e114e450$7c0fa8c0@Sue> Here is my problem. I have many mobile users of my server. When they send e-mail their e-mail fails the SPF tests and their IP is submitted for RBL tests and things of that sort. However, all users with the ability to send e-mail on my server should not have their e-mail scanned at all. Unfortunately I haven't been able to figure out how to stop MailScanner from scanning e-mail received from users who authenticate. Any ideas would be appreciated. Josh Dayberry josh@thematthewsgroup.com From alex at nkpanama.com Mon Oct 30 22:20:39 2006 
From: alex at nkpanama.com (Alex Neuman) Date: Mon Oct 30 22:21:56 2006 Subject: SPF Scans on outgoing mail In-Reply-To: <007a01c6fc6f$e114e450$7c0fa8c0@Sue> References: <007a01c6fc6f$e114e450$7c0fa8c0@Sue> Message-ID: <45467AB7.3040000@nkpanama.com> Josh Dayberry wrote: > > Here is my problem. I have many mobile users of my server. When they > send e-mail their e-mail fails the SPF tests and their IP is submitted > for RBL tests and things of that sort. However, all users with the > ability to send e-mail on my server should not have their e-mail > scanned at all. Unfortunately I haven't been able to figure out how to > stop MailScanner from scanning e-mail received from users who > authenticate. Any ideas would be appreciated. > > Josh Dayberry > > josh@thematthewsgroup.com > The mobile users aren't using your server; they're using someone else's server to send out e-mail that should be going out of your server. Your SPF record is showing the following: "v=spf1 a mx -all" Which means only your MX's are allowed to send mail out as thematthewsgroup.com; if your users are *actually* connecting to your server, and they're authenticating themselves properly (not using POP-before-SMTP but *actual* SMTP AUTH), then your SPF checks should work, in theory. All of mine do. What are you using for SPF? In the meantime you can add "~all" instead of "-all" to mitigate (not eliminate) the problem while you find out what's wrong. From ssilva at sgvwater.com Mon Oct 30 22:24:10 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 30 22:30:17 2006 Subject: two messages repeatedly processed In-Reply-To: <4546657D.6080100@dalsemi.com> References: <45464609.4010208@dalsemi.com> <4546657D.6080100@dalsemi.com> Message-ID: David Vosburgh spake the following on 10/30/2006 12:50 PM: > Scott Silva wrote: >> David Vosburgh spake the following on 10/30/2006 10:35 AM: >> >>> I have three inbound mail servers with equal weighted MX values, all >>> running MS/SA/DCC/Razor/RDJ/milter-greylist/ImageInfo on CentOS 4.4 >>> using sendmail 8.13. The last of these three servers was upgraded about >>> 30 days ago, and all have been running great since then. After getting >>> in this morning (but prior to coffee), I checked out the Vispan web page >>> on each server and noticed that one server had stats much different than >>> the others. To make a long story shorter, there were two messages in >>> mqueue.in that appear to have been processed 1651 and 548 times (but not >>> delivered) during a three hour stretch until I moved them out of the >>> inbound queue. Here's what was showing up in the maillog for one of the >>> messages: >>> >> >> Are there any thing common to these messages? TNEF? Mimetype? Encoding? >> Are they overly large than average? >> I have seen this in messages that failed the TNEF decoder in the past, >> but any >> process that chokes on them could be leaving them un-processed. >> > The two messages appear very dissimilar. The one processed 1651 times > was about 8kb and was just plain text/HTML, while the other was about > 650kb and was TNEF encoded (you may be on to something). 
Here are some > of the headers from the TNEF message: > > H??Content-class: urn:content-classes:message > H??MIME-Version: 1.0 > H??Content-Type: multipart/mixed; > boundary="----_=_NextPart_001_01C6FC06.9C7EA78E" > H??X-MimeOLE: Produced By Microsoft Exchange V6.5 > H??X-MS-Has-Attach: > H??X-MS-TNEF-Correlator: > > > And here are the (repeating) maillog entries for it: > > Oct 30 03:33:46 milter-greylist: k9U9XevM016782: addr 61.204.177.252 > from rcpt : autowhitelisted for more > 768:00:00 > Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: from=, > size=662042, class=0, nrcpts=1, > msgid=, > proto=SMTP, daemon=MTA, relay=xxx.yyy.zzz.jp [www.xxx.yyy.zzz] > Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: Milter add: header: > X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by > milter-greylist-2.0.2 (xxxxx.dalsemi.com [aaa.bbb.ccc.ddd]); > Mon, 30 Oct 2006 03:34:09 -0600 (CST) > Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: to=, > delay=00:00:23, mailer=smtp, pri=692042, stat=queued > Oct 30 03:34:10 MailScanner[14011]: Expanding TNEF archive at > /var/spool/MailScanner/incoming/14011/k9U9XevM016782/winmail.dat > Oct 30 03:34:10 MailScanner[14011]: Message k9U9XevM016782 added TNEF > contents p1,msg-14011-1301.txt > Oct 30 03:34:10 MailScanner[14011]: Message k9U9XevM016782 has had TNEF > winmail.dat removed > Oct 30 03:34:13 MailScanner[16473]: SpamAssassin cache hit for message > k9U9XevM016782 > Oct 30 03:34:13 MailScanner[16473]: Expanding TNEF archive at > /var/spool/MailScanner/incoming/16473/k9U9XevM016782/winmail.dat > Oct 30 03:34:13 MailScanner[16473]: Message k9U9XevM016782 added TNEF > contents p1,msg-16473-1361.txt > Oct 30 03:34:13 MailScanner[16473]: Message k9U9XevM016782 has had TNEF > winmail.dat removed > Oct 30 03:34:15 MailScanner[17154]: SpamAssassin cache hit for message > k9U9XevM016782 > Oct 30 03:34:15 MailScanner[17154]: Expanding TNEF archive at > /var/spool/MailScanner/incoming/17154/k9U9XevM016782/winmail.dat > 
Oct 30 03:34:15 MailScanner[17154]: Message k9U9XevM016782 added TNEF > contents p1,msg-17154-961.txt > Oct 30 03:34:15 MailScanner[17154]: Message k9U9XevM016782 has had TNEF > winmail.dat removed > ... > You could try and use the opposite TNEF decoder from what you are using now (internal vs. external). I haven't had a problem for quite some time, but I am pretty sure there was some bad mojo between the mime-tools I had at the time and the TNEF decoder. This was back on Redhat 9 more than a year ago, so my memory on the subject is fading. With only 2 failures, it seems to rule out a locking problem. Looking at the log snippets, it seems to be choking at the point of replacing the winmail.dat with the extracted contents. Maybe you could play with those settings in mailscanner. Keep those messages just in case Julian wants to see them. Unless it is privileged comm's. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From alex at nkpanama.com Mon Oct 30 22:30:20 2006 
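The repeated pickup described in the "two messages repeatedly processed" thread shows up in the maillog as one queue ID being handled by many different MailScanner child PIDs. The Python sketch below is an added example, not part of any message on the list or of MailScanner itself; it flags such queue IDs in a constructed log sample modelled on the excerpts above, and the queue-ID pattern and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Syslog line written by a MailScanner child. The hostname is optional because
# some of the excerpts quoted in the thread have it stripped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>\S+)\s+)?MailScanner\[(?P<pid>\d+)\]:\s+(?P<text>.*)$"
)
# Assumption: queue IDs look like the ones quoted in the thread, i.e. eight
# alphanumerics followed by a six-digit process id (k9UCnMVr023712).
QID_RE = re.compile(r"\b[0-9A-Za-z]{8}\d{6}\b")

# Constructed sample, modelled on the log format in the thread.
SAMPLE_LOG = """\
Oct 30 06:49:28 mx1 sendmail[23712]: k9UCnMVr023712: to=<user@example.com>, delay=00:00:01, mailer=smtp, pri=35206, stat=queued
Oct 30 06:49:45 mx1 MailScanner[23751]: Content Checks: Detected and have disarmed web bug tags in HTML message in k9UCnMVr023712 from sender@example.net
Oct 30 06:49:50 mx1 MailScanner[23790]: SpamAssassin cache hit for message k9UCnMVr023712
Oct 30 06:49:57 mx1 MailScanner[23856]: SpamAssassin cache hit for message k9UCnMVr023712
Oct 30 06:50:02 mx1 MailScanner[23856]: Spam Actions: message k9UCnMVr023712 actions are store,deliver
Oct 30 06:50:05 MailScanner[23856]: Expanding TNEF archive at /var/spool/MailScanner/incoming/23856/k9U9XevM016782/winmail.dat
Oct 30 06:50:07 MailScanner[23901]: Expanding TNEF archive at /var/spool/MailScanner/incoming/23901/k9U9XevM016782/winmail.dat
Oct 30 06:50:09 mx1 MailScanner[23901]: SpamAssassin cache hit for message k9UAbCdE000123
"""


def find_reprocessed(lines, min_children=2):
    """Return {queue_id: summary} for messages seen by >= min_children PIDs.

    A message is normally taken from the inbound queue by one child and then
    leaves the queue, so the same ID under several PIDs means it was picked
    up again (or by two children at once).
    """
    seen = defaultdict(
        lambda: {"pids": [], "first": None, "last": None, "events": 0}
    )
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # sendmail, milter-greylist and other daemons
        for qid in set(QID_RE.findall(m.group("text"))):
            rec = seen[qid]
            if m.group("pid") not in rec["pids"]:
                rec["pids"].append(m.group("pid"))
            rec["first"] = rec["first"] or m.group("ts")
            rec["last"] = m.group("ts")
            rec["events"] += 1
    return {q: r for q, r in seen.items() if len(r["pids"]) >= min_children}


if __name__ == "__main__":
    for qid, rec in find_reprocessed(SAMPLE_LOG.splitlines()).items():
        print(f"{qid}: {len(rec['pids'])} children ({', '.join(rec['pids'])}), "
              f"{rec['events']} log lines, {rec['first']} to {rec['last']}")
```

Run from cron against the live maillog, the output gives the queue IDs to pull out of mqueue.in for inspection instead of deleting old files blindly.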
From: alex at nkpanama.com (Alex Neuman) Date: Mon Oct 30 22:33:21 2006 Subject: SPF Scans on outgoing mail In-Reply-To: <007a01c6fc6f$e114e450$7c0fa8c0@Sue> References: <007a01c6fc6f$e114e450$7c0fa8c0@Sue> Message-ID: <45467CFC.8090906@nkpanama.com> Josh Dayberry wrote: > > Here is my problem. I have many mobile users of my server. When they > send e-mail their e-mail fails the SPF tests and their IP is submitted > for RBL tests and things of that sort. However, all users with the > ability to send e-mail on my server should not have their e-mail > scanned at all. Unfortunately I haven't been able to figure out how to > stop MailScanner from scanning e-mail received from users who > authenticate. Any ideas would be appreciated. > > Josh Dayberry > > josh@thematthewsgroup.com > I was just looking at your headers a bit more closely. MailScanner says (SpamAssassin says (SPF Failed)), so it might be a question of your perl's SPF stuff going bad. Is your SpamAssassin updated? Is your Mail::SPF::Query updated? Is Net::DNS, Net::CIDR updated? A broken module might be doing it. Did you try spamassassin -D --lint to check for any issues? From lists at thematthewsgroup.com Mon Oct 30 22:35:59 2006 
From: lists at thematthewsgroup.com (Josh Dayberry) Date: Mon Oct 30 22:35:58 2006 Subject: SPF Scans on outgoing mail In-Reply-To: <45467AB7.3040000@nkpanama.com> Message-ID: <008d01c6fc73$c6008800$7c0fa8c0@Sue> For some reason when someone sends an e-mail (including myself) with smtp auth, the e-mail is scanned, then sent to the recipient, the SPF tests will fail on my server's copy of mailscanner because the e-mail appears to be from the user's computer not the server, but after the e-mail has been delivered to another server, it no longer appears as being sent from only the user's computer so the SPF tests pass. The SPF tests are my primary concern because they are the greatest source of false positives, but ultimately I would rather just not scan e-mails sent from users who have authenticated. Thanks again, Josh Dayberry -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman Sent: Monday, October 30, 2006 5:21 PM To: MailScanner discussion Subject: Re: SPF Scans on outgoing mail Josh Dayberry wrote: > > Here is my problem. I have many mobile users of my server. When they > send e-mail their e-mail fails the SPF tests and their IP is submitted > for RBL tests and things of that sort. However, all users with the > ability to send e-mail on my server should not have their e-mail > scanned at all. Unfortunately I haven't been able to figure out how to > stop MailScanner from scanning e-mail received from users who > authenticate. Any ideas would be appreciated. > > Josh Dayberry > > josh@thematthewsgroup.com > The mobile users aren't using your server; they're using someone else's server to send out e-mail that should be going out of your server. Your SPF record is showing the following: "v=spf1 a mx -all" Which means only your MX's are allowed to send mail out as thematthewsgroup.com; if your users are *actually* connecting to your server, and they're authenticating themselves properly (not using POP-before-SMTP but *actual* SMTP AUTH), then your SPF checks should work, in theory. All of mine do. What are you using for SPF? In the meantime you can add "~all" instead of "-all" to mitigate (not eliminate) the problem while you find out what's wrong. From res at ausics.net Mon Oct 30 22:42:10 2006 
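Added example, not from any poster and not SpamAssassin's or Mail::SPF::Query's code: a small evaluator for the `a`, `mx`, `ip4` and `all` mechanisms, run against constructed DNS data, showing why the record quoted above gives a different SPF result at the submission server (which sees the roaming client's address) than at a downstream receiver, and what changing `-all` to `~all` does. The domain names and addresses are placeholders from the documentation ranges.

```python
import ipaddress

# Constructed DNS data (documentation ranges); not real records.
DNS_A = {
    "example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.10"],
}
DNS_MX = {"example.com": ["mail.example.com"]}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_match(ip, name):
    """True if ip is one of the (constructed) A records of name."""
    return any(ip == ipaddress.ip_address(a) for a in DNS_A.get(name, []))


def spf_check(record, domain, client_ip):
    """Evaluate a subset of SPF: a, mx, ip4 and all, left to right.

    The first mechanism that matches decides the result. Anything outside
    this subset (include, redirect, macros, ...) is reported as permerror
    rather than guessed at.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = _a_match(ip, arg or domain)
        elif mech == "mx":
            hosts = DNS_MX.get(arg or domain, [])
            matched = any(_a_match(ip, host) for host in hosts)
        elif mech == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"


def demo():
    roaming, server = "198.51.100.77", "192.0.2.10"  # laptop vs. the MX itself
    strict, soft = "v=spf1 a mx -all", "v=spf1 a mx ~all"
    return {
        # The submission server checks the connecting client: the laptop.
        "submission hop, -all": spf_check(strict, "example.com", roaming),
        "submission hop, ~all": spf_check(soft, "example.com", roaming),
        # The next server checks the relaying host: the domain's own MX.
        "next hop, -all": spf_check(strict, "example.com", server),
    }


if __name__ == "__main__":
    for hop, result in demo().items():
        print(f"{hop}: {result}")
```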
From: res at ausics.net (Res) Date: Mon Oct 30 22:42:21 2006 Subject: F-Prot integration into mailscanner In-Reply-To: References: Message-ID: On Mon, 30 Oct 2006, Sven De Troch wrote: > On Mon, 30 Oct 2006 13:57:27 +0100, Sven De Troch > wrote: > > >> I do have a postmaster alias, redirected to root, >> BUT I'm using that machine as a relay to another mailserver >> (smarthost). It seems that the system is not accepting this (since >> redirecting postmaster to /dev/null (as a test, I know it's not RFC >> compliant) is working fine. >> >> Can someone tell me how to instruct sendmail that it has to deliver >> postmaster (or root) mail locally, while having all other mail >> delivered to the smarthost? > > And I found it: needed to add the following to sendmail config: > define(`SMART_CLASS_NOT', `mylocaldomain') dnl dont smart these > domains > Sven, I trust this is now all OK? I am surprised that what Jim told you to do did not resolve it, as it should have because Sendmail will never forward to anywhere, any domain listed in the local-host-names file. What does your sendmail.cf file think this is? grep Fw sendmailcf that will show you what your local host file is. Some distros have a good habit of customising way too much, trying to be more like M$ :) > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From arturs at netvision.net.il Mon Oct 30 23:04:21 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Mon Oct 30 23:06:49 2006 Subject: OT may be: how to limit size of FuzzyOcr.log? Message-ID: <00f101c6fc77$bc3649a0$3701a8c0@lapxp> Howdy, It grows up to 24MB now, and I want to keep it quiet, or at least limit it in size. Has anyone done this? Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam From itlist at gmail.com Mon Oct 30 23:12:38 2006 
From: itlist at gmail.com (Cheng Bruce) Date: Mon Oct 30 23:12:40 2006 Subject: how to cache no-spam message shown its content in mailwatch Message-ID: Dear all, I am starting to use mailscanner with mailwatch, recently get a lot of spams going through my mail server which are treated as no-spam. They have legitimate helo, sender , domains and so on. And they passed the RBL which I set in "spam list" of mailscanner. If I can review the messages like SPAM, I can add some rules in my server to block them. by the way, is it possible to release the none-spam message as original messages to users but not included in the message ? When our vendor send the update file (*.bpl) to us, it was blocked. I don't know how to release this rule, because I only can do is remark "deny executable No executables No programs allowed" this line in "/etc/MailScanner/filetype.rules.conf". Would you please advise me how to do it ? Best Regards, Bruce From alex at nkpanama.com Mon Oct 30 23:21:27 2006 From: alex at nkpanama.com (Alex Neuman) Date: Mon Oct 30 23:22:44 2006 Subject: OT may be: how to limit size of FuzzyOcr.log? In-Reply-To: <00f101c6fc77$bc3649a0$3701a8c0@lapxp> References: <00f101c6fc77$bc3649a0$3701a8c0@lapxp> Message-ID: <454688F7.2090405@nkpanama.com> Arthur Sherman wrote: > Howdy, > > It grows up to 24MB now, and I want to keep it quiet, or at least limit it > in size. > > Has anyone done this? > > Thanks! > > > Best, > > -- > Arthur Sherman > > +972-52-4878851 > CPTeam > > How about running a weekly cron script that does "cat /dev/null > /path/to/your/fuzzyocr.log"? From res at ausics.net Mon Oct 30 23:39:31 2006 
From: res at ausics.net (Res) Date: Mon Oct 30 23:39:41 2006 Subject: F-Prot integration into mailscanner In-Reply-To: References: Message-ID: On Mon, 30 Oct 2006, Sven De Troch wrote: > On Tue, 31 Oct 2006 08:42:10 +1000 (EST), Res wrote: > >> On Mon, 30 Oct 2006, Sven De Troch wrote: >> >>> On Mon, 30 Oct 2006 13:57:27 +0100, Sven De Troch >>> wrote: > >> Sven, >> I trust this is now all OK? >> I am surprised that what Jim told you to do did not resolve it, as it >> should have because Sendmail will never forward to anywhere, any domain >> listed in the local-host-names file. >> >> What does your sendmail.cf file think this is? >> grep Fw sendmailcf >> that will show you what your local host file is. >> Some distros have a good habit of customising way too much, trying to be >> more like M$ :) > > > Yeps, everything is ok now. > local-host-names was empty, so I could solve it by adding the machine > to this file or by telling sendmail directly not to forward local > domains to the smarthost (SMART_CLASS_NOT) > > thanks for the assistance! No problems :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From duncan at dcl.co.uk Mon Oct 30 23:48:39 2006 
From: duncan at dcl.co.uk (Duncan Berriman) Date: Mon Oct 30 23:48:52 2006 Subject: MailScanner MailScanner-4.56.8-1 Issue Message-ID: <081101c6fc7d$ec6918e0$0502a8c0@CPQEVO> Hi, I recently installed MailScanner-4.56.8-1 on FC 2. I've used it in the past and had no problems however the new version appears to be duplicating mails from the /var/spool/mqueue.in/ directory. I have ruled out problems with SpamAssassin or ClamAV. The problem happens fairly randomly but regularly and is reported in the maillog as follows. Unlinking /var/spool/mqueue.in/dfk9UGfTcN018060 failed: No such file or directory The problem can be seen that two MailScanner children are picking the same email to process and one completes before the other and hence the error. The email is delivered twice, mostly identical but sometimes missing content depending on the timing. The 2nd child process reports the problem as the file can not be moved since the first has already done it. This clearly appears to be some form of locking issue. The only way I have currently found to solve the problem is set the children to 1 so that it's single threaded which is not ideal. Any ideas? New to the list so apologies if this is a known problem etc but couldn't find much on the net. Thanks in advance Duncan From ssilva at sgvwater.com Tue Oct 31 00:37:09 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 31 00:37:41 2006 Subject: MailScanner MailScanner-4.56.8-1 Issue In-Reply-To: <081101c6fc7d$ec6918e0$0502a8c0@CPQEVO> References: <081101c6fc7d$ec6918e0$0502a8c0@CPQEVO> Message-ID: Duncan Berriman spake the following on 10/30/2006 3:48 PM: > Hi, > > I recently installed MailScanner-4.56.8-1 on FC 2. I've used it in the past > and had no problems however the new version appears to be duplicating mails > from the /var/spool/mqueue.in/ directory. > > I have ruled out problems with SpamAssassin or ClamAV. The problem happens > fairly randomly but regularly and is reported in the maillog as follows. > > Unlinking /var/spool/mqueue.in/dfk9UGfTcN018060 failed: No such file or > directory > > The problem can be seen that two MailScanner children are picking the same > email to process and one completes before the other and hence the error. The > email is delivered twice, mostly identical but sometimes missing content > depending on the timing. The 2nd child process reports the problem as the > file can not be moved since the first has already done it. > > This clearly appears to be some form of locking issue. > > The only way I have currently found to solve the problem is set the children > to 1 so that it's single threaded which is not ideal. > > Any ideas? > > New to the list so apologies if this is a known problem etc but couldn't find > much on the net. > > Thanks in advance > Duncan > > > Are you using sendmail? Which version? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From pravin.rane at gmail.com Tue Oct 31 00:38:36 2006
From: pravin.rane at gmail.com (Pravin Rane) Date: Tue Oct 31 00:38:38 2006 Subject: two messages repeatedly processed In-Reply-To: References: <45464609.4010208@dalsemi.com> <4546657D.6080100@dalsemi.com> Message-ID: <13c021a90610301638n421fee99h8d8e189a3dff841@mail.gmail.com> Use Following options in MailScanner.conf file. This might help you out. Deliver Unparsable TNEF = yes On 10/31/06, Scott Silva wrote: > > David Vosburgh spake the following on 10/30/2006 12:50 PM: > > Scott Silva wrote: > >> David Vosburgh spake the following on 10/30/2006 10:35 AM: > >> > >>> I have three inbound mail servers with equal weighted MX values, all > >>> running MS/SA/DCC/Razor/RDJ/milter-greylist/ImageInfo on CentOS 4.4 > >>> using sendmail 8.13. The last of these three servers was upgraded > about > >>> 30 days ago, and all have been running great since then. After > getting > >>> in this morning (but prior to coffee), I checked out the Vispan web > page > >>> on each server and noticed that one server had stats much different > than > >>> the others. To make a long story shorter, there were two messages in > >>> mqueue.in that appear to have been processed 1651 and 548 times (but > not > >>> delivered) during a three hour stretch until I moved them out of the > >>> inbound queue. Here's what was showing up in the maillog for one of > the > >>> messages: > >>> > >> > >> Are there any thing common to these messages? TNEF? Mimetype? Encoding? > >> Are they overly large than average? > >> I have seen this in messages that failed the TNEF decoder in the past, > >> but any > >> process that chokes on them could be leaving them un-processed. > >> > > The two messages appear very dissimilar. The one processed 1651 times > > was about 8kb and was just plain text/HTML, while the other was about > > 650kb and was TNEF encoded (you may be on to something). 
Here are some > > of the headers from the TNEF message: > > > > H??Content-class: urn:content-classes:message > > H??MIME-Version: 1.0 > > H??Content-Type: multipart/mixed; > > boundary="----_=_NextPart_001_01C6FC06.9C7EA78E" > > H??X-MimeOLE: Produced By Microsoft Exchange V6.5 > > H??X-MS-Has-Attach: > > H??X-MS-TNEF-Correlator: > > > > > > And here are the (repeating) maillog entries for it: > > > > Oct 30 03:33:46 milter-greylist: k9U9XevM016782: addr 61.204.177.252 > > from rcpt : autowhitelisted for more > > 768:00:00 > > Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: from=, > > size=662042, class=0, nrcpts=1, > > msgid=, > > proto=SMTP, daemon=MTA, relay=xxx.yyy.zzz.jp [www.xxx.yyy.zzz] > > Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: Milter add: header: > > X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by > > milter-greylist-2.0.2 (xxxxx.dalsemi.com [aaa.bbb.ccc.ddd]); > > Mon, 30 Oct 2006 03:34:09 -0600 (CST) > > Oct 30 03:34:09 sendmail[16782]: k9U9XevM016782: to=, > > delay=00:00:23, mailer=smtp, pri=692042, stat=queued > > Oct 30 03:34:10 MailScanner[14011]: Expanding TNEF archive at > > /var/spool/MailScanner/incoming/14011/k9U9XevM016782/winmail.dat > > Oct 30 03:34:10 MailScanner[14011]: Message k9U9XevM016782 added TNEF > > contents p1,msg-14011-1301.txt > > Oct 30 03:34:10 MailScanner[14011]: Message k9U9XevM016782 has had TNEF > > winmail.dat removed > > Oct 30 03:34:13 MailScanner[16473]: SpamAssassin cache hit for message > > k9U9XevM016782 > > Oct 30 03:34:13 MailScanner[16473]: Expanding TNEF archive at > > /var/spool/MailScanner/incoming/16473/k9U9XevM016782/winmail.dat > > Oct 30 03:34:13 MailScanner[16473]: Message k9U9XevM016782 added TNEF > > contents p1,msg-16473-1361.txt > > Oct 30 03:34:13 MailScanner[16473]: Message k9U9XevM016782 has had TNEF > > winmail.dat removed > > Oct 30 03:34:15 MailScanner[17154]: SpamAssassin cache hit for message > > k9U9XevM016782 > > Oct 30 03:34:15 MailScanner[17154]: Expanding 
TNEF archive at > > /var/spool/MailScanner/incoming/17154/k9U9XevM016782/winmail.dat > > Oct 30 03:34:15 MailScanner[17154]: Message k9U9XevM016782 added TNEF > > contents p1,msg-17154-961.txt > > Oct 30 03:34:15 MailScanner[17154]: Message k9U9XevM016782 has had TNEF > > winmail.dat removed > > ... > > > You could try and use the opposite TNEF decoder from what you are using now > (internal vs. external). I haven't had a problem for quite some time, but I am > pretty sure they were some bad mojo between the mime-tools I had at the time > and the TNEF decoder. This was back on Redhat 9 more than a year ago, so my > memory on the subject is fading. > With only 2 failures, it seems to rule out a locking problem. > > Looking at the log snippets, it seems to be choking at the point of replacing > the winmail.dat with the extracted contents. Maybe you could play with those > settings in mailscanner. Keep those messages just in case Julian wants to see > them. Unless it is privileged comm's. > > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Regards Pravin From pravin.rane at gmail.com Tue Oct 31 00:46:58 2006
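The reprocessing loop in the maillog quoted above (one queue ID worked on by a succession of MailScanner children) and the duplicate-delivery symptom reported earlier in the thread can both be spotted mechanically. This is an added example, not part of any poster's message: the function names are hypothetical, the control line for k9UAbCdE000001 is constructed, and it assumes a message is normally handled by a single child.

```python
import re

# Lines in the format quoted in the thread. The k9U9XevM016782 entries follow
# the quoted maillog; the k9UAbCdE000001 line is a constructed healthy control.
SAMPLE_LOG = """\
Oct 30 03:34:10 MailScanner[14011]: Expanding TNEF archive at /var/spool/MailScanner/incoming/14011/k9U9XevM016782/winmail.dat
Oct 30 03:34:10 MailScanner[14011]: Message k9U9XevM016782 added TNEF contents p1,msg-14011-1301.txt
Oct 30 03:34:10 MailScanner[14011]: Message k9U9XevM016782 has had TNEF winmail.dat removed
Oct 30 03:34:11 MailScanner[14011]: SpamAssassin cache hit for message k9UAbCdE000001
Oct 30 03:34:13 MailScanner[16473]: SpamAssassin cache hit for message k9U9XevM016782
Oct 30 03:34:13 MailScanner[16473]: Expanding TNEF archive at /var/spool/MailScanner/incoming/16473/k9U9XevM016782/winmail.dat
Oct 30 03:34:15 MailScanner[17154]: SpamAssassin cache hit for message k9U9XevM016782
Oct 30 03:34:15 MailScanner[17154]: Message k9U9XevM016782 has had TNEF winmail.dat removed
"""

# timestamp, optional syslog hostname, then "MailScanner[pid]: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?:\S+\s+)?MailScanner\[(?P<pid>\d+)\]:\s+(?P<text>.*)$"
)

# The queue ID appears either after the word "message" or as a directory
# name under the child's working directory in incoming/<pid>/.
QID_RES = (
    re.compile(r"[Mm]essage (?P<qid>[A-Za-z0-9.]+)"),
    re.compile(r"/incoming/\d+/(?P<qid>[A-Za-z0-9.]+)/"),
)


def extract_qid(text):
    """Return the queue ID mentioned in one log message, or None."""
    for rx in QID_RES:
        m = rx.search(text)
        if m:
            qid = m.group("qid").rstrip(".")
            # Queue IDs contain digits; this rejects ordinary words.
            if any(ch.isdigit() for ch in qid):
                return qid
    return None


def children_by_message(lines):
    """Map queue ID -> child PIDs that logged about it, in first-seen order."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        qid = extract_qid(m.group("text"))
        if qid is None:
            continue
        pids = seen.setdefault(qid, [])
        pid = int(m.group("pid"))
        if pid not in pids:
            pids.append(pid)
    return seen


def reprocessed(lines, max_children=1):
    """Queue IDs handled by more child processes than expected."""
    return {
        qid: pids
        for qid, pids in children_by_message(lines).items()
        if len(pids) > max_children
    }


if __name__ == "__main__":
    for qid, pids in reprocessed(SAMPLE_LOG.splitlines()).items():
        print("%s handled by %d children: %s" % (qid, len(pids), pids))
```

Run against the live maillog, any non-empty result is worth a look: a queue ID that keeps turning up under new PIDs is the loop described in the thread.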
From: pravin.rane at gmail.com (Pravin Rane) Date: Tue Oct 31 00:47:03 2006 Subject: SPF Scans on outgoing mail In-Reply-To: <008d01c6fc73$c6008800$7c0fa8c0@Sue> References: <45467AB7.3040000@nkpanama.com> <008d01c6fc73$c6008800$7c0fa8c0@Sue> Message-ID: <13c021a90610301646g14c93ddao48c5f31732773334@mail.gmail.com> Are your MX and SMTP servers are on different IP address ? If yes Then add your SMTP server IP address in SPF record. Which will just indicate that MX's as well as SMTP are allowed to send mail with from address as thematthewsgroup.com On 10/31/06, Josh Dayberry wrote: > > For someone reason when someone send an e-mail (including myself) with > smtp > auth, the e-mail is scanned, then sent to the recipient, the SPF tests > will > fail on my server's copy of mailscanner because the e-mail appears to be > from the users computer not the server, but after the e-mail has been > delivered to another server, it no longer appears as being sent from only > the users computer so the SPF tests pass. > > The SPF tests are my primary concern because they are the greatest source > of > false positives, but ultimately I would rather just not scan e-mails sent > from users who as authenticated. > > Thanks again, > Josh Dayberry > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex > Neuman > Sent: Monday, October 30, 2006 5:21 PM > To: MailScanner discussion > Subject: Re: SPF Scans on outgoing mail > > Josh Dayberry escribi?: > > > > Here is my problem. I have many mobile users of my server. When they > > send e-mail their e-mail fails the SPF tests and their IP is submitted > > for RBL tests and things of that sort. However, all users with the > > ability to send e-mail on my server should not have their e-mail > > scanned at all. Unfortunately I haven't been able to figure out how to > > stop MailScanner from scanning e-mail received from users who > > authenticate. Any ideas would be appreciated. > > > > Josh Dayberry > > > > josh@thematthewsgroup.com > > > The mobile users aren't using your server; they're using someone else's > server to send out e-mail that should be going out of your server. > > Your SPF record is showing the following: > > "v=spf1 a mx -all" > > Which means only your MX's are allowed to send mail out as > thematthewsgroup.com; if your users are *actually* connecting to your > server, and they're authenticating themselves properly (not using > POP-before-SMTP but *actual* SMTP AUTH), then your SPF checks should > work, in theory. All of mine do. > > What are you using for SPF? In the meantime you can add "~all" instead > of "-all" to mitigate (not eliminate) the problem while you find out > what's wrong. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -- Regards Pravin From lists at thematthewsgroup.com Tue Oct 31 02:01:37 2006 From: lists at thematthewsgroup.com (Josh Dayberry) Date: Tue Oct 31 01:00:31 2006 Subject: SPF Scans on outgoing mail References: <45467AB7.3040000@nkpanama.com><008d01c6fc73$c6008800$7c0fa8c0@Sue> <13c021a90610301646g14c93ddao48c5f31732773334@mail.gmail.com> Message-ID: <00e801c6fc90$9581cdc0$660fa8c0@DellLaptop> They are the same address. Any idea how I can stop mailscanner from scanning mails from authenticated users? ----- Original Message -----
From: Pravin Rane To: MailScanner discussion Sent: Monday, October 30, 2006 6:46 PM Subject: Re: SPF Scans on outgoing mail Are your MX and SMTP servers are on different IP address ? If yes Then add your SMTP server IP address in SPF record. Which will just indicate that MX's as well as SMTP are allowed to send mail with from address as thematthewsgroup.com On 10/31/06, Josh Dayberry wrote: For someone reason when someone send an e-mail (including myself) with smtp auth, the e-mail is scanned, then sent to the recipient, the SPF tests will fail on my server's copy of mailscanner because the e-mail appears to be from the users computer not the server, but after the e-mail has been delivered to another server, it no longer appears as being sent from only the users computer so the SPF tests pass. The SPF tests are my primary concern because they are the greatest source of false positives, but ultimately I would rather just not scan e-mails sent from users who as authenticated. Thanks again, Josh Dayberry -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman Sent: Monday, October 30, 2006 5:21 PM To: MailScanner discussion Subject: Re: SPF Scans on outgoing mail Josh Dayberry escribi?: > > Here is my problem. I have many mobile users of my server. When they > send e-mail their e-mail fails the SPF tests and their IP is submitted > for RBL tests and things of that sort. However, all users with the > ability to send e-mail on my server should not have their e-mail > scanned at all. Unfortunately I haven't been able to figure out how to > stop MailScanner from scanning e-mail received from users who > authenticate. Any ideas would be appreciated. > > Josh Dayberry > > josh@thematthewsgroup.com > The mobile users aren't using your server; they're using someone else's server to send out e-mail that should be going out of your server. Your SPF record is showing the following: "v=spf1 a mx -all" Which means only your MX's are allowed to send mail out as thematthewsgroup.com; if your users are *actually* connecting to your server, and they're authenticating themselves properly (not using POP-before-SMTP but *actual* SMTP AUTH), then your SPF checks should work, in theory. All of mine do. What are you using for SPF? In the meantime you can add "~all" instead of "-all" to mitigate (not eliminate) the problem while you find out what's wrong. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
-- Regards Pravin From alex at nkpanama.com Tue Oct 31 01:22:34 2006
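The SPF behaviour discussed in this thread (the record "v=spf1 a mx -all" failing when checked on the submission server but passing once the mail reaches the next server, and the "~all" stopgap) worked through as an added example that is not part of any poster's message. The domain example.test, the addresses, the DNS tables and the function names are constructed assumptions, and only the all, a, mx and ip4 mechanisms are covered.

```python
import ipaddress

# Constructed DNS data using documentation ranges; not the real records of
# any domain in the thread.
DNS_A = {"example.test": ["192.0.2.10"], "mail.example.test": ["192.0.2.10"]}
DNS_MX = {"example.test": ["mail.example.test"]}

SERVER_IP = "192.0.2.10"     # the domain's MX, which is also its SMTP AUTH server
ROAMING_IP = "203.0.113.77"  # a mobile user's laptop on some other network

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _mechanism_matches(term, domain, ip):
    """True if one SPF mechanism (qualifier already removed) matches ip."""
    body, _, prefix = term.partition("/")
    name, _, arg = body.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name == "ip4":
        network = arg + ("/" + prefix if prefix else "")
        return ip in ipaddress.ip_network(network, strict=False)
    if name == "a":
        hosts = [arg or domain]
    elif name == "mx":
        hosts = DNS_MX.get(arg or domain, [])
    else:
        raise ValueError("mechanism not covered by this sketch: " + name)
    length = prefix or "32"
    return any(
        ip in ipaddress.ip_network(addr + "/" + length, strict=False)
        for host in hosts
        for addr in DNS_A.get(host, [])
    )


def check_spf(record, domain, client_ip):
    """Evaluate record left to right for the IP that opened the SMTP connection."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if "=" in term:       # modifiers such as redirect= are not handled here
            continue
        if _mechanism_matches(term, domain, ip):
            return RESULTS[qualifier]
    return "neutral"          # nothing matched and the record had no "all"


def by_hop(record, domain="example.test"):
    """The same record seen from the two points in the path the thread compares."""
    return {
        "scanner on the submission server (client = user's laptop)":
            check_spf(record, domain, ROAMING_IP),
        "next server (client = the submission server)":
            check_spf(record, domain, SERVER_IP),
    }


if __name__ == "__main__":
    for record in ("v=spf1 a mx -all", "v=spf1 a mx ~all"):
        print(record)
        for hop, result in by_hop(record).items():
            print("  %-60s %s" % (hop, result))
```

The result depends only on the connecting IP, so a filter that applies SPF to authenticated submissions is testing the user's network rather than the sending server.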
From: alex at nkpanama.com (Alex Neuman) Date: Tue Oct 31 01:23:54 2006 Subject: SPF Scans on outgoing mail In-Reply-To: <00e801c6fc90$9581cdc0$660fa8c0@DellLaptop> References: <45467AB7.3040000@nkpanama.com><008d01c6fc73$c6008800$7c0fa8c0@Sue> <13c021a90610301646g14c93ddao48c5f31732773334@mail.gmail.com> <00e801c6fc90$9581cdc0$660fa8c0@DellLaptop> Message-ID: <4546A55A.5060107@nkpanama.com> Don't know if you'd want to; otherwise you wouldn't be able to do MCP and users could be prone to sending out spam/viruses/etc., not to mention timewasters (mp3s, mpgs, etc.) Josh Dayberry wrote: > They are the same address. Any idea how I can stop mailscanner from > scanning mails from authenticated users? > > ----- Original Message ----- > *From:* Pravin Rane > *To:* MailScanner discussion > > *Sent:* Monday, October 30, 2006 6:46 PM > *Subject:* Re: SPF Scans on outgoing mail > > Are your MX and SMTP servers are on different IP address ? > > If yes > > Then add your SMTP server IP address in SPF record. Which will > just indicate that MX's as well as SMTP are allowed to send mail > with from address as thematthewsgroup.com > > > > > > > On 10/31/06, *Josh Dayberry* > wrote: > > For someone reason when someone send an e-mail (including > myself) with smtp > auth, the e-mail is scanned, then sent to the recipient, the > SPF tests will > fail on my server's copy of mailscanner because the e-mail > appears to be > from the users computer not the server, but after the e-mail > has been > delivered to another server, it no longer appears as being > sent from only > the users computer so the SPF tests pass. > > The SPF tests are my primary concern because they are the > greatest source of > false positives, but ultimately I would rather just not scan > e-mails sent > from users who as authenticated. > > Thanks again, > Josh Dayberry > > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info > ] On Behalf > Of Alex Neuman > Sent: Monday, October 30, 2006 5:21 PM > To: MailScanner discussion > Subject: Re: SPF Scans on outgoing mail > > Josh Dayberry escribi?: > > > > Here is my problem. I have many mobile users of my server. > When they > > send e-mail their e-mail fails the SPF tests and their IP is > submitted > > for RBL tests and things of that sort. However, all users > with the > > ability to send e-mail on my server should not have their e-mail > > scanned at all. Unfortunately I haven't been able to figure > out how to > > stop MailScanner from scanning e-mail received from users who > > authenticate. Any ideas would be appreciated. > > > > Josh Dayberry > > > > josh@thematthewsgroup.com > > > The mobile users aren't using your server; they're using > someone else's > server to send out e-mail that should be going out of your server. > > Your SPF record is showing the following: > > "v=spf1 a mx -all" > > Which means only your MX's are allowed to send mail out as > thematthewsgroup.com ; if your > users are *actually* connecting to your > server, and they're authenticating themselves properly (not using > POP-before-SMTP but *actual* SMTP AUTH), then your SPF checks > should > work, in theory. All of mine do. > > What are you using for SPF? In the meantime you can add "~all" > instead > of "-all" to mitigate (not eliminate) the problem while you > find out > what's wrong. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > Regards > > Pravin > > ------------------------------------------------------------------------ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From lists at thematthewsgroup.com Tue Oct 31 03:01:20 2006 From: lists at thematthewsgroup.com (Josh Dayberry) Date: Tue Oct 31 01:59:36 2006 Subject: SPF Scans on outgoing mail References: <45467AB7.3040000@nkpanama.com><008d01c6fc73$c6008800$7c0fa8c0@Sue> <13c021a90610301646g14c93ddao48c5f31732773334@mail.gmail.com><00e801c6fc90$9581cdc0$660fa8c0@DellLaptop> <4546A55A.5060107@nkpanama.com> Message-ID: <010101c6fc98$d7de81b0$660fa8c0@DellLaptop> I only want to limit spam and viruses from coming in. There aren't that many users and the setting I am in assumes they are all responsible. Does anyone know how to stop mailscanner from scanning outgoing e-mail? ----- Original Message ----- 
From: "Alex Neuman" To: "MailScanner discussion" Sent: Monday, October 30, 2006 7:22 PM Subject: Re: SPF Scans on outgoing mail > Don't know if you'd want to; otherwise you wouldn't be able to do MCP and > users could be prone to sending out spam/viruses/etc., not to mention > timewasters (mp3s, mpgs, etc.) > > Josh Dayberry escribi?: >> They are the same address. Any idea how I can stop mailscanner from >> scanner mails from authenticated users? >> >> ----- Original Message ----- >> *From:* Pravin Rane >> *To:* MailScanner discussion >> >> *Sent:* Monday, October 30, 2006 6:46 PM >> *Subject:* Re: SPF Scans on outgoing mail >> >> Are your MX and SMTP servers are on different IP address ? >> >> If yes >> >> Then add your SMTP server IP address in SPF record. Which will >> just indicate that MX's as well as SMTP are allowed to send mail >> with from address as thematthewsgroup.com >> >> >> >> >> >> >> On 10/31/06, *Josh Dayberry* > > wrote: >> >> For someone reason when someone send an e-mail (including >> myself) with smtp >> auth, the e-mail is scanned, then sent to the recipient, the >> SPF tests will >> fail on my server's copy of mailscanner because the e-mail >> appears to be >> from the users computer not the server, but after the e-mail >> has been >> delivered to another server, it no longer appears as being >> sent from only >> the users computer so the SPF tests pass. >> >> The SPF tests are my primary concern because they are the >> greatest source of >> false positives, but ultimately I would rather just not scan >> e-mails sent >> from users who as authenticated. >> >> Thanks again, >> Josh Dayberry >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> >> [mailto:mailscanner-bounces@lists.mailscanner.info >> ] On Behalf >> Of Alex Neuman >> Sent: Monday, October 30, 2006 5:21 PM >> To: MailScanner discussion >> Subject: Re: SPF Scans on outgoing mail >> >> Josh Dayberry escribi?: >> > >> > Here is my problem. I have many mobile users of my server. >> When they >> > send e-mail their e-mail fails the SPF tests and their IP is >> submitted >> > for RBL tests and things of that sort. However, all users >> with the >> > ability to send e-mail on my server should not have their >> e-mail >> > scanned at all. Unfortunately I haven't been able to figure >> out how to >> > stop MailScanner from scanning e-mail received from users who >> > authenticate. Any ideas would be appreciated. >> > >> > Josh Dayberry >> > >> > josh@thematthewsgroup.com >> > >> The mobile users aren't using your server; they're using >> someone else's >> server to send out e-mail that should be going out of your >> server. >> >> Your SPF record is showing the following: >> >> "v=spf1 a mx -all" >> >> Which means only your MX's are allowed to send mail out as >> thematthewsgroup.com ; if your >> users are *actually* connecting to your >> server, and they're authenticating themselves properly (not using >> POP-before-SMTP but *actual* SMTP AUTH), then your SPF checks >> should >> work, in theory. All of mine do. >> >> What are you using for SPF? In the meantime you can add "~all" >> instead >> of "-all" to mitigate (not eliminate) the problem while you >> find out >> what's wrong. >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> >> >> -- >> Regards >> >> Pravin >> >> ------------------------------------------------------------------------ >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From res at ausics.net Tue Oct 31 02:37:18 2006 From: res at ausics.net (Res) Date: Tue Oct 31 02:37:25 2006 Subject: SPF Scans on outgoing mail In-Reply-To: <010101c6fc98$d7de81b0$660fa8c0@DellLaptop> References: <45467AB7.3040000@nkpanama.com><008d01c6fc73$c6008800$7c0fa8c0@Sue> <13c021a90610301646g14c93ddao48c5f31732773334@mail.gmail.com><00e801c6fc90$9581cdc0$660fa8c0@DellLaptop> <4546A55A.5060107@nkpanama.com> <010101c6fc98$d7de81b0$660fa8c0@DellLaptop> Message-ID: On Mon, 30 Oct 2006, Josh Dayberry wrote: > I only want to limit spam and viruses from coming in. This is the biggest problem we all face, attitudes like this, administrators should stop this trash *leaving* their networks as well, admins who only want to stop inbound are irresponsible and should not be let near outlook let alone a mail server. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From lists at thematthewsgroup.com Tue Oct 31 04:42:34 2006 
From: lists at thematthewsgroup.com (Josh Dayberry) Date: Tue Oct 31 03:41:07 2006 Subject: SPF Scans on outgoing mail References: <45467AB7.3040000@nkpanama.com><008d01c6fc73$c6008800$7c0fa8c0@Sue><13c021a90610301646g14c93ddao48c5f31732773334@mail.gmail.com><00e801c6fc90$9581cdc0$660fa8c0@DellLaptop><4546A55A.5060107@nkpanama.com><010101c6fc98$d7de81b0$660fa8c0@DellLaptop> Message-ID: <011d01c6fca6$fca3c600$660fa8c0@DellLaptop> WOW, you are crazy. We are a small company and it is easy for me to keep tabs on all people who send e-mail from our server. I work for an advertising company so a lot of the things mailscanner blocks are a necessary part of our work environment. Although scanning incoming mail helps prevent viruses and spam from coming in, we use primarily Macs so viruses going out won't be much of a problem (nor in), and I have no fear of any of the few people in my office going renegade and sending out a million spam messages. I don't need to filter the mail sent, it simply is not worth the hassle to office employees, and this is the bottom line, and I know the people I work with aren't retarded. I would still appreciate anyone who can help me with this problem. ----- Original Message -----
From: "Res" To: "MailScanner discussion" Sent: Monday, October 30, 2006 8:37 PM Subject: Re: SPF Scans on outgoing mail > On Mon, 30 Oct 2006, Josh Dayberry wrote: > >> I only want to limit spam and viruses from coming in. > > > This is the biggest problem we all face, attitudes like this, > administrators should stop this trash *leaving* their networks > as well, admins who only want to stop inbound are irresponsible and should > not be let near outlook let alone a mail server. > > > -- > Cheers > Res > > "Just a world that we all must share, it's not enough just to stand and > stare, is it only a dream that there'll be no more turning away" - Floyd > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From febrianto at sioenasia.com Tue Oct 31 03:55:34 2006 
From: febrianto at sioenasia.com (Budi Febrianto) Date: Tue Oct 31 03:50:51 2006 Subject: OT: MS Exchange Alternatives In-Reply-To: Message-ID: mailscanner-bounces@lists.mailscanner.info wrote on 10/20/2006 06:21:07 PM: > > > > > hakon@symfoni.no wrote on 18-10-2006 14:16: > > > > > > > >> There is always Lotus Domino. Not free, but very nice :-) > > > > > > > > We did an investigation into Exchange, Lotus and Oracle Collaboration > > > > Suite. These three were chosen because we had the experience with all > > > > three systems in one way or another. > > > > > > > > OCS came out best. Lotus was second and Exchange came last. We had some > > > > errors in the investigation corrected (by Microsoft) and Exchange came > > > > in second. > > Having used Lotus Notes, I would say that it is a very clever piece of > software, especially with regards to replication of databases. However > the one problem is that it has such an appalling piece of client software > for mail that I would never recommend it to anyone. It was just broken in > so many ways - folders that could be created but not deleted, moving mail > to folders in some situations would delete the mail, problems with editing > an original message when copied into a reply, and so on. > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > I've been using lotus domino/notes from release 4.11 and have no problem with that. The problem is that lack on spam detection... only have rbl and limited blacklist system (Not sure for release 7), that why I use MailScanner. But, if you only want to use emails, don't use lotus/domino. Just too much for that. From brent.addis at pronet.co.nz Tue Oct 31 04:48:51 2006 
From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Oct 31 04:49:22 2006 Subject: Need to reject null characters In-Reply-To: References: Message-ID: <4546D5B3.7050607@pronet.co.nz> What do you mean by null characters? Do you mean <> ? I wouldn't recommend doing this at the MTA level as it tends to break sender callout checks (assuming you ended up upgrading postfix). I'm sure your users will get mighty annoyed when they find mail not being delivered. Plus it's in the RFCs that you should accept these, and we all follow the RFCs, right? If you're not meaning <> as null, forget my posting. :) Douglas Ward wrote: > I need to configure MailScanner or SpamAssassin to reject any e-mails > with null characters in them. We are getting null character spams > occasionally which fouls up our imap users (checking their mailboxes > through squirrelmail). I know that postfix has a handy command for > this in 2.3 but cannot upgrade to it (due to a long and tortuous > Mandriva 2007 upgrade problem). Is there another way to configure > this? If not, could we request it as additional functionality in a > future version of MailScanner? Any advice would be most appreciated. > Thanks! From res at ausics.net Tue Oct 31 06:16:57 2006
From: res at ausics.net (Res) Date: Tue Oct 31 06:17:05 2006 Subject: SPF Scans on outgoing mail In-Reply-To: <011d01c6fca6$fca3c600$660fa8c0@DellLaptop> References: <45467AB7.3040000@nkpanama.com><008d01c6fc73$c6008800$7c0fa8c0@Sue><13c021a90610301646g14c93ddao48c5f31732773334@mail.gmail.com><00e801c6fc90$9581cdc0$660fa8c0@DellLaptop><4546A55A.5060107@nkpanama.com><010101c6fc98$d7de81b0$660fa8c0@DellLaptop> <011d01c6fca6$fca3c600$660fa8c0@DellLaptop> Message-ID: On Mon, 30 Oct 2006, Josh Dayberry wrote: > WOW, you are crazy. We are a small company and it easy for me to keep tabs and thousands of little companies combined compounds the issue to a large scale, my original comment still stands. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From alvaro at hostalia.com Tue Oct 31 09:00:09 2006 
From: alvaro at hostalia.com (=?UTF-8?B?QWx2YXJvIE1hcsOtbg==?=)
Date: Tue Oct 31 09:00:18 2006
Subject: RBL List selection
In-Reply-To: <45462C98.8020406@evi-inc.com>
References: <006e01c6f942$28e0d9a0$0d02a8c0@Gordon> <454124BC.3010304@fsl.com> <4541BFB7.5030403@hostalia.com> <02ae01c6f9a1$a13dca70$0a02a8c0@Gordon> <4541CC68.5030601@hostalia.com> <45462C98.8020406@evi-inc.com>
Message-ID: <45471099.7060107@hostalia.com>

Hello,

>> Now, reviewing this, I've in MTA sbl.spamhaus.org but I've a few
>> messages with RCVD_IN_SBL (not scored to 0 in spam.assassin.prefs.conf):
>>
>> Oct 27 09:40:18 relay MailScanner[9474]: Message 6F6916E16C3.98A09 from
>> 83.11.59.37 (bdtelepolissro@telepolis.com) to xxxxxx.com is spam,
>> SpamAssassin (no almacenado, puntaje=31.359, requerido 6, BAYES_99 2.00,
>> FORGED_RCVD_HELO 0.14, RAZOR2_CF_RANGE_51_100 0.50,
>> RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 4.00, RCVD_IN_NJABL_DUL
>> 1.95, RCVD_IN_SBL 3.16, RELAYCOUNTRY_ES -0.20, URIBL_AB_SURBL 3.81,
>> URIBL_BLACK 3.00, URIBL_JP_SURBL 4.00, URIBL_OB_SURBL 3.01,
>> URIBL_SC_SURBL 4.50)
>>
>> As I've said, RCVD_IN_SBL only appears on 9 messages...and the IPs are
>> not listed:
>>
>> http://www.spamhaus.org/query/bl?ip=83.11.59.37
>
> What about all the other IPs in the message?
>
> SA checks them all.

SpamAssassin cache hit for message 07F1A7F913F.85C59
SpamAssassin cache hit for message 72D5C7F918D.93608
SpamAssassin cache hit for message 607FC7F88C4.71A6F

As I see those messages are cached by the SA cache; perhaps IPs were
listed but now they've been removed from the black list.

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From duncan at dcl.co.uk Tue Oct 31 09:56:39 2006
From: duncan at dcl.co.uk (Duncan Berriman)
Date: Tue Oct 31 09:57:05 2006
Subject: MailScanner MailScanner-4.56.8-1 Issue
In-Reply-To:
Message-ID: <092201c6fcd2$dc3db0c0$0502a8c0@CPQEVO>

Yes I'm using sendmail. 8.12.11-4.6

# sendmail -d0.1
Version 8.12.11
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
 MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
 USERDB USE_LDAP_INIT

Duncan

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Scott Silva
> Sent: 31 October 2006 00:37
> To: mailscanner@lists.mailscanner.info
> Subject: Re: MailScanner MailScanner-4.56.8-1 Issue
>
>
> Duncan Berriman spake the following on 10/30/2006 3:48 PM:
> > Hi,
> >
> > I recently installed MailScanner-4.56.8-1 on FC 2. I've
> used it in the past
> > and had no problems however the new version appears to be
> duplicating mails
> > from the /var/spool/mqueue.in/ directory.
> >
> > I have ruled out problems with SpamAssasin or Clamav. The
> problem happens
> > fairly randomly but regularly and is reported in the
> maillog as follows.
> >
> > Unlinking /var/spool/mqueue.in/dfk9UGfTcN018060 failed: No
> such file or
> > directory
> >
> > The problem can be seen that two MailScanner children are
> picking the same
> > email to process and one completes before the other and
> hence the error. The
> > email is delivered twice, mostly identical but sometimes
> missing content
> > depending on the timing. The 2nd child process reports the
> problem as the
> > file can not be moved since the first has already done it.
> >
> > This clearly appears to be some form of locking issue.
> >
> > The only way I have currently found to solve the problem is
> set the children
> > to 1 so that its single threaded which is not ideal.
> >
> > Any ideas?
> >
> > New to the list so apologies if this a known problem etc
> but couldn't find
> > much on the net.
> >
> > Thanks in advance
> > Duncan
> >
> >
> >
> Are you using sendmail?
> Which version?
>
>
>
> --
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From marc at marcsnet.com Tue Oct 31 11:20:03 2006
From: marc at marcsnet.com (Marc Lucke)
Date: Tue Oct 31 11:20:39 2006
Subject: MailScanner as mail proxy
Message-ID: <45473163.2080805@marcsnet.com>

Hi list,

I know this is getting off topic. I know enough about sendmail to be
99% sure that this question should be on their list. But any help,
ideas or feedback would be welcome. I'm guessing the MailScanner
community would have come across my problem on more than 1 occasion.

I run MailScanner on a remote machine to my actual mailserver. In other
words all mail is relayed via the Mailscanner box. This is to stop
viruses and spam on the mailserver I have to run which is very limited
in such defenses. It all works great, apart from one annoying problem:
if someone sends to an unknown email account (as oft occurs) the
MailScanner proxy (for want of a better way to describe it as I'm using
it) first accepts the email, attempts delivery, cannot deliver and then
tries to notify the sender who doesn't exist. So I'm lumbered with a
billion postmaster non-delivery emails. I'm keeping up with this quite
well, but I'm scared I'll miss a legitimate message because it's buried
in garbage.

Is there anything I can do to get anything in MailScanner to check with
my destination email server that the actual account exists before
accepting the email in the first place?

Marc

From steve.freegard at fsl.com Tue Oct 31 11:34:37 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 31 11:34:44 2006
Subject: MailScanner as mail proxy
In-Reply-To: <45473163.2080805@marcsnet.com>
References: <45473163.2080805@marcsnet.com>
Message-ID: <454734CD.4030303@fsl.com>

Marc Lucke wrote:
> Is there anything I can do to get anything in MailScanner to check with
> my destination email server that the actual account exists before
> accepting the email in the first place?

MailScanner can't do this as it doesn't get involved in the SMTP
conversation.

You can do this using a sendmail milter - have a look at
http://www.snertsoft.com/sendmail/milter-ahead/ (I personally use this
and the author is a personal friend, it's very well written - but you do
have to pay for it), alternatively there is a free alternative (I've
never tried it though, so I can't comment on its features) at
http://smfs.sourceforge.net/smf-sav.html.

Kind regards,
Steve.

From michele at blacknight.ie Tue Oct 31 11:39:23 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue Oct 31 11:39:04 2006
Subject: MailScanner as mail proxy
In-Reply-To: <45473163.2080805@marcsnet.com>
Message-ID: <05a301c6fce1$368e1480$e3f31151@blacknight.local>

Check out milter-ahead

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From t.d.lee at durham.ac.uk Tue Oct 31 11:47:35 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Tue Oct 31 11:48:02 2006
Subject: MailScanner as mail proxy
In-Reply-To: <45473163.2080805@marcsnet.com>
References: <45473163.2080805@marcsnet.com>
Message-ID:

On Tue, 31 Oct 2006, Marc Lucke wrote:

> I know this is getting off topic. I know enough about sendmail to be
> 99% sure that this question should be on their list. But any help,
> ideas or feedback would be welcome. I'm guessing the MailScanner
> community would have come across my problem on more than 1 occasion.
>
> I run MailScanner on a remote machine to my actual mailserver. In other
> words all mail is relayed via the Mailscanner box. This is to stop
> viruses and spam on the mailserver I have to run which is very limited
> in such defenses. It all works great, apart from one annoying problem:
> if someone sends to an unknown email account (as oft occurs) the
> MailScanner proxy (for want of a better way to describe it as I'm using
> it) first accepts the email, attempts delivery, cannot deliver and then
> tries to notify the sender who doesn't exist. So I'm lumbered with a
> billion postmaster non-delivery emails. I'm keeping up with this quite
> well, but I'm scared I'll miss a legitimate message because it's buried
> in garbage.
>
> Is there anything I can do to get anything in MailScanner to check with
> my destination email server that the actual account exists before
> accepting the email in the first place?

Even MailScanner would be too late: your overall email system has already
accepted the email. To confirm your last paragraph, for unknown
usernames, you really need to refuse to accept the email in the first
place.

You need to do your "refuse to accept" on your Internet boundary: on the
sendmail listener that runs on your remote (MailScanner) box.
A route you probably want to investigate is the "virtuser" table in that
remote sendmail listener, and having a maintenance procedure that regularly
populates that table with the valid usernames (and other possible valid
addresses) on your user-mailserver.

Then (as you say) take any further questions to the sendmail list.

Hope that helps.

--

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :

From dward at nccumc.org Tue Oct 31 13:07:32 2006
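Added example, not part of any list message: a Python sketch of the maintenance procedure David Lee suggests above, turning an exported list of valid addresses into virtusertable entries for the gateway's sendmail (with a catch-all rejection per domain) plus the mailertable routes to the real mail server. The domain names, the `mbox` relay prefix, the host name and the sample addresses are constructed assumptions.

```python
"""Build sendmail virtusertable/mailertable text for a filtering gateway."""
import re

# Conservative patterns: no whitespace, control characters or colons, so a
# single bad directory entry cannot smuggle an extra key or RHS into the map.
_LOCAL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}")
_DOMAIN_RE = re.compile(r"(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")

# RHS that makes sendmail refuse the recipient during the SMTP dialogue.
REJECT = "error:nouser 550 No such user here"


def parse_address(raw):
    """Return (local, domain) lower-cased, or None if the entry is unusable."""
    addr = raw.strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if len(domain) > 253:
        return None
    if not _LOCAL_RE.fullmatch(local) or not _DOMAIN_RE.fullmatch(domain):
        return None
    return local.lower(), domain.lower()


def build_tables(valid_addresses, hosted_domains, relay_prefix, mail_host):
    """Return (virtusertable_text, mailertable_text, skipped_entries).

    Each valid user@domain is rewritten to user@<relay_prefix>.<domain>, and
    the mailertable routes that rewritten domain to the real mail server.
    Anything else at a hosted domain hits the catch-all and is refused.
    """
    hosted = {d.lower() for d in hosted_domains}
    users = {}
    skipped = []
    for raw in valid_addresses:
        parsed = parse_address(raw)
        if parsed is None or parsed[1] not in hosted:
            skipped.append(raw)
            continue
        users.setdefault(parsed[1], set()).add(parsed[0])

    # An empty user list almost always means the export failed. Publishing a
    # bare catch-all would bounce every message, so keep the old table instead.
    empty = sorted(hosted - users.keys())
    if empty:
        raise ValueError("no valid users for: " + ", ".join(empty))

    virt, mailer = [], []
    for domain in sorted(hosted):
        internal = f"{relay_prefix}.{domain}"
        for local in sorted(users[domain]):
            virt.append(f"{local}@{domain}\t{local}@{internal}")
        virt.append(f"@{domain}\t{REJECT}")
        mailer.append(f"{internal}\tesmtp:[{mail_host}]")
    return "\n".join(virt) + "\n", "\n".join(mailer) + "\n", skipped


# Constructed sample export from the internal mail server.
SAMPLE_EXPORT = [
    "Alice@Example.org",
    "bob@example.org",
    "bob@example.org ",                      # duplicate with trailing space
    "carol@example.net",
    "dave@example.org\terror:nouser 550 x",  # malformed: would corrupt the map
    "eve@elsewhere.test",                    # not a domain this gateway hosts
]

if __name__ == "__main__":
    virt, mailer, skipped = build_tables(
        SAMPLE_EXPORT, ["example.org", "example.net"], "mbox", "mailhost.example.org"
    )
    print(virt, mailer, "skipped:", skipped, sep="\n")
```

The generated text still has to be compiled into the map files with `makemap` on the gateway before sendmail uses it.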
From: dward at nccumc.org (Douglas Ward)
Date: Tue Oct 31 13:07:35 2006
Subject: Need to reject null characters
In-Reply-To: <4546D5B3.7050607@pronet.co.nz>
References: <4546D5B3.7050607@pronet.co.nz>
Message-ID:

The RFC's do specify accepting null characters during the smtp
transaction. The problem is that they do not specify it during an imap
transaction. Hence when one is received by postfix that user's
squirrelmail client no longer displays their mailbox. I have to hunt
through their inbox to find the message (always spam) and delete it
manually. Maybe a plugin to MailScanner that strips the null fields and
lets the message through?

On 10/30/06, Brent Addis wrote:
> What do you mean by null characters?
>
> Do you mean <> ?
>
> I wouldn't recommend doing this at the MTA level as it tends to break
> sender callout checks (Assuming you ended up upgrading postfix)
>
> I'm sure your users will get mighty annoyed when they find mail not
> being delivered.
>
> Plus it's in the RFC's that you should accept these, and we all follow
> the RFC's, right?
>
> If you're not meaning <> as null, forget my posting.
>
> :)
>
>
>
> Douglas Ward wrote:
> > I need to configure MailScanner or Spamassassin to reject any e-mails
> > with null characters in them. We are getting null character spams
> > occasionally which fouls up our imap users (checking their mailboxes
> > through squirrelmail). I know that postfix has a handy command for
> > this in 2.3 but cannot upgrade to it (due to a long and tortuous
> > Mandriva 2007 upgrade problem). Is there another way to configure
> > this? If not, could we request it as additional functionality in a
> > future version of MailScanner? Any advice would be most appreciated.
> > Thanks!
> >
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From matt at coders.co.uk Tue Oct 31 13:13:57 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Tue Oct 31 13:14:23 2006
Subject: OT: milter-link
Message-ID: <45474C15.3080704@coders.co.uk>

Slightly (ok very much) off topic but I know a lot of you are using
milter-link.

I don't seem to be able to get it to do anything! I am using the default
settings (no changes at all) and it just logs that it has checked the
message and then moves on.

Now I am guessing that this is either to do with the Access map or the
definition of the blacklist provider.

(Antony seems to have the exact opposite approach to thinking to me ;-))
- it took me ages to work out how to get milter-null to do anything.

In the accessmap I have

example.com RELAY

I have been trying with the following URL

http://put*in*jerion*kdsace*in.*com (remove the stars to see the url)

and this returns 127.0.0.118 if you do a multi.surbl.org lookup (multi is
the default configured into milter-null)

The default policy is to reject email with matching URLs - it's sailing
through!

Any thoughts

Matt

From steve.freegard at fsl.com Tue Oct 31 13:43:42 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 31 13:43:49 2006
Subject: OT: milter-link
In-Reply-To: <45474C15.3080704@coders.co.uk>
References: <45474C15.3080704@coders.co.uk>
Message-ID: <4547530E.9010409@fsl.com>

Hi Matt,

Matt Hampton wrote:
> (Antony seems to have the exact opposite approach to thinking to me ;-))

I've had similar discussions with him....

> In the accessmap I have
>
> example.com RELAY

This is most likely the problem. All of Anthony's milters use the access
map for white/blacklisting, so in these terms RELAY > OK = whitelisted.

You've got a few alternatives:

1) In the cf file - set access-map to blank.

2) Assign access-map to a 'fake' access map with your milter white/black
list entries only.

3) Use tagged access map entries (e.g. Connect:, From:, To: -- you should
probably be doing this anyway soon as the untagged forms are deprecated
and will disappear from Sendmail eventually), so your example.com would
probably change to To:example.com RELAY or Connect:example.com RELAY - in
which case at the top of the access map you can add: milter-link-To: SKIP
or milter-link-Connect: SKIP.

Hope this helps.

Cheers,
Steve.

From mailscanner at mango.zw Tue Oct 31 14:07:13 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Tue Oct 31 14:05:57 2006
Subject: MailScanner as mail proxy
In-Reply-To:
Message-ID:

On Tue, 31 Oct 2006, David Lee wrote:

> Date: Tue, 31 Oct 2006 11:47:35 +0000 (GMT)
> From: David Lee
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: MailScanner as mail proxy
>
> On Tue, 31 Oct 2006, Marc Lucke wrote:
>
> > I know this is getting off topic. I know enough about sendmail to be
> > 99% sure that this question should be on their list. But any help,
> > ideas or feedback would be welcome. I'm guessing the MailScanner
> > community would have come across my problem on more than 1 occasion.
> >
> > I run MailScanner on a remote machine to my actual mailserver. In other
> > words all mail is relayed via the Mailscanner box. This is to stop
> > viruses and spam on the mailserver I have to run which is very limited
> > in such defenses. It all works great, apart from one annoying problem:
> > if someone sends to an unknown email account (as oft occurs) the
> > MailScanner proxy (for want of a better way to describe it as I'm using
> > it) first accepts the email, attempts delivery, cannot deliver and then
> > tries to notify the sender who doesn't exist. So I'm lumbered with a
> > billion postmaster non-delivery emails. I'm keeping up with this quite
> > well, but I'm scared I'll miss a legitimate message because it's buried
> > in garbage.
> >
> > Is there anything I can do to get anything in MailScanner to check with
> > my destination email server that the actual account exists before
> > accepting the email in the first place?
>
> Even MailScanner would be too late: your overall email system has already
> accepted the email. To confirm your last paragraph, for unknown
> usernames, you really need to refuse to accept the email in the first
> place.
>
> You need to do your "refuse to accept" on your Internet boundary: on the
> sendmail listener that runs on your remote (MailScanner) box.
A route you
> probably want to investigate is the "virtuser" table in that remote
> sendmail listener, and having a maintenance procedure that regularly
> populates that table with the valid usernames (and other possible valid
> addresses) on your user-mailserver.

That is the method that I used to use on MANGO, with a script to mail the
updated virtusertable to the gateway machine and then have it processed by
another script on arrival. It works, but is a rather messy approach. In
particular, the virtusertable entries redirect mail from one address to
another address, so you have to change the domain names and then have a
mailertable entry for the new domain. However I don't think that sendmail
itself offers any alternative approach to this problem.

As Steve Freegard wrote:

> You can do this using a sendmail milter . . .
> there is a free alternative (I've never tried it though, so I can't
> comment on it's features) at http://smfs.sourceforge.net/smf-sav.html.

I highly recommend it in its latest version, smf-sav v1.4.0. Not only can
it be used for recipient verification, it can also do sender verification.
Earlier versions had some significant drawbacks, but I now run this version
on a production server and find it extremely useful for SAV and RAV. If
you want any help offline, please feel free to contact me. The developer,
Eugene Kurmanin, is also extremely helpful and responsive (even helping me
get it running on an ancient RedHat 6.1 box that it was never intended to
be compiled on).

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From daniel.maher at ubisoft.com Tue Oct 31 14:21:26 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Tue Oct 31 14:21:29 2006
Subject: OT may be: how to limit size of FuzzyOcr.log?
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D2038FDECD@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Arthur Sherman
> Sent: October 30, 2006 6:04 PM
> To: 'MailScanner discussion'
> Subject: OT may be: how to limit size of FuzzyOcr.log?
>
>
> Howdy,
>
> It grows up to 24MB now, and I want to keep it quiet, or at least limit
> him
> in size.
>
> Has anyone done this?
>
> Thanks!

Sounds like you need "logrotate".

http://www.google.ca/search?q=logrotate

Cheers!

--
_
?v? Daniel Maher
/(_)\ Administrateur Système Unix
^ ^ Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From duncan at dcl.co.uk Tue Oct 31 14:22:59 2006
From: duncan at dcl.co.uk (Duncan Berriman)
Date: Tue Oct 31 14:23:15 2006
Subject: MailScanner MailScanner-4.56.8-1 Issue
In-Reply-To:
Message-ID: <099601c6fcf8$115c7a00$0502a8c0@CPQEVO>

Hi Scott,

After your email I did a google for MailScanner Sendmail duplicate mail and
found the answer. I changed the lock to flock (as per the notes in the
MailScanner.conf) and so far things look good - no duplicates in 3 hours.

Thanks for pointing me in the right direction I hadn't considered the
sendmail/mailscanner configuration.

Duncan

> >
> >
> Are you using sendmail?
> Which version?
>
>

From gmourani at privalodc.com Tue Oct 31 14:57:27 2006
From: gmourani at privalodc.com (Gerhard Mourani)
Date: Tue Oct 31 14:57:42 2006
Subject: Removing X Headers
Message-ID: <4665.70.82.58.187.1162306647.squirrel@webmail.privalodc.com>

Hello list,

Every time I receive an email, Mailscanner add X-%org-name%-MailScanner:
and similar X headers lines into the BODY!! of the message. What I need to
do to remove the X header lines to appear into the body of the message?

Gerhard,

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Tue Oct 31 15:14:14 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 31 15:14:17 2006
Subject: Removing X Headers
In-Reply-To: <4665.70.82.58.187.1162306647.squirrel@webmail.privalodc.com>
References: <4665.70.82.58.187.1162306647.squirrel@webmail.privalodc.com>
Message-ID: <223f97700610310714i2b389bf9ybb628d3ec11ce2ae@mail.gmail.com>

On 31/10/06, Gerhard Mourani wrote:
> Hello list,
>
> Every time I receive an email, Mailscanner add X-%org-name%-MailScanner:
> and similar X headers lines into the BODY!! of the message. What I need to
> do to remove the X header lines to appear into the body of the message?
>
> Gerhard,
>
it shouldn't do that. Your %org name is valid, I presume (no spaces or
other characters that aren't allowed in a header)?
If that is OK, I'd look long and hard at what precedes them... After
all, all that separates the headers from the body is a single blank
line:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ka at pacific.net Tue Oct 31 16:12:17 2006
From: ka at pacific.net (Ken A)
Date: Tue Oct 31 16:10:15 2006
Subject: SPF Scans on outgoing mail
In-Reply-To: <011d01c6fca6$fca3c600$660fa8c0@DellLaptop>
References: <45467AB7.3040000@nkpanama.com><008d01c6fc73$c6008800$7c0fa8c0@Sue><13c021a90610301646g14c93ddao48c5f31732773334@mail.gmail.com><00e801c6fc90$9581cdc0$660fa8c0@DellLaptop><4546A55A.5060107@nkpanama.com><010101c6fc98$d7de81b0$660fa8c0@DellLaptop> <011d01c6fca6$fca3c600$660fa8c0@DellLaptop>
Message-ID: <454775E1.1090107@pacific.net>

Josh Dayberry wrote:
> WOW, you are crazy. We are a small company and it easy for me to keep
> tabs on all people who send e-mail from our server. I work for an
> advertising company so a lot of the things mailscanner blocks are a
> necessary part of our work environment. Although scanning incoming mail
> help prevent viruses and spam from coming in, we use primarily macs so
> viruses going out won't be much of a problem (nor in), and I have no
> fear of any of the few people in my office going renegade and sending
> out a million spam messages. I don't need to filter the mail sent, it
> simply is not worth the hassle to office employees, and this the bottom
> line, and I know the people I work with aren't retarded.

I agree that 99% of spam is sent by spammers who know they are spammers,
but there are other examples of why scanning outgoing mail is important.

This week we've had 7 copies of the same virus blocked by clamav - sent
from a MAC. It's a word macro virus. The user doesn't understand that she
should have to pay for antivirus software for her Mac, since "mac's don't
get viruses". I think it's time to stop saying that. Macs DO get viruses,
and mac users should run antivirus software.

Ken A.
Pacific.Net

> I would still appreciate anyone who can help me with this problem.
>
> ----- Original Message -----
From: "Res"
> To: "MailScanner discussion"
> Sent: Monday, October 30, 2006 8:37 PM
> Subject: Re: SPF Scans on outgoing mail
>
>
>> On Mon, 30 Oct 2006, Josh Dayberry wrote:
>>
>>> I only want to limit spam and viruses from coming in.
>>
>>
>> This is the biggest problem we all face, attitudes like this,
>> administrators should stop this trash *leaving* their networks
>> as well, admins who only want to stop inbound are irresponsible and
>> should not be let near outlook let alone a mail server.
>>
>>
>> --
>> Cheers
>> Res
>>
>> "Just a world that we all must share, it's not enough just to stand and
>> stare, is it only a dream that there'll be no more turning away" - Floyd
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>
>

From ssilva at sgvwater.com Tue Oct 31 16:53:19 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Oct 31 16:54:11 2006
Subject: MailScanner MailScanner-4.56.8-1 Issue
In-Reply-To: <099601c6fcf8$115c7a00$0502a8c0@CPQEVO>
References: <099601c6fcf8$115c7a00$0502a8c0@CPQEVO>
Message-ID:

Duncan Berriman spake the following on 10/31/2006 6:22 AM:
> Hi Scott,
>
> After your email I did a google for MailScanner Sendmail duplicate mail and
> found the answer. I changed the lock to flock (as per the notes in the
> MailScanner.conf) and so far things look good - no duplicates in 3 hours.
>
> Thanks for pointing me in the right direction I hadn't considered the
> sendmail/mailscanner configuration.
>
> Duncan
>
>
>>>
>> Are you using sendmail?
>> Which version?
>>
>>
>
>
That is the direction I was leaning. Glad you found it.
The newer versions of MailScanner state that in the comments of the .conf file.

# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "posix".
# For sendmail 8.12 and older, you will probably need to change it to flock,
# particularly on Linux systems.
# For Exim, it defaults to "posix".
# No other type is implemented.
Lock Type = posix

Also, if you use dovecot, make sure it is set to a compatible lock type. That
issue has also come up recently.

--

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Tue Oct 31 19:01:09 2006
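Added example, not part of any list message and not MailScanner's code: a Python demonstration of why a lock-type mismatch lets a second worker take a queue file that is already locked, as in the duplicate-delivery report above. It assumes Linux with a local filesystem, where flock() locks and POSIX fcntl() record locks do not see each other, and it assumes the `flock` and `posix` values of `Lock Type` correspond to those two calls; the temporary file stands in for a queue file.

```python
import fcntl
import subprocess
import sys
import tempfile

# Second worker, run as a separate process: try a non-blocking exclusive lock
# of the requested kind on the queue file and report the outcome as exit code.
_WORKER = r"""
import fcntl, sys
path, kind = sys.argv[1], sys.argv[2]
with open(path, "r+") as fh:
    try:
        if kind == "flock":
            fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)   # flock(2)
        else:
            fcntl.lockf(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)   # fcntl(2) record lock
    except OSError:
        sys.exit(1)   # someone else holds the lock: leave the file alone
sys.exit(0)           # lock acquired: this worker would process the file too
"""


def second_worker_gets_lock(holder_kind, worker_kind):
    """Return True if a second process can lock a file the first has locked.

    holder_kind / worker_kind are "flock" or "posix". True means both
    processes believe they own the file, which is the duplicate-processing
    condition.
    """
    with tempfile.NamedTemporaryFile("w+") as spool:
        spool.write("constructed queue file\n")
        spool.flush()
        if holder_kind == "flock":
            fcntl.flock(spool, fcntl.LOCK_EX)
        else:
            fcntl.lockf(spool, fcntl.LOCK_EX)
        # The holder keeps its lock for the whole lifetime of the worker.
        result = subprocess.run(
            [sys.executable, "-c", _WORKER, spool.name, worker_kind]
        )
        return result.returncode == 0


def lock_matrix():
    """Outcome for every holder/worker combination."""
    kinds = ("flock", "posix")
    return {(h, w): second_worker_gets_lock(h, w) for h in kinds for w in kinds}


if __name__ == "__main__":
    for (holder, worker), both_own in lock_matrix().items():
        verdict = "BOTH process the file" if both_own else "second worker backs off"
        print(f"holder={holder:5} worker={worker:5} -> {verdict}")
```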
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Oct 31 19:01:41 2006
Subject: dcc logs
In-Reply-To: <4545D649.7FBE.00FC.3@medicine.wisc.edu>
References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> <4545D649.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <45479D75.5010809@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can someone put this one in the wiki please!

Michael Masse wrote:
>
>>>> On 10/27/2006 at 5:56 PM, in message ,
>>>>
> Ugo
> Bellavance wrote:
>
>> Michael Masse wrote:
>>
>>> I see that the /var/dcc/log folder on my mailscanner machine is
>>>
> getting
>
>>> to be rather large. Do I need to keep these log files around for
>>> anything, or can I clean them out?
>>>
>>> Mike
>>>
>>>
>> Look in /var/dcc/dcc_conf for this line:
>>
>> DBCLEAN_LOGDAYS=
>>
>> I set it a two (you may set it lower).
>>
>> And make sure you run the cronjob that comes with dcc.
>>
>> /var/dcc/libexec/cron-dccd
>>
>
>
> Thanks for this. Mine was set to 14 days and it was definitely
> purging files older than 14 days old, but 14 days worth was still a gig
> of data. I've set it to two days now and it sits around 75 megs now
> which I can live with a little easier.
>
> Mike
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFR52OEfZZRxQVtlQRAjNBAJ9aVQA6FvMhwvWzXIVjCePFOMQp0ACg9WCt
ZN2jpRcZq9KSq7lwGuX6Hg8=
=pMho
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Tue Oct 31 19:00:28 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Oct 31 19:01:47 2006
Subject: Spam Detection Around 55%
In-Reply-To: <4546297C.5080502@evi-inc.com>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com>
Message-ID: <45479D4C.8090107@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Kettler wrote:
> Julian Field wrote:
>
>>>> The existing file assumes:
>>>>
>>>> you have DCC and pyzor installed, and have enabled their plugins
>>>> you don't use NFS, so flock is safe
>>>> you have working DNS (likely, but not always true)
>>>> you don't want to use the AWL.
>>>>
>>>> The last 3 are probably safe for 99% of sites, but the NFS bit could really bite
>>>> someone in the butt.
>>>>
>>>>
>> I set them to sensible values that will be correct for 99% of my users,
>> particularly the less knowledgeable ones. I don't know anyone who runs a
>> mail server with no dns, it would make lots of things rather hard. If
>> you run a mail server with no dns successfully, you probably know enough
>> to be able to tweak 1 config file.
>>
>> You are quite entitled to your opinions, and you are quite entitled to
>> edit the config files too. They aren't rules, they are just a starting
>> point for your own edits.
>>
>> I'm not going to get into an argument over this, it's a straight
>> difference of opinion. You have your view, I have mine. Let's just agree
>> to disagree.
>>
>
>
> I will readily agree to disagree on the DNS and AWL ones. It's purely an opinion
> matter.
>
> The NFS one, well.. fine, call it an opinion matter. But don't claim you're
> doing it because you want to make things easier for the less knowledgeable.
> You're doing it to get better performance for 99.9% of setups, and considering
> the NFS users to be experts. You're willing to accept the trade of screwing over
> a less knowledgeable person who inherits a NFS setup.
Which is fine by me, but
> let's be realistic. This is a performance tweak, not a ease-of-use tweak.
>
>
> That said, I will ask you to consider commenting out the DCC statements. By
> default, straight out of the box, SA doesn't 3.1.x support this command because
> the DCC plugin isn't loaded by default. Therefore this causes parse errors, and
> doesn't belong.
>
But if you read the instructions printed at the end of the install, it
tells you to uncomment the DCC statement in init.pre. It doesn't do it
automatically as this would break the licence.
> Which is of course, what triggered my reply in the first place. The dcc_path
> statement was causing parse errors. That's bad. It breaks RDJ.
>
And, as the RDJ setup instructions from www.fsl.com/support tell you to
do, you should run the RDJ once by hand to get the initial rulesets and
check everything's okay. If you didn't follow the earlier instructions,
this will highlight the dcc_path error for you, allowing you to either
comment out the dcc_path line or re-read the earlier instruction
printing by my install script.

Maybe we should have a wiki page that lists all the things that you and
I disagree on :-)

Just I've never had a complaint sent to me by a user who's really had
problems figuring out my instructions and has been badly bitten by all
these things. I just put my feet in the shoes of a particular kind of
user, one that barely knows what they are doing, who runs a little box
for him/herself and a few customers/friends and who loves to have
instructions telling them what to do.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFR52LEfZZRxQVtlQRApzRAJ0aWnKtJRBCcRDhQPnM8RtwEuZrkwCfflZj
rRXLFfRjDOAFXq90XJIZdbw=
=IHbS
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Tue Oct 31 19:03:34 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Oct 31 19:03:43 2006
Subject: FuzzyOcr Unexpected error only with MailScanner
In-Reply-To: <229A346E44379140A59A48951B56E0C00260CE64@ARLABML01.DS.ARL.ARMY.MIL>
References: <229A346E44379140A59A48951B56E0C00260CE64@ARLABML01.DS.ARL.ARMY.MIL>
Message-ID: <45479E06.8070007@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please can you send me off-list more details of this problem!

Kash, Howard (Civ, ARL/CISD) wrote:
> Beware, there is a bug in the 4.57 version that causes it to not properly detect silent viruses if you have "Max Spam Check Size" set too low. As far as I know, it hasn't been fixed yet. It properly stops the virus, but sends a stripped message to the recipient anyway.
>
>
> Howard
>
>
> ________________________________
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dominique Marant > Sent: Monday, October 30, 2006 8:03 AM > To: MailScanner discussion > Subject: FuzzyOcr Unexpected error only with MailScanner > > > I sent my problem FuzzyOcr in the devel-spam list. > It seems that FuzzyOcr fails because MailScanner truncates emails for spamassassin. > How to configure MailScanner for the best compromise ? > Perhaps it would be interesting to create a new variable "Max SpamAssassin OCR Size" for size of inserted or attached images ? > > What do you think of it ? > > Dominique > > > > Dominique Marant wrote: > > > > Yes, I'm using MailScanner > > > > Mailscanner truncates emails which exceed a given size specified in > their config. They also truncate inside attachments, leading to "half" > images, which are to be considered as corrupt. jpegtopnm cannot handle > these and will fail. This is not a problem of FuzzyOcr but MailScanner's. > > > Best regards, > > > Chris > > > > > > > regards Dom > > > > > > decoder wrote: > > > > Dominique Marant wrote: > > > > > >>>> I use FuzzyOcr with SA 3.1.7 > >>>> > >>>> In FuzzyOcr.log, I have a lot of error messages like : > >>>> > >>>> [2006-10-30 08:54:30] Unexpected error in pipe to external > >>>> programs. Please check that all helper programs are installed > >>>> and in the correct path. (Pipe Command "/usr/bin/jpegtopnm", > >>>> Pipe > > > > exit code > > > >>>> 2 (""), Temporary file: "/tmp/.spamassassin18742sUMUDptmp") > >>>> > >>>> How to fix this problem ? > >>>> > > > > Are you using third party applications such as mailscanner? > > > > Best regards, > > > > Chris > > > > > > > >>>> Regards, Dom > >>>> > >>>> ______________ > > > Another reply : > --------------------------------------- > > > looks like Mailscanner is the issue (according to decoder's mail). Amavis > works perfect, maybe you could consider it. 
> > rgds, > Joseph > > --------------------------------------- > > > Dominique Marant a ?crit : > > Hello > > I installed FuzzyOcr (debian / MailScanner / Spamassassin) > > It seems to running : > for example : > ... is polluriel, SpamAssassin (not cached, score=19.202, requis 7, autolearn=disabled, FUZZY_OCR 14.00, HTML_10_20 0.94, HTML_IMAGE_ONLY_28 1.01, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_IN_SORBS_DUL 1.99, RCVD_NUMERIC_HELO 1.25) > > But in FuzzyOcr.log, I see : > > > # more FuzzyOcr.log > [2006-10-24 16:36:42] Unexpected error in pipe to external programs. > Please check that all helper programs are installed and in the correct path. > (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin2537050jAY2tmp") > [2006-10-24 16:37:47] Unexpected error in pipe to external programs. > Please check that all helper programs are installed and in the correct path. > (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin25926yhpqsstmp") > [2006-10-24 16:41:32] FuzzyOcr received timeout after running "10" seconds. > [2006-10-24 16:42:33] Unexpected error in pipe to external programs. > Please check that all helper programs are installed and in the correct path. > (Pipe Command "/usr/bin/jpegtopnm", Pipe exit code 2 (""), Temporary file: "/tmp/.spamassassin28372mzT0dZtmp") > ... > > Could you help me ? > > > Many thanks in advance > Dominique > > > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj4DBQFFR54KEfZZRxQVtlQRAuweAJYw1aCx7/jcd7cGCJf3PZDFKR1dAKDgdu2O xWP9KBf5vvdSf8bkqOPZdA== =gVt4 -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Tue Oct 31 19:08:38 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 31 19:11:36 2006 Subject: Need to reject null characters In-Reply-To: References: Message-ID: <45479F36.5000309@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I should be able to do this with a simple custom virus scanner plugged in to MailScanner. If you want me to write it for you, and are prepared to pay me to do so, I can do this. Get in touch off-list if you want to progress this at all. Regards, Jules. Douglas Ward wrote: > I need to configure MailScanner or Spamassassin to reject any e-mails > with null characters in them. We are getting null character spams > occasionally which fouls up our imap users (checking their mailboxes > through squirrelmail). I know that postfix has a handy command for > this in 2.3 but cannot upgrade to it (due to a long and tortuous > Mandriva 2007 upgrade problem). Is there another way to configure > this? If not, could we request it as additional functionality in a > future version of MailScanner? Any advice would be most appreciated. > Thanks! Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFR5/jEfZZRxQVtlQRAm0pAKDg6Hfgwp68WHT4YBJrcTmHd3o/hACgziFN vT1CNSlVl4iZlaeZSbt199k= =7zIo -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Tue Oct 31 19:15:40 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 31 19:16:36 2006 Subject: SPF Scans on outgoing mail In-Reply-To: <008d01c6fc73$c6008800$7c0fa8c0@Sue> References: <008d01c6fc73$c6008800$7c0fa8c0@Sue> Message-ID: <4547A0DC.2090903@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I ended up setting up an SPF record which effectively says nothing about who can send mail as us from anywhere. It was the only practical solution to our environment where we have large numbers of travelling academics, often using hotel networks which don't allow VPN traffic, or hijack SMTP connections to the hotel's ISP's own mail servers so you cannot stop the email appearing to originate from outside our network. SPF is just not practical for us, so I had to work around it. Check the SPF record for ecs.soton.ac.uk if you want to see how to do it. Josh Dayberry wrote: > For some reason when someone sends an e-mail (including myself) with smtp > auth, the e-mail is scanned, then sent to the recipient, the SPF tests will > fail on my server's copy of mailscanner because the e-mail appears to be > from the users computer not the server, but after the e-mail has been > delivered to another server, it no longer appears as being sent from only > the users computer so the SPF tests pass. > > The SPF tests are my primary concern because they are the greatest source of > false positives, but ultimately I would rather just not scan e-mails sent > from users who have authenticated. > > Thanks again, > Josh Dayberry > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman > Sent: Monday, October 30, 2006 5:21 PM > To: MailScanner discussion > Subject: Re: SPF Scans on outgoing mail > > Josh Dayberry wrote: > >> Here is my problem. I have many mobile users of my server. When they >> send e-mail their e-mail fails the SPF tests and their IP is submitted >> for RBL tests and things of that sort. However, all users with the >> ability to send e-mail on my server should not have their e-mail >> scanned at all. Unfortunately I haven't been able to figure out how to >> stop MailScanner from scanning e-mail received from users who >> authenticate. Any ideas would be appreciated. >> >> Josh Dayberry >> >> josh@thematthewsgroup.com >> >> > The mobile users aren't using your server; they're using someone else's > server to send out e-mail that should be going out of your server. > > Your SPF record is showing the following: > > "v=spf1 a mx -all" > > Which means only your MX's are allowed to send mail out as > thematthewsgroup.com; if your users are *actually* connecting to your > server, and they're authenticating themselves properly (not using > POP-before-SMTP but *actual* SMTP AUTH), then your SPF checks should > work, in theory. All of mine do. > > What are you using for SPF? In the meantime you can add "~all" instead > of "-all" to mitigate (not eliminate) the problem while you find out > what's wrong. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: windows-1252 wj8DBQFFR6EPEfZZRxQVtlQRAhsTAKCpfk8DZ08Q42tQxN+VpgxePw7VUACeJ90G c1pcQv7YEpG9Irl0pyeDpsg= =ypII -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Tue Oct 31 19:17:22 2006 
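The SPF behaviour discussed in the "SPF Scans on outgoing mail" thread above, as an added example that is not part of any poster's message: a small Python evaluator for a subset of SPF (a, mx, ip4/ip6, all) showing how the same sender gets fail, softfail or neutral depending on the "all" qualifier and on which connecting IP the checking server sees. The domain, the addresses, the inline DNS table and the "v=spf1 ?all" record are constructed assumptions, not the published records of any domain named in the thread.

```python
import ipaddress

# Constructed DNS data: an example domain and RFC 5737 documentation addresses.
DNS = {
    "example.org": {"A": ["192.0.2.10"], "MX": ["mail.example.org"]},
    "mail.example.org": {"A": ["192.0.2.25"]},
}

# SPF qualifier prefix -> result returned when the mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a(name):
    """Addresses of a host name in the constructed DNS table."""
    return [ipaddress.ip_address(a) for a in DNS.get(name, {}).get("A", [])]


def _mx(domain):
    """Addresses of all MX hosts of a domain in the constructed DNS table."""
    return [ip for host in DNS.get(domain, {}).get("MX", []) for ip in _a(host)]


def check_spf(record, client_ip, domain):
    """Evaluate an SPF record left to right; the first matching mechanism wins.

    Subset only: a, mx, ip4, ip6 and all. CIDR suffixes on a/mx, include,
    exists, ptr and macros are reported as "permerror" rather than guessed.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if "=" in name:
            continue  # modifiers (redirect=, exp=) are not evaluated here
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in _a(arg or domain)
        elif name == "mx":
            matched = ip in _mx(arg or domain)
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        else:
            return "permerror"
        if matched:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and there was no "all" term


def compare_policies(roaming_ip="203.0.113.77", own_mx_ip="192.0.2.25"):
    """Same sender domain, three records, two vantage points.

    "roaming client" is what a filter sees when it checks the IP of a user
    submitting from a hotel network; "own MX" is what the next hop sees once
    the domain's own server relays the message.
    """
    records = {
        "-all": "v=spf1 a mx -all",   # record quoted in the thread
        "~all": "v=spf1 a mx ~all",   # the interim mitigation suggested
        "?all": "v=spf1 ?all",        # assumed form of a record that asserts nothing
    }
    return {
        label: {
            "roaming client": check_spf(rec, roaming_ip, "example.org"),
            "own MX": check_spf(rec, own_mx_ip, "example.org"),
        }
        for label, rec in records.items()
    }


if __name__ == "__main__":
    for label, outcome in compare_policies().items():
        print(label, outcome)
```

Only the vantage point differs between the two columns, which is why a filter that checks the submitting client's address scores the message differently from the server that receives it after relaying.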
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 31 19:21:36 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: References: Message-ID: <4547A142.5030204@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cheng Bruce wrote: > Dear all, > > I am starting to use mailscanner with mailwatch, recently get a lot of > spams going through my mail server which are treated as no-spam. > They have legitimate helo, sender , domains and so on. And they passed > the RBL which I set in "spam list" of mailcanner. > If I can review the messages like SPAM, I can add some rules in my > server to block them. > > by the way, is it possible to release the none-spam message as > original messages to users but not included in the message ? > > When our vendor send the update file (*.bpl) to us, it was blocked. I > don't know how to release this rule, because I only can do is remark > "deny executable No executables No programs allowed" > this line in "/etc/MailScanner/filetype.rules.conf". > > Would you please advise me how to do it ? What does the "file" command output when given one of the *.bpl files? Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFR6I7EfZZRxQVtlQRAjK1AJ9yQIwaD3DL9qjZaP3uHRI//FHzwQCg3L+G ysz/3TXUmmGo1I2nSjqNwfI= =MPAB -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Tue Oct 31 19:19:08 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 31 19:21:43 2006 Subject: OT may be: how to limit size of FuzzyOcr.log? In-Reply-To: <454688F7.2090405@nkpanama.com> References: <00f101c6fc77$bc3649a0$3701a8c0@lapxp> <454688F7.2090405@nkpanama.com> Message-ID: <4547A1AC.8020203@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Neuman wrote: > Arthur Sherman wrote: >> Howdy, >> >> It grows up to 24MB now, and I want to keep it quiet, or at least >> limit him >> in size. >> >> Has anyone done this? >> >> Thanks! >> >> >> Best, >> >> -- >> Arthur Sherman >> >> +972-52-4878851 >> CPTeam >> > How about running a weekly cron script that does "cat /dev/null > > /path/to/your/fuzzyocr.log"? A shorter command that achieves the same thing is the lovely smiley command :> /path/to/your/fuzzyocr.log ':' is the null command. It does nothing and produces null output. The '>' redirects that null output to the following filename, so that ':>file' wipes the contents of "file". Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFR6I9EfZZRxQVtlQRArWBAKCHVjbk+25VrqlOuCgskpp+6SH2IgCgtV9l KXh+v+ZEGk/oVlZsxa4XVeg= =H/5A -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Tue Oct 31 19:21:29 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 31 19:21:48 2006 Subject: Need to reject null characters In-Reply-To: <4546D5B3.7050607@pronet.co.nz> References: <4546D5B3.7050607@pronet.co.nz> Message-ID: <4547A239.4040509@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Brent Addis wrote: > What do you mean by null characters? > > Do you mean <> ? > > I wouldn't recommend doing this at the MTA level as it tends to break > sender callout checks (Assuming you ended up upgrading postfix) > > I'm sure your users will get mighty annoyed when they find mail not > being delivered. > > Plus it's in the RFCs that you should accept these, and we all follow > the RFCs, right? > > If you're not meaning <> as null, forget my posting. If you are getting lots of messages from <> then you need "milter-null" from www.snertsoft.com. It will entirely eliminate this problem. Fantastic software! > > :) > > > > Douglas Ward wrote: >> I need to configure MailScanner or Spamassassin to reject any e-mails >> with null characters in them. We are getting null character spams >> occasionally which fouls up our imap users (checking their mailboxes >> through squirrelmail). I know that postfix has a handy command for >> this in 2.3 but cannot upgrade to it (due to a long and tortuous >> Mandriva 2007 upgrade problem). Is there another way to configure >> this? If not, could we request it as additional functionality in a >> future version of MailScanner? Any advice would be most appreciated. >> Thanks! > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFR6I+EfZZRxQVtlQRAkiLAKDEZ4jaG+zP8LQQ4KuLD2JmKT6EsACffvg+ nBhpo3J/XD0ZSeLMIFQ1wIc= =XS+Q -----END PGP SIGNATURE----- From marc at marcsnet.com Tue Oct 31 19:22:44 2006 
From: marc at marcsnet.com (Marc Lucke) Date: Tue Oct 31 19:23:09 2006 Subject: MailScanner as mail proxy In-Reply-To: <45473163.2080805@marcsnet.com> References: <45473163.2080805@marcsnet.com> Message-ID: <4547A284.50604@marcsnet.com> Thank you both Steve & Michele - I'll look at those milters. I'm particularly happy for the recommendation and am not unhappy to pay for a well written product. Marc Marc Lucke wrote: > Hi list, > > I know this is getting off topic. I know enough about sendmail to be > 99% sure that this question should be on their list. But any help, > ideas or feedback would be welcome. I'm guessing the MailScanner > community would have come across my problem on more than 1 occasion. > > I run MailScanner on a remote machine to my actual mailserver. In > other words all mail is relayed via the Mailscanner box. This is to > stop viruses and spam on the mailserver I have to run which is very > limited in such defenses. It all works great, apart from one annoying > problem: if someone sends to an unknown email account (as oft occurs) > the MailScanner proxy (for want of a better way to describe it as I'm > using it) first accepts the email, attempts delivery, cannot deliver > and then tries to notify the sender who doesn't exist. So I'm > lumbered with a billion postmaster non-delivery emails. I'm keeping > up with this quite well, but I'm scared I'll miss a legitimate message > because it's buried in garbage. > > Is there anything I can do to get anything in MailScanner to check > with my destination email server that the actual account exists before > accepting the email in the first place? > > > Marc From ssilva at sgvwater.com Tue Oct 31 20:01:18 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 31 20:04:46 2006 Subject: Spam Detection Around 55% In-Reply-To: <45479D4C.8090107@ecs.soton.ac.uk> References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 10/31/2006 11:00 AM: > > > Matt Kettler wrote: >>> Julian Field wrote: >>> >>>>>> The existing file assumes: >>>>>> >>>>>> you have DCC and pyzor installed, and have enabled their plugins >>>>>> you don't use NFS, so flock is safe >>>>>> you have working DNS (likely, but not always true) >>>>>> you don't want to use the AWL. >>>>>> >>>>>> The last 3 are probably safe for 99% of sites, but the NFS bit could really bite >>>>>> someone in the butt. >>>>>> >>>>>> >>>> I set them to sensible values that will be correct for 99% of my users, >>>> particularly the less knowledgeable ones. I don't know anyone who runs a >>>> mail server with no dns, it would make lots of things rather hard. If >>>> you run a mail server with no dns successfully, you probably know enough >>>> to be able to tweak 1 config file. >>>> >>>> You are quite entitled to your opinions, and you are quite entitled to >>>> edit the config files too. They aren't rules, they are just a starting >>>> point for your own edits. >>>> >>>> I'm not going to get into an argument over this, it's a straight >>>> difference of opinion. You have your view, I have mine. Let's just agree >>>> to disagree. >>>> >>> >>> I will readily agree to disagree on the DNS and AWL ones. It's purely an opinion >>> matter. >>> >>> The NFS one, well.. fine, call it an opinion matter. But don't claim you're >>> doing it because you want to make things easier for the less knowledgeable. >>> You're doing it to get better performance for 99.9% of setups, and considering >>> the NFS users to be experts. 
You're willing to accept the trade of screwing over >>> a less knowledgeable person who inherits a NFS setup. Which is fine by me, but >>> let's be realistic. This is a performance tweak, not a ease-of-use tweak. >>> >>> >>> That said, I will ask you to consider commenting out the DCC statements. By >>> default, straight out of the box, SA doesn't 3.1.x support this command because >>> the DCC plugin isn't loaded by default. Therefore this causes parse errors, and >>> doesn't belong. >>> > But if you read the instructions printed at the end of the install, it > tells you to uncomment the DCC statement in init.pre. It doesn't do it > automatically as this would break the licence. >>> Which is of course, what triggered my reply in the first place. The dcc_path >>> statement was causing parse errors. That's bad. It breaks RDJ. >>> > And, as the RDJ setup instructions from www.fsl.com/support tell you to > do, you should run the RDJ once by hand to get the initial rulesets and > check everything's okay. If you didn't follow the earlier instructions, > this will highlight the dcc_path error for you, allowing you to either > comment out the dcc_path line or re-read the earlier instruction > printing by my install script. > > Maybe we should have a wiki page that lists all the things that you and > I disagree on :-) > Just I've never had a complaint sent to me by a user who's really had > problems figuring out my instructions and has been badly bitten by all > these things. I just put my feet in the shoes of a particular kind of > user, one that barely knows what they are doing, who runs a little box > for him/herself and a few customers/friends and who loves to have > instructions telling them what to do. > > Jules > Julian, I agree with you completely. IMHO it is easier for a seasoned admin to just skip the extra steps than for a newbie to know what to do next. 
I think your defaults are the best compromise to keep a badly FSCKed up machine from becoming someone's spam zombie. I am happy to have a few less of them firing blindly at me! ;-) Besides, you are root when it comes to MailScanner, and you get to implement what you want and cut what you don't like. We happy and thankful admins just work with what we are given, and adjust things to suit our environment. If someone wants hand holding through every step, they should just contact Fortress Systems and set up a contract and buy something with all that included. You have created, IMHO, a real "bangers and mash" product that competes with and beats most everything out there! It is easy to get started with, and so highly customizable that the only thing it won't do yet is make coffee. "Beggars cannot be choosers!" -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From matt at coders.co.uk Tue Oct 31 21:11:17 2006 
From: matt at coders.co.uk (Matt Hampton) Date: Tue Oct 31 21:11:48 2006 Subject: OT: milter-link In-Reply-To: <4547530E.9010409@fsl.com> References: <45474C15.3080704@coders.co.uk> <4547530E.9010409@fsl.com> Message-ID: <4547BBF5.6040206@coders.co.uk> Steve Freegard wrote: > Hi Matt, > > Matt Hampton wrote: >> (Antony seems to have the exact opposite approach to thinking to me ;-)) > > I've had similar discussions with him.... Logic is somewhat screwed: Email domains I relay for I don't want to scan...... > 2) Use tagged access map entries (e.g. Connect:, From:, To: -- you > should probably be doing this anyway soon as the untagged forms are > deprecated and will disappear from Sendmail eventually), so your > example.com would probably change to To:example.com RELAY or > Connect:example.com RELAY - in which case at the top of the access map > you can add: milter-link-To: SKIP or milter-link-Connect: SKIP. Actually it was a bit of a combination - the email domain I was testing from was also in the access map - so it was being whitelisted from the sending address. This explains why milter-link-To:example.com failed! Head, wall, banging, of, lots - re-arrange! I have moved all of my access map over to the To: format (I love having all of my maps generated from a database - just an update on the database and 10 minutes later it has propagated to all of my servers :-) ) cheers for the pointer Matt (PS Haven't forgot your feature request - have been snowed under in the real world....) From ugob at camo-route.com Tue Oct 31 21:15:29 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Tue Oct 31 21:16:19 2006 Subject: dcc logs In-Reply-To: <45479D75.5010809@ecs.soton.ac.uk> References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> <4545D649.7FBE.00FC.3@medicine.wisc.edu> <45479D75.5010809@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Can someone put this one in the wiki please! I'll try to do it if I can find some time. BTW I think this only happens when one uses dccifd. Correct me if I'm wrong but if you're only using dccproc, you don't have those logs... From gmourani at privalodc.com Tue Oct 31 21:26:23 2006 
From: gmourani at privalodc.com (Gerhard Mourani) Date: Tue Oct 31 21:26:35 2006 Subject: Removing X Headers In-Reply-To: <223f97700610310714i2b389bf9ybb628d3ec11ce2ae@mail.gmail.com> References: <4665.70.82.58.187.1162306647.squirrel@webmail.privalodc.com> <223f97700610310714i2b389bf9ybb628d3ec11ce2ae@mail.gmail.com> Message-ID: <2673.70.82.58.187.1162329983.squirrel@webmail.privalodc.com> Thanks for your reply, yes you're right, I've space in the name of the company. G > On 31/10/06, Gerhard Mourani wrote: >> Hello list, >> >> Every time I receive an email, Mailscanner add X-%org-name%-MailScanner: >> and similar X headers lines into the BODY!! of the message. What I need >> to >> do to remove the X header lines to appear into the body of the message? >> >> Gerhard, >> > it shouldn't do that. > Your %org name is valid, I presume (no spaces or other characters that > aren't allowed in a header)? > If that is OK, I'd look long and hard at what precedes them... After > all, all that separates the headers from the body is a single blank > line:-). > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- PrivalODC Cel: (514) 726-3766 Tel: (450) 761-9973 ext 634 This e-mail message and all attached documents are intended exclusively for the person or entity named in the recipient field; it may contain confidential or privileged information under applicable law. No other person may have access to it. 
If you are not the intended recipient, we hereby notify you that disclosing, distributing, copying or using its contents is strictly prohibited. Please notify the sender immediately by return e-mail and delete this message from your system. Any distribution or reproduction of this document, and any action taken in reliance on it, is strictly prohibited. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From marc at marcsnet.com Tue Oct 31 22:42:47 2006 From: marc at marcsnet.com (Marc Lucke) Date: Tue Oct 31 22:43:10 2006 Subject: MailScanner as mail proxy In-Reply-To: References: Message-ID: <49741.61.29.41.174.1162334567.squirrel@webmail.marcsnet.com> > > I highly recommend it in its latest version, smf-sav v1.4.0. Not only can > it be used for recipient verification, it can also do sender verification. > Earlier versions had some significant drawbacks, but I now run this > version on a production server and find it extremely useful for SAV and > RAV. If you want any help offline, please feel free to contact me. The > developer, Eugene Kurmanin, is also extremely helpful and responsive (even > helping me get it running on an ancient RedHat 6.1 box that it was never > intended to be compiled on). > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service This sounds really good, Jim. Thanks for the tip. I'll have a look :-) From ugob at camo-route.com Tue Oct 31 22:52:11 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Tue Oct 31 22:53:03 2006 Subject: dcc logs In-Reply-To: <45479D75.5010809@ecs.soton.ac.uk> References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> <4545D649.7FBE.00FC.3@medicine.wisc.edu> <45479D75.5010809@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Can someone put this one in the wiki please! Done http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:dcc:maintenance I put a link in the dccifd install instructions. From shuttlebox at gmail.com Tue Oct 31 23:20:47 2006 From: shuttlebox at gmail.com (shuttlebox) Date: Tue Oct 31 23:20:50 2006 Subject: dcc logs In-Reply-To: References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> <4545D649.7FBE.00FC.3@medicine.wisc.edu> <45479D75.5010809@ecs.soton.ac.uk> Message-ID: <625385e30610311520w48b58dfcod6adca5e88e4a542@mail.gmail.com> On 10/31/06, Ugo Bellavance wrote: > I'll try to do it if I can find some time. BTW I think this only > happens when one uses dccifd. Correct me if I'm wrong but if you're > only using dccproc, you don't have those logs... That's correct. -- /peter