From res at ausics.net Fri Sep 1 00:04:46 2006
From: res at ausics.net (Res)
Date: Fri Sep 1 00:06:07 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References:
Message-ID:

On Thu, 31 Aug 2006, Brett Charbeneau wrote:

> I *did* try to upgrade sendmail, but there's an upstream problem with
> the package, so I was able to downgrade back.
> I let apt-get (this is in Debian) deal with the binaries, but I did
> check the conf files and they all reverted.

This is why I have never liked these "pre packaged" packages, be it .deb
or .rpm. On serious requirements like kernel, apache, sendmail, bind and so
on I always use the real versions, not my OS's packager's preferred.
far far far less hassles doing it that way.

Also many many years ago I was bitten by a frigged up RH rpm update of a
kernel that passed package verification, it was only on the update sites
for a few hours but that was enough to destroy the sleep of a few ppl.

> and I'm mounting this as a separate partition in fstab like so:
>
> /dev/sda3 /tmp ext3 defaults 0 2

As this is ext3 and not a swap I'd change that 0 to a 1 so its dumps

> I'm seriously considering going this route and effectively starting over
> with the MS install.

takes only a few minutes :) for both MS and Sendmail

> R> Check Sendmail Dir perms:
> R> drwxrwx--- 2 smmsp smmsp 4096 2006-08-31 08:45 clientmqueue/
> R> drwxr-xr-x 2 root root 4096 2006-08-31 08:45 mqueue/
> R> drwxr-x--- 2 root bin 4096 2006-08-31 08:45 mqueue.in/
>
>
> Okay, now this should be interesting.
> Here's what I got:
>
> drwxr-s--- 2 smmta smmsp 28672 Aug 31 09:22 mqueue
> drwxrws--- 2 smmsp smmsp 4096 Aug 31 09:16 mqueue-client
> drwxr-x--- 2 root bin 61440 Aug 31 09:22 mqueue.in

yes, more vendor specific mutilation, ew yukky

>
> R> I also strongly suggest that you should upgrade, 4.51 is rather old
> R> and many of us may be trying to offer suggestions based on later releases.
> R> (like my display info above, can't recall when that was changed)
>
> Debian *is* quite conservative on what it considers "stable". For the
> most part I agree with them, but I should probably consider installing MS from a
> tarball instead...

Good Idea :)

--
Cheers
Res
Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Fri Sep 1 00:15:10 2006
From: res at ausics.net (Res)
Date: Fri Sep 1 00:15:47 2006
Subject: OT: Sendmail forwarding envelope trick?
In-Reply-To:
References:
Message-ID:

On Thu, 31 Aug 2006, Travis Taylor wrote:

>
> This is a bit off topic, but thought I'd throw it out here. Maybe someone
> got an idea why this happened or where I might post this to figure it out.
>
> One of our MailScanners received a message from a mail forwarding account on
> yahoo to one of our clients. After scanning it, it attempted to deliver it
> to the internal mail server. It was refused because of the domain
> "bumeran.com.br", which should have been refused on the MailScanner box
> originally. Upon checking the logs, the envelope address used was
> "rrhhbr6.bumeran.com", not "bumeran.com.br" I did a quick google, but did
> not find anything relevant. How is this possible? Anyone got any ideas?

log on to the front line box in question, use lynx to pop over to
its.ausics.net and use the open relay tester. if it accepted mail for a
non local domain chances are it might be open relay, but yes this is OT,
and i suggest you try comp.mail.sendmail

--
Res

From ssilva at sgvwater.com Fri Sep 1 00:21:06 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 1 00:23:43 2006
Subject: MailScanner hangs once a day
In-Reply-To: <44F68BBE.1070900@treelogic.com>
References: <44F68BBE.1070900@treelogic.com>
Message-ID:

Sergio García Caso spake the following on 8/31/2006 12:11 AM:
> - I cycle my syslog every day.
>> - Syslog continues running after MailScanner hangs.
>> - In /var/spool/MailScanner/incoming/ there are several dirs with mail
>> files. There is another file too called 'SpamAssassin.cache.db'.
>> - In /var/spool/MailScanner/spamassassin/ there are several files called
>> 'bayes....' (for example: 'bayes_toks.expire10031',
>> 'bayes_toks.expire20819')
>> - I use the virus scanner ClamAV 0.88.4
>> - I use SpamAssassin 3.1.3
>> - I use Postfix 2.3 and it continues running after MailScanner hangs
>>
>
>> I wonder if there is a bayes expire problem here.
>> Could you give your settings for the following;
>
>> # To avoid resource leaks, re-start periodically
>> Restart Every = 7200
>
>> Rebuild Bayes Every = 86400
>
>> Wait During Bayes Rebuild = yes
>
> I have the next values for these parameters:
>
> * Restart Every = 14400 (it runs OK)
>
> * Rebuild Bayes Every = 0
>
> * Wait During Bayes Rebuild = no
>
> I tried 'Wait During Bayes Rebuild = yes' but MailScanner hangs too.
>

Then your bayes may never be rebuilt. Since you have the restart at 14400
(once a day) try it at half that and see if it changes the pattern of
lockups. Maybe you are getting some sort of memory leak, and re-starting
more often might fix it.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From zenith.tang at gmail.com Fri Sep 1 04:04:15 2006
From: zenith.tang at gmail.com (Zenith Tang)
Date: Fri Sep 1 04:04:20 2006
Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0
Message-ID: <6026a0ab0608312004r7a8fa0abw52f4d74b4c2bd7e1@mail.gmail.com>

After I upgraded the Interscan Viruswall from 5.0 to 6.0, the MailScanner
is not able to use Trend to scan virus. The 5.0 version uses vscan command
to scan virus, but 6.0 does not have this command. It seems that the 6.0
version is not compatible with MailScanner. Does anyone know how to make
MailScanner able to use 6.0 to scan virus? Thanks!

From martinh at solidstatelogic.com Fri Sep 1 09:03:41 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Sep 1 09:03:56 2006
Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0
In-Reply-To: <6026a0ab0608312004r7a8fa0abw52f4d74b4c2bd7e1@mail.gmail.com>
References: <6026a0ab0608312004r7a8fa0abw52f4d74b4c2bd7e1@mail.gmail.com>
Message-ID: <44F7E95D.9040805@solidstatelogic.com>

Zenith Tang wrote:
> After I upgraded the Interscan Viruswall from 5.0 to 6.0, the MailScanner
> is not able to use Trend to scan virus. The 5.0 version uses vscan
> command to scan virus, but 6.0 does not have this command. It seems
> that the 6.0 version is not compatible with MailScanner. Does anyone
> know how to make MailScanner able to use 6.0 to scan virus? Thanks!
>

in /opt/MailScanner/lib/ (or /lib/MailScanner I think on an RPM based
install) you'll see two trend* files...

trend-wrapper
trend-autoupdate

you'll need to alter both to cope with V6.0

I don't know if Jules has a copy of Trend, but if you have a spare
licence to give him for development I'm sure he'd appreciate it..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From glenn.steen at gmail.com Fri Sep 1 09:10:41 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 1 09:10:43 2006
Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0
In-Reply-To: <6026a0ab0608312004r7a8fa0abw52f4d74b4c2bd7e1@mail.gmail.com>
References: <6026a0ab0608312004r7a8fa0abw52f4d74b4c2bd7e1@mail.gmail.com>
Message-ID: <223f97700609010110t3feafbe1m3c0c2c039a893f94@mail.gmail.com>

On 01/09/06, Zenith Tang wrote:
> After I upgraded the Interscan Viruswall from 5.0 to 6.0, the MailScanner
> is not able to use Trend to scan virus. The 5.0 version uses vscan command
> to scan virus, but 6.0 does not have this command. It seems that the 6.0
> version is not compatible with MailScanner. Does anyone know how to make
> MailScanner able to use 6.0 to scan virus? Thanks!

Disclaimer: I don't use trend, but...

Questions:
Does 6.0 install to the directory expected in virus.scanners.conf (third
column)?
Is that really the "correct" product? Seems to me that the package
including the "on-demand" scanning is the ServerProtect one... However
(looking at the downloaded trial I just got) there seems to be an
isw-scan utility... Might be one needs to just tweak the wrapper a
bit:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From P.G.M.Peters at utwente.nl Fri Sep 1 09:15:35 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Fri Sep 1 09:15:51 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl>
Message-ID: <44F7EC27.2020903@utwente.nl>

Brett Charbeneau wrote on 31-8-2006 19:47:
> On Thu, 31 Aug 2006, Logan Shaw wrote:
>
> LS> That doesn't look like quite the right command to me. Should be
> LS> this instead, I think:
> LS>
> LS> sendmail -bp -OQueueDirectory=/var/spool/mqueue.in
>
> Ah - NOW I get output.
> Man, *lots* of mismatched pairs. Like
>
>
> k7UBtv0q020039readqf: cannot open ./dfk7UBtv0q020039: No such file or directory
> -1 Wed Aug 30 07:56
> 8BITMIME
>
> I need to look into this sendmail parameter. Not used it before...

This indicates there is a qf-file with the information but no
accompanying df-file. You can remove the qf-file. I have this too.
Sometimes.

--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From P.G.M.Peters at utwente.nl Fri Sep 1 09:29:42 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Fri Sep 1 09:29:47 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To:
References: <44F59F21.3010707@utwente.nl> <223f97700608300810p400db0b0g80946f0d6a5a4760@mail.gmail.com> <44F6E368.7010300@utwente.nl> <44F717D4.5040305@coders.co.uk>
Message-ID: <44F7EF76.9040204@utwente.nl>

Brett Charbeneau wrote on 31-8-2006 21:07:
> MH> You have checked that the Lock Type is correct.
>
> This is a sendmail machine,
>
> Lock Type =

What sendmail version?

--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From Andreas.Doerfler at kempten.de Fri Sep 1 07:53:03 2006
From: Andreas.Doerfler at kempten.de (Dörfler Andreas)
Date: Fri Sep 1 10:30:55 2006
Subject: problem with recive mail from gmx
Message-ID:

> Just out of curiosity, do you run any Milters? I don't recall having
> this issue prior to running Milter-greylist and Milter-ahead.
> Possibly
> the problem is the Milter in front of sendmail?
>
> DAve

nothing special
mailscanner, spamassassin 3.1.4
done update from 3.0.4 the day before the problems started, but I've found
nothing special in the release notes about bigger changes and .. sa is
behind sendmail

i have some rules in sendmail access like
From:sued@gmx.de ERROR:"550 User unknown. We don't accept mail from spammers."
but that's only for mail addresses, not for tld's

greetings
andy

From ugob at camo-route.com Fri Sep 1 13:51:15 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Sep 1 13:51:45 2006
Subject: Sendmail privacy flags in MailScanner init script
Message-ID:

Hi,

In the MailScanner init script, privacy options are stated for
sendmail:

-OPrivacyOptions=noetrn

Why is that? Shouldn't these settings be defined in sendmail.mc (cf)?

Does that override the settings in the config file?

Regards,

Ugo

From steve.freegard at fsl.com Fri Sep 1 14:06:48 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Sep 1 14:09:03 2006
Subject: Sendmail privacy flags in MailScanner init script
In-Reply-To:
References:
Message-ID: <44F83068.3010302@fsl.com>

Hi Ugo,

Ugo Bellavance wrote:
> Hi,
>
> In the MailScanner init script, privacy options are stated for
> sendmail:
>
> -OPrivacyOptions=noetrn
>
> Why is that? Shouldn't these settings be defined in sendmail.mc (cf)?

I suspect this is a safety net -- you really really don't want the
incoming Sendmail process to allow ETRN for any hosts, because ETRN
would result in messages being delivered to the host directly from
mqueue.in, bypassing MailScanner completely.

It's in the initscript for MailScanner so you don't have to remember to
put it in the privacy options and rebuild the .cf file when you install
MailScanner.

>
> Does that override the settings in the config file?
>

Yes -- but only for the incoming Sendmail process, the outgoing process
will use whatever is configured in the .cf file.

Cheers,
Steve.

From R.A.Gardener at shu.ac.uk Fri Sep 1 15:20:59 2006
From: R.A.Gardener at shu.ac.uk (Ray Gardener)
Date: Fri Sep 1 15:22:41 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> <44EEAF6F.3040701@solid-state-logic.com>
Message-ID:

Hi,

I undertook to report back on the results of trussing the mailscanner
processes. I have run the program under truss but I can't see anything
obviously strange. However a workaround has become apparent; starting
mailscanner from a subshell called in the init.d script works

e.g.

su - root -c "/opt/mailscanner/bin/MailScanner"

possibly, this implies that there is some environment variable such as
PATH or LD_LIBRARY_PATH that needs to be set, but I am not sure what it
is. Any ideas?

Regards
____________________________________________________________________________
Ray Gardener,
IT Services, LITS,
Sheffield Hallam University,
Howard Street,
Sheffield,
UK
S1 1WB
Telephone: +44 114 225 4926
Fax: +44 114 225 3840
Mobile: +44 07788190005
Email: R.A.Gardener@shu.ac.uk

On Fri, 25 Aug 2006, Ray Gardener wrote:

> Many thanks for the number of useful replies; I would be interested in using
> a different manifest to the one that I knocked together quicker and tried
> with no positive results. One thing I haven't tried and should is to trace
> the errant mailscanner processes using something like truss which I will try
> and do and report back the findings.
>
> On Fri, 25 Aug 2006, Martin Hepworth wrote:
>
>> Randy Fishel wrote:
>>>
>>> On Aug 24, 2006, at 10:43 AM, Jeff A. Earickson wrote:
>>>
>>>> On Thu, 24 Aug 2006, Martin Hepworth wrote:
>>>>
>>>>> Date: Thu, 24 Aug 2006 17:49:46 +0100
>>>>> From: Martin Hepworth
>>>>> Reply-To: MailScanner discussion
>>>>> To: MailScanner discussion
>>>>> Subject: Re: Solaris 10 init.d startup failing
>>>>> Jeff A. Earickson wrote:
>>>>>> On Thu, 24 Aug 2006, Martin Hepworth wrote:
>>>>>>> Date: Thu, 24 Aug 2006 17:38:14 +0100
>>>>>>> From: Martin Hepworth
>>>>>>> Reply-To: MailScanner discussion
>>>>>>> To: MailScanner discussion
>>>>>>> Subject: Re: Solaris 10 init.d startup failing
>>>>>>> Ray Gardener wrote:
>>>>>>>> Hi,
>>>>>>>> I had cause to reboot a Sunblade server running Exim and MailScanner
>>>>>>>> version 4.53.8 and noticed an error. The mailscanner program is
>>>>>>>> started by invoking MailScanner from the exim startup script in
>>>>>>>> /etc/init.d. [I know this is a legacy method for Solaris 10 but do
>>>>>>>> this to maintain consistency with other mailhubs based on Solaris
>>>>>>>> 9]. On boot-up mailscanner instances were started and the startup
>>>>>>>> log line was present in /var/log/maillog but the instances of
>>>>>>>> mailscanner ate memory very quickly and didn't process mail.
>>>>>>>> Pkilling the mailscanner instances and stopping and starting the
>>>>>>>> init.d script resulted in a working system processing mail.
>>>>>>>> Has anyone else seen this on Solaris 10 and if so is there a
>>>>>>>> workaround?
>>>>>>>> Incidentally I later created a smf mailscanner service and tried to
>>>>>>>> use that to start mailscanner but this also ate memory and didn't
>>>>>>>> process mail.
>>>>>>>> Regards,
>>>>>>> Ray
>>>>>>> only problem like this is when using MS in combination with
>>>>>>> MailWatch.
>>>>>>> Problem can be that mysql isn't fully operational by the time MS
>>>>>>> starts up...so the first connection hangs.
>>>>>>> I solved this by putting a wait 30 at the start() function to make
>>>>>>> sure mysql is up and accepting connections before we start MS.
>>>>>> Martin,
>>>>>> Can you post a diff of your change to the list so I can try it here?
>>>>>> I don't use MailWatch or sql, so maybe a smaller wait time would solve
>>>>>> my issue. Thanks.
>>>>>> Jeff Earickson
>>>>>> Colby College
>>>>> Jeff
>>>>>
>>>>> just added a sleep 30 at the top of the start) case statement in the
>>>>> rc.d script...
>>>>
>>>> Nope, didn't work for me. I turned on the "-x" option in my init.d
>>>> script, the check_mailscanner script, watched it as I ran things by
>>>> hand. The loop-up is somewhere after the bin/MailScanner perl code
>>>> is launched. FWIW, the "stop" option in my init.d script does not
>>>> work either. The only way I can get things stopped is via
>>>> "pkill -9 MailScanner". The mystery continues.
>>>>
>>>> Jeff Earickson
>>>> Colby College
>>>> --
>>>
>>> I just created a manifest and have MailScanner run as a service and
>>> have had no problems starting _or_ stopping it. By setting all the
>>> correct dependencies, there should be no reason for waiting. My manifest
>>> replaces the Solaris smtp service, and starts sendmail as well, but there
>>> is no reason that there couldn't be a manifest for MailScanner that
>>> depends on sendmail or any other MTA. I could easily generate a
>>> MailScanner manifest and test it standalone if there is value.
>>>
>>> rf
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>> Randy
>>
>> How about posting that to the list, or (even better) drop in to the wiki.
>>
>> --
>> Martin Hepworth
>> Senior Systems Administrator
>> Solid State Logic
>> Tel: +44 (0)1865 842300

From lshaw at emitinc.com Fri Sep 1 16:32:30 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Fri Sep 1 16:32:43 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> <44EEAF6F.3040701@solid-state-logic.com>
Message-ID:

On Fri, 1 Sep 2006, Ray Gardener wrote:
> I undertook to report back on the results of trussing the mailscanner
> processes. I have run the program under truss but I can't see anything
> obviously strange. However a workaround has become apparent; starting
> mailscanner from a subshell called in the init.d script works
>
> e.g.
>
> su - root -c "/opt/mailscanner/bin/MailScanner"
>
>
> possibly, this implies that there is some environment variable such as PATH
> or LD_LIBRARY_PATH that needs to be set, but I am not sure what it is. Any
> ideas?

How about...

su - root -c env | sort > abc
env | sort > def
diff abc def

- Logan

From jaearick at colby.edu Fri Sep 1 16:33:29 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Sep 1 16:33:42 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> <44EEAF6F.3040701@solid-state-logic.com>
Message-ID:

Ray,

You are a hero!
It also works for me with:

su - root -c "/opt/mailscanner/bin/check_mailscanner"

No Earthly idea why a subshell as root would work, since I run the
/etc/init.d script as root anyway.

Jeff Earickson
Colby College

On Fri, 1 Sep 2006, Ray Gardener wrote:

> Date: Fri, 1 Sep 2006 15:20:59 +0100 (BST)
> From: Ray Gardener
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Solaris 10 init.d startup failing
>
> Hi,
>
> I undertook to report back on the results of trussing the mailscanner
> processes. I have run the program under truss but I can't see anything
> obviously strange. However a workaround has become apparent; starting
> mailscanner from a subshell called in the init.d script works
>
> e.g
>
> su - root -c "/opt/mailscanner/bin/MailScanner"
>
>
> possibly, this implies that there is some environment variable such as PATH
> or LD_LIBRARY_PATH that needs to be set, but I am not sure what it is. Any
> ideas?
>
> Regards
>
> On Fri, 25 Aug 2006, Ray Gardener wrote:
>
>> Many thanks for the number of useful replies; I would be interested in
>> using a different manifest to the one that I knocked together quicker and
>> tried with no positive results. One thing I haven't tried and should is to
>> trace the errant mailscanner processes using something like truss which I
>> will try and do and report back the findings.
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mailscanner at yeticomputers.com Fri Sep 1 16:52:50 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Sep 1 16:53:04 2006 Subject: MS 4.54.6 failing to tag a phishing message In-Reply-To: References: Message-ID: <44F85752.2080408@yeticomputers.com> Are you, by any chance, using Thunderbird to read the message? If so, be sure that your client is set to view messages as either "Simple HTML" or "Original HTML" for that account. When I tested your HTML through my MailScanner, I thought at first that it had failed for me, too. Then when viewing the message source I saw that I was wrong. The test message: Message-ID: <44F84CCF.2080704@yeticomputers.com> Date: Fri, 01 Sep 2006 11:07:59 -0400 From: Rick Chadderdon User-Agent: Thunderbird 1.5.0.5 (X11/20060809) MIME-Version: 1.0 To: Rick Chadderdon Subject: Test Content-Type: multipart/alternative; boundary="------------050805040507030102090704" This is a multi-part message in MIME format. --------------050805040507030102090704 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit https://boveda.banamex.com.mx/serban/ --------------050805040507030102090704 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit https://boveda.banamex.com.mx/serban/ --------------050805040507030102090704-- The important parts of what I received: This is a multi-part message in MIME format. 
--------------050805040507030102090704 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit https://boveda.banamex.com.mx/serban/ --------------050805040507030102090704 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit MailScanner has detected a possible fraud attempt from "dsl093-070-130.sfo4.dsl.speakeasy.net" claiming to be https://boveda.banamex.com.mx/serban/www.boveda.banamex. --------------050805040507030102090704-- However, Thunderbird was set to view messages as plain text, and the phishing warning was *not shown*. The message was sent as plain text and HTML. All Thunderbird showed was the plain text portion: https://boveda.banamex.com.mx/serban/ Since the MailScanner phishing warning was HTML, it was not displayed. If I view the message body as HTML, the warning is shown. If I send the message as "plain text only" or "HTML only" I get slightly different results, but the phishing warning is always visible. For me, MailScanner caught your sample URL every time I tried it. Now the phishing warning was a bit odd: "...claiming to be https://boveda.banamex.com.mx/serban/www.boveda.banamex." - it tacked stuff on after the "serban/". I suppose there's a bug there, but for the most part I'm seeing a Thunderbird display issue. I am running MailScanner 4.55.10 on FreeBSD RELEASE 6.0, so it's possible that something was fixed after your version that is causing yours to fail to catch that particular link. Rick Ren? Berber wrote: > Hi, > > I'm using MS version 4.54.6 and trying to figure out why a phishing message went > in and MS didn't do anything. The message spam score (using spamassassin > version 3.1.4 + some rules-du-jour) was very low, but as shown below inside the > message was a very obvious phishing URL. 
>
> Relevant parts of MailScanner.conf:
>
> Find Phishing Fraud = yes
> Also Find Numeric Phishing = yes
> Use Stricter Phishing Net = yes
> Highlight Phishing Fraud = yes
> Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
> Phishing Modify Subject = yes
> Phishing Subject Text = {Fraud?}
>
> The file phishing.safe.sites.conf does not contain the bank name. The
> country.domains.conf has a correct set of domain suffixes for this country.
>
> The relevant part of the message is:
>
> href="http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php">https://boveda.banamex.com.mx/serban/
>
> The links are as different as they can be, http vs https (not used by MS),
> speakeasy.net vs banamex.com.mx, so what did fail in MS?
>
> Any pointers on how to debug this or should I upgrade to the latest version?
>
> I had a look at lib/MailScanner/Message.pm and found where the URLs are compared
> taking into account the levels used by the country, I'll try to find out what
> went wrong.
>
> Thanks.
>

From r.berber at computer.org Fri Sep 1 17:07:24 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Fri Sep 1 17:08:07 2006
Subject: MS 4.54.6 failing to tag a phishing message
In-Reply-To: <44F85752.2080408@yeticomputers.com>
References: <44F85752.2080408@yeticomputers.com>
Message-ID:

Rick Chadderdon wrote:
> Are you, by any chance, using Thunderbird to read the message?

No.

> If so,
> be sure that your client is set to view messages as either "Simple HTML"
> or "Original HTML" for that account. When I tested your HTML through my
> MailScanner, I thought at first that it had failed for me, too. Then
> when viewing the message source I saw that I was wrong.

Interesting, but that is a different scenario. The message was read by a
person using Outlook which shows html, and looking at the raw mailbox of
that person there was no multi-part or text on that message. So it went
through my MS with no detection at all.

[snip]
> Since the MailScanner phishing warning was HTML, it was not displayed.
> If I view the message body as HTML, the warning is shown. If I send the
> message as "plain text only" or "HTML only" I get slightly different
> results, but the phishing warning is always visible. For me,
> MailScanner caught your sample URL every time I tried it.

That's what I needed to know...

> Now the
> phishing warning was a bit odd: "...claiming to be
> https://boveda.banamex.com.mx/serban/www.boveda.banamex." - it tacked
> stuff on after the "serban/".
> I suppose there's a bug there, but for
> the most part I'm seeing a Thunderbird display issue.
>
> I am running MailScanner 4.55.10 on FreeBSD RELEASE 6.0, so it's
> possible that something was fixed after your version that is causing
> yours to fail to catch that particular link.

I'll update MS this weekend and test again.

Thanks.
--
René Berber

From dstraka at caspercollege.edu Fri Sep 1 17:06:26 2006
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Fri Sep 1 17:27:32 2006
Subject: Pointless SPAM containing story snippet - Why?
Message-ID: <451CF022.61A4.0000.0@caspercollege.edu>

Been receiving spam that contains no payload, no web site links, no way
for the spammer to ever benefit from sending it. Are these some sort of
test or attempt to un-train spamassassin? Thanks...Dan

--
This message has been scanned for viruses and
dangerous content by MailScanner at caspercollege.edu
and is believed to be clean.

From mailscanner at yeticomputers.com Fri Sep 1 17:44:53 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Fri Sep 1 17:45:07 2006
Subject: Pointless SPAM containing story snippet - Why?
In-Reply-To: <451CF022.61A4.0000.0@caspercollege.edu>
References: <451CF022.61A4.0000.0@caspercollege.edu>
Message-ID: <44F86385.7090601@yeticomputers.com>

I've gotten a few of those, too. Since they're structured identically
to most of the image spam I get (minus the image), my guess is that
they're someone's broken attempt to send image spam. Probably pointed
their spam sending program at the wrong image folder or something.
The text portion of those messages might be an attempt to poison a
Bayes database, although it might simply be an effort to avoid getting
filtered for "not enough text" with an attached image. I'm about an
inch away from dropping all mail with inline images. I'll train my
users to zip 'em up first and have their families do the same.

Daniel Straka wrote:
> Been receiving spam that contains no payload, no web site links, no way
> for the spammer to ever benefit from sending it. Are these some sort of
> test or attempt to un-train spamassassin? Thanks...Dan
>
>

From ka at pacific.net Fri Sep 1 17:58:46 2006
From: ka at pacific.net (Ken A)
Date: Fri Sep 1 17:57:34 2006
Subject: Pointless SPAM containing story snippet - Why?
In-Reply-To: <451CF022.61A4.0000.0@caspercollege.edu>
References: <451CF022.61A4.0000.0@caspercollege.edu>
Message-ID: <44F866C6.70102@pacific.net>

Daniel Straka wrote:
> Been receiving spam that contains no payload, no web site links, no way
> for the spammer to ever benefit from sending it. Are these some sort of
> test or attempt to un-train spamassassin? Thanks...Dan
>

Testing for valid addresses? Spammers don't want to trigger any MTA
blocks on content, so they send these little probes. If the MTA accepts
the mail, then they assume the address is good.

Of course it could just be something broken in the spam generating world
too... They don't exactly use consistent procedures, so things do go
haywire now and then.

Ken A
Pacific.Net

From Kevin_Miller at ci.juneau.ak.us Fri Sep 1 18:21:26 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 1 18:21:35 2006
Subject: Pointless SPAM containing story snippet - Why?
In-Reply-To: <44F86385.7090601@yeticomputers.com>
Message-ID:

Rick Chadderdon wrote:
> I've gotten a few of those, too. Since they're structured identically
> to most of the image spam I get (minus the image), my guess is that
> they're someone's broken attempt to send image spam. Probably pointed
> their spam sending program at the wrong image folder or something.
> The text portion of those messages might be an attempt to poison a
> Bayes database, although it might simply be an effort to avoid getting
> filtered for "not enough text" with an attached image. I'm about an
> inch away from dropping all mail with inline images.
> I'll train my
> users to zip 'em up first and have their families do the same.

I wouldn't want to disallow all image files, but might consider just
blocking gifs. Wonder what percentage of valid emails use a gif - seems
that most users either send in jpg, tif or (sigh) bmp. The gifs all
come in via the stock spam. I suppose that some html newsletters and
such may have a gif in them, but usually they use remote links to keep
their costs down...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ricardo.bernardes at centraldecomunicacao.pt Fri Sep 1 18:36:49 2006
From: ricardo.bernardes at centraldecomunicacao.pt (Ricardo Bernardes-Mailscanner)
Date: Fri Sep 1 18:38:08 2006
Subject: Can't locate Sys/Hostname/Long.pm - Mailscanner-4.55.10-3
Message-ID: <037401c6cded$354363f0$350fa8c0@bcc.net>

Hello,
I've just upgraded my Mailscanner version, everything went OK but I'm not
able to start Mailscanner.

Get the following message:

MailScanner: Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 67.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 67.

RedHat 8.0
Mailscanner
Sendmail
SA

Help Please !

Thanks

Ricardo

From dstraka at caspercollege.edu Fri Sep 1 19:09:06 2006
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Fri Sep 1 19:09:41 2006
Subject: Sendmail RPM Update - Will This Break MailScanner
Message-ID: <451D0CE3.61A4.0000.0@caspercollege.edu>

I'm running MailScanner on Suse Linux Enterprise Server 10 and have
received a sendmail security update to install via rpm. Does anyone know
if this will break the MailScanner / Sendmail symbiosis or even the
entire server? I've never had much luck in the past with these %#@&
patches. Thanks...Dan

--
This message has been scanned for viruses and
dangerous content by MailScanner at caspercollege.edu
and is believed to be clean.

From dward at nccumc.org Fri Sep 1 19:18:12 2006
From: dward at nccumc.org (Douglas Ward)
Date: Fri Sep 1 19:18:14 2006
Subject: Can't locate Sys/Hostname/Long.pm - Mailscanner-4.55.10-3
In-Reply-To: <037401c6cded$354363f0$350fa8c0@bcc.net>
References: <037401c6cded$354363f0$350fa8c0@bcc.net>
Message-ID:

I had this problem recently with another perl module. Try the following:

1. Open cpan to install perl modules with the following command:
   perl -MCPAN -e shell
2. You may need to update your cpan module (it will tell you).
3. Search for the missing package:
   i /Long/
4. install Sys::Hostname::Long (Could be wrong about the package name)

This fixed it for me.

On 9/1/06, Ricardo Bernardes-Mailscanner <ricardo.bernardes@centraldecomunicacao.pt> wrote:
>
> Hello,
> I've just upgraded my Mailscanner version, everything went OK but I'm not
> able to start Mailscanner.
>
> Get the following message:
>
>
> MailScanner: Can't locate Sys/Hostname/Long.pm in @INC (@INC
> contains: /usr/lib/MailScanner
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl/5.6.1
> /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .
> /usr/lib/MailScanner) at /usr/sbin/MailScanner line 67.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 67.
>
>
> RedHat 8.0
> Mailscanner
> Sendmail
> SA
>
>
> Help Please !
>
> Thanks
>
> Ricardo
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Douglas Ward
Director of Information Technology
NC Methodist Conference
1307 Glenwood Ave.
Raleigh, NC 27605
Work: (919) 832-9560 ext. 227
Fax: (919) 834-7989
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060901/292027fa/attachment.html

From steve.swaney at fsl.com Fri Sep 1 19:41:40 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Sep 1 19:41:44 2006
Subject: Sendmail RPM Update - Will This Break MailScanner
In-Reply-To: <451D0CE3.61A4.0000.0@caspercollege.edu>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Daniel Straka
> Sent: Friday, September 01, 2006 2:09 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Sendmail RPM Update - Will This Break MailScanner
>
> I'm running MailScanner on Suse Linux Enterprise Server 10 and have
> received a sendmail security update to install via rpm.
> Does anyone know
> if this will break the MailScanner / Sendmail symbiosis or even the
> entire server? I've never had much luck in the past with these %#@&
> patches. Thanks...Dan
>

I've installed on SuSE 10 systems without problems.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From binaryflow at gmail.com Fri Sep 1 19:38:21 2006
From: binaryflow at gmail.com (Douglas Ward)
Date: Fri Sep 1 19:48:59 2006
Subject: Razor log file in Postfix hold queue
Message-ID:

Does anyone know how to make Razor stop putting its log file into the
postfix hold queue? I have checked every file I can find using slocate
and cannot find the setting. Any advice would be most appreciated.
Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060901/04d032f0/attachment.html

From Phil.Udel at SalemCOrp.com Fri Sep 1 20:13:15 2006
From: Phil.Udel at SalemCOrp.com (Phil Udel)
Date: Fri Sep 1 20:13:30 2006
Subject: Whitebox Linux install
Message-ID: <200609011913.k81JDvpo014900@cat.salemcarriers.com>

Hi.
I have been playing around with Whitebox 4.0 and thought I would use it
instead of RedHat 4.0 for my new mailserver. I tried the rpm install but it
can't find redhat/src. whitebox changed the names to whitebox. lol
Has anyone here used Whitebox with a rpm install?

From Kevin_Miller at ci.juneau.ak.us Fri Sep 1 20:15:09 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 1 20:15:12 2006
Subject: Sendmail RPM Update - Will This Break MailScanner
In-Reply-To: <451D0CE3.61A4.0000.0@caspercollege.edu>
Message-ID:

Daniel Straka wrote:
> I'm running MailScanner on Suse Linux Enterprise Server 10 and have
> received a sendmail security update to install via rpm. Does anyone
> know if this will break the MailScanner / Sendmail symbiosis or even
> the entire server? I've never had much luck in the past with these
> %#@& patches.
> Thanks...Dan

Installed on 9.3 and 10 this morning. One thing that *always* trips me
up is when they patch sendmail they always turn it back on at boot time.
You'd think I'd learn but I always space that out. I usually get a wake
up call when spam turns up in my inbox that wasn't scanned.

Just stop MailScanner, apply the patch, then do:
	chkconfig sendmail off
so sendmail doesn't start automatically. Next check to make sure it
isn't running ('ps aux | grep sendmail' is what I use). If it is
running, kill the process(es). Then restart MailScanner.

S'later...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mikej at rogers.com Fri Sep 1 20:17:03 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Fri Sep 1 20:16:57 2006
Subject: Razor log file in Postfix hold queue
In-Reply-To:
References:
Message-ID: <44F8872F.1070501@rogers.com>

Douglas Ward wrote:
> Does anyone know how to make Razor stop putting its log file into the
> postfix hold queue? I have checked every file I can find using
> slocate and cannot find the setting. Any advice would be most
> appreciated. Thanks!

Just create a .razor directory in /var/spool/postfix and you're set.

From edwardbruce at sbcglobal.net Fri Sep 1 20:19:34 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Fri Sep 1 20:19:37 2006
Subject: Razor log file in Postfix hold queue
In-Reply-To:
References:
Message-ID: <44F887C6.1060701@sbcglobal.net>

Douglas Ward wrote:
> Does anyone know how to make Razor stop putting its log file into the
> postfix hold queue? I have checked every file I can find using
> slocate and cannot find the setting. Any advice would be most
> appreciated. Thanks!

My AOL moment, me too :)

From steve.swaney at fsl.com Fri Sep 1 20:41:07 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Sep 1 20:41:11 2006
Subject: Whitebox Linux install
In-Reply-To: <200609011913.k81JDvpo014900@cat.salemcarriers.com>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Phil Udel
> Sent: Friday, September 01, 2006 3:13 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Whitebox Linux install
>
> Hi.
> I have been playing around with Whitebox 4.0 and thought I would use it
> instead of RedHat 4.0 for my new mailserver. I tried the rpm install but
> it
> can't find redhat/src. whitebox changed the names to whitebox. lol
> Has anyone here used Whitebox with a rpm install?
>

I think WhiteboxLinux was a victim of Katrina (they were in Louisiana)
but it may be back in business. The last update was April 2006 so it may
be a bit dated.

I'd recommend CentOS. www.centos.org

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From drew at themarshalls.co.uk Fri Sep 1 20:41:25 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Fri Sep 1 20:41:36 2006
Subject: Razor log file in Postfix hold queue
In-Reply-To:
References:
Message-ID: <7C4E1923-E297-4965-A7E3-9905DCEC3865@themarshalls.co.uk>

On 1 Sep 2006, at 19:38, Douglas Ward wrote:

> Does anyone know how to make Razor stop putting its log file into
> the postfix hold queue? I have checked every file I can find using
> slocate and cannot find the setting. Any advice would be most
> appreciated. Thanks!

You need to add

razor_config /var/spool/MailScanner/spamassassin/razor/

to spam.assassin.conf

Then you need to run

razor-admin -h /var/spool/MailScanner/spamassassin/razor/ -create

which should then put all the right files in that directory for you.

Drew

PS I thought this was in the Postfix section of the wiki but I can't
find it either.
When I get a spare moment I'll add it (Up to my eyeballs in it at the
moment)

--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From edwardbruce at sbcglobal.net Fri Sep 1 20:42:20 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Fri Sep 1 20:42:23 2006
Subject: Razor log file in Postfix hold queue
In-Reply-To: <44F8872F.1070501@rogers.com>
References: <44F8872F.1070501@rogers.com>
Message-ID: <44F88D1C.8010205@sbcglobal.net>

Mike Jakubik wrote:
> Douglas Ward wrote:
>> Does anyone know how to make Razor stop putting its log file into the
>> postfix hold queue? I have checked every file I can find using
>> slocate and cannot find the setting. Any advice would be most
>> appreciated. Thanks!
>
> Just create a .razor directory in /var/spool/postfix and you're set.
>

I did this, restarted MailScanner and it still creates the log in the
hold directory.

From ssilva at sgvwater.com Fri Sep 1 20:43:10 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 1 20:45:53 2006
Subject: Whitebox Linux install
In-Reply-To: <200609011913.k81JDvpo014900@cat.salemcarriers.com>
References: <200609011913.k81JDvpo014900@cat.salemcarriers.com>
Message-ID:

Phil Udel spake the following on 9/1/2006 12:13 PM:
> Hi.
> I have been playing around with Whitebox 4.0 and thought I would use it
> instead of RedHat 4.0 for my new mailserver. I tried the rpm install but it
> can't find redhat/src. whitebox changed the names to whitebox. lol
> Has anyone here used Whitebox with a rpm install?
>
>

I was playing with Whitebox for a while, but I have found more and more
people to be moving to CentOS. No offense to John Morris, but I don't
think he really envisioned Whitebox as a distro for the masses, and he
updates it when he has the time. And he seems to still be busy after
hurricane Katrina hit not too far south of him.
That leaves you with a system that might be somewhat behind on security
updates.

--

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From Phil.Udel at SalemCOrp.com Fri Sep 1 20:50:23 2006
From: Phil.Udel at SalemCOrp.com (Phil Udel)
Date: Fri Sep 1 20:50:33 2006
Subject: Whitebox Linux install
In-Reply-To: <200609011913.k81JDvpo014900@cat.salemcarriers.com>
Message-ID: <200609011951.k81Jp6po019671@cat.salemcarriers.com>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel
Sent: Friday, September 01, 2006 3:13 PM
To: mailscanner@lists.mailscanner.info
Subject: Whitebox Linux install

Hi.
I have been playing around with Whitebox 4.0 and thought I would use it
instead of RedHat 4.0 for my new mailserver. I tried the rpm install but it
can't find redhat/src. whitebox changed the names to whitebox. lol Has
anyone here used Whitebox with a rpm install?
--
Well I made a small change to the install script and the install went well.

Here is the Change:
if [ -d /usr/src/redhat ]; then
  echo Good, you have /usr/src/redhat in place.
  RPMROOT=/usr/src/redhat
elif [ -d /usr/src/RPM ]; then
  echo Okay, you have /usr/src/RPM.
  RPMROOT=/usr/src/RPM
elif [ -d /usr/src/whitebox ]; then        # Added
  echo Okay, you have /usr/src/whitebox.   # Added
  RPMROOT=/usr/src/whitebox                # Added
elif [ -d /usr/src/packages ]; then
  echo Okay, you have /usr/src/packages.
  RPMROOT=/usr/src/packages

From mikej at rogers.com Fri Sep 1 20:59:28 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Fri Sep 1 20:59:23 2006
Subject: Razor log file in Postfix hold queue
In-Reply-To: <44F88D1C.8010205@sbcglobal.net>
References: <44F8872F.1070501@rogers.com> <44F88D1C.8010205@sbcglobal.net>
Message-ID: <44F89120.7030100@rogers.com>

Ed Bruce wrote:
> Mike Jakubik wrote:
>
>> Douglas Ward wrote:
>>
>>> Does anyone know how to make Razor stop putting its log file into the
>>> postfix hold queue? I have checked every file I can find using
>>> slocate and cannot find the setting. Any advice would be most
>>> appreciated. Thanks!
>>>
>> Just create a .razor directory in /var/spool/postfix and you're set.
>>
>>
> I did this, restarted MailScanner and it still creates the log in the
> hold directory.
>

Did you create ".razor" or "razor" ? Also, you can specify the location
with razor_config in your spamassassin config file.

From lists at norcomcable.ca Fri Sep 1 20:58:51 2006
From: lists at norcomcable.ca (Dan)
Date: Fri Sep 1 20:59:39 2006
Subject: Whitebox Linux install
In-Reply-To: <200609011913.k81JDvpo014900@cat.salemcarriers.com>
Message-ID: <9a2e701c6ce01$0bd47540$d100a8c0@norcom209>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Phil Udel
> Sent: September 1, 2006 2:13 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Whitebox Linux install
>
> Hi.
> I have been playing around with Whitebox 4.0 and thought I
> would use it instead of RedHat 4.0 for my new mailserver. I
> tried the rpm install but it can't find redhat/src. whitebox
> changed the names to whitebox. lol Has anyone here used
> Whitebox with a rpm install?
>
>
> --

Make sure you have 'rpm-build' installed first before installing
MailScanner.

I used to use Whitebox with MailScanner. It worked fine.
I did switch to CentOS after Katrina due to the lack of updates.

It really drove home the 'hit by bus' theory and putting all your resources
into one place.

regards,
-dan

From Phil.Udel at SalemCOrp.com Fri Sep 1 21:23:29 2006
From: Phil.Udel at SalemCOrp.com (Phil Udel)
Date: Fri Sep 1 21:23:45 2006
Subject: Whitebox Linux install
In-Reply-To: <200609011951.k81Jp6po019671@cat.salemcarriers.com>
Message-ID: <200609012024.k81KOBpo022998@cat.salemcarriers.com>

I think I will abandon the WhiteBox idea. I am downloading CentOS to see
what that will be like.

From dhawal at netmagicsolutions.com Fri Sep 1 21:20:33 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Sep 1 21:29:57 2006
Subject: Razor log file in Postfix hold queue
In-Reply-To: <44F89120.7030100@rogers.com>
References: <44F8872F.1070501@rogers.com> <44F88D1C.8010205@sbcglobal.net> <44F89120.7030100@rogers.com>
Message-ID: <20060902015033.b8xexi5uog0s4coc@mail.netmagicsolutions.com>

Quoting Mike Jakubik :

> Ed Bruce wrote:
>> Mike Jakubik wrote:
>>
>>> Douglas Ward wrote:
>>>
>>>> Does anyone know how to make Razor stop putting its log file into the
>>>> postfix hold queue? I have checked every file I can find using
>>>> slocate and cannot find the setting. Any advice would be most
>>>> appreciated. Thanks!
>>>>
>>> Just create a .razor directory in /var/spool/postfix and you're set.
>>>
>>>
>> I did this, restarted MailScanner and it still creates the log in the
>> hold directory.
>>
>
> Did you create ".razor" or "razor" ? Also, you can specify the location
> with razor_config in your spamassassin config file.

Use the following commands to configure razor for SA, replace
'/etc/mail/spamassassin/' with your preferred path.

# razor-admin -home=/etc/mail/spamassassin/.razor -create
# razor-admin -home=/etc/mail/spamassassin/.razor -discover

Pause for a while before you give the below command (10-15 seconds)
# razor-admin -home=/etc/mail/spamassassin/.razor -register

Add to /etc/mail/spamassassin/.razor/razor-agent.conf the following line.
razorhome = /etc/mail/spamassassin/.razor

Add to /etc/mail/spamassassin/mailscanner.cf, the following line.
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf

- dhawal

From steve.swaney at fsl.com Fri Sep 1 21:39:36 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Sep 1 21:39:39 2006
Subject: Whitebox Linux install
In-Reply-To:
Message-ID: <1024401c6ce06$bd46d7a0$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> Sent: Friday, September 01, 2006 3:43 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Whitebox Linux install
>
> Phil Udel spake the following on 9/1/2006 12:13 PM:
> > Hi.
> > I have been playing around with Whitebox 4.0 and thought I would use it
> > instead of RedHat 4.0 for my new mailserver. I tried the rpm install but
> it
> > can't find redhat/src. whitebox changed the names to whitebox. lol
> > Has anyone here used Whitebox with a rpm install?
> >
> >
> I was playing with Whitebox for a while, but I have found more and more
> people
> to be moving to CentOS. No offense to John Morris, but I don't think he
> really
> envisioned Whitebox as a distro for the masses, and he updates it when he
> has
> the time. And he seems to still be busy after hurricane Katrina hit not
> too
> far south of him.
> That leaves you with a system that might be somewhat behind on security
> updates.
>

Ditto!!

John Morris put out a very competently packaged distro. We used and
recommended before CentOS was around.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From glenn.steen at gmail.com Fri Sep 1 22:01:43 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 1 22:01:47 2006
Subject: Solaris 10 init.d startup failing
In-Reply-To:
References: <44EDD5F6.7090409@solid-state-logic.com> <44EDD8AA.90402@solid-state-logic.com> <44EEAF6F.3040701@solid-state-logic.com>
Message-ID: <223f97700609011401oda1f22eo6e3d4f6e22728281@mail.gmail.com>

On 01/09/06, Jeff A. Earickson wrote:
> Ray,
>
> You are a hero! It also works for me with:
>
> su - root -c "/opt/mailscanner/bin/check_mailscanner"
>
> No Earthly idea why a subshell as root would work, since I run the
> /etc/init.d script as root anyway.
>

Jeff, see Logan's (and Ray's) comments ... The thing is that the "su -
root -c ..." isn't _just_ a subshell like any shell... It is a faked
logon with all that that implies. I'm somewhat rusty on Solaris details,
but this is common to all *nix... The startup environment is often very
much more "bare bones" than for an actual interactive shell (even when
setup through su which, depending on platform might not be that close to
the "real thing":). So, one could say it's just another take on the
usual cron problem:-):-).

If you can determine exactly what needs be set, you'll likely be able to
dispense with the "su" altogether... But you all knew that;)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ugob at camo-route.com Fri Sep 1 22:06:53 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Sep 1 22:07:16 2006
Subject: Whitebox Linux install
In-Reply-To: <200609012024.k81KOBpo022998@cat.salemcarriers.com>
References: <200609011951.k81Jp6po019671@cat.salemcarriers.com> <200609012024.k81KOBpo022998@cat.salemcarriers.com>
Message-ID:

Phil Udel wrote:
> I think I will abandon the WhiteBox idea., I am downloading CentOS to see
> what that will be like.
>
>
>

You won't be disappointed.
It is like whitebox, but has more extra features (special repositories
for example) and has a much larger user base.

Ugo

From ugob at camo-route.com Fri Sep 1 22:08:25 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Sep 1 22:10:10 2006
Subject: Sendmail RPM Update - Will This Break MailScanner
In-Reply-To:
References: <451D0CE3.61A4.0000.0@caspercollege.edu>
Message-ID:

Kevin Miller wrote:
> Daniel Straka wrote:
>> I'm running MailScanner on Suse Linux Enterprise Server 10 and have
>> received a sendmail security update to install via rpm. Does anyone
>> know if this will break the MailScanner / Sendmail symbiosis or even
>> the entire server? I've never had much luck in the past with these
>> %#@& patches. Thanks...Dan
>
> Installed on 9.3 and 10 this morning. One thing that *always* trips me
> up is when they patch sendmail they always turn it back on at boot time.
> You'd think I'd learn but I always space that out. I usually get a wake
> up call when spam turns up in my inbox that wasn't scanned.
>
> Just stop MailScanner, apply the patch, then do:
> chkconfig sendmail off
> so sendmail doesn't start automatically. Next check to make sure it
> isn't running ('ps aux | grep sendmail' is what I use). If it is
> running, kill the process(es). Then restart MailScanner.
>
> S'later...
>
> ...Kevin

I tend to close port 25 using iptables when updating sendmail, so that
if the update decides to restart sendmail, it won't bypass MailScanner.

From ugob at camo-route.com Fri Sep 1 22:10:03 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Sep 1 22:15:12 2006
Subject: Sendmail privacy flags in MailScanner init script
In-Reply-To: <44F83068.3010302@fsl.com>
References: <44F83068.3010302@fsl.com>
Message-ID:

Steve Freegard wrote:
> Hi Ugo,
>
> Ugo Bellavance wrote:
>> Hi,
>>
>> In the MailScanner init script, privacy options are stated for
>> sendmail:
>>
>> -OPrivacyOptions=noetrn
>>
>> Why is that?
>> Shouldn't these settings be defined in sendmail.mc (cf)?
>
> I suspect this is a safety net -- you really really don't want the
> incoming Sendmail process to allow ETRN for any hosts, because ETRN
> would result in message being delivered to the host directly from
> mqueue.in, bypassing MailScanner completely.
>
> It's in the initscript for MailScanner so you don't have to remember to
> put it in the privacy options and rebuild the .cf file when you install
> MailScanner.

I understand, but I think that most sendmail packages disable etrn by
default. This is slightly problematic when you want to use different
privacy options like goaway, you have to edit the init script...

>
>>
>> Does that override the settings in the config file?
>>
>
> Yes -- but only for the incoming Sendmail process, the outgoing process
> will use whatever is configured in the .cf file.

OK

>
>
> Cheers,
> Steve.

Ugo

From ssilva at sgvwater.com Fri Sep 1 22:13:40 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 1 22:16:06 2006
Subject: Whitebox Linux install
In-Reply-To: <200609011951.k81Jp6po019671@cat.salemcarriers.com>
References: <200609011913.k81JDvpo014900@cat.salemcarriers.com> <200609011951.k81Jp6po019671@cat.salemcarriers.com>
Message-ID:

Phil Udel spake the following on 9/1/2006 12:50 PM:
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel
> Sent: Friday, September 01, 2006 3:13 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Whitebox Linux install
>
> Hi.
> I have been playing around with Whitebox 4.0 and thought I would use it
> instead of RedHat 4.0 for my new mailserver. I tried the rpm install but it
> can't find redhat/src. whitebox changed the names to whitebox. lol Has
> anyone here used Whitebox with a rpm install?
> --
> Well I made a small change to the install script and the install went well.
>
> Here is the Change:
> if [ -d /usr/src/redhat ]; then
>   echo Good, you have /usr/src/redhat in place.
>   RPMROOT=/usr/src/redhat/
> elif [ -d /usr/src/RPM ]; then
>   echo Okay, you have /usr/src/RPM.
>   RPMROOT=/usr/src/RPM
> elif [ -d /usr/src/whitebox ]; then        # <- Added
>   echo Okay, you have /usr/src/whitebox.   # <- Added
>   RPMROOT=/usr/src/whitebox                # <- Added
> elif [ -d /usr/src/packages ]; then
>   echo Okay, you have /usr/src/packages.
>   RPMROOT=/usr/src/packages
>
You probably could have also made a symlink
ln -s /usr/src/whitebox /usr/src/redhat

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From glenn.steen at gmail.com Fri Sep 1 22:16:25 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 1 22:16:28 2006
Subject: Pointless SPAM containing story snippet - Why?
In-Reply-To:
References: <44F86385.7090601@yeticomputers.com>
Message-ID: <223f97700609011416m51c843f1s64b7cb7748ac2ad@mail.gmail.com>

On 01/09/06, Kevin Miller wrote:
> Rick Chadderdon wrote:
> > I've gotten a few of those, too. Since they're structured identically
> > to most of the image spam I get (minus the image), my guess is that
> > they're someone's broken attempt to send image spam. Probably pointed
> > their spam sending program at the wrong image folder or something.
> > The text portion of those messages might be an attempt to poison a
> > Bayes database, although it might simply be an effort to avoid getting
> > filtered for "not enough text" with an attached image. I'm about an
> > inch away from dropping all mail with inline images. I'll train my
> > users to zip 'em up first and have their families do the same.
>
> I wouldn't want to disallow all image files, but might consider just
> blocking gifs. Wonder what percentage of valid emails use a gif - seems
> that most users either send in jpg, tif or (sigh) bmp. The gifs all
> come in via the stock spam.
> I suppose that some html newsletters and
> such may have a gif in them, but usually they use remote links to keep
> their costs down...
>
> ...Kevin

In the somewhat backward world of financial information, gifs are if not common, at least an everyday occurrence. Usually in that all-too-spamlike maillist that the users just *have* to have... Sigh.
Not to mention the occasional IFrame, Script tag or Object Codebase..... They do their damnedest to make my life...interesting:-).
Could give some example stats if you're really interested:-)

Cheers
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Fri Sep 1 22:16:53 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 1 22:20:06 2006
Subject: Whitebox Linux install
In-Reply-To: <9a2e701c6ce01$0bd47540$d100a8c0@norcom209>
References: <200609011913.k81JDvpo014900@cat.salemcarriers.com> <9a2e701c6ce01$0bd47540$d100a8c0@norcom209>
Message-ID:

Dan spake the following on 9/1/2006 12:58 PM:
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Phil Udel
>> Sent: September 1, 2006 2:13 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Whitebox Linux install
>>
>> Hi.
>> I have been playing around with Whitebox 4.0 and thought I
>> would use it instead of RedHat 4.0 for my new mailserver. I
>> tried the rpm install but it can't find redhat/src. whitebox
>> changed the names to whitebox. lol Has anyone here used
>> Whitebox with a rpm install?
>>
>>
>> --
> Make sure you have 'rpm-build' installed first before installing
> MailScanner.
>
> I used to use Whitebox with MailScanner. It worked fine.
> I did switch to CentOS after Katrina due to the lack of updates.
>
> It really drove home the 'hit by bus' theory and putting all your resources
> into one place.
>
> regards,
> -dan
>
My boss hounds me constantly about documenting and uses the "hit by a bus" argument. I keep telling her that if that happens, documentation will be "her" problem. The bus will be getting my immediate, if not short, attention!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From glenn.steen at gmail.com Fri Sep 1 22:29:31 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 1 22:29:34 2006
Subject: Razor log file in Postfix hold queue
In-Reply-To: <20060902015033.b8xexi5uog0s4coc@mail.netmagicsolutions.com>
References: <44F8872F.1070501@rogers.com> <44F88D1C.8010205@sbcglobal.net> <44F89120.7030100@rogers.com> <20060902015033.b8xexi5uog0s4coc@mail.netmagicsolutions.com>
Message-ID: <223f97700609011429k4466f948u15a7f95bdfaba49b@mail.gmail.com>

On 01/09/06, Dhawal Doshy wrote:
> Quoting Mike Jakubik :
>
> > Ed Bruce wrote:
> >> Mike Jakubik wrote:
> >>
> >>> Douglas Ward wrote:
> >>>
> >>>> Does anyone know how to make Razor stop putting its log file into the
> >>>> postfix hold queue? I have checked every file I can find using
> >>>> slocate and cannot find the setting. Any advice would be most
> >>>> appreciated. Thanks!
> >>>>
> >>> Just create a .razor directory in /var/spool/postfix and you're set.
> >>>
> >>>
> >> I did this, restarted MailScanner and it still creates the log in the
> >> hold directory.
> >>
> >
> > Did you create ".razor" or "razor" ? Also, you can specify the location
> > with razor_config in your spamassassin config file.
>
> Use the following commands to configure razor for SA, replace
> '/etc/mail/spamassassin/' with your preferred path.
> # razor-admin -home=/etc/mail/spamassassin/.razor -create
> # razor-admin -home=/etc/mail/spamassassin/.razor -discover
> Pause for a while before you give the below command (10-15 seconds)
> # razor-admin -home=/etc/mail/spamassassin/.razor -register
>
> Add to /etc/mail/spamassassin/.razor/razor-agent.conf the following line.
> razorhome = /etc/mail/spamassassin/.razor
>
> Add to /etc/mail/spamassassin/mailscanner.cf, the following line.
> razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
>
> - dhawal

All nice and so. But Mike's advice actually works too, since one would then be creating it in the default place ($HOME/.razor), all provided one makes sure that the postfix user can write it...:-).
Always another way.....:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Kevin_Miller at ci.juneau.ak.us Fri Sep 1 22:49:45 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 1 22:49:49 2006
Subject: Pointless SPAM containing story snippet - Why?
In-Reply-To: <223f97700609011416m51c843f1s64b7cb7748ac2ad@mail.gmail.com>
Message-ID:

Glenn Steen wrote:
>
> In the somewhat backward world of financial information, gifs are if
> not common, at least an everyday occurrence. Usually in that
> all-too-spamlike maillist that the users just *have* to have... Sigh.
> Not to mention the occasional IFrame, Script tag or Object
> Codebase..... They do their damnedest to make my
> life...interesting:-).
> Could give some example stats if you're really interested:-)

Thanks Glen, but just knowing I'd probably be shooting myself in the foot (or at least some of my users in the feet ) is probably sufficient not to get too aggressive for the time being.

Things are getting better since last week. I should have done it a year ago, but I finally got a milter in place that does both sender and recipient lookups. Man, what a difference!
On my tertiary MX, which gets almost no valid emails, I went from around 850 messages processed around 6:45 am to just a couple hundred. On my secondary, I went from around 150-250 to 20. Dropping them at the MTA level has really cleaned out a lot of the chaff from the wheat. I only had one place call w/a problem - they were sending from a valid address, but it was foreign to the host they were sending from so the sender verification failed. I had to whitelist it as it was some important stuff for our police dept.

Last year I did the greet pause thing in sendmail with similar results - after applying it, I saw about 1/10th the traffic coming in. These two simple things probably reduced the spam load more than anything else. Of course, what's left is the craftier spam and that's where the beauty of MailScanner comes in. Without it, it would be much harder to integrate all the various pieces of the puzzle!

Have a great weekend all...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ssilva at sgvwater.com Fri Sep 1 23:16:08 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 1 23:18:39 2006
Subject: Pointless SPAM containing story snippet - Why?
In-Reply-To: <223f97700609011416m51c843f1s64b7cb7748ac2ad@mail.gmail.com>
References: <44F86385.7090601@yeticomputers.com> <223f97700609011416m51c843f1s64b7cb7748ac2ad@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 9/1/2006 2:16 PM:
> On 01/09/06, Kevin Miller wrote:
>> Rick Chadderdon wrote:
>> > I've gotten a few of those, too. Since they're structured identically
>> > to most of the image spam I get (minus the image), my guess is that
>> > they're someone's broken attempt to send image spam. Probably pointed
>> > their spam sending program at the wrong image folder or something.
>> > The text portion of those messages might be an attempt to poison a
>> > Bayes database, although it might simply be an effort to avoid getting
>> > filtered for "not enough text" with an attached image. I'm about an
>> > inch away from dropping all mail with inline images. I'll train my
>> > users to zip 'em up first and have their families do the same.
>>
>> I wouldn't want to disallow all image files, but might consider just
>> blocking gifs. Wonder what percentage of valid emails use a gif - seems
>> that most users either send in jpg, tif or (sigh) bmp. The gifs all
>> come in via the stock spam. I suppose that some html newsletters and
>> such may have a gif in them, but usually they use remote links to keep
>> their costs down...
>>
>> ...Kevin
>
> In the somewhat backward world of financial information, gifs are if
> not common, at least an everyday occurrence. Usually in that
> all-too-spamlike maillist that the users just *have* to have... Sigh.
> Not to mention the occasional IFrame, Script tag or Object
> Codebase..... They do their damnedest to make my
> life...interesting:-).
> Could give some example stats if you're really interested:-)
>
> Cheers
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

Hey Glenn,
Shouldn't you be gearing up for the weekend?
It must be near midnight there.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From glenn.steen at gmail.com Fri Sep 1 23:41:38 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 1 23:41:42 2006
Subject: Pointless SPAM containing story snippet - Why?
In-Reply-To:
References: <44F86385.7090601@yeticomputers.com> <223f97700609011416m51c843f1s64b7cb7748ac2ad@mail.gmail.com>
Message-ID: <223f97700609011541t2faaba5ase215bade0397eee3@mail.gmail.com>

On 02/09/06, Scott Silva wrote:
(snip)
> Hey Glenn,
> Shouldn't you be gearing up for the weekend?
> It must be near midnight there.
>
Oh yes, half past actually. Gearing up for another barbaric Swedish
"food rite" for tomorrow... Crayfish... Like eating seabugs boiled in
dill:-) Much tastier than the fermented herring (Note to Jules, not
the tasty pickled herring... this is the stuff that puts noses out of
joint and hair on ones chest:-):-)... Same type of drink though...
Snaps/Akvavit mostly:-).
For now, I'm just up trying to mail off some hefty mp3s (choir
practise things, no illicit stuff) and fighting the diverse midi
players that come with Ubuntu (for some reason timidity just don't
play (bad pun, I know:-).
Oh well, back to the battle (and sorry all for this repeat
off-topic-offense:)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Fri Sep 1 23:46:03 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 1 23:48:36 2006
Subject: Pointless SPAM containing story snippet - Why?
In-Reply-To: <223f97700609011541t2faaba5ase215bade0397eee3@mail.gmail.com>
References: <44F86385.7090601@yeticomputers.com> <223f97700609011416m51c843f1s64b7cb7748ac2ad@mail.gmail.com> <223f97700609011541t2faaba5ase215bade0397eee3@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 9/1/2006 3:41 PM:
> On 02/09/06, Scott Silva wrote:
> (snip)
>> Hey Glenn,
>> Shouldn't you be gearing up for the weekend?
>> It must be near midnight there.
>>
> Oh yes, half past actually. Gearing up for another barbaric Swedish
> "food rite" for tomorrow... Crayfish... Like eating seabugs boiled in
> dill:-) Much tastier than the fermented herring (Note to Jules, not
> the tasty pickled herring... this is the stuff that puts noses out of
> joint and hair on ones chest:-):-)... Same type of drink though...
> Snaps/Akvavit mostly:-).
> For now, I'm just up trying to mail off some hefty mp3s (choir
> practise things, no illicit stuff) and fighting the diverse midi
> players that come with Ubuntu (for some reason timidity just don't
> play (bad pun, I know:-).
> Oh well, back to the battle (and sorry all for this repeat
> off-topic-offense:)

Merry weekend!!!
With the massive mails, I had better luck sticking them on a web page and just mailing links. I always had someone who had a message size limit 1k less than what I was sending.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From zenith.tang at gmail.com Sat Sep 2 06:29:08 2006
From: zenith.tang at gmail.com (Zenith Tang)
Date: Sat Sep 2 06:29:13 2006
Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0
Message-ID: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com>

I don't know why I can't receive the mailing list for each message.

Back to the topic, yes, I have changed virus.scanners.conf correspond to /opt/trend/isvw6. It should be the correct product, as I was able to use the 5.0 version successfully. I have also found that it has the isvw-scan utility and changed trend-wrapper from vscan to isvw-scan and corresponding paths and lib path but still fail.

Message: 21
Date: Fri, 1 Sep 2006 10:10:41 +0200
From: "Glenn Steen"
Subject: Re: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0
To: "MailScanner discussion" < mailscanner@lists.mailscanner.info>
Message-ID: <223f97700609010110t3feafbe1m3c0c2c039a893f94@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 01/09/06, Zenith Tang wrote:
> After I upgrade the Interscan Viruswall from 5.0 to 6.0, the MailScanner
> does not able to use Trend to scan virus. The 5.0 version uses vscan command
> to scan virus, but 6.0 does not have this command. It seems that the 6.0
> version does not compatible with MailScanner.
> Does anyone know how to make
> MailScanner able to use 6.0 to scan virus? Thanks!

Disclaimer: I don't use trend, but... Questions:
Does 6.0 install to the directory expected in virus.scanners.conf (third column)?
Is that really the "correct" product? Seems to me that the package including the "on-demand" scanning is the ServerProtect one... However (looking at the downloaded trial I just got) there seems to be an isw-scan utility... Might be one needs to just tweak the wrapper a bit:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060902/f263c675/attachment.html

From r.berber at computer.org Sat Sep 2 11:12:16 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Sat Sep 2 11:12:36 2006
Subject: No logging after upgrade
Message-ID:

Hi,

I upgraded to MS version 4.55.10 and after a few changes there are no MailScanner messages sent to the log.

The install script left Sys::Syslog version 0.17, and it was working when I started it with the default configuration by mistake, it complained about DBD::SQLite and later about wrong path to unrar, I installed DBD::SQLite and put the correct configuration and restarted and after that nothing was output to the log.

Then I changed Sys::Syslog to version 0.18, restarted and no change.

Strange thing is that running "./MailScanner --lint" does produce the usual starting... message, and the process stays after reporting no errors.

Any ideas? How did I disable logging?

--
René
Berber

From ricardo.bernardes at centraldecomunicacao.pt Sat Sep 2 11:32:53 2006
From: ricardo.bernardes at centraldecomunicacao.pt (Ricardo Bernardes)
Date: Sat Sep 2 11:34:12 2006
Subject: Can't locate Sys/Hostname/Long.pm - Mailscanner-4.55.10-3
References: <037401c6cded$354363f0$350fa8c0@bcc.net>
Message-ID: <007c01c6ce7b$2707ce00$ff2b6757@bcc.net>

Douglas,

thanks a lot. it worked.

Ricardo

----- Original Message -----
From: Douglas Ward
To: MailScanner discussion
Sent: Friday, September 01, 2006 7:18 PM
Subject: Re: Can't locate Sys/Hostname/Long.pm - Mailscanner-4.55.10-3

I had this problem recently with another perl module. Try the following:

1. Open cpan to install perl modules with the following command: perl -MCPAN -e shell
2. You may need to update your cpan module (it will tell you).
3. Search for the missing package: i /Long/
4. install Sys::Hostname::Long (Could be wrong about the package name)

This fixed it for me.

On 9/1/06, Ricardo Bernardes-Mailscanner wrote:

Hello,

i've just upgraded my Mailscanner version, everything went OK but i'm not able to start Mailscanner. Get the following message:

MailScanner: Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 67.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 67.

RedHat 8.0
Mailscanner
Sendmail
SA

Help Please !

Thanks
Ricardo

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
Douglas Ward
Director of Information Technology
NC Methodist Conference
1307 Glenwood Ave.
Raleigh, NC 27605
Work: (919) 832-9560 ext. 227
Fax: (919) 834-7989

------------------------------------------------------------------------------

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060902/bd950662/attachment.html

From martin.lyberg at gmail.com Sat Sep 2 11:42:42 2006
From: martin.lyberg at gmail.com (Martin)
Date: Sat Sep 2 11:43:02 2006
Subject: Debian package outdated?
In-Reply-To: <44F6FD3B.6050302@yeticomputers.com>
References: <223f97700608300440p350175d5r9eccfdbf4f3a7d2f@mail.gmail.com> <223f97700608300635i4319e087wcad89a5a35204eeb@mail.gmail.com> <223f97700608310145o7de6a35bj222c48ecca5438b2@mail.gmail.com> <223f97700608310323h3bae5f93i260d87cd0504693f@mail.gmail.com> <44F6FD3B.6050302@yeticomputers.com>
Message-ID:

Rick Chadderdon wrote:
> I asked myself this about nearly every package I had installed during my
> year-long Debian phase. I understand that it's not necessary to have
> the newest, shiniest stuff if everything is working, but that didn't
> suit my personality, so I was not a good match with Debian. If you want
> up-to-date packages, Debian is not the best choice of distros. If you
> want secure and stable with a minimum of maintenance, Debian works very
> well.

True. I used to go with Fedora before, but I tried Debian and I loooved the package-management, so I put up a new box with Postfix, Mailscanner, clamav etc, and was satisfied with the ease of installation. Though, I thought it was far behind with versions.
I just want to find a repository for getting the latest stable versions of the programs above. :)

/ Martin

From martin.lyberg at gmail.com Sat Sep 2 11:47:01 2006
From: martin.lyberg at gmail.com (Martin)
Date: Sat Sep 2 11:50:03 2006
Subject: Debian package outdated?
In-Reply-To:
References: <17655.1438.883294.598086@gargle.gargle.HOWL>
Message-ID:

Stephen Swaney wrote:
> I'm in the process of updating all of the basic Documentation. I can
> probably put together a copyright free version for distribution with Debian.
> It would be the basic Configuration and Installation instructions in text
> format.

I would be interested in this as well.

Thank you
/ Martin

From martin.lyberg at gmail.com Sat Sep 2 11:45:11 2006
From: martin.lyberg at gmail.com (Martin)
Date: Sat Sep 2 11:55:08 2006
Subject: Debian package outdated?
In-Reply-To: <042901c6cd11$07edf050$88c5c657@arthur>
References: <042901c6cd11$07edf050$88c5c657@arthur>
Message-ID:

Michele Neylon :: Blacknight Solutions wrote:
> Because it's in apt?
>
> Because Julian is overworked?

Michele, don't get me wrong, it was not my intention to demand a package for Debian made by Julian. Just thought there might be others out there, that were using other repos to get newer versions compiled by other people.

/ Martin

From bgmahesh at gmail.com Sun Sep 3 13:08:45 2006
From: bgmahesh at gmail.com (BG Mahesh)
Date: Sun Sep 3 13:08:48 2006
Subject: Anyone using zen.spamhaus.org?
Message-ID: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com>

hi

In spam.lists.conf I see,

spamhaus.org sbl.spamhaus.org.
spamhaus-XBL xbl.spamhaus.org.
SBL+XBL sbl-xbl.spamhaus.org.

http://www.spamhaus.org/zen/ says it is better to use zen.spamhaus.org
Should we delete the above 3 lines and replace it with

ZEN zen.spamhaus.org

and make the appropriate changes in MailScanner.conf?

--
-- B.G. Mahesh

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060903/efbe8e30/attachment.html

From drew at themarshalls.co.uk Sun Sep 3 15:20:12 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Sun Sep 3 15:20:31 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com>
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com>
Message-ID: <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net>

On Sun, September 3, 2006 13:08, BG Mahesh wrote:
> hi
>
> In spam.lists.conf I see,
>
> spamhaus.org sbl.spamhaus.org.
> spamhaus-XBL xbl.spamhaus.org.
> SBL+XBL sbl-xbl.spamhaus.org.
>
> http://www.spamhaus.org/zen/ says it is better to use zen.spamhaus.org
> Should we delete the above 3 lines and replace it with
>
> ZEN zen.spamhaus.org
>
> and make the appropriate changes in MailScanner.conf?

Personally, I agree and use zen already at SMTP stage however there are some considerations:

Should people be encouraged to use the MailScanner spam lists as most seem
to agree the conservative lists are better used at SMTP stage and the more
aggressive lists in SA for scoring (Or even all in SA)?

It removes freedom of choice as the zen list a combination of the others
so it could be that people want to only use sbl and not the others.

Having said that, I think it would be worth adding zen to the list and
either including a url with details of what each list is/ does or similar
comment.

My 2/100 of your local currency.

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From P.G.M.Peters at utwente.nl Sun Sep 3 15:54:25 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Sun Sep 3 15:54:28 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net>
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net>
Message-ID: <44FAECA1.2040800@utwente.nl>

Drew Marshall wrote on 09/03/2006 04:20 PM:
> Should people be encouraged to use the MailScanner spam lists as most seem
> to agree the conservative lists are better used at SMTP stage and the more
> aggressive lists in SA for scoring (Or even all in SA)?
>
> It removes freedom of choice as the zen list a combination of the others
> so it could be that people want to only use sbl and not the others.
>
> Having said that, I think it would be worth adding zen to the list and
> either including a url with details of what each list is/ does or similar
> comment.

I find it disturbing to see spam-sources and policy based entries in one and the same list. So it is harder to make your own policy based on the kind of client that is connecting.

--
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From mailscanner at PDSCC.COM Sun Sep 3 19:42:50 2006
From: mailscanner at PDSCC.COM (Harondel J. Sibble)
Date: Sun Sep 3 19:42:59 2006
Subject: maq entry missing - large bayes database
In-Reply-To:
References: <200608301817.k7UIHAE1014729@sinclaire.sibble.net>, <200608302007.k7UK74V4015015@sinclaire.sibble.net>,
Message-ID: <200609031842.k83IgoiZ031116@sinclaire.sibble.net>

On 30 Aug 2006 at 15:24, Scott Silva wrote:

> can you run ls -al /etc/MailScanner/bayes and post the output. You should only
> have 3 or 4 files in that directory. My bayes dir is much smaller;
> # du -h /etc/MailScanner/bayes/
> 32M /etc/MailScanner/bayes/

There were literally thousands of files totalling 1.7gb....
:-(

So something is obviously wrong, in the end I just moved the files to a
directory under /var and tried running salearn with the expire and database
location switches, but it quickly runs through and says (from memory) there's
nothing to expire

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

From glenn.steen at gmail.com Sun Sep 3 20:29:32 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Sep 3 20:29:35 2006
Subject: maq entry missing - large bayes database
In-Reply-To: <200609031842.k83IgoiZ031116@sinclaire.sibble.net>
References: <200608301817.k7UIHAE1014729@sinclaire.sibble.net> <200608302007.k7UK74V4015015@sinclaire.sibble.net> <200609031842.k83IgoiZ031116@sinclaire.sibble.net>
Message-ID: <223f97700609031229s4494e467jafde69a570844033@mail.gmail.com>

On 03/09/06, Harondel J. Sibble wrote:
>
>
> On 30 Aug 2006 at 15:24, Scott Silva wrote:
>
> > can you run ls -al /etc/MailScanner/bayes and post the output. You should only
> > have 3 or 4 files in that directory. My bayes dir is much smaller;
> > # du -h /etc/MailScanner/bayes/
> > 32M /etc/MailScanner/bayes/
>
> There were literally thousands of files totalling 1.7gb....
>
> :-(

Were they "*expire*" files? If so, they're just leftover crud from failed/timed-out expire runs ... just delete them.
> So something is obviously wrong, in the end I just moved the files to a
> directory under /var and tried running salearn with the expire and database
> location switches, but it quickly runs through and says (from memory) there's
> nothing to expire

Which would be true if you had at least one pretty recent successful expire;)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From raymond at prolocation.net Sun Sep 3 20:35:16 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Sun Sep 3 20:35:13 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com>
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com>
Message-ID:

Hi!

> In spam.lists.conf I see,
>
> spamhaus.org sbl.spamhaus.org.
> spamhaus-XBL xbl.spamhaus.org.
> SBL+XBL sbl-xbl.spamhaus.org.
>
> http://www.spamhaus.org/zen/ says it is better to use zen.spamhaus.org
> Should we delete the above 3 lines and replace it with
>
> ZEN zen.spamhaus.org
>
> and make the appropriate changes in MailScanner.conf?

I think it's a little early to do this now. In some months it's more appropriate.

ZEN = SBL-XBL + PBL

The PBL is in development and is not available for querying by mail servers yet. Further information will be published as we finalize a release date.

So let's just wait till Spamhaus officially releases the list shall we :)

Bye,
Raymond.

From raymond at prolocation.net Sun Sep 3 20:41:57 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Sun Sep 3 20:41:54 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net>
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net>
Message-ID:

Hi!
> Should people be encouraged to use the MailScanner spam lists as most seem
> to agree the conservative lists are better used at SMTP stage and the more
> aggressive lists in SA for scoring (Or even all in SA)?
>
> It removes freedom of choice as the zen list a combination of the others
> so it could be that people want to only use sbl and not the others.
>
> Having said that, I think it would be worth adding zen to the list and
> either including a url with details of what each list is/ does or similar
> comment.

I don't think you have gotten much hits on PBL right? The list is somehow empty. We sync the list also, there is like 4 entries in the list right now. It's still in beta.

It does not remove freedom, you can filter with the bits it returns.

127.0.0.2 SBL
127.0.0.4 CBL
127.0.0.5 NJABL

And so on ... it only saves lookups on the nameservers if you just use one list.

Bye,
Raymond.

From raymond at prolocation.net Sun Sep 3 20:44:01 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Sun Sep 3 20:43:59 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <44FAECA1.2040800@utwente.nl>
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl>
Message-ID:

Hi!

>> Having said that, I think it would be worth adding zen to the list and
>> either including a url with details of what each list is/ does or similar
>> comment.

> I find it disturbing to see spam-sources and policy based entries in one
> and the same list. So it is harder to make your own policy based on the
> kind of client that is connecting.

Not if they return a code that you can filter, right?

One thing they should adopt I think is the way of coding we do with SURBL right now, there you see with every hit what sublists it's in and decide what to do with it.

I personally love the idea of a single dsbl lookup with *ALL* available RBL's inside and filter on subcodes.
This would make mailprocessing MUCH faster saving a zillion lookups for every mail, if one could do the same.

Bye,
Raymond.

From ugob at camo-route.com Sun Sep 3 20:52:49 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Sun Sep 3 20:53:05 2006
Subject: OT: Sendmail restriction
In-Reply-To: <8f54b4330608311122h5708c8ewf647d91ce2aec7e1@mail.gmail.com>
References: <8f54b4330608311102t19ea781cn329d7a2ae2bfb167@mail.gmail.com> <8f54b4330608311122h5708c8ewf647d91ce2aec7e1@mail.gmail.com>
Message-ID:

Nathan Olson wrote:
> http://www.sendmail.org/m4/features.html
>
> Look for compat_check
>
> Nate
>

I got an answer on another newsgroup. Haven't tried it yet.

FYI
http://thread.gmane.org/gmane.linux.centos.general/27221/focus=27323

Ugo

From P.G.M.Peters at utwente.nl Sun Sep 3 22:03:11 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Sun Sep 3 22:03:17 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl>
Message-ID: <44FB430F.8040608@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Raymond Dijkxhoorn wrote on 09/03/2006 09:44 PM:
> Hi!
>
>>> Having said that, I think it would be worth adding zen to the list and
>>> either including a url with details of what each list is/ does or
>>> similar
>>> comment.
>
>> I find it disturbing to see spam-sources and policy based entries in one
>> and the same list. So it is harder to make your own policy based on the
>> kind of client that is connecting.
>
> Not if they return a code that you can filter, right?

I haven't found anything that indicates MS or SA uses the code that is returned.
--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From raymond at prolocation.net Sun Sep 3 22:16:04 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Sun Sep 3 22:16:01 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <44FB430F.8040608@utwente.nl>
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com>
    <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net>
    <44FAECA1.2040800@utwente.nl>
    <44FB430F.8040608@utwente.nl>
Message-ID:

Hi!

>>>> Having said that, I think it would be worth adding zen to the list and
>>>> either including a url with details of what each list is/ does or
>>>> similar
>>>> comment.

>>> I find it disturbing to see spam-sources and policy based entries in one
>>> and the same list. So it is harder to make your own policy based on the
>>> kind of client that is connecting.

>> Not if they return a code that you can filter, right?

> I haven't found anything that indicates MS or SA uses the code that is
> returned.

So let's ask Julian to have a look at that. Would save a lot of lookups.

On the other hand, I think still it's rather silly to do the RBL blocking
with MailScanner. Let either your mailer or SA do that :P

Bye,
Raymond.
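The filtering on return codes discussed in this thread (one lookup against a combined zone, then a decision per sublist and per recipient), as an added example that is not part of any poster's message and is not MailScanner or SpamAssassin code. The function names, the two recipient policies, the constructed DNS answers and the two PBL codes are assumptions of this example; the other three codes are the ones quoted in the thread.

```python
"""Filter a combined DNSBL zone by return code (offline sketch)."""
import ipaddress

# Return codes of the combined zone. The first three are the ones quoted in
# the thread; the two PBL codes are an assumption added for this example.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.4": "CBL",
    "127.0.0.5": "NJABL",
    "127.0.0.10": "PBL",  # assumption, not from the thread
    "127.0.0.11": "PBL",  # assumption, not from the thread
}
SPAM_SOURCE = {"SBL", "CBL", "NJABL"}  # listings of observed spam sources
POLICY = {"PBL"}                       # policy-based listings
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(client_ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("IPv4 only in this sketch")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def sublists(answers, codes=ZEN_CODES):
    """Map the A records of one lookup to sublist names.

    Answers outside 127.0.0.0/8 (for instance from a resolver that rewrites
    NXDOMAIN) and unknown 127.x codes are returned separately and never
    count as a listing.
    """
    hits, ignored = set(), []
    for answer in answers:
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            ignored.append(answer)
            continue
        in_range = addr.version == 4 and addr in LOOPBACK
        name = codes.get(str(addr)) if in_range else None
        if name is None:
            ignored.append(answer)
        else:
            hits.add(name)
    return hits, ignored


def decide(client_ip, policy, resolve):
    """One lookup, then a per-recipient decision: reject, tag or accept."""
    hits, ignored = sublists(resolve(query_name(client_ip)))
    if hits & policy["reject"]:
        action = "reject"
    elif hits & policy["tag"]:
        action = "tag"
    else:
        action = "accept"
    return action, sorted(hits), ignored


# Two hypothetical recipient policies: one rejects known spam sources and only
# tags policy listings, the other never rejects and tags everything.
STRICT = {"reject": SPAM_SOURCE, "tag": POLICY}
TAG_ONLY = {"reject": set(), "tag": SPAM_SOURCE | POLICY}

# Constructed DNS answers for documentation addresses, standing in for a resolver.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.10"],
    "5.113.0.203.zen.spamhaus.org": ["203.0.113.99"],  # not a listing code
}


def fake_resolve(name):
    """Return the constructed A records; an empty list models NXDOMAIN."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.200"):
        for label, policy in (("strict", STRICT), ("tag-only", TAG_ONLY)):
            print(ip, label, decide(ip, policy, fake_resolve))
```

The same client can be rejected for one recipient and only tagged for another from a single DNS answer, which is the mixed-list concern raised above; the return-code table should be checked against the list operator's current documentation before use.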
From naolson at gmail.com Mon Sep 4 00:55:05 2006
From: naolson at gmail.com (Nathan Olson)
Date: Mon Sep 4 00:55:08 2006
Subject: OT: Sendmail restriction
In-Reply-To:
References: <8f54b4330608311102t19ea781cn329d7a2ae2bfb167@mail.gmail.com>
    <8f54b4330608311122h5708c8ewf647d91ce2aec7e1@mail.gmail.com>
Message-ID: <8f54b4330609031655w2aeb298bibdf88d4bf202c0ad@mail.gmail.com>

What was wrong with check_compat?
Just asking. :)

Nate

From P.G.M.Peters at utwente.nl Mon Sep 4 07:00:43 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Mon Sep 4 07:00:46 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com>
    <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net>
    <44FAECA1.2040800@utwente.nl>
    <44FB430F.8040608@utwente.nl>
Message-ID: <44FBC10B.5070004@utwente.nl>

Raymond Dijkxhoorn wrote on 09/03/2006 11:16 PM:
> On the other hand, i think still its rather silly to do the RBL blocking
> with MailScanner. Let either your mailer or SA do that :P

I can't use most of the RBL's I have configured in MS to block. They
provide our users with extra tags to filter on. I check for Chinese,
Brazilian etc sources. A lot of students don't want anything from those
countries but the students from those countries want that mail. I use
both L1 and L2 of SPEWS because some want the possibility to block on L2
also. For our Chinese students I even have special SA rules that detect
real Chinese spam.
--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From jon.bates at summitmotors.com.au Mon Sep 4 08:05:26 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Mon Sep 4 08:05:46 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: <200609011100.k81B0HsJ000860@bkserver.blacknight.ie>
Message-ID: <00bb01c6cff0$8034c340$5864a8c0@jonlaptop>

I had this exact issue this morning. It's interesting that we got the same
issue around the same time! I found the problem to be directly related to
the size of the "Blacklist" SARE rule files. They were very very large
(like 15 odd MB!). As soon as I removed these my problems were solved. The
mailscanner processes were using 249MB each and bogging down to the point
where a batch with only one small message would take 600 seconds to
complete.

I've been using RulesDuJour as well, but I'm not sure how the problem only
started suddenly for the both of us.. Interesting.

I would check the multiple locations that spamassassin can pick these files
up from as well, because I found another copy of the files lurking
elsewhere. Check spamassassin lint to make sure that the offending lists
definitely aren't being used.

- Jon Bates

From drew at themarshalls.co.uk Mon Sep 4 09:00:43 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Mon Sep 4 09:01:27 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl> Message-ID: <54472.194.70.180.170.1157356843.squirrel@www.r-bit.net> On Sun, September 3, 2006 20:44, Raymond Dijkxhoorn wrote: > I personally love the idea of a single dsbl lookup with *ALL* available > RBL's inside and filter on subcodes. This would make mailprocessing MUCH > faster saving a zillion lookups for every mail, if one could do the same. Totally agreed. Reduces bandwidth, look up time, processing etc, etc. I wonder how feasable this could be... Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From raymond at prolocation.net Mon Sep 4 09:06:24 2006 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Mon Sep 4 09:06:45 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <54472.194.70.180.170.1157356843.squirrel@www.r-bit.net> References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl> <54472.194.70.180.170.1157356843.squirrel@www.r-bit.net> Message-ID: Hi! >> I personally love the idea of a single dsbl lookup with *ALL* available >> RBL's inside and filter on subcodes. This would make mailprocessing MUCH >> faster saving a zillion lookups for every mail, if one could do the same. > Totally agreed. Reduces bandwidth, look up time, processing etc, etc. > I wonder how feasable this could be... Its possible but you have to check TTL times on the zones and also need rsync access on the zones and so. Have been playing with this a couple of times the parsing takes some time also, since its a couple of million records... Bye, Raymond. 
From matt at coders.co.uk Mon Sep 4 10:40:15 2006 From: matt at coders.co.uk (Matt Hampton) Date: Mon Sep 4 10:40:27 2006 Subject: OT: Sendmail restriction In-Reply-To: <8f54b4330609031655w2aeb298bibdf88d4bf202c0ad@mail.gmail.com> References: <8f54b4330608311102t19ea781cn329d7a2ae2bfb167@mail.gmail.com> <8f54b4330608311122h5708c8ewf647d91ce2aec7e1@mail.gmail.com> <8f54b4330609031655w2aeb298bibdf88d4bf202c0ad@mail.gmail.com> Message-ID: <44FBF47F.9090307@coders.co.uk> Nathan Olson wrote: > What was wrong with check_compat? > Just asking. :) > > Nate > How would you implement this using check_compat? I couldn't see how to do this either? matt From ram at netcore.co.in Mon Sep 4 11:59:04 2006 From: ram at netcore.co.in (Ramprasad) Date: Mon Sep 4 11:57:03 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl> <44FB430F.8040608@utwente.nl> Message-ID: <1157367545.1082.65.camel@darkstar.netcore.co.in> > On the other hand, i think still its rather silly to do the RBL blocking > with MailScanner. Let either your mailer or SA do that :P > Why ? Can you please elaborate on this ? Having your MTA do the RBL checks may not always be possible. What If I want to whitelist some ids of turnoff scan for some recipient ids From Chris.Russell at knowledgeit.co.uk Mon Sep 4 12:53:41 2006 From: Chris.Russell at knowledgeit.co.uk (Chris Russell) Date: Mon Sep 4 12:53:49 2006 Subject: Anyone using zen.spamhaus.org? Message-ID: <1638CDD827D51E4D8E9B2741290E1C9170A9AC@xcelsior> > On the other hand, i think still its rather silly to do the RBL > blocking with MailScanner. Let either your mailer or SA do that :P > > Why ? Can you please elaborate on this ? If you trust the list, then why add additional load to your box by spam scanning (with the associated overheads) when you can reject at SMTP time. 
> Having your MTA do the RBL checks may not always be possible. What If I want to whitelist some ids of turnoff scan > for some recipient ids Its not as bad as you may think, for example, with Exim, you can use conditions in ACL's to determine what is scanned and what is not. For example, we use Exim and SQL and have SQL based settings and whitelists. In essence we do exactly what your "what if" question asks :) Cheers Chris The contents of this e-mail may be privileged and are confidential. It may not be disclosed to or used by anyone other than the addressee(s), nor copied in any way. Any views or opinions presented are solely those of the author and do not necessarily represent those of Knowledge Limited. If received in error, please advise the sender, then delete it from your system. From rabollinger at gmail.com Mon Sep 4 14:46:17 2006 From: rabollinger at gmail.com (Richard Bollinger) Date: Mon Sep 4 14:46:21 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? Message-ID: <7744a2840609040646j639867bat4855e494f76a4645@mail.gmail.com> Why is it forbidden to browse http://www.mailscanner.info/files/4 ? Was the apache configuration changed on purpose at the end of May? If so, why? For an open source project, one would assume there are no secrets to hide. Thanks, Rich B Here's what I get with lynx http://www.mailscanner.info/files/4: 403 Forbidden Forbidden You don't have permission to access /files/4/ on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. _________________________________________________________________ Apache/1.3.35 Server at www.mailscanner.info Port 80 From jethro.binks at strath.ac.uk Mon Sep 4 15:03:10 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Mon Sep 4 15:03:13 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? 
In-Reply-To: <7744a2840609040646j639867bat4855e494f76a4645@mail.gmail.com> References: <7744a2840609040646j639867bat4855e494f76a4645@mail.gmail.com> Message-ID: <20060904150021.W96869@defjam.cc.strath.ac.uk> On Mon, 4 Sep 2006, Richard Bollinger wrote: > For an open source project, one would assume there are no secrets to > hide. I'm struggling to see how you stumbled into this assumption. There could be many reasons why the web site administrator doesn't want you to see what is in there, perhaps nothing to do with MailScanner. Maybe it isn't a secret, just "not ready". Or maybe it is just a simple mistake. Maybe this is just a troll post. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From walmiro_muzzi at yahoo.com.br Mon Sep 4 15:37:56 2006 From: walmiro_muzzi at yahoo.com.br (Walmiro Muzzi) Date: Mon Sep 4 15:38:05 2006 Subject: Restart problem Message-ID: <44FC3A44.1070109@yahoo.com.br> Hi all, everytime I restart MailScanner, the verification of emails stops and they are not delivered to mailbox. I need to restart it once more to normalize the situation. The MS gets the waiting messages, checks them up and deliver correctly. How can I solve this?!?!?! I need MailScanner active on the first re-initialization! Thank you. []s Walmiro Muzzi From alex at nkpanama.com Mon Sep 4 16:09:41 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Sep 4 16:10:05 2006 Subject: Restart problem In-Reply-To: <44FC3A44.1070109@yahoo.com.br> References: <44FC3A44.1070109@yahoo.com.br> Message-ID: <44FC41B5.8020200@nkpanama.com> Walmiro Muzzi wrote: > Hi all, > > > everytime I restart MailScanner, the verification of emails stops and > they are not delivered to mailbox. > > I need to restart it once more to normalize the situation. The MS gets > the waiting messages, checks them up and deliver correctly. How can I > solve this?!?!?! 
I need MailScanner active on the first re-initialization! > > Thank you. > > > []s > Walmiro Muzzi Did you disable sendmail? From miguelk at konsultex.com.br Mon Sep 4 16:34:44 2006 From: miguelk at konsultex.com.br (Miguel Koren O'Brien de Lacy) Date: Mon Sep 4 16:35:24 2006 Subject: Restart problem In-Reply-To: <44FC3A44.1070109@yahoo.com.br> References: <44FC3A44.1070109@yahoo.com.br> Message-ID: <44FC4794.5080901@konsultex.com.br> Walmiro; I found that the script does not always stop mailscanner, so when I restart port 25 is in use and so MialScanner does not work. What I do is to explicitly stop sendmail too right after stopping MailScanner. This may be a Fedora issue. Miguel Walmiro Muzzi wrote: >Hi all, > > > everytime I restart MailScanner, the verification of emails stops and >they are not delivered to mailbox. > >I need to restart it once more to normalize the situation. The MS gets >the waiting messages, checks them up and deliver correctly. How can I >solve this?!?!?! I need MailScanner active on the first re-initialization! > >Thank you. > > >[]s >Walmiro Muzzi > > -- Esta mensagem foi verificada pelo sistema de antiv?rus e acredita-se estar livre de perigo. From sandrews at andrewscompanies.com Mon Sep 4 16:38:07 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Mon Sep 4 16:38:11 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? Message-ID: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> Most people don't allow file browse in webfolders. I think it's time to take your tinfoil hat off. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Bollinger Sent: Monday, September 04, 2006 9:46 AM To: mailscanner@lists.mailscanner.info Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? Why is it forbidden to browse http://www.mailscanner.info/files/4 ? 
Was the apache configuration changed on purpose at the end of May? If so, why? For an open source project, one would assume there are no secrets to hide. Thanks, Rich B Here's what I get with lynx http://www.mailscanner.info/files/4: 403 Forbidden Forbidden You don't have permission to access /files/4/ on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. _________________________________________________________________ Apache/1.3.35 Server at www.mailscanner.info Port 80 -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From philip at zeiglers.net Mon Sep 4 16:54:13 2006 From: philip at zeiglers.net (Philip Zeigler) Date: Mon Sep 4 16:54:25 2006 Subject: Restart problem In-Reply-To: <44FC4794.5080901@konsultex.com.br> References: <44FC3A44.1070109@yahoo.com.br> <44FC4794.5080901@konsultex.com.br> Message-ID: <905842108-1157385254-cardhu_blackberry.rim.net-2099532887-@bwe038-cell00.bisx.prod.on.blackberry> I have the same issue with FC5. Worked fine on FC4 and prior. Philip -----Original Message----- From: "Miguel Koren O'Brien de Lacy" Date: Mon, 04 Sep 2006 12:34:44 To:MailScanner discussion Subject: Re: Restart problem Walmiro; I found that the script does not always stop mailscanner, so when I restart port 25 is in use and so MialScanner does not work. What I do is to explicitly stop sendmail too right after stopping MailScanner. This may be a Fedora issue. Miguel Walmiro Muzzi wrote: >Hi all, > > > everytime I restart MailScanner, the verification of emails stops and >they are not delivered to mailbox. > >I need to restart it once more to normalize the situation. The MS gets >the waiting messages, checks them up and deliver correctly. How can I >solve this?!?!?! 
I need MailScanner active on the first re-initialization! > >Thank you. > > >[]s >Walmiro Muzzi > > -- Esta mensagem foi verificada pelo sistema de antiv?rus e acredita-se estar livre de perigo. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dhawal at netmagicsolutions.com Mon Sep 4 16:58:40 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Mon Sep 4 16:58:57 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> Message-ID: <44FC4D30.8050509@netmagicsolutions.com> sandrews@andrewscompanies.com wrote: > Most people don't allow file browse in webfolders. I think it's time to > take your tinfoil hat off. The files section would perform a directory listing till some time back. Maybe Julian decided to change that.. Best to wait for his response.. - dhawal > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard > Bollinger > Sent: Monday, September 04, 2006 9:46 AM > To: mailscanner@lists.mailscanner.info > Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? > > Why is it forbidden to browse http://www.mailscanner.info/files/4 ? > Was the apache configuration changed on purpose at the end of May? If > so, why? For an open source project, one would assume there are no > secrets to hide. 
> > Thanks, Rich B > > Here's what I get with lynx http://www.mailscanner.info/files/4: > > 403 > Forbidden > > Forbidden > > You don't have permission to access /files/4/ on this server. > > Additionally, a 404 Not Found error was encountered while trying to > use an ErrorDocument to handle the request. > _________________________________________________________________ > > > Apache/1.3.35 Server at www.mailscanner.info Port 80 From walmiro_muzzi at yahoo.com.br Mon Sep 4 17:17:39 2006 From: walmiro_muzzi at yahoo.com.br (Walmiro Muzzi) Date: Mon Sep 4 17:17:47 2006 Subject: Restart problem In-Reply-To: <44FC41B5.8020200@nkpanama.com> References: <44FC3A44.1070109@yahoo.com.br> <44FC41B5.8020200@nkpanama.com> Message-ID: <44FC51A3.6070403@yahoo.com.br> Yes, sendmail is disable. []s Walmiro Muzzi Alex Neuman van der Hans wrote: > Walmiro Muzzi wrote: > >> Hi all, >> >> >> everytime I restart MailScanner, the verification of emails stops and >> they are not delivered to mailbox. >> >> I need to restart it once more to normalize the situation. The MS gets >> the waiting messages, checks them up and deliver correctly. How can I >> solve this?!?!?! I need MailScanner active on the first >> re-initialization! >> >> Thank you. >> >> >> []s >> Walmiro Muzzi > > Did you disable sendmail? From walmiro_muzzi at yahoo.com.br Mon Sep 4 17:18:39 2006 From: walmiro_muzzi at yahoo.com.br (Walmiro Muzzi) Date: Mon Sep 4 17:19:22 2006 Subject: Restart problem In-Reply-To: <905842108-1157385254-cardhu_blackberry.rim.net-2099532887-@bwe038-cell00.bisx.prod.on.blackberry> References: <44FC3A44.1070109@yahoo.com.br> <44FC4794.5080901@konsultex.com.br> <905842108-1157385254-cardhu_blackberry.rim.net-2099532887-@bwe038-cell00.bisx.prod.on.blackberry> Message-ID: <44FC51DF.2070700@yahoo.com.br> I'm using Debian Sarge 3.1. []s Walmiro Muzzi Philip Zeigler wrote: > I have the same issue with FC5. Worked fine on FC4 and prior. 
> > Philip > > > -----Original Message----- > From: "Miguel Koren O'Brien de Lacy" > Date: Mon, 04 Sep 2006 12:34:44 > To:MailScanner discussion > Subject: Re: Restart problem > > Walmiro; > > I found that the script does not always stop mailscanner, so when I > restart port 25 is in use and so MialScanner does not work. What I do is > to explicitly stop sendmail too right after stopping MailScanner. This > may be a Fedora issue. > > Miguel > > Walmiro Muzzi wrote: > > >>Hi all, >> >> >> everytime I restart MailScanner, the verification of emails stops and >>they are not delivered to mailbox. >> >>I need to restart it once more to normalize the situation. The MS gets >>the waiting messages, checks them up and deliver correctly. How can I >>solve this?!?!?! I need MailScanner active on the first re-initialization! >> >>Thank you. >> >> >>[]s >>Walmiro Muzzi >> >> > > From glenn.steen at gmail.com Mon Sep 4 18:41:32 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Sep 4 18:41:36 2006 Subject: Restart problem In-Reply-To: <44FC51DF.2070700@yahoo.com.br> References: <44FC3A44.1070109@yahoo.com.br> <44FC4794.5080901@konsultex.com.br> <905842108-1157385254-cardhu_blackberry.rim.net-2099532887-@bwe038-cell00.bisx.prod.on.blackberry> <44FC51DF.2070700@yahoo.com.br> Message-ID: <223f97700609041041w10c8a679x1fa7fea251e85951@mail.gmail.com> On 04/09/06, Walmiro Muzzi wrote: > I'm using Debian Sarge 3.1. > > > []s > Walmiro Muzzi > > Philip Zeigler wrote: > > I have the same issue with FC5. Worked fine on FC4 and prior. > > > > Philip > > > > > > -----Original Message----- > > From: "Miguel Koren O'Brien de Lacy" > > Date: Mon, 04 Sep 2006 12:34:44 > > To:MailScanner discussion > > Subject: Re: Restart problem > > > > Walmiro; > > > > I found that the script does not always stop mailscanner, so when I > > restart port 25 is in use and so MialScanner does not work. What I do is > > to explicitly stop sendmail too right after stopping MailScanner. 
This > > may be a Fedora issue. > > > > Miguel > > > > Walmiro Muzzi wrote: > > > > > >>Hi all, > >> > >> > >> everytime I restart MailScanner, the verification of emails stops and > >>they are not delivered to mailbox. > >> > >>I need to restart it once more to normalize the situation. The MS gets > >>the waiting messages, checks them up and deliver correctly. How can I > >>solve this?!?!?! I need MailScanner active on the first re-initialization! > >> > >>Thank you. > >> > >> > >>[]s > >>Walmiro Muzzi > >> > >> Isn't this the same issue hashed over a while back... That it takes a while (sometimes substantially so) for the sendmail waorkers to actually finish and die? Sometomes making the sleep interval in the init script not be enough, so that some linger when MS want to start up again? I might remember wrong, but check that first (I'm certainly to lazy to search the archives for you:-):-)... Stop MS, the grep ps for sendmail processess... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jrudd at ucsc.edu Mon Sep 4 20:17:28 2006 From: jrudd at ucsc.edu (John Rudd) Date: Mon Sep 4 20:18:08 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <1157367545.1082.65.camel@darkstar.netcore.co.in> References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl> <44FB430F.8040608@utwente.nl> <1157367545.1082.65.camel@darkstar.netcore.co.in> Message-ID: On Sep 4, 2006, at 3:59 AM, Ramprasad wrote: >> On the other hand, i think still its rather silly to do the RBL >> blocking >> with MailScanner. Let either your mailer or SA do that :P >> > Why ? Can you please elaborate on this ? As someone else pointed out: If you trust the RBL completely, then why not reject the message during the SMTP transaction, instead of waiting for MS to do it? 
If you only partially trust the RBL, then using MS's absolute RBL
nature is a bad idea, just use SA so that the RBL's decision is one of
many factors in the spam score.

If you don't trust the RBL at all, then turn it off in all places: MTA,
MS, and SA.

Note: none of the three situations say "use MS for handling the RBL".

> Having your MTA do the RBL checks may not always be possible. What If I
> want to whitelist some ids of turnoff scan for some recipient ids

sendmail access db and "delay checks" will let you over-ride the RBL's
behavior via access entries.

I honestly can't think of any reason you _would_ use MS's RBL facility.
It's as absolute as doing the RBL entry in the MTA, yet doesn't get
the advantage of rejecting the message during the SMTP transaction. It
doesn't offer me any flexibility over using RBL+access_db+delay_checks.
What's the point? (it's the one feature of MS whose point I've never
understood)

From miguelk at konsultex.com.br Mon Sep 4 21:02:44 2006
From: miguelk at konsultex.com.br (Miguel Koren O'Brien de Lacy)
Date: Mon Sep 4 21:03:00 2006
Subject: Restart problem
In-Reply-To: <223f97700609041041w10c8a679x1fa7fea251e85951@mail.gmail.com>
References: <44FC3A44.1070109@yahoo.com.br>
    <44FC4794.5080901@konsultex.com.br>
    <905842108-1157385254-cardhu_blackberry.rim.net-2099532887-@bwe038-cell00.bisx.prod.on.blackberry>
    <44FC51DF.2070700@yahoo.com.br>
    <223f97700609041041w10c8a679x1fa7fea251e85951@mail.gmail.com>
Message-ID: <44FC8664.7080008@konsultex.com.br>

Glenn;

Right, this is probably a timing issue. For me it's good enough to know
what the problem is and kill those processes manually. I usually have to
give it a "service sendmail stop" twice to kill them all.

Miguel

Glenn Steen wrote:

> On 04/09/06, Walmiro Muzzi wrote:
>
>> I'm using Debian Sarge 3.1.
>>
>>
>> []s
>> Walmiro Muzzi
>>
>> Philip Zeigler wrote:
>> > I have the same issue with FC5. Worked fine on FC4 and prior.
>> > >> > Philip >> > >> > >> > -----Original Message----- >> > From: "Miguel Koren O'Brien de Lacy" >> > Date: Mon, 04 Sep 2006 12:34:44 >> > To:MailScanner discussion >> > Subject: Re: Restart problem >> > >> > Walmiro; >> > >> > I found that the script does not always stop mailscanner, so when I >> > restart port 25 is in use and so MialScanner does not work. What I >> do is >> > to explicitly stop sendmail too right after stopping MailScanner. This >> > may be a Fedora issue. >> > >> > Miguel >> > >> > Walmiro Muzzi wrote: >> > >> > >> >>Hi all, >> >> >> >> >> >> everytime I restart MailScanner, the verification of emails stops and >> >>they are not delivered to mailbox. >> >> >> >>I need to restart it once more to normalize the situation. The MS gets >> >>the waiting messages, checks them up and deliver correctly. How can I >> >>solve this?!?!?! I need MailScanner active on the first >> re-initialization! >> >> >> >>Thank you. >> >> >> >> >> >>[]s >> >>Walmiro Muzzi >> >> >> >> > > > Isn't this the same issue hashed over a while back... That it takes a > while (sometimes substantially so) for the sendmail waorkers to > actually finish and die? Sometomes making the sleep interval in the > init script not be enough, so that some linger when MS want to start > up again? > I might remember wrong, but check that first (I'm certainly to lazy to > search the archives for you:-):-)... Stop MS, the grep ps for sendmail > processess... -- Esta mensagem foi verificada pelo sistema de antiv?rus e acredita-se estar livre de perigo. From P.G.M.Peters at utwente.nl Mon Sep 4 21:24:45 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Mon Sep 4 21:24:49 2006 Subject: Anyone using zen.spamhaus.org? 
In-Reply-To:
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com>
    <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net>
    <44FAECA1.2040800@utwente.nl>
    <44FB430F.8040608@utwente.nl>
    <1157367545.1082.65.camel@darkstar.netcore.co.in>
Message-ID: <44FC8B8D.2040703@utwente.nl>

John Rudd wrote on 09/04/2006 09:17 PM:

> Note: none of the three situations say "use MS for handling the RBL".

That is correct because you forgot one situation. Some customers trust
the RBL and some don't. And a customer can decide from one moment to the
other to trust or distrust a certain RBL.

> I honestly can't think of any reason you _would_ use MS's RBL facility.
> It's as absolute as doing the RBL entry in the MTA, yet doesn't get the
> advantage of rejecting the message during the SMTP transaction. It
> doesn't offer me any flexibility over using RBL+access_db+delay_checks.
> What's the point? (it's the one feature of MS whose point I've never
> understood)

It does one thing MS is good at: tagging mail.

--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From res at ausics.net Mon Sep 4 23:33:06 2006
From: res at ausics.net (Res)
Date: Mon Sep 4 23:33:37 2006
Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why?
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> Message-ID: On Mon, 4 Sep 2006, sandrews@andrewscompanies.com wrote: > Most people don't allow file browse in webfolders. I think it's time to > take your tinfoil hat off. a webfolder... must be a micro$oft thing :P perl -pi -e "s/webfolder/directory (use its real name not M\$ slang)/g;" * -- Cheers Res Aussie Open Source Hosting "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From glenn.steen at gmail.com Tue Sep 5 01:11:05 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 5 01:11:10 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl> <44FB430F.8040608@utwente.nl> <1157367545.1082.65.camel@darkstar.netcore.co.in> Message-ID: <223f97700609041711g3cefc474j55ba90a9db4321de@mail.gmail.com> On 04/09/06, John Rudd wrote: > > On Sep 4, 2006, at 3:59 AM, Ramprasad wrote: > > >> On the other hand, i think still its rather silly to do the RBL > >> blocking > >> with MailScanner. Let either your mailer or SA do that :P > >> > > Why ? Can you please elaborate on this ? > > As someone else pointed out: If you trust the RBL completely, then why > not reject the message during the SMTP transaction, instead of waiting > for MS to do it? > > If you only partially trust the RBL, then using MS's absolute RBL > nature is a bad idea, just use SA so that the RBL's decision is one of > many factors in the spam score. > > If you don't trust the RBL at all, then turn it off in all places: MTA, > MS, and SA. > > Note: none of the three situations say "use MS for handling the RBL". > > > > Having your MTA do the RBL checks may not always be possible. 
What If I > > want to whitelist some ids of turnoff scan for some recipient ids > > sendmail access db and "delay checks" will let you over-ride the RBL's > behavior via access entries. > > > I honestly can't think of any reason you _would_ use MS's RBL facility. > It's as absolute as doing the RBL entry in the MTA, yet doesn't get > the advantage of rejecting the message during the SMTP transaction. It > doesn't offer me any flexibility over using RBL+access_db+delay_checks. > What's the point? (it's the one feature of MS whose point I've never > understood) > > Um, John... Not that I disagree terribly, but.... "The absolute nature" of MailScanners BL lookup scheme isn't really absolute (like some MTAs might do it... Well, not that absolute either:-). Sure, it's more absolute than SA, but... If you trust a very few lists to be absolutely certain (and don't want to reject them, probably because of "political/policy" reasons), its is a good tool. Or if you want the tag, but dont want to run SA... I'm sure brighter minds can extrapolate a few other good points for it:-). The main reasons often cited as to why one should avoid doing them in MS is 1) If you run SA, it'll do a better job at looking up more lists, and 2) MS will serialize the lookups while SA will do them in parallell... So true, most will want to do the very few in the MTA and the rest in SA, but then again, some will still prefer to do them in MS. I for one work under legislation that prohibit me from flat-out rejecting _based on sender alone_ (it's a bit more involved than that, but lets leave that:-), so my best bet is to let MS do my "trusted lists" (all two of them) and SA do the rest. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From james at grayonline.id.au Tue Sep 5 01:46:44 2006 From: james at grayonline.id.au (James Gray) Date: Tue Sep 5 01:47:05 2006 Subject: Ugh - when will they learn? 
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yet another challenge-response mail system, only this time neatly packaged for clueless desktop lusers:
http://www.comodoantispam.com/overview.html?currency=USD&region=North%20America&country=US

Thoughts?

Cheers,

James

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFE/Mj3wBHpdJO7b9ERAv7KAKCgOHouvCx/TgNpN6D6WZnLWPdJtACgr0EW
XybBIRCTi7Zb6wAtlb1zBmo=
=XiH2
-----END PGP SIGNATURE-----

From jrudd at ucsc.edu Tue Sep 5 02:49:36 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Tue Sep 5 02:50:14 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <223f97700609041711g3cefc474j55ba90a9db4321de@mail.gmail.com>
References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl> <44FB430F.8040608@utwente.nl> <1157367545.1082.65.camel@darkstar.netcore.co.in> <223f97700609041711g3cefc474j55ba90a9db4321de@mail.gmail.com>
Message-ID:

On Sep 4, 2006, at 5:11 PM, Glenn Steen wrote:

>
> I for one work under legislation that prohibit me from flat-out
> rejecting _based on sender alone_ (it's a bit more involved than that,
> but lets leave that:-)

What legislation is that?

(you can answer me off list if you think it's too OT or something)

From alex at nkpanama.com Tue Sep 5 02:54:18 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Sep 5 02:54:48 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <19911.84.92.123.1.1157293212.squirrel@www.r-bit.net> <44FAECA1.2040800@utwente.nl> <44FB430F.8040608@utwente.nl> <1157367545.1082.65.camel@darkstar.netcore.co.in> <223f97700609041711g3cefc474j55ba90a9db4321de@mail.gmail.com> Message-ID: <44FCD8CA.2020600@nkpanama.com> John Rudd wrote: > > On Sep 4, 2006, at 5:11 PM, Glenn Steen wrote: > >> >> I for one work under legislation that prohibit me from flat-out >> rejecting _based on sender alone_ (it's a bit more involved than that, >> but lets leave that:-) > > What legislation is that? > > (you can answer me off list if you think it's too OT or something) > I'd love to know as well... From bgmahesh at gmail.com Tue Sep 5 03:11:19 2006 From: bgmahesh at gmail.com (BG Mahesh) Date: Tue Sep 5 03:11:21 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> Message-ID: <5227ac5c0609041911p22ac9b50wd4a124fdcebfd78b@mail.gmail.com> Phew! I really did not mean to start off a war here ;-) I have been using zen with surgemail and it has been showing good results. How do I make sure I am not using RBL with SA AND MS? From the thread it appears I should be using it in SA only [how do I do that?] On 9/3/06, BG Mahesh wrote: > > > hi > > In spam.lists.conf I see, > > spamhaus.org sbl.spamhaus.org. > spamhaus-XBL xbl.spamhaus.org. > SBL+XBL sbl-xbl.spamhaus.org. > > http://www.spamhaus.org/zen/ says it is better to use zen.spamhaus.org > Should we delete the above 3 lines and replace it with > > ZEN zen.spamhaus.org > > and make the appropriate changes in MailScanner.conf? > > -- > -- > B.G. Mahesh > > -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060905/cbf2275f/attachment.html From michele at blacknight.ie Tue Sep 5 08:35:33 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Tue Sep 5 08:35:46 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? In-Reply-To: <44FC4D30.8050509@netmagicsolutions.com> References: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> <44FC4D30.8050509@netmagicsolutions.com> Message-ID: <44FD28C5.4040707@blacknight.ie> Dhawal Doshy wrote: > sandrews@andrewscompanies.com wrote: >> Most people don't allow file browse in webfolders. I think it's time to >> take your tinfoil hat off. > > The files section would perform a directory listing till some time back. > Maybe Julian decided to change that.. The site was hosted elsewhere up until recently :) -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From glenn.steen at gmail.com Tue Sep 5 08:37:54 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 5 08:37:56 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <44FCD8CA.2020600@nkpanama.com> References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <44FAECA1.2040800@utwente.nl> <44FB430F.8040608@utwente.nl> <1157367545.1082.65.camel@darkstar.netcore.co.in> <223f97700609041711g3cefc474j55ba90a9db4321de@mail.gmail.com> <44FCD8CA.2020600@nkpanama.com> Message-ID: <223f97700609050037r2b3bcf7foade77a554128e31d@mail.gmail.com> On 05/09/06, Alex Neuman van der Hans wrote: > John Rudd wrote: > > > > On Sep 4, 2006, at 5:11 PM, Glenn Steen wrote: > > > >> > >> I for one work under legislation that prohibit me from flat-out > >> rejecting _based on sender alone_ (it's a bit more involved than that, > >> but lets leave that:-) > > > > What legislation is that? 
> > > > (you can answer me off list if you think it's too OT or something) > > > I'd love to know as well... I'm not sure you really do, it's fairly specific to Sweden:-). This is pretty OT, so read on only if you're really interested;-) It's a brew of different (Swedish) laws governing "principal of availability and open equal dealing with all subjects"... Laws covering everything from freedom of speech(!) to how public documents are to be archived and handled. I'm certainly no lawyer, but thankfully a central .gov agency (Statskontoret for those who really want to know) has made a set of guidelines for us poor "public mailadmins" to follow. They're pretty generic, and open for _some_ interpretation, but paramount is that the collected body of laws does not allow us to use "generic blacklists" for rejecting messages. If I could somehow complement everything to know that a sender was actually a Swedish subject, then perhaps I could use BLs, but... Alas not now. This same legislation demands that any sorting/deleting has to be done by a person, so everything I accept (this is a key point) that turn out to be ... bad, I have to quarantine, so that a human can take care of the actual deletions. I bend this rule a bit, by just keeping the quarantine for three months... If no one has looked at it during that time,. it's not really my fault (well, I do give it a quick glance now and then:-):-). Now for the twist: I _can_ reject (at the MTA) things that are a) clearly not up to standards, and b) not destined for any recipient at us. So basically I can do a lot of early rejections... Just not based on BLs. Not even BLs geared at standards compliance (the guidelines are pretty forceful on this). Sigh. Isn't legislation _fun_..... This set of laws exist only in Sweden (to my knowledge), and are usually bundled up in a term like "the principle of public access" or somesuch (offentlighetsprincipen). 
Last I looked, our politicians were busy exporting this (which is actually mainly a good thing) to the EU, so ... we'll see what happens;) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at mango.zw Tue Sep 5 08:51:50 2006 From: mailscanner at mango.zw (Jim Holland) Date: Tue Sep 5 08:52:07 2006 Subject: Debian package outdated? In-Reply-To: <17655.1438.883294.598086@gargle.gargle.HOWL> Message-ID: On Thu, 31 Aug 2006, Matthias Klose wrote: > > Glenn Steen wrote: > > > > > quite a bit, version-wise. Jules has a debian package on his pages, > > > but i think you need dpkg it... Or can one set that as a separate apt > > > repository? > > > > Since we're talking about versions here, why is the Debian package only > > at 4.51.5-1 (link on mailscanner site is pointing to Debian unstable)? > > There are many versions released after this one. > > I have a recent package, but I don't know if it still makes sense to > provide the package in Debian. The recent releases don't ship any > documentation. Even the manual pages are dropped. Checked on the > website, which documentation could be included: > > - the online documentation doesn't have any copyright statements. > In this way it's not distributable by Debian. Please point me > to the copyright(s), if I'm wrong. > > - the online html documentation currently isn't really nice to > distribute, including all the advertising on every page. > > - The MailScanner-Manual-Version-1.0.5.pdf (which I currently cannot > find on the website anymore) has a copyright, which doesn't allow > distribution of MailScanner as free documentation. > > So we are down to a piece of software which Debian can only ship > without documentation. I'm not sure if that makes sense. MailScanner > itself may be still free software, but much of that status is lost > without free documentation. Julien, please correct me if I'm wrong. 
I would be very interested in seeing a Debian package for MailScanner, but given the rate of development of MailScanner it imposes a large burden on you to keep updating the Debian package so that it also remains current. And that is still subject to the software being able to meet all Debian's requirements for being an official package.

As an alternative, involving less work for you, why not simply recommend that Debian users install from the tarball (so they can always keep up to date), but provide some basic instructions on customising the installation for Debian?

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From martinh at solidstatelogic.com Tue Sep 5 09:04:59 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Sep 5 09:05:13 2006
Subject: Ugh - when will they learn?
In-Reply-To:
References:
Message-ID: <44FD2FAB.6040408@solidstatelogic.com>

James Gray wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yet another challenge-response mail system, only this time neatly
> packaged for clueless desktop lusers:
> http://www.comodoantispam.com/overview.html?currency=USD&region=North%20America&country=US
>
>
> Thoughts?
>
> Cheers,
>
> James
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (Darwin)
>
> iD8DBQFE/Mj3wBHpdJO7b9ERAv7KAKCgOHouvCx/TgNpN6D6WZnLWPdJtACgr0EW
> XybBIRCTi7Zb6wAtlb1zBmo=
> =XiH2
> -----END PGP SIGNATURE-----
> --MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

James

sigh along the line of some 'person'[1] on techrepublic who proposed a new smtp protocol where you have to register each server. Basically like spf but there's a central registrar of who's allowed to send from what domain. Then add whitelists and .....
the problem isn't SMTP it's the 'people'[2] who buy from them and therefore make them money.... [1] [2] replace with your own comments -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at mango.zw Tue Sep 5 09:22:02 2006 From: mailscanner at mango.zw (Jim Holland) Date: Tue Sep 5 09:22:09 2006 Subject: List of variables for substitution in reports? In-Reply-To: Message-ID: On Thu, 31 Aug 2006, David Lee wrote: > Julian: The end of a typical report (e.g. "recipient.spam.report.txt") > has a 'signature' such as: > > ----------- snip --------------- > MailScanner > Email Virus Scanner > %org-long-name% > %web-site% > > For all your IT requirements visit: http://www.transtec.co.uk > ----------- snip --------------- > > Our site likes to keep local changes to a minimum, so we try to take your > reports as they are. > > But that final advertisement line isn't appropriate for our site. (And I > would guess that we probably aren't alone in this.) Having to chop it out > means a lot of potentially unnecessary maintenance effort as new versions > of MS go in and their potentially changed reports have to be checked and > reconciled. > > I can understand that you (as MS author) want to give recognition to one > of your sponsors where reasonably possible. Fair enough; fine. > > So could I suggest that you introduce a new variable, such as %sponsor%, > and use that in your reports. 
Your default value of %sponsor% could still
> be something about "transtec" (i.e. an untweaked install of MS would
> produce the same result as above).
>
> Supplementary: You might also introduce another variable, say %site-msg%,
> default value empty, which would allow a site to insert its own tag line
> (mission statement etc.) if it so chose.
>
> Hope that helps. (I'd be happy to try to beta-test this for you.)

I understand your problem, and have the same view of it here. However I think that this could just be left to the users themselves to sort out rather than adding yet another option. The work involved in fixing it yourself is negligible - just run a one-line script in the report directory such as:

    perl -pi -e 's/For all your IT requirements visit.*//' *

or

    perl -pi -e 's/For all your IT requirements visit.*/Our Mission Statement . . ./' *

and if you want to avoid dealing with all the rpmnew report files that would appear after an upgrade, just run this before the above in the same directory:

    for file in *.rpmnew; do mv -f "$file" "${file%.rpmnew}"; done

I find it essential to have a bash script to do the upgrades anyway - to backup the old version, run Julian's install.sh script, log its output, stop MailScanner, run the upgrade_MailScanner_conf script, view the diffs, run the upgrade_languages_conf script, view the diffs etc. before manually restarting MailScanner. It is then easy enough to include the above one or two lines as appropriate.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From alex at erus.co.uk Tue Sep 5 09:33:36 2006
From: alex at erus.co.uk (Alex Pimperton)
Date: Tue Sep 5 09:34:06 2006
Subject: Debian package outdated?
In-Reply-To:
References:
Message-ID: <44FD3660.3080901@erus.co.uk>

> As an alternative, involving less work for you, why not simply recommend
> that Debian users install from the tarball (so they can always keep up to
> date), but provide some basic instructions on customising the installation
> for Debian?
>

I'm not demanding a Debian package as I know how much work keeping a package updated is, especially one that changes as frequently as MailScanner, but I would be very sorry to see Julian take this line.

Keeping software updated outside of apt is a pain and I personally (don't know about other Debian users) try and minimise software on my servers that isn't "apt-get-able".

I would also suggest that at a time when Ubuntu is making major progress, and the number of users that will be using an apt based system is increasing, to abandon the Debian package would be a mistake.

Regards,
Alex

From sergiogc at treelogic.com Tue Sep 5 09:41:23 2006
From: sergiogc at treelogic.com (Sergio García Caso)
Date: Tue Sep 5 09:37:04 2006
Subject: MailScanner hangs once a day (2)
In-Reply-To:
References:
Message-ID: <44FD3833.8040400@treelogic.com>

Hello,

I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin 3.1.3 and ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.

The problem is that MailScanner hung once a day until last Wednesday so I had to restart it (/etc/init.d/mailscanner restart). Since last Wednesday until today MS has worked OK and it hasn't stopped but today it has stopped at 10.24 AM.

I get the following info in the log ('mail.info'):

...
Sep 5 10:24:29 localhost MailScanner[29417]: Requeue: 077812B4600.91241 to 839CF2B4E59
Sep 5 10:24:29 localhost postfix/qmgr[13147]: 839CF2B4E59: from=<>, size=76801, nrcpt=1 (queue active)
Sep 5 10:24:29 localhost MailScanner[29417]: Uninfected: Delivered 1 messages
Sep 5 10:24:29 localhost MailScanner[29417]: Virus Processing completed at 3315169 bytes per second
Sep 5 10:24:29 localhost MailScanner[29417]: Disinfection completed at 1244272545 bytes per second
Sep 5 10:24:29 localhost MailScanner[29417]: Batch completed at 28507 bytes per second (77131 / 2)
Sep 5 10:24:29 localhost MailScanner[29417]: Batch (1 message) processed in 2.71 seconds
Sep 5 10:24:29 localhost MailScanner[29417]: MailScanner child dying of old age
...

And then MS doesn't appear more in the log.

Can anybody help me?

Thanks.

From Q.G.Campbell at newcastle.ac.uk Tue Sep 5 10:15:06 2006
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Tue Sep 5 10:15:14 2006
Subject: MCP - does not do what the box says. Is this a known bug? (MS 4.55.7-1)
Message-ID: <4165CF7A7F12DE4B96622CCBB905864707D51190@largo.campus.ncl.ac.uk>

I am trying to use MCP to do three different things:

1. delete message with a high MCP score >= 10
2. deliver messages with 1 <= MCP score < 10 to get MCP report in syslog
3. deliver messages with 0 < MCP score < 1 to get MCP report in message headers

Use 1 works as expected, deletes message and puts report in syslog.
Use 2 does NOT deliver the message but puts report in log. [** PROBLEM **]
Use 3 works as expected with report in message headers and no report in syslog.

Use 1 is self explanatory. Among the classes of messages it deletes are those that are auto-generated by Outlook's Out of Office wizard in response to a tagged spam message. All the information needed to determine and score this class is contained in the Subject: line text of the message being scanned by MailScanner.

Use 2 complements use 1.
I want to deliver Out of Office messages that are NOT the result of incoming tagged spam but I want to flag these in syslog. This is so that I can gather stats on the number of OoO messages we generate and deliver.

Use 3 is to help users whose personal mail filter rules only allow checks on message headers. I use MCP centrally to determine, for example, whether the message body contains cyrillic encodings or has some words that upset particularly sensitive users. The handles of the particular MCP rules triggered by this use appear in the message headers and can be looked for in personal mail filter rules as the message is delivered to recipient mailboxes.

I do not understand why messages with a MCP score = 1 are not delivered. I am not getting a Sendmail "stat=Sent" record so it appears that MailScanner is not rewriting the queue files in /var/spool/mqueue for "MCP Action" is "deliver" messages. However in the case of low scoring spam where "Spam Action" is also "deliver" then things work as expected.

I am running MailScanner 4.55.7-1 & SpamAssassin 3.1.3 with Sendmail (8.13) on Red Hat Enterprise Linux AS release 4.

The relevant settings in MailScanner.conf are:

MCP Checks = yes

# Do the spam checks first, or the MCP checks first?
# This cannot be the filename of a ruleset, only a fixed value.
First Check = mcp

# The rest of these options are clones of the equivalent spam options
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1
MCP Header = X-%org-name%-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = delete
Bounce MCP As Attachment = no
MCP Modify Subject = no
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = yes
High Scoring MCP Subject Text = {MCP?!}
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = yes
Detailed MCP Report = yes
Include Scores In MCP Report = yes
Log MCP = yes
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 75
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt

The syslog records for a typical message scored by MCP for use 1 are:

...
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: from=, size=1086, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=stromberg.ncl.ac.uk [10.8.234.172]
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: milter=milter-link, action=header, continue
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: milter=milter-link, action=eoh, continue
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: milter=milter-link, action=body, continue
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: Milter add: header: Received-SPF: pass (cheviot4.ncl.ac.uk: 10.8.234.172 is authenticated by a trusted mechanism)
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: Milter accept: message
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: to=, delay=00:00:00, mailer=esmtp, pri=31086, stat=queued
Sep 5 06:15:19 cheviot4 MailScanner[12258]: Message k855FG8A007250 from 10.8.234.172 (nncu@cpx.ncl.ac.uk) to learningemall.com is MCP, MCP-Checker (score=1, required 1, MCP_OOO_2 1.00)
Sep 5 06:15:19 cheviot4 MailScanner[12258]: MCP Actions: message k855FG8A007250 actions are deliver
Sep 5 06:15:21 cheviot4 sendmail[7309]: k855FG8A007250: done; delay=00:00:05, ntries=1

For comparison, the records for delivered tagged spam are:

...
Sep 5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: from=, size=4098, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=mx1.dc.iol.pt [193.126.240.141]
Sep 5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: milter=milter-link, action=header, continue
Sep 5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: milter=milter-link, action=eoh, continue
Sep 5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: milter=milter-link, action=body, continue
Sep 5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: Milter add: header: Received-SPF: none (cheviot4.ncl.ac.uk: domain of alyusuf_011@iol.pt does not designate permitted sender hosts)
Sep 5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: Milter accept: message
Sep 5 04:03:54 cheviot4 sendmail[3635]: k8533oEX003635: to=, delay=00:00:00, mailer=esmtp, pri=34098, stat=queued
Sep 5 04:03:59 cheviot4 MailScanner[12258]: Message k8533oEX003635 from 193.126.240.141 (alyusuf_011@iol.pt) to newcastle.ac.uk is spam, SpamAssassin (not cached, score=17.171, required 6, autolearn=disabled, ADVANCE_FEE_1 0.00, ADVANCE_FEE_2 0.65, ADVANCE_FEE_3 1.76, ADVANCE_FEE_4 3.04, DEAR_FRIEND 0.86, FROM_EXCESS_QP 0.00, MILLION_USD 1.61, MISSING_HEADERS 0.19, NA_DOLLARS 0.61, RCVD_IN_BL_SPAMCOP_NET 4.00, SARE_FRAUD_X3 1.67, SARE_FRAUD_X4 1.67, SARE_URGBIZ 0.72, TO_CC_NONE 0.13, URG_BIZ 0.27)
Sep 5 04:03:59 cheviot4 MailScanner[12258]: Spam Actions: message k8533oEX003635 actions are attachment,deliver
Sep 5 04:04:01 cheviot4 sendmail[3693]: k8533oEX003635: SMTP outgoing connect on cheviot4.ncl.ac.uk
Sep 5 04:04:01 cheviot4 sendmail[3693]: k8533oEX003635: to=, delay=00:00:07, xdelay=00:00:00, mailer=esmtp, pri=124098, relay=burnmoor.ncl.ac.uk. [128.240.233.53], dsn=2.0.0, stat=Sent (EAA14539 Message accepted for delivery)
Sep 5 04:04:01 cheviot4 sendmail[3693]: k8533oEX003635: done; delay=00:00:07, ntries=1

Have I got the MCP option values wrong in MailScanner.conf?
Any advice on how to fix this problem so that MCP can be exploited fully would be gratefully received. Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), Newcastle University, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------ From mailscanner at mango.zw Tue Sep 5 10:29:58 2006 From: mailscanner at mango.zw (Jim Holland) Date: Tue Sep 5 10:30:11 2006 Subject: Debian package outdated? In-Reply-To: <44FD3660.3080901@erus.co.uk> Message-ID: On Tue, 5 Sep 2006, Alex Pimperton wrote: > > As an alternative, involving less work for you, why not simply recommend > > that Debian users install from the tarball (so they can always keep up to > > date), but provide some basic instructions on customising the installation > > for Debian? > > I'm not demanding a Debian package as I know how much work keeping a > package updated is, especially one that changes as frequently as > MailScanner, but I would be very sorry to see Julian take this line. > > Keeping software updated outside of apt is a pain and I personally > (don't know about other Debian users) try and minimise software on my > servers that isn't "apt-get-able". > > I would also suggest that at a time when Ubuntu is making major > progress, and the number of users that will be using an apt based system > is increasing, to abandon the Debian package would be a mistake. I agree with all the above - I don't want to see the Debian package abandoned either. However in the meantime the Debian package is getting rather old to be recommended to Debian users, so they urgently need some specific help on installing from the tarball. Someone else commented however that the major software for any OS should always be installed from tarballs for best reliabiity - ie the kernel, and the main services running on the machine, eg the MTA, apache etc. 
As a sendmail user under both Red Hat and Debian I have followed this approach, and the same with MailScanner. (I realise that there is at least one Linux distribution - Gentoo I think - that takes it to the extreme of insisting that everything should be compiled locally rather than installed as a binary.) Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From rabollinger at gmail.com Tue Sep 5 11:12:32 2006 From: rabollinger at gmail.com (Richard Bollinger) Date: Tue Sep 5 11:12:34 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? In-Reply-To: <44FD28C5.4040707@blacknight.ie> References: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> <44FC4D30.8050509@netmagicsolutions.com> <44FD28C5.4040707@blacknight.ie> Message-ID: <7744a2840609050312w6c57b604h180aece5b1ca8d25@mail.gmail.com> On 9/5/06, Michele Neylon:: Blacknight.ie wrote: > The site was hosted elsewhere up until recently :) Can it be changed back to allowing such browsing? I found it helpful to be able to retrieve prior releases on occasion without knowing their exact filenames. Thanks, Rich B From mailscanner at mango.zw Tue Sep 5 11:33:10 2006 From: mailscanner at mango.zw (Jim Holland) Date: Tue Sep 5 11:33:23 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: Message-ID: On Mon, 4 Sep 2006, John Rudd wrote: > I honestly can't think of any reason you _would_ use MS's RBL facility. > It's as absolute as doing the RBL entry in the MTA, yet doesn't get > the advantage of rejecting the message during the SMTP transaction. It > doesn't offer me any flexibility over using RBL+access_db+delay_checks. > What's the point? (it's the one feature of MS whose point I've never > understood) I for one certainly appreciate the option to use MS's RBL facility togehter with whitelisting. My view is that using RBLs at MTA level is too drastic - I just use my own limited blacklist of systems that are beyond the pale. 
The benefit of MS versus MTA is that the mail is quarantined so can be released if the RBLs have got it wrong. We regularly find a local domain gets on some blacklist, and can then just run a script to release all the mail from them in quarantine. I agree with those suggesting using RBLs in SpamAssassin, but as the current server doesn't have the horsepower to run SpamAssassin, I don't have that option. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From root at doctor.nl2k.ab.ca Tue Sep 5 13:01:17 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Sep 5 13:02:21 2006 Subject: MailScanner 4.56 Message-ID: <20060905120117.GH25367@doctor.nl2k.ab.ca> Julian when is 4.56 due out? Does it need further Beta Testing? Also a general question to all, how does one redirect spam to a specific spamlist , say spamtrap@domain.tld? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From walmiro_muzzi at yahoo.com.br Tue Sep 5 14:11:27 2006 From: walmiro_muzzi at yahoo.com.br (Walmiro Muzzi) Date: Tue Sep 5 14:11:40 2006 Subject: Management tool Message-ID: <44FD777F.2080608@yahoo.com.br> Hi, I'm looking for a quarantine management tool(web) for MailScanner. Any suggestions??? Thanks in advance. []s Walmiro Muzzi From martinh at solidstatelogic.com Tue Sep 5 14:19:04 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Sep 5 14:19:19 2006 Subject: Management tool In-Reply-To: <44FD777F.2080608@yahoo.com.br> References: <44FD777F.2080608@yahoo.com.br> Message-ID: <44FD7948.4030906@solidstatelogic.com> Walmiro Muzzi wrote: > Hi, > > I'm looking for a quarantine management tool(web) for MailScanner. > > Any suggestions??? > > Thanks in advance. > > []s > Walmiro Muzzi Mailwatch??? http://mailwatch.sourceforge.net/doku.php or the other ones on the wiki.. 
http://wiki.mailscanner.info/doku.php?id=&idx=documentation:related_software:management -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From steve.swaney at fsl.com Tue Sep 5 14:25:48 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Sep 5 14:25:53 2006 Subject: Management tool In-Reply-To: <44FD777F.2080608@yahoo.com.br> Message-ID: <1997001c6d0ee$cd5484e0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Walmiro Muzzi > Sent: Tuesday, September 05, 2006 9:11 AM > To: mailscanner@lists.mailscanner.info > Subject: Management tool > > Hi, > > I'm looking for a quarantine management tool(web) for MailScanner. > > Any suggestions??? > > Thanks in advance. > > []s > Walmiro Muzzi > -- That and much, much more: mailwatch.sourceforge.net Steve Stephen Swaney Fort Systems Ltd.
stephen.swaney@fsl.com www.fsl.com From edwardbruce at sbcglobal.net Tue Sep 5 14:28:15 2006 From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Tue Sep 5 14:28:21 2006 Subject: Razor log file in Postfix hold queue In-Reply-To: <223f97700609011429k4466f948u15a7f95bdfaba49b@mail.gmail.com> References: <44F8872F.1070501@rogers.com> <44F88D1C.8010205@sbcglobal.net> <44F89120.7030100@rogers.com> <20060902015033.b8xexi5uog0s4coc@mail.netmagicsolutions.com> <223f97700609011429k4466f948u15a7f95bdfaba49b@mail.gmail.com> Message-ID: <44FD7B6F.4040101@sbcglobal.net> Glenn Steen wrote: > On 01/09/06, Dhawal Doshy wrote: >> Quoting Mike Jakubik : >> >> > Ed Bruce wrote: >> >> Mike Jakubik wrote: >> >> >> >>> Douglas Ward wrote: >> >>> >> >>>> Does anyone know how to make Razor stop putting its log file >> into the >> >>>> postfix hold queue? I have checked every file I can find using >> >>>> slocate and cannot find the setting. Any advice would be most >> >>>> appreciated. Thanks! >> >>>> >> >>> Just create a .razor directory in /var/spool/postfix and you're set. >> >>> >> >>> >> >> I did this, restarted MailScanner and it stills creates a the log >> in the >> >> hold directory. >> >> >> > >> > Did you create ".razor" or "razor" ? Also, you can specify the >> location >> > with razor_config in your spamssassin config file. >> >> Use the following commands to configure razor for SA, replace >> '/etc/mail/spamassassin/' with your preferred path. >> # razor-admin -home=/etc/mail/spamassassin/.razor -create >> # razor-admin -home=/etc/mail/spamassassin/.razor -discover >> Pause for a while before you give the below command (10-15 seconds) >> # razor-admin -home=/etc/mail/spamassassin/.razor -register >> >> Add to /etc/mail/spamassassin/.razor/razor-agent.conf the following >> line. >> razorhome = /etc/mail/spamassassin/.razor >> >> Add to /etc/mail/spamassassin/mailscanner.cf, the following line. 
>> razor_config /etc/mail/spamassassin/.razor/razor-agent.conf >> >> - dhawal > > All nice and so. But Mikes advice actually works too, since one would > then be creating it in the default place ($HOME/.razor), all provided > one make sure that the postfix user can write it...:-). Always another > way.....:-) Well, I tried Mikes (I used .razor) and I didn't get it to work. I tried Dhawal's method and it worked. Thanks go to both. From jrudd at ucsc.edu Tue Sep 5 15:29:19 2006 From: jrudd at ucsc.edu (John Rudd) Date: Tue Sep 5 15:30:11 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <223f97700609050037r2b3bcf7foade77a554128e31d@mail.gmail.com> References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <44FAECA1.2040800@utwente.nl> <44FB430F.8040608@utwente.nl> <1157367545.1082.65.camel@darkstar.netcore.co.in> <223f97700609041711g3cefc474j55ba90a9db4321de@mail.gmail.com> <44FCD8CA.2020600@nkpanama.com> <223f97700609050037r2b3bcf7foade77a554128e31d@mail.gmail.com> Message-ID: On Sep 5, 2006, at 12:37 AM, Glenn Steen wrote: > On 05/09/06, Alex Neuman van der Hans wrote: >> John Rudd wrote: >> > >> > On Sep 4, 2006, at 5:11 PM, Glenn Steen wrote: >> > >> >> >> >> I for one work under legislation that prohibit me from flat-out >> >> rejecting _based on sender alone_ (it's a bit more involved than >> that, >> >> but lets leave that:-) >> > > > It's a brew of different (Swedish) laws governing "principal of > availability and open equal dealing with all subjects"... Laws > covering everything from freedom of speech(!) to how public documents > are to be archived and handled. I'm certainly no lawyer, but > thankfully a central .gov agency (Statskontoret for those who really > want to know) has made a set of guidelines for us poor "public > mailadmins" to follow. They're pretty generic, and open for _some_ > interpretation, but paramount is that the collected body of laws does > not allow us to use "generic blacklists" for rejecting messages. 
If I > could somehow complement everything to know that a sender was actually > a Swedish subject, then perhaps I could use BLs, but... Alas not now. > Except... RBLs don't block senders. They block hosts (actually, that's not true either: they block IP addresses; a host can change IPs over time, and a sender can change hosts frequently ... especially when you consider relaying). Seems to me a distinction could be made... I mean, if I use a DUL type RBL to block ISP customer IPs, I'll still receive the sender's email via the ISP's proper mail gateway. I could go on, but RBLs are not even remotely about "based on sender", IMO. From jrudd at ucsc.edu Tue Sep 5 15:30:48 2006 From: jrudd at ucsc.edu (John Rudd) Date: Tue Sep 5 15:31:54 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: On Sep 5, 2006, at 3:33 AM, Jim Holland wrote: > On Mon, 4 Sep 2006, John Rudd wrote: > >> >> What's the point? (it's the one feature of MS whose point I've >> never >> understood) > The benefit of MS versus MTA is that the mail is > quarantined so can be released if the RBLs have got it wrong. Ok, I can admit that I hadn't considered that aspect at all (because I don't use quarantining). I can see that as a reason to use RBLs at the MS level. From lshaw at emitinc.com Tue Sep 5 16:57:36 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Tue Sep 5 16:57:48 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> Message-ID: On Tue, 5 Sep 2006, Res wrote: > On Mon, 4 Sep 2006, sandrews@andrewscompanies.com wrote: >> Most people don't allow file browse in webfolders. I think it's time to >> take your tinfoil hat off. > a webfolder... must be a micro$oft thing :P > > perl -pi -e "s/webfolder/directory (use its real name not M\$ slang)/g;" * Nah, it's not Microsoft slang, because it makes logical sense. 
If it were Microsoft slang, it would use terminology in a way that muddies the issue and makes everyone more confused than before. Maybe something which shows that Microsoft has conflated two concepts that should be separate. So it wouldn't be "web folder". It'd be something like "internet folder" instead. - Logan From lshaw at emitinc.com Tue Sep 5 17:02:17 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Tue Sep 5 17:03:13 2006 Subject: Restart problem In-Reply-To: <223f97700609041041w10c8a679x1fa7fea251e85951@mail.gmail.com> References: <44FC3A44.1070109@yahoo.com.br> <44FC4794.5080901@konsultex.com.br> <905842108-1157385254-cardhu_blackberry.rim.net-2099532887-@bwe038-cell00.bisx.prod.on.blackberry> <44FC51DF.2070700@yahoo.com.br> <223f97700609041041w10c8a679x1fa7fea251e85951@mail.gmail.com> Message-ID: >> > From: "Miguel Koren O'Brien de Lacy" >> > Date: Mon, 04 Sep 2006 12:34:44 >> > To:MailScanner discussion >> > Subject: Re: Restart problem >> > I found that the script does not always stop mailscanner, so when I >> > restart port 25 is in use and so MailScanner does not work. What I do is >> > to explicitly stop sendmail too right after stopping MailScanner. This >> > may be a Fedora issue. On Mon, 4 Sep 2006, Glenn Steen wrote: > Isn't this the same issue hashed over a while back... That it takes a > while (sometimes substantially so) for the sendmail workers to > actually finish and die? Sometimes making the sleep interval in the > init script not be enough, so that some linger when MS wants to start > up again? > I might remember wrong, but check that first (I'm certainly too lazy to > search the archives for you:-):-)... Stop MS, then grep ps for sendmail > processes... Hmm, I think this is my cue to semi-obnoxiously point out that if sendmail startup and MailScanner startup were separate the way I do it (with separate init scripts, etc.), this wouldn't be an issue.
*grin* - Logan From rpoe at plattesheriff.org Tue Sep 5 17:03:16 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Sep 5 17:04:06 2006 Subject: Question Message-ID: <44FD5982.65ED.00A2.0@plattesheriff.org> Is there a way to start MailScanner so that it processes any messages in it's queue, but does not accept new incoming messages? I have a client with an older linux box running MailScanner and it's just being crushed ... with spam.... It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 Running access lists in Sendmail (to block out other countries) and running the greet_pause feature (which is helping a lot) Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds I've tried 5, 3 and now 2 MS children. From dave.list at pixelhammer.com Tue Sep 5 17:31:50 2006 From: dave.list at pixelhammer.com (DAve) Date: Tue Sep 5 17:32:03 2006 Subject: Question In-Reply-To: <44FD5982.65ED.00A2.0@plattesheriff.org> References: <44FD5982.65ED.00A2.0@plattesheriff.org> Message-ID: <44FDA676.9000209@pixelhammer.com> Rob Poe wrote: > Is there a way to start MailScanner so that it processes any messages in it's queue, but does not accept new incoming messages? > > I have a client with an older linux box running MailScanner and it's just being crushed ... with spam.... > > It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk > > 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 > > Running access lists in Sendmail (to block out other countries) and running the greet_pause feature (which is helping a lot) > > Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds > > I've tried 5, 3 and now 2 MS children. > > > OS? How many messages in a batch? What kind of SpamAssassin rule sets/plugins? Any RBLs at the MTA level? I've seen load go to 20 on my servers for days on end and they kept chugging away. 
Load doesn't mean that much, if MS is still processing in good time I would pay it no mind. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From martinh at solidstatelogic.com Tue Sep 5 17:31:08 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Sep 5 17:32:39 2006 Subject: Question In-Reply-To: <44FD5982.65ED.00A2.0@plattesheriff.org> References: <44FD5982.65ED.00A2.0@plattesheriff.org> Message-ID: <44FDA64C.9000303@solidstatelogic.com> Rob Poe wrote: > Is there a way to start MailScanner so that it processes any messages in its queue, but does not accept new incoming messages? > > I have a client with an older linux box running MailScanner and it's just being crushed ... with spam.... > > It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk > > 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 > > Running access lists in Sendmail (to block out other countries) and running the greet_pause feature (which is helping a lot) > > Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds > > I've tried 5, 3 and now 2 MS children. > > > memory more memory 1GB per CPU is recommended just stop the inbound sendmail... try milter-ahead to check valid email addresses and reject non-valid ones on the inbound MTA. - I drop over 66% of my traffic that way. there's a tuning link on the wiki also... -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
From glenn.steen at gmail.com Tue Sep 5 17:47:25 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 5 17:47:27 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: <5227ac5c0609030508o31a1a108iaf2459a00b7aed29@mail.gmail.com> <44FB430F.8040608@utwente.nl> <1157367545.1082.65.camel@darkstar.netcore.co.in> <223f97700609041711g3cefc474j55ba90a9db4321de@mail.gmail.com> <44FCD8CA.2020600@nkpanama.com> <223f97700609050037r2b3bcf7foade77a554128e31d@mail.gmail.com> Message-ID: <223f97700609050947j7a21bbb8lc5578b8310dd9f83@mail.gmail.com> On 05/09/06, John Rudd wrote: > > On Sep 5, 2006, at 12:37 AM, Glenn Steen wrote: > > > On 05/09/06, Alex Neuman van der Hans wrote: > >> John Rudd wrote: > >> > > >> > On Sep 4, 2006, at 5:11 PM, Glenn Steen wrote: > >> > > >> >> > >> >> I for one work under legislation that prohibits me from flat-out > >> >> rejecting _based on sender alone_ (it's a bit more involved than > >> that, > >> >> but let's leave that:-) > >> > > > > > It's a brew of different (Swedish) laws governing "principle of > > availability and open equal dealing with all subjects"... Laws > > covering everything from freedom of speech(!) to how public documents > > are to be archived and handled. I'm certainly no lawyer, but > > thankfully a central .gov agency (Statskontoret for those who really > > want to know) has made a set of guidelines for us poor "public > > mailadmins" to follow. They're pretty generic, and open for _some_ > > interpretation, but paramount is that the collected body of laws does > > not allow us to use "generic blacklists" for rejecting messages. If I > > could somehow complement everything to know that a sender was actually > > a Swedish subject, then perhaps I could use BLs, but... Alas not now. > > > > Except...
RBLs don't block senders. They block hosts (actually, that's > not true either: they block IP addresses; a host can change IPs over > time, and a sender can change hosts frequently ... especially when you > consider relaying). Seems to me a distinction could be made... > > I mean, if I use a DUL type RBL to block ISP customer IPs, I'll still > receive the sender's email via the ISP's proper mail gateway. I could > go on, but RBLs are not even remotely about "based on sender", IMO. > Either I'm not explaining this well, or you are plain missing the point:-). The point (made by the lawyers mostly ... IIUC, the guidelines were put together by a joint group of "technicians" and "lawyers"...) is exactly that. I cannot reject mail _potentially_ from a Swedish subject based _solely_ on BLs. But if if a citizen choose to make their matter plain in a mail that is otherwise spam, or a message containing a virus or other malicious content, I can set things up to quarantine this from ever reaching the end recipient, and slate it for deletion. It is akin to the case where some citizen has scribbled the message in the margin of an IKEA catalog... I don't have to rifle through the catalog, but can just dump it out of hand... But for email I (or some other person) have to make a "simplified screening" (I look at the senders/subjects in mailwatch:-) to make everything comply to norm. With BLs I cannot be certain enough. So ... The guidelines go on to detail that it is OK to use them for scoring or tagging, and that is exactly what I do. This only affects public bodies, so the private sector is not under these laws (not that way at least). 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ka at pacific.net Tue Sep 5 18:17:02 2006 From: ka at pacific.net (Ken A) Date: Tue Sep 5 18:15:54 2006 Subject: Question In-Reply-To: <44FD5982.65ED.00A2.0@plattesheriff.org> References: <44FD5982.65ED.00A2.0@plattesheriff.org> Message-ID: <44FDB10E.30103@pacific.net> Rob Poe wrote: > Is there a way to start MailScanner so that it processes any messages in it's queue, but does not accept new incoming messages? > > I have a client with an older linux box running MailScanner and it's just being crushed ... with spam.... > > It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk > > 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 > > Running access lists in Sendmail (to block out other countries) and running the greet_pause feature (which is helping a lot) Sendmail shouldn't accept mail faster than your system can handle it, so tune sendmail a bit more with things like max recipients per message, bad recipient throttle, connection rate throttle, and connection rate window size(per IP ratecontrol). If you set these to keep sendmail from being flooded during a spam attack, MailScanner should have an easier time keeping up. Also, add a couple of rbls to sendmail config to reject spam outright if it's on a trusted list, like spamhaus. > Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds > > I've tried 5, 3 and now 2 MS children. > What does 'free' report? Using swap? Increase MS children up to 4 or 5 until they start using swap, or add ram if they are already swapping. 
Ken A Pacific.Net > From rpoe at plattesheriff.org Tue Sep 5 18:54:47 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Sep 5 18:56:39 2006 Subject: Question In-Reply-To: <44FDB10E.30103@pacific.net> References: <44FD5982.65ED.00A2.0@plattesheriff.org> <44FDB10E.30103@pacific.net> Message-ID: <44FD73A5.65ED.00A2.0@plattesheriff.org> > I have a client with an older linux box running MailScanner and it's just being crushed ... with spam.... > > It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk > > 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 > Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds > > I've tried 5, 3 and now 2 MS children. > >What does 'free' report? Using swap? Increase MS children up to 4 or 5 >until they start using swap, or add ram if they are already swapping. total used free shared buffers cached Mem: 479644 447512 32132 0 93536 161792 -/+ buffers/cache: 192184 287460 Swap: 2112440 4356 2108084 FEATURE(`dnsbl', `list.dsbl.org', `Rejected - see http://www.dsbl.org/')dnl FEATURE(`dnsbl', `relays.ordb.org', `Rejected - see http://ordb.org/')dnl They had problems with the xbl.spamhaus.org and sbl.spamhaus.org because their biggest client / vendor is on a shared server that has sent spam (and is listed). So it blocks their clients / vendor's email..... From lshaw at emitinc.com Tue Sep 5 19:20:35 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Tue Sep 5 19:20:48 2006 Subject: Question In-Reply-To: <44FD5982.65ED.00A2.0@plattesheriff.org> References: <44FD5982.65ED.00A2.0@plattesheriff.org> Message-ID: On Tue, 5 Sep 2006, Rob Poe wrote: > Is there a way to start MailScanner so that it processes any messages > in it's queue, but does not accept new incoming messages? Well, it's a queue that sendmail and MailScanner share (sendmail is the producer, MailScanner is the consumer), so it's not really MailScanner that controls whether messages are accepted. 
You could kill the incoming sendmail, but I don't recommend it. > I have a client with an older linux box running MailScanner and it's just being crushed ... with spam.... > > It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk > > 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 > > Running access lists in Sendmail (to block out other countries) and running the greet_pause feature (which is helping a lot) > > Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds > > I've tried 5, 3 and now 2 MS children. With a situation like this, you have to determine whether CPU or memory is the limiting factor. There are some third-party rulesets which are serious CPU hogs. One of those could explain the problem. Or you could be too low on RAM and swapping, which will kill performance and drive the load average through the roof without getting much work done. Personally, I would diagnose this problem by temporarily setting the MailScanner children to 1. As long as you don't have other processes on the machine hogging the memory, that will almost definitely eliminate memory as a bottleneck. (On the other hand, 2 children is pretty close to 1.) Then check the logs and see how many messages are in a batch and the total time it takes to process that batch. If a batch takes 61.70 seconds, that could be OK if it's processing 10 or 20 or 30 messages, especially if your virus checker(s) use lots of CPU. At my site, with McAfee and ClamAV, it takes something like 3 CPU-seconds to process a message, sometimes more. But if 61.70 seconds is the time for 2 or 3 messages, then you've got a problem. More than 5 or 10 seconds per message is definitely excessive, even on a Celeron. 
- Logan From ka at pacific.net Tue Sep 5 19:54:14 2006 From: ka at pacific.net (Ken A) Date: Tue Sep 5 19:53:04 2006 Subject: Question In-Reply-To: <44FD73A5.65ED.00A2.0@plattesheriff.org> References: <44FD5982.65ED.00A2.0@plattesheriff.org> <44FDB10E.30103@pacific.net> <44FD73A5.65ED.00A2.0@plattesheriff.org> Message-ID: <44FDC7D6.4090902@pacific.net> Rob Poe wrote: >> I have a client with an older linux box running MailScanner and it's just being crushed ... with spam.... >> >> It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk >> >> 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 > >> Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds >> >> I've tried 5, 3 and now 2 MS children. >> > >> What does 'free' report? Using swap? Increase MS children up to 4 or 5 >> until they start using swap, or add ram if they are already swapping. > > total used free shared buffers cached > Mem: 479644 447512 32132 0 93536 161792 > -/+ buffers/cache: 192184 287460 > Swap: 2112440 4356 2108084 Looks like you are pushing it already at 2 children. More memory would help. You should be able to run 4 MS processes with a GB of ram. What about the network tests in SA? Are they running slowly? Are you getting SA timeouts too? You could run 'spamassassin -D dns < /dev/null' to get the list of rbls that SA is using and test them individually to see if one of them is timing out? It would be nice if there was a script for diagnosing MailScanner slowness. There are a lot of things that can cause it, but most are pretty obvious - AFTER you find them. :-) Ken A. Pacific.Net > FEATURE(`dnsbl', `list.dsbl.org', `Rejected - see http://www.dsbl.org/')dnl > FEATURE(`dnsbl', `relays.ordb.org', `Rejected - see http://ordb.org/')dnl > > They had problems with the xbl.spamhaus.org and sbl.spamhaus.org because their biggest client / vendor is on a shared server that has sent spam (and is listed). So it blocks their clients / vendor's email..... 
> > > From taz at taz-mania.com Tue Sep 5 19:53:20 2006 From: taz at taz-mania.com (Dennis Willson) Date: Tue Sep 5 19:53:24 2006 Subject: Question In-Reply-To: <44FD5982.65ED.00A2.0@plattesheriff.org> Message-ID: My hubs (I have two of them) get about 75,000 emails per day. It's a 2.4Ghz P4 Xeon processor with 512MB of RAM and dual IDE hard drives (mirrored). They run with a load average of .10 (it goes up and down, but on average that's what I see, this is also only on my secondary hub, where most of the Spam attempts to come in, the primary has even less load and most of the real email comes in there). However as long as MailScanner is processing in a reasonable time the overall load average doesn't mean too much. There are a couple of things that brought it down a lot, Greet pause, HELO validation (only simple validation to be sure the sending server isn't using my own server's name or IP as its HELO string), Sender Address Verification (smf-sav milter), Recipient Address Verification (smf-sav milter), Grey listing (milter-greylist) and I also use Connection throttling, all of which occur during the SMTP phase. Out of the approx 75,000 per day of emails, only 2,000-3,000 get by the SMTP phase to reach MailScanner/Spamassassin/ClamAV. Adding the SMTP phase filtering really brings down the CPU load. Hope this helps. On Tue, 05 Sep 2006 11:03:16 -0500 "Rob Poe" wrote: >Is there a way to start MailScanner so that it processes any messages >in its queue, but does not accept new incoming messages? > >I have a client with an older linux box running MailScanner and it's >just being crushed ... with spam....
> >It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk > > 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 > >Running access lists in Sendmail (to block out other countries) and >running the greet_pause feature (which is helping a lot) > >Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: >Batch processed in 61.70 seconds > >I've tried 5, 3 and now 2 MS children. -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From wintermutecx at gmail.com Tue Sep 5 20:00:01 2006 From: wintermutecx at gmail.com (Dave) Date: Tue Sep 5 20:00:09 2006 Subject: Question In-Reply-To: <44FD5982.65ED.00A2.0@plattesheriff.org> References: <44FD5982.65ED.00A2.0@plattesheriff.org> Message-ID: As suggested there is a setting in sendmail to limit the number of connections. I have it set on my 300Mhz server at home. When I want to disable incoming mail but still have Mailscanner running, I just put a firewall rule to not allow incoming port 25.
From gborders at jlewiscooper.com Tue Sep 5 20:12:21 2006 From: gborders at jlewiscooper.com (Greg Borders) Date: Tue Sep 5 20:12:58 2006 Subject: Question In-Reply-To: References: <44FD5982.65ED.00A2.0@plattesheriff.org> Message-ID: <44FDCC15.50606@jlewiscooper.com> Logan Shaw wrote: > On Tue, 5 Sep 2006, Rob Poe wrote: >> Is there a way to start MailScanner so that it processes any messages >> in it's queue, but does not accept new incoming messages? > > Well, it's a queue that sendmail and MailScanner share (sendmail > is the producer, MailScanner is the consumer), so it's not > really MailScanner that controls whether messages are accepted. > > You could kill the incoming sendmail, but I don't recommend it. Usage: service MailScanner {start|stop|status|restart|reload|startin|startout|stopms} Couldn't you issue service MailScanner stop service MailScanner startout And thus have MS process any messages in queue, and not accept any new messages. We must keep in mind, MailScanner is the puppet master, and the MTA, virus scanners and SA are all puppets! Greg. Borders Sys. Admin. JLC Co.
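Added example, not part of any message in this thread: the check Logan Shaw describes above (how many messages were in a batch versus how long the batch took) written as a small Python log parser. Only the "Batch processed in N seconds" wording is quoted in the thread; the "New Batch: Scanning N messages" companion line, the sample log, and the 10-second default limit (the upper end of his "5 or 10 seconds per message") are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample syslog text (not taken from a real server). Only the
# "Batch processed in ..." wording appears in the thread; the "New Batch:"
# line format is an assumption and may differ between MailScanner versions.
SAMPLE_LOG = """\
Sep  5 10:55:10 mail MailScanner[25809]: New Batch: Scanning 2 messages, 18211 bytes
Sep  5 10:55:14 mail MailScanner[25811]: New Batch: Scanning 20 messages, 240113 bytes
Sep  5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds
Sep  5 10:56:15 mail MailScanner[25811]: Batch processed in 60.00 seconds
Sep  5 10:56:20 mail sendmail[25900]: k85FuK1x025900: from=<a@example.com>, size=1204
Sep  5 10:56:30 mail MailScanner[25809]: Batch processed in 4.10 seconds
"""

CHILD_RE = re.compile(r"\bMailScanner\[(?P<pid>\d+)\]:\s+(?P<text>.*)$")
START_RE = re.compile(r"^New Batch: Scanning (\d+) messages?\b")
DONE_RE = re.compile(r"^Batch processed in (\d+(?:\.\d+)?) seconds")


class Batch(NamedTuple):
    pid: int
    messages: Optional[int]   # None when no matching "New Batch" line was seen
    seconds: float

    @property
    def per_message(self) -> Optional[float]:
        """Seconds spent per message, or None if the count is unknown or zero."""
        if not self.messages:
            return None
        return self.seconds / self.messages


def parse_batches(log_text: str) -> List[Batch]:
    """Pair each child's batch start with its completion line, keyed by PID."""
    pending = {}   # pid -> message count of the batch that child is working on
    batches = []
    for line in log_text.splitlines():
        m = CHILD_RE.search(line)
        if not m:
            continue                    # sendmail and other daemons
        pid, text = int(m.group("pid")), m.group("text")
        start = START_RE.match(text)
        if start:
            pending[pid] = int(start.group(1))
            continue
        done = DONE_RE.match(text)
        if done:
            # A completion with no recorded start keeps messages=None.
            batches.append(Batch(pid, pending.pop(pid, None), float(done.group(1))))
    return batches


def verdict(batch: Batch, limit: float = 10.0) -> str:
    """'slow' when seconds per message exceeds limit, 'unknown' without a count."""
    rate = batch.per_message
    if rate is None:
        return "unknown"
    return "slow" if rate > limit else "ok"


def report(log_text: str, limit: float = 10.0) -> List[str]:
    """One summary line per completed batch, in log order."""
    lines = []
    for b in parse_batches(log_text):
        rate = "n/a" if b.per_message is None else f"{b.per_message:.2f}"
        count = "?" if b.messages is None else str(b.messages)
        lines.append(f"pid={b.pid} msgs={count} batch={b.seconds:.2f}s "
                     f"per_msg={rate}s {verdict(b, limit)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

In the constructed sample, two batches of about 60 seconds get opposite verdicts because one held 2 messages and the other 20. A batch reported as `unknown` means its start line fell outside the log excerpt.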
From rpoe at plattesheriff.org Tue Sep 5 20:20:50 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Sep 5 20:21:29 2006 Subject: Question In-Reply-To: References: <44FD5982.65ED.00A2.0@plattesheriff.org> Message-ID: <44FD87C2.65ED.00A2.0@plattesheriff.org> >Sender Address Verification (smf-sav milter), Recipient Address Verificaton >(smf-sav milter), Grey listing (milter-greylist) and I also use >Connection throttling, all of which occur during the SMTP phase. No disrespect to Snert ... But did anyone catch the smf-sav ?? Looks like milter-ahead.. open sourced .. I must have missed it somewhere.. From lshaw at emitinc.com Tue Sep 5 21:35:35 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Tue Sep 5 21:35:49 2006 Subject: Question In-Reply-To: <44FDC7D6.4090902@pacific.net> References: <44FD5982.65ED.00A2.0@plattesheriff.org> <44FDB10E.30103@pacific.net> <44FD73A5.65ED.00A2.0@plattesheriff.org> <44FDC7D6.4090902@pacific.net> Message-ID: On Tue, 5 Sep 2006, Ken A wrote: > Rob Poe wrote: >> total used free shared buffers cached >> Mem: 479644 447512 32132 0 93536 161792 >> -/+ buffers/cache: 192184 287460 >> Swap: 2112440 4356 2108084 > > Looks like you are pushing it already at 2 children. More memory would help. > You should be able to run 4 MS processes with a GB of ram. Might be getting close to the limit, but I don't see evidence that the system is at the limit (i.e. that it's memory-starved). The swap used is very low; if the system were swapping, it would probably be higher. So yeah, more memory would help, since it always does, but lack of memory doesn't appear to be the primary problem. Of course, without seeing stats of how many messages are in a batch and how long that batch takes, it's difficult to tell what the problem is. Is MS using 60 seconds of CPU time for one message? Or is that 60 seconds for a whole bunch of messages? If the former, there is a significant problem not related to memory. 
- Logan From glenn.steen at gmail.com Tue Sep 5 22:24:12 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 5 22:24:20 2006 Subject: Question In-Reply-To: <44FDC7D6.4090902@pacific.net> References: <44FD5982.65ED.00A2.0@plattesheriff.org> <44FDB10E.30103@pacific.net> <44FD73A5.65ED.00A2.0@plattesheriff.org> <44FDC7D6.4090902@pacific.net> Message-ID: <223f97700609051424r7a6f4443t555c80b237523ef@mail.gmail.com> On 05/09/06, Ken A wrote: > > > Rob Poe wrote: > >> I have a client with an older linux box running MailScanner and it's just being crushed ... with spam.... > >> > >> It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk > >> > >> 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 > > > >> Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: Batch processed in 61.70 seconds > >> > >> I've tried 5, 3 and now 2 MS children. > >> > > > >> What does 'free' report? Using swap? Increase MS children up to 4 or 5 > >> until they start using swap, or add ram if they are already swapping. > > > > total used free shared buffers cached > > Mem: 479644 447512 32132 0 93536 161792 > > -/+ buffers/cache: 192184 287460 > > Swap: 2112440 4356 2108084 > > Looks like you are pushing it already at 2 children. More memory would > help. You should be able to run 4 MS processes with a GB of ram. Ah, beg to differ, if but a tad...:-) There is quite a bit of free memory there (both really free and "readily returnable":-), so that isn't likely "it". The total is a bit off from 512 MiB, which indicate that the machine have some memory snitched by a "share memory" VGA adapter (or similar)... Install the cheapest real VGA card you can find and disable the share-memory thing, if possible. And get some more real RAM, a big swap is just a crutch:-) But that's neither here nor there. The tiny amount of swap used doesn't really tell much.... 
"vmstat 2" is the tool to look to first, to see if you have any swap in/out activity (I'm guessing you'll not see much in that department:-). The high load means you're either waiting for CPU or I/O. Good tools to look at this (apart from what vmstat can tell you) are top, sar and iostat (start with top and iostat, which will help you determine what's up in the short term, and then move on to setting sar up.... that way you'll get some history to lean on in the future:). Does the system feel "sluggish" under the heavy load, or perhaps like it sometimes get stuck, then unclogs... or is it fairly responsive to keyboard input? > What about the network tests in SA? Are they running slowly? Are you > getting SA timeouts too? You could run 'spamassassin -D dns < /dev/null' > to get the list of rbls that SA is using and test them individually to > see if one of them is timing out? It would be nice if there was a script > for diagnosing MailScanner slowness. There are a lot of things that can > cause it, but most are pretty obvious - AFTER you find them. :-) > Without more forensic data, I'm thinking you're near the target Ken. Long I/O waits can really drive load through the roof. Especially if one has a lot of lookups to do, and a relatively congested network, or a piece of cr*p NIC. And that would still leave you with a "mysteriously responsive" system:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From matt at coders.co.uk Tue Sep 5 22:34:56 2006 From: matt at coders.co.uk (Matt Hampton) Date: Tue Sep 5 22:35:08 2006 Subject: Question In-Reply-To: <44FDCC15.50606@jlewiscooper.com> References: <44FD5982.65ED.00A2.0@plattesheriff.org> <44FDCC15.50606@jlewiscooper.com> Message-ID: <44FDED80.3080001@coders.co.uk> > service MailScanner stop > service MailScanner startout You might also need to do /usr/sbin/MailScanner as well. 
Otherwise it won't process messages ;-) matt From ka at pacific.net Tue Sep 5 23:18:14 2006 From: ka at pacific.net (Ken A) Date: Tue Sep 5 23:17:03 2006 Subject: Question In-Reply-To: <223f97700609051424r7a6f4443t555c80b237523ef@mail.gmail.com> References: <44FD5982.65ED.00A2.0@plattesheriff.org> <44FDB10E.30103@pacific.net> <44FD73A5.65ED.00A2.0@plattesheriff.org> <44FDC7D6.4090902@pacific.net> <223f97700609051424r7a6f4443t555c80b237523ef@mail.gmail.com> Message-ID: <44FDF7A6.7010205@pacific.net> Glenn Steen wrote: > On 05/09/06, Ken A wrote: >> >> >> Rob Poe wrote: >> >> I have a client with an older linux box running MailScanner and >> it's just being crushed ... with spam.... >> >> >> >> It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk >> >> >> >> 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04 >> > >> >> Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]: >> Batch processed in 61.70 seconds >> >> >> >> I've tried 5, 3 and now 2 MS children. >> >> >> > >> >> What does 'free' report? Using swap? Increase MS children up to 4 or 5 >> >> until they start using swap, or add ram if they are already swapping. >> > >> > total used free shared buffers >> cached >> > Mem: 479644 447512 32132 0 93536 >> 161792 >> > -/+ buffers/cache: 192184 287460 >> > Swap: 2112440 4356 2108084 >> >> Looks like you are pushing it already at 2 children. More memory would >> help. You should be able to run 4 MS processes with a GB of ram. > > Ah, beg to differ, if but a tad...:-) > There is quite a bit of free memory there (both really free and > "readily returnable":-), so that isn't likely "it". The total is a bit > off from 512 MiB, which indicate that the machine have some memory > snitched by a "share memory" VGA adapter (or similar)... Install the > cheapest real VGA card you can find and disable the share-memory > thing, if possible. And get some more real RAM, a big swap is just a > crutch:-) Our mailscanner processes are ~100mb each. So... 
did you used to try to squeeze an extra 10k out of your 386 dos
machine, so you could run doom? :-)

> But that's neither here nor there. The tiny amount of swap used
> doesn't really tell much.... "vmstat 2" is the tool to look to first,
> to see if you have any swap in/out activity (I'm guessing you'll not
> see much in that department:-).

good catch. It is hard to tell from the 'free' report above what is
actually happening, and vmstat will show you that and more.

> The high load means you're either waiting for CPU or I/O. Good tools
> to look at this (apart from what vmstat can tell you) are top, sar and
> iostat (start with top and iostat, which will help you determine
> what's up in the short term, and then move on to setting sar up....
> that way you'll get some history to lean on in the future:).

Another plus from adding some ram is that you can add a nameserver to
the box to speed up rbl lookups and/or a rbldnsd to serve them locally.

Ken A.
Pacific.Net

> Does the system feel "sluggish" under the heavy load, or perhaps like
> it sometimes get stuck, then unclogs... or is it fairly responsive to
> keyboard input?
>
>> What about the network tests in SA? Are they running slowly? Are you
>> getting SA timeouts too? You could run 'spamassassin -D dns < /dev/null'
>> to get the list of rbls that SA is using and test them individually to
>> see if one of them is timing out? It would be nice if there was a script
>> for diagnosing MailScanner slowness. There are a lot of things that can
>> cause it, but most are pretty obvious - AFTER you find them. :-)
>>
> Without more forensic data, I'm thinking you're near the target Ken.
> Long I/O waits can really drive load through the roof. Especially if
> one has a lot of lookups to do, and a relatively congested network, or
> a piece of cr*p NIC. And that would still leave you with a
> "mysteriously responsive" system:-).

From lshaw at emitinc.com Tue Sep 5 23:28:51 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Tue Sep 5 23:29:07 2006
Subject: Question
In-Reply-To: <223f97700609051424r7a6f4443t555c80b237523ef@mail.gmail.com>
References: <44FD5982.65ED.00A2.0@plattesheriff.org>
 <44FDB10E.30103@pacific.net>
 <44FD73A5.65ED.00A2.0@plattesheriff.org>
 <44FDC7D6.4090902@pacific.net>
 <223f97700609051424r7a6f4443t555c80b237523ef@mail.gmail.com>
Message-ID:

On Tue, 5 Sep 2006, Glenn Steen wrote:
> On 05/09/06, Ken A wrote:
>> Rob Poe wrote:

>> >              total       used       free     shared    buffers     cached
>> > Mem:        479644     447512      32132          0      93536     161792
>> > -/+ buffers/cache:     192184     287460
>> > Swap:      2112440       4356    2108084

>> Looks like you are pushing it already at 2 children. More memory would
>> help.

> Ah, beg to differ, if but a tad...:-)
> There is quite a bit of free memory there (both really free and
> "readily returnable":-), so that isn't likely "it". The total is a bit
> off from 512 MiB, which indicate that the machine have some memory
> snitched by a "share memory" VGA adapter (or similar)... Install the
> cheapest real VGA card you can find and disable the share-memory
> thing, if possible. And get some more real RAM, a big swap is just a
> crutch:-)

Side issue, but IMHO a big swap is a way to turn one kind of
negative consequences (running out of virtual memory) into
another kind (system getting ridiculously slow). So it's a
value judgement whether it's worth having big swap or not.

> But that's neither here nor there. The tiny amount of swap used
> doesn't really tell much.... "vmstat 2" is the tool to look to first,
> to see if you have any swap in/out activity (I'm guessing you'll not
> see much in that department:-).

Speaking of which, memory issues are always confusing on modern
operating systems with virtual memory (and the Linux "vmstat"
documentation isn't much help), so is it safe to assume that
vmstat's "si" and "so" columns are 0, then nothing is being
read/written to swap space?
That would be a pretty good
(but not perfect) indicator of relatively pressure for memory.

By the way, tiny amount of swap used should mean a pretty high
probability of no swapping going on. The converse isn't true
(you can have lots of stuff residing in swap but nothing going
back and forth between there and RAM), though.

  - Logan

From TGFurnish at herffjones.com Tue Sep 5 22:41:43 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Tue Sep 5 23:32:45 2006
Subject: problems reaching parts of the mailscanner docs online?
Message-ID: <57573D714A832C43B9D80EAFBDA48D03013572A4@inex3.herffjones.hj-int>

Anyone else having problems today (2006-09-05, 17:39 GMT-4) reaching the
MAQ? I get either a timeout or a connection refused when connecting to
wiki.mailscanner.info, as well as when connecting to
www.sng.ecs.soton.ac.uk for HTTP requests. Tested from two different
sites and several different servers, no firewalls or proxies involved.

From ka at pacific.net Tue Sep 5 23:45:43 2006
From: ka at pacific.net (Ken A)
Date: Tue Sep 5 23:44:29 2006
Subject: problems reaching parts of the mailscanner docs online?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D03013572A4@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D03013572A4@inex3.herffjones.hj-int>
Message-ID: <44FDFE17.60600@pacific.net>

yeah, same here. Can't get to the wiki.
Ken

Furnish, Trever G wrote:
> Anyone else having problems today (2006-09-05, 17:39 GMT-4) reaching the
> MAQ? I get either a timeout or a connection refused when connecting to
> wiki.mailscanner.info, as well as when connecting to
> www.sng.ecs.soton.ac.uk for HTTP requests. Tested from two different
> sites and several different servers, no firewalls or proxies involved.

From res at ausics.net Tue Sep 5 23:49:05 2006
From: res at ausics.net (Res)
Date: Tue Sep 5 23:49:33 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References:
Message-ID:

On Tue, 5 Sep 2006, John Rudd wrote:

>>> What's the point?
>>> (it's the one feature of MS whose point I've never
>>> understood)
>> The benefit of MS versus MTA is that the mail is
>> quarantined so can be released if the RBLs have got it wrong.
>
> Ok, I can admit that I hadn't considered that aspect at all (because I don't

RBL's first came about to stop waste of bandwidth by spamming scumbags drop em
dead in the water, by use in MS it kind of defeats the purpose

if typically you get 100K rejects at MTA per day, that's 100K messages less
you have to process, of course for SOHO's who get 10 a day it wouldn't
really matter all that much.

-- 
Res

From res at ausics.net Tue Sep 5 23:54:15 2006
From: res at ausics.net (Res)
Date: Tue Sep 5 23:54:48 2006
Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why?
In-Reply-To:
References: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com>
Message-ID:

On Tue, 5 Sep 2006, Logan Shaw wrote:

> On Tue, 5 Sep 2006, Res wrote:
>> On Mon, 4 Sep 2006, sandrews@andrewscompanies.com wrote:
>
>>> Most people don't allow file browse in webfolders. I think it's time to
>>> take your tinfoil hat off.
>
>> a webfolder... must be a micro$oft thing :P
>>
>> perl -pi -e "s/webfolder/directory (use its real name not M\$ slang)/g;" *
>
> Nah, it's not Microsoft slang, because it makes logical sense.

funny I only ever hear windows users refer to them as folders, for as long
as I can remember, no linux or unix has ever had a webfolder command :)
in fact I'm buggered if I can find that term used anywhere on my machines,
except when sifting through the /home/res/mail/mailscanner & sent-mail
files, what's even more funny it's not in apache ;)

> If it were Microsoft slang, it would use terminology in a
> way that muddies the issue and make everyone more confused
> than before.
> Maybe something which shows that Microsoft

it does tho I think, that's why they call it webfolder instead of folder
hehehe

-- 
Cheers
Res

From lshaw at emitinc.com Wed Sep 6 00:10:03 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Wed Sep 6 00:10:19 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References:
Message-ID:

On Wed, 6 Sep 2006, Res wrote:
> On Tue, 5 Sep 2006, John Rudd wrote:

>>> The benefit of MS versus MTA is that the mail is
>>> quarantined so can be released if the RBLs have got it wrong.

>> Ok, I can admit that I hadn't considered that aspect at all (because I
>> don't

> RBL's first came about to stop waste of bandwidth by spamming scumbags drop em
> dead in the water, by use in MS it kind of defeats the purpose
>
> if typically you get 100K rejects at MTA per day, that's 100K messages less
> you have to process

Whether it defeats the purpose depends on what the purpose is.
Is it a tool to save the bandwidth of accepting spam in the first
place? Or is it a source of information for the process of
classifying messages as spam/ham?

It's whichever you want it to be. And what you want depends on
the cost of receiving and scanning messages and whether you're
willing to pay that cost. And that, in turn, depends on the
resources (server hardware and bandwidth) available have versus
the consequences of knowing that you've discarded/refused when
you've had false positives.

  - Logan

From res at ausics.net Wed Sep 6 05:43:17 2006
From: res at ausics.net (Res)
Date: Wed Sep 6 05:43:34 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References:
Message-ID:

On Tue, 5 Sep 2006, Logan Shaw wrote:

> Whether it defeats the purpose depends on what the purpose is.

The purpose is made up of and in the order of...

Protecting users as much as possible from privacy invaders
Lessen the load as much as possible on the SMTP servers
Bandwidth usage/costs

Why should anyone go out and spend say 10K on another basic server to
handle the extra load?
nobody can ever tell me why I should do that, it's
always "get more or better hardware so S.A can work better" er no sorry,
I'll reduce the loading on the existing gear by preventing their trash from
even trying to occupy any more of my resources.

> and bandwidth) available have versus the consequences of knowing
> that you've discarded/refused when you've had false positives.

I've not yet once in all the years of use of RBL's, like back to when maps
was the in and only thing (and free) ever seen an IP wrongfully blocked.

If that scumbag shares a colo with 999 other hosts who are doing nothing
wrong, it is up to the admins of the zone to get off their lazy useless
asses and deal with the problem makers, most times (but admittedly not all)
an IP only gets in a list because system admins ignore complaints and fail
to deal with them for fear of losing that customer, their actions of
ignoring it, now places them at risk of instead of losing the 1 idiot, they
risk losing the other 999 innocent parties whose mail is blocked instead.

I also operate in similar way with the sendmail and qmail access files, if
we complain about spammers and a network fails to act after multiple
complaints then I'll take them out. For instance, I currently have
RHS blocking on telusplanet.net, comcast.net and hinet.net, 3 I gather
very large international ISP's. They prolly care about this as much as I do
now but at least my users won't see much if any of their trash :)

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away"
- Floyd

From taz at taz-mania.com Wed Sep 6 07:47:00 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Wed Sep 6 07:47:35 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References:
Message-ID: <44FE6EE4.4060703@taz-mania.com>

Res wrote:
> On Tue, 5 Sep 2006, Logan Shaw wrote:
>
>> Whether it defeats the purpose depends on what the purpose is.
>
> The purpose is made up of and in the order of...
>
> Protecting users as much as possible from privacy invaders
> Lessen the load as much as possible on the SMTP servers
> Bandwidth usage/costs
>
> Why should anyone go out and spend say 10K on another basic server to
> handle the extra load? nobody can ever tell me why I should do that,
> it's always "get more or better hardware so S.A can work better" er no
> sorry, I'll reduce the loading on the existing gear by preventing their
> trash from even trying to occupy any more of my resources.
>
>> and bandwidth) available have versus the consequences of knowing
>> that you've discarded/refused when you've had false positives.
>
> I've not yet once in all the years of use of RBL's, like back to when
> maps was the in and only thing (and free) ever seen an IP wrongfully
> blocked.

Well I've been using RBLs for just as long and they have errors all the
time. It depends on the RBL and how they get their listings as to how
accurate they are. Recently I had problems with SpamCop listing yahoo
groups servers and my users yelled about that...

> If that scumbag shares a colo with 999 other hosts who are doing
> nothing wrong, it is up to the admins of the zone to get off their
> lazy useless asses and deal with the problem makers, most times (but
> admittedly not all)
> an IP only gets in a list because system admins ignore complaints and
> fail to deal with them for fear of losing that customer, their actions
> of ignoring it, now places them at risk of instead of losing the 1
> idiot, they risk losing the other 999 innocent parties whose mail is
> blocked instead.
>
> I also operate in similar way with the sendmail and qmail access
> files, if we complain about spammers and a network fails to act after
> multiple complaints then I'll take them out. For instance, I currently
> have
> RHS blocking on telusplanet.net, comcast.net and hinet.net, 3 I
> gather very large international ISP's.
> They prolly care about this as
> much as I do now but at least my users won't see much if any of their
> trash :)

This is a poor way to block Spam. Since most Spammers use spoofed email
addresses including using valid user addresses who had nothing to do with
the Spam (usually by picking an address from their sending list and use
that as the From: address), so while it may block some Spam, it also
blocks many many users that had nothing to do with sending Spam.
Comcast.net itself does not send Spam, while some Spam comes from email
addresses that say they're from comcast.net, this is generally due to
spoofing. I have also tracked lots of IP addresses of originating hosts to
be on the comcast network... They were not from the comcast owned mail
servers and the From: email address was not using the comcast.net domain
so blocking the comcast.net domain doesn't really block Spam from
comcast.net customers. At least this is where RBLs do a better job as
they block based on the IP address of the server not the email address of
the spoofed sender. It would be nice if comcast used SPF to make it
easier to verify spoofed email addresses....

Actually I get the best results from Greet Pause, Sender Address
Verification and Greylisting. I do a number of other things at the SMTP
level as well, then follow it up with SpamAssassin/MailScanner to catch
the remaining Spam.

>
>

From Q.G.Campbell at newcastle.ac.uk Wed Sep 6 08:10:51 2006
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Wed Sep 6 08:10:58 2006
Subject: Is MCP "deliver" option working at all?
Message-ID: <4165CF7A7F12DE4B96622CCBB905864707D512B6@largo.campus.ncl.ac.uk>

Is anybody using the MCP "deliver" option with MS 4.55.* and can verify
that it is working?

If it is working, what do your MCP options values look like?

What does the "MCP Error" option value in MailScanner.conf do? How does
it interact with the other MCP options?

I am running MailScanner 4.55.7-1 & SpamAssassin 3.1.3 with Sendmail
(8.13) on Red Hat Enterprise Linux AS release 4. The relevant settings
in MailScanner.conf are:

MCP Checks = yes

# Do the spam checks first, or the MCP checks first?
# This cannot be the filename of a ruleset, only a fixed value.
First Check = mcp

# The rest of these options are clones of the equivalent spam options
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1

MCP Header = X-%org-name%-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = delete
Bounce MCP As Attachment = no

MCP Modify Subject = no
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = yes
High Scoring MCP Subject Text = {MCP?!}

Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = yes
Detailed MCP Report = yes
Include Scores In MCP Report = yes
Log MCP = yes

MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 75

MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt

The syslog records for a typical message scored by MCP for delivery:

...
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: from=, size=1086, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=stromberg.ncl.ac.uk [10.8.234.172]
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: milter=milter-link, action=header, continue
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: milter=milter-link, action=eoh, continue
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: milter=milter-link, action=body, continue
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: Milter add: header: Received-SPF: pass (cheviot4.ncl.ac.uk: 10.8.234.172 is authenticated by a trusted mechanism)
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: Milter accept: message
Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: to=, delay=00:00:00, mailer=esmtp, pri=31086, stat=queued
Sep 5 06:15:19 cheviot4 MailScanner[12258]: Message k855FG8A007250 from 10.8.234.172 (nxxx@cpx.ncl.ac.uk) to learningemall.com is MCP, MCP-Checker (score=1, required 1, MCP_OOO_2 1.00)
Sep 5 06:15:19 cheviot4 MailScanner[12258]: MCP Actions: message k855FG8A007250 actions are deliver
Sep 5 06:15:21 cheviot4 sendmail[7309]: k855FG8A007250: done; delay=00:00:05, ntries=1

Note _no_ Sendmail "stat=Sent" record. It is as if MailScanner simply
dropped the queue files for the message and did not put them in
/var/spool/mqueue.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------
Opinions expressed above are mine.

From Q.G.Campbell at newcastle.ac.uk Wed Sep 6 08:24:11 2006
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Wed Sep 6 08:24:16 2006
Subject: Is MCP "deliver" option working at all?
In-Reply-To: <4165CF7A7F12DE4B96622CCBB905864707D512B6@largo.campus.ncl.ac.uk>
Message-ID: <4165CF7A7F12DE4B96622CCBB905864707D512B9@largo.campus.ncl.ac.uk>

Still want confirmation that the MCP "deliver" option is working for
anyone.

However found a description of the function of the "MCP Error" value
but it raises as many questions as it answers:

'The "MCP Error Score" setting is there so that you can choose what
happens if the MCP system fails for some unknown reason. Set it to 0
and failure will cause mail to be delivered as normal, but a high score
would make it get stopped (assuming you set "High Scoring MCP Actions"
appropriately.'

Why, then, is the default value '1' rather than '0'?

I have:

MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1

and wonder if the 'MCP Error Score = 1' is interacting adversely with
'MCP Required SpamAssassin Score = 1'.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------
Opinions expressed above are mine.

>-----Original Message-----
>From: mailscanner-bounces@lists.mailscanner.info
>[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>Of Quentin Campbell
>Sent: 06 September 2006 08:11
>To: MailScanner discussion
>Subject: Is MCP "deliver" option working at all?
>
>Is anybody using the MCP "deliver" option with MS 4.55.* and can verify
>that it is working?
>
>If it is working, what do your MCP options values look like?
>
>What does the "MCP Error" option value in MailScanner.conf do? How does
>it interact with the other MCP options?
>
>I am running MailScanner 4.55.7-1 & SpamAssassin 3.1.3 with Sendmail
>(8.13) on Red Hat Enterprise Linux AS release 4. The relevant settings
>in MailScanner.conf are:
>
>MCP Checks = yes
>
># Do the spam checks first, or the MCP checks first?
># This cannot be the filename of a ruleset, only a fixed value.
>First Check = mcp
>
># The rest of these options are clones of the equivalent spam options
>MCP Required SpamAssassin Score = 1
>MCP High SpamAssassin Score = 10
>MCP Error Score = 1
>
>MCP Header = X-%org-name%-MailScanner-MCPCheck:
>Non MCP Actions = deliver
>MCP Actions = deliver
>High Scoring MCP Actions = delete
>Bounce MCP As Attachment = no
>
>MCP Modify Subject = no
>MCP Subject Text = {MCP?}
>High Scoring MCP Modify Subject = yes
>High Scoring MCP Subject Text = {MCP?!}
>
>Is Definitely MCP = no
>Is Definitely Not MCP = no
>Definite MCP Is High Scoring = no
>Always Include MCP Report = yes
>Detailed MCP Report = yes
>Include Scores In MCP Report = yes
>Log MCP = yes
>
>MCP Max SpamAssassin Timeouts = 20
>MCP Max SpamAssassin Size = 100k
>MCP SpamAssassin Timeout = 75
>
>MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
>MCP SpamAssassin User State Dir =
>MCP SpamAssassin Local Rules Dir = %mcp-dir%
>MCP SpamAssassin Default Rules Dir = %mcp-dir%
>MCP SpamAssassin Install Prefix = %mcp-dir%
>Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
>Sender MCP Report = %report-dir%/sender.mcp.report.txt
>
>The syslog records for a typical message scored by MCP for delivery:
>
>...
>Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
>from=, size=1086, class=0, nrcpts=1,
>msgid=ncl.ac.uk
>>, proto=ESMTP, daemon=MTA, relay=stromberg.ncl.ac.uk [10.8.234.172]
>Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
>milter=milter-link, action=header, continue
>Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
>milter=milter-link, action=eoh, continue
>Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
>milter=milter-link, action=body, continue
>Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: Milter add:
>header: Received-SPF: pass (cheviot4.ncl.ac.uk: 10.8.234.172 is
>authenticated by a trusted mechanism)
>Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250: Milter accept:
>message
>Sep 5 06:15:16 cheviot4 sendmail[7250]: k855FG8A007250:
>to=, delay=00:00:00, mailer=esmtp,
>pri=31086,
>stat=queued
>Sep 5 06:15:19 cheviot4 MailScanner[12258]: Message
>k855FG8A007250 from
>10.8.234.172 (nxxx@cpx.ncl.ac.uk) to learningemall.com is MCP,
>MCP-Checker (score=1, required 1, MCP_OOO_2 1.00)
>Sep 5 06:15:19 cheviot4 MailScanner[12258]: MCP Actions: message
>k855FG8A007250 actions are deliver
>Sep 5 06:15:21 cheviot4 sendmail[7309]: k855FG8A007250: done;
>delay=00:00:05, ntries=1
>
>Note _no_ Sendmail "stat=Sent" record. It is as if MailScanner simply
>dropped the queue files for the message and did not put them in
>/var/spool/mqueue.
>
>Quentin
>---
>PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>                           Newcastle University,
>                           Newcastle upon Tyne,
>FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>------------------------------------------------------------------
>Opinions expressed above are mine.
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!
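
A log check for the symptom reported in the two posts above (MailScanner logs "actions are deliver" for a queue ID, but sendmail never logs stat=Sent for it). This is an added example, not code from the posts or from MailScanner; the log lines, the host name "mx1", the addresses and the queue IDs are constructed, modelled on the syslog format quoted in the post, and the "actions are delete" line assumes the same wording as the "deliver" line.

```python
import re
from collections import defaultdict

# Constructed sample (not from the post): three messages, one of which
# reproduces the reported pattern of "deliver" with no stat=Sent record.
SAMPLE_LOG = """\
Sep  5 06:15:16 mx1 sendmail[7250]: k855FG8A007250: from=<a@example.org>, size=1086, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=relay.example.org [192.0.2.10]
Sep  5 06:15:16 mx1 sendmail[7250]: k855FG8A007250: to=<b@example.net>, delay=00:00:00, mailer=esmtp, pri=31086, stat=queued
Sep  5 06:15:19 mx1 MailScanner[12258]: Message k855FG8A007250 from 192.0.2.10 (a@example.org) to example.net is MCP, MCP-Checker (score=1, required 1, MCP_OOO_2 1.00)
Sep  5 06:15:19 mx1 MailScanner[12258]: MCP Actions: message k855FG8A007250 actions are deliver
Sep  5 06:15:21 mx1 sendmail[7309]: k855FG8A007250: done; delay=00:00:05, ntries=1
Sep  5 06:16:02 mx1 sendmail[7311]: k855G2bC007311: from=<c@example.org>, size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=relay.example.org [192.0.2.10]
Sep  5 06:16:02 mx1 sendmail[7311]: k855G2bC007311: to=<d@example.net>, delay=00:00:00, mailer=esmtp, pri=32210, stat=queued
Sep  5 06:16:05 mx1 MailScanner[12258]: MCP Actions: message k855G2bC007311 actions are deliver
Sep  5 06:16:07 mx1 sendmail[7320]: k855G2bC007311: to=<d@example.net>, delay=00:00:05, xdelay=00:00:01, mailer=esmtp, pri=122210, relay=mail.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent (ok)
Sep  5 06:17:40 mx1 MailScanner[12258]: MCP Actions: message k855HeXy007402 actions are delete
"""

# sendmail lines: "sendmail[pid]: <queue id>: <key=value, ...>"
SENDMAIL_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# MailScanner MCP decision line, as quoted in the post
MCP_RE = re.compile(
    r"MailScanner\[\d+\]: MCP Actions: message (?P<qid>\w+) "
    r"actions are (?P<actions>.+)$"
)
# stat=queued, stat=Sent (ok), stat=Deferred: ... ; keep only the keyword
STAT_RE = re.compile(r"\bstat=(?P<stat>[^,(]+)")


def correlate(lines):
    """Group sendmail and MailScanner records by sendmail queue ID."""
    records = defaultdict(
        lambda: {"mcp_actions": set(), "stats": [], "done": False}
    )
    for line in lines:
        m = MCP_RE.search(line)
        if m:
            records[m["qid"]]["mcp_actions"].update(m["actions"].split())
            continue
        m = SENDMAIL_RE.search(line)
        if not m:
            continue  # other daemons, or MailScanner lines we do not use
        rec = records[m["qid"]]
        stat = STAT_RE.search(m["rest"])
        if stat:
            rec["stats"].append(stat["stat"].strip())
        if m["rest"].startswith("done;"):
            rec["done"] = True  # queue runner finished with this message
    return dict(records)


def deliver_without_sent(records):
    """Queue IDs MailScanner marked 'deliver' that never reached stat=Sent."""
    return sorted(
        qid
        for qid, rec in records.items()
        if "deliver" in rec["mcp_actions"]
        and not any(s.startswith("Sent") for s in rec["stats"])
    )


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG.splitlines())
    for qid in deliver_without_sent(recs):
        print(qid, "stats:", recs[qid]["stats"], "done:", recs[qid]["done"])
```

Run against the real maillog, a message still waiting in the queue also shows up, so compare the timestamps or the "done" flag before treating a hit as lost mail.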

From glenn.steen at gmail.com Wed Sep 6 08:55:07 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 6 08:55:10 2006
Subject: Question
In-Reply-To:
References: <44FD5982.65ED.00A2.0@plattesheriff.org>
 <44FDB10E.30103@pacific.net>
 <44FD73A5.65ED.00A2.0@plattesheriff.org>
 <44FDC7D6.4090902@pacific.net>
 <223f97700609051424r7a6f4443t555c80b237523ef@mail.gmail.com>
Message-ID: <223f97700609060055m1d1e56efu9c3c853d913bbb28@mail.gmail.com>

On 06/09/06, Logan Shaw wrote:
> On Tue, 5 Sep 2006, Glenn Steen wrote:
> > On 05/09/06, Ken A wrote:
> >> Rob Poe wrote:
>
> >> >              total       used       free     shared    buffers     cached
> >> > Mem:        479644     447512      32132          0      93536     161792
> >> > -/+ buffers/cache:     192184     287460
> >> > Swap:      2112440       4356    2108084
>
> >> Looks like you are pushing it already at 2 children. More memory would
> >> help.
>
> > Ah, beg to differ, if but a tad...:-)
> > There is quite a bit of free memory there (both really free and
> > "readily returnable":-), so that isn't likely "it". The total is a bit
> > off from 512 MiB, which indicate that the machine have some memory
> > snitched by a "share memory" VGA adapter (or similar)... Install the
> > cheapest real VGA card you can find and disable the share-memory
> > thing, if possible. And get some more real RAM, a big swap is just a
> > crutch:-)
>
> Side issue, but IMHO a big swap is a way to turn one kind of
> negative consequences (running out of virtual memory) into
> another kind (system getting ridiculously slow). So it's a
> value judgement whether it's worth having big swap or not.

Yes, well... The "divide" is "no swap"/"swap" (once you're heavily
into that swap, it's time to call your RAM supplier:-). A 2 GiB swap
on a system with 512 MiB RAM is usually (but not always) just a waste
of diskspace. Yeah yeah, disk is cheap, I know:-).

> > But that's neither here nor there. The tiny amount of swap used
> > doesn't really tell much.... "vmstat 2" is the tool to look to first,
> > to see if you have any swap in/out activity (I'm guessing you'll not
> > see much in that department:-).
>
> Speaking of which, memory issues are always confusing on modern
> operating systems with virtual memory (and the Linux "vmstat"
> documentation isn't much help), so is it safe to assume that
> vmstat's "si" and "so" columns are 0, then nothing is being
> read/written to swap space? That would be a pretty good
> (but not perfect) indicator of relatively pressure for memory.

According to the Swordfish book (and my experience;), the "si" and
"so" fields of vmstat are the only ones worth looking at, with linux
vmstat. The other things are pretty much better covered by other
tools. So yes, that is why one should always look at vmstat when one
suspects that the system has swapping activity. Oh, and remember to
always disregard the first line of junk (but you knew that:-).

> By the way, tiny amount of swap used should mean a pretty high
> probability of no swapping going on. The converse isn't true
> (you can have lots of stuff residing in swap but nothing going
> back and forth between there and RAM), though.

Quite true. And having a lot of "unused cr*p" in swap is actually a
good thing, as that will free up memory for ... better use, and the
only real problem with swap is the slow I/O to/from it (compared to
memory). That is why looking at si/so is important, one could say:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Sep 6 09:09:46 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 6 09:09:49 2006
Subject: Question
In-Reply-To: <44FDF7A6.7010205@pacific.net>
References: <44FD5982.65ED.00A2.0@plattesheriff.org>
 <44FDB10E.30103@pacific.net>
 <44FD73A5.65ED.00A2.0@plattesheriff.org>
 <44FDC7D6.4090902@pacific.net>
 <223f97700609051424r7a6f4443t555c80b237523ef@mail.gmail.com>
 <44FDF7A6.7010205@pacific.net>
Message-ID: <223f97700609060109k56f8d48bpbf326f3a78d697e3@mail.gmail.com>

On 06/09/06, Ken A wrote:
>
>
> Glenn Steen wrote:
> > On 05/09/06, Ken A wrote:
> >>
> >>
> >> Rob Poe wrote:
> >> >> I have a client with an older linux box running MailScanner and
> >> >> it's just being crushed ... with spam....
> >> >>
> >> >> It's a Celeron 2.0 ghz / 512mb ram / dual IDE disk
> >> >>
> >> >> 10:55:02 up 19:05, 1 user, load average: 6.23, 4.56, 4.04
> >> >
> >> >> Seeing things like this: Sep 5 10:56:12 mail MailScanner[25809]:
> >> >> Batch processed in 61.70 seconds
> >> >>
> >> >> I've tried 5, 3 and now 2 MS children.
> >> >>
> >> >
> >> >> What does 'free' report? Using swap? Increase MS children up to 4 or 5
> >> >> until they start using swap, or add ram if they are already swapping.
> >> >
> >> >              total       used       free     shared    buffers     cached
> >> > Mem:        479644     447512      32132          0      93536     161792
> >> > -/+ buffers/cache:     192184     287460
> >> > Swap:      2112440       4356    2108084
> >>
> >> Looks like you are pushing it already at 2 children. More memory would
> >> help. You should be able to run 4 MS processes with a GB of ram.
> >
> > Ah, beg to differ, if but a tad...:-)
> > There is quite a bit of free memory there (both really free and
> > "readily returnable":-), so that isn't likely "it". The total is a bit
> > off from 512 MiB, which indicate that the machine have some memory
> > snitched by a "share memory" VGA adapter (or similar)...
> > Install the
> > cheapest real VGA card you can find and disable the share-memory
> > thing, if possible. And get some more real RAM, a big swap is just a
> > crutch:-)
>
> Our mailscanner processes are ~100mb each. So... did you used to try to
> squeeze an extra 10k out of your 386 dos machine, so you could run
> doom? :-)

It's all a question of relative sizes... On an ABC80 (Luxor computer,
based around the Z80 chip) saving 10 KiB would mean saving most of the
available memory;-):-)... At a previous job (manufacturing industry)
they actually had to do stupid things like that, but not for doom,
rather to get the production 386:s to both have the homegrown
production app and a "network client" running at the same time. One
can say I'm familiar with the concept.

In this case you have more than 100 MiB available, which means that
_as it is set now_ it doesn't have an immediate memory problem. One MS
child more though, and things might hit the fan, at a disturbing
rate:-). Having another 32 MiB "locked" to some piece of **** onboard
VGA chip, in that context, isn't particularly good. Every bit that can
improve a somewhat resource-starved system.... But as with disks, RAM
is cheap these days, so...:-)

> > But that's neither here nor there. The tiny amount of swap used
> > doesn't really tell much.... "vmstat 2" is the tool to look to first,
> > to see if you have any swap in/out activity (I'm guessing you'll not
> > see much in that department:-).
>
> good catch. It is hard to tell from the 'free' report above what is
> actually happening, and vmstat will show you that and more

Yes well, vmstats si/so is really the only info worth monitoring with
that particular tool, IMO.

> > The high load means you're either waiting for CPU or I/O. Good tools
> > to look at this (apart from what vmstat can tell you) are top, sar and
> > iostat (start with top and iostat, which will help you determine
> > what's up in the short term, and then move on to setting sar up....
> > that way you'll get some history to lean on in the future:).
>
> Another plus from adding some ram is that you can add a nameserver to
> the box to speed up rbl lookups and/or a rbldnsd to serve them locally.
>

Oh yes. A very good idea that.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Wed Sep 6 09:09:46 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Sep 6 09:09:58 2006
Subject: problems reaching parts of the mailscanner docs online?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D03013572A4@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D03013572A4@inex3.herffjones.hj-int>
Message-ID: <44FE824A.1010707@solidstatelogic.com>

Furnish, Trever G wrote:
> Anyone else having problems today (2006-09-05, 17:39 GMT-4) reaching the
> MAQ? I get either a timeout or a connection refused when connecting to
> wiki.mailscanner.info, as well as when connecting to
> www.sng.ecs.soton.ac.uk for HTTP requests. Tested from two different
> sites and several different servers, no firewalls or proxies involved.

Back now. I guess they were working on the web servers as the whole of
ecs.soton.ac.uk was offline for me..either that or the external line
they use is out of action.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From mailscanner at mango.zw Wed Sep 6 11:01:18 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Wed Sep 6 11:01:32 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
Message-ID:

On Wed, 6 Sep 2006, Res wrote:

> Date: Wed, 6 Sep 2006 08:49:05 +1000 (EST)
> From: Res
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Anyone using zen.spamhaus.org?
>
> On Tue, 5 Sep 2006, John Rudd wrote:
>
> >>> What's the point? (it's the one feature of MS whose point I've never
> >>> understood)
> >> The benefit of MS versus MTA is that the mail is
> >> quarantined so can be released if the RBLs have got it wrong.
> >
> > Ok, I can admit that I hadn't considered that aspect at all (because I don't
>
> RBL's first came about to stop waste of bandwidth by spamming scumbags drop
> em dead in the water, by use in MS it kind of defeats the purpose
>
> if typically you get 100K rejects at MTA per day, thats 100K messages
> less you have to process, of course for SOHO's who get 10 a day it
> wouldnt really matter all that much.

I had a quick look at our yesterday logs and see, to my total amazement, that we rejected 60K (sic) connections at MTA level - that is based on greet-pause, blocked servers, domains, addresses, DNS problems etc etc. Didn't include unknown users. So it is essential to do what you can at that level first (our Internet link is only 64k for 2 500 e-mail users).

I just don't want to use DNS blocklists there. However after all that was blocked there, MS blocked less than 500 more based on RBL checks. That is what is quarantined. Of that, we would get probably a dozen or so requests a day for such mail to be released. We find that even Hotmail and Yahoo servers occasionally get on RBLs.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From mailscanner at mango.zw Wed Sep 6 11:22:42 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Wed Sep 6 11:22:45 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <44FE6EE4.4060703@taz-mania.com>
Message-ID:

On Tue, 5 Sep 2006, Dennis Willson wrote:

> Res wrote:
> > On Tue, 5 Sep 2006, Logan Shaw wrote:
> >
> >> Whether it defeats the purpose depends on what the purpose is.
> >
> > The purpose is made up of and in the order of...
> >
> > Protecting users as much as possible from privacy invaders
> > Lessen the load as much as possible on the SMTP servers
> > Bandwidth usage/costs
> >
> > Why should anyone go out and spend say 10K on another basic server to
> > handle the extra load? nobody can ever tell me why I should do that,
> > its always "get more or better hardware so S.A can work better" er no
> > sorry, ill reduce the loading on the existing gear by preventing their
> > trash from even trying to occupy any more of my resources.
> >
> >> and bandwidth) available have versus the consequences of knowing
> >> that you've discarded/refused when you've had false positives.
> >
> > I've not yet once in all the years of use of RBL's, like back to when
> > maps was the in and only thing (and free) ever seen an IP wrongfully
> > blocked.
> Well I've been using RBLs for just as long and they have errors all the
> time. It depends on the RBL and how they get their listings as to how
> accurate they are. Recently I had problems with SpamCop listing yahoo
> groups servers and my users yelled about that...

I have also found many false positives, especially as I deliberately use a somewhat aggressive RBL - t1.dnsbl.net.au.

> > If that scumbag shares a colo with 999 other hosts who are doing
> > nothing wrong, it is up to the admins of the zone to get off their
> > lazy useless asses and deal with the problem makers, most times (but
> > admittedly not all)
> > an IP only gets in a list because system admins ignore complaints and
> > fail to deal with them for fear of losing that customer, their actions
> > of ignoring it, now places them at risk of instead of losing the 1
> > idiot, they risk losing the other 999 innocent parties whos mail is
> > blocked instead.
> >
> > I also operate in similar way with the sendmail and qmail access
> > files, if we complain about spammers and a network fails to act after
> > multiple complaints then ill take them out. For instance, I currently
> > have
> > RHS blocking on telusplanet.net, comcast.net and hinet.net, 3 i
> > gather very large international ISP's. They prolly care about this as
> > much as i do now but at least my users wont see much if any of their
> > trash :)
> This is a poor way to block Spam. Since most Spammers use spoofed email
> addresses including using valid user addresses who had nothing to do
> with the Spam (usually by picking an address from their sending list and
> use that as the From: address), so while it may block some Spam, it also
> blocks many many users that had nothing to do with sending Spam.
> Comcast.net itself does not send Spam, while some Spam comes from email
> addresses that say they're from comcast.net, this is generally due to
> spoofing. I have also tracked lots of IP addresses of originating hosts to
> be on the comcast network... They were not from the comcast owned mail
> servers and the From: email address was not using the comcast.net domain
> so blocking the comcast.net domain doesn't really block Spam from
> comcast.net customers. At least this is where RBLs do a better job as
> they block based on the IP address of the server not the email address
> of the spoofed sender.

I presume that the previous sender was referring to comcast.net client servers rather than their domain. I agree that blocking by domain is generally not a good idea (with quite a few specific exceptions, such as all the garageservice.biz type domains), and I wouldn't block comcast.net e-mail addresses. However I do block all comcast.net servers with hostnames of the form hsd1.xx.comcast.net - they just spew out spam all the time. There I am of course being more aggressive than the RBLs.

> It would be nice if comcast used SPF to make it easier to verify spoofed
> email addresses....
>
> Actually I get the best results from Greet Pause, Sender Address
> Verification and Greylisting. I do a number of other things at the SMTP
> level as well, then follow it up with SpamAssassin/MailScanner to catch
> the remaining Spam.

Yes - all essential tools.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From joakim at cefalk.com Wed Sep 6 13:07:28 2006
From: joakim at cefalk.com (Joakim Cefalk)
Date: Wed Sep 6 13:07:33 2006
Subject: MailScanner putting dirs in /proc
Message-ID: <44FEBA00.2010209@cefalk.com>

Hello!

I have been upgrading from 4.48. to 4.55.10, before mailscanner was making folders in folder /var/spool/MailScanner/incoming but after upgrading these folders are in folder /proc. If i check in my MailScanner.conf file

Incoming Work Dir = /var/spool/MailScanner/incoming

A second question. Should these folders not be deleted by MailScanner? Every day there is a couple that are not deleted.

Best regards
Joakim

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060906/0e04ba38/attachment.html

From res at ausics.net Wed Sep 6 13:18:59 2006
From: res at ausics.net (Res)
Date: Wed Sep 6 13:19:50 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <44FE6EE4.4060703@taz-mania.com>
References: <44FE6EE4.4060703@taz-mania.com>
Message-ID:

On Tue, 5 Sep 2006, Dennis Willson wrote:

> are. Recently I had problems with SpamCop listing yahoo groups servers and my
> users yelled about that...

if spamcop listed em its for a very good reason and I know personally yahoo ignore complaints, so i wouldnt say it was wrongfully listed

>
>> I also operate in similar way with the sendmail and qmail access files, if
>> we complain about spammers and a network fails to act after multiple
> This is a poor way to block Spam. Since most Spammers use spoofed email
> addresses including using valid user addresses who had nothing to do with the
> Spam (usually by picking an address from their sending list and use that as
> the From: address), so while it may block some Spam, it also blocks many many

huh? we do our homework, who the hell blocks using the from lines these days anyway.

> users that had nothing to do with sending Spam. Comcast.net itself does not
> send Spam, while some Spam comes from email addresses that say they're from

bullshit! if comcast ignore complaints proven to be their scumbag spammer users they are JUST as much at fault as the idiot spammer.

>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Sep 6 13:31:26 2006
From: res at ausics.net (Res)
Date: Wed Sep 6 13:31:42 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References:
Message-ID:

On Wed, 6 Sep 2006, Jim Holland wrote:

> I had a quick look at our yesterday logs and see, to my total amazement,
> that we rejected 60K (sic) connections at MTA level - that is based on
> greet-pause, blocked servers, domains, addresses, DNS problems etc etc.
> Didn't include unknown users. So it is essential to do what you can at
> that level first (our Internet link is only 64k for 2 500 e-mail users).
> I just don't want to use DNS blocklists there. However after all that was
> blocked there, MS blocked less than 500 more based on RBL checks. That is
> what is quarantined. Of that, we would get probably a dozen or so
> requests a day for such mail to be released. We find that even Hotmail
> and Yahoo servers occasionally get on RBLs.

The only RBL i've seen that seems to list hotmail often is SORBS, which we dont use. Yahoo well they deserve to be blocked IMHO :) and having said that one thing i give m$ credit for it dealing with hotmail abusers they respond typically within 24 hours, and I'm talking a human not a auto responder, yes yes totally flipped me out as well LOL

I agree the earlier checks do a lot of the work, bad helos, make em have forward and reverse DNS (which gets about 90% more) but can be a problem with some of the Australian govt depts who dont know what dns is :)
greet pause is very handy feature and its ability to no-delay your own users or others that are trusted doesnt upset your own customers, I dont believe in greylisting tho, in many cases its more of a pain and can cause lengthy delays, especially when you have users who expect mail to be in their inbox 5 minutes *before* the sender sends it, you know the types...
and with multiple MX's if it hits anothers box its delayed again and so on and so on, yes it happens, not to us but to other admins i know who tried it.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From amoore at dekalbmemorial.com Wed Sep 6 14:12:27 2006
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Wed Sep 6 14:12:32 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
Message-ID: <60D398EB2DB948409CA1F50D8AF12257016EBBC9@exch1.dekalbmemorial.local>

John Rudd wrote:
> On Sep 5, 2006, at 12:37 AM, Glenn Steen wrote:
>
>> On 05/09/06, Alex Neuman van der Hans wrote:
>>> John Rudd wrote:
>>>>
>>>> On Sep 4, 2006, at 5:11 PM, Glenn Steen wrote:
>>>>
>>>>>
>>>>> I for one work under legislation that prohibit me from flat-out
>>>>> rejecting _based on sender alone_ (it's a bit more involved than
>>>>> that, but lets leave that:-)
>>>>
>>
>> It's a brew of different (Swedish) laws governing "principal of
>> availability and open equal dealing with all subjects"... Laws
>> covering everything from freedom of speech(!) to how public documents
>> are to be archived and handled. I'm certainly no lawyer, but
>> thankfully a central .gov agency (Statskontoret for those who really
>> want to know) has made a set of guidelines for us poor "public
>> mailadmins" to follow. They're pretty generic, and open for _some_
>> interpretation, but paramount is that the collected body of laws does
>> not allow us to use "generic blacklists" for rejecting messages. If I
>> could somehow complement everything to know that a sender was
>> actually a Swedish subject, then perhaps I could use BLs, but...
>> Alas not now.
>>
>
> Except... RBLs don't block senders. They block hosts (actually,
> that's not true either: they block IP addresses; a host can change
> IPs over time, and a sender can change hosts frequently ...
> especially when you consider relaying). Seems to me a distinction
> could be made...
>
> I mean, if I use a DUL type RBL to block ISP customer IPs, I'll still
> receive the sender's email via the ISP's proper mail gateway. I could
> go on, but RBLs are not even remotely about "based on sender", IMO.

I send a url back in the rejection messages for instructions on how to contact us so that legitimate mail can be whitelisted if they're showing up in one of the blacklists.

In the last 6 months or so I've had two companies that we do business with that use a hosted e-mail service get blocked by sorbs. And one that is on a DUL list as they send out from their local mail server, instead of through any of their registered mail servers.

If it wasn't for the RBLs our mail server would've succumbed to the massive increase in spam several months ago.

I'd look into white listing Swedish mail servers. Not being able to use RBLs is extremely limiting. Perhaps it's time to start lobbying your government for changing their guidelines.

--
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, IN
Phone: 260.920.2808
E-mail: amoore@dekalbmemorial.com

From sandrews at andrewscompanies.com Wed Sep 6 14:13:30 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Wed Sep 6 14:13:35 2006
Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why?
Message-ID: <1964AAFBC212F742958F9275BF63DBB04292CE@winchester.andrewscompanies.com>

Ok, so I'm exposed. I started life with MS. You got me. ;)

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
Sent: Monday, September 04, 2006 6:33 PM
To: MailScanner discussion
Subject: RE: Forbidden to browse http://www.mailscanner.info/files/4 - why?

On Mon, 4 Sep 2006, sandrews@andrewscompanies.com wrote:

> Most people don't allow file browse in webfolders. I think it's time
> to take your tinfoil hat off.

a webfolder...
must be a micro$oft thing :P

perl -pi -e "s/webfolder/directory (use its real name not M\$ slang)/g;" *

--
Cheers
Res

Aussie Open Source Hosting

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!

From sandrews at andrewscompanies.com Wed Sep 6 14:14:55 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Wed Sep 6 14:15:26 2006
Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why?
Message-ID: <1964AAFBC212F742958F9275BF63DBB04292CF@winchester.andrewscompanies.com>

If it doesn't have a webfolder command, write one. Come on, this is open source, help a brotha' out.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
Sent: Tuesday, September 05, 2006 6:54 PM
To: MailScanner discussion
Subject: RE: Forbidden to browse http://www.mailscanner.info/files/4 - why?

On Tue, 5 Sep 2006, Logan Shaw wrote:

> On Tue, 5 Sep 2006, Res wrote:
>> On Mon, 4 Sep 2006, sandrews@andrewscompanies.com wrote:
>
>>> Most people don't allow file browse in webfolders. I think it's
>>> time to take your tinfoil hat off.
>
>> a webfolder... must be a micro$oft thing :P
>>
>> perl -pi -e "s/webfolder/directory (use its real name not M\$
>> slang)/g;" *
>
> Nah, it's not Microsoft slang, because it makes logical sense.

funny i only ever hear windows users refer to them as folders, for as long as I can remember, no linux or unix has ever had a webfolder command :) in fact im buggered if i can find that term used anywhere on my machines, except when sifting through the /home/res/mail/mailscanner & sent-mail files, whats even more funny its not in apache ;)

> If it were Microsoft slang, it would use terminology in a way that
> muddies the issue and make everyone more confused than before. Maybe
> something which shows that Microsoft

it does tho i think, thats why they call it webfolder instead of folder hehehe

--
Cheers
Res

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!

From glenn.steen at gmail.com Wed Sep 6 14:43:17 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 6 14:43:58 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <60D398EB2DB948409CA1F50D8AF12257016EBBC9@exch1.dekalbmemorial.local>
References: <60D398EB2DB948409CA1F50D8AF12257016EBBC9@exch1.dekalbmemorial.local>
Message-ID: <223f97700609060643p48a5ee32sc6774ba0cabc2243@mail.gmail.com>

On 06/09/06, Aaron K. Moore wrote:
(snip)
> I'd look into white listing Swedish mail servers. Not being able to use
> RBLs is extremely limiting. Perhaps it's time to start lobbying your
> government for changing their guidelines.
>

I wish it was that simple... I would personally love to be able to use a few RBLs at the MTA level.

Two things:

1) It is not restricted to Swedish mail servers, it is regarding Swedish citizens, wherever they choose to reside, whatever ISP or whatnot they choose to use. Kind of defeats the whitelist idea, unfortunately.
2) If I cannot make them see the light with something as simple to grasp as the badness of software patents (Swedish representatives have been very much in favour of the much-hated EU proposal), what is the chance of me making a bunch of lawyers and politicians see the usefulness of RBLs? If I understand correctly, it was a rather big win to not have them banned entirely in the guidelines. Sigh.

So far though, we've had tremendous success with simple measures (RFC strictness, recipient verification etc), so ... I'll muddle along:-). But thanks for all the suggestions.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From edwardbruce at sbcglobal.net Wed Sep 6 14:46:16 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Wed Sep 6 14:47:06 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References:
Message-ID: <44FED128.9020907@sbcglobal.net>

Res wrote:
>
>
> I agree the earlier checks do a lot of the work, bad helos, make em
> have forward and reverse DNS (which gets about 90% more) but can be a
> problem with some of the Australian govt depts who dont know what dns
> is :)
> greet pause is very handy feature and its ability to no-delay your own
> users or others that are trusted doesnt upset your own customers, I
> dont believe in greylisting tho, in many cases its more of a pain and
> can cause lengthy delays, especially when you have users who expect
> mail to be in their inbox 5 minutes *before* the sender sends it, you
> know the types...
> and with multiple MX's if it hits anothers box its delayed again and
> so on and so on, yes it happens, not to us but to other admins i know
> who tried it.
>
>
>

Interesting. I just added greylisting and my stats with MS reversed. I run MailWatch and when I would log in the morning I would have only 12-15% of email id as clean. Now it is regularly 75-80% clean.
And so far it has only been one user that wanted their email now that had two emails delayed. Luckily they complain so much nobody cared :)

Actually I had the most trouble with forward and reverse DNS. I turned that off because my whitelist had grown to over a couple hundred entries. With greylisting I've only had to add 5 or 6 domains.

From res at ausics.net Wed Sep 6 15:04:48 2006
From: res at ausics.net (Res)
Date: Wed Sep 6 15:05:48 2006
Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why?
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04292CE@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04292CE@winchester.andrewscompanies.com>
Message-ID:

On Wed, 6 Sep 2006, sandrews@andrewscompanies.com wrote:

> Ok, so I'm exposed. I started life with MS. You got me. ;)

coz you admitted to your crime, sentence will be light, only 1 carton of Jack Daniels Whiskey will be your punishment :)

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Sep 6 15:13:56 2006
From: res at ausics.net (Res)
Date: Wed Sep 6 15:14:18 2006
Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why?
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04292CF@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04292CF@winchester.andrewscompanies.com>
Message-ID:

On Wed, 6 Sep 2006, sandrews@andrewscompanies.com wrote:

> If it doesn't have a webfolder command, write one. Come on, this is
> open source, help a brotha' out.

lol actually, many many years ago when I ran a public bbs and linked the ol dos desqview box with the linux gear to give em basic shell access so they could email and irc etc, i wrote up a few bash scripts for common windows weenie faults like dir instead of ls, first they got a smart ass comment with a few seconds sleep delay then they got told how to ls , and the best one was the c: had a bash script that said thank you for calling, disconnecting you in 10 seconds, control-c to remain online, then would echo 10 9 8 7 etc haha

>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
> Sent: Tuesday, September 05, 2006 6:54 PM
> To: MailScanner discussion
> Subject: RE: Forbidden to browse http://www.mailscanner.info/files/4 -
> why?
>
> On Tue, 5 Sep 2006, Logan Shaw wrote:
>
>> On Tue, 5 Sep 2006, Res wrote:
>>> On Mon, 4 Sep 2006, sandrews@andrewscompanies.com wrote:
>>
>>>> Most people don't allow file browse in webfolders. I think it's
>>>> time to take your tinfoil hat off.
>>
>>> a webfolder... must be a micro$oft thing :P
>>>
>>> perl -pi -e "s/webfolder/directory (use its real name not M\$
>>> slang)/g;" *
>>
>> Nah, it's not Microsoft slang, because it makes logical sense.
>
> funny i only ever hear windows users refer to them as folders, for as
> long as I can remember, no linux or unix has ever had a webfolder
> command :) in fact im buggered if i can find that term used anywhere on
> my machines, except when sifting through the /home/res/mail/mailscanner
> & sent-mail files, whats even more funny its not in apache ;)
>
>> If it were Microsoft slang, it would use terminology in a way that
>> muddies the issue and make everyone more confused than before.
Maybe
>> something which shows that Microsoft
>
> it does tho i think, thats why they call it webfolder instead of folder
> hehehe
>
>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From mike at tc3net.com Wed Sep 6 15:25:05 2006
From: mike at tc3net.com (Michael Baird)
Date: Wed Sep 6 15:16:19 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <44FED128.9020907@sbcglobal.net>
References: <44FED128.9020907@sbcglobal.net>
Message-ID: <1157552705.9174.3.camel@mike-new2.tc3net.com>

On Wed, 2006-09-06 at 09:46 -0400, Ed Bruce wrote:
> Res wrote:
> >
> >
> > I agree the earlier checks do a lot of the work, bad helos, make em
> > have forward and reverse DNS (which gets about 90% more) but can be a
> > problem with some of the Australian govt depts who dont know what dns
> > is :)
> > greet pause is very handy feature and its ability to no-delay your own
> > users or others that are trusted doesnt upset your own customers, I
> > dont believe in greylisting tho, in many cases its more of a pain and
> > can cause lengthy delays, especially when you have users who expect
> > mail to be in their inbox 5 minutes *before* the sender sends it, you
> > know the types...
> > and with multiple MX's if it hits anothers box its delayed again and
> > so on and so on, yes it happens, not to us but to other admins i know
> > who tried it.
> >
> >
> >
> Interesting. I just added greylisting and my stats with MS reversed. I
> run MailWatch and when I would log in the morning I would have only
> 12-15% of email id as clean. Now it is regularly 75-80% clean. And so
> far it has only been one user that wanted their email now that had two
> emails delayed. Luckily they complain so much nobody cared :)

I actually have my delay set to 1 minute, none of my customers have complained about the delay since I've been running it. (I did have some sites I had to whitelist).

Regards
Michael Baird

From glenn.steen at gmail.com Wed Sep 6 15:17:41 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 6 15:17:46 2006
Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why?
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04292CF@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04292CF@winchester.andrewscompanies.com>
Message-ID: <223f97700609060717r6a606ecendaf97075e6324a2b@mail.gmail.com>

On 06/09/06, sandrews@andrewscompanies.com wrote:
> If it doesn't have a webfolder command, write one. Come on, this is
> open source, help a brotha' out.

Um, what's wrong with mod_dav? http://www.akadia.com/services/mod_dav.html ... and the plethora of dav clients (inc. davfs ...:-)

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
> Sent: Tuesday, September 05, 2006 6:54 PM
> To: MailScanner discussion
> Subject: RE: Forbidden to browse http://www.mailscanner.info/files/4 -
> why?
>
> On Tue, 5 Sep 2006, Logan Shaw wrote:
>
> > On Tue, 5 Sep 2006, Res wrote:
> >> On Mon, 4 Sep 2006, sandrews@andrewscompanies.com wrote:
> >
> >>> Most people don't allow file browse in webfolders. I think it's
> >>> time to take your tinfoil hat off.
> >
> >> a webfolder... must be a micro$oft thing :P
> >>
> >> perl -pi -e "s/webfolder/directory (use its real name not M\$
> >> slang)/g;" *
> >
> > Nah, it's not Microsoft slang, because it makes logical sense.
>
> funny i only ever hear windows users refer to them as folders, for as
> long as I can remember, no linux or unix has ever had a webfolder
> command :) in fact im buggered if i can find that term used anywhere on
> my machines, except when sifting through the /home/res/mail/mailscanner
> & sent-mail files, whats even more funny its not in apache ;)
>
> > If it were Microsoft slang, it would use terminology in a way that
> > muddies the issue and make everyone more confused than before. Maybe
> > something which shows that Microsoft
>
> it does tho i think, thats why they call it webfolder instead of folder
> hehehe
>
> --
>
> Cheers
> Res

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Wed Sep 6 15:22:04 2006
From: res at ausics.net (Res)
Date: Wed Sep 6 15:22:25 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <44FED128.9020907@sbcglobal.net>
References: <44FED128.9020907@sbcglobal.net>
Message-ID:

On Wed, 6 Sep 2006, Ed Bruce wrote:

> Interesting. I just added greylisting and my stats with MS reversed. I
> run MailWatch and when I would log in the morning I would have only
> 12-15% of email id as clean. Now it is regularly 75-80% clean. And so

ummm those figures are strange, you have 12-15% of clean mail accepting all, but yet 75-80% on all accepted with greylisting.. that doesnt compute, if it is true your SA rules need a major cleanup, else SA would have got it in first place

>
> Actually I had the most trouble with forward and reverse DNS. I turned
> that off because my whitelist had grown to over a couple hundred
> entries. With greylisting I've only had to add 5 or 6 domains.

the vast majority of failed attempts come from no PTR's and those that dont have them, tends to indicate lazy network admins so i wouldnt expect them to take action on spammers either, I simply whitelisted .gov.au in sendmail and qmail and alls been happy since, AOL also still do this i understand, so the collateral damage cant be all that bad if they still do it :)

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From lshaw at emitinc.com Wed Sep 6 15:54:41 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Wed Sep 6 15:54:54 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References: <44FED128.9020907@sbcglobal.net>
Message-ID:

On Thu, 7 Sep 2006, Res wrote:
> On Wed, 6 Sep 2006, Ed Bruce wrote:
>> Interesting. I just added greylisting and my stats with MS reversed. I
>> run MailWatch and when I would log in the morning I would have only
>> 12-15% of email id as clean. Now it is regularly 75-80% clean. And so
>
> ummm those figures are strange, you have 12-15% of clean mail accepting all,
> but yet 75-80% on all accepted with greylisting.. that doesnt compute, if it
> is true your SA rules need a major cleanup, else SA would have got it in
> first place

It made sense to me. Greylisting should reduce the amount of spam. Thus the amount of ham (things that are "accepted") should go up as a percentage of total mail (that reaches MailScanner).

- Logan

From edwardbruce at sbcglobal.net Wed Sep 6 16:10:26 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Wed Sep 6 16:10:38 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References: <44FED128.9020907@sbcglobal.net>
Message-ID: <44FEE4E2.7080401@sbcglobal.net>

Logan Shaw wrote:
> On Thu, 7 Sep 2006, Res wrote:
>> On Wed, 6 Sep 2006, Ed Bruce wrote:
>
>>> Interesting. I just added greylisting and my stats with MS reversed.
I
>>> run MailWatch and when I would log in the morning I would have only
>>> 12-15% of email id as clean. Now it is regularly 75-80% clean. And so
>>
>> ummm those figures are strange, you have 12-15% of clean mail
>> accepting all, but yet 75-80% on all accepted with greylisting.. that
>> doesnt compute, if it is true your SA rules need a major cleanup,
>> else SA would have got it in first place
>
> It made sense to me. Greylisting should reduce the amount
> of spam. Thus the amount of ham (things that are "accepted")
> should go up as a percentage of total mail (that reaches
> MailScanner).
>
> - Logan

That be it. The amount of spam hitting MS dropped with just the addition of a greylisting of 7 minutes.

From mailscanner at mango.zw Wed Sep 6 16:20:33 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Wed Sep 6 16:20:38 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
Message-ID:

On Thu, 7 Sep 2006, Res wrote:

> > Actually I had the most trouble with forward and reverse DNS. I turned
> > that off because my whitelist had grown to over a couple hundred
> > entries. With greylisting I've only had to add 5 or 6 domains.
>
> the vast majority of failed attempts come from no PTR's and those that
> dont have them, tends to indicate lazy network admins so i wouldnt expect
> them to take action on spammers either, I simply whitelisted .gov.au
> in sendmail and qmail and alls been happy since, AOL also still do this i
> understand, so the collateral damage cant be all that bad if they still do
> it :)

I use the RDNS etc checks as a kind of poor man's greylisting - I give a 451 to all errors and then let them try again at our higher MX. That minimises the need to do whitelisting.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From brett at wrl.org Wed Sep 6 16:21:20 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Wed Sep 6 16:21:59 2006
Subject: mqueue.in just gets bigger - no delivery?
In-Reply-To: References: Message-ID: Folks, I've given up on trying to fix my Debian install of MS. Point of diminishing returns and all. I'm going to attempt a tarball install and will change the thread because I already have some questions. Many thanks to all who offered assistance! -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From dhawal at netmagicsolutions.com Wed Sep 6 16:27:37 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Sep 6 16:28:06 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <223f97700609060643p48a5ee32sc6774ba0cabc2243@mail.gmail.com> References: <60D398EB2DB948409CA1F50D8AF12257016EBBC9@exch1.dekalbmemorial.local> <223f97700609060643p48a5ee32sc6774ba0cabc2243@mail.gmail.com> Message-ID: <44FEE8E9.1000705@netmagicsolutions.com> Glenn Steen wrote: > On 06/09/06, Aaron K. Moore wrote: > (snip) >> I'd look into white listing Swedish mail servers. Not being able to use >> RBLs is extremely limiting. Perhaps it's time to start lobbying your >> government for changing their guidelines. >> > I wish it was that simple... I would personally love to be able to use > a few RBLs at the MTA level. > Two things: > 1) It is not restricted to Swedish mail servers, it is regarding > Swedish citizens, wherever they choose to reside, whatever ISP or > whatnot they choose to use. Kind of defeats the whitelist idea, > unfortunately. > 2) If I cannot make them see the light with something as simple to > grasp as the badness of software patents (Swedish representatives have > been very much in favour of the much-hated EU proposal), what is the > chance of me making a bunch of lawyers and politicians see the > usefulness of RBLs? 
If I understand correctly, it was a rather big win > to not have them banned entirely in the guidelines. Sigh. > > So far though, we've had tremendous success with simple measures (RFC > strictness, recipient verification etc), so ... I'll muddle along:-). > But thanks for all the suggestions. Glenn, can you greylist? I was hoping to try this out sometime.. but meanwhile see if it helps. Read it before you reject the idea of greylisting. http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml - dhawal From brett at wrl.org Wed Sep 6 16:45:20 2006 From: brett at wrl.org (Brett Charbeneau) Date: Wed Sep 6 16:46:06 2006 Subject: Tarball install on Debian machine In-Reply-To: References: Message-ID: To the kind folks that maintain the Wiki, I'm starting my installation and am prowling for an install guide for the tarball. I first found this: http://wiki.mailscanner.info/doku.php?id=documentation:install_upgrade:install:tar which looks like a good place for it to live, but nothing's there at this writing. If this is the definitive guide on the install: http://www.mailscanner.info/other.html should the Wiki link to it? I'm happy to keep a list of steps for my Debian installation if someone will give me a good place to send this once it's complete... -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From octaviomaiden at yahoo.com Wed Sep 6 20:18:25 2006 From: octaviomaiden at yahoo.com (Octavio) Date: Wed Sep 6 20:18:49 2006 Subject: can I protect internal information with MailScanner?
In-Reply-To: <223f97700609060717r6a606ecendaf97075e6324a2b@mail.gmail.com> Message-ID: <20060906191825.11976.qmail@web38903.mail.mud.yahoo.com> Hi, do you know a way to protect the information scape (I dont know the english term) with mailscanner and at the same time prevent the spam? another tool that I can use? always_bcc anything else? many thanks Octavio __________________________________________________ Correo Yahoo! Espacio para todos tus mensajes, antivirus y antispam ?gratis! Reg?strate ya - http://correo.espanol.yahoo.com/ From P.G.M.Peters at utwente.nl Wed Sep 6 20:24:11 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Wed Sep 6 20:24:57 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: <44FF205B.7060807@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Res wrote on 09/06/2006 06:43 AM: > I've not yet once in all the years of use of RBL's, like back to when > maps was the in and only thing (and free) ever seen an IP wrongfully > blocked. The dnsbl containing all IP address of China probably is not wrong. But I don't wan to use it to block e-mail. I want to use it to tag so my customers can decide whether they want to receive mail from China or not. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org iD8DBQFE/yBZelLo80lrIdIRAm5TAJ9h2MT6CBIiqsuu1D+8ZPeUvjxz+ACeM0si Ir/6fG1JEkwtHvAEE25vL+8= =/++h -----END PGP SIGNATURE----- From P.G.M.Peters at utwente.nl Wed Sep 6 20:27:00 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Wed Sep 6 20:27:43 2006 Subject: Anyone using zen.spamhaus.org? 
In-Reply-To: References: <44FE6EE4.4060703@taz-mania.com> Message-ID: <44FF2104.4090700@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Res wrote on 09/06/2006 02:18 PM: > On Tue, 5 Sep 2006, Dennis Willson wrote: > >> are. Recently I had problems with SpamCop listing yahoo groups servers >> and my users yelled about that... > > if spamcop listed em its for a very good reason and I know personally > yahoo ignore complaints, so i wouldnt say it was wrongfully listed Even SC sometimes does a bad job in finding the right source. And then there are stupid customers who complain about spam they received through an external fallback server so that server gets listed. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org iD8DBQFE/yEDelLo80lrIdIRAq1KAJ9OZDtTFt9H2wrfVE0RiEXGyXO0NQCgjXLr +pU8Cwq8uL54tnve1MvENOk= =kEyQ -----END PGP SIGNATURE----- From alex at nkpanama.com Wed Sep 6 21:20:33 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Sep 6 21:21:22 2006 Subject: can I protect internal information with MailScanner? In-Reply-To: <20060906191825.11976.qmail@web38903.mail.mud.yahoo.com> References: <20060906191825.11976.qmail@web38903.mail.mud.yahoo.com> Message-ID: <44FF2D91.6040506@nkpanama.com> If I may... Octavio wrote: > Hi, do you know a way to protect the information scape > (I dont know the english term) with mailscanner and at > the same time prevent the spam? If you mean "preventing information leaks", you can use MailScanner with the "Archive Mail" option so that every message passing through your server is backed up to an archive that you can consult later.
You can also use the "MCP" (Message Content Protection) option, which lets certain keywords (for example, product names, trade secrets, etc.) make MailScanner delete, archive, forward or redirect the messages to an administrator/owner/executive who can decide whether the message goes out or not. (Translation: To prevent info leaks you can archive stuff for later perusal or use MCP to make messages with certain words go elsewhere, get deleted or quarantined) > > another tool that I can use? always_bcc anything else? > many thanks There are many other tools, and it depends entirely on your situation. (Translation: Yeap. Lots. YMMV.) > > Octavio > > __________________________________________________ > Yahoo! Mail > Space for all your messages, antivirus and antispam, free! > Sign up now - http://correo.espanol.yahoo.com/ From res at ausics.net Wed Sep 6 22:45:19 2006 From: res at ausics.net (Res) Date: Wed Sep 6 22:45:31 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: <44FED128.9020907@sbcglobal.net> Message-ID: On Wed, 6 Sep 2006, Logan Shaw wrote: >>> 12-15% of email id as clean. Now it is regularly 75-80% clean. And so >> ummm those figures are strange, you have 12-15% of clean mail accepting >> all, but yet 75-80% on all accepted with greylisting.. that doesnt compute, > It made sense to me. Greylisting should reduce the amount > of spam. Thus the amount of ham (things that are "accepted") > should go up as a percentage of total mail (that reaches > MailScanner). Ok I know it was late when i posted that, and its early now and im just sitting down to my first coffee of the day, but... does this still not mean SA is still missing 60% or so of spam, greylistd or not, if its spam SA would/should have picked it up regardless, just being greylisted meant it had to wait a bit of time before marking it as spam rather than instantly.
-- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Wed Sep 6 22:52:11 2006 From: res at ausics.net (Res) Date: Wed Sep 6 22:52:26 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: On Wed, 6 Sep 2006, Jim Holland wrote: > On Thu, 7 Sep 2006, Res wrote: > >>> Actually I had the most trouble with foward and reverse DNS. I turned >>> that off because my whitelist had grown to over a couple hundred >>> entries. With greylisting I've only had to add 5 or 6 domains. >> >> the vast majority of failed attempts come from no PTR's and those that >> dont have them, tends to indicate lazy network admins so i wouldnt expect >> them to take action on spammers either, I simply whitelisted .gov.au >> in sendmail and qmail and alls been happy since, AOL also still do this i >> understand, so the collateral damage cant be all that bad if tehy still do >> it :) > > I use the RDNS etc checks as a kind of poor man's greylisting - I give a > 451 to all errors and then let them try again at our higher MX. That > minimises the need to do whitelisting. I can see that idea working well with no overheads. You ever had hotmail try your secondary MX ? Once had a disk fail, it was down for only 20 minutes in total time, hotmail couldnt connect and rejected the msg to the sender, I tested this out for myself in the early hours of the following morning by killing sendmail for a couple mins, i got a reject msg back within 2 mins from hotmail, i thought it weird and hope it was only a temp misconfig. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Wed Sep 6 23:06:01 2006 From: res at ausics.net (Res) Date: Wed Sep 6 23:06:15 2006 Subject: Anyone using zen.spamhaus.org? 
In-Reply-To: <44FF2104.4090700@utwente.nl> References: <44FE6EE4.4060703@taz-mania.com> <44FF2104.4090700@utwente.nl> Message-ID: On Wed, 6 Sep 2006, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Res wrote on 09/06/2006 02:18 PM: >> On Tue, 5 Sep 2006, Dennis Willson wrote: >> >>> are. Recently I had problems with SpamCop listing yahoo groups servers >>> and my users yelled about that... >> >> if sp[amcop listed em its for a very good reason and I know personally >> yahoo ignore complaints, so i wouldnt say it was wrongfully listed > > Even SC sometimes does a bad job in finding the right source. And then > there are stupid customers who complain about spam they received through > an external fallback server so that server gets listed. At least SC are easily approached -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From mailscanner at mango.zw Wed Sep 6 23:07:28 2006 From: mailscanner at mango.zw (Jim Holland) Date: Wed Sep 6 23:07:34 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: Message-ID: On Thu, 7 Sep 2006, Res wrote: > On Wed, 6 Sep 2006, Jim Holland wrote: > > > On Thu, 7 Sep 2006, Res wrote: > > > >>> Actually I had the most trouble with foward and reverse DNS. I turned > >>> that off because my whitelist had grown to over a couple hundred > >>> entries. With greylisting I've only had to add 5 or 6 domains. 
> >> > >> the vast majority of failed attempts come from no PTR's and those that > >> dont have them, tends to indicate lazy network admins so i wouldnt expect > >> them to take action on spammers either, I simply whitelisted .gov.au > >> in sendmail and qmail and alls been happy since, AOL also still do this i > >> understand, so the collateral damage cant be all that bad if tehy still do > >> it :) > > > > I use the RDNS etc checks as a kind of poor man's greylisting - I give a > > 451 to all errors and then let them try again at our higher MX. That > > minimises the need to do whitelisting. > > I can see that idea working well with no overheads. > You ever had hotmail try your secondary MX ? > Once had a disk fail, it was down for only 20 minutes in total time, > hotmail couldnt connect and rejected the msg to the sender, I tested this > out for myself in the early hours of the following morning by killing > sendmail for a couple mins, i got a reject msg back within 2 mins from > hotmail, i thought it weird and hope it was only a temp misconfig. I haven't noticed hotmail doing that, but other large ISPs such as Yahoo, Gmail, MessageLabs etc seem to make only a single delivery attempt and if that tempfails they still return the mail to sender and don't try the secondary. Very annoying! Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From mailscanner at berger.nl Wed Sep 6 23:24:46 2006 From: mailscanner at berger.nl (mailscanner@berger.nl) Date: Wed Sep 6 23:25:02 2006 Subject: children are killing my server Message-ID: <1157581486.611@bsd4.nedport.net> OK, As some of you guys adviced me earlier, I installed MailWatch on my server (freebsd 6.1). Well, that is a nice package, thanks for that!! I have only a small problem. I installed it earlier today and it seemed to work fine. I had some problems with the change between linux and Freebsd but I managed to make it work. 
After it worked great for about 3 hours the messages stopped appearing and after some more time the server got loaded more and more. I checked and I saw that MailScanner spawned 70 children (MailScanner.conf says max=5). They all spawned at different times in "ps". There was also no "MailWatch SQL" running anymore, even after I killed all child processes and restarted. I finally removed MailWatch.pm and SQLBlackWhiteList.pm from the /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ dir and after that MailScanner worked fine again. Does anybody have any idea what is causing this? I know it's a bit off-topic, but I think, maybe one of you guys is using MailWatch with Freebsd too. Thanks, Roger From taz at taz-mania.com Wed Sep 6 23:25:30 2006 From: taz at taz-mania.com (Dennis Willson) Date: Wed Sep 6 23:25:34 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: Message-ID: On Thu, 7 Sep 2006 07:45:19 +1000 (EST) Res wrote: >On Wed, 6 Sep 2006, Logan Shaw wrote: > >>>>12-15% of email id as clean. Now it is regularly 75-80% clean. And so > >>>ummm those figures are strange, you have 12-15% of clean mail >>>accepting >>>all, but yet 75-80% on all accepted with greylisting.. that doesnt >>>compute, > >>It made sense to me. Greylisting should reduce the amount >>of spam. Thus the amount of ham (things that are "accepted") >>should go up as a percentage of total mail (that reaches >>MailScanner). > >Ok I know it was late when i posted that, and its early now and im >just sitting down to my first coffee of the day, but... does this >still not >mean SA is still missing 60% or so of spam, greylistd or not, if its >spam SA would/should have picked it up regardless, just being >greylisted meant it had to wait a bit of time before marking it as >spam rather than instantly. A large number of the Spam sending computers never retry.
They don't have the time or queue capacity to store email for retry so any error including temp errors cause them to give up and move on to the next email in their list. So SA would never get a chance to scan something that was never received... Therefore if you use Greylisting the percentage of Spam to Ham changes. A lot more of the email making it to SA is real since a large amount of the Spam never made it by the Greylisting. > > >-- >Cheers >Res > >"Just a world that we all must share, it's not enough just to stand >and >stare, is it only a dream that there'll be no more turning away" - >Floyd > > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From ssilva at sgvwater.com Thu Sep 7 00:09:08 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 7 00:09:28 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB04292CE@winchester.andrewscompanies.com> Message-ID: Res spake the following on 9/6/2006 7:04 AM: > On Wed, 6 Sep 2006, sandrews@andrewscompanies.com wrote: > >> Ok, so I'm exposed. I started life with MS. You got me. ;) > > coz you admitted to your crime, sentance will be light, only 1 carton of > Jack Daniels Whiskey wil be your punishment :) > Boy! What's a guy gotta do to get punished by you! 
Slap me with some of that Jack!! It's been a rough day! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From james at grayonline.id.au Thu Sep 7 00:16:20 2006 From: james at grayonline.id.au (James Gray) Date: Thu Sep 7 01:04:25 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB04292A4@winchester.andrewscompanies.com> Message-ID: <82778997-69F7-41F2-9DFC-4C782F379C82@grayonline.id.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/09/2006, at 1:57 AM, Logan Shaw wrote: > On Tue, 5 Sep 2006, Res wrote: >> On Mon, 4 Sep 2006, sandrews@andrewscompanies.com wrote: > >>> Most people don't allow file browse in webfolders. I think it's >>> time to >>> take your tinfoil hat off. > >> a webfolder... must be a micro$oft thing :P >> >> perl -pi -e "s/webfolder/directory (use its real name not M\$ >> slang)/g;" * > > Nah, it's not Microsoft slang, because it makes logical sense. > If it were Microsoft slang, it would use terminology in a > way that muddies the issue and make everyone more confused > than before. Maybe something which shows that Microsoft > has conflated two concepts that should be separate. So it > wouldn't be "web folder". It'd be something like "internet > folder" instead. The first M$-sounding term I thought of was "Internet Repository"... I think I just confused myself! 
Cheers, James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFE/1bNwBHpdJO7b9ERAoV0AKDIHPgbKeJXb1OfZvUeKcWlJqHZjwCgg1l/ jqBOmp7ZrppmMzP3i47IDS4= =DNNq -----END PGP SIGNATURE----- From dave.list at pixelhammer.com Thu Sep 7 05:47:12 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Sep 7 05:47:26 2006 Subject: children are killing my server In-Reply-To: <1157581486.611@bsd4.nedport.net> References: <1157581486.611@bsd4.nedport.net> Message-ID: <44FFA450.8060301@pixelhammer.com> mailscanner@berger.nl wrote: > OK, > > As some of you guys adviced me earlier, I installed MailWatch on my > server (freebsd 6.1). Well, that is a nice package, thanks for that!! > I have only a small problem. I installed it earlier today and it > seemed to work fine. I had some problems with the change between > linux and Freebsd but I managed to make it work. After it worked > great for about 3 hours the messages stopped appearing and after a > few more time the server got loaded more and more. I checked and I > saw that MailScanner spawned 70 children (MailScanner.conf says > max=5). They all spawned at different times in "ps". There was also > no "MailWatch SQL" running anymore, even after I killed all child > processes and restarted" I finally removed MailWatc.pm and > SQLBlackWhiteList.pm from the > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ dir and after > that MailScanner worked fine again. > > Does anybody have any idea what is causing this? I know it's a bit > off-topic, but I think, maybe one of you guys is using MailWatch with > Freebsd too. > > Thanks, > > Roger > MailScanner 4.54.6 FreeBSD 4.x and 5.x I experienced the same result, though the cause may be different. I have a posting on the MailWatch list about it between me and Steve. What I saw was that whenever I restarted MySQL (my mailwatch install is on a remote server from my MailScanner installs) MailWatch.pm would hang when MySQL went away. Once that happened it stopped working. 
Restarting MailScanner left all the children using that MailWatch process behind. The more you restarted the worse it got. Look for the thread in this list titled "Always Looked Up Last". Julian fixed that problem, MailScanner will pass over a function that fails now. Not sure what version he put the fix into. Look for the thread in the MailWatch list titled "MailWatch SQL Logging" Still no answer on this one, I just have to make sure I stop MailScanner before I restart my SQL server and all is well. Otherwise MailWatch.pm fails when it can't get port 11553 on startup. Possibly those will help you. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From glenn.steen at gmail.com Thu Sep 7 08:20:37 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 7 08:21:19 2006 Subject: Tarball install on Debian machine In-Reply-To: References: Message-ID: <223f97700609070020x6685ea2cx286294c6fa60b439@mail.gmail.com> On 06/09/06, Brett Charbeneau wrote: > To the kind folks that maintain the Wiki, > > I'm starting my installation and am prowling for an install guide for > the tarball. I first found this: > > http://wiki.mailscanner.info/doku.php?id=documentation:install_upgrade:install:tar > > which looks like a good place for it to live, but nothing's there at > this writing. > If this is the definitive guide on the install: > > http://www.mailscanner.info/other.html > > should the WiKi link to it? > I'm happy to keep a list of steps for my Debian installation if someone > will give me a good place to send this once it's complete... > > It's a Wiki.... If you feel that some part is missing, _you_ add it;-). If the steps are very different from what can be found in the official guide (and MAQ and ... 
everywhere else:-), it sounds like a good idea to fill this in at that place in the wiki. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Sep 7 08:30:44 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 7 08:30:47 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <44FEE8E9.1000705@netmagicsolutions.com> References: <60D398EB2DB948409CA1F50D8AF12257016EBBC9@exch1.dekalbmemorial.local> <223f97700609060643p48a5ee32sc6774ba0cabc2243@mail.gmail.com> <44FEE8E9.1000705@netmagicsolutions.com> Message-ID: <223f97700609070030s13382a4ei91ae822f2639f1aa@mail.gmail.com> On 06/09/06, Dhawal Doshy wrote: > Glenn Steen wrote: > > On 06/09/06, Aaron K. Moore wrote: > > (snip) > >> I'd look into white listing Swedish mail servers. Not being able to use > >> RBLs is extremely limiting. Perhaps it's time to start lobbying your > >> government for changing their guidelines. > >> > > I wish it was that simple... I would personally love to be able to use > > a few RBLs at the MTA level. > > Two things: > > 1) It is not restricted to Swedish mail servers, it is regarding > > Swedish citizens, wherever they choose to reside, whatever ISP or > > whatnot they choose to use. Kind of defeats the whitelist idea, > > unfortunately. > > 2) If I cannot make them see the light with something as simple to > > grasp as the badness of software patents (Swedish representatives have > > been very much in favour of the much-hated EU proposal), what is the > > chance of me making a bunch of lawyers and politicians see the > > usefulness of RBLs? If I understand correctly, it was a rather big win > > to not have them banned entirely in the guiodelines. Sigh. > > > > So far though, we've had tremendous succcess with simple measures (RFC > > strictness, recipient verification etc), so ... I'll muiddle along:-). > > But thanks for all the suggestions. > > Glenn, can you greylist? 
I was hoping to try this out sometime.. but > meanwhile see if it helps. Read it before you reject the idea of > greylisting. > > http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml > Thanks Dahwal. Well... Yes, and no... This is left by the guidelines to each organization/agency to decide... So... It's up to the usual, me trying to convince the PHB&CEO that it is safe (as in "safe to use in view of the applicable laws":-). I've been meaning to implement this in testing, so ... sometime this weekend I might just start doing this:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Sep 7 09:03:12 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 7 09:03:16 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: <44FED128.9020907@sbcglobal.net> Message-ID: <223f97700609070103y6b0d17b5p15e02ea60387d318@mail.gmail.com> On 06/09/06, Res wrote: > On Wed, 6 Sep 2006, Logan Shaw wrote: > > >>> 12-15% of email id as clean. Now it is regularly 75-80% clean. And so > > >> ummm those figures are strange, you have 12-15% of clean mail accepting > >> all, but yet 75-80% on all accepted with greylisting.. that doesnt compute, > > > It made sense to me. Greylisting should reduce the amount > > of spam. Thus the amount of ham (things that are "accepted") > > should go up as a percentage of total mail (that reaches > > MailScanner). > > Ok I know it was late when i posted that, and its early now and im just > sitting down to my first coffee of the day, but... does this still not > mean SA is still missing 60% or so of spam, greylistd or not, if its spam > SA would/should have picked it up regardless, just being greylisted meant > it had to wait a bit of time before marking it as spam rather than > instantly. > Why do you assume the spammers use an MTA that can handle a temp fail? 
The point of greylisting isn't "wait a bit", it is "retry if you're real":-). So Eds figures add up just fine. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at berger.nl Thu Sep 7 12:05:23 2006 From: mailscanner at berger.nl (mailscanner@berger.nl) Date: Thu Sep 7 12:05:44 2006 Subject: children are killing my server In-Reply-To: <44FFA450.8060301@pixelhammer.com> Message-ID: <1157627123.26202@bsd4.nedport.net> DAve wrote .. > mailscanner@berger.nl wrote: > > OK, > > > > As some of you guys adviced me earlier, I installed MailWatch on my > > server (freebsd 6.1). Well, that is a nice package, thanks for that!! > > I have only a small problem. I installed it earlier today and it > > seemed to work fine. I had some problems with the change between > > linux and Freebsd but I managed to make it work. After it worked > > great for about 3 hours the messages stopped appearing and after a > > few more time the server got loaded more and more. I checked and I > > saw that MailScanner spawned 70 children (MailScanner.conf says > > max=5). They all spawned at different times in "ps". There was also > > no "MailWatch SQL" running anymore, even after I killed all child > > processes and restarted" I finally removed MailWatc.pm and > > SQLBlackWhiteList.pm from the > > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ dir and after > > that MailScanner worked fine again. > > > > Does anybody have any idea what is causing this? I know it's a bit > > off-topic, but I think, maybe one of you guys is using MailWatch with > > Freebsd too. > > > > Thanks, > > > > Roger > > > > MailScanner 4.54.6 > FreeBSD 4.x and 5.x > > I experienced the same result, though the cause may be different. I have > a posting on the MailWatch list about it between me and Steve. 
What I > saw was that whenever I restarted MySQL (my mailwatch install is on a > remote server from my MailScanner installs) MailWatch.pm would hang when > MySQL went away. Once that happened it stopped working. Restarting > MailScanner left all the children using that MailWatch process behind. > The more you restarted the worse it got. > > Look for the thread in this list titled "Always Looked Up Last". Julian > fixed that problem, MailScanner will pass over a function that fails > now. Not sure what version he put the fix into. > > Look for the thread in the MailWatch list titled "MailWatch SQL Logging" > Still no answer on this one, I just have to make sure I stop MailScanner > before I restart my SQL server and all is well. Otherwise MailWatch.pm > fails when it can't get port 11553 on startup. > > Possibly those will help you. > > DAve > > Dave, I couldn't find anything on the net so I started a fresh install and tested every change I made. I found out that if I change my($hostname) = hostname; to my($hostname) = server1.mydomain.net; which is the hostname of the server, the problem started. After I changed this back the problem was gone and it starts running again. Just to let you know. Greetings, Roger From glenn.steen at gmail.com Thu Sep 7 12:29:34 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 7 12:29:38 2006 Subject: children are killing my server In-Reply-To: <1157627123.26202@bsd4.nedport.net> References: <44FFA450.8060301@pixelhammer.com> <1157627123.26202@bsd4.nedport.net> Message-ID: <223f97700609070429n72c77b3ua38cb497f981aeee@mail.gmail.com> On 07/09/06, mailscanner@berger.nl wrote: > DAve wrote .. > > mailscanner@berger.nl wrote: > > > OK, > > > > > > As some of you guys adviced me earlier, I installed MailWatch on my > > > server (freebsd 6.1). Well, that is a nice package, thanks for that!! > > > I have only a small problem. I installed it earlier today and it > > > seemed to work fine. 
I had some problems with the change between > > > linux and Freebsd but I managed to make it work. After it worked > > > great for about 3 hours the messages stopped appearing and after a > > > few more time the server got loaded more and more. I checked and I > > > saw that MailScanner spawned 70 children (MailScanner.conf says > > > max=5). They all spawned at different times in "ps". There was also > > > no "MailWatch SQL" running anymore, even after I killed all child > > > processes and restarted" I finally removed MailWatc.pm and > > > SQLBlackWhiteList.pm from the > > > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ dir and after > > > that MailScanner worked fine again. > > > > > > Does anybody have any idea what is causing this? I know it's a bit > > > off-topic, but I think, maybe one of you guys is using MailWatch with > > > Freebsd too. > > > > > > Thanks, > > > > > > Roger > > > > > > > MailScanner 4.54.6 > > FreeBSD 4.x and 5.x > > > > I experienced the same result, though the cause may be different. I have > > a posting on the MailWatch list about it between me and Steve. What I > > saw was that whenever I restarted MySQL (my mailwatch install is on a > > remote server from my MailScanner installs) MailWatch.pm would hang when > > MySQL went away. Once that happened it stopped working. Restarting > > MailScanner left all the children using that MailWatch process behind. > > The more you restarted the worse it got. > > > > Look for the thread in this list titled "Always Looked Up Last". Julian > > fixed that problem, MailScanner will pass over a function that fails > > now. Not sure what version he put the fix into. > > > > Look for the thread in the MailWatch list titled "MailWatch SQL Logging" > > Still no answer on this one, I just have to make sure I stop MailScanner > > before I restart my SQL server and all is well. Otherwise MailWatch.pm > > fails when it can't get port 11553 on startup. > > > > Possibly those will help you. 
> > > > DAve > > > > > Dave, > > I couldn't find anything on the net so I started a fresh install and tested every change I made. I found out that if I change > my($hostname) = hostname; > to > my($hostname) = server1.mydomain.net; > which is the hostname of the server, the problem started. > After I changed this back the problem was gone and it starts running again. > > Just to let you know. > > Greetings, > > Roger > Is the name "hostname" ... "bound" to loopback (127.0.0.1)? And "server1.mydomain.net" to eth0 (or similar)? Have you granted access to both? Or do you have a firewall blocking on the second? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Thu Sep 7 14:29:47 2006 From: res at ausics.net (Res) Date: Thu Sep 7 14:30:02 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: On Thu, 7 Sep 2006, Jim Holland wrote: > I haven't noticed hotmail doing that, but other large ISPs such as Yahoo, > Gmail, MessageLabs etc seem to make only a single delivery attempt and if > that tempfails they still return the mail to sender and don't try the > secondary. Very annoying! Hmmm I've never checked gmail, don't have/need an account there, thanks for the heads up -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Thu Sep 7 14:33:56 2006 From: res at ausics.net (Res) Date: Thu Sep 7 14:34:05 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: On Wed, 6 Sep 2006, Dennis Willson wrote: > A large number of the Spam sending computers never retry. They don't have the > time or queue capacity to store email for retry so any error including temp > errors cause them to give up and move on to the next email in their list. So > SA would never get a chance to scan something that was never received...
that's not what he was saying, unless we are looking at this from two very different angles, it comes down to he should never have seen them as clean messages at all, never, ever, nudda, regardless of greylisting or not, else he has a very large amount that was never marked as spam by SA, remember he did say "clean messages" -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Thu Sep 7 14:35:32 2006 From: res at ausics.net (Res) Date: Thu Sep 7 14:35:45 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB04292CE@winchester.andrewscompanies.com> Message-ID: On Wed, 6 Sep 2006, Scott Silva wrote: > Res spake the following on 9/6/2006 7:04 AM: >> On Wed, 6 Sep 2006, sandrews@andrewscompanies.com wrote: >> >>> Ok, so I'm exposed. I started life with MS. You got me. ;) >> >> coz you admitted to your crime, sentence will be light, only 1 carton of >> Jack Daniels Whiskey will be your punishment :) >> > Boy! What's a guy gotta do to get punished by you! > Slap me with some of that Jack!! It's been a rough day! nonono.... that's what he owes us :P mmmmmmm enjoying a glass of jacky right now, gotta unwind for an hour or so before i head off to bed -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Thu Sep 7 14:45:49 2006 From: res at ausics.net (Res) Date: Thu Sep 7 14:46:03 2006 Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <223f97700609070103y6b0d17b5p15e02ea60387d318@mail.gmail.com> References: <44FED128.9020907@sbcglobal.net> <223f97700609070103y6b0d17b5p15e02ea60387d318@mail.gmail.com> Message-ID: On Thu, 7 Sep 2006, Glenn Steen wrote: >> Ok I know it was late when i posted that, and it's early now and I'm just >> sitting down to my first coffee of the day, but... does this still not >> mean SA is still missing 60% or so of spam, greylisted or not, if it's spam >> SA would/should have picked it up regardless, just being greylisted meant >> it had to wait a bit of time before marking it as spam rather than >> instantly. >> > Why do you assume the spammers use an MTA that can handle a temp fail? > The point of greylisting isn't "wait a bit", it is "retry if you're real":-). > So Ed's figures add up just fine. I never assumed that, in fact i know they don't, 90% use internal smtp code that rarely uses an isp mail server, read my last post a few mins ago, it clarifies where I'm coming from :) Grey listing is not an option on very large carriers' networks IMHO. (and the opinion of many other aussie and yank admins i know who also run large customer bases) for some reason it does seem to be an extreme fascination here though for the Wietse patsies who try thrash down our throats how much we should all use postfix, they on one list were told to STFU or be banned as now deemed as UBE spammers ROFLMFAO We are happy with RBL'd, bad helos RFC1912 compliance, greet pause on sendmail boxes, and our internal "F-U" access lists ;) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From stork at openenterprise.ca Thu Sep 7 15:14:05 2006 From: stork at openenterprise.ca (Johnny Stork) Date: Thu Sep 7 15:17:36 2006 Subject: Mailscanner-mrtg errors? Message-ID: I have been running mailscanner-mrtg for a few weeks now and just noticed these errors in the syslog?
All the paths to the mailscanner install, /var/spool/Mailscanner/incoming etc, are set correctly? But they are not separate mounts, they are off / Any suggestions? Sep 7 07:10:03 gateway MailScanner-MRTG[20927]: Unable to find a mountpoint for /var/spool. Please set Spool Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a list of mointpoints on your system by using the df command. Sep 7 07:10:03 gateway MailScanner-MRTG[20927]: Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a list of mointpoints on your system by using the df command --------------------------------------------- Johnny Stork Open Enterprise Solutions http://www.openenterprise.ca (Linux & Open Source Business Technology) http://www.dreamscapemedia.ca (Photography & Media) http://www.mountainlinux.ca (Linux Users Group) From alex at nkpanama.com Thu Sep 7 15:25:01 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Sep 7 15:25:11 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <223f97700609070103y6b0d17b5p15e02ea60387d318@mail.gmail.com> References: <44FED128.9020907@sbcglobal.net> <223f97700609070103y6b0d17b5p15e02ea60387d318@mail.gmail.com> Message-ID: <45002BBD.4030907@nkpanama.com> Glenn Steen wrote: > Why do you assume the spammers use an MTA that can handle a temp fail? > The point of greylisting isn't "wait a bit", it is "retry if you're > real":-). > So Eds figures add up just fine. If I may.... Some *actually do*. They use open relays (*truly* open or "open to people on my network without AUTH" open, but that's a subject of another thread by Muhammad Nauman), faked return addresses on M-Sexchange servers that will bounce back to the intended victim, etc.
- so the servers they're *abusing* *are* legit. That's where things like rbl's, SA (with razor/pyzor/dcc/SARE), and other tools of the trade come in. From Denis.Beauchemin at USherbrooke.ca Thu Sep 7 15:56:32 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Sep 7 15:56:54 2006 Subject: Mailscanner-mrtg errors? In-Reply-To: References: Message-ID: <45003320.8010301@USherbrooke.ca> Johnny Stork wrote: > I have been running mailscanner-mrtg for a few weeks now and just > noticed these errors in the syslog? All the paths to the mailscanner > install, /var/spool/Mailscanner/incoming etc, are set correctly? But > they are not separate mounts, they are off / > > Any suggestions? > > > Sep 7 07:10:03 gateway MailScanner-MRTG[20927]: Unable to find a > mountpoint for /var/spool. Please set Spool Directory in > mailscanner-mrtg.conf to a valid mountpoint. You can see a list of > mointpoints on your system by using the df command. > Sep 7 07:10:03 gateway MailScanner-MRTG[20927]: Unable to find a > mountpoint for /var/spool/MailScanner/incoming. Please set MailScanner > Work Directory in mailscanner-mrtg.conf to a valid mountpoint. You can > see a list of mointpoints on your system by using the df command > Johnny, Then use / in /etc/MailScanner/mailscanner-mrtg.conf You need mount points as displayed by the df command, not sub directories. Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045
From steve.freegard at fsl.com Thu Sep 7 16:03:43 2006 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Sep 7 16:01:53 2006 Subject: children are killing my server In-Reply-To: <1157627123.26202@bsd4.nedport.net> References: <44FFA450.8060301@pixelhammer.com> <1157627123.26202@bsd4.nedport.net> Message-ID: <450034CF.30903@fsl.com> mailscanner@berger.nl wrote: > I couldn't find anything on the net so I started a fresh install and tested every change I made. I found out that if I change > my($hostname) = hostname; > to > my($hostname) = server1.mydomain.net; There's the problem: that's a syntax error - to override the value it should read: my($hostname) = 'server1.mydomain.net'; (notice the quotes). my($hostname) = hostname; is meant literally -- hostname is a perl function that returns the machine's hostname, you shouldn't need to change it. Cheers, Steve. From lshaw at emitinc.com Thu Sep 7 16:27:23 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Thu Sep 7 16:27:37 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: On Thu, 7 Sep 2006, Res wrote: > On Wed, 6 Sep 2006, Dennis Willson wrote: >> A large number of the Spam sending computers never retry. They don't have >> the time or queue capacity to store email for retry so any error including >> temp errors cause them to give up and move on to the next email in their >> list. So SA would never get a chance to scan something that was never >> received...
> > thats not what he was saying, unless we are looking at this from two very > different angles, it comes down to he should never have seen them as clean > messages at all, never, ever, nudda, regardless of greylisting or not, else > he has a very large amount that was never marked as spam by SA, rmeember he > did say "clean messages" Yes, he was saying that, before greylisting, 12-15% of the traffic gets marked as clean. Presumably that is because 12-15% of the traffic IS clean, and the rest is not. Then after greylisting, 80% of the traffic got marked as clean. Presumably that means 80% of it IS clean. In other words, the proportion of spam coming in was previously about 15% ham to 85% spam; after greylisting it was more like 80% ham to 20% spam. 80% are getting marked as ham because 80% are ham. 20% are getting marked as spam because they are. SpamAssassin's hit rate (as a proportion of the total number of messages per day) went down because the amount of spam went down. - Logan From steve.swaney at fsl.com Thu Sep 7 16:46:25 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Sep 7 16:46:29 2006 Subject: Thoughts on Barracudas? In-Reply-To: Message-ID: <1d8a501c6d294$c694c870$287ba8c0@office.fsl> Just to finish off this thread, I just heard that D&H, a large distributor here in the states, has dropped Barracuda from their product line. Don't know why. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From brett at wrl.org Thu Sep 7 17:26:08 2006 From: brett at wrl.org (Brett Charbeneau) Date: Thu Sep 7 17:37:01 2006 Subject: Tarball install on Debian machine In-Reply-To: <223f97700609070020x6685ea2cx286294c6fa60b439@mail.gmail.com> References: <223f97700609070020x6685ea2cx286294c6fa60b439@mail.gmail.com> Message-ID: On Thu, 7 Sep 2006, Glenn Steen wrote: GS> It's a Wiki.... If you feel that some part is missing, _you_ add GS> it;-). 
If the steps are very different from what can be found in the GS> official guide (and MAQ and ... everywhere else:-), it sounds like a GS> good idea to fill this in at that place in the wiki. Ah, so. =8^) Will Wiki, then. -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From brett at wrl.org Thu Sep 7 17:32:10 2006 From: brett at wrl.org (Brett Charbeneau) Date: Thu Sep 7 17:54:59 2006 Subject: Tarball install on Debian machine In-Reply-To: References: Message-ID: Just a follow-up on this - the install when like a dream following these instructions: http://www.mailscanner.info/other.html JULIAN: WOW, the install script is super slick - GREAT info in there. Really excellent job. Let's give 'em a raise, folks! The only minor hitch came with some perl modules, but anyone with even passing familiarity with CPAN commands (that's me) can negotiate that. I am starting to believe that a Debian base install with MailScanner and SpamAssassin (ClamAV installed with .deb package) installed from tar gives you the best of both worlds: Debian stability with the latest updates from MailScannerworld. I'll post back when I upgrade with any notes, but I'm very bullish on the concept right now! P.S. Again, MANY thanks to all who offered help with my troubled .deb package install last week. Haven't a clue what was going wrong, but that's the advantage of starting over: now I don't care. 
=8^) -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From Kevin_Miller at ci.juneau.ak.us Thu Sep 7 18:05:10 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Sep 7 18:05:19 2006 Subject: Restart problem In-Reply-To: Message-ID: Logan Shaw wrote: >>>> From: "Miguel Koren O'Brien de Lacy" >>>> I found that the script does not always stop mailscanner, so when I >>>> restart port 25 is in use and so MialScanner does not work. What I >>>> do is to explicitly stop sendmail too right after stopping >>>> MailScanner. This may be a Fedora issue. > > > On Mon, 4 Sep 2006, Glenn Steen wrote: >> Isn't this the same issue hashed over a while back... That it takes a >> while (sometimes substantially so) for the sendmail waorkers to >> actually finish and die? Sometomes making the sleep interval in the >> init script not be enough, so that some linger when MS want to start >> up again? I might remember wrong, but check that first (I'm >> certainly to lazy to search the archives for you:-):-)... Stop MS, >> the grep ps for sendmail processess... > > Hmm, I think this is my cue to semi-obnoxiously point out that > if sendmail startup and MailScanner startup were separate the > way I do it (with separate init scripts, etc.), this wouldn't > be an issue. *grin* Maybe. But I don't see why it should matter whether you manually stop both process with two steps or you stop both processes with a single script. Stopping sendmail with it's own script won't close open connections any faster. But to each his own. But back to the business at hand; lately MailScanner has stopped, sorta, after a restart. 
/var/log/mail shows "MailScanner child caught a SIGHUP", then after that I get entries along the line of: Sep 7 01:19:05 mxg MailScanner[20055]: MailScanner E-Mail Virus Scanner version 4.55.9 starting... Sep 7 01:19:05 mxg MailScanner[20055]: Read 750 hostnames from the phishing whitelist Sep 7 01:19:05 mxg MailScanner[20055]: Config: calling custom init function MailWatchLogging Sep 7 01:19:05 mxg MailScanner[20055]: Started SQL Logging child Sep 7 01:19:06 mxg MailScanner[20055]: Using SpamAssassin results cache Sep 7 01:19:06 mxg MailScanner[20055]: Connected to SpamAssassin cache database Sep 7 01:19:08 mxg MailScanner[20055]: ClamAV scanner using unrar command /usr/bin/unrar Sep 7 01:19:08 mxg MailScanner[20055]: Using locktype = posix Sep 7 01:19:08 mxg MailScanner[20055]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Sep 7 01:19:35 mxg sendmail-client[19990]: k879IVp7020013: to=root, ctladdr=root (0/0), delay=00:01:04, xdelay=00:00:00, mailer=relay, pri=210376, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1] Sep 7 01:19:45 mxg sendmail-in[19786]: k879HfP2019786: Milter: from=, reject=550 5.1.8 Sender address verification failed Sep 7 01:20:18 mxg sendmail-in[19786]: k879HfP2019786: Milter: from=, reject=550 5.1.8 Sender address verification failed Sep 7 01:20:19 mxg sendmail-in[19786]: k879HfP2019786: Milter: from=, reject=451 4.1.8 Sender address verification tempfailed Sep 7 01:20:20 mxg sendmail-in[19786]: k879HfP2019786: from=, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=d7142.upc-d.chello.nl [213.46.7.142] Sep 7 01:20:35 mxg sendmail-client[19990]: k879IVp7020013: to=root, ctladdr=root (0/0), delay=00:02:04, xdelay=00:00:00, mailer=relay, pri=300376, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1] Sep 7 01:21:35 mxg sendmail-client[19990]: k879IVp7020013: to=root, ctladdr=root (0/0), delay=00:03:04, xdelay=00:00:00, mailer=relay, 
pri=390376, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1] ... No further mail goes through until I manually restart MailScanner, making sure that there are no sendmail processes. Running ps shows both MailScanner In the mix above it seems that a couple more messages were accepted by sendmail-in, but were rejected by the milter (saf-sav). After that, sendmail-client seems to want to bogart the process - until I restarted this morning when I came in to work there was just line after line of the sendmail-client entries. Looking at the logs on another machine, I see one sendmail-client process that is started when MailScanner starts (or reloads) but it doesn't turn up in the log apart from that. MailScanner, sendmail and sendmail-in are the workers. Not sure what sendmail-client is actually doing. I think I've found the smoking gun though: it is rules_du_jur. On one machine I have it run at 1:17 am. The process went south at 1:18. I'm running MailScanner 4.55.9 on it. On my secondary (MailScanner 4.55.10) it runs at 8:20 pm. That one broke just after that. Both updated a ruleset last night, which triggers a restart of MailScanner. The box that didn't break was running 4.48.4. All three are running rules_du_jour 1.28. I don't know if this is a similar mix to the OP's setup. I've increased the delay in the init script from 10 seconds to 20, but don't know if that will actually make any difference. Any help appreciated... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From glenn.steen at gmail.com Thu Sep 7 18:34:37 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 7 18:34:42 2006 Subject: Anyone using zen.spamhaus.org? 
In-Reply-To: References: <44FED128.9020907@sbcglobal.net> <223f97700609070103y6b0d17b5p15e02ea60387d318@mail.gmail.com> Message-ID: <223f97700609071034m373f48e2u7943894dcfc0a407@mail.gmail.com> On 07/09/06, Res wrote: > On Thu, 7 Sep 2006, Glenn Steen wrote: > > >> Ok I know it was late when i posted that, and its early now and im just > >> sitting down to my first coffee of the day, but... does this still not > >> mean SA is still missing 60% or so of spam, greylistd or not, if its spam > >> SA would/should have picked it up regardless, just being greylisted meant > >> it had to wait a bit of time before marking it as spam rather than > >> instantly. > >> > > Why do you assume the spammers use an MTA that can handle a temp fail? > > The point of greylisting isn't "wait a bit", it is "retry if you're real":-). > > So Eds figures add up just fine. > > I never assumed that, infact i know they dont, 90% use internal smtp > code that rarely uses an isp mail server, read my last post a few mins > ago, it clarifies where im coming from :) Yep, clearly a case of "speaking past" each other:-). > Grey listing is not an option on very large carriers networks IMHO. > (and the opinion of many other aussie and yank admins i know who also run > large customer bases) for some reason it does seem to be an extreme > facination here though for the weitse patsies who try thrash down our > throats how much we should all use postfix, they on one list were told to > STFU or be banned as now deemed as UBE spammers ROFLMFAO Hm, isn't it a good thing that I'm a good-natured easygoing Postfix fascist then?:-):-) Then again, since I don't agree with the postfix "party line", or "gospel according to W. Venema), that wouldn't make me a "wietse patsy" anyway:-D > We are happy with RBL'd, bad helos RFC1912 compliance, greet pause on > sendmail boxes, and our internal "F-U" access lists ;) > Same here, well... 
minus greet pause, plus reject_unath_pipelining and SA (and lets not mention _where_ I do my RBLs;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Sep 7 18:43:54 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 7 18:43:59 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <45002BBD.4030907@nkpanama.com> References: <44FED128.9020907@sbcglobal.net> <223f97700609070103y6b0d17b5p15e02ea60387d318@mail.gmail.com> <45002BBD.4030907@nkpanama.com> Message-ID: <223f97700609071043r3f461566md5a6fc379dbce233@mail.gmail.com> On 07/09/06, Alex Neuman van der Hans wrote: > Glenn Steen wrote: > > Why do you assume the spammers use an MTA that can handle a temp fail? > > The point of greylisting isn't "wait a bit", it is "retry if you're > > real":-). > > So Eds figures add up just fine. > > If I may.... Some *actually do*. They use open relays (*truly* open or > "open to people on my network without AUTH" open, but that's a subject > of another thread by Muhammad Nauman), faked return addresses on > M-Sexchange servers that will bounce back to the intended victim, etc. - > so the server's they're *abusing* *are* legit. > > That's where things like rbl's, SA (with razor/pyzor/dcc/SARE), and > other tools of the trade come in. I know Alex;-). And for those, neither RFC strictness (well, to a certain amount perhaps) nor "greet pausing" nor greylisting will have any effect whatsoever. We'll be seeing more of this as the spamtools evolve, no doubt. It's a constant battle, which is good... It'll keep us in work for the forseeable future;). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Sep 7 18:51:15 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 7 18:51:21 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? 
In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB04292CE@winchester.andrewscompanies.com> Message-ID: <223f97700609071051i207ae417gca7d36fffda7fd90@mail.gmail.com> On 07/09/06, Res wrote: > On Wed, 6 Sep 2006, Scott Silva wrote: > > > Res spake the following on 9/6/2006 7:04 AM: > >> On Wed, 6 Sep 2006, sandrews@andrewscompanies.com wrote: > >> > >>> Ok, so I'm exposed. I started life with MS. You got me. ;) > >> > >> coz you admitted to your crime, sentance will be light, only 1 carton of > >> Jack Daniels Whiskey wil be your punishment :) > >> > > Boy! What's a guy gotta do to get punished by you! > > Slap me with some of that Jack!! It's been a rough day! > > > nonono.... thats what he owes us :P > > mmmmmmm enjoying a glass of jacky right now, gota unwind for an hour or > so before i head off to bed > Good thinking, but ... a case is probably too little. Make that a cask of some nice single malt... :-D -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Kevin_Miller at ci.juneau.ak.us Thu Sep 7 20:18:06 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Sep 7 20:18:19 2006 Subject: Restart problem In-Reply-To: Message-ID: Kevin Miller wrote: Quick followup. I added SARE_FRAUD to the rules_du_jour mix and ran rules_du_jour from the CLI. It hosed MailScanner. Sep 7 10:50:07 mail3 sendmail[29652]: k87Io7uw029652: from=root, size=561, class=0, nrcpts=1, msgid=<450069DF.mailMVM12XPGA@mail3.c i.juneau.ak.us>, relay=root@localhost Sep 7 10:50:07 mail3 sendmail[29652]: k87Io7uw029652: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, p ri=30561, relay=localhost.ci.juneau.ak.us. [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by localhost.ci.juneau.ak.us. As it usually does, it attempts to send a notice to postmaster after an update. As you can see from the above line, localhost refused the connection, even from itself. 
Is there a way to disable the restart in rules_du_jour? I'm supposing that the new rules will be picked up when MailScanner kills off it's child processes and restarts them. It may take up to four hours to take affect, but I can live with that, so long as the rest of the system is still working. Is there anything that changed significantly between 4.48 and 4.55 that would cause this behaviour? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From rob at dido.ca Thu Sep 7 20:47:31 2006 From: rob at dido.ca (Rob Morin) Date: Thu Sep 7 20:47:55 2006 Subject: Spamcop.net RBL blocking emails by mistake? Message-ID: <45007753.8040105@dido.ca> Is it possible to get a false positive back from spamcop.net's RBL ? I have been getting some complaints about spam being deleted, because it is seen as being on spamcop.nets list, so it gets a score of 10 and gets deleted.... here is an entry in my log file... Sep 7 03:36:57 peter MailScanner[15870]: RBL checks: 2380E69001E.DFE12 found in spamcop.net Sep 7 03:36:58 peter MailScanner[15870]: Message 2380E69001E.DFE12 from 66.249.82.232 (team4ss@gmail.com) to zonecom.ca is spam, spamcop.net, SpamAssassin (score=8.638, required 4, HTML_MESSAGE 0.00, RCVD_IN_BL_SPAMCOP_NET 8.00, SARE_MSGID_LONG40 0.64) Sep 7 03:37:00 peter MailScanner[15870]: Spam Actions: message 2380E69001E.DFE12 actions are delete I checked the IP and it was not listed. Is it possible to be listed at 7AM and then removed at 10AM? Plus its a gmail.com account/IP Any ideas? Thanks... -- Rob Morin Dido InterNet Inc. 
Montreal, Canada Http://www.dido.ca 514-990-4444 From Phil.Udel at SalemCOrp.com Thu Sep 7 20:51:25 2006 From: Phil.Udel at SalemCOrp.com (Phil Udel) Date: Thu Sep 7 20:51:39 2006 Subject: Question With the Mcafee autoupdater Message-ID: <200609071952.k87Jqe2C010647@cat.salemcarriers.com> For some reason my Mcafee autoupdater does not complete. I can run it standalone. See Below. But when mailscanner runs I get the following messages: Sep 7 15:02:46 mail update.virus.scanners: Found mcafee installed Sep 7 15:02:46 mail update.virus.scanners: Running autoupdate for mcafee But it never updates. [root@mail etc]# /usr/lib/MailScanner/mcafee-autoupdate Doing initial setup of /usr/lib/MailScanner/mcafee-autoupdate > mkdir -p /usr/local/uvscan/datfiles > cd /usr/local/uvscan/datfiles > wget --tries=1 --waitretry=300 --passive-ftp http://download.nai.com/products/ datfiles/4.x/nai/update.ini 2>version.err 1>&2 > rm -f update.ini version.err > uvscan --version 2>version.err 1>&2 > rm -f version.err version.err Installed dat file is 4777 Latest dat file is 4847 > mkdir 4847 > cd 4847 > chmod 700 . > wget --tries=1 --waitretry=300 --passive-ftp --progress=dot:mega http://downlo ad.nai.com/products/datfiles/4.x/nai/dat-4847.tar --15:31:27-- http://download.nai.com/products/datfiles/4.x/nai/dat-4847.tar => `dat-4847.tar' Resolving download.nai.com... 84.53.144.159, 84.53.144.153 Connecting to download.nai.com|84.53.144.159|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432,064 (9.0M) [application/x-tar] 0K ........ ........ ........ ........ ........ ........ 33% 173.93 KB/s 3072K ........ ........ ........ ........ ........ ........ 66% 168.55 KB/s 6144K ........ ........ ........ ........ ........ ....... 
100% 176.12 KB/s 15:32:21 (172.81 KB/s) - `dat-4847.tar' saved [9432064/9432064] > tar xvf dat-4847.tar clean.dat file_id.diz names.dat packing.lst pkgdesc.ini reseller.txt scan.dat validate.exe readme.txt internet.dat > chmod 644 clean.dat dat-4847.tar file_id.diz internet.dat names.dat packing.ls t pkgdesc.ini readme.txt reseller.txt scan.dat validate.exe > chmod 755 . > uvscan --version --dat . Virus Scan for Linux v5.10.0 Copyright (c) 1992-2006 McAfee, Inc. All rights reserved. (408) 988-3832 LICENSED COPY - May 26 2006 Scan engine v5.1.00 for Linux. Virus data file v4847 created Sep 07 2006 Scanning for 208291 viruses, trojans and variants. Update OK > rm -f file_id.diz validate.exe pkgdesc.ini packing.lst dat-4847.tar readme.txt reseller.txt > rm -f /usr/local/uvscan/clean.dat > ln -s datfiles/current/clean.dat /usr/local/uvscan/clean.dat > rm -f /usr/local/uvscan/extra.dat > ln -s datfiles/current/extra.dat /usr/local/uvscan/extra.dat > rm -f /usr/local/uvscan/internet.dat > ln -s datfiles/current/internet.dat /usr/local/uvscan/internet.dat > rm -f /usr/local/uvscan/names.dat > ln -s datfiles/current/names.dat /usr/local/uvscan/names.dat > rm -f /usr/local/uvscan/scan.dat > ln -s datfiles/current/scan.dat /usr/local/uvscan/scan.dat > cd /usr/local/uvscan/datfiles > ln -s 4847 4847/current > mv 4847/current . Completed OK > exit 0 From r.berber at computer.org Thu Sep 7 21:10:04 2006 From: r.berber at computer.org (René Berber) Date: Thu Sep 7 21:10:57 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <45007753.8040105@dido.ca> References: <45007753.8040105@dido.ca> Message-ID: Rob Morin wrote: > Is it possible to get a false positive back from spamcop.net's RBL ? Yes. Anybody can make spamcop add a server address, and they do, many famous non spammers have been there, Amazon, mail lists...
> I have been getting some complaints about spam being deleted, because it > is seen as being on spamcop.net's list, so it gets a score of 10 and gets > deleted.... Why are you using such a high score? MS uses 4.0 for spamcop. > here is an entry in my log file... > > Sep 7 03:36:57 peter MailScanner[15870]: RBL checks: 2380E69001E.DFE12 > found in spamcop.net > Sep 7 03:36:58 peter MailScanner[15870]: Message 2380E69001E.DFE12 from > 66.249.82.232 (team4ss@gmail.com) to zonecom.ca is spam, spamcop.net, > SpamAssassin (score=8.638, required 4, HTML_MESSAGE 0.00, > RCVD_IN_BL_SPAMCOP_NET 8.00, SARE_MSGID_LONG40 0.64) > Sep 7 03:37:00 peter MailScanner[15870]: Spam Actions: message > 2380E69001E.DFE12 actions are delete > > I checked the IP and it was not listed. Is it possible to be listed at > 7AM and then removed at 10AM? Plus it's a gmail.com account/IP No idea here, they (spamcop) probably found the bogus entry and changed it fast. -- René Berber From jaearick at colby.edu Thu Sep 7 21:15:49 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Sep 7 21:16:11 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <45007753.8040105@dido.ca> References: <45007753.8040105@dido.ca> Message-ID: On Thu, 7 Sep 2006, Rob Morin wrote: > Date: Thu, 07 Sep 2006 15:47:31 -0400 > From: Rob Morin > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Spamcop.net RBL blocking emails by mistake? > > Is it possible to get a false positive back from spamcop.net's RBL ? > > I have been getting some complaints about spam being deleted, because it is > seen as being on spamcop.net's list, so it gets a score of 10 and gets > deleted.... > > here is an entry in my log file...
> > Sep 7 03:36:57 peter MailScanner[15870]: RBL checks: 2380E69001E.DFE12 found > in spamcop.net > Sep 7 03:36:58 peter MailScanner[15870]: Message 2380E69001E.DFE12 from > 66.249.82.232 (team4ss@gmail.com) to zonecom.ca is spam, spamcop.net, > SpamAssassin (score=8.638, required 4, HTML_MESSAGE 0.00, > RCVD_IN_BL_SPAMCOP_NET 8.00, SARE_MSGID_LONG40 0.64) > Sep 7 03:37:00 peter MailScanner[15870]: Spam Actions: message > 2380E69001E.DFE12 actions are delete > > I checked the IP and it was not listed. Is it possible to be listed at 7AM > and then removed at 10AM? Plus its a gmail.com account/IP > > Any ideas? I gave up on spamcop both as an RBL and within the MS lists at the nearly a year ago. The were overly aggressive and their webpages giving info on why a site was blocked got murky. Jeff Earickson Colby College From ssilva at sgvwater.com Thu Sep 7 21:21:03 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 7 21:21:43 2006 Subject: Forbidden to browse http://www.mailscanner.info/files/4 - why? In-Reply-To: <223f97700609071051i207ae417gca7d36fffda7fd90@mail.gmail.com> References: <1964AAFBC212F742958F9275BF63DBB04292CE@winchester.andrewscompanies.com> <223f97700609071051i207ae417gca7d36fffda7fd90@mail.gmail.com> Message-ID: Glenn Steen spake the following on 9/7/2006 10:51 AM: > On 07/09/06, Res wrote: >> On Wed, 6 Sep 2006, Scott Silva wrote: >> >> > Res spake the following on 9/6/2006 7:04 AM: >> >> On Wed, 6 Sep 2006, sandrews@andrewscompanies.com wrote: >> >> >> >>> Ok, so I'm exposed. I started life with MS. You got me. ;) >> >> >> >> coz you admitted to your crime, sentance will be light, only 1 >> carton of >> >> Jack Daniels Whiskey wil be your punishment :) >> >> >> > Boy! What's a guy gotta do to get punished by you! >> > Slap me with some of that Jack!! It's been a rough day! >> >> >> nonono.... 
thats what he owes us :P >> >> mmmmmmm enjoying a glass of jacky right now, gota unwind for an hour or >> so before i head off to bed >> > Good thinking, but ... a case is probably too little. Make that a cask > of some nice single malt... :-D I'll drink to that!!!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From michele at blacknight.ie Thu Sep 7 21:43:03 2006 From: michele at blacknight.ie (Michele Neylon :: Blacknight.ie) Date: Thu Sep 7 21:43:10 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <45007753.8040105@dido.ca> References: <45007753.8040105@dido.ca> Message-ID: <45008457.80509@blacknight.ie> Rob Morin wrote: > Is it possible to get a false positive back from spamcop.net's RBL ? Of course it is. You can get false positives from just about any DNSBL. > > I have been getting some complaints about spam being deleted, because it > is seen as being on spamcop.nets list, so it gets a score of 10 and gets > deleted.... You should never set spamcop with a score that high. You're just asking for trouble. > > here is an entry in my log file... > > Sep 7 03:36:57 peter MailScanner[15870]: RBL checks: 2380E69001E.DFE12 > found in spamcop.net > Sep 7 03:36:58 peter MailScanner[15870]: Message 2380E69001E.DFE12 from > 66.249.82.232 (team4ss@gmail.com) to zonecom.ca is spam, spamcop.net, > SpamAssassin (score=8.638, required 4, HTML_MESSAGE 0.00, > RCVD_IN_BL_SPAMCOP_NET 8.00, SARE_MSGID_LONG40 0.64) > Sep 7 03:37:00 peter MailScanner[15870]: Spam Actions: message > 2380E69001E.DFE12 actions are delete > > I checked the IP and it was not listed. Is it possible to be listed at > 7AM and then removed at 10AM? Plus its a gmail.com account/IP Gmail is constantly getting list due to their demented attitude to SMTP. They whine when it happens but they won't fix the problem > > Any ideas? Stop using Spamcop to block mail. It's fine for scoring... 
Just not with the scores / settings you are using > > Thanks... > -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From glenn.steen at gmail.com Thu Sep 7 21:44:25 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 7 21:44:33 2006 Subject: Question With the Mcafee autoupdater In-Reply-To: <200609071952.k87Jqe2C010647@cat.salemcarriers.com> References: <200609071952.k87Jqe2C010647@cat.salemcarriers.com> Message-ID: <223f97700609071344p1ef3439g9ee4e7ac54ddbddc@mail.gmail.com> On 07/09/06, Phil Udel wrote: > For some reason my Mcafee autoupdater does not complete. > I can run it standalone. See Below. But when mailscanner runs > I get the following messages: > Sep 7 15:02:46 mail update.virus.scanners: Found mcafee installed > Sep 7 15:02:46 mail update.virus.scanners: Running autoupdate for mcafee > But it never updates. > > (snip) McAfee have notoriously shaky update servers. Might be that you just hit an "unupdated" mirror. This (or similar) things happen from time to time both with their http and ftp mirrors. Very irritating. I've put a blurb or two about it in the wiki... I've been trying to use the speedownload address for a while, which seemed to be better... you can try http://speedownload.nai.com/products/datfiles/4.x/nai ... Anyway, it might be that, or something entirely unrelated:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mkettler at evi-inc.com Thu Sep 7 22:38:25 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Sep 7 22:38:41 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <45007753.8040105@dido.ca> References: <45007753.8040105@dido.ca> Message-ID: <45009151.2050607@evi-inc.com> Rob Morin wrote: > Is it possible to get a false positive back from spamcop.net's RBL ? 
As many folks have already said, yes, you WILL get FPs from any RBL.

However, nobody has pointed out that the spamassassin STATISTICS file has
information on FP rates...

According to SA 3.1.0's STATISTICS-set1.txt and set3, RCVD_IN_BL_SPAMCOP_NET
has a S/O of 0.986. This means that 98.6% of messages matching the rule were
spam. It also means that 1.4% were nonspam.

So yes, you'll get false positives, quite frequently in fact.

>
> I have been getting some complaints about spam being deleted, because it
> is seen as being on spamcop.nets list, so it gets a score of 10 and gets
> deleted....

So, why did you change the score of RCVD_IN_BL_SPAMCOP_NET to be such a huge
value? Did you not understand that the scores that come with SA are based on
tests of real-world email, and should only be changed carefully?

There's an obvious reason why SA 3.1.0 only gave this rule a score under 1.6.
It FPs way too often to be scored higher.

Really, there aren't any rules that come with SA besides GTUBE that are
sufficiently accurate to have a score greater than 6.0. It's almost impossible
to write any rule that has a zero false-positive rate unless it's so
specialized it matches very little mail and is a waste of CPU time.

Even close-to-zero is tough, although several rules in SA do have a S/O of
1.000 (ie: less than 0.1% FP rate). Personally, I'd want to see a rule be more
like 0.001% before giving it such a high score, but the SA statistics files
don't track enough significant digits to represent that.

> I checked the IP and it was not listed. Is it possible to be listed at
> 7AM and then removed at 10AM? Plus its a gmail.com account/IP

Yes, spamcop listings are highly dynamic. Sometimes an IP will get listed
because of a flood of complaints, and then quickly get de-listed when it
appears to be owned by a well-behaved network that has terminated the
responsible party.
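Added example, not part of the post above and not MailScanner or SpamAssassin code: a Python audit of MailScanner syslog lines that finds messages whose spam verdict rests on a single DNSBL rule, then re-scores them with that rule capped at 1.6, the upper bound the post gives for the stock SA 3.1.0 score. The first sample line is the log entry quoted in this thread (joined onto one line); the other two lines and all function names are constructed for illustration.

```python
import re

# SpamAssassin summary as MailScanner writes it to syslog (format taken from
# the log entry quoted in this thread).
REPORT_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) .*?"
    r"SpamAssassin \(score=(?P<score>-?[\d.]+), "
    r"required (?P<required>-?[\d.]+)(?P<rules>[^)]*)\)"
)
RULE_RE = re.compile(r"([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)")

SAMPLE_LOG = [
    # From the thread:
    "Sep 7 03:36:58 peter MailScanner[15870]: Message 2380E69001E.DFE12 from "
    "66.249.82.232 (team4ss@gmail.com) to zonecom.ca is spam, spamcop.net, "
    "SpamAssassin (score=8.638, required 4, HTML_MESSAGE 0.00, "
    "RCVD_IN_BL_SPAMCOP_NET 8.00, SARE_MSGID_LONG40 0.64)",
    # Constructed: spam even without the DNSBL hit.
    "Sep 7 04:10:02 peter MailScanner[15870]: Message AAAA1111.00001 from "
    "192.0.2.10 (a@example.com) to example.org is spam, "
    "SpamAssassin (score=12.10, required 4, BAYES_99 3.50, "
    "RCVD_IN_BL_SPAMCOP_NET 8.00, URIBL_JP_SURBL 0.60)",
    # Constructed: clean message.
    "Sep 7 04:11:40 peter MailScanner[15870]: Message BBBB2222.00002 from "
    "198.51.100.7 (b@example.net) to example.org is not spam, "
    "SpamAssassin (score=0.64, required 4, SARE_MSGID_LONG40 0.64)",
]


def parse_report(line):
    """Return id, ip, score, required and per-rule scores, or None."""
    m = REPORT_RE.search(line)
    if m is None:
        return None
    rules = {name: float(val) for name, val in RULE_RE.findall(m.group("rules"))}
    return {
        "id": m.group("id"),
        "ip": m.group("ip"),
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "rules": rules,
    }


def decisive_rules(report):
    """Rules without which a spam-tagged message would fall below threshold."""
    if report["score"] < report["required"]:
        return []
    return sorted(
        name for name, val in report["rules"].items()
        if val > 0 and report["score"] - val < report["required"]
    )


def rescore(report, overrides):
    """Total score if the named rules had carried the override scores."""
    total = report["score"]
    for name, new_score in overrides.items():
        if name in report["rules"]:
            total += new_score - report["rules"][name]
    return round(total, 3)


def audit(lines, overrides):
    """List messages whose verdict depends on exactly one RCVD_IN_* rule."""
    findings = []
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        decisive = decisive_rules(report)
        if len(decisive) == 1 and decisive[0].startswith("RCVD_IN_"):
            new_total = rescore(report, overrides)
            findings.append({
                "id": report["id"],
                "ip": report["ip"],
                "rule": decisive[0],
                "logged_score": report["score"],
                "rescored": new_total,
                "still_spam": new_total >= report["required"],
            })
    return findings


if __name__ == "__main__":
    # 1.6 is the upper bound stated in the post; the exact stock score is
    # not given on this page.
    for f in audit(SAMPLE_LOG, {"RCVD_IN_BL_SPAMCOP_NET": 1.6}):
        print(f)
```

Run over a day of mail log, the findings list is the set of messages a "delete" spam action removed on the word of one blocklist lookup.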
From taz at taz-mania.com Thu Sep 7 23:12:38 2006 From: taz at taz-mania.com (Dennis Willson) Date: Thu Sep 7 23:12:42 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <45007753.8040105@dido.ca> Message-ID: I have an issue with the subject of your posting... SpamCop did NOT block your email... You did. Granted it was based on information they provided. But that's a lot different than SpamCop actually doing the blocking. Having run an RBL service before, I'm a bit sensitive to that kind of statement. I feel better now..... Dennis On Thu, 07 Sep 2006 15:47:31 -0400 Rob Morin wrote: >Is it possible to get a false positive back from spamcop.net's RBL ? > >I have been getting some complaints about spam being deleted, because >it is seen as being on spamcop.nets list, so it gets a score of 10 >and gets deleted.... > >here is an entry in my log file... > >Sep 7 03:36:57 peter MailScanner[15870]: RBL checks: >2380E69001E.DFE12 found in spamcop.net >Sep 7 03:36:58 peter MailScanner[15870]: Message 2380E69001E.DFE12 >from 66.249.82.232 (team4ss@gmail.com) to zonecom.ca is spam, >spamcop.net, SpamAssassin (score=8.638, required 4, HTML_MESSAGE >0.00, RCVD_IN_BL_SPAMCOP_NET 8.00, SARE_MSGID_LONG40 0.64) >Sep 7 03:37:00 peter MailScanner[15870]: Spam Actions: message >2380E69001E.DFE12 actions are delete > >I checked the IP and it was not listed. Is it possible to be listed >at 7AM and then removed at 10AM? Plus its a gmail.com account/IP > >Any ideas? > >Thanks... > >-- > >Rob Morin >Dido InterNet Inc. >Montreal, Canada >Http://www.dido.ca >514-990-4444 > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! 
-------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From mkettler at evi-inc.com Thu Sep 7 23:32:58 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Sep 7 23:33:07 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: Message-ID: <45009E1A.3060606@evi-inc.com> Dennis Willson wrote: > I have an issue with the subject of your posting... > > SpamCop did NOT block your email... You did. Granted it was based on > information they provided. But that's a lot different than SpamCop > actually doing the blocking. > I tend to agree with that, although I also have more problems with the fact that it implies that any RBL is ever perfect. A better wording was "spamcop.net RBL listing ip's that send nonspam by mistake?". Which of course still has the problem of assuming that listings that affect both spam and nonspam are or should extraordinarily rare. They aren't rare, they're commonplace in all RBLs. From csweeney at osubucks.org Fri Sep 8 01:04:02 2006 From: csweeney at osubucks.org (Chris Sweeney) Date: Fri Sep 8 01:04:36 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: <4500B372.7040005@osubucks.org> Thats funny I have never had that problem. Res wrote: > On Thu, 7 Sep 2006, Jim Holland wrote: > >> I haven't noticed hotmail doing that, but other large ISPs such as >> Yahoo, >> Gmail, MessageLabs etc seem to make only a single delivery attempt >> and if >> that tempfails they still return the mail to sender and don't try the >> secondary. Very annoying! 
>
> Hmmm I've never checked gmail, dont have/need an account there,
> thanks for the heads up
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4022 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060907/7df05fd4/smime.bin

From leiw324 at yahoo.com.hk Fri Sep 8 03:09:38 2006
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Fri Sep 8 03:09:45 2006
Subject: ERROR: CVD extraction failure
Message-ID: <20060908020939.35552.qmail@web54407.mail.yahoo.com>

Sep 5 01:22:45 abc MailScanner[17366]: ERROR: CVD extraction failure

How can I fix this problem ?

Thank

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060908/3dbb11fb/attachment.html

From mailscanner at mango.zw Fri Sep 8 07:59:06 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Fri Sep 8 07:59:12 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To: <4500B372.7040005@osubucks.org>
Message-ID:

On Thu, 7 Sep 2006, Chris Sweeney wrote:

> Thats funny I have never had that problem.
>
> Res wrote:
> > On Thu, 7 Sep 2006, Jim Holland wrote:
> >
> >> I haven't noticed hotmail doing that, but other large ISPs such as
> >> Yahoo,
> >> Gmail, MessageLabs etc seem to make only a single delivery attempt
> >> and if
> >> that tempfails they still return the mail to sender and don't try the
> >> secondary. Very annoying!
> >
> > Hmmm I've never checked gmail, dont have/need an account there,
> > thanks for the heads up

I had a specific problem with the above three ISPs because they all ignore
the SIZE extension during the SMTP transaction. Our system has very
little bandwidth - 64K for our 2,500 users.
So we need to be very efficient, and set a 1.5 MB size limit on incoming mail. However these three systems will happily attempt to deliver us messages of 10 MB or more. Because they don't announce the size at the beginning, we can't tell them the message is too large until they have sent the full message. Which is a huge waste of bandwidth. So I thought I would be clever and give them a 451 error when their servers connected, so they would always be forced to use our secondary MX which has far more bandwidth than we do. I do that frequently when being mailbombed by a system sending genuine mail (eg huge mailing lists) - they then send the mail to the secondary from which I can collect it during off-peak periods. However when I checked over the day that I tried to implement this with Gmail, Yahoo and MessageLabs, there was no indication that the mail we had tempfailed here from these three systems was being resent to our secondary MX. I quickly stopped doing it - and am still left with the problem of how to block their annoying large messages. Perhaps I have drawn too broad a conclusion about these ISPs from this experience? Perhaps an explicit 451 generated by us causes them to respond differently than if they got a different kind of temporary failure such as a timeout. However if I am correct I would expect that greylisting would not work with these systems for the same reason. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From martin.lyberg at gmail.com Fri Sep 8 08:17:16 2006 From: martin.lyberg at gmail.com (Martin) Date: Fri Sep 8 08:17:32 2006 Subject: How to tell wich url that triggered in SURBL? 
Message-ID:

Hi,

I get the following in my mail-header if a mail contains a url listed in
SURBL:

URIBL_JP_SURBL 3.36

I recall that I've read some other posts that it looks like this in the
header:

URIBL_JP_SURBL Contains an URL listed in the JP blocklist
* [URIs: site.com]

How do I enable SURBL to show which URL is triggered like above? I'm using
MailScanner 4.51.5 + SA 3.1.4

Thank you

From raymond at prolocation.net Fri Sep 8 09:55:54 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Sep 8 09:55:55 2006
Subject: How to tell wich url that triggered in SURBL?
In-Reply-To:
References:
Message-ID:

Hi!

> URIBL_JP_SURBL 3.36
>
> I recall that I've read some other posts that it looks like this in the
> header:
>
> URIBL_JP_SURBL Contains an URL listed in the JP blocklist
> * [URIs: site.com]
>
> How do I enable SURBL to show which URL is triggered like above? I'm using
> MailScanner 4.51.5 + SA 3.1.4

You can't. Unless you modify code yourself. SA reports back the domain
only as far as I know.

Bye,
Raymond.

From martin.lyberg at gmail.com Fri Sep 8 10:18:01 2006
From: martin.lyberg at gmail.com (Martin)
Date: Fri Sep 8 10:18:30 2006
Subject: How to tell wich url that triggered in SURBL?
In-Reply-To:
References:
Message-ID:

Raymond Dijkxhoorn wrote:

> You can't. Unless you modify code yourself. SA reports back the domain
> only as far as I know.
>
> Bye,
> Raymond.

Raymond,

Maybe I was a little unclear what I meant. I've seen some posts on the
SA-mailinglist where headers are showing the domain like this:

URIBL_JP_SURBL Contains an URL listed in the JP blocklist
* [URIs: site.com]

When I get a mail with a domain listed on SURBL, I only get this
information and not the URI:

URIBL_JP_SURBL 3.36

So my question is, is this configurable? If not, why does it show up for
some people, but not for me?
Thank you From csweeney at osubucks.org Fri Sep 8 12:51:27 2006 From: csweeney at osubucks.org (Chris Sweeney) Date: Fri Sep 8 12:51:56 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: <4501593F.1070904@osubucks.org> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4022 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060908/f36ce7f0/smime.bin From res at ausics.net Fri Sep 8 12:54:37 2006 From: res at ausics.net (Res) Date: Fri Sep 8 12:54:52 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: On Thu, 7 Sep 2006, Logan Shaw wrote: > Yes, he was saying that, before greylisting, 12-15% of the > traffic gets marked as clean. Presumably that is because > 12-15% of the traffic IS clean, and the rest is not. Then > after greylisting, 80% of the traffic got marked as clean. > Presumably that means 80% of it IS clean. Then SA cant be that effective for him. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Fri Sep 8 12:56:20 2006 From: res at ausics.net (Res) Date: Fri Sep 8 12:56:37 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <223f97700609071034m373f48e2u7943894dcfc0a407@mail.gmail.com> References: <44FED128.9020907@sbcglobal.net> <223f97700609070103y6b0d17b5p15e02ea60387d318@mail.gmail.com> <223f97700609071034m373f48e2u7943894dcfc0a407@mail.gmail.com> Message-ID: On Thu, 7 Sep 2006, Glenn Steen wrote: > Yep, clearly a case of "speaking past" each other:-). hehe it happens :) > Hm, isn't it a good thing that I'm a good-natured easygoing Postfix > fascist then?:-):-) Then again, since I don't agree with the postfix > "party line", or "gospel according to W. 
Venema), that wouldn't make
> me a "wietse patsy" anyway:-D

true, lol the first one I've met :P

>
>> We are happy with RBL'd, bad helos RFC1912 compliance, greet pause on
>> sendmail boxes, and our internal "F-U" access lists ;)
>>
> Same here, well... minus greet pause, plus reject_unath_pipelining and
> SA (and lets not mention _where_ I do my RBLs;-)

hahahaha lets not

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Fri Sep 8 12:58:48 2006
From: res at ausics.net (Res)
Date: Fri Sep 8 12:59:01 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <45007753.8040105@dido.ca>
References: <45007753.8040105@dido.ca>
Message-ID:

On Thu, 7 Sep 2006, Rob Morin wrote:

> I checked the IP and it was not listed. Is it possible to be listed at 7AM
> and then removed at 10AM? Plus its a gmail.com account/IP

Yes, spamcop have a time based entry system

if it's that IP's first entry it's delisted after 2 hours, then if you're in
it again it's longer, and so on, each time gets longer, it's a very fair
process.

Of course there will always be certain cretins who will be in there
forever, but most of us never have to worry about that.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd

From steve.swaney at fsl.com Fri Sep 8 14:48:17 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Sep 8 14:48:21 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
Message-ID: <1f4a501c6d34d$70541920$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Jim Holland
> Sent: Friday, September 08, 2006 2:59 AM
> To: MailScanner discussion
> Subject: Re: Anyone using zen.spamhaus.org?
> > On Thu, 7 Sep 2006, Chris Sweeney wrote: > > > Thats funny I have never had that problem. > > > > Res wrote: > > > On Thu, 7 Sep 2006, Jim Holland wrote: > > > > > >> I haven't noticed hotmail doing that, but other large ISPs such as > > >> Yahoo, > > >> Gmail, MessageLabs etc seem to make only a single delivery attempt > > >> and if > > >> that tempfails they still return the mail to sender and don't try the > > >> secondary. Very annoying! > > > > > > Hmmm I've never checked gmail, dont have/need an account there, > > > thanks for the heads up > > I had a specific problem with the above three ISPs because they all ignore > the SIZE extension during the SMTP transaction. Our system has very > little bandwidth - 64K for our 2,500 users. So we need to be very > efficient, and set a 1.5 MB size limit on incoming mail. However these > three systems will happily attempt to deliver us messages of 10 MB or > more. Because they don't announce the size at the beginning, we can't > tell them the message is too large until they have sent the full message. > Which is a huge waste of bandwidth. > > So I thought I would be clever and give them a 451 error when their > servers connected, so they would always be forced to use our secondary MX > which has far more bandwidth than we do. I do that frequently when being > mailbombed by a system sending genuine mail (eg huge mailing lists) - they > then send the mail to the secondary from which I can collect it during > off-peak periods. However when I checked over the day that I tried to > implement this with Gmail, Yahoo and MessageLabs, there was no indication > that the mail we had tempfailed here from these three systems was being > resent to our secondary MX. I quickly stopped doing it - and am still > left with the problem of how to block their annoying large messages. > > Perhaps I have drawn too broad a conclusion about these ISPs from this > experience? 
Perhaps an explicit 451 generated by us causes them to > respond differently than if they got a different kind of temporary failure > such as a timeout. However if I am correct I would expect that > greylisting would not work with these systems for the same reason. > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > With sendmail or the latest postfix, this might help milter-length http://www.snertsoft.com/sendmail/milter-length/ >From the site: "This is a Sendmail utility milter that imposes message size limits by IP address, domain name, or sender address on a message body length, excluding the message headers. Sendmail's MaxMessageSize option only allows for a single global server wide message size limit, which is insufficient for some sites that would prefer finer granularity in the application of message size limits. This is particularly useful for mail hosts that manage several domains and/or a large number of users, such as an ISP." I don't know at what point the connection is broken if the message is too large but I would hope that It happens as soon as the message size limit is reached during the transmission. This milter is a free source download so if you can read the code it you could find out - or contact the author. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From edwardbruce at sbcglobal.net Fri Sep 8 15:03:36 2006 From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Fri Sep 8 15:03:41 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: <45017838.10009@sbcglobal.net> Res wrote: > On Thu, 7 Sep 2006, Logan Shaw wrote: > >> Yes, he was saying that, before greylisting, 12-15% of the >> traffic gets marked as clean. Presumably that is because >> 12-15% of the traffic IS clean, and the rest is not. Then >> after greylisting, 80% of the traffic got marked as clean. >> Presumably that means 80% of it IS clean. 
> > Then SA cant be that effective for him. > > That is just what percentage is not identified as SPAM. Yes it doesn't mean that no SPAM is getting through, I'm not John C Dvorak :). From jrudd at ucsc.edu Fri Sep 8 16:09:47 2006 From: jrudd at ucsc.edu (John Rudd) Date: Fri Sep 8 16:10:31 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> Message-ID: On Sep 8, 2006, at 4:58 AM, Res wrote: > On Thu, 7 Sep 2006, Rob Morin wrote: > >> I checked the IP and it was not listed. Is it possible to be listed >> at 7AM and then removed at 10AM? Plus its a gmail.com account/IP > > Yes, spamcop have a time based entry system > > if its that IP's first entry its delisted after 2 hours, then if your > in it again its longer, and so on, each time gets longer, its a very > fair process. It would be a fair process if their criteria were reasonable and accurate. Since their criteria are neither, the process is anything but fair. From mailscanner at mango.zw Fri Sep 8 16:13:06 2006 From: mailscanner at mango.zw (Jim Holland) Date: Fri Sep 8 16:12:58 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <1f4a501c6d34d$70541920$287ba8c0@office.fsl> Message-ID: On Fri, 8 Sep 2006, Stephen Swaney wrote: > > I had a specific problem with the above three ISPs because they all ignore > > the SIZE extension during the SMTP transaction. Our system has very > > little bandwidth - 64K for our 2,500 users. So we need to be very > > efficient, and set a 1.5 MB size limit on incoming mail. However these > > three systems will happily attempt to deliver us messages of 10 MB or > > more. Because they don't announce the size at the beginning, we can't > > tell them the message is too large until they have sent the full message. > > Which is a huge waste of bandwidth. 
> > > > So I thought I would be clever and give them a 451 error when their > > servers connected, so they would always be forced to use our secondary MX > > which has far more bandwidth than we do. I do that frequently when being > > mailbombed by a system sending genuine mail (eg huge mailing lists) - they > > then send the mail to the secondary from which I can collect it during > > off-peak periods. However when I checked over the day that I tried to > > implement this with Gmail, Yahoo and MessageLabs, there was no indication > > that the mail we had tempfailed here from these three systems was being > > resent to our secondary MX. I quickly stopped doing it - and am still > > left with the problem of how to block their annoying large messages. > > > > Perhaps I have drawn too broad a conclusion about these ISPs from this > > experience? Perhaps an explicit 451 generated by us causes them to > > respond differently than if they got a different kind of temporary failure > > such as a timeout. However if I am correct I would expect that > > greylisting would not work with these systems for the same reason. > > > > Regards > > > > Jim Holland > > System Administrator > > MANGO - Zimbabwe's non-profit e-mail service > > > > With sendmail or the latest postfix, this might help > > milter-length http://www.snertsoft.com/sendmail/milter-length/ > > >From the site: > "This is a Sendmail utility milter that imposes message size limits by IP > address, domain name, or sender address on a message body length, excluding > the message headers. Sendmail's MaxMessageSize option only allows for a > single global server wide message size limit, which is insufficient for some > sites that would prefer finer granularity in the application of message size > limits. This is particularly useful for mail hosts that manage several > domains and/or a large number of users, such as an ISP." 
>
> I don't know at what point the connection is broken if the message is too
> large but I would hope that It happens as soon as the message size limit is
> reached during the transmission. This milter is a free source download so if
> you can read the code it you could find out - or contact the author.

Thanks - this looks interesting, but it won't solve the problem in my
case. If a server does not announce the size in the MAIL FROM command:

    EHLO mail.mango.zw
    250-mail.example.com Hello mail.mango.zw [196.201.16.130], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-SIZE 2097152
    250-DSN
    250-ONEX
    250-XUSR
    250 HELP
    MAIL FROM: SIZE=2304
               ^^^^^^^^^

then the recipient will have no idea of the size until the end of the DATA
phase. It has to accept the whole message, and the protocols do not allow
you to disconnect during the DATA phase. The milter above seems very
handy but will only work if the ESMTP SIZE extension is used.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From lshaw at emitinc.com Fri Sep 8 16:31:16 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Fri Sep 8 16:31:33 2006
Subject: Anyone using zen.spamhaus.org?
In-Reply-To:
References:
Message-ID:

On Fri, 8 Sep 2006, Res wrote:
> On Thu, 7 Sep 2006, Logan Shaw wrote:
>> Yes, he was saying that, before greylisting, 12-15% of the
>> traffic gets marked as clean. Presumably that is because
>> 12-15% of the traffic IS clean, and the rest is not. Then
>> after greylisting, 80% of the traffic got marked as clean.
>> Presumably that means 80% of it IS clean.

> Then SA cant be that effective for him.

That doesn't make any sense mathematically. If I get 100 messages
and 20 of them are spam and 80 of them are ham, and if SpamAssassin
catches all 20 spams and nothing else, how does that qualify as
"not that effective"?
- Logan From dave.list at pixelhammer.com Fri Sep 8 16:39:04 2006 From: dave.list at pixelhammer.com (DAve) Date: Fri Sep 8 16:39:24 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> Message-ID: <45018E98.30900@pixelhammer.com> John Rudd wrote: > > On Sep 8, 2006, at 4:58 AM, Res wrote: > >> On Thu, 7 Sep 2006, Rob Morin wrote: >> >>> I checked the IP and it was not listed. Is it possible to be listed >>> at 7AM and then removed at 10AM? Plus its a gmail.com account/IP >> >> Yes, spamcop have a time based entry system >> >> if its that IP's first entry its delisted after 2 hours, then if your >> in it again its longer, and so on, each time gets longer, its a very >> fair process. > > It would be a fair process if their criteria were reasonable and accurate. > > Since their criteria are neither, the process is anything but fair. > I don't know if their criteria is fair or not, they never tell me their criteria. I know that if a spamcop subscriber turns in a message as spam from my server, and they list me, and the message body looks something like, "Hi grandson, I hope I got your email address right, your handwriting is hard to read with my cataracts. Grandpa passed this morning, your Mom will call you when you get out of class. I hate to make you miss finals so please don't come to the funeral. Grandpa would understand. Love Grandma" Then there is a problem with their criteria for certain. I still do not believe that a common users opinion should be the sole determination of what is SPAM and what is not. I get several hundred AOL SPAM reports I must manually unsubscribe from maillists each month because they sign up to gain access to a website and then don't want the mail. SPAM has become "mail I don't want". DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? 
Maybe they forgot who made that choice possible.

From john.clancy at businessworld.ie Fri Sep 8 16:47:34 2006
From: john.clancy at businessworld.ie (John Clancy)
Date: Fri Sep 8 16:48:13 2006
Subject: Spamcop.net RBL blocking emails by mistake?
References: <45007753.8040105@dido.ca> <45018E98.30900@pixelhammer.com>
Message-ID: <000c01c6d35e$1d1f60a0$0101a8c0@JOHNCLANCY>

> I still do not believe that a common users opinion should be the sole
> determination of what is SPAM and what is not. I get several hundred AOL
> SPAM reports I must manually unsubscribe from maillists each month because
> they sign up to gain access to a website and then don't want the mail.
> SPAM has become "mail I don't want".
>
> DAve

SPAM has always been "mail I don't want" its just that not all "mail I
don't want" happens to be SPAM :-)

JC

From pas at unh.edu Fri Sep 8 16:57:42 2006
From: pas at unh.edu (Paul A Sand)
Date: Fri Sep 8 16:59:51 2006
Subject: Sendmail ignoring MinQueueAge after MailScanner upgrade?
Message-ID: <20060908155742.GA30562@cisunix.unh.edu>

Hi --

I recently upgraded MailScanner to version 4.55.10 from version 4.54.6.
All seemed to go OK, but I soon noticed a dramatic increase in sendmail
processes on the servers. (All running RHEL 4, Sendmail 8.13.1)

Background: the servers typically have 500-1000 entries in their
"outgoing" mail queue, most of them deferred messages either due to
(a) over-quota local users; (b) unresponsive external servers.

Previously, deferred messages would wait at least 4 hours between
delivery attempts. ('O MinQueueAge=4h' in /etc/mail/sendmail.cf). But
now, post-upgrade, this setting seems to be ignored. Each sendmail
process running through the queue seems to attempt to deliver any
message it sees, no matter how little time has gone since the last
delivery attempt.

So the result is (typically) 600-700 concurrent sendmail processes,
where previously we'd see 70-80.
And a LOT of failed delivery attempts, all dutifully logged in some
impressively-sized logfiles. (About 5x bigger post-upgrade.)

Fortunately, normal mail seems to flow OK. But I'd prefer not to have
sendmail chatter like this.

I've searched the MailScanner list archives with nothing popping out at
me. Worse, I don't even understand how the upgrade could have caused
this behavior, since MailScanner's involvement in the outgoing queue
seems to be limited to starting up the initial sendmail queue-runner in
exactly the same way it did before, and (of course) putting scanned
messages in there, just like it did before.

I have tried specifying MinQueueAge directly in the MailScanner startup
script, so the command line now looks like

    /usr/sbin/sendmail -q15m -OMinQueueAge=4h \
        -OPidFile=/var/run/sendmail.out.pid

... but that didn't change the behavior.

I am using

    Lock Type = posix

in /etc/MailScanner/MailScanner.conf, if that matters.

If I run the queue by hand:

    sendmail -q -v

... it dutifully tells me that it's passing over too-young queue
entries. But that doesn't seem to be happening with the normal queue
processors.

I am prepared to have list members point out my idiotic mistake, because
I'm pretty much out of ideas on this end.

--
-- Paul A. Sand                  | Personifiers unite!
-- University of New Hampshire   | You have nothing to lose but Mr. Dignity!
-- pas@unh.edu                   |
-- http://pubpages.unh.edu/~pas  |

From alex at nkpanama.com Fri Sep 8 17:27:12 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Fri Sep 8 17:27:26 2006
Subject: Ways to filter other document types
Message-ID: <450199E0.6020301@nkpanama.com>

Any ideas on how to block word or pdf spam, as mentioned in:

http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1214687,00.html

It could be an interesting option to add to the phishing filter or to
SA, as spammers are now using these formats. Something like the TNEF
unpack-then-repack approach we're getting now, would probably be the way
to go.
Anybody already doing something similar?

From ms-list at alexb.ch Fri Sep 8 17:34:33 2006
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Sep 8 17:34:37 2006
Subject: How to tell wich url that triggered in SURBL?
In-Reply-To:
References:
Message-ID: <45019B99.40904@alexb.ch>

On 9/8/2006 11:18 AM, Martin wrote:
> Raymond Dijkxhoorn wrote:
>
>> You cant. Unless you modify code yourself. SA reports back the domain
>> only as far as i know.
>>
>> Bye,
>> Raymond.
>
> Raymond,
>
> Maybe i was a little unclear what i meant. I've seen some posts on the
> SA-mailinglist where headers are showing the domain like this:
>
> URIBL_JP_SURBL Contains an URL listed in the JP blocklist
> * [URIs: site.com]
>
> When I get a mail with an domain listed on SURBL, i only get this
> information and not the URI:
>
> URIBL_JP_SURBL 3.36
>
> So my question is, is this configurable? If not, why does it show up for
> some people, but not for me?
>
> Thank you

Seems it's a MailScanner special.
(makes it hard to debug when you have a FP but that's the way it is)

Alex

From dave.list at pixelhammer.com Fri Sep 8 17:44:39 2006
From: dave.list at pixelhammer.com (DAve)
Date: Fri Sep 8 17:44:54 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <000c01c6d35e$1d1f60a0$0101a8c0@JOHNCLANCY>
References: <45007753.8040105@dido.ca> <45018E98.30900@pixelhammer.com> <000c01c6d35e$1d1f60a0$0101a8c0@JOHNCLANCY>
Message-ID: <45019DF7.4060800@pixelhammer.com>

John Clancy wrote:
>
>> I still do not believe that a common users opinion should be the sole
>> determination of what is SPAM and what is not. I get several hundred
>> AOL SPAM reports I must manually unsubscribe from maillists each month
>> because they sign up to gain access to a website and then don't want
>> the mail. SPAM has become "mail I don't want".
>>
>> DAve
>
> SPAM has always been "mail I don't want" its just that not all "mail I
> don't want" happens to be SPAM :-)
>
> JC

True, it depends on your perspective.
What I call SPAM as a sysadmin is different than what my paying clients
call SPAM. Stopping SPAM is becoming a vicious juggling act for ISPs like
us with mixed clients.

When I am told "You need to work on the SPAM filtering, client complaints
are increasing", I hear "Descend into the depths of hell and bring me
Satan's head".

DAve

--
Three years now I've asked Google why they don't have a logo change
for Memorial Day. Why do they choose to do logos for other
non-international holidays, but nothing for Veterans?
Maybe they forgot who made that choice possible.

From mailscanner at ecs.soton.ac.uk Fri Sep 8 18:12:55 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 8 18:13:05 2006
Subject: problems reaching parts of the mailscanner docs online?
In-Reply-To: <44FE824A.1010707@solidstatelogic.com>
References: <57573D714A832C43B9D80EAFBDA48D03013572A4@inex3.herffjones.hj-int> <44FE824A.1010707@solidstatelogic.com>
Message-ID: <4501A497.3090500@ecs.soton.ac.uk>

Martin Hepworth wrote:
> Furnish, Trever G wrote:
>> Anyone else having problems today (2006-09-05, 17:39 GMT-4) reaching the
>> MAQ? I get either a timeout or a connection refused when connecting to
>> wiki.mailscanner.info, as well as when connecting to
>> www.sng.ecs.soton.ac.uk for HTTP requests. Tested from two different
>> sites and several different servers, no firewalls or proxies involved.
>
> Back now. I guess they where working on the web servers as the whole of
> ecs.soton.ac.uk was offline for me..either that or the external line
> they use is out of action.

I am about to move wiki.mailscanner.info off our servers altogether and
onto BlacknightSolutions.com (whom I thoroughly recommend for all your
hosting needs! They rock!).

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Fri Sep 8 18:15:52 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 8 18:16:01 2006
Subject: MailScanner 4.56
In-Reply-To: <20060905120117.GH25367@doctor.nl2k.ab.ca>
References: <20060905120117.GH25367@doctor.nl2k.ab.ca>
Message-ID: <4501A548.5040605@ecs.soton.ac.uk>

I am about to release a new beta for you folks to test for me.
The next stable release probably won't be until the beginning of
October, if I have time. My day job is really busy at the moment, I am
doing huge rounds of server upgrades this summer. New filestore, new
file server, new mail system, new virtualisation servers, all sorts of
stuff. That has to come first.

Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
Problem wrote:
> Julian when is 4.56 due out? Does it need further Beta Testing?
>
> Also a general question to all, how does one
> redirect spam to a specific spamlist , say spamtrap@domain.tld?
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Fri Sep 8 18:21:42 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 8 18:21:52 2006
Subject: Marking list as 'all read'
Message-ID: <4501A6A6.7090209@ecs.soton.ac.uk>

I am marking the whole mailing list content for the past week as "read"
as I don't have time to go through all of the messages that have been
posted while I've been away at the "Spies, Lies and Intelligence"
conference in Oxford for the past week.

If you have a really serious problem, and not just a "how do I"
question, then mail me off-list and I will try to get around to you.
Otherwise I am assuming that you folks have all dealt with everything
important between you. I will endeavour to respond to all the off-list
mail you send me, but I don't guarantee it. As usual, I try very hard to
respond personally to every mail sent to me.

Thanks for your understanding,
Jules.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From prandal at herefordshire.gov.uk Fri Sep 8 18:29:10 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Sep 8 18:29:54 2006
Subject: MailScanner 4.56
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580F3743E6@isabella.herefordshire.gov.uk>

Julian,

Any chance of an updated install-Clam-SA.gz with spamassassin 3.1.5 in
it?

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: 08 September 2006 18:16
> To: MailScanner discussion
> Subject: Re: MailScanner 4.56
>
> I am about to release a new beta for you folks to test for me.
> The next stable release probably won't be until the beginning of
> October, if I have time. My day job is really busy at the
> moment, I am
> doing huge rounds of server upgrades this summer. New filestore, new
> file server, new mail system, new virtualisation servers, all
> sorts of
> stuff. That has to come first.
>
>
> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
> Problem wrote:
> > Julian when is 4.56 due out? Does it need further Beta Testing?
> >
> > Also a general question to all, how does one
> > redirect spam to a specific spamlist , say spamtrap@domain.tld?
> >
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@MailScanner.biz
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From rgreen at trayerproducts.com Fri Sep 8 18:50:06 2006
From: rgreen at trayerproducts.com (Green, Rodney)
Date: Fri Sep 8 18:51:36 2006
Subject: Hold queue question
Message-ID: <4501AD4E.4080401@trayerproducts.com>

Hello,

I'm using Postfix with MailScanner. Can someone tell me what would
happen if I were to release (using postsuper -H queueid) a message in
the hold queue? Would that message bypass MailScanner?

Thanks,
Rod

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From rob at dido.ca Fri Sep 8 18:59:02 2006
From: rob at dido.ca (Rob Morin)
Date: Fri Sep 8 18:59:08 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To:
References: <45007753.8040105@dido.ca>
Message-ID: <4501AF66.6040702@dido.ca>

Well the default in my config was already set at 10 i lowered it to
8... i will now lower it to 4...

Thanks for all your replies.... But is there any RBL worth paying for or
worth using then?

Thanks..

Rob Morin
Dido Internet.Inc.
Montreal, Canada

René Berber wrote:
> Rob Morin wrote:
>
>
>> Is it possible to get a false positive back from spamcop.net's RBL ?
>>
>
> Yes. Anybody can make spamcop add a server address, and they do, many famous
> non spammers have been there, Amazon, mail lists...
>
>
>> I have been getting some complaints about spam being deleted, because it
>> is seen as being on spamcop.nets list, so it gets a score of 10 and gets
>> deleted....
>>
>
> Why are you using such a high score? MS uses 4.0 for spamcop.
>
>
>> here is an entry in my log file...
>>
>> Sep 7 03:36:57 peter MailScanner[15870]: RBL checks: 2380E69001E.DFE12
>> found in spamcop.net
>> Sep 7 03:36:58 peter MailScanner[15870]: Message 2380E69001E.DFE12 from
>> 66.249.82.232 (team4ss@gmail.com) to zonecom.ca is spam, spamcop.net,
>> SpamAssassin (score=8.638, required 4, HTML_MESSAGE 0.00,
>> RCVD_IN_BL_SPAMCOP_NET 8.00, SARE_MSGID_LONG40 0.64)
>> Sep 7 03:37:00 peter MailScanner[15870]: Spam Actions: message
>> 2380E69001E.DFE12 actions are delete
>>
>> I checked the IP and it was not listed. Is it possible to be listed at
>> 7AM and then removed at 10AM? Plus its a gmail.com account/IP
>>
>
> No idea here, they (spamcop) probably found the bogus entry and changed it fast.
>

From mailscanner at ecs.soton.ac.uk Fri Sep 8 19:20:10 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 8 19:20:25 2006
Subject: MailScanner beta 4.56.3 released
Message-ID: <4501B45A.8010306@ecs.soton.ac.uk>

Please can you give this a try and let me know how you get on.

The Change Log for this version is this:

* New Features and Improvements *
1 Added a complete new set of configuration settings to report on messages
  and attachments that are outside the size limits set in MailScanner.conf.
  These are:
      Sender Size Report
      Stored Size Message Report
      Deleted Size Message Report
      Size Modify Subject
      Size Subject Text
  These are used in exactly the same way as the other sets of options that
  tag and modify the message for other reasons.
3 Improved report of "message too large" case.
3 Updated Catalan language files courtesy of Jordi Sanfeliu.
3 Increased default max SpamAssassin message size to catch more
  single-image spam messages.
3 Solved compatibility with Postfix 2.3.
3 Upgraded Sys::Syslog to 0.18 which fixes all the compatibility problems
  of 0.17 and 0.16.
3 Upgraded Kaspersky support to 5.5.

* Fixes *
1 When 'Outgoing Queue Dir' was changed from the default, kicking sendmail
  into attempting delivery of a new processed message in the outgoing queue
  would just wait for the next regular run of the queue. Now fixed so that
  a delivery attempt is made immediately. This fix only affects users who
  have changed the "Outgoing Queue Dir" setting and who are also using
  sendmail as their MTA.
2 Missed 2 "defined" checks on variables before using them. Thanks to
  Andy Kirkpatrick for spotting that one.
2 Fixed version number check.
3 Fixed output bug in less strict phishing net. Does anyone use this?
3 Fixed bug in Sendmail KickMessage() function. Thanks to Martin Billy.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From daniel.maher at ubisoft.com Fri Sep 8 19:47:30 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Fri Sep 8 19:47:33 2006
Subject: spamassassin doesn't like Norwegian email, apparently..
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D1BB@UBIMAIL1.ubisoft.org>

Hi all,

One of my users has been complaining that his Norwegian-language email
has been getting tagged as Spam. I checked the headers, and it doesn't
appear to be a locale issue.
In fact, it's all Bayes:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 6.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9956]

That's it. Apparently Norwegian (Bokmal, I think) looks like spam. Who
knew?

Does anybody have any ideas on how I might be able to "fix" this? Thanks!

--
 _
°v°   Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From mailscanner at ecs.soton.ac.uk Fri Sep 8 19:50:42 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 8 19:50:59 2006
Subject: MailScanner 4.56
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580F3743E6@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580F3743E6@isabella.herefordshire.gov.uk>
Message-ID: <4501BB82.6070109@ecs.soton.ac.uk>

Done.

Randal, Phil wrote:
> Julian,
>
> Any chance of an updated install-Clam-SA.gz with spamassassin 3.1.5 in
> it?
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Julian Field
>> Sent: 08 September 2006 18:16
>> To: MailScanner discussion
>> Subject: Re: MailScanner 4.56
>>
>> I am about to release a new beta for you folks to test for me.
>> The next stable release probably won't be until the beginning of
>> October, if I have time. My day job is really busy at the
>> moment, I am
>> doing huge rounds of server upgrades this summer.
>> New filestore, new
>> file server, new mail system, new virtualisation servers, all
>> sorts of
>> stuff. That has to come first.
>>
>>
>> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
>> Problem wrote:
>>> Julian when is 4.56 due out? Does it need further Beta Testing?
>>>
>>> Also a general question to all, how does one
>>> redirect spam to a specific spamlist , say spamtrap@domain.tld?
>>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules@MailScanner.biz
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> For all your IT requirements visit www.transtec.co.uk
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From Denis.Beauchemin at USherbrooke.ca Fri Sep 8 19:55:50 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Sep 8 19:56:07 2006
Subject: How to tell wich url that triggered in SURBL?
In-Reply-To:
References:
Message-ID: <4501BCB6.1050207@USherbrooke.ca>

Martin wrote:
> Raymond Dijkxhoorn wrote:
>
>> You cant. Unless you modify code yourself. SA reports back the domain
>> only as far as i know.
>>
>> Bye,
>> Raymond.
>
> Raymond,
>
> Maybe i was a little unclear what i meant. I've seen some posts on the
> SA-mailinglist where headers are showing the domain like this:
>
> URIBL_JP_SURBL Contains an URL listed in the JP blocklist
> * [URIs: site.com]
>
> When I get a mail with an domain listed on SURBL, i only get this
> information and not the URI:
>
> URIBL_JP_SURBL 3.36
>
> So my question is, is this configurable? If not, why does it show up
> for some people, but not for me?
>
> Thank you
>

Martin,

This is what I get in my SA report:

 4.0 URIBL_JP_SURBL         Has URI in JP at http://www.surbl.org/lists.html
                            [URIs: asreco.com]

I'm using the following in spam.assassin.prefs.conf:

lang fr clear-report-template
lang fr report ------------------ Début de Rapport SpamAssassin ---------------------
lang fr report Cette notice a été ajoutée par le système d'analyse "SpamAssassin" sur
lang fr report votre serveur de courrier "_HOSTNAME_", pour vous
lang fr report aider à identifier ce type de messages.
lang fr report
lang fr report Détails de l'analyse du message: (_HITS_ points, _REQD_ requis)
lang fr report _SUMMARY_

You could do the same with your own language.
The previous text is not complete but it shows all the variables I use
there.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From Denis.Beauchemin at USherbrooke.ca Fri Sep 8 20:01:20 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Sep 8 20:01:42 2006
Subject: Marking list as 'all read'
In-Reply-To: <4501A6A6.7090209@ecs.soton.ac.uk>
References: <4501A6A6.7090209@ecs.soton.ac.uk>
Message-ID: <4501BE00.2010900@USherbrooke.ca>

Julian Field wrote:
> I am marking the whole mailing list content for the past week as "read"
> as I don't have time to go through all of the messages that have been
> posted while I've been away at the "Spies, Lies and Intelligence"
> conference in Oxford for the past week.
>
> If you have a really serious problem, and not just a "how do I"
> question, then mail me off-list and I will try to get around to you.
> Otherwise I am assuming that you folks have all dealt with everything
> important between you. I will endeavour to respond to all the off-list
> mail you send me, but I don't guarantee it. As usual, I try very hard to
> respond personally to every mail sent to me.
>
> Thanks for your understanding,
> Jules.
>
>

You were away? Didn't notice! ;-)

This list is attended by qualified people that like to help others out.
This is really important whenever you have to go away for a couple of
days.

Thanks to everyone for making this list an example to follow.

Now, can someone explain to me why MailScanner makes my system swap? :-P

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From taz at taz-mania.com Fri Sep 8 20:05:10 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Fri Sep 8 20:05:13 2006
Subject: Question about upgrading (possible enhancement)
Message-ID:

I have avoided doing an upgrade on top of an old version of MailScanner.
I usually build an entirely new server with the new version and then
swap the servers.

I have a question about doing upgrades... Are the old configuration file
values "imported" into the new MailScanner configuration files? If so is
there a way to run whatever program that does that separately?

Having to go through the old and the new config files by hand and get
all the setting changes I use is a bit of a pain.

If there isn't such a tool, I think it would be a good feature to add in
the future.

--------------------------------------------------
Dennis Willson
taz@taz-mania.com
http://www.taz-mania.com
Ham: ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender
Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of arriving
safely in a nice looking and well preserved body, but rather to skid in
broadside, thoroughly used up, totally worn out, and loudly proclaiming,
"WOW! WHAT A RIDE!"

From mkettler at evi-inc.com Fri Sep 8 20:38:06 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Sep 8 20:38:20 2006
Subject: spamassassin doesn't like Norwegian email, apparently..
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D1BB@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D1BB@UBIMAIL1.ubisoft.org>
Message-ID: <4501C69E.9070103@evi-inc.com>

Daniel Maher wrote:
> Hi all,
>
>
>
> One of my users has been complaining that his Norwegian-language email
> has been getting tagged as Spam. I checked the headers, and it doesn't
> appear to be a locale issue. In fact, it's /all Bayes/:

> 6.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>
> [score: 0.9956]

Erm, why is your bayes_99 score so absurdly high?

Theoretically, 1% of the emails matching this rule should be nonspam.
Admittedly, in practice chi-squared combining makes this much less, and
more like 0.1%, but still, this rule is NOT 100% accurate. Don't treat it
like it is.

>
>
> Does anybody have any ideas on how I might be able to "fix" this? Thanks!

Well, bayes is based on YOUR training. Apparently, the only email, or at
least most of the email, that's been learned by SA so far that was in
Norwegian was spam mail.

The fix is to train some Norwegian nonspam mail using sa-learn --ham.

See, bayes by default doesn't really know the difference between spam or
ham, it just knows what it's been trained on.

You can also see which words in the message have been heavily hit as spam
by redirecting one of the messages into SA with debug enabled.. assuming
SA 3.1.x or higher:

spamassassin -D bayes 0.998818414322251
[11988] dbg: bayes: token 'H*F:D*hu' => 0.996473282442748
[11988] dbg: bayes: token 'happy!' => 0.996181818181818
[11988] dbg: bayes: token 'swamp' => 0.990941176470588
[11988] dbg: bayes: token 'Nigeria' => 0.978
[11988] dbg: bayes: token 'Commissioner' => 0.978
[11988] dbg: bayes: token 'nigeria' => 0.978
[11988] dbg: bayes: token 'twisted' => 0.978

Note: the ones that start off with H* are tokens representing headers,
I'd start off ignoring those for now.

Look for tokens with scores near 1.0, those will be the ones pushing up
the bayes score.
See if it's Norwegian words, or something else.

From Denis.Beauchemin at USherbrooke.ca Fri Sep 8 20:38:34 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Sep 8 20:38:48 2006
Subject: Question about upgrading (possible enhancement)
In-Reply-To:
References:
Message-ID: <4501C6BA.3030608@USherbrooke.ca>

Dennis Willson wrote:
> I have avoided doing an upgrade on top of an old version of
> MailScanner. I usually build an entirely new server with the new
> version and then swap the servers.
> I have a question about doing upgrades... Are the old configuration
> file values "imported" into the new MailScanner configuration files?
> If so is there a way to run what ever program that does that seperately?
>
> Having to go through the old and the new config files by hand and get
> all the setting changes I use is a bit of a pain.
>
> If there is isn't such a tool, I think it would be a good feature to
> add in the future.

Dennis,

The following 2 scripts are there to help you upgrade:

upgrade_languages_conf
upgrade_MailScanner_conf

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
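Matt Kettler's triage advice above (set the H* header tokens aside, look at tokens near 1.0, then train ham) can be scripted. The following is an added example, not part of any post in this thread and not SpamAssassin's code: the debug lines are constructed, the Norwegian token names and the 0.05 post-training probability are assumptions, and the combining step is the textbook Fisher-Robinson chi-squared formula standing in for SpamAssassin's own combiner.

```python
import math
import re

# Constructed sample of `spamassassin -D bayes` output. The probabilities are
# the ones quoted in the message; the body token names are invented here.
SAMPLE_DEBUG = """\
[11988] dbg: bayes: token 'H*F:D*hu' => 0.996473282442748
[11988] dbg: bayes: token 'hilsen' => 0.998818414322251
[11988] dbg: bayes: token 'vennlig' => 0.996181818181818
[11988] dbg: bayes: token 'ikke' => 0.990941176470588
[11988] dbg: bayes: token 'faktura' => 0.978
[11988] dbg: bayes: token 'kunde' => 0.978
[11988] dbg: bayes: token 'takk' => 0.978
[11988] dbg: bayes: token 'avtale' => 0.978
"""

TOKEN_RE = re.compile(r"dbg: bayes: token '(.*)' => ([0-9]*\.?[0-9]+)\s*$")


def parse_tokens(debug_text):
    """Return [(token, spam_probability)] for each bayes token debug line."""
    tokens = []
    for line in debug_text.splitlines():
        match = TOKEN_RE.search(line)
        if match:
            tokens.append((match.group(1), float(match.group(2))))
    return tokens


def is_header_token(token):
    """Header-derived tokens carry an 'H*' prefix, as the message notes."""
    return token.startswith("H*")


def suspicious_body_tokens(tokens, threshold=0.95):
    """Body tokens at or above the threshold, most spam-like first."""
    hits = [(t, p) for t, p in tokens
            if not is_header_token(t) and p >= threshold]
    return sorted(hits, key=lambda tp: tp[1], reverse=True)


def chi2q(x2, dof):
    """Upper tail of the chi-squared distribution for an even dof."""
    if dof <= 0 or dof % 2:
        raise ValueError("dof must be a positive even number")
    m = x2 / 2.0
    term = total = math.exp(-m)
    for i in range(1, dof // 2):
        term *= m / i
        total += term
    return min(total, 1.0)


def combine(probs):
    """Fisher-Robinson combining: 0.5 is neutral, near 1.0 is spam."""
    if not probs:
        return 0.5
    # Clip so that log() never sees 0 for tokens reported as exactly 0 or 1.
    clipped = [min(max(p, 1e-9), 1.0 - 1e-9) for p in probs]
    dof = 2 * len(clipped)
    spam_ev = 1.0 - chi2q(-2.0 * sum(math.log(1.0 - p) for p in clipped), dof)
    ham_ev = 1.0 - chi2q(-2.0 * sum(math.log(p) for p in clipped), dof)
    return (spam_ev - ham_ev + 1.0) / 2.0


def what_if_retrained(tokens, retrained, new_prob=0.05):
    """Combined score if the named tokens fell to new_prob after ham training."""
    return combine([new_prob if t in retrained else p for t, p in tokens])


if __name__ == "__main__":
    toks = parse_tokens(SAMPLE_DEBUG)
    hits = suspicious_body_tokens(toks)
    print("body tokens pushing the score up:")
    for token, prob in hits:
        print(f"  {prob:.4f}  {token}")
    before = combine([p for _, p in toks])
    after = what_if_retrained(toks, {t for t, _ in hits})
    print(f"combined now: {before:.6f} (BAYES_99 range: {before >= 0.99})")
    print(f"combined if those tokens were learned as ham: {after:.3f}")
```

If the listed body tokens are ordinary words of the user's language rather than spam vocabulary, that points at one-sided training rather than at the rule itself.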
From steve.swaney at fsl.com Fri Sep 8 20:41:27 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Sep 8 20:41:32 2006
Subject: Question about upgrading (possible enhancement)
In-Reply-To:
Message-ID: <204d301c6d37e$c67a6d50$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Dennis Willson
> Sent: Friday, September 08, 2006 3:05 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Question about upgrading (possible enhancement)
>
> I have avoided doing an upgrade on top of an old version of
> MailScanner. I usually build an entirely new server with the new
> version and then swap the servers.
>
> I have a question about doing upgrades... Are the old configuration
> file values "imported" into the new MailScanner configuration files?
> If so is there a way to run what ever program that does that
> seperately?
>
> Having to go through the old and the new config files by hand and get
> all the setting changes I use is a bit of a pain.
>
> If there is isn't such a tool, I think it would be a good feature to
> add in the future.
>
>
> --------------------------------------------------
> Dennis Willson
>

It's already there. Just run:

    /usr/sbin/upgrade_MailScanner_conf

To see the usage. With this tool upgrading MailScanner in place is dead
easy!

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From mailscanner at mango.zw Fri Sep 8 20:42:41 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Fri Sep 8 20:42:31 2006
Subject: Using SaneSecurity's special signatures for ClamAV
Message-ID:

Is anyone using SaneSecurity's special signatures for ClamAV?
http://www.sanesecurity.com/clamav/

These are intended to be used to block image spam as well as lottery and 419 scams.

There is some discussion about this at:

http://www.mail-archive.com/declude.junkmail@declude.com/msg29858.html

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From campbell at cnpapers.com Fri Sep 8 20:44:53 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 8 20:45:06 2006
Subject: Marking list as 'all read'
References: <4501A6A6.7090209@ecs.soton.ac.uk> <4501BE00.2010900@USherbrooke.ca>
Message-ID: <004a01c6d37f$41763110$0705000a@DDF5DW71>

Denis,

The question about swapping was on the list months ago, and I'm not sure it was ever answered. I have spent the last few months researching this, sometimes googling for 5-10 hours a day, and no less than 4 hours a day. I think I finally came up with a solution:

I upgraded the server (an IBM AT) with lots more RAM. It now has 64K and it just flies now. I haven't seen any swapping since. The specs are as follows

IBM AT running 3.77 MHz clock. This is just the front side bus, I don't think it has a back side bus. It may not have a front side bus, either. I lost the manual.
64K memory.
Advanced SVGA video card, although we run it on a monochrome monitor.
No mouse - I couldn't find where to plug it in.
5 MB Winchester hard drive. It thrashes a lot, but I feel comfortable with it. I knocked the whole CPU off of the rack (well, really I forgot to screw in the rails for the rack - I made them myself and it's now a 3U rack-mounted AT) and it performed great after I shook it up a little bit before putting it back in the rack. Boy, I won't do that again! Scary stuff.

I had to build the kernel for our system, for some reason, and had to leave out a whole lot of stuff, but we are running a non-standard CentOS 4.4 system.

Mail flow averages about 1 per month.

Hope this helps.

Steve

----- Original Message -----
From: "Denis Beauchemin"
To: "MailScanner discussion"
Sent: Friday, September 08, 2006 3:01 PM
Subject: Re: Marking list as 'all read'

> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From dave.list at pixelhammer.com Fri Sep 8 20:48:06 2006
From: dave.list at pixelhammer.com (DAve)
Date: Fri Sep 8 20:48:24 2006
Subject: Question about upgrading (possible enhancement)
In-Reply-To:
References:
Message-ID: <4501C8F6.5080806@pixelhammer.com>

Dennis Willson wrote:
> I have avoided doing an upgrade on top of an old version of MailScanner.
> I usually build an entirely new server with the new version and then
> swap the servers.
> I have a question about doing upgrades... Are the old configuration file
> values "imported" into the new MailScanner configuration files? If so is
> there a way to run whatever program that does that separately?
>
> Having to go through the old and the new config files by hand and get
> all the setting changes I use is a bit of a pain.
>
> If there isn't such a tool, I think it would be a good feature to add
> in the future.
>
>

There is a script to upgrade the conf file, not certain its name as I use the FreeBSD port and it may be renamed. It is called "upgrade_MailScanner_conf" on my system. Does a fine job.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
From alex at nkpanama.com Fri Sep 8 20:17:39 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Fri Sep 8 21:05:52 2006
Subject: MailScanner beta 4.56.3 released
In-Reply-To: <4501B45A.8010306@ecs.soton.ac.uk>
References: <4501B45A.8010306@ecs.soton.ac.uk>
Message-ID: <4501C1D3.8020606@nkpanama.com>

Is there a way for one to install everything without a bunch of rpmnew files showing up? I'd rather back up /etc/MailScanner, install everything, then redo the config from scratch and import site-specific settings, at least on my testbed servers...

Would it work if I simply renamed /etc/MailScanner to something else after I back it up?

Julian Field wrote:
> Please can you give this a try and let me know how you get on.
>
> The Change Log for this version is this:
>
> * New Features and Improvements *
> 1 Added a complete new set of configuration settings to report on
>   messages and attachments that are outside the size limits set in
>   MailScanner.conf. These are:
>     Sender Size Report
>     Stored Size Message Report
>     Deleted Size Message Report
>     Size Modify Subject
>     Size Subject Text
>   These are used in exactly the same way as the other sets of options
>   that tag and modify the message for other reasons.
> 3 Improved report of "message too large" case.
> 3 Updated Catalan language files courtesy of Jordi Sanfeliu.
> 3 Increased default max SpamAssassin message size to catch more single-image
>   spam messages.
> 3 Solved compatibility with Postfix 2.3.
> 3 Upgraded Sys::Syslog to 0.18 which fixes all the compatibility problems of
>   0.17 and 0.16.
> 3 Upgraded Kaspersky support to 5.5.
>
> * Fixes *
> 1 When 'Outgoing Queue Dir' was changed from the default, kicking sendmail
>   into attempting delivery of a new processed message in the outgoing queue
>   would just wait for the next regular run of the queue. Now fixed so that
>   a delivery attempt is made immediately. This fix only affects users who
>   have changed the "Outgoing Queue Dir" setting and who are also using
>   sendmail as their MTA.
> 2 Missed 2 "defined" checks on variables before using them.
>   Thanks to Andy Kirkpatrick for spotting that one.
> 2 Fixed version number check.
> 3 Fixed output bug in less strict phishing net. Does anyone use this?
> 3 Fixed bug in Sendmail KickMessage() function. Thanks to Martin Billy.
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@MailScanner.biz
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk

From r.berber at computer.org Fri Sep 8 21:06:41 2006
From: r.berber at computer.org (René Berber)
Date: Fri Sep 8 21:07:07 2006
Subject: Using SaneSecurity's special signatures for ClamAV
In-Reply-To:
References:
Message-ID:

Jim Holland wrote:
> Is anyone using SaneSecurity's special signatures for ClamAV?

Yes.

> http://www.sanesecurity.com/clamav/
>
> These are intended to be used to block image spam as well as lottery and
> 419 scams.

They are signatures built from phishing messages, not caught by clamav (the author tries to keep current and eliminates the ones that clamav adds). Work very well.

> There is some discussion about this at:
>
> http://www.mail-archive.com/declude.junkmail@declude.com/msg29858.html

--
René Berber

From Kevin_Miller at ci.juneau.ak.us Fri Sep 8 21:07:24 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 8 21:07:29 2006
Subject: Marking list as 'all read'
In-Reply-To: <004a01c6d37f$41763110$0705000a@DDF5DW71>
Message-ID:

> The question about swapping was on the list months ago, and I'm not
> sure it was ever answered. I have spent the last few months
> researching this, sometimes googling for 5-10 hours a day, and no
> less than 4 hours a day. I think I finally came up with a solution:

The line about swapping is a standing joke - I don't think Denis was serious...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From root at doctor.nl2k.ab.ca Fri Sep 8 21:11:57 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Fri Sep 8 21:12:33 2006
Subject: MailScanner 4.56
In-Reply-To: <4501A548.5040605@ecs.soton.ac.uk>
References: <20060905120117.GH25367@doctor.nl2k.ab.ca> <4501A548.5040605@ecs.soton.ac.uk>
Message-ID: <20060908201156.GM20257@doctor.nl2k.ab.ca>

On Fri, Sep 08, 2006 at 06:15:52PM +0100, Julian Field wrote:
> I am about to release a new beta for you folks to test for me.
> The next stable release probably won't be until the beginning of
> October, if I have time. My day job is really busy at the moment, I am
> doing huge rounds of server upgrades this summer. New filestore, new
> file server, new mail system, new virtualisation servers, all sorts of
> stuff. That has to come first.
>

What OS are these new machines getting?

>
> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
> Problem wrote:
> > Julian when is 4.56 due out? Does it need further Beta Testing?
> >
> > Also a general question to all, how does one
> > redirect spam to a specific spamlist , say spamtrap@domain.tld?
> >
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@MailScanner.biz
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From lday at txk.k12.ar.us Fri Sep 8 21:14:06 2006
From: lday at txk.k12.ar.us (James L. Day)
Date: Fri Sep 8 21:14:14 2006
Subject: Using SaneSecurity's special signatures for ClamAV
In-Reply-To:
References:
Message-ID: <4501CF0E.20906@txk.k12.ar.us>

How do you get ClamAV to use them?

Thanks,
Lynn

René Berber wrote:
> Jim Holland wrote:
>
>> Is anyone using SaneSecurity's special signatures for ClamAV?
>>
>
> Yes.
>
>> http://www.sanesecurity.com/clamav/
>>
>> These are intended to be used to block image spam as well as lottery and
>> 419 scams.
>>
>
> They are signatures built from phishing messages, not caught by clamav (the
> author tries to keep current and eliminates the ones that clamav adds). Work
> very well.
>
>> There is some discussion about this at:
>>
>> http://www.mail-archive.com/declude.junkmail@declude.com/msg29858.html
>>

From campbell at cnpapers.com Fri Sep 8 21:15:01 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 8 21:15:17 2006
Subject: Marking list as 'all read'
References:
Message-ID: <000401c6d383$772de1f0$0705000a@DDF5DW71>

----- Original Message -----
From: "Kevin Miller"
To: "MailScanner discussion"
Sent: Friday, September 08, 2006 4:07 PM
Subject: RE: Marking list as 'all read'

>> The question about swapping was on the list months ago, and I'm not
>> sure it was ever answered. I have spent the last few months
>> researching this, sometimes googling for 5-10 hours a day, and no
>> less than 4 hours a day. I think I finally came up with a solution:
>
> The line about swapping is a standing joke - I don't think Denis was
> serious...

Neither was I.

Steve

>
> ...Kevin
> --
> Kevin Miller                Registered Linux User No: 307357
> CBJ MIS Dept.               Network Systems Admin., Mail Admin.
> 155 South Seward Street     ph: (907) 586-0242
> Juneau, Alaska 99801        fax: (907 586-4500
>

From alex at nkpanama.com Fri Sep 8 21:22:30 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Fri Sep 8 21:22:41 2006
Subject: Marking list as 'all read'
In-Reply-To: <004a01c6d37f$41763110$0705000a@DDF5DW71>
References: <4501A6A6.7090209@ecs.soton.ac.uk> <4501BE00.2010900@USherbrooke.ca> <004a01c6d37f$41763110$0705000a@DDF5DW71>
Message-ID: <4501D106.6080304@nkpanama.com>

There's probably something wrong with your system, since my stock IBM AT runs at 6Mhz.
The frontside bus and backside are locked to that speed, but I've heard there's a newer one (don't know if it's come out yet) that fully utilizes the AT bus's 8Mhz (theoretical) limit. The one without a backside bus (ISA hooked up directly to the CPU) is the somewhat slower XT model, which did run at 4.77Mhz.

You could have the "turbo" button turned off, which might make programs report "3.77Mhz" in the speed department, but everybody knows that it's just the regular 6 (or 8)Mhz clock being slowed artificially by inserting wait states between ticks on the 81555 (IIRC) responsible for timing in the system.

Getting good NE-2000 network cards might help in order to raise your message throughput level to maybe 2 or 3 a month - just watch out for those pesky IRQ conflicts, especially if you ever get a hold of a serial card to hook up that mouse (since the serial card, if it uses COM2, will use IRQ3, which is the default). If you *do* get the mouse working, let me know where to find the drivers for CentOS 4.4 to fully utilize the amazing graphics capabilities of my high-resolution Hercules monochrome monitor. I'm still having problems getting 132-column mode to work.

Are you doing anything regarding the Y2k problem? I think these machines might have an issue with that, but I don't really remember; probably a BIOS upgrade (which requires a special tool and a PROM burner) might do the trick.

The 800 number I have stuck on a yellow post it next to the amber monitor (It's a lot easier on the eyes than the green one I used to have) is being answered by a magazine subscription service; maybe you've got the new number?

Steve Campbell wrote:
> Denis,
>
> The question about swapping was on the list months ago, and I'm not sure
> it was ever answered. I have spent the last few months researching this,
> sometimes googling for 5-10 hours a day, and no less than 4 hours a day.
> I think I finally came up with a solution:
>
> I upgraded the server (an IBM AT) with lots more RAM. It now has 64K and
> it just flies now. I haven't seen any swapping since. The specs are as
> follows
>
> IBM AT running 3.77 MHz clock. This is just the front side bus, I don't
> think it has a back side bus. It may not have a front side bus, either.
> I lost the manual.
> 64K memory.
> Advanced SVGA video card, although we run it on a monochrome monitor.
> No mouse - I couldn't find where to plug it in.
> 5 MB Winchester hard drive. It thrashes a lot, but I feel comfortable
> with it. I knocked the whole CPU off of the rack (well, really I forgot
> to screw in the rails for the rack - I made them myself and it's now a
> 3U rack-mounted AT) and it performed great after I shook it up a little
> bit before putting it back in the rack. Boy, I won't do that again!
> Scary stuff.
>
> I had to build the kernel for our system, for some reason, and had to
> leave out a whole lot of stuff, but we are running a non-standard CentOS
> 4.4 system.
>
> Mail flow averages about 1 per month.
>
> Hope this helps.
>
> Steve
>
> ----- Original Message -----
> From: "Denis Beauchemin"
> To: "MailScanner discussion"
> Sent: Friday, September 08, 2006 3:01 PM
> Subject: Re: Marking list as 'all read'
>

From r.berber at computer.org Fri Sep 8 21:32:18 2006
From: r.berber at computer.org (René Berber)
Date: Fri Sep 8 21:32:43 2006
Subject: Using SaneSecurity's special signatures for ClamAV
In-Reply-To: <4501CF0E.20906@txk.k12.ar.us>
References: <4501CF0E.20906@txk.k12.ar.us>
Message-ID:

James L. Day wrote:
> How do you get ClamAV to use them?

Just download the .ndb files to the same directory where clamav keeps its databases. Clamav programs will use them with no change required.
I use the script from the same place, http://www.sanesecurity.com/clamav/usage.htm once a day in a cron job.

--
René Berber

From Kevin_Miller at ci.juneau.ak.us Fri Sep 8 21:43:05 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 8 21:43:08 2006
Subject: Marking list as 'all read'
In-Reply-To:
Message-ID:

Kevin Miller wrote:
>> The question about swapping was on the list months ago, and I'm not
>> sure it was ever answered. I have spent the last few months
>> researching this, sometimes googling for 5-10 hours a day, and no
>> less than 4 hours a day. I think I finally came up with a solution:
>
> The line about swapping is a standing joke - I don't think Denis was
> serious...

Sigh. Nevermind. Just went back and read the rest of your post. Sheesh, talk about being asleep at the wheel (me, not you)...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From FStein at thehill.org Fri Sep 8 21:45:29 2006
From: FStein at thehill.org (Stein, Mr. Fred)
Date: Fri Sep 8 21:45:45 2006
Subject: MailScanner beta 4.56.3 released
In-Reply-To: <4501C1D3.8020606@nkpanama.com>
Message-ID:

I just upgraded to Mailscanner 4.56.3, I am running postfix 2.33 on a Centos 4.3 server and this is the error I get when I try to restart MailScanner. Any ideas?

Starting MailScanner daemons:
         incoming postfix: [ OK ]
         outgoing postfix: [ OK ]
         MailScanner: Unmatched ) in regex; marked by <-- HERE in m/^[ARO].+@(?:\w|-|\.)+\.\w{2,}) <-- HERE / at /usr/lib/MailScanner/MailScanner/Postfix.pm line 911.
Compilation failed in require at /usr/sbin/MailScanner line 315.
[ OK ]

Fred Stein
Network Administrator
The Hill School
717 E. High Street
Pottstown, PA 19464
fstein@thehill.org
www.thehill.org

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Friday, September 08, 2006 3:18 PM
To: MailScanner discussion
Subject: Re: MailScanner beta 4.56.3 released

Is there a way for one to install everything without a bunch of rpmnew files showing up? I'd rather back up /etc/MailScanner, install everything, then redo the config from scratch and import site-specific settings, at least on my testbed servers...

Would it work if I simply renamed /etc/MailScanner to something else after I back it up?

Julian Field wrote:
> Please can you give this a try and let me know how you get on.
>
> The Change Log for this version is this:
>
> * New Features and Improvements *
> 1 Added a complete new set of configuration settings to report on
>   messages and attachments that are outside the size limits set in
>   MailScanner.conf. These are:
>     Sender Size Report
>     Stored Size Message Report
>     Deleted Size Message Report
>     Size Modify Subject
>     Size Subject Text
>   These are used in exactly the same way as the other sets of options
>   that tag and modify the message for other reasons.
> 3 Improved report of "message too large" case.
> 3 Updated Catalan language files courtesy of Jordi Sanfeliu.
> 3 Increased default max SpamAssassin message size to catch more single-image
>   spam messages.
> 3 Solved compatibility with Postfix 2.3.
> 3 Upgraded Sys::Syslog to 0.18 which fixes all the compatibility problems of
>   0.17 and 0.16.
> 3 Upgraded Kaspersky support to 5.5.
>
> * Fixes *
> 1 When 'Outgoing Queue Dir' was changed from the default, kicking sendmail
>   into attempting delivery of a new processed message in the outgoing queue
>   would just wait for the next regular run of the queue. Now fixed so that
>   a delivery attempt is made immediately. This fix only affects users who
>   have changed the "Outgoing Queue Dir" setting and who are also using
>   sendmail as their MTA.
> 2 Missed 2 "defined" checks on variables before using them.
>   Thanks to Andy Kirkpatrick for spotting that one.
> 2 Fixed version number check.
> 3 Fixed output bug in less strict phishing net. Does anyone use this?
> 3 Fixed bug in Sendmail KickMessage() function. Thanks to Martin Billy.
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@MailScanner.biz
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk

From dave.list at pixelhammer.com Fri Sep 8 21:57:47 2006
From: dave.list at pixelhammer.com (DAve)
Date: Fri Sep 8 21:58:07 2006
Subject: Marking list as 'all read'
In-Reply-To: <4501D106.6080304@nkpanama.com>
References: <4501A6A6.7090209@ecs.soton.ac.uk> <4501BE00.2010900@USherbrooke.ca> <004a01c6d37f$41763110$0705000a@DDF5DW71> <4501D106.6080304@nkpanama.com>
Message-ID: <4501D94B.7070809@pixelhammer.com>

Alex Neuman van der Hans wrote:
> There's probably something wrong with your system, since my stock IBM AT
> runs at 6Mhz. The frontside bus and backside are locked to that speed,
> but I've heard there's a newer one (don't know if it's come out yet)
> that fully utilizes the AT bus's 8Mhz (theoretical) limit.
> The one without a backside bus (ISA hooked up directly to the CPU) is the
> somewhat slower XT model, which did run at 4.77Mhz.
>
> You could have the "turbo" button turned off, which might make programs
> report "3.77Mhz" in the speed department, but everybody knows that it's
> just the regular 6 (or 8)Mhz clock being slowed artificially by
> inserting wait states between ticks on the 81555 (IIRC) responsible for
> timing in the system.
>
> Getting good NE-2000 network cards might help in order to raise your
> message throughput level to maybe 2 or 3 a month - just watch out for
> those pesky IRQ conflicts, especially if you ever get a hold of a serial
> card to hook up that mouse (since the serial card, if it uses COM2, will
> use IRQ3, which is the default). If you *do* get the mouse working, let
> me know where to find the drivers for CentOS 4.4 to fully utilize the
> amazing graphics capabilities of my high-resolution Hercules monochrome
> monitor. I'm still having problems getting 132-column mode to work.
>
> Are you doing anything regarding the Y2k problem? I think these machines
> might have an issue with that, but I don't really remember; probably a
> BIOS upgrade (which requires a special tool and a PROM burner) might do
> the trick.
>
> The 800 number I have stuck on a yellow post it next to the amber
> monitor (It's a lot easier on the eyes than the green one I used to
> have) is being answered by a magazine subscription service; maybe you've
> got the new number?
>
> Steve Campbell wrote:
>> Denis,
>>
>> The question about swapping was on the list months ago, and I'm not
>> sure it was ever answered. I have spent the last few months
>> researching this, sometimes googling for 5-10 hours a day, and no less
>> than 4 hours a day. I think I finally came up with a solution:
>>
>> I upgraded the server (an IBM AT) with lots more RAM. It now has 64K
>> and it just flies now. I haven't seen any swapping since.
>> The specs are as follows
>>
>> IBM AT running 3.77 MHz clock. This is just the front side bus, I
>> don't think it has a back side bus. It may not have a front side bus,
>> either. I lost the manual.
>> 64K memory.
>> Advanced SVGA video card, although we run it on a monochrome monitor.
>> No mouse - I couldn't find where to plug it in.
>> 5 MB Winchester hard drive. It thrashes a lot, but I feel comfortable
>> with it. I knocked the whole CPU off of the rack (well, really I
>> forgot to screw in the rails for the rack - I made them myself and
>> it's now a 3U rack-mounted AT) and it performed great after I shook it
>> up a little bit before putting it back in the rack. Boy, I won't do
>> that again! Scary stuff.
>>
>> I had to build the kernel for our system, for some reason, and had to
>> leave out a whole lot of stuff, but we are running a non-standard
>> CentOS 4.4 system.
>>
>> Mail flow averages about 1 per month.
>>
>> Hope this helps.

I H0pe MY k3yB0ard stARts WoRK1ng agAIN AFter TH3 C0ffee dRIes ;^)

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From ssilva at sgvwater.com Fri Sep 8 23:30:46 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 8 23:31:00 2006
Subject: MailScanner 4.56
In-Reply-To: <4501A548.5040605@ecs.soton.ac.uk>
References: <20060905120117.GH25367@doctor.nl2k.ab.ca> <4501A548.5040605@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 9/8/2006 10:15 AM:
> I am about to release a new beta for you folks to test for me.
> The next stable release probably won't be until the beginning of
> October, if I have time. My day job is really busy at the moment, I am
> doing huge rounds of server upgrades this summer. New filestore, new
> file server, new mail system, new virtualisation servers, all sorts of
> stuff. That has to come first.
>
>
> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
> Problem wrote:
>>> Julian when is 4.56 due out? Does it need further Beta Testing?
>>>
>>> Also a general question to all, how does one
>>> redirect spam to a specific spamlist , say spamtrap@domain.tld?
>>>
>

Food on the table and roof over the head always has to come first! Besides, how much could you do if they turn off the electricity!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From pas at unh.edu Fri Sep 8 23:31:24 2006
From: pas at unh.edu (Paul A Sand)
Date: Fri Sep 8 23:31:36 2006
Subject: Sendmail ignoring MinQueueAge after MailScanner upgrade?
In-Reply-To: <20060908155742.GA30562@cisunix.unh.edu>
References: <20060908155742.GA30562@cisunix.unh.edu>
Message-ID: <20060908223124.GA24698@cisunix.unh.edu>

Hi --

In reference to my previous message:

http://lists.mailscanner.info/pipermail/mailscanner/2006-September/065029.html

...I totally misunderstood what was going on. It looks as if the problem is in the KickMessage subroutine in Sendmail.pm, which contains:

    $idlist = " -OQueueDirectory=$outqdir " if $outqdir;
    $idlist .= join(' -qI', @ids);
    [...]
    system(MailScanner::Config::Value('sendmail2') . ' -qI' . $idlist);

This results in a bad command line here. Example, broken for clarity:

    /usr/sbin/sendmail -qI -OQueueDirectory=/var/spool/mqueue \
        k88HeqOs011468 -qIk88HernJ011479 -qIk88Heq6w011452 -qIk88HetWL011510

I.e., the first '-qI' stranded from its matching ID by the QueueDirectory directive, which causes the entire queue to be processed (and MinQueueAge to be ignored), which (in turn) causes the extraordinary number of sendmail processes I was seeing.

Suggested small patch here:

http://pubpages.unh.edu/~sysman/MailScanner-4.55.patch

Seems also to be fixed in the beta 4.56.

--
-- Paul A. Sand                  | Relying on the government to protect your
-- University of New Hampshire   | privacy is like asking a peeping tom to
-- pas@unh.edu                   | install your window blinds.
-- http://pubpages.unh.edu/~pas  | (John Perry Barlow)

From ssilva at sgvwater.com Fri Sep 8 23:37:27 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 8 23:37:52 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <4501AF66.6040702@dido.ca>
References: <45007753.8040105@dido.ca> <4501AF66.6040702@dido.ca>
Message-ID:

Rob Morin spake the following on 9/8/2006 10:59 AM:
> Well the default in my config was already set at 10 I lowered it to 8...
> I will now lower it to 4...
>
> Thanks for all your replies.... But is there any RBL worth paying for or
> worth using then?
>

It will always depend on your message base. I can use sbl-xbl at the MTA, but many others here cannot. It is very dependent on where your mail that you want to keep comes from. If you don't get mail from dynamic addresses, you can block those. You can usually block from the dial-up lists, but very few spammers are using dial-up. Spamassassin is the best bet, but anything that you "know" you can dump at the MTA is that much less load. And if you use the equivalent of delay_checks in sendmail, you can whitelist any needed servers in the access file.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Sep 8 23:42:58 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 8 23:43:43 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <45019DF7.4060800@pixelhammer.com>
References: <45007753.8040105@dido.ca> <45018E98.30900@pixelhammer.com> <000c01c6d35e$1d1f60a0$0101a8c0@JOHNCLANCY> <45019DF7.4060800@pixelhammer.com>
Message-ID:

DAve spake the following on 9/8/2006 9:44 AM:
> John Clancy wrote:
>>
>>> I still do not believe that a common user's opinion should be the sole
>>> determination of what is SPAM and what is not. I get several hundred
>>> AOL SPAM reports I must manually unsubscribe from maillists each
>>> month because they sign up to gain access to a website and then don't
>>> want the mail. SPAM has become "mail I don't want".
>>>
>>> DAve
>>
>> SPAM has always been "mail I don't want" it's just that not all "mail I
>> don't want" happens to be SPAM :-)
>>
>> JC
>
> True, it depends on your perspective. What I call SPAM as a sysadmin is
> different than what my paying clients call SPAM. Stopping SPAM is
> becoming a vicious juggling act for ISPs like us with mixed clients.
>
> When I am told "You need to work on the SPAM filtering, client
> complaints are increasing", I hear "Descend into the depths of hell and
> bring me Satan's head".

But your boss will supply the silver platter, won't he?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Sep 8 23:41:20 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 8 23:45:07 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <45018E98.30900@pixelhammer.com>
References: <45007753.8040105@dido.ca> <45018E98.30900@pixelhammer.com>
Message-ID:

DAve spake the following on 9/8/2006 8:39 AM:
> John Rudd wrote:
>>
>> On Sep 8, 2006, at 4:58 AM, Res wrote:
>>
>>> On Thu, 7 Sep 2006, Rob Morin wrote:
>>>
>>>> I checked the IP and it was not listed. Is it possible to be listed
>>>> at 7AM and then removed at 10AM? Plus it's a gmail.com account/IP
>>>
>>> Yes, spamcop have a time based entry system
>>>
>>> if it's that IP's first entry it's delisted after 2 hours, then if you're
>>> in it again it's longer, and so on, each time gets longer, it's a very
>>> fair process.
>>
>> It would be a fair process if their criteria were reasonable and
>> accurate.
>>
>> Since their criteria are neither, the process is anything but fair.
>>
>
> I don't know if their criteria is fair or not, they never tell me their
> criteria. I know that if a spamcop subscriber turns in a message as spam
> from my server, and they list me, and the message body looks something
> like,
>
> "Hi grandson,
>
> I hope I got your email address right, your handwriting is hard to read
> with my cataracts. Grandpa passed this morning, your Mom will call you
> when you get out of class. I hate to make you miss finals so please
> don't come to the funeral. Grandpa would understand.
>
> Love Grandma"
>
> Then there is a problem with their criteria for certain.
>
> I still do not believe that a common user's opinion should be the sole
> determination of what is SPAM and what is not. I get several hundred AOL
> SPAM reports I must manually unsubscribe from maillists each month
> because they sign up to gain access to a website and then don't want the
> mail. SPAM has become "mail I don't want".
>
> DAve
>
>
>

Anybody that would report that message is using some sort of automated system, and I don't think any automation should be used, with the exception of spamtraps. Spamtraps are different because they aren't a legitimate address, so anything they get should be spam.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
From ssilva at sgvwater.com Fri Sep 8 23:49:25 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Sep 8 23:50:08 2006 Subject: Marking list as 'all read' In-Reply-To: <004a01c6d37f$41763110$0705000a@DDF5DW71> References: <4501A6A6.7090209@ecs.soton.ac.uk> <4501BE00.2010900@USherbrooke.ca> <004a01c6d37f$41763110$0705000a@DDF5DW71> Message-ID: Steve Campbell spake the following on 9/8/2006 12:44 PM: > Denis, > > The question about swapping was on the list months ago, and I'm not sure > it was ever answered. I have spent the last few months researching this, > sometimes googling for 5-10 hours a day, and no less than 4 hours a day. > I think I finally came up with a solution: > > I upgraded the server (an IBM AT) with lots more RAM. It now has 64K and > it just flies now. I haven't seen any swapping since. The spec are as > follows > > IBM AT running 3.77 MHz clock. This is just the front side bus, I don't > think it has a back side bus. It may not have a front side bus, either. > I lost the manual. > 64K memory. > Advanced SVGA video card, although we run in on a monochrome monitor. > No mouse - I couldn't find where to plug it in. > 5 MB Winchester hard drive. It thrashes a lot, but I feel comfortable > with it. I knocked the whole CPU off of the rack (well, really I forgot > to screw in the rails for the rack - I made them myself and it's now a > 3U rack-mounted AT) and it performed great after I shook it up a little > bit before putting it back in the rack. Boy, I won't do that again! > Scary stuff. > > I had to build the kernel for our system, for some reason, and had to > leave out a whole lot of stuff, but we are running a non-standard CentOS > 4.4 system. > > Mail flow averages about 1 per month. > > Hope this helps. > > Steve >Hey Steve, I am glad to see you finally got rid of that PCjr with the 2 floppy drives! Isn't progress grand!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Sat Sep 9 00:02:47 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Sep 9 00:03:12 2006 Subject: Question about upgrading (possible enhancement) In-Reply-To: References: Message-ID: Dennis Willson spake the following on 9/8/2006 12:05 PM: > I have avoided doing an upgrade on top of an old version of MailScanner. > I usually build an entirely new server with the new version and then > swap the servers. > I have a question about doing upgrades... Are the old configuration file > values "imported" into the new MailScanner configuration files? If so is > there a way to run what ever program that does that seperately? > > Having to go through the old and the new config files by hand and get > all the setting changes I use is a bit of a pain. > > If there is isn't such a tool, I think it would be a good feature to add > in the future. I think that might be a little extreme. It would be like buying a new car before you change the oil on the old one. There are many ways to copy the old version of mailscanner to a different place and then upgrade to the new one. Then you only have to rename some directories and restart. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jrudd at ucsc.edu Sat Sep 9 00:37:37 2006 From: jrudd at ucsc.edu (John Rudd) Date: Sat Sep 9 00:37:54 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <45018E98.30900@pixelhammer.com> Message-ID: On Sep 8, 2006, at 15:41, Scott Silva wrote: > Any body that would report that message is using some sort of automated > system, and I don't think any automation should be used, with the > exception of > spamtraps. Spamtraps are different because they aren't a legitimate > address, > so anything they get should be spam. Spamtraps can also get replies from autoresponders... which are not automatically spam (contrary to the BS that Spamcop is trying to sell). 
From alex at nkpanama.com Sat Sep 9 00:46:20 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Sat Sep 9 00:46:51 2006 Subject: Marking list as 'all read' In-Reply-To: References: <4501A6A6.7090209@ecs.soton.ac.uk> <4501BE00.2010900@USherbrooke.ca> <004a01c6d37f$41763110$0705000a@DDF5DW71> Message-ID: <450200CC.8020901@nkpanama.com> Scott Silva wrote: >> Hey Steve, > I am glad to see you finally got rid of that PCjr with the 2 floppy drives! > Isn't progress grand!! > > Oh, I *kept* mine around to play King's Quest in glorious 16 color and 4 voice sound! From campbell at cnpapers.com Sat Sep 9 03:21:07 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Sat Sep 9 03:21:22 2006 Subject: Marking list as 'all read' In-Reply-To: References: <4501A6A6.7090209@ecs.soton.ac.uk> <4501BE00.2010900@USherbrooke.ca> <004a01c6d37f$41763110$0705000a@DDF5DW71> Message-ID: <1157768467.45022513486dc@perdition.cnpapers.net> Quoting Scott Silva : > Steve Campbell spake the following on 9/8/2006 12:44 PM: > > Denis, > > > > The question about swapping was on the list months ago, and I'm not sure > > it was ever answered. I have spent the last few months researching this, > > sometimes googling for 5-10 hours a day, and no less than 4 hours a day. > > I think I finally came up with a solution: > > > > I upgraded the server (an IBM AT) with lots more RAM. It now has 64K and > > it just flies now. I haven't seen any swapping since. The spec are as > > follows > > > > IBM AT running 3.77 MHz clock. This is just the front side bus, I don't > > think it has a back side bus. It may not have a front side bus, either. > > I lost the manual. > > 64K memory. > > Advanced SVGA video card, although we run in on a monochrome monitor. > > No mouse - I couldn't find where to plug it in. > > 5 MB Winchester hard drive. It thrashes a lot, but I feel comfortable > > with it. 
I knocked the whole CPU off of the rack (well, really I forgot > > to screw in the rails for the rack - I made them myself and it's now a > > 3U rack-mounted AT) and it performed great after I shook it up a little > > bit before putting it back in the rack. Boy, I won't do that again! > > Scary stuff. > > > > I had to build the kernel for our system, for some reason, and had to > > leave out a whole lot of stuff, but we are running a non-standard CentOS > > 4.4 system. > > > > Mail flow averages about 1 per month. > > > > Hope this helps. > > > > Steve > >Hey Steve, > I am glad to see you finally got rid of that PCjr with the 2 floppy drives! > Isn't progress grand!! I didn't get rid of it yet. It's still being used as my firewall and DNS server. Ain't Linux great! Steve > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From res at ausics.net Sat Sep 9 03:35:05 2006 From: res at ausics.net (Res) Date: Sat Sep 9 03:35:14 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> Message-ID: On Fri, 8 Sep 2006, John Rudd wrote: >> if its that IP's first entry its delisted after 2 hours, then if your in it >> again its longer, and so on, each time gets longer, its a very fair >> process. > > It would be a fair process if their criteria were reasonable and accurate. > > Since their criteria are neither, the process is anything but fair. 
That depends upon why they were listed, of course we all know spammers never see what they do as spamming, spamcop do have an automated listing process if you send to one of their spamtrap addresses, an address thats never real, never read, never given out to anyone, to send to this address means someones up to no good, be it deliberate or virus, either way its a legitimate listing IMHO caused by the sender. And on non spamtrap addresses they do send you notifications, that's of course so long as you have an abuse@ email addy and bother to read it :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Sep 9 03:39:16 2006 From: res at ausics.net (Res) Date: Sat Sep 9 03:39:23 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: On Fri, 8 Sep 2006, Logan Shaw wrote: > On Fri, 8 Sep 2006, Res wrote: >> On Thu, 7 Sep 2006, Logan Shaw wrote: > >>> Yes, he was saying that, before greylisting, 12-15% of the >>> traffic gets marked as clean. Presumably that is because >>> 12-15% of the traffic IS clean, and the rest is not. Then >>> after greylisting, 80% of the traffic got marked as clean. >>> Presumably that means 80% of it IS clean. > >> Then SA cant be that effective for him. > > That doesn't make any sense mathematically. > > If I get 100 messages and 20 of them are spam and 80 of them > are ham, and if SpamAssassin catches all 20 spams and nothing > else, how does that qualify as "not that effective"? depends on how you have your SA setup, mines a 'no mercy' approach his and yours clearly cant be. Like I said try running greylisting on a network that does several million emails per day with several MX's, you might say ok retry in 1 minute, but most daemons wait 10, so by the time one of our guys gets his email its 40-50 minutes later, i would want to hope they werent in a critical ebay auction.
-- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From dave.list at pixelhammer.com Sat Sep 9 04:08:44 2006 From: dave.list at pixelhammer.com (DAve) Date: Sat Sep 9 04:09:06 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <45018E98.30900@pixelhammer.com> Message-ID: <4502303C.3000602@pixelhammer.com> Scott Silva wrote: > DAve spake the following on 9/8/2006 8:39 AM: >> John Rudd wrote: >>> On Sep 8, 2006, at 4:58 AM, Res wrote: >>> >>>> On Thu, 7 Sep 2006, Rob Morin wrote: >>>> >>>>> I checked the IP and it was not listed. Is it possible to be listed >>>>> at 7AM and then removed at 10AM? Plus its a gmail.com account/IP >>>> Yes, spamcop have a time based entry system >>>> >>>> if its that IP's first entry its delisted after 2 hours, then if your >>>> in it again its longer, and so on, each time gets longer, its a very >>>> fair process. >>> It would be a fair process if their criteria were reasonable and >>> accurate. >>> >>> Since their criteria are neither, the process is anything but fair. >>> >> I don't know if their criteria is fair or not, they never tell me their >> criteria. I know that if a spamcop subscriber turns in a message as spam >> from my server, and they list me, and the message body looks something >> like, >> >> "Hi grandson, >> >> I hope I got your email address right, your handwriting is hard to read >> with my cataracts. Grandpa passed this morning, your Mom will call you >> when you get out of class. I hate to make you miss finals so please >> don't come to the funeral. Grandpa would understand. >> >> Love Grandma" >> >> Then there is a problem with their criteria for certain. >> >> I still do not believe that a common users opinion should be the sole >> determination of what is SPAM and what is not. 
I get several hundred AOL >> SPAM reports I must manually unsubscribe from maillists each month >> because they sign up to gain access to a website and then don't want the >> mail. SPAM has become "mail I don't want". >> >> DAve >> >> >> > Any body that would report that message is using some sort of automated > system, and I don't think any automation should be used, with the exception of > spamtraps. Spamtraps are different because they aren't a legitimate address, > so anything they get should be spam. > But they did, that message exactly as typed. Clearly a case of 'I don't recognize the sender address so it must be spam'. I get plenty of those from AOL where the user has to hit the spam button, and does so without regard. I suspect there are Monkeys run amok inside AOL just logging into accounts and clearing the inbox with the spam button. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From jrudd at ucsc.edu Sat Sep 9 04:33:58 2006 From: jrudd at ucsc.edu (John Rudd) Date: Sat Sep 9 04:34:46 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> Message-ID: On Sep 8, 2006, at 7:35 PM, Res wrote: > On Fri, 8 Sep 2006, John Rudd wrote: >>> if its that IP's first entry its delisted after 2 hours, then if >>> your in it again its longer, and so on, each time gets longer, its a >>> very fair process. >> >> It would be a fair process if their criteria were reasonable and >> accurate. >> >> Since their criteria are neither, the process is anything but fair. 
> > That depends upon why they were listed, of course we all know > spammers never see what they do as spamming, spamcop do have an > automated listing process if you send to one of their spamtrap > addresses, an address thats never real, never read, never given out to > anyone, to send to this address means someones up to no good, be it > deliberate or virus, either way its a > legitimate listing IMHO caused by the sender. Except of course that ... you're wrong. Not just a little wrong, flat out wrong. Autoresponders, if they see a message from a spamtrap, will respond to it. That seems to be what has happened to us. Multiple times. Spamcop's position is that autoresponders are evil. Which, of course, means that Spamcop are a bunch of morons. (sorry, not willing to debate either point: autoresponders, such as vacation programs, aren't evil; spamcop are morons: both are absolute truths) From lday at txk.k12.ar.us Sat Sep 9 04:45:01 2006 From: lday at txk.k12.ar.us (James L. Day) Date: Sat Sep 9 04:45:08 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> Message-ID: <450238BD.4010206@txk.k12.ar.us> Excuse me, but why would a secret e-mail address at a spamtrap send a message to an auto-responder? It wouldn't be secret for very long if it were sending out e-mail messages... When you say "That seems to be what has happened to us" are you admitting there's actually something you don't know? Lynn John Rudd wrote: > On Sep 8, 2006, at 7:35 PM, Res wrote: >> On Fri, 8 Sep 2006, John Rudd wrote: >>>> if its that IP's first entry its delisted after 2 hours, then if >>>> your in it again its longer, and so on, each time gets longer, its >>>> a very fair process. >>> >>> It would be a fair process if their criteria were reasonable and >>> accurate. >>> >>> Since their criteria are neither, the process is anything but fair.
>> >> That depends upon why they were listed, of course we all know >> spammers never see what they do as spamming, spamcop do have an >> automated listing process if you send to one of their spamtrap >> addresses, an address thats never real, never read, never given out >> to anyone, to send to this address means someones up to no good, be >> it deliberate or virus, either way its a >> legitimate listing IMHO caused by the sender. > > Except of course that ... you're wrong. Not just a little wrong, flat > out wrong. > > Autoresponders, if they see a message from a spamtrap, will respond to > it. That seems to be what has happened to us. Multiple times. > > Spamcop's position is that autoresponders are evil. Which, of course, > means that Spamcop are a bunch of morons. (sorry, not willing to > debate either point: autoresponders, such as vacation programs, aren't > evil; spamcop are morons: both are absolute truths) > From jon at radel.com Sat Sep 9 05:05:01 2006 From: jon at radel.com (Jon Radel) Date: Sat Sep 9 05:05:19 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <450238BD.4010206@txk.k12.ar.us> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: <45023D6D.2030805@radel.com> James L. Day wrote: > Excuse me, but why would a secret e-mail address at a spamtrap send a > message to an auto-responder? It wouldn't be secret for very long if it > were sending out e-mail messages... 1) Wrong question. More useful question: Why would somebody, say a spammer, use an address other than one of their own, say a spamtrap address found on their mailing list, as the purported source of e-mail? Answer: Left as an exercise for the reader. 2) Flawed premise. Spamtrap addresses are much more useful if they are *not* secret.
You just take care to publish them in places from which spammers harvest addresses, but in a fashion that makes clear to any reasonably mindful human that stumbles across it that this address is best not used for real correspondence. A secret spamtrap address would be of some use against dictionary address generation, but in general you *want* your spamtrap addresses to be on the spammers' lists. --Jon Radel From res at ausics.net Sat Sep 9 05:54:38 2006 From: res at ausics.net (Res) Date: Sat Sep 9 05:54:50 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> Message-ID: On Fri, 8 Sep 2006, John Rudd wrote: > On Sep 8, 2006, at 7:35 PM, Res wrote: >> That depends upon why they were listed, of course we all know spammers >> never see what they do as spamming, spamcop do have an automated listing >> process if you send to one of their spamtrap addresses, an address thats >> never real, never read, never given out to anyone, to send to this address >> means someones up to no good, be it deliberate or virus, either way its a >> legitimate listing IMHO caused by the sender. > > Except of course that ... you're wrong. Not just a little wrong, flat out > wrong. > > Autoresponders, if they see a message from a spamtrap, will respond to it. i never said they didnt, they dont respond to an address on your network just for the hell of it, but with your antichrist attitude towards SC im sure you'll think of a reason. > That seems to be what has happened to us. Multiple times. yes, and how? i mean you are clearly 110% stating it was not your users and they never did this (but ive never known a spammer to admit to anything), my question to you is how the hell do you know! Most people in this case are virus infected and most never even know they are doing it themselves! something presented their email address from your mail server to the spamtrap address.
everyone is entitled to their own opinion, some ppl applaud SC for their stand and others like you are appalled by it, welcome to life :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From jrudd at ucsc.edu Sat Sep 9 06:18:03 2006 From: jrudd at ucsc.edu (John Rudd) Date: Sat Sep 9 06:18:38 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <450238BD.4010206@txk.k12.ar.us> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: How else do the spamtraps receive mail except by having the email address out there? It gets out _somehow_. Seeded somehow, harvested by dictionary attacks, etc. And once it has been obtained by a spammer, that address can then show up as a return-path in a message. Obviously there's no way to know which addresses being responded to are spamtraps or not, but there's no other explanation for spamcop saying we sent spam to their spamtrap. There's exactly two explanations: 1) one of our students just happens to know the spamtrap address and set their email to forward there instead of their yahoo account (so unlikely that the probability is vanishingly low) 2) a spamtrap showed up in the return-path of some message, and got replied to in a vacation message (not at all an unreasonable possibility, given that the addresses _are_ out there). There aren't any other mechanisms that would have our mail servers sending a message to a spamtrap. We don't send announcements outside of our campus (except via local accounts that forward to an outside address). We don't buy address lists from anyone, etc. And, yes, there are many things I don't know. Things I do know for sure: - there aren't any other explanations for what happened, because no other explanations fit our situation, - autoresponders aren't evil, - spamcop is run by morons. On Sep 8, 2006, at 8:45 PM, James L.
Day wrote: > Excuse me, but why would a secret e-mail address at a spamtrap send a > message to an auto-responder? It wouldn't be secret for very long if > it > were sending out e-mail messages... > > When you say "That seems to be what has happened to us" are you > admitting there's actually something you don't know? > > Lynn > > John Rudd wrote: >> On Sep 8, 2006, at 7:35 PM, Res wrote: >>> On Fri, 8 Sep 2006, John Rudd wrote: >>>>> if its that IP's first entry its delisted after 2 hours, then if >>>>> your in it again its longer, and so on, each time gets longer, its >>>>> a very fair process. >>>> >>>> It would be a fair process if their criteria were reasonable and >>>> accurate. >>>> >>>> Since their criteria are neither, the process is anything but fair. >>> >>> That depends upon why they were listed, of course we all know >>> spammers never see what they do as spamming, spamcop do have an >>> automated listing process if you send to one of their spamtrap >>> addresses, an address thats never real, never read, never given out >>> to anyone, to send to this address means someones up to no good, be >>> it deliberate or virus, either way its a >>> legitimate listing IMHO caused by the sender. >> >> Except of course that ... you're wrong. Not just a little wrong, flat >> out wrong. >> >> Autoresponders, if they see a message from a spamtrap, will respond to >> it. That seems to be what has happened to us. Multiple times. >> >> Spamcop's position is that autoresponders are evil. Which, of course, >> means that Spamcop are a bunch of morons. (sorry, not willing to >> debate either point: autoresponders, such as vacation programs, aren't >> evil; spamcop are morons: both are absolute truths) >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
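The mechanism described in the message above (a vacation autoresponder answering mail whose return-path is a forged spamtrap address) is what the reply rules in RFC 3834 are meant to limit. The following is an added example, not part of the original thread or of MailScanner: a Python reply-decision function applying those rules plus an SPF gate. The host name `mx.example.edu`, the addresses and the sample messages are constructed assumptions.

```python
"""Reply-decision logic for a vacation autoresponder (added example).

Checks follow RFC 3834 recommendations plus an SPF gate against forged
return-paths. Host names, addresses and messages below are constructed.
"""
from email import message_from_string
from email.utils import getaddresses
import time

# Assumption: authserv-id stamped by our own border MTA, which also strips
# any inbound Authentication-Results header that already claims this id.
TRUSTED_AUTHSERV = "mx.example.edu"
REPLY_INTERVAL = 7 * 24 * 3600  # at most one reply per sender per week
ROLE_PREFIXES = ("mailer-daemon", "postmaster", "owner-", "listserv", "majordomo")


def spf_passed(msg):
    """True if our MTA recorded spf=pass (simplified Authentication-Results parse)."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip().lower() for p in value.split(";")]
        authserv = parts[0].split()
        if authserv and authserv[0] == TRUSTED_AUTHSERV:
            if any(p.startswith("spf=pass") for p in parts[1:]):
                return True
    return False


def should_autoreply(msg, envelope_from, owner, last_replied, now=None):
    """Return (decision, reason); envelope_from is the SMTP MAIL FROM value."""
    now = time.time() if now is None else now
    sender = envelope_from.strip().strip("<>").lower()
    if not sender:
        return False, "null return-path"
    local = sender.split("@", 1)[0]
    if local.startswith(ROLE_PREFIXES) or local.endswith("-request"):
        return False, "role or list-management sender"
    if msg.get("Auto-Submitted", "no").split(";")[0].strip().lower() != "no":
        return False, "automatic message"
    if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
        return False, "bulk precedence"
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return False, "mailing-list headers"
    named = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if owner.lower() not in {addr.lower() for _, addr in named}:
        return False, "owner not in To/Cc"
    if not spf_passed(msg):
        return False, "return-path not authenticated"
    if now - last_replied.get(sender, float("-inf")) < REPLY_INTERVAL:
        return False, "replied recently"
    last_replied[sender] = now
    return True, "reply"


OWNER = "student@example.edu"

# Constructed messages: (label, envelope sender, raw headers and body).
SAMPLES = [
    ("personal mail", "<alice@example.org>",
     "Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.org\n"
     "From: Alice <alice@example.org>\nTo: student@example.edu\n"
     "Subject: lunch?\n\nFree on Friday?\n"),
    ("spam, forged return-path", "<trap@example.net>",
     "Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=example.net\n"
     "From: Deals <trap@example.net>\nTo: student@example.edu\n"
     "Subject: cheap pills\n\nBuy now\n"),
    ("list post", "<users-bounces@lists.example.org>",
     "Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=lists.example.org\n"
     "From: Bob <bob@example.org>\nTo: users@lists.example.org\n"
     "List-Id: <users.lists.example.org>\nPrecedence: list\n"
     "Subject: Re: upgrade\n\nWorks for me.\n"),
    ("bounce", "<>",
     "From: MAILER-DAEMON@example.org\nTo: student@example.edu\n"
     "Auto-Submitted: auto-replied\nSubject: Undeliverable\n\nFailed.\n"),
]


def run_samples():
    """Evaluate every sample, then the first one again one hour later."""
    seen, start, out = {}, 1_000_000.0, []
    for label, env, raw in SAMPLES:
        out.append((label, *should_autoreply(
            message_from_string(raw), env, OWNER, seen, now=start)))
    label, env, raw = SAMPLES[0]
    out.append(("repeat", *should_autoreply(
        message_from_string(raw), env, OWNER, seen, now=start + 3600)))
    return out


if __name__ == "__main__":
    for label, decision, reason in run_samples():
        print(f"{label:26} {'REPLY' if decision else 'skip':6} {reason}")
```

The SPF gate also suppresses replies to senders whose domains publish no SPF record, so it trades some legitimate vacation notices for fewer replies to forged addresses.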
From jrudd at ucsc.edu Sat Sep 9 06:33:23 2006 From: jrudd at ucsc.edu (John Rudd) Date: Sat Sep 9 06:33:39 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> Message-ID: On Sep 8, 2006, at 9:54 PM, Res wrote: > On Fri, 8 Sep 2006, John Rudd wrote: > >> On Sep 8, 2006, at 7:35 PM, Res wrote: >>> That depends upon why they were listed, of course we all know >>> spammers never see what they do as spamming, spamcop do have an >>> automated listing process if you send to one of their spamtrap >>> addresses, an address thats never real, never read, never given out >>> to anyone, to send to this address means someones up to no good, be >>> it deliberate or virus, either way its a >>> legitimate listing IMHO caused by the sender. >> >> Except of course that ... you're wrong. Not just a little wrong, >> flat out wrong. >> >> Autoresponders, if they see a message from a spamtrap, will respond >> to it. > > i never said they didnt, they dont respond to an address on your > network just for the hell of it, but with your antichrist attitude > towards SC im sure you'll think of a reason. > >> That seems to be what has happened to us. Multiple times. > > yes, and how? i mean you are clearly 110% stating it was not your > users and they never did this (but ive never known a spammer to admit to > anything), my question to you is how the hell do you know! > Most people in this case are virus infected and most never even know > they > are doing it themselves! We keep a sharp eye on the behavior of hosts around our network, to ensure that we don't end up with zombies here. When we detect one, we deal with it quickly. We haven't a zombie attack here in quite a while, and the spamcop listings have happened rather recently. We also take other precautions to keep it from happening.
Last, we know our users aren't doing it directly because they're not out buying target lists for spamming (it doesn't apply to our business case even remotely ... and, again, we monitor the traffic behavior of our users; AND our announcements get channeled through a particular server to ensure that it doesn't impact our other email services). There isn't anything that would point us to concluding that our users did it directly, nor any recent zombie activity on our network. The only things that make sense at all, and that we wouldn't be able to track are: user set their account's email forward to a spamtrap (which doesn't really make sense at all), or a spamtrap was in the return-path for a message that hit a vacation autoresponder. > something presented their email address from your mail server to the > spamtrap address. > > > everyone is entitled to their own opinion, some ppl applaud SC for > their stand and others like you are appalled by it, welcome to life :) I would applaud their stand if they did it in a manner which was rational and intelligent ... instead of insane and idiotic. I have no problem with their "stand" (their goals). I have a problem with their methods (which are often inaccurate) and their dogmas (such as their position on autoresponders). From leiw324 at yahoo.com.hk Sat Sep 9 08:56:50 2006 From: leiw324 at yahoo.com.hk (Wilson Kwok) Date: Sat Sep 9 08:56:54 2006 Subject: ERROR: CVD extraction failure Message-ID: <20060909075650.96888.qmail@web54401.mail.yahoo.com> Hi all, When the MailScanner every start to Virus and Content Scanning that must ERROR: CVD extraction failure. How can I fix this problem ?
Mail log: Sep 9 15:44:16 abc MailScanner[23616]: Virus and Content Scanning: Starting Sep 9 15:44:17 abc MailScanner[23616]: ERROR: CVD extraction failure Sep 9 15:44:17 abc MailScanner[23616]: Requeue: 61AFC7F3D.15CEE to 16D187EDF Sep 9 15:44:17 abc MailScanner[23616]: Uninfected: Delivered 1 messages -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060909/64ca0c2c/attachment.html From glenn.steen at gmail.com Sat Sep 9 09:36:13 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 9 09:36:18 2006 Subject: Hold queue question In-Reply-To: <4501AD4E.4080401@trayerproducts.com> References: <4501AD4E.4080401@trayerproducts.com> Message-ID: <223f97700609090136n55248d70tf2e2c52f0f9f268@mail.gmail.com> On 08/09/06, Green, Rodney wrote: > Hello, > > I'm using Postfix with MailScanner. Can someone tell me what would > happen if I were to release (using postsuper -H queueid) a message in > the hold queue? > Would that message bypass MailScanner? > > Thanks, > Rod > I haven't tested this Rod, but that is very likely what would happen, since you'd effectively move the message over to the deferred queue (which is the domain of the qmgr... and happens after MailScanner...). Why would you want to do that?
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Sep 9 09:41:34 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 9 09:41:38 2006 Subject: Ways to filter other document types In-Reply-To: <450199E0.6020301@nkpanama.com> References: <450199E0.6020301@nkpanama.com> Message-ID: <223f97700609090141y30f7e221p907bc6e51b042a9c@mail.gmail.com> On 08/09/06, Alex Neuman van der Hans wrote: > Any ideas on how to block word or pdf spam, as mentioned in: > > http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1214687,00.html > > It could be an interesting option to add to the phishing filter or to > SA, as spammers are now using these formats. Something like the TNEF > unpack-then-repack approach we're getting now, would probably be the way > to go. > > Anybody already doing something similar? Not doing so, no. But it should be possible to make the same type of approach as done within htdig and other web indexers... Just use a program that strips all the gunk and look at the actual text:-). Isn't there some SA plugin for this already (akin to fuzzyocr...)? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Sep 9 10:20:37 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 9 10:20:39 2006 Subject: ERROR: CVD extraction failure In-Reply-To: <20060909075650.96888.qmail@web54401.mail.yahoo.com> References: <20060909075650.96888.qmail@web54401.mail.yahoo.com> Message-ID: <223f97700609090220y3b241cbep44bd136e6d4825a0@mail.gmail.com> On 09/09/06, Wilson Kwok wrote: > > Hi all, > > When the MailScanner every start to Virus and Content Scanning that must > ERROR: CVD extraction failure. > How can I fix this problem ?
> > Mail log: > Sep 9 15:44:16 abc MailScanner[23616]: Virus and Content Scanning: Starting > Sep 9 15:44:17 abc MailScanner[23616]: ERROR: CVD extraction failure > Sep 9 15:44:17 abc MailScanner[23616]: Requeue: 61AFC7F3D.15CEE to > 16D187EDF > Sep 9 15:44:17 abc MailScanner[23616]: Uninfected: Delivered 1 messages > > Does clamav work? "clamscan ...."? That error is from libclamav, so ... chances are that you have a broken cvd signature file somewhere. Try running "freshclam -vv" or somesuch... The error might also "selfheal", at the next run of update_virus_scanners ... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at ecs.soton.ac.uk Sat Sep 9 14:41:32 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Sep 9 14:41:41 2006 Subject: MailScanner 4.56 In-Reply-To: <20060908201156.GM20257@doctor.nl2k.ab.ca> References: <20060905120117.GH25367@doctor.nl2k.ab.ca> <4501A548.5040605@ecs.soton.ac.uk> <20060908201156.GM20257@doctor.nl2k.ab.ca> Message-ID: <4502C48C.4080101@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > On Fri, Sep 08, 2006 at 06:15:52PM +0100, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I am about to release a new beta for you folks to test for me. >> The next stable release probably won't be until the beginning of >> October, if I have time. My day job is really busy at the moment, I am >> doing huge rounds of server upgrades this summer. New filestore, new >> file server, new mail system, new virtualisation servers, all sorts of >> stuff. That has to come first. >> > > What OS are these new machines getting? The host OS is Solaris on the filestore, Linux and Cyrus-imap on the mail system, and Linux (RHEL4) on the virtualisation servers. > >> Dave Shariff Yadallee - System Administrator a.k.a. 
The Root of the >> Problem wrote: >>> Julian when is 4.56 due out? Does it need further Beta Testing? >>> >>> Also a general question to all, how does one >>> redirect spam to a specific spamlist , say spamtrap@domain.tld? >>> >> - -- >> Julian Field >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@MailScanner.biz >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> For all your IT requirements visit www.transtec.co.uk >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.5.0 (Build 1112) >> Comment: (pgp-secured) >> Charset: ISO-8859-1 >> >> wj8DBQFFAaVKEfZZRxQVtlQRAtK+AKDgIj3WF+u5ASLgB9JYrLwmBKb5KwCcC+fU >> iOkFx7eJkEk64hDzPwoDSpI= >> =CYkN >> -----END PGP SIGNATURE----- >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFAsSNEfZZRxQVtlQRAspAAJ44khqQK87qk39Oh6lkT5SqphFYNwCg3jOp RmM4NmPwjsKQju6JdpFu3UE= =zIXe -----END PGP SIGNATURE----- From alex at nkpanama.com Sat Sep 9 17:08:47 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Sat Sep 9 17:09:22 2006 Subject: Anyone using zen.spamhaus.org? 
In-Reply-To: References: Message-ID: <4502E70F.9010308@nkpanama.com> Res wrote: > Like I said try running greylisting on a network that does several > million emails per day with several MX's, you might say ok retry in 1 > minute, but most daemons wait 10, so by the time one of our guys gets > his email its 40-50 minutes later, i would want to hope they werent in a > critical ebay auction. > > Why not whitelist e-bay's legit MXs? From gmane at tippingmar.com Sat Sep 9 19:48:59 2006 From: gmane at tippingmar.com (Mark Nienberg) Date: Sat Sep 9 19:49:22 2006 Subject: install-Clam-SA Message-ID: I downloaded and ran the latest install-Clam-SA today as both my Clamav and SpamAssassin were slightly out of date. I noticed that when Spamassassin was being built it complained that LWP::UserAgent and HTTP::Date were not installed so the sa-update feature would not function. Should these modules be added to the install script or should I install them myself? I am not using sa-update anyway (at least not knowingly), but maybe I should be? Also, I had previously consolidated all of the various /etc/mail/spamassassin/*.pre files into a single init.pre. I was surprised that the install script created new V310.pre and V312.pre files. Mark Nienberg From derek at adcatanzaro.com Sun Sep 10 00:48:51 2006 From: derek at adcatanzaro.com (Derek Catanzaro) Date: Sun Sep 10 00:49:24 2006 Subject: Question In-Reply-To: <44FDCC15.50606@jlewiscooper.com> References: <44FD5982.65ED.00A2.0@plattesheriff.org> <44FDCC15.50606@jlewiscooper.com> Message-ID: <450352E3.8020906@adcatanzaro.com> Greg Borders wrote: > > > Logan Shaw wrote: >> On Tue, 5 Sep 2006, Rob Poe wrote: >>> Is there a way to start MailScanner so that it processes any messages >>> in it's queue, but does not accept new incoming messages? 
>> >> Well, it's a queue that sendmail and MailScanner share (sendmail >> is the producer, MailScanner is the consumer), so it's not >> really MailScanner that controls whether messages are accepted. >> >> You could kill the incoming sendmail, but I don't recommend it. > > Usage: service MailScanner > {start|stop|status|restart|reload|startin|startout|stopms} > > Couldn't you issue > > service MailScanner stop > service MailScanner startout > > And thus have MS process any messages in queue, and not accept any new > messages. > > We must keep in mind, MailScanner is the puppet master, and the MTA, > virus scanners and SA are all puppets! > > Greg. Borders > Sys. Admin. > JLC Co. Back to the original question. You can have MailScanner process messages in the queue without accepting new messages. As Greg Borders mentioned you have to issue the commands above but one was left out (check_MailScanner). So issue the following: service MailScanner stop (note: I normally issue a "service MailScanner status" after this to make sure MS and sendmail in/out turned off, sometimes I have to do a service MailScanner stop a couple of times to make sure everything is off) service MailScanner startout check_MailScanner This will prevent sendmail from accepting new email while processing all of the messages that are currently in the queue. Thanks, Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From res at ausics.net Sun Sep 10 08:57:50 2006 From: res at ausics.net (Res) Date: Sun Sep 10 08:58:06 2006 Subject: Anyone using zen.spamhaus.org? 
In-Reply-To: <4502E70F.9010308@nkpanama.com> References: <4502E70F.9010308@nkpanama.com> Message-ID: On Sat, 9 Sep 2006, Alex Neuman van der Hans wrote: > Res wrote: > >> Like I said try running greylisting on a network that does several million >> emails per day with several MX's, you might say ok retry in 1 minute, but >> most daemons wait 10, so by the time one of our guys gets his email its >> 40-50 minutes later, i would want to hope they werent in a critical ebay >> auction. >> >> > > Why not whitelist e-bay's legit MXs? Does that mean we have to do it for every organisation that requires it, how about our business clients clients who are on phone saying "emailed it 5 mins ago, so what do u think" "uh i dunno I havent got it" and so on... and who do i invoice to recover the cost of the continual whitelisting.. who do i invoice to cover the cost of CSR who have to filedall these calls... get my drift :) it just is not viable. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sun Sep 10 09:05:08 2006 From: res at ausics.net (Res) Date: Sun Sep 10 09:05:20 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: On Fri, 8 Sep 2006, John Rudd wrote: > > How else do the spamtraps receive mail except by having the email address out > there? It gets out _somehow_. Seeded some how, harvested by dictionary > attacks, etc.. And once it has been obtained by a spammer, that address can > then show up as a return-path in a message. 
correct, i have had this out with SC before I was told of their system tests and im satisfied its a good idea, i dont know how much of it is general public info, but im sure those that have a real need to know can ask them > > Obviously there's no way to know which addresses being responded to are > spamtraps or not, but there's no other explanation for spamcop saying we sent > spam to their spamtrap. There's exactly two explanations: > > 1) one of our students just happens to know the spamtrap address and set > their email to forward there instead of their yahoo account (so unlikely that > the probability is vanishingly low) > > 2) a spamtrap showed up in the return-path of some message, and got replied > to in a vacation message (not at all an unreasonable possibility, given that > the addresses _are_ out there). So again you in an EDU establishment can say for 110% these students are not virus proned, I have learnt one thing about EDU, especialy in this country, they have the most lapsed security enforcement and policies EDU institutions are the worse in my 14 plus year experience. > There aren't any other mechanisms that would have our mail servers sending a so its completely absolutely impossible for a student to have an infected pc and do this you will state this on your life would you, because you seem to look for and acert blame everywhere else but your students, you appear to not even entertain the idea, this is pure arrogance and tends to tell me it was justified. -- Regards Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sun Sep 10 09:08:54 2006 From: res at ausics.net (Res) Date: Sun Sep 10 09:09:08 2006 Subject: Spamcop.net RBL blocking emails by mistake? 
In-Reply-To: References: <45007753.8040105@dido.ca> Message-ID: On Fri, 8 Sep 2006, John Rudd wrote: > We keep a sharp eye on the behavior of hosts around our network, to ensure > that we don't end up with zombies here. When we detect one, we deal with it > quickly. We haven't a zombie attack here in quite a while, and the spamcop > listings have happened rather recently. Just because you dont see it doesnt mean anything, I have overlooked 200K plus users network, and i will refuse to say i knew all the wrong doings, even the odd persons laptop that pops up on a network for an hour a week, which is all it takes, i would never know unless they sent out thousands. > > We also take other precautions to keep it from happening. This is good, but still no iron clad guarantee > Last, we know our users aren't doing it directly because they're not out for the rest of the comments see my previous post to save me duplciating on my day off :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From drew at themarshalls.co.uk Sun Sep 10 09:34:27 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Sun Sep 10 09:34:38 2006 Subject: Hold queue question In-Reply-To: <223f97700609090136n55248d70tf2e2c52f0f9f268@mail.gmail.com> References: <4501AD4E.4080401@trayerproducts.com> <223f97700609090136n55248d70tf2e2c52f0f9f268@mail.gmail.com> Message-ID: <13B0A382-2A50-4D02-978B-9FB763A3ADDF@themarshalls.co.uk> On 9 Sep 2006, at 09:36, Glenn Steen wrote: > On 08/09/06, Green, Rodney wrote: >> Hello, >> >> I'm using Postfix with MailScanner. Can someone tell me what would >> happen if I were to release (using postsuper -H queueid) a message in >> the hold queue? >> Would that message bypass MailScanner? 
>> >> Thanks, >> Rod >> > I haven't tested this Rod, but that is very likely what would happen, > since you'd effectively move the message over to the deferred queue > (which is the domain of the qmgr... and happens after MailScanner...). > Why would you want to do that? I'm not even sure the message would stay in the hold queue with out MailScanner picking it up and processing it. In a MailScanner installation, better to do your message 'holding' with the MailScanner quarantine via a ruleset. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From MailScanner at ecs.soton.ac.uk Sun Sep 10 10:34:38 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Sep 10 10:34:52 2006 Subject: install-Clam-SA In-Reply-To: References: Message-ID: <4503DC2E.1050203@ecs.soton.ac.uk> I will add them. Thanks for letting me know. Mark Nienberg wrote: > I downloaded and ran the latest install-Clam-SA today as both my > Clamav and SpamAssassin were slightly out of date. I noticed that > when Spamassassin was being built it complained that > > LWP::UserAgent and > HTTP::Date > > were not installed so the sa-update feature would not function. > Should these modules be added to the install script or should I > install them myself? I am not using sa-update anyway (at least not > knowingly), but maybe I should be? > > Also, I had previously consolidated all of the various > /etc/mail/spamassassin/*.pre files into a single init.pre. I was > surprised that the install script created new V310.pre and V312.pre > files. 
> > Mark Nienberg > -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Sep 10 10:38:41 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Sep 10 10:38:51 2006 Subject: install-Clam-SA In-Reply-To: References: Message-ID: <4503DD21.2050403@ecs.soton.ac.uk> These are both in the libwww-perl bundle, which I think should be already installed on modern Perl systems. If you haven't got them, the use CPAN to install the libwww-perl bundle. Mark Nienberg wrote: > I downloaded and ran the latest install-Clam-SA today as both my > Clamav and SpamAssassin were slightly out of date. I noticed that > when Spamassassin was being built it complained that > > LWP::UserAgent and > HTTP::Date > > were not installed so the sa-update feature would not function. > Should these modules be added to the install script or should I > install them myself? I am not using sa-update anyway (at least not > knowingly), but maybe I should be? > > Also, I had previously consolidated all of the various > /etc/mail/spamassassin/*.pre files into a single init.pre. I was > surprised that the install script created new V310.pre and V312.pre > files. > > Mark Nienberg > -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Sep 10 10:40:30 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Sep 10 10:40:42 2006 Subject: Question In-Reply-To: <450352E3.8020906@adcatanzaro.com> References: <44FD5982.65ED.00A2.0@plattesheriff.org> <44FDCC15.50606@jlewiscooper.com> <450352E3.8020906@adcatanzaro.com> Message-ID: <4503DD8E.70404@ecs.soton.ac.uk> Derek Catanzaro wrote: > Greg Borders wrote: >> >> >> Logan Shaw wrote: >>> On Tue, 5 Sep 2006, Rob Poe wrote: >>>> Is there a way to start MailScanner so that it processes any messages >>>> in it's queue, but does not accept new incoming messages? >>> >>> Well, it's a queue that sendmail and MailScanner share (sendmail >>> is the producer, MailScanner is the consumer), so it's not >>> really MailScanner that controls whether messages are accepted. >>> >>> You could kill the incoming sendmail, but I don't recommend it. >> >> Usage: service MailScanner >> {start|stop|status|restart|reload|startin|startout|stopms} >> >> Couldn't you issue >> >> service MailScanner stop >> service MailScanner startout >> >> And thus have MS process any messages in queue, and not accept any >> new messages. >> >> We must keep in mind, MailScanner is the puppet master, and the MTA, >> virus scanners and SA are all puppets! >> >> Greg. Borders >> Sys. Admin. >> JLC Co. > Back to the original question. You can have MailScanner process > messages in the queue without accepting new messages. As Greg Borders > mentioned you have to issue the commands above but one was left out > (check_MailScanner). So issue the following: > > service MailScanner stop (note: I normally issue a "service > MailScanner status" after this to make sure MS and sendmail in/out > turned off, sometimes I have to do a service MailScanner stop a couple > of times to make sure everything is off) If you wait a few seconds, they will die on their own. 
They do a whole load of clean-up when they are killed, so as not to leave your system in a mess. This is why the "restart" service operation waits for 30 seconds between stopping and restarting. -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Sun Sep 10 11:07:26 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Sep 10 11:07:29 2006 Subject: Hold queue question In-Reply-To: <13B0A382-2A50-4D02-978B-9FB763A3ADDF@themarshalls.co.uk> References: <4501AD4E.4080401@trayerproducts.com> <223f97700609090136n55248d70tf2e2c52f0f9f268@mail.gmail.com> <13B0A382-2A50-4D02-978B-9FB763A3ADDF@themarshalls.co.uk> Message-ID: <223f97700609100307k47e75d87nedd4293aba228f98@mail.gmail.com> On 10/09/06, Drew Marshall wrote: > > On 9 Sep 2006, at 09:36, Glenn Steen wrote: > > > On 08/09/06, Green, Rodney wrote: > >> Hello, > >> > >> I'm using Postfix with MailScanner. Can someone tell me what would > >> happen if I were to release (using postsuper -H queueid) a message in > >> the hold queue? > >> Would that message bypass MailScanner? > >> > >> Thanks, > >> Rod > >> > > I haven't tested this Rod, but that is very likely what would happen, > > since you'd effectively move the message over to the deferred queue > > (which is the domain of the qmgr... and happens after MailScanner...). > > Why would you want to do that? > > I'm not even sure the message would stay in the hold queue with out > MailScanner picking it up and processing it. In a MailScanner > installation, better to do your message 'holding' with the > MailScanner quarantine via a ruleset. 
> > Drew Oh it wouldn't stay put, as long as MS is doing its thing:). Unless one has some other measure to put the message back onto hold, where MS would find it (and process it again). That's pretty much why I asked why one would want this:-). One could of course imagine a situation where messages are piling up, and one would want to "fast-lane" that über-important message to the CEO/PHB/, but ... there would be a certain risk that one would be "shooting one's foot", so to speak:-). If one does a thing like that (God forbid one would use the ALL "id"), one would also open oneself to the same type of problem we had with the deferred/dual postfix setup (there is _no_ locking, and "postsuper -H ..." would be as bad as the qmgr in that type of setup). Not good. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From colin at mainline.co.uk Sun Sep 10 12:35:22 2006 From: colin at mainline.co.uk (Colin Jack) Date: Sun Sep 10 12:34:46 2006 Subject: Question Message-ID: Easy ... start sendmail in queue flushing mode only ;) Something like 'sendmail -q5m' would work fine. This will tell sendmail to check the queue every 5 mins but not listen for incoming connections. Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 10 September 2006 10:41 > To: MailScanner discussion > Subject: Re: Question > > > > Derek Catanzaro wrote: > > Greg Borders wrote: > >> > >> > >> Logan Shaw wrote: > >>> On Tue, 5 Sep 2006, Rob Poe wrote: > >>>> Is there a way to start MailScanner so that it processes any > >>>> messages in its queue, but does not accept new incoming > messages? > >>> > >>> Well, it's a queue that sendmail and MailScanner share > (sendmail is > >>> the producer, MailScanner is the consumer), so it's not really > >>> MailScanner that controls whether messages are accepted.
> >>> > >>> You could kill the incoming sendmail, but I don't recommend it. > >> > >> Usage: service MailScanner > >> {start|stop|status|restart|reload|startin|startout|stopms} > >> > >> Couldn't you issue > >> > >> service MailScanner stop > >> service MailScanner startout > >> > >> And thus have MS process any messages in queue, and not accept any > >> new messages. > >> > >> We must keep in mind, MailScanner is the puppet master, > and the MTA, > >> virus scanners and SA are all puppets! > >> > >> Greg. Borders > >> Sys. Admin. > >> JLC Co. > > Back to the original question. You can have MailScanner process > > messages in the queue without accepting new messages. As > Greg Borders > > mentioned you have to issue the commands above but one was left out > > (check_MailScanner). So issue the following: > > > > service MailScanner stop (note: I normally issue a "service > > MailScanner status" after this to make sure MS and sendmail in/out > > turned off, sometimes I have to do a service MailScanner > stop a couple > > of times to make sure everything is off) > If you wait a few seconds, they will die on their own. They > do a whole load of clean-up when they are killed, so as not > to leave your system in a mess. This is why the "restart" > service operation waits for 30 seconds between stopping and > restarting. > > -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. 
> For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jrudd at ucsc.edu Sun Sep 10 14:13:38 2006 From: jrudd at ucsc.edu (John Rudd) Date: Sun Sep 10 14:14:14 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: <75a8399f72664d039e1a4c9229caad77@ucsc.edu> On Sep 10, 2006, at 1:05 AM, Res wrote: > On Fri, 8 Sep 2006, John Rudd wrote: > >> There aren't any other mechanisms that would have our mail servers >> sending a > > so its completely absolutely impossible for a student to have an > infected pc and do this you will state this on your life would you Students are our _least_ trusted class of user, and yes, we take enough precautions against them that there is 0% chance that this was caused by an infected student. From FStein at thehill.org Sun Sep 10 15:52:08 2006 From: FStein at thehill.org (Stein, Mr. Fred) Date: Sun Sep 10 15:53:26 2006 Subject: troubles with Mailscanner 4.56.3 and Postfix 2.33 and postfix 2.2.11 Message-ID: I just upgraded to Mailscanner 4.56.3, I am running postfix 2.33 on a Centos 4.3 server and this is the error I get when I try to restart MailScanner. Any ideas? Starting MailScanner daemons: incoming postfix: [ OK ] outgoing postfix: [ OK ] MailScanner: Unmatched ) in regex; marked by <-- HERE in m/^[ARO].+@(?:\w|-|\.)+\.\w{2,}) <-- HERE / at /usr/lib/MailScanner/MailScanner/Postfix.pm line 911. Compilation failed in require at /usr/sbin/MailScanner line 315. 
[ OK ] This is also true of postfix 2.2.11 on Centos 4.3 server Thanks in advance Fred Fred Stein Network Administrator The Hill School 717 High Street Pottstown, PA 19464 fstein@thehill.org www.thehill.org From csweeney at osubucks.org Sun Sep 10 15:54:11 2006 From: csweeney at osubucks.org (Chris Sweeney) Date: Sun Sep 10 15:54:39 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: <4502E70F.9010308@nkpanama.com> Message-ID: <45042713.6030408@osubucks.org> I use a shared database on all my MX machines that share the greylist data. Once a site has gone through the process its allowed to pass future mails without the delay. The list stays valid for a week, so users who get mail regularly from the same places will not be affected by the delay and it still does it job of stopping zombie machines. It also still allows the mail to be received after the set delay period no matter what MX the mail goes to. Res wrote: > On Sat, 9 Sep 2006, Alex Neuman van der Hans wrote: > >> Res wrote: >> >>> Like I said try running greylisting on a network that does several >>> million emails per day with several MX's, you might say ok retry in >>> 1 minute, but most daemons wait 10, so by the time one of our guys >>> gets his email its 40-50 minutes later, i would want to hope they >>> werent in a critical ebay auction. >>> >>> >> >> Why not whitelist e-bay's legit MXs? > Does that mean we have to do it for every organisation that requires > it, how about our business clients clients who are on phone saying > "emailed it 5 mins ago, so what do u think" "uh i dunno I havent got it" > and so on... and who do i invoice to recover the cost of the continual > whitelisting.. who do i invoice to cover the cost of CSR who have to > filedall these calls... get my drift :) it just is not viable. > >
From alex at nkpanama.com Sun Sep 10 17:49:17 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Sun Sep 10 17:49:29 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <45042713.6030408@osubucks.org> References: <4502E70F.9010308@nkpanama.com> <45042713.6030408@osubucks.org> Message-ID: <4504420D.2050909@nkpanama.com> Chris Sweeney wrote: > I use a shared database on all my MX machines that share the greylist > data. Once a site has gone through the process its allowed to pass > future mails without the delay. The list stays valid for a week, so > users who get mail regularly from the same places will not be affected > by the delay and it still does it job of stopping zombie machines. It > also still allows the mail to be received after the set delay period no > matter what MX the mail goes to. > I've got the whitelisting set up as high as 30 days. As you said, the first e-mail might not get through immediately but all the others do. From edwardbruce at sbcglobal.net Sun Sep 10 18:42:57 2006 From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Sun Sep 10 18:42:52 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: Message-ID: <45044EA1.6040206@sbcglobal.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Res wrote: > On Fri, 8 Sep 2006, Logan Shaw wrote: > >> On Fri, 8 Sep 2006, Res wrote: >>> On Thu, 7 Sep 2006, Logan Shaw wrote: >> >>>> Yes, he was saying that, before greylisting, 12-15% of the >>>> traffic gets marked as clean. Presumably that is because >>>> 12-15% of the traffic IS clean, and the rest is not. Then >>>> after greylisting, 80% of the traffic got marked as clean. >>>> Presumably that means 80% of it IS clean. >> >>> Then SA cant be that effective for him. >> >> That doesn't make any sense mathematically.
>> >> If I get 100 messages and 20 of them are spam and 80 of them >> are ham, and if SpamAssassin catches all 20 spams and nothing >> else, how does that qualify as "not that effective"? > > depends on how you have your SA setup, mines a 'no mercy' approach > his and yours clearly cant be. > > Like I said try running greylisting on a network that does several > million emails per day with several MX's, you might say ok retry in 1 > minute, but most daemons wait 10, so by the time one of our guys gets > his email its 40-50 minutes later, i would want to hope they werent in a > critical ebay auction. > > Well with the greylisting tool I'm using (sqlgrey) that only happens once. After a 2nd email is received after the specified delay time that from address is whitelisted. After a set number of different email addresses from a domain are whitelisted then the whole domain is whitelisted. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFBE6hFKUOsSNNbMkRAlAeAKDSH2DtGO50VRSZ1g5dpeG21Y6lygCfb45k acWWZzjjmBc6V3fdVO+T1+I= =SoO/ -----END PGP SIGNATURE----- From ljosnet at gmail.com Sun Sep 10 18:52:01 2006 From: ljosnet at gmail.com (emm1) Date: Sun Sep 10 18:52:05 2006 Subject: Blocking Japanese charsets in sendmail Message-ID: <910ee2ac0609101052k73eba0e7y77740cfe4dde8d7@mail.gmail.com> Hello, does anyone know how I can block Japanese and Chinese chars in sendmail? I have been getting alot of ISO-2022-JP spam mails lately and I was wondering if it's possible to block it. :) Thanks! From glenn.steen at gmail.com Sun Sep 10 19:44:54 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Sep 10 19:45:08 2006 Subject: troubles with Mailscanner 4.56.3 and Postfix 2.33 and postfix 2.2.11 In-Reply-To: References: Message-ID: <223f97700609101144v60105e64md8f246ff7ddf16f4@mail.gmail.com> On 10/09/06, Stein, Mr. 
Fred wrote: > I just upgraded to Mailscanner 4.56.3, I am running postfix 2.33 on a Centos 4.3 server and this is the error I get when I try to restart MailScanner. Any ideas? > > Starting MailScanner daemons: > incoming postfix: [ OK ] > outgoing postfix: [ OK ] > MailScanner: Unmatched ) in regex; marked by <-- HERE in m/^[ARO].+@(?:\w|-|\.)+\.\w{2,}) <-- HERE / at /usr/lib/MailScanner/MailScanner/Postfix.pm line 911. > Compilation failed in require at /usr/sbin/MailScanner line 315. > [ OK ] > This is also true of postfix 2.2.11 on Centos 4.3 server > Thanks in advance > Fred > As is plain to see, there really is an unbalanced parenthesis there, so... that is a typo on Jules part. Haven't had time (nor energy) to determine what it really should be:-). If Jules or someone else hasn't fixed this come monday, I just *might* find the time (and energy... Pretty low batteries ATM:) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Sun Sep 10 19:58:52 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Sep 10 19:59:06 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix Message-ID: <4504606C.10003@ecs.soton.ac.uk> I have added the new logic to the Max SpamAssassin Size configuration option, with just about all the extra features everyone wanted in here. # SpamAssassin is not very fast when scanning huge messages, so messages # bigger than this value will be truncated to this length for SpamAssassin # testing. The original message will not be affected by this. This value # is a good compromise as very few spam messages are bigger than this. # # Now for the options: # 1) # 2) truncate # 3) continue # # 1) Put in a simple number. # This will be the simple cut-off point for messages that are larger than # this number. # 2) Put in a number followed by 'trackback'. 
# Once the size limit is reached, MailScanner reverses towards the start # of the message, until it hits a line that is blank. The message passed # to SpamAssassin is truncated there. This stops any part-images being # passed to SpamAssassin, and so avoids rules which trigger on this. # 3) Put in a number followed by 'continue' followed by another number. # Once the size limit is reached, MailScanner continues adding to the data # passed to SpamAssassin, until at most the 2nd number of bytes have been # added looking for a blank line. This tries to complete the image data # that has been started when the 1st number of bytes has been reached, # while imposing a limit on the amount that can be added (to avoid attacks). # # If all this confuses you, just leave it alone at "40k" as that is good. Max SpamAssassin Size = 40k I have only added the logic to the sendmail and Postfix versions so far, as I want to be sure it works before I give it out to everyone. It's on www.mailscanner.info as usual. *Please* can you test this out for me. If you think I have gone over the top, and just produced a system that no-one can work out how to use, then please do tell me and I will remove bits of it again. Personally I think it will only be used by 1% of users at most, which leads me to think I should remove the whole thing and go back to something much simpler again. Your thoughts? -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Sep 10 20:09:27 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Sep 10 20:09:38 2006 Subject: troubles with Mailscanner 4.56.3 and Postfix 2.33 and postfix 2.2.11 In-Reply-To: <223f97700609101144v60105e64md8f246ff7ddf16f4@mail.gmail.com> References: <223f97700609101144v60105e64md8f246ff7ddf16f4@mail.gmail.com> Message-ID: <450462E7.3060200@ecs.soton.ac.uk> Glenn Steen wrote: > On 10/09/06, Stein, Mr. Fred wrote: >> I just upgraded to Mailscanner 4.56.3, I am running postfix 2.33 on a >> Centos 4.3 server and this is the error I get when I try to restart >> MailScanner. Any ideas? >> >> Starting MailScanner daemons: >> incoming postfix: [ OK ] >> outgoing postfix: [ OK ] >> MailScanner: Unmatched ) in regex; marked by <-- HERE >> in m/^[ARO].+@(?:\w|-|\.)+\.\w{2,}) <-- HERE / at >> /usr/lib/MailScanner/MailScanner/Postfix.pm line 911. >> Compilation failed in require at /usr/sbin/MailScanner line 315. >> [ OK ] >> This is also true of postfix 2.2.11 on Centos 4.3 server >> Thanks in advance >> Fred >> > As is plain to see, there really is an unbalanced parenthesis there, > so... that is a typo on Jules part. Haven't had time (nor energy) to > determine what it really should be:-). If Jules or someone else hasn't > fixed this come monday, I just *might* find the time (and energy... > Pretty low batteries ATM:) Fixed in 4.56.4-2. -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Sep 10 20:10:58 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Sep 10 20:11:11 2006 Subject: Blocking Japanese charsets in sendmail In-Reply-To: <910ee2ac0609101052k73eba0e7y77740cfe4dde8d7@mail.gmail.com> References: <910ee2ac0609101052k73eba0e7y77740cfe4dde8d7@mail.gmail.com> Message-ID: <45046342.604@ecs.soton.ac.uk> Check the ok_locales or ok_languages (or whatever it's called) in SpamAssassin. This can be done. There are a set of rules (FARAWAY*) which handle this problem. emm1 wrote: > Hello, does anyone know how I can block Japanese and Chinese chars in > sendmail? I have been getting alot of ISO-2022-JP spam mails lately > and I was wondering if it's possible to block it. :) > > Thanks! -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From FStein at thehill.org Sun Sep 10 20:35:20 2006 From: FStein at thehill.org (Stein, Mr. Fred) Date: Sun Sep 10 20:36:50 2006 Subject: troubles with Mailscanner 4.56.3 and Postfix 2.33 and postfix 2.2.11 References: <223f97700609101144v60105e64md8f246ff7ddf16f4@mail.gmail.com> <450462E7.3060200@ecs.soton.ac.uk> Message-ID: Thanks Julian, That fixed the issue. 
Fred Fred Stein Network Administrator The Hill School 717 High Street Pottstown, PA 19464 fstein@thehill.org www.thehill.org ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field Sent: Sun 9/10/2006 3:09 PM To: MailScanner discussion Subject: Re: troubles with Mailscanner 4.56.3 and Postfix 2.33 and postfix 2.2.11 Glenn Steen wrote: > On 10/09/06, Stein, Mr. Fred wrote: >> I just upgraded to Mailscanner 4.56.3, I am running postfix 2.33 on a >> Centos 4.3 server and this is the error I get when I try to restart >> MailScanner. Any ideas? >> >> Starting MailScanner daemons: >> incoming postfix: [ OK ] >> outgoing postfix: [ OK ] >> MailScanner: Unmatched ) in regex; marked by <-- HERE >> in m/^[ARO].+@(?:\w|-|\.)+\.\w{2,}) <-- HERE / at >> /usr/lib/MailScanner/MailScanner/Postfix.pm line 911. >> Compilation failed in require at /usr/sbin/MailScanner line 315. >> [ OK ] >> This is also true of postfix 2.2.11 on Centos 4.3 server >> Thanks in advance >> Fred >> > As is plain to see, there really is an unbalanced parenthesis there, > so... that is a typo on Jules part. Haven't had time (nor energy) to > determine what it really should be:-). If Jules or someone else hasn't > fixed this come monday, I just *might* find the time (and energy... > Pretty low batteries ATM:) Fixed in 4.56.4-2. -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
From ajos1 at onion.demon.co.uk Sun Sep 10 20:48:08 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Sun Sep 10 20:48:16 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix Message-ID: - If both... the Simple system and the new more complex system works... it should not be confusing... as the last line says... if unsure... leave at 40k. So leave the new bits in!! (No deletions!) -----Original Message----- From: MailScanner discussion References: <223f97700609101144v60105e64md8f246ff7ddf16f4@mail.gmail.com> <450462E7.3060200@ecs.soton.ac.uk> Message-ID: <223f97700609101252k7195a890xe3e94e3c99ff841@mail.gmail.com> On 10/09/06, Julian Field wrote: > > > Glenn Steen wrote: > > On 10/09/06, Stein, Mr. Fred wrote: > >> I just upgraded to Mailscanner 4.56.3, I am running postfix 2.33 on a > >> Centos 4.3 server and this is the error I get when I try to restart > >> MailScanner. Any ideas? > >> > >> Starting MailScanner daemons: > >> incoming postfix: [ OK ] > >> outgoing postfix: [ OK ] > >> MailScanner: Unmatched ) in regex; marked by <-- HERE > >> in m/^[ARO].+@(?:\w|-|\.)+\.\w{2,}) <-- HERE / at > >> /usr/lib/MailScanner/MailScanner/Postfix.pm line 911. > >> Compilation failed in require at /usr/sbin/MailScanner line 315.
> >> [ OK ] > >> This is also true of postfix 2.2.11 on Centos 4.3 server > >> Thanks in advance > >> Fred > >> > > As is plain to see, there really is an unbalanced parenthesis there, > > so... that is a typo on Jules part. Haven't had time (nor energy) to > > determine what it really should be:-). If Jules or someone else hasn't > > fixed this come monday, I just *might* find the time (and energy... > > Pretty low batteries ATM:) > Fixed in 4.56.4-2. > That's the version I'll be putting on my test system next week then. Thanks. -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From pete at enitech.com.au Mon Sep 11 06:29:30 2006 From: pete at enitech.com.au (Peter Russell) Date: Mon Sep 11 06:29:46 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <4504606C.10003@ecs.soton.ac.uk> References: <4504606C.10003@ecs.soton.ac.uk> Message-ID: <4504F43A.2020102@enitech.com.au> Hmm it does seem like a further complication that most of us wont use. But i do appreciate the fine level of tuning that is there if we need it as well. I was going to suggest it might be worth categorising the config file further based on level of complexity or likelihood that it will need modding by your basic users, or having 2 config files - but all of this is yet another level of complexity... Julian Field wrote: > I have added the new logic to the Max SpamAssassin Size configuration > option, with just about all the extra features everyone wanted in here. > > # SpamAssassin is not very fast when scanning huge messages, so messages > # bigger than this value will be truncated to this length for SpamAssassin > # testing. The original message will not be affected by this. This value > # is a good compromise as very few spam messages are bigger than this. > # > # Now for the options: > # 1) > # 2) truncate > # 3) continue > # > # 1) Put in a simple number. 
> # This will be the simple cut-off point for messages that are larger > than > # this number. > # 2) Put in a number followed by 'trackback'. > # Once the size limit is reached, MailScanner reverses towards the start > # of the message, until it hits a line that is blank. The message passed > # to SpamAssassin is truncated there. This stops any part-images being > # passed to SpamAssassin, and so avoids rules which trigger on this. > # 3) Put in a number followed by 'continue' followed by another number. > # Once the size limit is reached, MailScanner continues adding to the > data > # passed to SpamAssassin, until at most the 2nd number of bytes have > been > # added looking for a blank line. This tries to complete the image data > # that has been started when the 1st number of bytes has been reached, > # while imposing a limit on the amount that can be added (to avoid > attacks). > # > # If all this confuses you, just leave it alone at "40k" as that is good. > Max SpamAssassin Size = 40k > > I have only added the logic to the sendmail and Postfix versions so far, > as I want to be sure it works before I give it out to everyone. > > It's on www.mailscanner.info as usual. > > *Please* can you test this out for me. If you think I have gone over the > top, and just produced a system that no-one can work out how to use, > then please do tell me and I will remove bits of it again. Personally I > think it will only be used by 1% of users at most, which leads me to > think I should remove the whole thing and go back to something much > simpler again. > > Your thoughts? 
> > From ron at spawar.navy.mil Mon Sep 11 07:44:08 2006 From: ron at spawar.navy.mil (Ron Broersma) Date: Mon Sep 11 07:44:33 2006 Subject: incoming messages stuck in queue due to tnef bug Message-ID: <450505B8.4020504@spawar.navy.mil> I've had some problems with messages that get stuck in mqueue.in, resulting in whole batches that never get processed due to processes that repeatedly die on the same batch. Here's where it fails... read-open /var/spool/MailScanner/incoming/17683/k8ACNk7x003153/i: No such file or directory at /usr/lib/perl5/site_perl/5.8.5/MIME/Body.pm line 435. The offending message had 2 MIME parts, one of which was a winmail.dat. With some more debugging it appeared that processing of that particular winmail.dat had a number of problems, causing MailScanner to get very confused about the filenames and eventually die. Since this appeared to be a TNEF problem, I switched from the external (/usr/bin/tnef) to internal decoder. Things worked much better. I then checked sourceforge and found a newer version (1.4.3) than that distributed with MailScanner (1.4.1). I installed that and switched back to external TNEF, and all is well. No more stuck queues. I recommend that the new TNEF v1.4.3 be included in future MailScanner distributions. --Ron -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3973 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060910/ac0cef2c/smime.bin From P.G.M.Peters at utwente.nl Mon Sep 11 08:36:27 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Mon Sep 11 08:36:34 2006 Subject: MailScanner 4.56 In-Reply-To: References: <20060905120117.GH25367@doctor.nl2k.ab.ca> <4501A548.5040605@ecs.soton.ac.uk> Message-ID: <450511FB.9090702@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote on 9-9-2006 0:30: > Food on the table and roof over the head always has to come first! > Besides, how much could you do if they turn off the electricity! My experience: not much. I have learned that much the last couple of weeks. Almost twice a week a (big) part of the "county" has had power loss over a couple of hours. And one power loss hit the data centre of the local cable company. Resulting in a black screen for all channels but one (strange!). And complaining didn't work because they use VoIP in their call centre and that didn't work either. And neither did their website so no messages their either. 
- --
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFBRH7elLo80lrIdIRAt2UAJ4vHRBuzxcVnAzUslg3M77a7KbAYwCggXwe
nGekM2Dx7ROCgv/yXCtD7hw=
=JYfc
-----END PGP SIGNATURE-----

From sergiogc at treelogic.com Mon Sep 11 09:00:40 2006
From: sergiogc at treelogic.com (Sergio García Caso)
Date: Mon Sep 11 08:56:30 2006
Subject: MailScanner stops working
Message-ID: <450517A8.7020800@treelogic.com>

Hello,

I have installed MailScanner 4.54.6 with Postfix 2.3, SpamAssassin 3.1.3 and ClamAV 0.88.4 in a Mail Gateway with Ubuntu 5.10.

I rotate the logs once a day.

In 'MailScanner.conf' I have 'Max Children = 5'.

Normally, when the message 'MailScanner child dying of old age' appears in the log, MailScanner restarts and it runs OK:

...
Sep 8 16:15:33 localhost MailScanner[4526]: MailScanner child dying of old age
Sep 8 16:15:33 localhost MailScanner[8310]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
...

then the message 'MailScanner child dying of old age' appears 4 times more (for the other 4 children).

The problem happens when the message 'MailScanner child dying of old age' appears less than five times in the log of a day and the log rotates:

...
Sep 8 07:36:45 localhost syslogd 1.4.1#17ubuntu3: restart.
...

then when 'MailScanner child dying of old age' appears in the new log MS hangs and doesn't appear any more.

Can anybody help me?

Thanks.

From martin.lyberg at gmail.com Mon Sep 11 09:03:55 2006
From: martin.lyberg at gmail.com (Martin)
Date: Mon Sep 11 09:04:26 2006
Subject: How to tell wich url that triggered in SURBL?
In-Reply-To: <45019B99.40904@alexb.ch> References: <45019B99.40904@alexb.ch> Message-ID: Alex Broens wrote: > Seems its a MailScanner special. > (makes it hard to debug when you have a FP but that's the way it is) Humm.. but how do people define in the configs that the actual domain should be listed in the header of the message? All i want is SA or MS to add the following to my header: Contains an URL listed in the JP blocklist >> * [URIs: site.com] < ----- This line Today i only see the actual points, but i want to know what site triggered those points. How can i do that? Thanks From a.peacock at chime.ucl.ac.uk Mon Sep 11 09:26:27 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Mon Sep 11 09:26:41 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <4504606C.10003@ecs.soton.ac.uk> References: <4504606C.10003@ecs.soton.ac.uk> Message-ID: <45051DB3.4080206@chime.ucl.ac.uk> Hi Julian, I think this is a good solution to the issues we had been discussing. It allows people to leave things as they until they hit the problems with truncated images, and then they can look at the more sophisticated settings. One typo in the comments. In the list of options you have "truncate", but in the text you have "trackback". Julian Field wrote: > I have added the new logic to the Max SpamAssassin Size configuration > option, with just about all the extra features everyone wanted in here. > > # SpamAssassin is not very fast when scanning huge messages, so messages > # bigger than this value will be truncated to this length for SpamAssassin > # testing. The original message will not be affected by this. This value > # is a good compromise as very few spam messages are bigger than this. > # > # Now for the options: > # 1) > # 2) truncate > # 3) continue > # > # 1) Put in a simple number. > # This will be the simple cut-off point for messages that are larger > than > # this number. > # 2) Put in a number followed by 'trackback'. 
> # Once the size limit is reached, MailScanner reverses towards the start > # of the message, until it hits a line that is blank. The message passed > # to SpamAssassin is truncated there. This stops any part-images being > # passed to SpamAssassin, and so avoids rules which trigger on this. > # 3) Put in a number followed by 'continue' followed by another number. > # Once the size limit is reached, MailScanner continues adding to the > data > # passed to SpamAssassin, until at most the 2nd number of bytes have > been > # added looking for a blank line. This tries to complete the image data > # that has been started when the 1st number of bytes has been reached, > # while imposing a limit on the amount that can be added (to avoid > attacks). > # > # If all this confuses you, just leave it alone at "40k" as that is good. > Max SpamAssassin Size = 40k > > I have only added the logic to the sendmail and Postfix versions so far, > as I want to be sure it works before I give it out to everyone. > > It's on www.mailscanner.info as usual. > > *Please* can you test this out for me. If you think I have gone over the > top, and just produced a system that no-one can work out how to use, > then please do tell me and I will remove bits of it again. Personally I > think it will only be used by 1% of users at most, which leads me to > think I should remove the whole thing and go back to something much > simpler again. > > Your thoughts? > > -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." 
-- George Bernard Shaw From veliogluh at itu.edu.tr Mon Sep 11 11:26:21 2006 From: veliogluh at itu.edu.tr (Hakan VELIOGLU) Date: Mon Sep 11 11:26:29 2006 Subject: No Message Collected Message-ID: <20060911132621.r359rxxkt5340swc@webmail.itu.edu.tr> Hi, I got a problem with MailScanner. It seems that MailScanner process same e-mail for two times. When the first process has finished and the mail delivered, then MailScanner cleans the spool files of that mail. For this reason the second process couldn't find any spool file and sends an mail whose body is just <<< No Message Collected >>> I could't find a solution for this double processing. Here is a part of log for a mail: Sep 11 04:02:30 server sendmail[15977]: k8B12I6v015977: from=, size=27223, class=0, nrcpts=1, msgid=<001601c6d503$4371d6b0$05094d3c@tonyefp60le6zr>, proto=SMTP, daemon=MTA, relay=24-48-50-111.ashbva.adelphia.net [24.48.50.111] Sep 11 04:02:43 server MailScanner[987]: Message k8B12I6v015977 from 24.48.50.111 (marquita@anglersfishinginfo.com) to itu.edu.tr is spam, SpamAssassin (not cached, score=7.447, required 5, HTML_10_20 0.94, HTML_MESSAGE 0.00, RCVD_IN_NJABL_DUL 1.71, RCVD_IN_SORBS_DUL 1.99, UNWANTED_LANGUAGE_BODY 2.80) Sep 11 04:02:43 server MailScanner[987]: Spam Actions: message k8B12I6v015977 actions are deliver Sep 11 04:02:43 server MailScanner[31624]: SpamAssassin cache hit for message k8B12I6v015977 Sep 11 04:02:43 server MailScanner[31624]: Message k8B12I6v015977 from 24.48.50.111 (marquita@anglersfishinginfo.com) to itu.edu.tr is spam, SpamAssassin (cached, score=7.447, required 5, HTML_10_20 0.94, HTML_MESSAGE 0.00, RCVD_IN_NJABL_DUL 1.71, RCVD_IN_SORBS_DUL 1.99, UNWANTED_LANGUAGE_BODY 2.80) Sep 11 04:02:43 server MailScanner[31624]: Spam Actions: message k8B12I6v015977 actions are deliver Sep 11 04:02:46 server MailScanner[987]: HTML Img tag found in message k8B12I6v015977 from marquita@anglersfishinginfo.com Sep 11 04:02:46 server MailScanner[31624]: HTML Img tag found in message 
k8B12I6v015977 from marquita@anglersfishinginfo.com Sep 11 04:02:46 server sendmail[16466]: k8B12I6v015977: alias ... Sep 11 04:02:46 server sendmail[16466]: k8B12I6v015977: SMTP outgoing connect on server.itu.edu.tr Sep 11 04:02:47 server MailScanner[31624]: Failed to link message body between queues (/var/spool/mqueue/dfk8B12I6v015977 --> /var/spool/mqueue.in/dfk8B12I6v015977) Sep 11 04:02:47 server MailScanner[31624]: Unlinking /var/spool/mqueue.in/qfk8B12I6v015977 failed: No such file or directory Sep 11 04:02:47 server MailScanner[31624]: Unlinking /var/spool/mqueue.in/dfk8B12I6v015977 failed: No such file or directory Sep 11 04:02:47 server sendmail[16470]: k8B12I6v015977: alias ... Sep 11 04:02:47 server sendmail[16470]: k8B12I6v015977: SMTP outgoing connect on server.itu.edu.tr Sep 11 04:02:47 server sendmail[16466]: k8B12I6v015977: to=..., delay=00:00:27, xdelay=00:00:01, mailer=esmtp, pri=147223, relay=[...] [...], dsn=2.0.0, stat=Sent (k8B12ki8030987 Message accepted for delivery) Sep 11 04:02:47 server sendmail[16466]: k8B12I6v015977: done; delay=00:00:27, ntries=1 Sep 11 04:02:47 server sendmail[16470]: k8B12I6v015977: to=..., delay=00:00:27, xdelay=00:00:00, mailer=esmtp, pri=147223, relay=[...] [...], dsn=2.0.0, stat=Sent (k8B12lfd030988 Message accepted for delivery) Sep 11 04:02:47 server sendmail[16470]: k8B12I6v015977: done; delay=00:00:27, ntries=1 ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. 
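An added example (not part of the original post): a Python check that finds queue IDs handled by more than one MailScanner child, the pattern visible in the log above. The first seven sample lines are copied from that log, the last is a constructed control entry; the 14-character queue-ID pattern and the function names are assumptions.

```python
import re
from collections import defaultdict

# "MailScanner[pid]: text" part of a syslog line.
LINE = re.compile(r"MailScanner\[(?P<pid>\d+)\]: (?P<text>.*)")
# Assumption: sendmail queue IDs are 14 alphanumeric characters, as in the post's log.
QID_IN_TEXT = re.compile(r"[Mm]essage ([A-Za-z0-9]{14})\b")
QID_IN_PATH = re.compile(r"/[qd]f([A-Za-z0-9]{14})\b")
# Spool errors that follow when a second child works on files already removed.
SPOOL_ERROR = re.compile(r"Failed to link message body|Unlinking \S+ failed")

# Lines 1-7 are taken from the post's log; line 8 is a constructed control entry.
SAMPLE_LOG = """\
Sep 11 04:02:43 server MailScanner[987]: Spam Actions: message k8B12I6v015977 actions are deliver
Sep 11 04:02:43 server MailScanner[31624]: SpamAssassin cache hit for message k8B12I6v015977
Sep 11 04:02:43 server MailScanner[31624]: Spam Actions: message k8B12I6v015977 actions are deliver
Sep 11 04:02:46 server MailScanner[987]: HTML Img tag found in message k8B12I6v015977 from marquita@anglersfishinginfo.com
Sep 11 04:02:47 server MailScanner[31624]: Failed to link message body between queues (/var/spool/mqueue/dfk8B12I6v015977 --> /var/spool/mqueue.in/dfk8B12I6v015977)
Sep 11 04:02:47 server MailScanner[31624]: Unlinking /var/spool/mqueue.in/qfk8B12I6v015977 failed: No such file or directory
Sep 11 04:02:47 server MailScanner[31624]: Unlinking /var/spool/mqueue.in/dfk8B12I6v015977 failed: No such file or directory
Sep 11 04:03:10 server MailScanner[987]: Spam Actions: message k8B13A1b016001 actions are deliver
"""


def find_double_processing(lines):
    """Return {queue_id: {"pids": [...], "spool_errors": [...]}} for every
    queue ID that was logged by more than one MailScanner child."""
    pids = defaultdict(set)
    errors = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a MailScanner line (sendmail, syslogd, ...)
        text = m.group("text")
        qids = set(QID_IN_TEXT.findall(text)) | set(QID_IN_PATH.findall(text))
        for qid in qids:
            pids[qid].add(int(m.group("pid")))
            if SPOOL_ERROR.search(text):
                errors[qid].append(text)
    return {
        qid: {"pids": sorted(seen), "spool_errors": errors[qid]}
        for qid, seen in pids.items()
        if len(seen) > 1
    }


if __name__ == "__main__":
    for qid, info in find_double_processing(SAMPLE_LOG.splitlines()).items():
        print(f"{qid}: handled by MailScanner PIDs {info['pids']}, "
              f"{len(info['spool_errors'])} spool error(s)")
```

Run it over the full maillog to see how many messages are affected and whether the same pair of children is always involved.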
From zenith.tang at gmail.com Mon Sep 11 11:29:46 2006 From: zenith.tang at gmail.com (Zenith Tang) Date: Mon Sep 11 11:29:50 2006 Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0 In-Reply-To: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com> References: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com> Message-ID: <6026a0ab0609110329y8229aa4rb6eddd73140f3dd7@mail.gmail.com> Hi Julian, Would you give some hints about this issue? So Appreciate~~~ The evaluation for the trend SMB 6.0 can be downloaded from http://www.trendmicro.com/ftp/products/interscan/isvw6_lx_GM.tar.gz 2006/9/2, Zenith Tang : > > I dont know why I can't receive the mailing list for each message. > > Back to the topic, > yes, I have changed virus.scanners.conf correspond to /opt/trend/isvw6. > It should be the correct product.as I was able to use the 5.0 version > successfully. > I have also found that it has the isvw-scan utility and changed > trend-wrapper from vscan to isvw-scan and corresponding paths and lib path > but still fail. > > > > Message: 21 > Date: Fri, 1 Sep 2006 10:10:41 +0200 > From: "Glenn Steen" > Subject: Re: Using MailScanner with Trend Micro Interscan Viruswall > for SMB 6.0 > To: "MailScanner discussion" < mailscanner@lists.mailscanner.info> > Message-ID: > <223f97700609010110t3feafbe1m3c0c2c039a893f94@mail.gmail.com > > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > On 01/09/06, Zenith Tang wrote: > > After I upgrade the Interscan Viruswall from 5.0 to 6.0, the MailScanner > > does not able to use Trend to scan virus. The 5.0 version uses vscan > command > > to scan virus, but 6.0 does not have this command. It seems that the 6.0 > > version does not compatible with MailScanner. Does anyone know how to > make > > MailScanner able to use 6.0 to scan virus? Thanks! > > Disclaimer: I don't use trend, but... Questions: > Does 6.0 install to the directory expected in virus.scanners.conf > (third column)? 
> Is that really the "correct" product? Seems to me that the package > including the "on-demand" scanning is the ServerProtect one... > > However (looking at the downloaded trial I just got) there seems to be > an isw-scan utility... Might be one needs to just tweak the wrapper a > bit:-). > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060911/402fdb9a/attachment-0001.html From ms-list at alexb.ch Mon Sep 11 12:09:18 2006 From: ms-list at alexb.ch (Alex Broens) Date: Mon Sep 11 12:09:27 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <4504606C.10003@ecs.soton.ac.uk> References: <4504606C.10003@ecs.soton.ac.uk> Message-ID: <450543DE.1070007@alexb.ch> Julian, On 9/10/2006 8:58 PM, Julian Field wrote: > I have added the new logic to the Max SpamAssassin Size configuration > option, with just about all the extra features everyone wanted in here. > > # SpamAssassin is not very fast when scanning huge messages, so messages > # bigger than this value will be truncated to this length for SpamAssassin > # testing. The original message will not be affected by this. This value > # is a good compromise as very few spam messages are bigger than this. > # > # Now for the options: > # 1) > # 2) truncate > # 3) continue > I have only added the logic to the sendmail and Postfix versions so far, > as I want to be sure it works before I give it out to everyone. > > It's on www.mailscanner.info as usual. > > *Please* can you test this out for me. If you think I have gone over the > top, and just produced a system that no-one can work out how to use, > then please do tell me and I will remove bits of it again. 
Personally I
> think it will only be used by 1% of users at most, which leads me to
> think I should remove the whole thing and go back to something much
> simpler again.

As you state above "spamassassin is not very fast...." which I'd think makes it a natural to set a max size of the raw msg to be parsed by SA which avoids rocket science.

The truncate and/or continue with bytes may not always work for spam and may add to the load by scanning unnecessary large HAM and it seems to me it's a trial & error method till one gets the spam_du_jour caught in a jungle of sizes, multiparts, etc, etc.

> Your thoughts?

Thought & wish: apply the VERY simple spamc method: "max msg size" and save lots of cpu time and potential FPs avoiding scanning even chunks of oversized msgs. (incidentally scanning chunks breaks some plugins, full & rawbody rules, etc)

Expecting to be tarred and feathered by old MS users.....

Alex

From dave.list at pixelhammer.com Mon Sep 11 13:12:51 2006
From: dave.list at pixelhammer.com (DAve)
Date: Mon Sep 11 13:13:04 2006
Subject: BETA: Max SpamAssassin Size for sendmail and Postfix
In-Reply-To: <45051DB3.4080206@chime.ucl.ac.uk>
References: <4504606C.10003@ecs.soton.ac.uk> <45051DB3.4080206@chime.ucl.ac.uk>
Message-ID: <450552C3.3040401@pixelhammer.com>

> Julian Field wrote:
> I have added the new logic to the Max SpamAssassin Size configuration
> option, with just about all the extra features everyone wanted in here.
>
> # SpamAssassin is not very fast when scanning huge messages, so messages
> # bigger than this value will be truncated to this length for
> SpamAssassin
> # testing. The original message will not be affected by this. This value
> # is a good compromise as very few spam messages are bigger than this.
> #
> # Now for the options:
> # 1)
> # 2) truncate
> # 3) continue
> #
> # 1) Put in a simple number.
> # This will be the simple cut-off point for messages that are
> larger than
> # this number.
> # 2) Put in a number followed by 'trackback'. > # Once the size limit is reached, MailScanner reverses towards the > start > # of the message, until it hits a line that is blank. The message > passed > # to SpamAssassin is truncated there. This stops any part-images being > # passed to SpamAssassin, and so avoids rules which trigger on this. > # 3) Put in a number followed by 'continue' followed by another number. > # Once the size limit is reached, MailScanner continues adding to > the data > # passed to SpamAssassin, until at most the 2nd number of bytes > have been > # added looking for a blank line. This tries to complete the image > data > # that has been started when the 1st number of bytes has been reached, > # while imposing a limit on the amount that can be added (to avoid > attacks). > # > # If all this confuses you, just leave it alone at "40k" as that is good. > Max SpamAssassin Size = 40k > > I have only added the logic to the sendmail and Postfix versions so > far, as I want to be sure it works before I give it out to everyone. > > It's on www.mailscanner.info as usual. > > *Please* can you test this out for me. If you think I have gone over > the top, and just produced a system that no-one can work out how to > use, then please do tell me and I will remove bits of it again. > Personally I think it will only be used by 1% of users at most, which > leads me to think I should remove the whole thing and go back to > something much simpler again. > > Your thoughts? > I think that is fine, the one line, one size is simple enough as a default. Those that believe a borked image is spam can still get the whole message loaded into SA. DAve I can try to get it tested, but this week is getting kinda full already. > -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. 
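The three Max SpamAssassin Size modes described in the configuration comments quoted above, as an added Python sketch (not MailScanner's own Perl code). The k suffix as a multiplier of 1000, the fallbacks used when no blank line is found, and all function names are assumptions; the sample message is constructed.

```python
import re
from typing import NamedTuple

# A blank line: the newline that ends the previous line, then an empty line.
BLANK_LINE = re.compile(rb"\n\r?\n")
# Assumption: suffixes are decimal multipliers; the thread only shows "40k".
MULTIPLIER = {"": 1, "k": 1000, "m": 1000 * 1000}


class SizeSetting(NamedTuple):
    limit: int   # first number: size at which truncation kicks in
    mode: str    # "simple", "trackback" or "continue"
    extra: int   # second number, only used by "continue"


def parse_size(token: str) -> int:
    m = re.fullmatch(r"(\d+)([km]?)", token.lower())
    if not m:
        raise ValueError(f"bad size: {token!r}")
    return int(m.group(1)) * MULTIPLIER[m.group(2)]


def parse_setting(value: str) -> SizeSetting:
    """Parse '40k', '40k trackback' or '40k continue 20k'."""
    parts = value.split()
    if len(parts) == 1:
        return SizeSetting(parse_size(parts[0]), "simple", 0)
    if len(parts) == 2 and parts[1].lower() == "trackback":
        return SizeSetting(parse_size(parts[0]), "trackback", 0)
    if len(parts) == 3 and parts[1].lower() == "continue":
        return SizeSetting(parse_size(parts[0]), "continue", parse_size(parts[2]))
    raise ValueError(f"unrecognised setting: {value!r}")


def spamassassin_window(message: bytes, value: str) -> bytes:
    """Return the part of the message that would be handed to SpamAssassin."""
    s = parse_setting(value)
    if len(message) <= s.limit:
        return message
    if s.mode == "trackback":
        # Walk back from the limit to the last blank line before it, so a
        # half-transferred image body is dropped entirely.
        last = None
        for last in BLANK_LINE.finditer(message, 0, s.limit):
            pass
        # Assumption: with no blank line at all, fall back to the plain cut.
        return message[: last.end()] if last else message[: s.limit]
    if s.mode == "continue":
        # Keep reading past the limit until a blank line, but never more than
        # 'extra' bytes: the hard cap bounds the work a sender can force.
        hard_cap = s.limit + s.extra
        m = BLANK_LINE.search(message, max(s.limit - 2, 0), hard_cap)
        return message[: m.end()] if m else message[:hard_cap]
    return message[: s.limit]


def sample_message() -> bytes:
    """Constructed two-part message: short text plus a ~3 kB base64 'image'."""
    image_b64 = (b"QUJD" * 19 + b"\r\n") * 40
    return b"".join([
        b"From: sender@example.com\r\n",
        b"Subject: constructed sample\r\n",
        b"MIME-Version: 1.0\r\n",
        b'Content-Type: multipart/mixed; boundary="b1"\r\n',
        b"\r\n",
        b"--b1\r\nContent-Type: text/plain\r\n\r\n",
        b"Hello,\r\nplease see the attached picture.\r\n\r\n",
        b"--b1\r\nContent-Type: image/gif\r\n",
        b"Content-Transfer-Encoding: base64\r\n\r\n",
        image_b64,
        b"\r\n--b1--\r\n",
    ])


if __name__ == "__main__":
    msg = sample_message()
    for setting in ("1000", "1000 trackback", "1000 continue 5000", "1000 continue 500"):
        window = spamassassin_window(msg, setting)
        print(f"{setting!r:24} -> {len(window)} of {len(msg)} bytes, "
              f"ends with {window[-12:]!r}")
```

With the limit inside the image part, the plain cut hands over a partial image, trackback stops at the blank line before the image data, and continue either completes the image or stops at the hard cap.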
From rgreen at trayerproducts.com Mon Sep 11 14:00:44 2006 From: rgreen at trayerproducts.com (Green, Rodney) Date: Mon Sep 11 14:03:44 2006 Subject: Hold queue question In-Reply-To: <223f97700609100307k47e75d87nedd4293aba228f98@mail.gmail.com> References: <4501AD4E.4080401@trayerproducts.com> <223f97700609090136n55248d70tf2e2c52f0f9f268@mail.gmail.com> <13B0A382-2A50-4D02-978B-9FB763A3ADDF@themarshalls.co.uk> <223f97700609100307k47e75d87nedd4293aba228f98@mail.gmail.com> Message-ID: <45055DFC.8000108@trayerproducts.com> Glenn Steen wrote: > > > One could of course imagine a situation where messages are piling up, > and one would want to "fast-lane" that ?ber-important message to the > CEO/PHB/ is>, but ... there would be a certain risk that one would be "shooting > ones foot", so to speak:-). > The reason I asked was because messages were piling up in the queue, as you said, and I thought of using postsuper to release a few messages from the hold queue. I wasn't really sure whether or not they were bypassing MS. The messages were actually just mail from local user to another local user so I knew that they were good. Thanks Glenn and Drew. Rod -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Denis.Beauchemin at USherbrooke.ca Mon Sep 11 16:01:23 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Sep 11 16:04:05 2006 Subject: incoming messages stuck in queue due to tnef bug In-Reply-To: <450505B8.4020504@spawar.navy.mil> References: <450505B8.4020504@spawar.navy.mil> Message-ID: <45057A43.3040304@USherbrooke.ca> Ron Broersma a ?crit : > I've had some problems with messages that get stuck in mqueue.in, > resulting in whole batches that never get processed due to processes > that repeatedly die on the same batch. > > Here's where it fails... 
> > read-open /var/spool/MailScanner/incoming/17683/k8ACNk7x003153/i: No > such file or directory at /usr/lib/perl5/site_perl/5.8.5/MIME/Body.pm > line 435. > > The offending message had 2 MIME parts, one of which was a > winmail.dat. With some more debugging it appeared that processing of > that particular winmail.dat had a number of problems, causing > MailScanner to get very confused about the filenames and eventually die. > > Since this appeared to be a TNEF problem, I switched from the external > (/usr/bin/tnef) to internal decoder. Things worked much better. I > then checked sourceforge and found a newer version (1.4.3) than that > distributed with MailScanner (1.4.1). I installed that and switched > back to external TNEF, and all is well. No more stuck queues. > > I recommend that the new TNEF v1.4.3 be included in future MailScanner > distributions. > > --Ron > > Ron, Are you talking about this TNEF module (output from MailScanner -v): 0.17 Convert::TNEF Because my version number is way off the ones you mention. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From ssilva at sgvwater.com Mon Sep 11 16:16:02 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 11 16:16:42 2006 Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <4502303C.3000602@pixelhammer.com> References: <45007753.8040105@dido.ca> <45018E98.30900@pixelhammer.com> <4502303C.3000602@pixelhammer.com> Message-ID: DAve spake the following on 9/8/2006 8:08 PM: > Scott Silva wrote: >> DAve spake the following on 9/8/2006 8:39 AM: >>> John Rudd wrote: >>>> On Sep 8, 2006, at 4:58 AM, Res wrote: >>>> >>>>> On Thu, 7 Sep 2006, Rob Morin wrote: >>>>> >>>>>> I checked the IP and it was not listed. Is it possible to be listed >>>>>> at 7AM and then removed at 10AM? Plus its a gmail.com account/IP >>>>> Yes, spamcop have a time based entry system >>>>> >>>>> if its that IP's first entry its delisted after 2 hours, then if your >>>>> in it again its longer, and so on, each time gets longer, its a very >>>>> fair process. >>>> It would be a fair process if their criteria were reasonable and >>>> accurate. >>>> >>>> Since their criteria are neither, the process is anything but fair. >>>> >>> I don't know if their criteria is fair or not, they never tell me their >>> criteria. I know that if a spamcop subscriber turns in a message as spam >>> from my server, and they list me, and the message body looks something >>> like, >>> >>> "Hi grandson, >>> >>> I hope I got your email address right, your handwriting is hard to read >>> with my cataracts. Grandpa passed this morning, your Mom will call you >>> when you get out of class. I hate to make you miss finals so please >>> don't come to the funeral. Grandpa would understand. >>> >>> Love Grandma" >>> >>> Then there is a problem with their criteria for certain. >>> >>> I still do not believe that a common users opinion should be the sole >>> determination of what is SPAM and what is not. I get several hundred AOL >>> SPAM reports I must manually unsubscribe from maillists each month >>> because they sign up to gain access to a website and then don't want the >>> mail. SPAM has become "mail I don't want". 
>>> >>> DAve >>> >>> >>> >> Any body that would report that message is using some sort of automated >> system, and I don't think any automation should be used, with the >> exception of >> spamtraps. Spamtraps are different because they aren't a legitimate >> address, >> so anything they get should be spam. >> > > But they did, that message exactly as typed. Clearly a case of 'I don't > recognize the sender address so it must be spam'. I get plenty of those > from AOL where the user has to hit the spam button, and does so without > regard. I suspect there are Monkeys run amok inside AOL just logging > into accounts and clearing the inbox with the spam button. > > DAve > That's the problem right there. It came from AOL -- America on Ludes! The Internet for Dummies. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From shuttlebox at gmail.com Mon Sep 11 16:20:39 2006 From: shuttlebox at gmail.com (shuttlebox) Date: Mon Sep 11 16:20:43 2006 Subject: incoming messages stuck in queue due to tnef bug In-Reply-To: <45057A43.3040304@USherbrooke.ca> References: <450505B8.4020504@spawar.navy.mil> <45057A43.3040304@USherbrooke.ca> Message-ID: <625385e30609110820o1273dd00h229254a86ee6b678@mail.gmail.com> On 9/11/06, Denis Beauchemin wrote: > Are you talking about this TNEF module (output from MailScanner -v): > 0.17 Convert::TNEF No. Internal = perl module. External = binary. -- /peter From ssilva at sgvwater.com Mon Sep 11 16:21:56 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 11 16:22:39 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <450238BD.4010206@txk.k12.ar.us> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: James L. Day spake the following on 9/8/2006 8:45 PM: > Excuse me, but why would a secret e-mail address at a spamtrap send a > message to an auto-responder? It wouldn't be secret for very long if it > were sending out e-mail messages... 
> > When you say "That seems to be what has happened to us" are you > admitting there's actually something you don't know? > > Lynn What an evil person has to do is send an e-mail to your autoresponder with the spamtrap's address spoofed as the reply-to address or the from address. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From lshaw at emitinc.com Mon Sep 11 16:27:48 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Mon Sep 11 16:28:02 2006 Subject: Question In-Reply-To: References: Message-ID: On Sun, 10 Sep 2006, Colin Jack wrote: > Easy ... start sendmail in queue flushing mode only ;) > > Something like 'sendmail -q5m' would work fine > > This will tell sendmail to check the queue every 5 mins but not listen > for incoming connections Not sure if that's really going to help. If this is mqueue.in, there are no outgoing messages -- they're taken care of by MailScanner. If it's the regular (outgoing) mqueue, shouldn't it already be running in queue flushing mode only? - Logan From Denis.Beauchemin at USherbrooke.ca Mon Sep 11 16:33:25 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Sep 11 16:34:02 2006 Subject: incoming messages stuck in queue due to tnef bug In-Reply-To: <625385e30609110820o1273dd00h229254a86ee6b678@mail.gmail.com> References: <450505B8.4020504@spawar.navy.mil> <45057A43.3040304@USherbrooke.ca> <625385e30609110820o1273dd00h229254a86ee6b678@mail.gmail.com> Message-ID: <450581C5.6030503@USherbrooke.ca> shuttlebox a ?crit : > On 9/11/06, Denis Beauchemin wrote: >> Are you talking about this TNEF module (output from MailScanner -v): >> 0.17 Convert::TNEF > > No. Internal = perl module. External = binary. > Of course! I'm at 1.4-1 there... but I'm using the internal one. Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. 
^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3226 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060911/f3def1b9/smime.bin From hmkash at arl.army.mil Mon Sep 11 16:39:24 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Mon Sep 11 16:39:29 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix Message-ID: <229A346E44379140A59A48951B56E0C00260CC90@ARLABML01.DS.ARL.ARMY.MIL> > Though & wish: apply the VERY simple spamc method: "max msg size" and > save lots of cpu time and potential FPs avoiding scanning even chuncks > of oversized msgs. Seems like it would be very simple to have an option like Max SpamAssassin Size = 45k drop that would just bypass SA entirely if the message size exceeded the specified size. Then I think it would have all of the features that everyone wanted. Thank you very much, Julian, for adding this new feature. Please don't take it out. There's no change from the current behavior, so people that don't need it don't even have to worry/care about it. I think you'll find that more than 1% will use it, if not now, maybe later on as more SA plugins are developed that break with truncated attachments. 
Howard From MailScanner at ecs.soton.ac.uk Mon Sep 11 17:08:09 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 11 17:09:10 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <450543DE.1070007@alexb.ch> References: <4504606C.10003@ecs.soton.ac.uk> <450543DE.1070007@alexb.ch> Message-ID: <450589E9.6090406@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Broens wrote: > Julian, > > On 9/10/2006 8:58 PM, Julian Field wrote: >> I have added the new logic to the Max SpamAssassin Size configuration >> option, with just about all the extra features everyone wanted in here. >> >> # SpamAssassin is not very fast when scanning huge messages, so messages >> # bigger than this value will be truncated to this length for >> SpamAssassin >> # testing. The original message will not be affected by this. This value >> # is a good compromise as very few spam messages are bigger than this. >> # >> # Now for the options: >> # 1) >> # 2) truncate >> # 3) continue > > > >> I have only added the logic to the sendmail and Postfix versions so >> far, as I want to be sure it works before I give it out to everyone. >> >> It's on www.mailscanner.info as usual. >> >> *Please* can you test this out for me. If you think I have gone over >> the top, and just produced a system that no-one can work out how to >> use, then please do tell me and I will remove bits of it again. >> Personally I think it will only be used by 1% of users at most, which >> leads me to think I should remove the whole thing and go back to >> something much simpler again. > > > As you state above "spamassassin is not very fast...." which I'd > think makes it a natural to set a max size of the raw msg to be parsed > by SA which avoids rocket science. 
> > the truncate and/or continue with bytes may not always work for spam > and may add to the load by scanning unnecessary large HAM and it seems > to me its a trial & error method till one gets the spam_du_jour caught > in a jungle of sizes, multiparts, etc, etc. > >> Your thoughts? > > Though & wish: apply the VERY simple spamc method: "max msg size" and > save lots of cpu time and potential FPs avoiding scanning even chuncks > of oversized msgs. > (incidentaly scanning chuncks breaks some plugins, full & rawbody > rules, etc) I really do not like the spamc method. All the spammers have to do is make the message a bit bigger and they complete evade SpamAssassin altogether. Bad news in my book. > > > Expecting to be tarred and feathered by old MS users..... > > > Alex > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFBYnqEfZZRxQVtlQRAkmNAKCBgWt1BExPvB72ZCIdjvl/xh3bSACgzAZd KY8yv+GcAuZmVTKEDWm60ys= =BAyg -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From ms-list at alexb.ch Mon Sep 11 17:31:30 2006 From: ms-list at alexb.ch (Alex Broens) Date: Mon Sep 11 17:31:37 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <450589E9.6090406@ecs.soton.ac.uk> References: <4504606C.10003@ecs.soton.ac.uk> <450543DE.1070007@alexb.ch> <450589E9.6090406@ecs.soton.ac.uk> Message-ID: <45058F62.9050007@alexb.ch> On 9/11/2006 6:08 PM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Alex Broens wrote: >> Julian, >> >> On 9/10/2006 8:58 PM, Julian Field wrote: >>> I have added the new logic to the Max SpamAssassin Size configuration >>> option, with just about all the extra features everyone wanted in here. >>> >>> # SpamAssassin is not very fast when scanning huge messages, so messages >>> # bigger than this value will be truncated to this length for >>> SpamAssassin >>> # testing. The original message will not be affected by this. This value >>> # is a good compromise as very few spam messages are bigger than this. >>> # >>> # Now for the options: >>> # 1) >>> # 2) truncate >>> # 3) continue >> >> >>> I have only added the logic to the sendmail and Postfix versions so >>> far, as I want to be sure it works before I give it out to everyone. >>> >>> It's on www.mailscanner.info as usual. >>> >>> *Please* can you test this out for me. If you think I have gone over >>> the top, and just produced a system that no-one can work out how to >>> use, then please do tell me and I will remove bits of it again. >>> Personally I think it will only be used by 1% of users at most, which >>> leads me to think I should remove the whole thing and go back to >>> something much simpler again. >> >> As you state above "spamassassin is not very fast...." which I'd >> think makes it a natural to set a max size of the raw msg to be parsed >> by SA which avoids rocket science. 
>> >> the truncate and/or continue with bytes may not always work for spam >> and may add to the load by scanning unnecessary large HAM and it seems >> to me its a trial & error method till one gets the spam_du_jour caught >> in a jungle of sizes, multiparts, etc, etc. >> >>> Your thoughts? >> Though & wish: apply the VERY simple spamc method: "max msg size" and >> save lots of cpu time and potential FPs avoiding scanning even chuncks >> of oversized msgs. >> (incidentaly scanning chuncks breaks some plugins, full & rawbody >> rules, etc) > I really do not like the spamc method. All the spammers have to do is > make the message a bit bigger and they complete evade SpamAssassin > altogether. Bad news in my book. Julian, same would apply to MS if a spammer sends 50k of gibberish at the begining of a msg plus his URL payload at the endo of the message and you're telling MS to scan the first 40k. so what do you do in both cases? increase the size.. but the CPU and time savings you achieve from avoiding scans of many large msgs is superior than the pain of a theoretically missed missed spam. and what about broken rules? Many ppl use meta rules which scan a full or raw body... and if you stop in the middle of the message, the rules become useless. And third party plugins? (not only OCR) IF you'd add the option to use the "spamc method" it would be VERY appreciated. thanks Alex From MailScanner at ecs.soton.ac.uk Mon Sep 11 18:03:09 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 11 18:03:28 2006 Subject: No Message Collected In-Reply-To: <20060911132621.r359rxxkt5340swc@webmail.itu.edu.tr> References: <20060911132621.r359rxxkt5340swc@webmail.itu.edu.tr> Message-ID: <450596CD.2050203@ecs.soton.ac.uk> You have your Lock Type set incorrectly. Hakan VELIOGLU wrote: > Hi, > > I got a problem with MailScanner. It seems that MailScanner process same e-mail > for two times. 
When the first process has finished and the mail delivered, then > MailScanner cleans the spool files of that mail. For this reason the second > process couldn't find any spool file and sends an mail whose body is just <<< > No Message Collected >>> > > I could't find a solution for this double processing. > > > Here is a part of log for a mail: > > Sep 11 04:02:30 server sendmail[15977]: k8B12I6v015977: > from=, size=27223, class=0, nrcpts=1, > msgid=<001601c6d503$4371d6b0$05094d3c@tonyefp60le6zr>, proto=SMTP, daemon=MTA, > relay=24-48-50-111.ashbva.adelphia.net [24.48.50.111] > Sep 11 04:02:43 server MailScanner[987]: Message k8B12I6v015977 from > 24.48.50.111 (marquita@anglersfishinginfo.com) to itu.edu.tr is spam, > SpamAssassin (not cached, score=7.447, required 5, HTML_10_20 0.94, > HTML_MESSAGE 0.00, RCVD_IN_NJABL_DUL 1.71, RCVD_IN_SORBS_DUL 1.99, > UNWANTED_LANGUAGE_BODY 2.80) > Sep 11 04:02:43 server MailScanner[987]: Spam Actions: message k8B12I6v015977 > actions are deliver > Sep 11 04:02:43 server MailScanner[31624]: SpamAssassin cache hit for message > k8B12I6v015977 > Sep 11 04:02:43 server MailScanner[31624]: Message k8B12I6v015977 from > 24.48.50.111 (marquita@anglersfishinginfo.com) to itu.edu.tr is spam, > SpamAssassin (cached, score=7.447, required 5, HTML_10_20 0.94, HTML_MESSAGE > 0.00, RCVD_IN_NJABL_DUL 1.71, RCVD_IN_SORBS_DUL 1.99, UNWANTED_LANGUAGE_BODY > 2.80) > Sep 11 04:02:43 server MailScanner[31624]: Spam Actions: message k8B12I6v015977 > actions are deliver > Sep 11 04:02:46 server MailScanner[987]: HTML Img tag found in message > k8B12I6v015977 from marquita@anglersfishinginfo.com > Sep 11 04:02:46 server MailScanner[31624]: HTML Img tag found in message > k8B12I6v015977 from marquita@anglersfishinginfo.com > Sep 11 04:02:46 server sendmail[16466]: k8B12I6v015977: alias ... 
> Sep 11 04:02:46 server sendmail[16466]: k8B12I6v015977: SMTP outgoing connect on > server.itu.edu.tr > Sep 11 04:02:47 server MailScanner[31624]: Failed to link message body between > queues (/var/spool/mqueue/dfk8B12I6v015977 --> > /var/spool/mqueue.in/dfk8B12I6v015977) > Sep 11 04:02:47 server MailScanner[31624]: Unlinking > /var/spool/mqueue.in/qfk8B12I6v015977 failed: No such file or directory > Sep 11 04:02:47 server MailScanner[31624]: Unlinking > /var/spool/mqueue.in/dfk8B12I6v015977 failed: No such file or directory > Sep 11 04:02:47 server sendmail[16470]: k8B12I6v015977: alias ... > Sep 11 04:02:47 server sendmail[16470]: k8B12I6v015977: SMTP outgoing connect on > server.itu.edu.tr > Sep 11 04:02:47 server sendmail[16466]: k8B12I6v015977: to=..., delay=00:00:27, > xdelay=00:00:01, mailer=esmtp, pri=147223, relay=[...] [...], dsn=2.0.0, > stat=Sent (k8B12ki8030987 Message accepted for delivery) > Sep 11 04:02:47 server sendmail[16466]: k8B12I6v015977: done; delay=00:00:27, > ntries=1 > Sep 11 04:02:47 server sendmail[16470]: k8B12I6v015977: to=..., delay=00:00:27, > xdelay=00:00:00, mailer=esmtp, pri=147223, relay=[...] [...], dsn=2.0.0, > stat=Sent (k8B12lfd030988 Message accepted for delivery) > Sep 11 04:02:47 server sendmail[16470]: k8B12I6v015977: done; delay=00:00:27, > ntries=1 > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. > -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From gmane at tippingmar.com Mon Sep 11 18:07:46 2006 From: gmane at tippingmar.com (Mark Nienberg) Date: Mon Sep 11 18:08:32 2006 Subject: install-Clam-SA In-Reply-To: <4503DD21.2050403@ecs.soton.ac.uk> References: <4503DD21.2050403@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > These are both in the libwww-perl bundle, which I think should be > already installed on modern Perl systems. > > If you haven't got them, the use CPAN to install the libwww-perl bundle. With that suggestion, I found that on Fedora Core 5, this is available prepackaged: yum install perl-libwww-perl Thanks for your help, Mark Nienberg From ron at spawar.navy.mil Mon Sep 11 18:55:41 2006 From: ron at spawar.navy.mil (Ron Broersma) Date: Mon Sep 11 18:56:02 2006 Subject: incoming messages stuck in queue due to tnef bug In-Reply-To: <625385e30609110820o1273dd00h229254a86ee6b678@mail.gmail.com> References: <450505B8.4020504@spawar.navy.mil> <45057A43.3040304@USherbrooke.ca> <625385e30609110820o1273dd00h229254a86ee6b678@mail.gmail.com> Message-ID: <4505A31D.9010601@spawar.navy.mil> I'm curious, does anyone else have any anecdotal evidence as to whether Internal or External is better (speed, reliability, etc)? MailScanner.conf comments indicate that there is uncertainty as to which is better. I've been using external just because that is the default. What are others doing? --Ron shuttlebox wrote: > On 9/11/06, Denis Beauchemin wrote: >> Are you talking about this TNEF module (output from MailScanner -v): >> 0.17 Convert::TNEF > > No. Internal = perl module. External = binary. > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3973 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060911/c7aac54f/smime.bin From Denis.Beauchemin at USherbrooke.ca Mon Sep 11 19:05:23 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Sep 11 19:05:39 2006 Subject: incoming messages stuck in queue due to tnef bug In-Reply-To: <4505A31D.9010601@spawar.navy.mil> References: <450505B8.4020504@spawar.navy.mil> <45057A43.3040304@USherbrooke.ca> <625385e30609110820o1273dd00h229254a86ee6b678@mail.gmail.com> <4505A31D.9010601@spawar.navy.mil> Message-ID: <4505A563.40403@USherbrooke.ca> Ron Broersma wrote: > I'm curious, does anyone else have any anecdotal evidence as to > whether Internal or External is better (speed, reliability, etc)? > MailScanner.conf comments indicate that there is uncertainty as to > which is better. I've been using external just because that is the > default. What are others doing? > Ron, I think I have gone from one to the other over time depending on problems encountered... the internal one should be lighter on CPU, though. I am now using the internal one. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3226 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060911/0f5dc1d8/smime.bin From MailScanner at ecs.soton.ac.uk Mon Sep 11 19:43:06 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 11 19:43:25 2006 Subject: incoming messages stuck in queue due to tnef bug In-Reply-To: <4505A31D.9010601@spawar.navy.mil> References: <450505B8.4020504@spawar.navy.mil> <45057A43.3040304@USherbrooke.ca> <625385e30609110820o1273dd00h229254a86ee6b678@mail.gmail.com> <4505A31D.9010601@spawar.navy.mil> Message-ID: <4505AE3A.8060902@ecs.soton.ac.uk> Ron Broersma wrote: > I'm curious, does anyone else have any anecdotal evidence as to > whether Internal or External is better (speed, reliability, etc)? > MailScanner.conf comments indicate that there is uncertainty as to > which is better. I've been using external just because that is the > default. What are others doing? A while ago, the internal one was a lot more flexible than the external one, and was able to process a lot more different formats than the external one. However, the internal one is slower. So if you are likely to have a lot of winmail.dat TNEF messages, perhaps due to having internal badly-configured Exchange servers or novice Outlook users running fairly old versions of Outlook, then you are better off with the faster one, the external one. If you have problems with the external one not being able to analyse winmail.dat TNEF messages, then switch to the internal one. However, recently the external one has had quite a lot of work done to it, and has improved quite a lot. So now you may want to use the external one. But be sure to get the very latest 1.4.3 from sourceforge.net/projects/tnef as earlier versions have a nasty bug involving UTF16-encoded filenames, which can cause MailScanner to crash as it generates files that don't match what it says it has created. 
I posted this as a bug report few weeks ago, and the author very promptly fixed the problem and released 1.4.3 which works pretty reliably now. So I would probably recommend the external one (version 1.4.3) now, as I haven't found any problems with the new version, and it is faster than the internal one. All future MailScanner releases will include the external tnef-1.4.3. It's a close call now. -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From drew at themarshalls.co.uk Mon Sep 11 20:04:28 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Mon Sep 11 20:04:52 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <450543DE.1070007@alexb.ch> References: <4504606C.10003@ecs.soton.ac.uk> <450543DE.1070007@alexb.ch> Message-ID: <2D55E741-B0FF-4E96-916A-5C3F213E1F89@themarshalls.co.uk> On Mon, September 11, 2006 12:09, Alex Broens wrote: > Though & wish: apply the VERY simple spamc method: "max msg size" and > save lots of cpu time and potential FPs avoiding scanning even chuncks > of oversized msgs. > (incidentaly scanning chuncks breaks some plugins, full & rawbody > rules, > etc) Interestingly Messagelabs does just this: X-Env-Sender: drew@themarshalls.co.uk X-Msg-Ref: server-12.tower-148.messagelabs.com!1157891897!1022432!1 X-StarScan-Version: 5.5.10.7; banners=-,-,- X-SpamReason: No, hits=0.0 required=7.0 tests=Mail larger than max spam size Please note this is made as an observation. I don't understand enough about all the different SA rules to appreciate what the best choice is (Yet!). 
Certainly I understand the issues of DoS and indeed the potential of missing large spam messages but I can also see the possible benefits of not scanning very large messages at all for some of my very old and underpowered machines, so I am following this debate with a keen interest. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From MailScanner at ecs.soton.ac.uk Mon Sep 11 20:42:38 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 11 20:42:49 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <2D55E741-B0FF-4E96-916A-5C3F213E1F89@themarshalls.co.uk> References: <4504606C.10003@ecs.soton.ac.uk> <450543DE.1070007@alexb.ch> <2D55E741-B0FF-4E96-916A-5C3F213E1F89@themarshalls.co.uk> Message-ID: <4505BC2E.2050909@ecs.soton.ac.uk> Drew Marshall wrote: > On Mon, September 11, 2006 12:09, Alex Broens wrote: >> Though & wish: apply the VERY simple spamc method: "max msg size" and >> save lots of cpu time and potential FPs avoiding scanning even chuncks >> of oversized msgs. >> (incidentaly scanning chuncks breaks some plugins, full & rawbody rules, >> etc) > > Interestingly Messagelabs does just this: > > X-Env-Sender: drew@themarshalls.co.uk > X-Msg-Ref: server-12.tower-148.messagelabs.com!1157891897!1022432!1 > X-StarScan-Version: 5.5.10.7; banners=-,-,- > X-SpamReason: No, hits=0.0 required=7.0 tests=Mail larger than max spam > size > That's because they are running spamc to call SpamAssassin. SA is their anti-spam tool of choice. > Please note this is made as an observation. I don't understand enough > about all the different SA rules to appreciate what the best choice is > (Yet!). 
Certainly I understand the issues of DoS and indeed the > potential of missing large spam messages but I can also see the > possible benefits of not scanning very large messages at all for some > of my very old and underpowered machines, so I am following this > debate with a keen interest. Considering many of the rules work quite successfully with the headers and some of the text of the message, simply ignoring messages over a certain size seems a very silly thing to do. Most of the spam detection rules work perfectly well with only the start of the message. -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From drew at themarshalls.co.uk Mon Sep 11 20:52:40 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Mon Sep 11 20:52:50 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <4505BC2E.2050909@ecs.soton.ac.uk> References: <4504606C.10003@ecs.soton.ac.uk> <450543DE.1070007@alexb.ch> <2D55E741-B0FF-4E96-916A-5C3F213E1F89@themarshalls.co.uk> <4505BC2E.2050909@ecs.soton.ac.uk> Message-ID: On 11 Sep 2006, at 20:42, Julian Field wrote: >> Please note this is made as an observation. I don't understand >> enough about all the different SA rules to appreciate what the >> best choice is (Yet!). Certainly I understand the issues of DoS >> and indeed the potential of missing large spam messages but I can >> also see the possible benefits of not scanning very large messages >> at all for some of my very old and underpowered machines, so I am >> following this debate with a keen interest. 
> Considering many of the rules work quite successfully with the > headers and some of the text of the message, simply ignoring > messages over a certain size seems a very silly thing to do. Most > of the spam detection rules work perfectly well with only the start > of the message. Indeed and I have not noticed any obvious issues with the current set up (But then I don't have the message volume demands of many). Sometimes ignorance is bliss :-) -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From hmkash at arl.army.mil Mon Sep 11 21:39:29 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Mon Sep 11 21:39:35 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix Message-ID: <229A346E44379140A59A48951B56E0C00260CC95@ARLABML01.DS.ARL.ARMY.MIL> > Considering many of the rules work quite successfully with the headers > and some of the text of the message And some don't. > simply ignoring messages over a certain size seems a very silly thing to do. What's silly for you may not be silly for someone else. > Most of the spam detection rules work perfectly well with only the > start of the message. And some don't. What I'm trying to say is let the user decide if they want to be silly or not. Howard From ssilva at sgvwater.com Mon Sep 11 22:55:50 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 11 22:56:34 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: <4504606C.10003@ecs.soton.ac.uk> References: <4504606C.10003@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 9/10/2006 11:58 AM: > I have added the new logic to the Max SpamAssassin Size configuration > option, with just about all the extra features everyone wanted in here. 
> > # SpamAssassin is not very fast when scanning huge messages, so messages > # bigger than this value will be truncated to this length for SpamAssassin > # testing. The original message will not be affected by this. This value > # is a good compromise as very few spam messages are bigger than this. > # > # Now for the options: > # 1) > # 2) truncate > # 3) continue > # > # 1) Put in a simple number. > # This will be the simple cut-off point for messages that are larger > than > # this number. > # 2) Put in a number followed by 'trackback'. > # Once the size limit is reached, MailScanner reverses towards the start > # of the message, until it hits a line that is blank. The message passed > # to SpamAssassin is truncated there. This stops any part-images being > # passed to SpamAssassin, and so avoids rules which trigger on this. > # 3) Put in a number followed by 'continue' followed by another number. > # Once the size limit is reached, MailScanner continues adding to the > data > # passed to SpamAssassin, until at most the 2nd number of bytes have > been > # added looking for a blank line. This tries to complete the image data > # that has been started when the 1st number of bytes has been reached, > # while imposing a limit on the amount that can be added (to avoid > attacks). > # > # If all this confuses you, just leave it alone at "40k" as that is good. > Max SpamAssassin Size = 40k > > I have only added the logic to the sendmail and Postfix versions so far, > as I want to be sure it works before I give it out to everyone. > > It's on www.mailscanner.info as usual. > > *Please* can you test this out for me. If you think I have gone over the > top, and just produced a system that no-one can work out how to use, > then please do tell me and I will remove bits of it again. Personally I > think it will only be used by 1% of users at most, which leads me to > think I should remove the whole thing and go back to something much > simpler again. > > Your thoughts? 
> > I say, if the defaults stay relatively the same, then go ahead and add anything you want to add. I just don't really want something like this turned on by default, especially after the amazing track record that MailScanner has had over the last few years! I just hope that it doesn't cause you any problems. New code always seems to bring bugs. Just like ants at a picnic. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From res at ausics.net Tue Sep 12 00:38:58 2006 From: res at ausics.net (Res) Date: Tue Sep 12 00:39:13 2006 Subject: BETA: Max SpamAssassin Size for sendmail and Postfix In-Reply-To: References: <4504606C.10003@ecs.soton.ac.uk> <450543DE.1070007@alexb.ch> <2D55E741-B0FF-4E96-916A-5C3F213E1F89@themarshalls.co.uk> <4505BC2E.2050909@ecs.soton.ac.uk> Message-ID: On Mon, 11 Sep 2006, Drew Marshall wrote: > > On 11 Sep 2006, at 20:42, Julian Field wrote: > > > Indeed and I have not noticed any obvious issues with the current set up (But > then I don't have the message volume demands of many). Sometimes ignorance is > bliss :-) > I agree, the current setup is just fine, the extras may help in 0.00001% of the time, is it worth increasing the load and time just for that? I think not :) However to keep those that might use such a feature happy, perhaps the current method is what is used by default, but alter the extra bits for under the "Advanced SA" section where if one desperately wants to use the extra features of this command they can be added there, and if null, it uses the base "Max SpamAssassin Size =" without the extras -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Tue Sep 12 00:41:13 2006 From: res at ausics.net (Res) Date: Tue Sep 12 00:41:29 2006 Subject: Anyone using zen.spamhaus.org? 
In-Reply-To: <45042713.6030408@osubucks.org> References: <4502E70F.9010308@nkpanama.com> <45042713.6030408@osubucks.org> Message-ID: On Sun, 10 Sep 2006, Chris Sweeney wrote: > I use a shared database on all my MX machines that share the greylist > data. Once a site has gone through the process its allowed to pass > future mails without the delay. The list stays valid for a week, so > users who get mail regularly from the same places will not be affected > by the delay and it still does it job of stopping zombie machines. It > also still allows the mail to be received after the set delay period no > matter what MX the mail goes to. That is an interesting approach and does make sense, but how many out there actually bother to go to this trouble? not many I'd say. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Tue Sep 12 00:47:22 2006 From: res at ausics.net (Res) Date: Tue Sep 12 00:47:43 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <75a8399f72664d039e1a4c9229caad77@ucsc.edu> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <75a8399f72664d039e1a4c9229caad77@ucsc.edu> Message-ID: On Sun, 10 Sep 2006, John Rudd wrote: >> so its completely absolutely impossible for a student to have an infected >> pc and do this you will state this on your life would you > > Students are our _least_ trusted class of user, and yes, we take enough > precautions against them that there is 0% chance that this was caused by an > infected student. There is no way you can guarantee this in this day and age, regardless of if you have 100 or 100K students, regardless of your setup, to think otherwise shows complete ignorance of modern day capabilities. 
-- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Tue Sep 12 01:02:30 2006 From: res at ausics.net (Res) Date: Tue Sep 12 01:02:42 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: On Mon, 11 Sep 2006, Scott Silva wrote: > What an evil person has to do is send an e-mail to your autoresponder with the > spamtrap's address spoofed as the reply-to address or the from address. it looks for the envelope sender in received lines, dont be foolish to think SC dont know about forged From's, thats been around for almost as long as Email has -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From taz at taz-mania.com Tue Sep 12 01:13:49 2006 From: taz at taz-mania.com (Dennis Willson) Date: Tue Sep 12 01:13:52 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: Message-ID: If you use milter-greylist that's standard. I do the exact same thing. Putting the retry triplet into a whitelist is a standard part of greylisting. I use milter-greylist specifically because it will share the database with multiple mx hosts so that if the retry occurs on a different host it all still works, and they both know who's been whitelisted as well. On Tue, 12 Sep 2006 09:41:13 +1000 (EST) Res wrote: >On Sun, 10 Sep 2006, Chris Sweeney wrote: > >>I use a shared database on all my MX machines that share the greylist >>data. Once a site has gone through the process its allowed to pass >>future mails without the delay. The list stays valid for a week, so >>users who get mail regularly from the same places will not be >>affected >>by the delay and it still does it job of stopping zombie machines. 
>> It >>also still allows the mail to be received after the set delay period >>no >>matter what MX the mail goes to. > >That is an interesting approach and does make sense, but how many out >there actually bother to go to this trouble? not many I'd say. > > >-- >Cheers >Res > >"Just a world that we all must share, it's not enough just to stand >and >stare, is it only a dream that there'll be no more turning away" - >Floyd > > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From taz at taz-mania.com Tue Sep 12 01:17:05 2006 From: taz at taz-mania.com (Dennis Willson) Date: Tue Sep 12 01:17:08 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: Message-ID: The only way to know for 100% that it couldn't be a student is if NO traffic was allowed to the Internet... Otherwise you cannot know for sure what they have done. On Tue, 12 Sep 2006 09:47:22 +1000 (EST) Res wrote: >On Sun, 10 Sep 2006, John Rudd wrote: > >>>so its completely absolutely impossible for a student to have an >>>infected >>>pc and do this you will state this on your life would you >> >>Students are our _least_ trusted class of user, and yes, we take >>enough >>precautions against them that there is 0% chance that this was caused >>by an >>infected student. 
> >There is no way you can guarantee this in this day and age, >regardless of if you have 100 or 100K students, regardless of your >setup, to think otherwise shows complete ignorance of modern day >capabilities. > > >-- >Cheers >Res > >"Just a world that we all must share, it's not enough just to stand >and >stare, is it only a dream that there'll be no more turning away" - >Floyd > > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From r.berber at computer.org Tue Sep 12 01:59:01 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Tue Sep 12 01:59:19 2006 Subject: No logging in Solaris 9 (with workaround) Message-ID: Hi, After upgrading MS to version 4.55.10 I ended with no MS output to the log, changing Sys::Syslog to version 0.18 didn't help. Now I've upgraded to version 4.56.4, same behavior. To make a long story short, after some simple tests using an example in the Sys::Syslog bug list I changed lib/MailScanner/Log.pm as follows: eval { # if ($^O !~ /solaris|sunos|irix/i) { Sys::Syslog::setlogsock('udp'); # } # else { Notice there are 2 changes, the 'udp' since 'unix' did not work in my simple test, 'stream' doesn't work under Solaris, and I commented the test because, somehow, it was skipping the setlogsock operation under Solaris 9. So now it works as expected. 
My environment is Sol9 sparc, perl 5.8.0, all perl modules upgraded to latest version I found (with cpan). -- René Berber From zenith.tang at gmail.com Tue Sep 12 02:28:06 2006 From: zenith.tang at gmail.com (Zenith Tang) Date: Tue Sep 12 02:28:10 2006 Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0 In-Reply-To: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com> References: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com> Message-ID: <6026a0ab0609111828q67dcf20dr8aa6066b4420baaf@mail.gmail.com> For more information, I have tried to change the trend-wrapper to use isvw-scan instead of vscan. Here is the output of the error: # /usr/lib/MailScanner/trend-wrapper /opt/trend/isvw6/scan /tmp Error in ../Config.xml: Failed to open file Error in ../Config.xml.bak: Failed to open file ERROR: Unable to initialize scanner, exit scanner. Scan : Release thread pool ... Notify all scan threads to quit... Notification of quit are done. Wait all scan threads to quit... Threads pool size: [0] Top used: [0] All used: [0] Scan time min: [0] Scan time max: [0] Scan time average: [0] Threads pool is released. Scan : summary ... Scanner tasks handled : [0] Scanner duration : [2678029] Scanner performance (task/second) : [0.000000] Scan : Release engine global setting ... Release global context of EManager. Release global context of TMASE. Release global context of VSAPI. Release global context of OPP. Scan : Unregister scan process... ERROR: Unable to send command: [1] ERROR: Unable to unregister from isvw framework. Scan : Release IPC ... Scan : Release configuration ... Scan : Release log context ... ISVW Scanner exits. 2006/9/2, Zenith Tang : > > I don't know why I can't receive the mailing list for each message. > > Back to the topic, > yes, I have changed virus.scanners.conf to correspond to /opt/trend/isvw6. > It should be the correct product, as I was able to use the 5.0 version > successfully.
> I have also found that it has the isvw-scan utility and changed > trend-wrapper from vscan to isvw-scan and corresponding paths and lib path > but still fail. > > > > Message: 21 > Date: Fri, 1 Sep 2006 10:10:41 +0200 > From: "Glenn Steen" > Subject: Re: Using MailScanner with Trend Micro Interscan Viruswall > for SMB 6.0 > To: "MailScanner discussion" < mailscanner@lists.mailscanner.info> > Message-ID: > <223f97700609010110t3feafbe1m3c0c2c039a893f94@mail.gmail.com > > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > On 01/09/06, Zenith Tang wrote: > > After I upgrade the Interscan Viruswall from 5.0 to 6.0, the MailScanner > > does not able to use Trend to scan virus. The 5.0 version uses vscan > command > > to scan virus, but 6.0 does not have this command. It seems that the 6.0 > > version does not compatible with MailScanner. Does anyone know how to > make > > MailScanner able to use 6.0 to scan virus? Thanks! > > Disclaimer: I don't use trend, but... Questions: > Does 6.0 install to the directory expected in virus.scanners.conf > (third column)? > Is that really the "correct" product? Seems to me that the package > including the "on-demand" scanning is the ServerProtect one... > > However (looking at the downloaded trial I just got) there seems to be > an isw-scan utility... Might be one needs to just tweak the wrapper a > bit:-). > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > > > > From r.berber at computer.org Tue Sep 12 02:50:33 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Tue Sep 12 02:51:00 2006 Subject: No logging in Solaris 9 (with workaround) In-Reply-To: References: Message-ID:
René Berber wrote: [snip]
> eval {
> # if ($^O !~ /solaris|sunos|irix/i) {
> Sys::Syslog::setlogsock('udp');
> # } # else {
[snip] My mistake, even if it works as shown above I should have changed it like this (I'm not sure about Irix or SunOS so it may still be wrong):
eval {
  if ($^O !~ /solaris|sunos|irix/i) {
    Sys::Syslog::setlogsock('unix');
  } else {
    Sys::Syslog::setlogsock('udp');
  }
}
-- René Berber From zenith.tang at gmail.com Tue Sep 12 03:26:41 2006 From: zenith.tang at gmail.com (Zenith Tang) Date: Tue Sep 12 03:26:46 2006 Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0 In-Reply-To: <6026a0ab0609111828q67dcf20dr8aa6066b4420baaf@mail.gmail.com> References: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com> <6026a0ab0609111828q67dcf20dr8aa6066b4420baaf@mail.gmail.com> Message-ID: <6026a0ab0609111926l3b1cea23ve4c365677a06bd78@mail.gmail.com> I just found that if I change the directory to /opt/trend/isvw6/scan to execute the command (as the Config.xml and Config.xml.bak are located in the upper directory), the result will be positive. However, I still can't use it to scan virus. # /usr/lib/MailScanner/trend-wrapper /opt/trend/isvw6/scan /tmp ISVW Scanner Starts.(TAG) Scan : Initializing IPC ... Scan : Scan register the process ... Heartbeat Thread: Started. Scan: Updating scan components... Scan: Updating scan components in (Startup): Virus engine;Spam engine; Scan : Initializing global engine setting... Scan : Initializing thread pool ...
Creating thread pool sized of: [20] Scan thread started: [-1207960656] Scan thread started: [-1220543568] Scan thread started: [-1231033424] Scan thread started: [-1241523280] Scan thread started: [-1258292304] Scan thread started: [-1268782160] Scan thread started: [-1281360976] Scan thread started: [-1293943888] Scan thread started: [-1308623952] Scan thread started: [-1319113808] Scan thread started: [-1333789776] Scan thread started: [-1350566992] Scan thread started: [-1361056848] Scan thread started: [-1371546704] Scan thread started: [-1386218576] Scan thread started: [-1400898640] Scan thread started: [-1413481552] Scan thread started: [-1430258768] Scan thread started: [-1440748624] Scan thread started: [-1453327440] 2006/9/12, Zenith Tang : > > For more information, I have tried to change the trend-wrapper to use > isvw-scan instead of vscan. Here is the output of the error: > > # /usr/lib/MailScanner/trend-wrapper /opt/trend/isvw6/scan /tmp > Error in ../Config.xml: Failed to open file > Error in ../Config.xml.bak: Failed to open file > ERROR: Unable to initialize scanner, exit scanner. > Scan : Release thread pool ... > Notify all scan threads to quit... > Notification of quit are done. > Wait all scan threads to quit... > Threads pool size: [0] Top used: [0] All used: [0] > Scan time min: [0] Scan time max: [0] Scan time average: [0] > Threads pool is released. > Scan : summary ... > Scanner tasks handled : [0] > Scanner duration : [2678029] > Scanner performance (task/second) : [0.000000] > Scan : Release engine global setting ... > Release global context of EManager. > Release global context of TMASE. > Release global context of VSAPI. > Release global context of OPP. > Scan : Unregister scan process... > ERROR: Unable to send command: [1] > ERROR: Unable to unregister from isvw framework. > Scan : Release IPC ... > Scan : Release configuration ... > Scan : Release log context ... > ISVW Scanner exits. 
> > > > 2006/9/2, Zenith Tang : > > > > I dont know why I can't receive the mailing list for each message. > > > > Back to the topic, > > yes, I have changed virus.scanners.conf correspond to /opt/trend/isvw6. > > It should be the correct product.as I was able to use the 5.0 version > > successfully. > > I have also found that it has the isvw-scan utility and changed > > trend-wrapper from vscan to isvw-scan and corresponding paths and lib path > > but still fail. > > > > > > > > Message: 21 > > Date: Fri, 1 Sep 2006 10:10:41 +0200 > > From: "Glenn Steen" > > Subject: Re: Using MailScanner with Trend Micro Interscan Viruswall > > for SMB 6.0 > > To: "MailScanner discussion" < mailscanner@lists.mailscanner.info> > > Message-ID: > > < 223f97700609010110t3feafbe1m3c0c2c039a893f94@mail.gmail.com > > > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > > > On 01/09/06, Zenith Tang < zenith.tang@gmail.com > wrote: > > > After I upgrade the Interscan Viruswall from 5.0 to 6.0, the > > MailScanner > > > does not able to use Trend to scan virus. The 5.0 version uses vscan > > command > > > to scan virus, but 6.0 does not have this command. It seems that the > > 6.0 > > > version does not compatible with MailScanner. Does anyone know how to > > make > > > MailScanner able to use 6.0 to scan virus? Thanks! > > > > Disclaimer: I don't use trend, but... Questions: > > Does 6.0 install to the directory expected in virus.scanners.conf > > (third column)? > > Is that really the "correct" product? Seems to me that the package > > including the "on-demand" scanning is the ServerProtect one... > > > > However (looking at the downloaded trial I just got) there seems to be > > an isw-scan utility... Might be one needs to just tweak the wrapper a > > bit:-). 
> > > > -- > > -- Glenn > > email: glenn < dot > steen < at > gmail < dot > com > > work: glenn < dot > steen < at > ap1 < dot > se > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060912/311e3622/attachment.html From res at ausics.net Tue Sep 12 04:27:21 2006 From: res at ausics.net (Res) Date: Tue Sep 12 04:27:38 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: Message-ID: On Mon, 11 Sep 2006, Dennis Willson wrote: > The only way to know for 100% that it couldn't be a student is if NO traffic > was allowed to the Internet... Otherwise you cannot know for sure what they > have done. > my point exactly > > On Tue, 12 Sep 2006 09:47:22 +1000 (EST) > Res wrote: >> On Sun, 10 Sep 2006, John Rudd wrote: >> >>>> so its completely absolutely impossible for a student to have an infected >>>> pc and do this you will state this on your life would you >>> >>> Students are our _least_ trusted class of user, and yes, we take enough >>> precautions against them that there is 0% chance that this was caused by >>> an infected student. >> >> There is no way you can guarantee this in this day and age, regardless of >> if you have 100 or 100K students, regardless of your setup, to think >> otherwise shows complete ignorance of modern day capabilities. >> >> >> -- >> Cheers >> Res >> >> "Just a world that we all must share, it's not enough just to stand and >> stare, is it only a dream that there'll be no more turning away" - Floyd >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
> > > -------------------------------------------------- > Dennis Willson > > taz@taz-mania.com > http://www.taz-mania.com > > Ham: ka6lsw > Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas > Blender > > Owner: Kepnet Internet Services > > Life should not be a journey to the grave with the intention of arriving > safely in a nice looking and well preserved body, but rather to skid in > broadside, thoroughly used up, totally worn out, and loudly proclaiming, > "WOW! WHAT A RIDE!" > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From jrudd at ucsc.edu Tue Sep 12 04:31:46 2006 From: jrudd at ucsc.edu (John Rudd) Date: Tue Sep 12 04:32:09 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <75a8399f72664d039e1a4c9229caad77@ucsc.edu> Message-ID: <1225a4cc2c86392f4e849cb4cc297e31@ucsc.edu> On Sep 11, 2006, at 4:47 PM, Res wrote: > On Sun, 10 Sep 2006, John Rudd wrote: > >>> so its completely absolutely impossible for a student to have an >>> infected pc and do this you will state this on your life would you >> >> Students are our _least_ trusted class of user, and yes, we take >> enough precautions against them that there is 0% chance that this was >> caused by an infected student. > > There is no way you can guarantee this in this day and age, regardless > of if you have 100 or 100K students, regardless of your setup, to > think otherwise shows complete ignorance of modern day capabilities. We're in between quarters. The students aren't here right now. The dorms (our residential network, where the student machines would be) are empty, and "resnet" isn't allowed to relay through our MX servers anyway. Care to try again? 
Further, as I said in other messages, we _heavily_ monitor the messaging behavior of systems on our network submitting messages to/through our MX servers, and my peer department aggressively monitors behaviors of the network itself (flow rates, telltale (and other) signs of IRC botnet activity, fingerprints of compromised systems, etc.). Heavily & Aggressively. Oh, and we also routinely check to see what machines from our network are blacklisted (IIRC, one is, but they aren't submitting messages through our MX servers). It's not that these things never happen, it's that none of them have happened recently enough to have been the issue with spamcop. Really, the only reports we _ever_ get from other agents is: a machine submitted a message directly to their mail server. And, almost always, our response is "we've already taken the machine off of the network", because we have already started responding to the incident. If this spamcop event had happened shortly after one of THOSE reports, I wouldn't have eliminated "spambot or open relay" from the potential list of causes. However as I said, we haven't had one of those events recently. Instead, what we have is: a potential source of spam that has ONLY hit Spamcop's spamtraps. No one else is blacklisting our MX servers. No reports of anyone else having received spam via our network have come to us. None of our frequent and aggressive internal scans have found an internal spam source. The only report has been a lone machine showing up in XBL ... which has not submitted messages through our MX servers. No backlog of messages heading to AOL, Yahoo, etc., because they've started getting flooded via our MX servers. If we had a spambot, what are the odds that it would ONLY hit spamcop spamtraps, and NO other reporting mechanism and none of our own diagnostics? So vanishingly small that it's not even worth acknowledging. You're making assertions for which you have no qualified information. 
That makes you far more ignorant than I. But let's step past your astounding ignorance... lets say that there had been a spambot on our campus, or an open relay, and it had slipped past our various and thorough diagnostics. If Spamcop had a decent reporting system, we would know which was the case instead of having to determine "autoresponder" by process of elimination. We would know which of our systems had originated the message and we would have immediately tackled it (as we always do when we find them, through our own processes, or through external reports). Instead, because (drum roll) SpamCop is run by morons, we don't directly know, so we have to resort to eliminating unlikely and impossible causes. What we are left with is: autoresponder. Whether my "it was an autoresponder" assertion stands up or not, the "Spamcop is run by morons" assertion still stands. However, given everything else, I am still absolutely confident in my assertions a) that it was an autoresponder, and b) regarding spamcop's idiotic dogma about autoresponders being evil. From jrudd at ucsc.edu Tue Sep 12 04:41:05 2006 From: jrudd at ucsc.edu (John Rudd) Date: Tue Sep 12 04:41:31 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: Message-ID: <79be8a07c60ed24b5ca818c1078ee6b7@ucsc.edu> I can know: a) that there's no traffic from our student network-ghetto right now, b) that the student network-ghetto isn't allowed to relay through my MX servers, c) exactly what traffic has passed through my MX servers. Tell me again how I can't be 100% sure student infected hosts acting as spambots weren't the cause of my MX servers being blacklisted by spamcop? On Sep 11, 2006, at 5:17 PM, Dennis Willson wrote: > The only way to know for 100% that it couldn't be a student is if NO > traffic was allowed to the Internet... Otherwise you cannot know for > sure what they have done. 
> > > On Tue, 12 Sep 2006 09:47:22 +1000 (EST) > Res wrote: >> On Sun, 10 Sep 2006, John Rudd wrote: >> >>>> so its completely absolutely impossible for a student to have an >>>> infected pc and do this you will state this on your life would you >>> >>> Students are our _least_ trusted class of user, and yes, we take >>> enough precautions against them that there is 0% chance that this >>> was caused by an infected student. >> >> There is no way you can guarantee this in this day and age, >> regardless of if you have 100 or 100K students, regardless of your >> setup, to think otherwise shows complete ignorance of modern day >> capabilities. >> >> >> -- >> Cheers >> Res >> >> "Just a world that we all must share, it's not enough just to stand >> and >> stare, is it only a dream that there'll be no more turning away" - >> Floyd >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > -------------------------------------------------- > Dennis Willson > > taz@taz-mania.com > http://www.taz-mania.com > > Ham: ka6lsw > Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, > Gas Blender > > Owner: Kepnet Internet Services > > Life should not be a journey to the grave with the intention of > arriving safely in a nice looking and well preserved body, but rather > to skid in broadside, thoroughly used up, totally worn out, and loudly > proclaiming, "WOW! WHAT A RIDE!" > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
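Added example, not part of any list message and not MailScanner's own (Perl) code: a Python model of the three "Max SpamAssassin Size" forms quoted from Julian Field's BETA announcement earlier in this archive (plain number, 'trackback', 'continue'). The function names, the "m" size suffix, the blank-line test and the fall-backs used when no blank line is found are assumptions of this example; the sample message is constructed.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}  # "40k" is on the page; "m" is assumed


def parse_size(token):
    """Turn '40k' or '40000' into a byte count."""
    m = re.fullmatch(r"(\d+)([km]?)", token.lower())
    if not m:
        raise ValueError(f"bad size: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_setting(value):
    """Return (limit, mode, extra) for the three forms described in the post."""
    parts = value.split()
    if len(parts) == 1:
        return parse_size(parts[0]), "simple", 0
    if len(parts) == 2 and parts[1].lower() == "trackback":
        return parse_size(parts[0]), "trackback", 0
    if len(parts) == 3 and parts[1].lower() == "continue":
        return parse_size(parts[0]), "continue", parse_size(parts[2])
    raise ValueError(f"unrecognised Max SpamAssassin Size value: {value!r}")


def blank_line_ends(window):
    """Offsets just past every complete blank line inside `window`."""
    ends, pos = [], 0
    for line in window.splitlines(keepends=True):
        pos += len(line)
        if not line.strip() and line.endswith((b"\n", b"\r")):
            ends.append(pos)
    return ends


def truncate_for_sa(raw, setting):
    """Return the bytes that would be handed to the spam checker."""
    limit, mode, extra = parse_setting(setting)
    if len(raw) <= limit:
        return raw                      # small message: passed whole
    if mode == "simple":
        return raw[:limit]              # may cut an encoded image mid-line
    if mode == "trackback":
        # Walk back from the limit to the last blank line before it.
        ends = blank_line_ends(raw[:limit])
        return raw[: ends[-1]] if ends else raw[:limit]   # fall-back: assumed
    # "continue": read on past the limit until a blank line, but never look
    # at more than limit + extra bytes, so an oversized message cannot make
    # the scanner do unbounded work (the "avoid attacks" cap in the post).
    window = raw[: limit + extra]
    for end in blank_line_ends(window):
        if end >= limit:
            return raw[:end]
    return window                       # no blank line found: stop at the cap


# Constructed sample: headers, a text part, four base64-like lines, a trailer.
SAMPLE = (
    b"From: a@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"Text part of the message.\r\n"
    b"\r\n"
    + b"".join(b"QUJD" * 15 + b"\r\n" for _ in range(4))
    + b"\r\n"
    + b"Trailing text.\r\n"
)

if __name__ == "__main__":
    for setting in ("200", "200 trackback", "200 continue 500", "200 continue 50"):
        print(f"{setting:18} -> {len(truncate_for_sa(SAMPLE, setting))} bytes")
```
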
From larskman at gmail.com Tue Sep 12 06:52:48 2006 From: larskman at gmail.com (fname lname) Date: Tue Sep 12 06:52:50 2006 Subject: allow password protected archives Message-ID: I want my site to Allow password zip files and I have the setting set to: Allow Password-Protected Archives = yes but it is still blocking the zip files, how can I debug this or make this work? Password protected file ./k8B4g895022532/1.zip/index.html Virus Scanning: Sophos found 1 infections From glenn.steen at gmail.com Tue Sep 12 08:26:46 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 12 08:26:49 2006 Subject: Hold queue question In-Reply-To: <45055DFC.8000108@trayerproducts.com> References: <4501AD4E.4080401@trayerproducts.com> <223f97700609090136n55248d70tf2e2c52f0f9f268@mail.gmail.com> <13B0A382-2A50-4D02-978B-9FB763A3ADDF@themarshalls.co.uk> <223f97700609100307k47e75d87nedd4293aba228f98@mail.gmail.com> <45055DFC.8000108@trayerproducts.com> Message-ID: <223f97700609120026l633826c5q47645b6a0eb1a809@mail.gmail.com> On 11/09/06, Green, Rodney wrote: > > Glenn Steen wrote: > > > > > > One could of course imagine a situation where messages are piling up, > > and one would want to "fast-lane" that über-important message to the > > CEO/PHB/ > is>, but ... there would be a certain risk that one would be "shooting > > ones foot", so to speak:-). > > > > The reason I asked was because messages were piling up in the queue, as > you said, and I thought of using postsuper to release > a few messages from the hold queue. I wasn't really sure whether or not > they were bypassing MS. The messages were actually > just mail from local user to another local user so I knew that they were > good. You might consider not doing all scanning for "local" users then. For example: I don't do SA on outbound (but do virus scanning and iframe/script/codebase disarming etc) by a well-placed ruleset "whitelisting"... Obviously, what you can skip is up to your policy:-).
Might "lighten" the load a bit. Also, one could perhaps look a bit at "tightening down" the postfix "peak throttles", which usually are pretty forgiving. But you knew that;). > Thanks Glenn and Drew. Glad to be of help. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Tue Sep 12 08:38:00 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 12 08:38:49 2006 Subject: No logging in Solaris 9 (with workaround) - question? In-Reply-To: References: Message-ID: <450663D8.5000501@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 René Berber wrote: > René Berber wrote: > [snip] > >> eval { >> # if ($^O !~ /solaris|sunos|irix/i) { >> Sys::Syslog::setlogsock('udp'); >> # } # else { >> > [snip] > > My mistake, even if it works as shown above I should have changed it like this (I'm not sure about Irix or SunOS so it may still be wrong): > > eval { > if ($^O !~ /solaris|sunos|irix/i) { > Sys::Syslog::setlogsock('unix'); > } else { > Sys::Syslog::setlogsock('udp'); > } > } > Can other Solaris users comment on this please? - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFBmPYEfZZRxQVtlQRAjvgAJ4l7MRQkRTpgaAiR2Lmu2LUy0E1UwCdGJd2 Cwz4+e4d2y5CmMm/RvyAyrg= =C805 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Tue Sep 12 08:50:22 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 12 08:50:26 2006 Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0 In-Reply-To: <6026a0ab0609111926l3b1cea23ve4c365677a06bd78@mail.gmail.com> References: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com> <6026a0ab0609111828q67dcf20dr8aa6066b4420baaf@mail.gmail.com> <6026a0ab0609111926l3b1cea23ve4c365677a06bd78@mail.gmail.com> Message-ID: <223f97700609120050y485658b0o50b2cd78d5534370@mail.gmail.com> On 12/09/06, Zenith Tang wrote: > > I just found that if I change the directory to /opt/trend/isvw6/scan to > execute the command (as the Config.xml and Config.xml.bak is located in the > upper directory), the result will be positive. However, I still can't use it > to scan virus. > > # /usr/lib/MailScanner/trend-wrapper /opt/trend/isvw6/scan > /tmp > ISVW Scanner Starts.(TAG) > Scan : Initializing IPC ... > Scan : Scan register the process ... > Heartbeat Thread: Started. > Scan: Updating scan components... > Scan: Updating scan components in (Startup): Virus engine;Spam engine; > Scan : Initializing global engine setting... > Scan : Initializing thread pool ... 
> Creating thread pool sized of: [20] > Scan thread started: [-1207960656] > Scan thread started: [-1220543568] > Scan thread started: [-1231033424] > Scan thread started: [-1241523280] > Scan thread started: [-1258292304] > Scan thread started: [-1268782160] > Scan thread started: [-1281360976] > Scan thread started: [-1293943888] > Scan thread started: [-1308623952] > Scan thread started: [-1319113808] > Scan thread started: [-1333789776] > Scan thread started: [-1350566992] > Scan thread started: [-1361056848] > Scan thread started: [-1371546704] > Scan thread started: [-1386218576] > Scan thread started: [-1400898640] > Scan thread started: [-1413481552] > Scan thread started: [-1430258768] > Scan thread started: [-1440748624] > Scan thread started: [-1453327440] > > > I'm still not sure that is the right tool to use... (I never got the eval to install... It had issues with Mandriva:-)... What does a successful scan look like? What options do you have to make it less .... talkative? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From zenith.tang at gmail.com Tue Sep 12 09:04:53 2006 From: zenith.tang at gmail.com (Zenith Tang) Date: Tue Sep 12 09:04:56 2006 Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0 In-Reply-To: <223f97700609120050y485658b0o50b2cd78d5534370@mail.gmail.com> References: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com> <6026a0ab0609111828q67dcf20dr8aa6066b4420baaf@mail.gmail.com> <6026a0ab0609111926l3b1cea23ve4c365677a06bd78@mail.gmail.com> <223f97700609120050y485658b0o50b2cd78d5534370@mail.gmail.com> Message-ID: <6026a0ab0609120104s7f575e00h6851d0bd992ecbb1@mail.gmail.com> In SMB ver 5.0, the successful scan looks like below, but the result in SMB 6.0 is different. It just showed the message "Scan thread started". It seems that the method for virus scanning changed.
#/usr/lib/MailScanner/trend-wrapper /opt/trend/isvw /tmp/virus Virus Scanner v3.1, VSAPI v8.100-1002 Trend Micro Inc. 1996,1997 Pattern version 743 Pattern number 130877 Configuration: -e'{* Directory /tmp/virus /tmp/virus/virZGAOsay4F *** Scan error -92, file /tmp/virus/virZGAOsay4F *** Found virus WORM_BAGLE.GEN-3 in file /tmp/virus/virZGAOsay4F ============================== Directory: Searched : 1 File: Searched : 1 Scan : 1 Infected : 1 Infected : 1(Include files been compressed) Time: Start : 9/12/06 15:54:48 Stop : 9/12/06 15:54:48 Used : 00:00 2006/9/12, Glenn Steen : > > On 12/09/06, Zenith Tang wrote: > > > > I just found that if I change the directory to /opt/trend/isvw6/scan to > > execute the command (as the Config.xml and Config.xml.bak is located in > the > > upper directory), the result will be positive. However, I still can't > use it > > to scan virus. > > > > # /usr/lib/MailScanner/trend-wrapper /opt/trend/isvw6/scan > > /tmp > > ISVW Scanner Starts.(TAG) > > Scan : Initializing IPC ... > > Scan : Scan register the process ... > > Heartbeat Thread: Started. > > Scan: Updating scan components... > > Scan: Updating scan components in (Startup): Virus engine;Spam engine; > > Scan : Initializing global engine setting... > > Scan : Initializing thread pool ... 
> > Creating thread pool sized of: [20] > > Scan thread started: [-1207960656] > > Scan thread started: [-1220543568] > > Scan thread started: [-1231033424] > > Scan thread started: [-1241523280] > > Scan thread started: [-1258292304] > > Scan thread started: [-1268782160] > > Scan thread started: [-1281360976] > > Scan thread started: [-1293943888] > > Scan thread started: [-1308623952] > > Scan thread started: [-1319113808] > > Scan thread started: [-1333789776] > > Scan thread started: [-1350566992] > > Scan thread started: [-1361056848] > > Scan thread started: [-1371546704] > > Scan thread started: [-1386218576] > > Scan thread started: [-1400898640] > > Scan thread started: [-1413481552] > > Scan thread started: [-1430258768] > > Scan thread started: [-1440748624] > > Scan thread started: [-1453327440] > > > > > > > I'm still not sure that is the right tool to use... (I never got the > eval to install... It had issues with Mandriva:-)... What does a > successful scan look like? What options do you have to make it less > .... talkative? > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From shuttlebox at gmail.com Tue Sep 12 09:04:58 2006 From: shuttlebox at gmail.com (shuttlebox) Date: Tue Sep 12 09:05:34 2006 Subject: No logging in Solaris 9 (with workaround) - question?
In-Reply-To: <450663D8.5000501@ecs.soton.ac.uk> References: <450663D8.5000501@ecs.soton.ac.uk> Message-ID: <625385e30609120104h3294dc25s14e72d5e9c698ba@mail.gmail.com> On 9/12/06, Julian Field wrote: > Can other Solaris users comment on this please? I'm still on 4.50.15 but for a long time I've had to change the socket to udp in the Clam update wrapper or no logging will occur. # diff clamav-autoupdate.060210 clamav-autoupdate 27c27 < eval { Sys::Syslog::setlogsock('unix'); }; # This may fail! --- > eval { Sys::Syslog::setlogsock('udp'); }; # This may fail! # uname -a SunOS ajax.foo.se 5.9 Generic_118558-11 sun4u sparc SUNW,Sun-Fire-V210 -- /peter From martinh at solidstatelogic.com Tue Sep 12 09:22:24 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Sep 12 09:22:37 2006 Subject: allow password protected archives In-Reply-To: References: Message-ID: <45066E40.8010703@solidstatelogic.com> fname lname wrote: > I want my site to Allow password zip files and I have the setting set to: > > Allow Password-Protected Archives = yes > > but its is still blocking the zip files, how can i debug this or make > this work? > > Password protected file ./k8B4g895022532/1.zip/index.html > Virus Scanning: Sophos found 1 infections Hi this is Sophos blocking the attachment as it couldn't scan it, so to be safe its saying it's infected. In MailScanner.conf edit the setting "Allowed Sophos Error Messages" and make sure "Password protected file" is in the list... for example here's my setting for this.. 
Allowed Sophos Error Messages = "corrupt", "format not supported", "File was encrypted", "The main body of virus data is out of date", "Password protected file" (All in one line, in case it gets split by various email programs) -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From t.d.lee at durham.ac.uk Tue Sep 12 10:31:51 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Tue Sep 12 10:32:00 2006 Subject: List of variables for substitution in reports? In-Reply-To: References: Message-ID: On Tue, 5 Sep 2006, Jim Holland wrote: > On Thu, 31 Aug 2006, David Lee wrote: > > > Julian: The end of a typical report (e.g. "recipient.spam.report.txt") > > has a 'signature' such as: > > > > ----------- snip --------------- > > MailScanner > > Email Virus Scanner > > %org-long-name% > > %web-site% > > > > For all your IT requirements visit: http://www.transtec.co.uk > > ----------- snip --------------- > > > > Our site likes to keep local changes to a minimum, so we try to take your > > reports as they are. > > > > But that final advertisement line isn't appropriate for our site. (And I > > would guess that we probably aren't alone in this.) Having to chop it out > > means a lot of potentially unnecessary maintenance effort as new versions > > of MS go in and their potentially changed reports have to be checked and > > reconciled.
> > > > I can understand that you (as MS author) want to give recognition to one > > of your sponsors where reasonably possible. Fair enough; fine. > > > > So could I suggest that you introduce a new variable, such as %sponsor%, > > and use that in your reports. Your default value of %sponsor% could still > > be something about "transtec" (i.e. an untweaked install of MS would > > produce the same result as above). > > > > Supplementary: You might also introduce another variable, say %site-msg%, > > default value empty, which would allow a site to insert its own tag line > > (mission statement etc.) if it so chose. > > > > Hope that helps. (I'd be happy to try to beta-test this for you.) > > I understand your problem, and have the same view of it here. However I > think that this could just be left to the users themselves to sort out > rather than adding yet another option. The work involved in fixing it > yourself is negligible - just run a one-line script in the report > directory such as: > > perl -pi -e 's/For all your IT requirements visit.*//' * > or > perl -pi -e 's/For all your IT requirements visit.*/Our Mission Statement . . ./' * > > and if you want to avoid dealing with all the rpmnew report files > that would appear after an upgrade, just run this before the above in the > same directory: > > for file in *rpmnew; do mv -f $file `echo $file|sed s/.rpmnew//`; done > [...] Possible. But it still seems unnecessarily awkward. Julian tries (I understand) to make things "as reasonably easy as possible as reasonably often as possible for as reasonably many as possible". My suggestion that the inbuilt text: MailScanner thanks transtec Computers for their support becomes a %sponsor-msg%" or similar seems to fall into that category. Whether there is a separate "%site-msg%", is, in one sense a different issue. 
The main issue is about improved, but easy to drive, flexibility in the report signatures; about taking further the functionality already begun with the current "%org-long-name%" and "%web-site%". (Some folks might have asked for a highly tailorable ruleset here! I'm merely suggesting a settable "%...%" entity.) Julian: Any chance, please, of replacing the fixed text with a "%sponsor-msg"? I'd be happy to beta-test it in the current round and report back. Many thanks. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From drew at themarshalls.co.uk Tue Sep 12 12:24:13 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Tue Sep 12 12:24:34 2006 Subject: Hold queue question In-Reply-To: <223f97700609120026l633826c5q47645b6a0eb1a809@mail.gmail.com> References: <4501AD4E.4080401@trayerproducts.com> <223f97700609090136n55248d70tf2e2c52f0f9f268@mail.gmail.com> <13B0A382-2A50-4D02-978B-9FB763A3ADDF@themarshalls.co.uk> <223f97700609100307k47e75d87nedd4293aba228f98@mail.gmail.com> <45055DFC.8000108@trayerproducts.com> <223f97700609120026l633826c5q47645b6a0eb1a809@mail.gmail.com> Message-ID: <41983.194.70.180.170.1158060253.squirrel@www.technologytiger.net> On Tue, September 12, 2006 08:26, Glenn Steen wrote: >> > One could of course imagine a situation where messages are piling up, >> > and one would want to "fast-lane" that über-important message to the >> > CEO/PHB/> > is>, but ... there would be a certain risk that one would be "shooting >> > ones foot", so to speak:-). >> > >> >> The reason I asked was because messages were piling up in the queue, as >> you said, and I thought of using postsuper to release >> a few messages from the hold queue. I wasn't really sure whether or not >> they were bypassing MS. The messages were actually >> just mail from local user to another local user so I knew that they were >> good.
> > You might consider not doing all scanning for "local" users then. For > example: I don't do SA on outbound (but do virus scanning and > iframe/script/codebase disarming etc) by a well-placed ruleset > "whitelisting"... Obviously, what you can skip is up to your > policy:-). Might "lighten" the load a bit. Also, one could perhaps > look a bit at "tightening down" the postfix "peak throttles", which > usually are pretty forgiving. But you knew that;). You also might want to have a play with your batch sizes and number of children as that will often yield some speed results depending on your type of mail (Average size, volumes etc). I would also have a look at what (If anything, for the benefit of Glenn!) you can reject at smtp stage via RBL or sender/ recipient verification, grey listing etc. Remember this doesn't have to be blanket either, Postfix is pretty flexible, for example I sender verify based on client connection. So if a client that has no PTR record (Or a mismatch) or a ptr that suggests they are on a dsl or dial up connection the envelope from address is verified. I know that doesn't mean it's not spam but it does reduce the rubbish Hotmail/ Yahoo and bank fraud messages. > >> Thanks Glenn and Drew. > > Glad to be of help. Likewise. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From bgmahesh at gmail.com Tue Sep 12 12:45:59 2006 From: bgmahesh at gmail.com (BG Mahesh) Date: Tue Sep 12 12:46:03 2006 Subject: Numerical links warning - how to stop it Message-ID: <5227ac5c0609120445i329c3f01h2b077fdecbd670c3@mail.gmail.com> hi When I receive emails internally in my office they use URLs of type http://192.4.68.45/browse/abc.jsp They don't link it but just include the URL. But Mailscanner doesn't like it. How do I stop MS from complaining about this?
But I do want MS to complain when the text is something like abc.com but the href is a numerical link. -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds From matt at coders.co.uk Tue Sep 12 12:54:31 2006 From: matt at coders.co.uk (Matt Hampton) Date: Tue Sep 12 12:54:52 2006 Subject: No Message Collected In-Reply-To: <20060911132621.r359rxxkt5340swc@webmail.itu.edu.tr> References: <20060911132621.r359rxxkt5340swc@webmail.itu.edu.tr> Message-ID: <45069FF7.1070101@coders.co.uk> Hakan VELIOGLU wrote: > Hi, > > I got a problem with MailScanner. It seems that MailScanner process same e-mail > for two times. When the first process has finished and the mail delivered, then > MailScanner cleans the spool files of that mail. For this reason the second > process couldn't find any spool file and sends a mail whose body is just <<< > No Message Collected >>> > > I couldn't find a solution for this double processing. http://www.mailscanner.info/MailScanner.conf.index.html#Lock%20Type From michele at blacknight.ie Tue Sep 12 13:27:23 2006 From: michele at blacknight.ie (Michele Neylon :: Blacknight Solutions) Date: Tue Sep 12 13:27:37 2006 Subject: Numerical links warning - how to stop it In-Reply-To: <5227ac5c0609120445i329c3f01h2b077fdecbd670c3@mail.gmail.com> Message-ID: <00c401c6d666$cc9409e0$e3f31151@arthur> Check the configuration in MailScanner.conf There are specific settings for the phishing detection which you can tweak to suit your requirements / preferences Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax.
+353 (0) 59 9164239 From glenn.steen at gmail.com Tue Sep 12 14:36:52 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 12 14:36:56 2006 Subject: Using MailScanner with Trend Micro Interscan Viruswall for SMB 6.0 In-Reply-To: <6026a0ab0609120104s7f575e00h6851d0bd992ecbb1@mail.gmail.com> References: <6026a0ab0609012229l4eb50811s55e196cb8704477d@mail.gmail.com> <6026a0ab0609111828q67dcf20dr8aa6066b4420baaf@mail.gmail.com> <6026a0ab0609111926l3b1cea23ve4c365677a06bd78@mail.gmail.com> <223f97700609120050y485658b0o50b2cd78d5534370@mail.gmail.com> <6026a0ab0609120104s7f575e00h6851d0bd992ecbb1@mail.gmail.com> Message-ID: <223f97700609120636k28ea66a4hf5d40b165796e67b@mail.gmail.com> On 12/09/06, Zenith Tang wrote: > > In SMB ver 5.0, the successful scan look like below, but the result in SMB > 6.0 is different. It just showed the message "Scan thread started". It seems > that the method for virus scanning changed. > > #/usr/lib/MailScanner/trend-wrapper /opt/trend/isvw > /tmp/virus > > Virus Scanner v3.1, VSAPI v8.100-1002 > Trend Micro Inc. 1996,1997 > Pattern version 743 > Pattern number 130877 > Configuration: -e'{* > Directory /tmp/virus > /tmp/virus/virZGAOsay4F > *** Scan error -92, file /tmp/virus/virZGAOsay4F > *** Found virus WORM_BAGLE.GEN-3 in file /tmp/virus/virZGAOsay4F > > > ============================== > Directory: > Searched : 1 > File: > Searched : 1 > Scan : 1 > Infected : 1 > Infected : 1(Include files been compressed) > Time: > Start : 9/12/06 15:54:48 > Stop : 9/12/06 15:54:48 > Used : 00:00 > > > Yes, well.... I was thinking more of what it looks like when run by itself, not through the wrapper. Anyway, I can now confirm that this is the wrong product. I repeat: This is the wrong product, to use with MailScanner. This is a webified Mail (SMTP), Web (HTTP) and FTP _proxy server_. 
One could say that it in many ways is a replacement for MailScanner (with a less complete feature set, in regard to email, and more complete in another, since it handles web and ftp too). The product it has replaced might have contained the on-demand command line scanner, but this one doesn't. The isvw-scan you've found is the "background scanning server" that isvw-http, isvw-ftp and isvw-smtp use to perform their scans (kind of like how spamc/spamd works). How I know? Well, I tricked the installer a bit, so that it deigned to install on my Mandriva 2006.0 testbed... And from there on, it's just a question of using ones eyes:-):-). Look at the fileserver package I mentioned before... That might be the one to use. I haven't confirmed that though (yet!:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From alex at nkpanama.com Tue Sep 12 14:38:29 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Sep 12 14:38:48 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: References: <4502E70F.9010308@nkpanama.com> <45042713.6030408@osubucks.org> Message-ID: <4506B855.5050008@nkpanama.com> Res wrote: > On Sun, 10 Sep 2006, Chris Sweeney wrote: > >> I use a shared database on all my MX machines that share the greylist >> data. Once a site has gone through the process its allowed to pass >> future mails without the delay. The list stays valid for a week, so >> users who get mail regularly from the same places will not be affected >> by the delay and it still does it job of stopping zombie machines. It >> also still allows the mail to be received after the set delay period no >> matter what MX the mail goes to. > > That is an interesting approach and does make sense, but how many out > there actually bother to go to this trouble? not many I'd say. > > I do... 
:D From dave.list at pixelhammer.com Tue Sep 12 15:08:58 2006 From: dave.list at pixelhammer.com (DAve) Date: Tue Sep 12 15:09:13 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <4506B855.5050008@nkpanama.com> References: <4502E70F.9010308@nkpanama.com> <45042713.6030408@osubucks.org> <4506B855.5050008@nkpanama.com> Message-ID: <4506BF7A.6080602@pixelhammer.com> Alex Neuman van der Hans wrote: > Res wrote: >> On Sun, 10 Sep 2006, Chris Sweeney wrote: >> >>> I use a shared database on all my MX machines that share the greylist >>> data. Once a site has gone through the process its allowed to pass >>> future mails without the delay. The list stays valid for a week, so >>> users who get mail regularly from the same places will not be affected >>> by the delay and it still does it job of stopping zombie machines. It >>> also still allows the mail to be received after the set delay period no >>> matter what MX the mail goes to. >> >> That is an interesting approach and does make sense, but how many out >> there actually bother to go to this trouble? not many I'd say. >> >> > I do... :D Yep, as previously stated milter greylist makes this a no brainer and is why we chose it. Works beautifully. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From ssilva at sgvwater.com Tue Sep 12 17:02:51 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Sep 12 17:04:26 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: Res spake the following on 9/11/2006 5:02 PM: > On Mon, 11 Sep 2006, Scott Silva wrote: > >> What an evil person has to do is send an e-mail to your autoresponder >> with the >> spamtrap's address spoofed as the reply-to address or the from address. 
> > it looks for the envelope sender in received lines, don't be foolish to > think SC don't know about forged From's, that's been around for almost as > long as Email has > All they have to do is get your system to bounce the message. If they happen to know where the spamtrap is, and you don't, then you really have no way of catching it. As simple as this; Mailfrom Spoofed spamtrap address mailto nonexistent user@yourdomain Your server bounces with no user by that name because RFC's say you are supposed to bounce it. You are slammed into a spamcop blacklist. Unless spamcop has gotten smart enough to screen out bounces, which they didn't do when I got hit. Or you have some mechanism of verifying the sender (milter-sender or some equivalent). Yes, I'm not just a ranter, I'm also a victim. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From drew at themarshalls.co.uk Tue Sep 12 17:27:39 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Tue Sep 12 17:27:56 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: <43406.194.70.180.170.1158078459.squirrel@www.technologytiger.net> On Tue, September 12, 2006 17:02, Scott Silva wrote: > All they have to do is get your system to bounce the message. If they > happen > to know where the spamtrap is, and you don't, then you really have no way > of > catching it. > As simple as this; > Mailfrom Spoofed spamtrap address > mailto nonexistent user@yourdomain > > Your server bounces with no user by that name because RFC's say you are > supposed to bounce it. > > You are slammed into a spamcop blacklist. > > Unless spamcop has gotten smart enough to screen out bounces, which they > didn't do when I got hit. Or you have some mechanism of verifying the > sender > (milter-sender or some equivalent). Yes, I'm not just a ranter, I'm also a > victim.
Some would argue should you even be accepting mail for non-existent users? If you reject these at SMTP stage then it's not your relay that does the bouncing and therefore not your problem :-) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From alex at nkpanama.com Tue Sep 12 17:29:05 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Sep 12 17:29:16 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: <4506E051.10104@nkpanama.com> Scott Silva wrote: > Your server bounces with no user by that name because RFC's say you are > supposed to bounce it. Are you sure you're supposed to "take it all in and then bounce it"? I'm not sure you're *required* to "take it all in"; IIRC you always have the right to reject it at the MTA level, right? From Kevin_Miller at ci.juneau.ak.us Tue Sep 12 17:29:51 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Sep 12 17:29:54 2006 Subject: MailScanner init script Message-ID: Looking over the init script, I see both restart and try-restart. What's the difference? One is all on one line and the other spans multiple lines, but other than that they're identical. So why are both in there? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From rgreen at trayerproducts.com Tue Sep 12 17:57:15 2006 From: rgreen at trayerproducts.com (Green, Rodney) Date: Tue Sep 12 17:58:30 2006 Subject: OT: SMTP Test Script Message-ID: <4506E6EB.4030306@trayerproducts.com> Hello, Does anyone know of a script that will test an SMTP server and emulate different clients/servers connecting to it and issuing commands?
Thanks, Rod -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ajin at ucalgary.ca Tue Sep 12 18:11:32 2006 From: ajin at ucalgary.ca (Amy Jin) Date: Tue Sep 12 18:11:38 2006 Subject: Problem with the dangerous content check Message-ID: <4506EA44.1040708@ucalgary.ca> Hi everyone, We are using MailScanner version 4.53.6. Most of the time it works well . In order to invoke filename check, we set "dangerous content check = yes", but we met the followed problems with this option several times: we found the MailScanner hung up, we didn't know exactly what check was causing the problem, but after we set this option to 'no', it worked again. Is there anyone has the same problem with dangerous content check? And is there a way to have filename checked without this option? Regards. Amy Jin From prandal at herefordshire.gov.uk Tue Sep 12 18:26:59 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Sep 12 18:27:26 2006 Subject: Problem with the dangerous content check Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580F3748E8@isabella.herefordshire.gov.uk> Update to the latest stable version of MailScanner. It could be the loop in the Phishing detection logic which was fixed in 4.53.8 which is causing you your problems. "5/5/2006 -Released stable version 4.53.8. Many apologies, there has been discovery of a bug in the phishing net which may cause problems on some systems. Unfortunately this bug was not detected during beta testing. It warrants the publication of a new "stable" release, I am very sorry to have to do this to you." 
Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Amy Jin > Sent: 12 September 2006 18:12 > To: mailscanner@lists.mailscanner.info > Subject: Problem with the dangerous content check > > Hi everyone, > > We are using MailScanner version 4.53.6. Most of the time it > works well . > > In order to invoke filename check, we set "dangerous content check = > yes", but we met the followed problems with this option > several times: > we found the MailScanner hung up, we didn't know exactly what > check was > causing the problem, but after we set this option to 'no', it > worked again. > Is there anyone has the same problem with dangerous content > check? And > is there a way to have filename checked without this option? > > Regards. > Amy Jin > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From bpumphrey at woodmclaw.com Tue Sep 12 18:29:46 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Tue Sep 12 18:29:49 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <4506EA44.1040708@ucalgary.ca> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> How do you fix this problem? I really do not know even where to start with it. Thank you Banner: WoodenMS2.woodmaclaw.local ESMTP Sendmail 8.13.1/8.13.1; Tue, 12 Sep 2006 12:48:02 -0400 [47 ms] Connect Time: 0.031 seconds - Good Transaction Time: 0.281 seconds - Good Relay Check: OK - This server is not an open relay. 
Rev DNS Check: OK - 68.74.55.130 resolves to 68-74-55-130.ded.ameritech.net GeoCode Info: Geocoding server is unavailable Session Transcript: HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx 501 5.0.0 Invalid domain name [31 ms] Or at dnsreport.com WARN Mail server host name in greeting WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record. MAIL.woodmclaw.com claims to be non-existent host WoodenMS2.woodmaclaw.local: 220 WoodenMS2.woodmaclaw.local ESMTP Sendmail 8.13.1/8.13.1; Tue, 12 Sep 2006 12:51:21 -0400 From naolson at gmail.com Tue Sep 12 18:40:34 2006 From: naolson at gmail.com (Nathan Olson) Date: Tue Sep 12 18:40:36 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> References: <4506EA44.1040708@ucalgary.ca> <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> Message-ID: <8f54b4330609121040t75d6638ft4d76ecfab1d44d2c@mail.gmail.com> errr. .local? Nate From naolson at gmail.com Tue Sep 12 18:41:05 2006 From: naolson at gmail.com (Nathan Olson) Date: Tue Sep 12 18:41:07 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> References: <4506EA44.1040708@ucalgary.ca> <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> Message-ID: <8f54b4330609121041g3240300fr5b7056f37b1c095b@mail.gmail.com> Do you have split DNS? 
Nate From michele at blacknight.ie Tue Sep 12 18:41:17 2006 From: michele at blacknight.ie (Michele Neylon :: Blacknight.ie) Date: Tue Sep 12 18:41:24 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> Message-ID: <4506F13D.4070903@blacknight.ie> It looks like your mailserver's greeting is incorrect. What's the MTA? -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From naolson at gmail.com Tue Sep 12 18:49:36 2006 From: naolson at gmail.com (Nathan Olson) Date: Tue Sep 12 18:49:39 2006 Subject: OT: SMTP Test Script In-Reply-To: <4506E6EB.4030306@trayerproducts.com> References: <4506E6EB.4030306@trayerproducts.com> Message-ID: <8f54b4330609121049m358f6451n29add2c02e3943b0@mail.gmail.com> You could try roundhouse. http://www.snertsoft.com/sendmail/roundhouse/ Nate From ssilva at sgvwater.com Tue Sep 12 18:49:22 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Sep 12 18:50:07 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <4506E051.10104@nkpanama.com> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <4506E051.10104@nkpanama.com> Message-ID: Alex Neuman van der Hans spake the following on 9/12/2006 9:29 AM: > Scott Silva wrote: > >> Your server bounces with no user by that name because RFC's say you are >> supposed to bounce it. > > Are you sure you're supposed to "take it all in and then bounce it"? I'm > not sure you're *required* to "take it all in"; IIRC you always have the > right to reject it at the MTA level, right? Alex, you and Drew are both right! I guess I should visit the coffee pot before I start reading the list!! 
;-) I got it when my secondary MX accepted the message and then bounced it when the primary rejected it. I am currently trying to get mimedefang going on them to do call-aheads. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Sep 12 19:04:17 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Sep 12 19:06:16 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> References: <4506EA44.1040708@ucalgary.ca> <04D932B0071FE34FA63EBB1977B48D1501A39800@woodenex.woodmaclaw.local> Message-ID: Billy A. Pumphrey spake the following on 9/12/2006 10:29 AM: > How do you fix this problem? I really do not know even where to start > with it. Thank you > > Banner: WoodenMS2.woodmaclaw.local ESMTP Sendmail 8.13.1/8.13.1; Tue, 12 > Sep 2006 12:48:02 -0400 [47 ms] > Connect Time: 0.031 seconds - Good > Transaction Time: 0.281 seconds - Good > Relay Check: OK - This server is not an open relay. > Rev DNS Check: OK - 68.74.55.130 resolves to > 68-74-55-130.ded.ameritech.net > GeoCode Info: Geocoding server is unavailable > Session Transcript: HELO mxtoolbox.com - DIAGNOSTIC TEST - See > http://www.mxtoolbox.com/Policy.aspx > 501 5.0.0 Invalid domain name [31 ms] This one is your server replying to their bad helo "HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx" Everything after the mxtoolbox.com is invalid. > Or at dnsreport.com > > WARN Mail server host name in greeting WARNING: One or more of your > mailservers is claiming to be a host other than what it really is (the > SMTP greeting should be a 3-digit code, followed by a space or a dash, > then the host name). If your mailserver sends out E-mail using this > domain in its EHLO or HELO, your E-mail might get blocked by anti-spam > software. This is also a technical violation of RFC821 4.3 (and RFC2821 > 4.3.1). 
Note that the hostname given in the SMTP greeting should have an > A record pointing back to the same server. Note that this one test may > use a cached DNS record. > > MAIL.woodmclaw.com claims to be non-existent host > WoodenMS2.woodmaclaw.local: > 220 WoodenMS2.woodmaclaw.local ESMTP Sendmail 8.13.1/8.13.1; Tue, 12 Sep > 2006 12:51:21 -0400 Don't have the .local in your hostname. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From larskman at gmail.com Tue Sep 12 19:35:10 2006 From: larskman at gmail.com (fname lname) Date: Tue Sep 12 19:35:15 2006 Subject: allow password protected archives In-Reply-To: <45066E40.8010703@solidstatelogic.com> References: <45066E40.8010703@solidstatelogic.com> Message-ID: tnx, yup.... you where right! On 9/12/06, Martin Hepworth wrote: > fname lname wrote: > > I want my site to Allow password zip files and I have the setting set to: > > > > Allow Password-Protected Archives = yes > > > > but its is still blocking the zip files, how can i debug this or make > > this work? > > > > Password protected file ./k8B4g895022532/1.zip/index.html > > Virus Scanning: Sophos found 1 infections > Hi > > this is Sophos blocking the attachment as it couldn't scan it, so to be > safe its saying it's infected. > > In MailScanner.conf edit the setting "Allowed Sophos Error Messages" and > make sure "Password protected file" is in the list... for example here's > my setting for this.. 
> > Allowed Sophos Error Messages = "corrupt", "format not supported", "File > was encrypted", "The main body of virus data is out of date", "Password > protected file" > > (All in one line, in case in gets split buy various email programs) > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From bpumphrey at woodmclaw.com Tue Sep 12 19:51:59 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Tue Sep 12 19:52:02 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <4506F13D.4070903@blacknight.ie> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501A39884@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Michele Neylon :: > Blacknight.ie > Sent: Tuesday, September 12, 2006 12:41 PM > To: MailScanner discussion > Subject: Re: OT: Invalid domain name during SMTP test > > It looks like your mailserver's greeting is incorrect. > What's the MTA? > > -- > Mr Michele Neylon > Blacknight Solutions > Quality Business Hosting & Colocation > http://www.blacknight.ie/ > Tel. 1850 927 280 > Intl. 
+353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Fax. +353 (0) 59 9164239 > -- MTA is sendmail 8.13.1 From bpumphrey at woodmclaw.com Tue Sep 12 19:54:17 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Tue Sep 12 19:54:21 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <8f54b4330609121041g3240300fr5b7056f37b1c095b@mail.gmail.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501A3988A@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Nathan Olson > Sent: Tuesday, September 12, 2006 12:41 PM > To: MailScanner discussion > Subject: Re: OT: Invalid domain name during SMTP test > > Do you have split DNS? > > Nate If I understand what split DNS is, yes I do. The DNS is configured to resolve with the local Windows DNS server, then if the windows server does not know the lookup, it will query the internet. From mailscanner at yeticomputers.com Tue Sep 12 19:59:05 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Tue Sep 12 19:59:17 2006 Subject: Autoresponder Evils? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: <45070379.1020507@yeticomputers.com> John Rudd wrote (in the thread: Spamcop.net RBL blocking emails by mistake?): > - autoresponders aren't evil, Of course not, not an absolute evil. But if your autoresponder responds to mail from the internet, sending automatic replies to any address it sees in the "From:" header, then *your* autoresponder *is* evil - and should be banned. I don't know how you're set up, but if it's possible to flood a third party by firing off a bunch of forged messages to your mail server, you're set up wrong. 
I've seen quite a few people so adamant in their defense of autoresponders that they don't bother trying to make one that does its job without burdening the rest of the 'net for the convenience of the operator. What about those automatic spam detection messages that I've been fighting with increasing frequency? Not long ago I got saturated by a ton of "Your message was rejected because it's spam" automated messages. There was no reason for me to have been sent those - the domain in question has a published SPF record and the spam clearly did not come from an authorized IP address. There's no reason for those messages in the first place - virtually *all* spam comes from a forged address. But no... Some idiot somewhere wants to be sure that if *his* important, legitimate email gets rejected the person who sent it will be notified. As long as *he* isn't inconvenienced, everything is fine. Never mind the fact that he's become a spammer himself and is inconveniencing thousands of other people - his own problem is solved. Challenge-response? Same thing. Bogus virus warnings? Ditto. And, usually, out-of-office and information autoresponders fall into the same category. A significant percentage of the unwanted email that gets through my filters comes from autoresponders of one kind or another. Perhaps yours is properly configured and shouldn't be banned... That would be a nice change from what I normally see. Rick From drew at themarshalls.co.uk Tue Sep 12 20:06:10 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Tue Sep 12 20:06:21 2006 Subject: Spamcop.net RBL blocking emails by mistake? 
In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <4506E051.10104@nkpanama.com> Message-ID: <70C64BF5-1297-4CED-9718-7A874984294E@themarshalls.co.uk> On 12 Sep 2006, at 18:49, Scott Silva wrote: > Alex Neuman van der Hans spake the following on 9/12/2006 9:29 AM: >> Scott Silva wrote: >> >>> Your server bounces with no user by that name because RFC's say >>> you are >>> supposed to bounce it. >> >> Are you sure you're supposed to "take it all in and then bounce >> it"? I'm >> not sure you're *required* to "take it all in"; IIRC you always >> have the >> right to reject it at the MTA level, right? > Alex, you and Drew are both right! I guess I should visit the > coffee pot > before I start reading the list!! ;-) > I got it when my secondary MX accepted the message and then bounced > it when > the primary rejected it. I am currently trying to get mimedefang > going on them > to do call-aheads. Remind me, which MTA are you running? -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From bpumphrey at woodmclaw.com Tue Sep 12 20:10:25 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Tue Sep 12 20:10:29 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D1501A39899@woodenex.woodmaclaw.local> > > Or at dnsreport.com > > > > WARN Mail server host name in greeting WARNING: One or more of your > > mailservers is claiming to be a host other than what it really is (the > > SMTP greeting should be a 3-digit code, followed by a space or a dash, > > then the host name). If your mailserver sends out E-mail using this > > domain in its EHLO or HELO, your E-mail might get blocked by anti-spam > > software. This is also a technical violation of RFC821 4.3 (and RFC2821 > > 4.3.1). 
Note that the hostname given in the SMTP greeting should have an > > A record pointing back to the same server. Note that this one test may > > use a cached DNS record. > > > > MAIL.woodmclaw.com claims to be non-existent host > > WoodenMS2.woodmaclaw.local: > > 220 WoodenMS2.woodmaclaw.local ESMTP Sendmail 8.13.1/8.13.1; Tue, 12 Sep > > 2006 12:51:21 -0400 > Don't have the .local in your hostname. > So you are suggesting just WoodenMS2.woodmaclaw? I need to also change it to WoodenMS2.Woodmclaw Right now I did hostname WoodenMS2.Woodmclaw and now the hostname command reads it as that. From drew at themarshalls.co.uk Tue Sep 12 20:28:48 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Tue Sep 12 20:28:57 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501A39899@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501A39899@woodenex.woodmaclaw.local> Message-ID: <05AD939D-C274-4D46-ACA6-F505718F1A24@themarshalls.co.uk> On 12 Sep 2006, at 20:10, Billy A. Pumphrey wrote: > So you are suggesting just WoodenMS2.woodmaclaw? I need to also > change > it to WoodenMS2.Woodmclaw > > Right now I did hostname WoodenMS2.Woodmclaw and now the hostname > command reads it as that. No, your server should announce it's self as it's FQDN as described in your MX records so: Your MX record is MAIL.woodmclaw.com so your SMTP greeting should be mail.woodmclaw.com and indeed you should also ask the person who manages your IP address (Usually your ISP) to set a PTR against your IP address 68.74.55.130 to provide 'reverse resolution' to mail.woodmclaw.com. I would also suggest you might want to consider a secondary MX, just in case... Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
www.themarshalls.co.uk/policy From drew at themarshalls.co.uk Tue Sep 12 20:53:27 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Tue Sep 12 20:53:43 2006 Subject: OT: Invalid domain name during SMTP test In-Reply-To: <05AD939D-C274-4D46-ACA6-F505718F1A24@themarshalls.co.uk> References: <04D932B0071FE34FA63EBB1977B48D1501A39899@woodenex.woodmaclaw.local> <05AD939D-C274-4D46-ACA6-F505718F1A24@themarshalls.co.uk> Message-ID: <5817AFF7-0096-40D9-BBCA-F3DA511C10A0@themarshalls.co.uk> On 12 Sep 2006, at 20:28, Drew Marshall wrote: > > On 12 Sep 2006, at 20:10, Billy A. Pumphrey wrote: > >> So you are suggesting just WoodenMS2.woodmaclaw? I need to also >> change >> it to WoodenMS2.Woodmclaw >> >> Right now I did hostname WoodenMS2.Woodmclaw and now the hostname >> command reads it as that. > > No, your server should announce it's self as it's FQDN as described > in your MX records so: > > Your MX record is MAIL.woodmclaw.com so your SMTP greeting should > be mail.woodmclaw.com and indeed you should also ask the person who > manages your IP address (Usually your ISP) to set a PTR against > your IP address 68.74.55.130 to provide 'reverse resolution' to > mail.woodmclaw.com. > > I would also suggest you might want to consider a secondary MX, > just in case... > I probably ought to add that what you get Sendmail to announce it's self as and what you call your machine (Host name) doesn't have to be the same thing (Or at least it certainly doesn't with Postfix and I have no doubt there is a similar option in Sendmail). -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From r.berber at computer.org Tue Sep 12 21:04:25 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Tue Sep 12 21:05:00 2006 Subject: No logging in Solaris 9 (with workaround) - question? 
In-Reply-To: <450663D8.5000501@ecs.soton.ac.uk>
References: <450663D8.5000501@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> René Berber wrote:
[snip]
>>> eval {
>>>   if ($^O !~ /solaris|sunos|irix/i) {
>>>     Sys::Syslog::setlogsock('unix');
>>>   } else {
>>>     Sys::Syslog::setlogsock('udp');
>>>   }
>>> }
>>>
> Can other Solaris users comment on this please?

Testing other Solaris servers:

Solaris 8 / perl 5.6.1(AS) / doesn't work as above, it works with commented else
Solaris 9 / perl 5.8.0 / works both ways (as above and commented out else)
Solaris 10 / perl 5.8.4 / works both ways (as above and commented out else)

The second test contradicts my original findings, I had no logging until I
changed the code but it should have worked with no setlogsock.
--
René Berber

From jethro.binks at strath.ac.uk Tue Sep 12 21:26:42 2006
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Tue Sep 12 21:26:45 2006
Subject: Autoresponder Evils?
In-Reply-To: <45070379.1020507@yeticomputers.com>
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <45070379.1020507@yeticomputers.com>
Message-ID: <20060912211925.A25554@defjam.cc.strath.ac.uk>

On Tue, 12 Sep 2006, Rick Chadderdon wrote:

> John Rudd wrote (in the thread: Spamcop.net RBL blocking emails by
> mistake?):
> > - autoresponders aren't evil,
>
> Of course not, not an absolute evil. But if your autoresponder responds
> to mail from the internet, sending automatic replies to any address it
> sees in the "From:" header, then *your* autoresponder *is* evil - and
> should be banned. I don't know how you're set up, but if it's possible
> to flood a third party by firing off a bunch of forged messages to your
> mail server, you're set up wrong. I've seen quite a few people so
> adamant in their defense of autoresponders that they don't bother trying
> to make one that does its job without burdening the rest of the 'net for
> the convenience of the operator.

Well, since you asked.
Most sensible autoresponders will only send one message within a period of time to a particular correspondent, so 'flooding' one correspondent is impossible (from one autoresponder anyway). If you want to design a sensible autoresponder, then go read this page which I contributed substantially to. It is written with Exim in mind, but the general principles are applicable to any rationally-configurable MTA (or one which could run a program to do these checks at SMTP-time): http://www.exim.org/eximwiki/EximAutoReply > And, usually, out-of-office and information autoresponders fall into the > same category. A significant percentage of the unwanted email that gets > through my filters comes from autoresponders of one kind or another. > Perhaps yours is properly configured and shouldn't be banned... That > would be a nice change from what I normally see. Autoresponders will never go away, and there is no reason why they should. However we can significantly minimise their adverse effects by performing checks such as those detailed above. Happy to hear of other suggestions for checks. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From ssilva at sgvwater.com Tue Sep 12 21:32:31 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Sep 12 21:34:16 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <70C64BF5-1297-4CED-9718-7A874984294E@themarshalls.co.uk> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <4506E051.10104@nkpanama.com> <70C64BF5-1297-4CED-9718-7A874984294E@themarshalls.co.uk> Message-ID: Drew Marshall spake the following on 9/12/2006 12:06 PM: > > On 12 Sep 2006, at 18:49, Scott Silva wrote: > >> Alex Neuman van der Hans spake the following on 9/12/2006 9:29 AM: >>> Scott Silva wrote: >>> >>>> Your server bounces with no user by that name because RFC's say you are >>>> supposed to bounce it. 
>>> >>> Are you sure you're supposed to "take it all in and then bounce it"? I'm >>> not sure you're *required* to "take it all in"; IIRC you always have the >>> right to reject it at the MTA level, right? >> Alex, you and Drew are both right! I guess I should visit the coffee pot >> before I start reading the list!! ;-) >> I got it when my secondary MX accepted the message and then bounced it >> when >> the primary rejected it. I am currently trying to get mimedefang going >> on them >> to do call-aheads. > > Remind me, which MTA are you running? Sendmail. I just happily started watching mimedefang drop unknown users on the backup MX's. HAHAHAHAHAHAHAHA spammers!!!!! -- Insert /postfix/qmail/exim/ is better below -- -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From postmaster at sitecastle.com Tue Sep 12 21:58:20 2006 From: postmaster at sitecastle.com (Sitecastle Business Hosting) Date: Tue Sep 12 21:59:21 2006 Subject: Is there a way to have MailScanner rewrite the from: field of a tagged message? Message-ID: <000001c6d6ae$2e51e390$3c0a0a0a@neonet.local> I have MailScanner configured to attach the original message to the report email. I do not want the report email to use the original from address. Is there a way in the MailScanner configuration to rewrite the from field on tagged messages only? Thanks, Ben -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060912/81a7d552/attachment.html

From r.berber at computer.org Tue Sep 12 22:29:56 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Tue Sep 12 22:30:28 2006
Subject: OT: Invalid domain name during SMTP test
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501A3988A@woodenex.woodmaclaw.local>
References: <8f54b4330609121041g3240300fr5b7056f37b1c095b@mail.gmail.com> <04D932B0071FE34FA63EBB1977B48D1501A3988A@woodenex.woodmaclaw.local>
Message-ID:

Billy A. Pumphrey wrote:
>> -----Original Message-----
>>
>> Do you have split DNS?
>>
>> Nate
>
> If I understand what split DNS is, yes I do. The DNS is configured to
> resolve with the local Windows DNS server, then if the windows server
> does not know the lookup, it will query the internet.

No, split view DNS means you see a local IP address from your LAN and you see
the Internet address from outside (for the name of your mail server). The
above comment probably means that you can see different names too, but it
makes no sense to me, something like server.domain.local from inside and just
server.domain from outside... for the same IP address?

Anyway, the original problem is probably in /etc/hosts or hostname, not in
DNS. You have to see where your mail server gets its name from, with sendmail
the commands:

    echo '$=R' | sendmail -bt -d0.10

will show you the name (Canonical name) and domain info among other things.
--
René Berber

From ugob at camo-route.com Tue Sep 12 22:31:11 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Sep 12 22:31:32 2006
Subject: Slow completewhois dnsbl?
Message-ID:

I use some completewhois dnsbl on some servers, and one of them had the
incoming mail queue growing today. I checked, and when I checked the size of
the incoming mail queue, I got many

(dnsbl map: lookup (194.193.167.63.hijacked.dnsiplists.comple)

The dnsbl location is hijacked.dnsiplists.completewhois.com'

Anyone getting this?
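
Added example (not code from the list or from any poster): a Python check for the points raised in the "Invalid domain name during SMTP test" thread above, namely the 220 greeting format, a greeting name that is a public FQDN with an A record pointing back to the server, a PTR that matches it, and a HELO with a single domain argument. All function names and the ZONE_* tables are assumptions; the host names, IP address and PTR are the ones quoted in the thread, and the A record for mail.woodmclaw.com is constructed so the example runs offline.

```python
"""Audit an SMTP 220 greeting against DNS. Added example, not list code."""
import re
import socket

# Illustrative, not exhaustive: suffixes that do not exist in public DNS.
PRIVATE_SUFFIXES = (".local", ".localdomain", ".lan", ".internal", ".invalid", ".test")
BANNER_RE = re.compile(r"^(\d{3})[ -](\S+)")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_banner(line):
    """Return (code, hostname) from a greeting line, or None if malformed."""
    m = BANNER_RE.match(line.strip())
    return (int(m.group(1)), norm(m.group(2))) if m else None

def valid_domain_syntax(name):
    """True when every dot-separated label is a legal hostname label."""
    labels = norm(name).split(".")
    return len(name) <= 253 and all(LABEL_RE.match(label) for label in labels)

def is_public_fqdn(name):
    """Dotted, valid syntax, not an IP address, not a private-only suffix."""
    name = norm(name)
    labels = name.split(".")
    return (valid_domain_syntax(name) and len(labels) >= 2
            and not labels[-1].isdigit() and not name.endswith(PRIVATE_SUFFIXES))

def helo_argument_ok(command):
    """HELO/EHLO carries exactly one argument: a domain or a [literal]."""
    parts = command.split()
    if len(parts) != 2 or parts[0].upper() not in ("HELO", "EHLO"):
        return False
    arg = parts[1]
    return (arg.startswith("[") and arg.endswith("]")) or valid_domain_syntax(arg)

def dns_a(name):
    """Live A lookup; returns a set of address strings (empty on failure)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def dns_ptr(ip):
    """Live PTR lookup; returns the name, or None when there is no record."""
    try:
        return norm(socket.gethostbyaddr(ip)[0])
    except OSError:
        return None

def audit_greeting(banner, peer_ip, mx_name, resolve_a=dns_a, resolve_ptr=dns_ptr):
    """Return a list of findings; an empty list means greeting and DNS agree."""
    parsed = parse_banner(banner)
    if parsed is None:
        return ["greeting is not '<3-digit code><space or dash><host name>'"]
    code, host = parsed
    findings = []
    if code != 220:
        findings.append(f"greeting code is {code}, expected 220")
    if not is_public_fqdn(host):
        findings.append(f"{host} is not a public FQDN")
    elif peer_ip not in resolve_a(host):
        findings.append(f"{host} has no A record pointing back to {peer_ip}")
    # Advice given in the thread: greet with the name the MX record uses.
    if host != norm(mx_name):
        findings.append(f"greeting name {host} differs from MX name {norm(mx_name)}")
    ptr = resolve_ptr(peer_ip)
    if ptr is None:
        findings.append(f"{peer_ip} has no PTR record")
    elif norm(ptr) != host:
        findings.append(f"PTR for {peer_ip} is {norm(ptr)}, not {host}")
    return findings

# Constructed stand-in for DNS so the example runs offline. The IP address, the
# PTR name and the host names are those quoted in the thread; the A record for
# mail.woodmclaw.com is an assumption made for the example.
ZONE_A = {"mail.woodmclaw.com": {"68.74.55.130"}}
ZONE_PTR = {"68.74.55.130": "68-74-55-130.ded.ameritech.net"}
REPORTED_BANNER = ("220 WoodenMS2.woodmaclaw.local ESMTP Sendmail 8.13.1/8.13.1; "
                   "Tue, 12 Sep 2006 12:51:21 -0400")

def demo():
    """Audit the greeting reported in the thread against the constructed zone."""
    return audit_greeting(REPORTED_BANNER, "68.74.55.130", "MAIL.woodmclaw.com",
                          lambda n: ZONE_A.get(norm(n), set()), ZONE_PTR.get)

if __name__ == "__main__":
    for finding in demo():
        print("WARN:", finding)
```

Leaving out the last two arguments of audit_greeting() makes it query live DNS through the system resolver instead of the constructed tables.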
From res at ausics.net Tue Sep 12 23:02:23 2006
From: res at ausics.net (Res)
Date: Tue Sep 12 23:02:34 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <1225a4cc2c86392f4e849cb4cc297e31@ucsc.edu>
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <75a8399f72664d039e1a4c9229caad77@ucsc.edu> <1225a4cc2c86392f4e849cb4cc297e31@ucsc.edu>
Message-ID:

On Mon, 11 Sep 2006, John Rudd wrote:

>
> On Sep 11, 2006, at 4:47 PM, Res wrote:
>
>> On Sun, 10 Sep 2006, John Rudd wrote:
>>
>>>> so its completely absolutely impossible for a student to have an infected
>>>> pc and do this you will state this on your life would you
>>>
>>> Students are our _least_ trusted class of user, and yes, we take enough
>>> precautions against them that there is 0% chance that this was caused by
>>> an infected student.
>>
>> There is no way you can guarantee this in this day and age, regardless of
>> if you have 100 or 100K students, regardless of your setup, to think
>> otherwise shows complete ignorance of modern day capabilities.
>
>
> We're in between quarters. The students aren't here right now. The dorms
> (our residential network, where the student machines would be) are empty, and
> "resnet" isn't allowed to relay through our MX servers anyway. Care to try
> again?

you stated in the past, you never said recently, I also find it amusing you
did not say this in the first place

Sorry, no amount of BS on your part will justify your ignorance and
arrogance. But don't worry you are not alone, you are also typical of network
admins of EDU's in this country, which is why they will only ever be net
admins in educational institutions, they couldn't cut it elsewhere and I hope
with your demonstrated ignorance any future prospective employers that you
may approach who are on this list will remember your comments.
I dont have time to read the rest of your crap, because I have little time for people like you who are so full of themselves and refuse to open both eyes to reality, as far as im concerned this discussion is now over. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Tue Sep 12 23:03:43 2006 From: res at ausics.net (Res) Date: Tue Sep 12 23:03:58 2006 Subject: Anyone using zen.spamhaus.org? In-Reply-To: <4506B855.5050008@nkpanama.com> References: <4502E70F.9010308@nkpanama.com> <45042713.6030408@osubucks.org> <4506B855.5050008@nkpanama.com> Message-ID: On Tue, 12 Sep 2006, Alex Neuman van der Hans wrote: >> That is an interesting approach and does make sense, but how many out there >> actually bother to go to this trouble? not many I'd say. > I do... :D wow... thats 4 now :) I'll still pass tho hehe -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Tue Sep 12 23:06:35 2006 From: res at ausics.net (Res) Date: Tue Sep 12 23:06:45 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> Message-ID: On Tue, 12 Sep 2006, Scott Silva wrote: > Unless spamcop has gotten smart enough to screen out bounces, which they > didn't do when I got hit. Or you have some mechanism of verifying the sender > (milter-sender or some equivalent). Yes, I'm not just a ranter, I'm also a victim. 
you would have to be pretty unlucky -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From mailscanner at yeticomputers.com Tue Sep 12 23:07:12 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Tue Sep 12 23:07:20 2006 Subject: Autoresponder Evils? In-Reply-To: <20060912211925.A25554@defjam.cc.strath.ac.uk> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <45070379.1020507@yeticomputers.com> <20060912211925.A25554@defjam.cc.strath.ac.uk> Message-ID: <45072F90.30204@yeticomputers.com> Jethro R Binks wrote: > Well, since you asked. > > Most sensible autoresponders will only send one message within a period of > time to a particular correspondent, so 'flooding' one correspondent is > impossible (from one autoresponder anyway). > > If you want to design a sensible autoresponder, I didn't ask, I complained. :) I know what is generally considered to be a "sensible" autoresponder, and I don't care much for them, either. I will allow that they are far less annoying than something which will spray out unlimited responses, but I've yet to see one configured to send out only one response per *domain*. Without that, a joe-jobbed domain with a large number of user accounts can end up absorbing thousands of unwanted autoresponses, one for each valid email address. Flooding one correspondent is bad, but flooding my mail server at all is also bad. Autoresponders shift the burden of work that should belong to their owners to those who are have to deal with the unwanted messages they send out. I find that most people who defend autoresponders are in a way akin to the spam pundits who say, "Just hit delete!" As long as they can do what they want to, they have no care about how it affects those who did not ask for their email. 
Minimizing their impact is nice and all, but I don't think most people would want me to dump my garbage on their front lawn - even if I only did it once a week. Using an autoresponder that you *know* will send out unwanted mail is deliberately using the resources of others without their consent. If asked, "What else am I supposed to do to solve this problem?" all I can say is, "Don't make your problem mine." > Autoresponders will never go away, and there is no reason why they should. > I agree with the first half of that sentence, but until they stop sending messages to people who don't want them, I strongly disagree with the rest. I suppose this is pretty off topic for the list, and the second time that people defending autoresponders have brought me to this. Rick From Kevin_Miller at ci.juneau.ak.us Tue Sep 12 23:12:09 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Sep 12 23:12:13 2006 Subject: MailScanner stopping Message-ID: Last week there was a thread about MailScanner ceasing to work. I was seeing that behavior - it was running, but was all balled up. Turned out that when 'MailScanner restart' was called that some sendmail processes persisted past the $RESTART_DELAY time. This only appears to happen on later MS servers. Not sure what changes to the init script make the difference - my 4.48 server doesn't have a problem. The pids that MailScanner creates all evaporate almost immediately; the persistent sendmail processes are generally (as nearly as I can tell) connections that smf-sav initiates. (smf-sav is sorta like milter-sender and milter-ahead rolled into one.) I wasn't seeing the problem until I installed it, but it's too nifty to get rid of even if it's not as robust as the milters from Snertsoft. It can take up to a minute or two for all the connections to expire. I'm guessing the remote hosts are maybe doing greet-pause or graylisting when I do the sender verification, which causes them to sit around for a bit. 
Anyway, my workaround was to introduce the following bit of code in
/etc/init.d/MailScanner so that all the orphaned sendmail processes are gone
before trying to restart MailScanner.

    restart)
        $0 stop
        # Initialize the test variable
        Pidval=sendmail
        # Loop as long as there's a sendmail process
        while [ "$Pidval" != "" ]; do
            # Look for sendmail but ignore the grep
            Pidval=`ps aux | grep sendmail | grep -v grep`
            echo
            echo $Pidval
            sleep $RESTART_DELAY
        done
        $0 start
        rc_status
        ;;

FWIW, I'm running on SUSE. Not sure if this will affect Postfix/Exim, etc. I
assume no responsibility if it breaks your server and all that.

Hope this helps others. Julian, et al., is free to use it in future releases
at their discretion...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From res at ausics.net Tue Sep 12 23:12:17 2006
From: res at ausics.net (Res)
Date: Tue Sep 12 23:12:28 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <4506E051.10104@nkpanama.com>
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <4506E051.10104@nkpanama.com>
Message-ID:

On Tue, 12 Sep 2006, Alex Neuman van der Hans wrote:

> Scott Silva wrote:
>
>> Your server bounces with no user by that name because RFC's say you are
>> supposed to bounce it.
>
> Are you sure you're supposed to "take it all in and then bounce it"? I'm not
> sure you're *required* to "take it all in"; IIRC you always have the right to
> reject it at the MTA level, right?
an unpatched default qmail will accept anything if its in virtual host mode, then another of its processes will bounce it, dumb yes, which amazes me in its default way bernstein claims its so secure (and look theres those lil piggies flying backwards through the air ) so its possible some MTAs like qmail are too dumb to do it any other way :) however the chkusr patch fixes this flaw in 15 seconds. I'm not aware of any other MTA operating this braindead way. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From pete at enitech.com.au Tue Sep 12 23:13:36 2006 From: pete at enitech.com.au (Peter Russell) Date: Tue Sep 12 23:13:48 2006 Subject: How do i stop these spams? Message-ID: <45073110.6050801@enitech.com.au> I have heaps o users getting these spams at the moment. We have razor, dcc and pyzor and heaps of ruledujour running. -MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=0.203, required 6, BAYES_00 -2.60, FORGED_RCVD_HELO 0.14, SARE_FWDLOOK 1.67, SARE_OBFUMONEY2 1.00, UNPARSEABLE_RELAY 0.00) Appreciate any tips i can get Pete Subject: casebook H o t stcok a lert. This one is still climbling the stcok chart s al ert Breaking markket news report - TQ WW. P K Lookup: TQ WW. P K Commpany Name: Talyor Aquapoincs Worldwdie, Inc. Recently tradingg for: 0.40 6 Week Target: 1.25 6 Month Target: 4.97 Rating: Immediate b uy Expected: Steadily climb for the top Our featured ccompany TQ WW is a ?Big Fish? in what so far has been a little pond. But all of that is going to change when Wall Street sees the growth they?re experiencing. Whether you love fish, or vegetables, or don?t care for either one, TQ WW needs to be on your plate! Suuccess has already happened for Tailor Made Fish Farms, the original compaany behind TQW W, as you can see by the stories on this page. 
Do your research, and find out why we think TQ WW could increase as much as 400% or more in the next few weeks. If you?ve been fishing for a great opportunity, OTC PK: T QWW could be the best deal you?ve ever hooked! Talior Aquapnoics Worldiwde, Inc. (OTCP K: TQW W) has developed an easy to operate, land-based modular fish production system that is both sustainable and environmentally responsible. Production of ?year-round? premium quality fish and vegetables is achieved through compact and controlled production areas using much less water than conventional methods resulting in two crops from a single water uptake. This efficient combination of TQW W's fish & vegetable production has two major advantages: We see the possibility of a 250% rise in the very near future, and more may come after word spreads. Go with the flow ? and bu y T QWW when the ?tide? is low, then just wait for it to come in! Huge moneey from a comppany that satisfies ecological needs ? there?s something you don?t see very often. T QWW is primed for huge international growth in the very near future, and as one of the most well-known players in the aquaponics field, TQ WW will bring its industrry to new countries (and new investorss!). It seems like making mmoney with Aquaponcis is as easy as shooting fish in a barrel?and now you can ride the wave with TQ WW! Don?t delay ? do your research on T QWW and contact your brooker immeediately! The time to get in on this great fish story is now! Taiolr Aqauponics Worldwdie, unlike many of its competitors, already succcessfully operates a coommercial scale food production system. The upside for Aquaponics is uncharted, but huge revenues are already being derived from a Tailorr Aquaponicss combined Fish Farming/Vegetable Farming venture in Australia. The research shows us that this is a sstock we want to acquire ? and acquire a great deal of ? before more news makes it across the Pacific. 
Remember, TQ WW is on traack for inncreases of 250%, 400% or more, but
not many people know about it yet. That?s why you need to do your
research and make your p l a y today!

Any of the above statements with respect to the future predications or
goals and e vents may be seen as only forward looking and nothing
else. All in formation inside this em ail pertaining to any sort of
fiinancial advice need to be understood as in formation and not
advice. None of the informati on above can be constructed as any sort
of ffinan cial advic e. This is a paidd advertiseement.

From res at ausics.net Tue Sep 12 23:28:56 2006
From: res at ausics.net (Res)
Date: Tue Sep 12 23:29:10 2006
Subject: {MailScanner: Spam?} How do i stop these spams?
In-Reply-To: <45073110.6050801@enitech.com.au>
References: <45073110.6050801@enitech.com.au>
Message-ID:

On Wed, 13 Sep 2006, Peter Russell wrote:

> I have heaps o users getting these spams at the moment. We have razor,
> dcc and pyzor and heaps of ruledujour running.
>
> -MailScanner-SpamCheck: not spam,
> SpamAssassin (cached, score=0.203, required 6, BAYES_00 -2.60,
> FORGED_RCVD_HELO 0.14, SARE_FWDLOOK 1.67, SARE_OBFUMONEY2 1.00,
> UNPARSEABLE_RELAY 0.00)

Interesting I got a much higher score..

X-AIS-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
score=4.479, required 3, INFO_TLD 0.81, SARE_FWDLOOK 1.67,
SARE_LWHUGE 1.00, SARE_OBFUMONEY2 1.00)

> Appreciate any tips i can get

Use some extra S.A goodies :)

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away"
- Floyd

From drew at themarshalls.co.uk Tue Sep 12 23:38:14 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Tue Sep 12 23:38:23 2006
Subject: How do i stop these spams?
In-Reply-To: <45073110.6050801@enitech.com.au>
References: <45073110.6050801@enitech.com.au>
Message-ID: <143E9799-F5BE-4854-A3AD-C03DB38F1F37@themarshalls.co.uk>

On 12 Sep 2006, at 23:13, Peter Russell wrote:

> I have heaps o users getting these spams at the moment. We have
> razor, dcc and pyzor and heaps of ruledujour running.
>
> -MailScanner-SpamCheck: not spam,
> SpamAssassin (cached, score=0.203, required 6, BAYES_00 -2.60,
> FORGED_RCVD_HELO 0.14, SARE_FWDLOOK 1.67, SARE_OBFUMONEY2 1.00,
> UNPARSEABLE_RELAY 0.00)

BAYES_00 -2.60 < That's the bit that's not helping. You need to teach
Bayes that these are spam. If Bayes gives that the default 3.50 then
the rest will kick in and take you over 5 points no problem.

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From dave.list at pixelhammer.com Tue Sep 12 23:47:00 2006
From: dave.list at pixelhammer.com (DAve)
Date: Tue Sep 12 23:47:12 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To:
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <4506E051.10104@nkpanama.com>
Message-ID: <450738E4.3090602@pixelhammer.com>

Res wrote:
> On Tue, 12 Sep 2006, Alex Neuman van der Hans wrote:
>
>> Scott Silva wrote:
>>
>>> Your server bounces with no user by that name because RFC's say you are
>>> supposed to bounce it.
>>
>> Are you sure you're supposed to "take it all in and then bounce it"?
>> I'm not sure you're *required* to "take it all in"; IIRC you always
>> have the right to reject it at the MTA level, right?
>
> an unpatched default qmail will accept anything if its in virtual host
> mode, then another of its processes will bounce it, dumb yes, which
> amazes me in its default way bernstein claims its so secure (and look
> theres those lil piggies flying backwards through the air )
> so its possible some MTAs like qmail are too dumb to do it any other way :)
>
> however the chkusr patch fixes this flaw in 15 seconds.
> I'm not aware of any other MTA operating this braindead way.
>

This used to be such a nice place....

--
Three years now I've asked Google why they don't have a logo change for
Memorial Day. Why do they choose to do logos for other non-international
holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From lshaw at emitinc.com Tue Sep 12 23:59:48 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Wed Sep 13 00:00:08 2006
Subject: How do i stop these spams?
In-Reply-To: <143E9799-F5BE-4854-A3AD-C03DB38F1F37@themarshalls.co.uk>
References: <45073110.6050801@enitech.com.au> <143E9799-F5BE-4854-A3AD-C03DB38F1F37@themarshalls.co.uk>
Message-ID:

On Tue, 12 Sep 2006, Drew Marshall wrote:
> On 12 Sep 2006, at 23:13, Peter Russell wrote:

>> I have heaps o users getting these spams at the moment. We have razor, dcc
>> and pyzor and heaps of ruledujour running.
>>
>> -MailScanner-SpamCheck: not spam,
>> SpamAssassin (cached, score=0.203, required 6, BAYES_00 -2.60,
>> FORGED_RCVD_HELO 0.14, SARE_FWDLOOK 1.67, SARE_OBFUMONEY2 1.00,
>> UNPARSEABLE_RELAY 0.00)

> BAYES_00 -2.60 < That's the bit that's not helping. You need to teach Bayes
> that these are spam.

To elaborate a little bit, "BAYES_00" means "the Bayes module
has examined your message and determined that, based on its
keywords, it is really very confident this message is NOT spam."

It's a little confusing, but basically:
BAYES_00 means "almost definitely NOT spam";
BAYES_99 means "almost definitely IS spam"; and,
BAYES_50 means "no clear indication either way".

Since you are getting BAYES_00 on a spam message, that means
one of two things:
(1) this particular message is amazingly, exceptionally good at
    defeating Bayes, or
(2) your Bayes database is seriously whacked.

I would check other spam and see if you are ever getting
anything less than BAYES_50 on them. If you get BAYES_50 on a
spam, that doesn't indicate any problem with your configuration:
it just means that the Bayes database doesn't know about that
spam (or family of spam) yet. If you get higher than BAYES_50,
that means Bayes is recognizing spam as spam. But if you
get lower than BAYES_50 on a spam, that tends to indicate a
configuration problem. Something may be training Bayes the
wrong direction. Or maybe Bayes hasn't seen nearly enough spam
(in relation to ham) and it is starting to be overly optimistic
and conclude that everything is ham and nothing is spam.

If you look back at logs and your Bayes scores are way off,
it might be best to first correct the configuration error
that led to Bayes being trained incorrectly, then toss out
the existing Bayes database and start fresh.

  - Logan

From jrudd at ucsc.edu Wed Sep 13 00:00:06 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Sep 13 00:00:28 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To:
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <75a8399f72664d039e1a4c9229caad77@ucsc.edu> <1225a4cc2c86392f4e849cb4cc297e31@ucsc.edu>
Message-ID:

On Sep 12, 2006, at 15:02, Res wrote:

> On Mon, 11 Sep 2006, John Rudd wrote:
>> On Sep 11, 2006, at 4:47 PM, Res wrote:
>>> On Sun, 10 Sep 2006, John Rudd wrote:
>>>>> so its completely absolutely impossible for a student to have an
>>>>> infected pc and do this you will state this on your life would you
>>>> Students are our _least_ trusted class of user, and yes, we take
>>>> enough precautions against them that there is 0% chance that this
>>>> was caused by an infected student.
>>> There is no way you can guarantee this in this day and age,
>>> regardless of if you have 100 or 100K students, regardless of your
>>> setup, to think otherwise shows complete ignorance of modern day
>>> capabilities.
>>
>> We're in between quarters. The students aren't here right now. The
>> dorms (our residential network, where the student machines would be)
>> are empty, and "resnet" isn't allowed to relay through our MX servers
>> anyway. Care to try again?
>
> you stated in the past, you never said recently, I also find it
> amusing you did not say this in the first place

Just giving you all the rope you needed to hang yourself with
ignorant assertions. It's not my job to keep you from making unfounded
assertions by feeding you every fact about a situation, it's your job
to not make unfounded assertions when you don't have all of the facts
... and to know when you don't have enough facts about a situation to
make assertions about it.

I didn't need to say recently. I merely said that I could rule out
that students caused it. I don't need to provide an encyclopedia of
justifications for a mailing list discussion (as opposed to a formal
paper or court case, or something). Though, if you had requested
support for it, instead of insulting myself and the claim, perhaps I
would have done that instead of allowing you to make an ass of
yourself.

However, I agree that this sub-thread has become a waste of time.

From jethro.binks at strath.ac.uk Wed Sep 13 00:07:59 2006
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Wed Sep 13 00:08:03 2006
Subject: Autoresponder Evils?
In-Reply-To: <45072F90.30204@yeticomputers.com>
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <45070379.1020507@yeticomputers.com> <20060912211925.A25554@defjam.cc.strath.ac.uk> <45072F90.30204@yeticomputers.com>
Message-ID: <20060912234839.T25554@defjam.cc.strath.ac.uk>

On Tue, 12 Sep 2006, Rick Chadderdon wrote:

> I didn't ask, I complained. :) I know what is generally considered to
> be a "sensible" autoresponder, and I don't care much for them, either.
> I will allow that they are far less annoying than something which will
> spray out unlimited responses, but I've yet to see one configured to
> send out only one response per *domain*.

To do so would be irrational; why should only one sender from AOL or
Hotmail receive the autoresponse and all other millions of potential
correspondents not, in a given period of time?

> Without that, a joe-jobbed domain with a large number of user accounts
> can end up absorbing thousands of unwanted autoresponses, one for each
> valid email address. Flooding one correspondent is bad, but flooding my
> mail server at all is also bad. Autoresponders shift the burden of work
> that should belong to their owners to those who have to deal with
> the unwanted messages they send out.

Unfortunately, there is no other mechanism available in email to
indicate one's mailbox attention status. Ideally, there would be an
SMTP-time mechanism, but unless you are refusing the message, there is
no facility to use (and with the state of many MTAs in common use, no
guarantee that any of the message the autoresponder is generating will
end up with the sender in any legible form). But the problem isn't
autoresponders themselves. The problem is identifying a legitimate
sender from an illegitimate one. If an autoresponder knew when the
sender of an email was legitimate, it would be able to reply reliably.
Enter SPF and all those other proposals. How about directing your
pent-up venom from castigating autoresponders, even sensible ones, to
solving the real problem, and not one of its symptoms.

> I find that most people who defend autoresponders are in a way akin to
> the spam pundits who say, "Just hit delete!"

Ridiculous analogy.

> As long as they can do what they want to, they have no care about how it
> affects those who did not ask for their email. Minimizing their impact
> is nice and all, but I don't think most people would want me to dump my
> garbage on their front lawn - even if I only did it once a week. Using
> an autoresponder that you *know* will send out unwanted mail is
> deliberately using the resources of others without their consent.

How does a computer system determine what is "wanted"? If you solve
that problem, you will solve many of the ills that afflict our present
email system. Don't blame autoresponders, especially sensibly
implemented ones, for a problem which is not of their making.

> If asked, "What else am I supposed to do to solve this problem?" all I
> can say is, "Don't make your problem mine."

That's a piss-poor response though.

> > Autoresponders will never go away, and there is no reason why they should.
>
> I agree with the first half of that sentence, but until they stop
> sending messages to people who don't want them, I strongly disagree with
> the rest. I suppose this is pretty off topic for the list, and the
> second time that people defending autoresponders have brought me to
> this.

I'll say it again: the undesirable behaviour you see from
autoresponders is a symptom of a deeper problem, and that is what needs
to be solved. Bitching about the symptom is not helpful. There are many
business and social reasons that require autoresponders, and if they
were all implemented sensibly, then from the user perspective, they
wouldn't be a problem. Indeed it is the users who want these features.
If you're the manager of a joe-jobbed domain and you have to deal with
them, en-masse, well, that's a fact and hazard of having an
Internet-connected mail server, just like you would have to deal with a
batch of spam directed directly at your domain without the
autoresponder middle-man. Sure, it's pretty annoying, even costly, but
them's the risks and you have to accept that if you offer a service
someone will abuse it sooner or later.

I happily grant you leave to bitch about crap autoresponder mechanisms
if it makes you happy, and there are very many to bitch about. But do
not tar them all with the same brush, and do not make the mistake of
saying that autoresponders are the problem when they are not.

J.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK

From res at ausics.net Wed Sep 13 00:10:22 2006
From: res at ausics.net (Res)
Date: Wed Sep 13 00:10:31 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <450738E4.3090602@pixelhammer.com>
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <4506E051.10104@nkpanama.com> <450738E4.3090602@pixelhammer.com>
Message-ID:

On Tue, 12 Sep 2006, DAve wrote:

>> an unpatched default qmail will accept anything if its in virtual host
>> mode, then another of its processes will bounce it, dumb yes, which amazes
>> me in its default way bernstein claims its so secure (and look theres those
>> lil piggies flying backwards through the air )
>> so its possible some MTAs like qmail are too dumb to do it any other way :)
>>
>> however the chkusr patch fixes this flaw in 15 seconds.
>> I'm not aware of any other MTA operating this braindead way.
>>
>
> This used to be such a nice place....

I know its early but your point is? not attacking qmail i hope lol,
oh and it can happen, afterall about 25 years ago, they said pigs will
fly before pink floyd reformed and played live with roger waters, and
in live aid a year ago, they did exactly that,
so apparently, pigs can fly :P

--
Cheers
Res

From michele at blacknight.ie Wed Sep 13 00:18:15 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight.ie)
Date: Wed Sep 13 00:18:18 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To:
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <4506E051.10104@nkpanama.com> <450738E4.3090602@pixelhammer.com>
Message-ID: <45074037.4040007@blacknight.ie>

Res wrote:

> so apparently, pigs can fly :P

I've seen plenty of them :)

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From res at ausics.net Wed Sep 13 00:20:29 2006
From: res at ausics.net (Res)
Date: Wed Sep 13 00:20:50 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To: <45074037.4040007@blacknight.ie>
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <4506E051.10104@nkpanama.com> <450738E4.3090602@pixelhammer.com> <45074037.4040007@blacknight.ie>
Message-ID:

On Wed, 13 Sep 2006, Michele Neylon :: Blacknight.ie wrote:

> Res wrote:
>
>> so apparently, pigs can fly :P
>
> I've seen plenty of them :)

lol. never seen them fly backwards yet tho, that will happen if PF
reform properly, then ill be convinced :)

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away"
- Floyd

From pete at enitech.com.au Wed Sep 13 00:46:24 2006
From: pete at enitech.com.au (Peter Russell)
Date: Wed Sep 13 00:46:37 2006
Subject: How do i stop these spams?
In-Reply-To:
References: <45073110.6050801@enitech.com.au> <143E9799-F5BE-4854-A3AD-C03DB38F1F37@themarshalls.co.uk>
Message-ID: <450746D0.6050708@enitech.com.au>

Logan Shaw wrote:
> On Tue, 12 Sep 2006, Drew Marshall wrote:
>> On 12 Sep 2006, at 23:13, Peter Russell wrote:
>
>>> I have heaps o users getting these spams at the moment. We have
>>> razor, dcc and pyzor and heaps of ruledujour running.
>>>
>>> -MailScanner-SpamCheck: not spam,
>>> SpamAssassin (cached, score=0.203, required 6, BAYES_00 -2.60,
>>> FORGED_RCVD_HELO 0.14, SARE_FWDLOOK 1.67, SARE_OBFUMONEY2 1.00,
>>> UNPARSEABLE_RELAY 0.00)
>
>> BAYES_00 -2.60 < That's the bit that's not helping. You need to teach
>> Bayes that these are spam.
>
> To elaborate a little bit, "BAYES_00" means "the Bayes module
> has examined your message and determined that, based on its
> keywords, it is really very confident this message is NOT spam."
>
> It's a little confusing, but basically:
> BAYES_00 means "almost definitely NOT spam";
> BAYES_99 means "almost definitely IS spam"; and,
> BAYES_50 means "no clear indication either way".
>
> Since you are getting BAYES_00 on a spam message, that means
> one of two things:
> (1) this particular message is amazingly, exceptionally good at
> defeating Bayes, or
> (2) your Bayes database is seriously whacked.
>
> I would check other spam and see if you are ever getting
> anything less than BAYES_50 on them. If you get BAYES_50 on a
> spam, that doesn't indicate any problem with your configuration:
> it just means that the Bayes database doesn't know about that
> spam (or family of spam) yet. If you get higher than BAYES_50,
> that means Bayes is recognizing spam as spam. But if you
> get lower than BAYES_50 on a spam, that tends to indicate a
> configuration problem. Something may be training Bayes the
> wrong direction. Or maybe Bayes hasn't seen nearly enough spam
> (in relation to ham) and it is starting to be overly optimistic
> and conclude that everything is ham and nothing is spam.
>
> If you look back at logs and your Bayes scores are way off,
> it might be best to first correct the configuration error
> that led to Bayes being trained incorrectly, then toss out
> the existing Bayes database and start fresh.

Thanks i might start again, this is years old DB that uses auto learn
and minor amount of manual learned spam. Originally it was the FSL bayes
starter DB.

Thanks a lot
Pete

>
> - Logan

From steve.swaney at fsl.com Wed Sep 13 00:57:06 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Wed Sep 13 00:57:11 2006
Subject: How do i stop these spams?
In-Reply-To: <450746D0.6050708@enitech.com.au>
Message-ID: <2dd7e01c6d6c7$273db7f0$287ba8c0@office.fsl>

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Peter Russell
> Sent: Tuesday, September 12, 2006 7:46 PM
> To: MailScanner discussion
> Subject: Re: How do i stop these spams?
>
>
>
> Logan Shaw wrote:
> > On Tue, 12 Sep 2006, Drew Marshall wrote:
> >> On 12 Sep 2006, at 23:13, Peter Russell wrote:
> >
> >>> I have heaps o users getting these spams at the moment. We have
> >>> razor, dcc and pyzor and heaps of ruledujour running.
> >>>
> >>> -MailScanner-SpamCheck: not spam,
> >>> SpamAssassin (cached, score=0.203, required 6, BAYES_00 -2.60,
> >>> FORGED_RCVD_HELO 0.14, SARE_FWDLOOK 1.67, SARE_OBFUMONEY2 1.00,
> >>> UNPARSEABLE_RELAY 0.00)
> >
> >> BAYES_00 -2.60 < That's the bit that's not helping. You need to teach
> >> Bayes that these are spam.
> >
> > To elaborate a little bit, "BAYES_00" means "the Bayes module
> > has examined your message and determined that, based on its
> > keywords, it is really very confident this message is NOT spam."
> >
> > It's a little confusing, but basically:
> > BAYES_00 means "almost definitely NOT spam";
> > BAYES_99 means "almost definitely IS spam"; and,
> > BAYES_50 means "no clear indication either way".
> >
> > Since you are getting BAYES_00 on a spam message, that means
> > one of two things:
> > (1) this particular message is amazingly, exceptionally good at
> > defeating Bayes, or
> > (2) your Bayes database is seriously whacked.
> >
> > I would check other spam and see if you are ever getting
> > anything less than BAYES_50 on them. If you get BAYES_50 on a
> > spam, that doesn't indicate any problem with your configuration:
> > it just means that the Bayes database doesn't know about that
> > spam (or family of spam) yet. If you get higher than BAYES_50,
> > that means Bayes is recognizing spam as spam. But if you
> > get lower than BAYES_50 on a spam, that tends to indicate a
> > configuration problem. Something may be training Bayes the
> > wrong direction. Or maybe Bayes hasn't seen nearly enough spam
> > (in relation to ham) and it is starting to be overly optimistic
> > and conclude that everything is ham and nothing is spam.
> >
> > If you look back at logs and your Bayes scores are way off,
> > it might be best to first correct the configuration error
> > that led to Bayes being trained incorrectly, then toss out
> > the existing Bayes database and start fresh.
>
> Thanks i might start again, this is years old DB that uses auto learn
> and minor amount of manual learned spam. Originally it was the FSL bayes
> starter DB.
>
> Thanks a lot
> Pete

The starter database is still available :)

http://www.fsl.com/support.html

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From lday at txk.k12.ar.us Wed Sep 13 03:24:07 2006
From: lday at txk.k12.ar.us (James L. Day)
Date: Wed Sep 13 03:24:18 2006
Subject: How do i stop these spams?
In-Reply-To: <2dd7e01c6d6c7$273db7f0$287ba8c0@office.fsl>
References: <2dd7e01c6d6c7$273db7f0$287ba8c0@office.fsl>
Message-ID: <45076BC7.2080408@txk.k12.ar.us>

Stephen,

There's a broken link on the page:

http://www.fsl.com/support.html

The hyperlink for this entry:

Bayes Starter DB (FreeBSD SA 3.0)

..needs "support/" added to it so that it reads:

http://www.fsl.com/support/bayes-FreeBSD-SA-3.0-starter-db.tar.gz

Thanks,
Lynn

Stephen Swaney wrote:
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>
> The starter database is still available :)
>
> http://www.fsl.com/support.html
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>
>

From randyf at sibernet.com Wed Sep 13 06:11:37 2006
From: randyf at sibernet.com (Randy Fishel)
Date: Wed Sep 13 06:13:24 2006
Subject: No logging in Solaris 9 (with workaround) - question?
In-Reply-To: <450663D8.5000501@ecs.soton.ac.uk>
References: <450663D8.5000501@ecs.soton.ac.uk>
Message-ID:

On Sep 12, 2006, at 12:38 AM, Julian Field wrote:

>
> René Berber wrote:
>> René Berber wrote:
>> [snip]
>>
>>> eval {
>>> # if ($^O !~ /solaris|sunos|irix/i) {
>>> Sys::Syslog::setlogsock('udp');
>>> # } # else {
>>>
>> [snip]
>>
>> My mistake, even if it works as shown above I should have changed
>> it like this (I'm not sure about Irix or SunOS so it may still be
>> wrong):
>>
>> eval {
>>   if ($^O !~ /solaris|sunos|irix/i) {
>>     Sys::Syslog::setlogsock('unix');
>>   } else {
>>     Sys::Syslog::setlogsock('udp');
>>   }
>> }
>>
> Can other Solaris users comment on this please?
>

As Solaris implements Syslog as a network service, it _should_ use
some form of a network socket. A 'unix' domain socket implies the open
of /dev/log or /dev/conslog (which may not generate the desired
results, especially if the syslog device is a remote machine).

However, though using 'udp' might work, I prefer to use 'inet', as it
will implement the connection over the protocol that is actually being
used (tcp or udp).

So my suggestion would be to make this
'Sys::Syslog::setlogsock('inet');' (and what all my syslog perl
scripts do without problems from Solaris 2.5.1 to OpenSolaris).

rf

From glenn.steen at gmail.com Wed Sep 13 07:20:51 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 13 07:20:55 2006
Subject: OT: Invalid domain name during SMTP test
In-Reply-To:
References: <8f54b4330609121041g3240300fr5b7056f37b1c095b@mail.gmail.com> <04D932B0071FE34FA63EBB1977B48D1501A3988A@woodenex.woodmaclaw.local>
Message-ID: <223f97700609122320r50cf00efy9db2cf48083c4ee9@mail.gmail.com>

On 12/09/06, René Berber wrote:
> Billy A. Pumphrey wrote:
>
> >> -----Original Message-----
> >>
> >> Do you have split DNS?
> >>
> >> Nate
> >
> > If I understand what split DNS is, yes I do. The DNS is configured to
> > resolve with the local Windows DNS server, then if the windows server
> > does not know the lookup, it will query the internet.
>
> No, split view DNS means you see a local IP address from your LAN and you see the Internet address from outside (for the name of your mail server).
>
> The above comment probably means that you can see different names too, but it makes no sense to me, something like server.domain.local from inside and just server.domain from outside... for the same IP address?

It means that Billy has an M$ AD DNS setup according to the (idiotic)
gospel according to M$. Nothing else. Also shows why this is such a bad
idea:-).
IIRC this was dreamt up to "alleviate" the problems possibly due to a
split DNS. Sigh. There is some KB article that I'm too lazy to find,
with all the (laughable) details...

> Anyway, the original problem is probably in /etc/hosts or hostname, not in DNS. You have to see where your mail server gets its name from, with sendmail the commands:
>
> echo '$=R' | sendmail -bt -d0.10
>
> will show you the name (Canonical name) and domain info among other things.

It is a very long time since I could call myself anything even close
to a sendmail guru (editing the cf file directly was the norm
then:-)... But even back then you could certainly lie as necessary by
just setting the darned thing directly.
I'd imagine this to be an m4 macro these days (that probably defaults
to hostname as perceived by the resolver/hostname command:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From randyf at sibernet.com Wed Sep 13 07:21:08 2006
From: randyf at sibernet.com (Randy Fishel)
Date: Wed Sep 13 07:22:58 2006
Subject: No logging in Solaris 9 (with workaround) - question?
In-Reply-To:
References: <450663D8.5000501@ecs.soton.ac.uk>
Message-ID: <3199AC82-D755-4A05-A722-148699B45AC3@sibernet.com>

On Sep 12, 2006, at 1:04 PM, René Berber wrote:

> Julian Field wrote:
>
>> René Berber wrote:
> [snip]
>>>> eval {
>>>>   if ($^O !~ /solaris|sunos|irix/i) {
>>>>     Sys::Syslog::setlogsock('unix');
>>>>   } else {
>>>>     Sys::Syslog::setlogsock('udp');
>>>>   }
>>>> }
>>>>
>> Can other Solaris users comment on this please?
>
> Testing other Solaris servers:
>
> Solaris 8 / perl 5.6.1(AS) / doesn't work as above, it works with
> commented else

Try using 'inet', instead of 'udp', and see if that works.

> Solaris 9 / perl 5.8.0 / works both ways (as above and
> commented out else)
> Solaris 10 / perl 5.8.4 / works both ways (as above and
> commented out else
>
> The second test contradicts my original findings, I had no logging
> until I changed the code but it should have worked with no setlogsock.
> --
> René Berber
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From glenn.steen at gmail.com Wed Sep 13 07:27:26 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 13 07:27:28 2006
Subject: MailScanner stopping
In-Reply-To:
References:
Message-ID: <223f97700609122327s578d13e2o4f99141e5ba9a38c@mail.gmail.com>

On 13/09/06, Kevin Miller wrote:
> Last week there was a thread about MailScanner ceasing to work. I was
> seeing that behavior - it was running, but was all balled up. Turned
> out that when 'MailScanner restart' was called that some sendmail
> processes persisted past the $RESTART_DELAY time. This only appears to
> happen on later MS servers. Not sure what changes to the init script
> make the difference - my 4.48 server doesn't have a problem.
>
> The pids that MailScanner creates all evaporate almost immediately; the
> persistent sendmail processes are generally (as nearly as I can tell)
> connections that smf-sav initiates. (smf-sav is sorta like
> milter-sender and milter-ahead rolled into one.) I wasn't seeing the
> problem until I installed it, but it's too nifty to get rid of even if
> it's not as robust as the milters from Snertsoft.
>
> It can take up to a minute or two for all the connections to expire.
> I'm guessing the remote hosts are maybe doing greet-pause or graylisting
> when I do the sender verification, which causes them to sit around for a
> bit.
>

Sounds a bit odd... You're not getting tar-pitted by your own internal
servers, are you?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From r.berber at computer.org Wed Sep 13 08:17:25 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Wed Sep 13 08:17:52 2006
Subject: No logging in Solaris 9 (with workaround) - question?
In-Reply-To: <3199AC82-D755-4A05-A722-148699B45AC3@sibernet.com>
References: <450663D8.5000501@ecs.soton.ac.uk> <3199AC82-D755-4A05-A722-148699B45AC3@sibernet.com>
Message-ID:

Randy Fishel wrote:

[snip]
>> Testing other Solaris servers:
>>
>> Solaris 8 / perl 5.6.1(AS) / doesn't work as above, it works with
>> commented else
>
> Try using 'inet', instead of 'udp', and see if that works.

Solaris 8 / perl 5.6.1(AS) / works fine with inet, as well as w/o setlogsock()
Solaris 9 / perl 5.8.0 / same result as Sol8, but see note[1].

[1] The output is different btw.
the test that uses setlogsock('inet') and the one that just opens the log w/o using setlogsock(), the second test's output is in normal syslog format, the first shows a different host name (localhost actually) and doesn't show [ID facility.severity]; same output as the first test happens with 'udp'.

[snip]
--
René Berber

From matt at coders.co.uk Wed Sep 13 09:44:01 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Wed Sep 13 09:44:11 2006
Subject: OT: Invalid domain name during SMTP test
In-Reply-To: <223f97700609122320r50cf00efy9db2cf48083c4ee9@mail.gmail.com>
References: <8f54b4330609121041g3240300fr5b7056f37b1c095b@mail.gmail.com> <04D932B0071FE34FA63EBB1977B48D1501A3988A@woodenex.woodmaclaw.local> <223f97700609122320r50cf00efy9db2cf48083c4ee9@mail.gmail.com>
Message-ID: <4507C4D1.4030703@coders.co.uk>

> It is a very long time since I could call myself anything even close
> to a sendmail guru (editing the cf file directly was the norm
> then:-)... But even back then you could certainly lie as necessary by
> just setting the darned thing directly. I'd imagine this to be an m4
> macro these days (that probably defaults to hostname as perceived by
> the resolver/hostname command:-).
>

M4

define(`confDOMAIN_NAME', `myexternalhostname')

is probably what you are thinking about

or for cf hacking

Djmyexternalhostname

matt

From glenn.steen at gmail.com Wed Sep 13 10:32:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 13 10:32:22 2006
Subject: OT: Invalid domain name during SMTP test
In-Reply-To: <4507C4D1.4030703@coders.co.uk>
References: <8f54b4330609121041g3240300fr5b7056f37b1c095b@mail.gmail.com> <04D932B0071FE34FA63EBB1977B48D1501A3988A@woodenex.woodmaclaw.local> <223f97700609122320r50cf00efy9db2cf48083c4ee9@mail.gmail.com> <4507C4D1.4030703@coders.co.uk>
Message-ID: <223f97700609130232m491db964w3ba5fb19e150f0d9@mail.gmail.com>

On 13/09/06, Matt Hampton wrote:
>
> > It is a very long time since I could call myself anything even close
> > to a sendmail guru (editing the cf file directly was the norm
> > then:-)... But even back then you could certainly lie as necessary by
> > just setting the darned thing directly. I'd imagine this to be an m4
> > macro these days (that probably defaults to hostname as perceived by
> > the resolver/hostname command:-).
> >
>
> M4
>
> define(`confDOMAIN_NAME', `myexternalhostname')
>
> is probably what you are thinking about
>
> or for cf hacking
>
> Djmyexternalhostname
>
>
> matt
>
Exactly. Thanks for the memory-jog:)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Wed Sep 13 10:44:13 2006
From: res at ausics.net (Res)
Date: Wed Sep 13 10:44:30 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To:
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <75a8399f72664d039e1a4c9229caad77@ucsc.edu> <1225a4cc2c86392f4e849cb4cc297e31@ucsc.edu>
Message-ID:

On Tue, 12 Sep 2006, John Rudd wrote:

> However, I agree that this sub-thread has become a waste of time.
I don't think so, it's shown where a few people stand on dealing and accepting network security issues, and who is so far up himself he can state clearly his students are perfect darling little angels :) *cough*

From gmatt at nerc.ac.uk Wed Sep 13 13:56:42 2006
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Wed Sep 13 13:56:52 2006
Subject: incoming messages stuck in queue due to tnef bug
In-Reply-To: <4505AE3A.8060902@ecs.soton.ac.uk>
References: <450505B8.4020504@spawar.navy.mil> <45057A43.3040304@USherbrooke.ca> <625385e30609110820o1273dd00h229254a86ee6b678@mail.gmail.com> <4505A31D.9010601@spawar.navy.mil> <4505AE3A.8060902@ecs.soton.ac.uk>
Message-ID: <4508000A.8020908@nerc.ac.uk>

If anyone is interested, the following .spec file will build the tnef rpm for RHEL (CentOS) v4.4. The one that comes with the tarball is slightly off...

GREG

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

-------------- next part --------------
# rpm spec file for tnef 1.4.3
Summary: Decodes MS-TNEF attachments.
Name: tnef
Version: 1.4.3
Release: 1
Group: Mail/Encoders
Copyright: GPL
Source: http://world.std.com/~damned/tnef-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Prefix: /usr
Vendor: Angst Programming I.G.
URL: http://tnef.sourceforge.net
Packager: Mark Simpson

%description
TNEF is a program for unpacking MIME attachments of type "application/ms-tnef". This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format.
The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment.

%prep
%setup

%build
CFLAGS=${RPM_OPT_FLAGS} ./configure --prefix=%{prefix} --datarootdir=%{prefix}/share
make all

%install
make "DESTDIR=${RPM_BUILD_ROOT}" install

%clean
rm -rf ${RPM_BUILD_ROOT}

%files
%defattr(-,root,root)
%doc README COPYING ChangeLog AUTHORS NEWS TODO BUGS
%{prefix}/bin/tnef
%{prefix}/share/man/man1/tnef.1

-------------- next part --------------
# rpm spec file for tnef 1.4.3
Summary: Decodes MS-TNEF attachments.
Name: @PACKAGE_NAME@
Version: @PACKAGE_VERSION@
Release: 1
Group: Mail/Encoders
Copyright: GPL
Source: http://world.std.com/~damned/tnef-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Prefix: @prefix@
Vendor: Angst Programming I.G.
URL: http://tnef.sourceforge.net
Packager: Mark Simpson <@PACKAGE_BUGREPORT@>

%description
TNEF is a program for unpacking MIME attachments of type "application/ms-tnef". This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format. The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment.

%prep
%setup

%build
CFLAGS=${RPM_OPT_FLAGS} ./configure --prefix=%{prefix} --datarootdir=%{prefix}/share
make all

%install
make "DESTDIR=${RPM_BUILD_ROOT}" install

%clean
rm -rf ${RPM_BUILD_ROOT}

%files
%defattr(-,root,root)
%doc README COPYING ChangeLog AUTHORS NEWS TODO BUGS
%{prefix}/bin/tnef
%{prefix}/share/man/man1/tnef.1

From rgreen at trayerproducts.com Wed Sep 13 14:09:52 2006
From: rgreen at trayerproducts.com (Green, Rodney)
Date: Wed Sep 13 14:11:53 2006
Subject: OT: Backup MX
Message-ID: <45080320.9060700@trayerproducts.com>

Hello,

We recently had a day of downtime for our Internet connection.
We don't have a backup MX to queue mail while our mail server is unreachable.

My question is this. If I were to get a DSL connection setup and connect a backup DNS server and backup MX server, would there be a way for users to access incoming mail that is queued on the backup MX? How is something like this normally handled? We rely on e-mail here and need some sort of backup plan if our main connection goes down.

Thanks for any suggestions.
Rod

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From rgreen at trayerproducts.com Wed Sep 13 14:14:47 2006
From: rgreen at trayerproducts.com (Green, Rodney)
Date: Wed Sep 13 14:16:49 2006
Subject: OT: Backup MX
In-Reply-To: <45080320.9060700@trayerproducts.com>
References: <45080320.9060700@trayerproducts.com>
Message-ID: <45080447.7010007@trayerproducts.com>

Green, Rodney wrote:
>
> Hello,
>
> We recently had a day of downtime for our Internet connection. We
> don't have a backup MX to queue mail while our mail server is
> unreachable.
>
> My question is this. If I were to get a DSL connection setup and
> connect a backup DNS server and backup MX server, would there be a way
> for users to access incoming mail that is queued on the backup MX? How
> is something like this normally handled? We rely on e-mail here and
> need some sort of backup plan if our main connection goes down.
>
> Thanks for any suggestions.
> Rod
>
>
>
Just to add a little more information.. I'm using postfix as our MTA and of course MailScanner.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From cobalt-users1 at fishnet.co.uk Wed Sep 13 14:27:37 2006
From: cobalt-users1 at fishnet.co.uk (Ian)
Date: Wed Sep 13 14:27:46 2006
Subject: OT: Sendmail: stopping RBL checks for authenticated users
Message-ID: <45081559.18701.92A6CF@cobalt-users1.fishnet.co.uk>

Hi,

Sorry for the OT but you guys seem to know everything!
We have a client who is a roaming user (all over Asia at the moment) and the IPs he connects with sometimes end up in RBL lists.

I want to setup the submission port (587) and configure it to allow authenticated users only (no other restrictions). Does anyone know the correct submit.mc format to allow this?

I already have smtp auth/sasl configured in the main sendmail but the RBL checks are done before the auth checks.

My googling has so far come up with lots of people asking the question but no definite answers. Lots of other answers, but not this one.

Thanks if you can help.

Ian

--
IMPORTANT: This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an Irritating social faux pas. Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does not have any legal or grammatical use and may be ignored. No animals were harmed in the transmission of this email, although the cat next door is living on borrowed time, let me tell you. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please place it in a warm oven for 40 minutes and add some nutmeg and egg whites. Whisk briefly and let it stand for 2 hours before icing.
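
A sendmail.mc fragment for the setup asked about in the post above, using the delay_checks feature that a later reply in this thread suggests. It is an added example, not part of the original post or any poster's configuration; the DNSBL zone name is a constructed placeholder, and it assumes SASL and STARTTLS are already working on the host.

```m4
dnl Added example for sendmail.mc, the MTA configuration. submit.mc only
dnl configures the local mail submission program, so the listener on port
dnl 587 is defined here instead.

dnl Run check_relay and check_mail from check_rcpt rather than at connect
dnl and MAIL time. Per cf/README, the delayed checks are skipped for a
dnl sender authenticated with a mechanism listed in TRUST_AUTH_MECH().
FEATURE(`delay_checks')dnl

dnl Mechanisms offered, and the ones trusted to skip the delayed checks.
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
dnl p: refuse plaintext mechanisms unless a security layer (STARTTLS) is
dnl active, so roaming users do not send passwords in the clear.
define(`confAUTH_OPTIONS', `A p')dnl

dnl Replace the built-in MSA with one that insists on authentication.
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl M=E disallows ETRN on this port; M=a always requires authentication.
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl

dnl DNSBL lookup. dnsbl.example.org is a placeholder, not a real list.
FEATURE(`dnsbl', `dnsbl.example.org')dnl
```

After regenerating sendmail.cf from this file and restarting sendmail, unauthenticated clients on port 25 are still checked against the DNSBL, while a client that authenticates on either port is not.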
From rgreen at trayerproducts.com Wed Sep 13 14:33:19 2006
From: rgreen at trayerproducts.com (Green, Rodney)
Date: Wed Sep 13 14:35:13 2006
Subject: OT: Backup MX
In-Reply-To: <45080447.7010007@trayerproducts.com>
References: <45080320.9060700@trayerproducts.com> <45080447.7010007@trayerproducts.com>
Message-ID: <4508089F.8080004@trayerproducts.com>

Green, Rodney wrote:
>
>
> Green, Rodney wrote:
>>
>> Hello,
>>
>> We recently had a day of downtime for our Internet connection. We
>> don't have a backup MX to queue mail while our mail server is
>> unreachable.
>>
>> My question is this. If I were to get a DSL connection setup and
>> connect a backup DNS server and backup MX server, would there be a way
>> for users to access incoming mail that is queued on the backup MX?
>> How is something like this normally handled? We rely on e-mail here and
>> need some sort of backup plan if our main connection goes down.
>>
>> Thanks for any suggestions.
>> Rod
>>
>>
>>
>
> Just to add a little more information.. I'm using postfix as our MTA
> and of course MailScanner.
>
>
>
>
Replying to my own post yet again. :-)

I think my answer is in how DNS and MX records work. I guess I was confused by the term "backup mx." It looks like I would need to setup a duplicate mail server on the DSL connection, with a different FQDN, of course, and set it up as a final destination for mail. Then in DNS I would set up that new server with a lower priority than the normal server. If the primary server is down mail should then be delivered to the server on the DSL connection and be accessible to the users with a simple configuration change. Does this sound correct?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From jon at radel.com Wed Sep 13 14:37:58 2006
From: jon at radel.com (Jon Radel)
Date: Wed Sep 13 14:37:39 2006
Subject: Spamcop.net RBL blocking emails by mistake?
In-Reply-To:
References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <75a8399f72664d039e1a4c9229caad77@ucsc.edu> <1225a4cc2c86392f4e849cb4cc297e31@ucsc.edu>
Message-ID: <450809B6.7030409@radel.com>

Res wrote:
>
> On Tue, 12 Sep 2006, John Rudd wrote:
>
>> However, I agree that this sub-thread has become a waste of time.
>
> I don't think so, it's shown where a few people stand on dealing and
> accepting network security issues, and who is so far up himself he can
> state clearly his students are perfect darling little angels :) *cough*
>
Oh, I quite agree. It's allowed me to put you (could I have your full name please--just to be complete--thanks) on my version of that list you alluded to earlier. You get a "severe reading comprehension problems or troll" notation. Thanks much.

--Jon Radel

From jon at radel.com Wed Sep 13 14:56:36 2006
From: jon at radel.com (Jon Radel)
Date: Wed Sep 13 14:56:26 2006
Subject: OT: Backup MX
In-Reply-To: <4508089F.8080004@trayerproducts.com>
References: <45080320.9060700@trayerproducts.com> <45080447.7010007@trayerproducts.com> <4508089F.8080004@trayerproducts.com>
Message-ID: <45080E14.1000202@radel.com>

Green, Rodney wrote:
>
>
>
> Green, Rodney wrote:
>>
>>
>> Green, Rodney wrote:
>>>
>>> Hello,
>>>
>>> We recently had a day of downtime for our Internet connection. We
>>> don't have a backup MX to queue mail while our mail server is
>>> unreachable.
>>>
>>> My question is this. If I were to get a DSL connection setup and
>>> connect a backup DNS server and backup MX server, would there be a way
>>> for users to access incoming mail that is queued on the backup MX?
>>> How is something like this normally handled? We rely on e-mail here and
>>> need some sort of backup plan if our main connection goes down.
>>>
>>> Thanks for any suggestions.
>>> Rod
>>>
>>>
>>>
>>
>> Just to add a little more information.. I'm using postfix as our MTA
>> and of course MailScanner.
>>
>>
>>
>>
>
> Replying to my own post yet again.
> :-)
>
> I think my answer is in how DNS and MX records work. I guess I was
> confused by the term "backup mx." It looks like I would need to setup a
> duplicate mail server on the DSL connection, with a different FQDN, of
> course, and set it up as a final destination for mail. Then in DNS I
> would set up that new server with a lower priority than the normal
> server. If the primary server is down mail should then be delivered to
> the server on the DSL connection and be accessible to the users with a
> simple configuration change. Does this sound correct?
>

No. It sounds like a horrible mess. Manually maintaining the same users on two independent servers. A single user's mail split across two servers, with where a piece of mail sits depending on connectivity between the sender and your servers (your "backup" server would get some e-mail even if your main connection was nominally up, and it wouldn't *all* be spam).

Easiest of all would probably be buying one of the turn-key boxes available that allows you plug in multiple ISP connections and handles all the connectivity tracking and fiddling with multiple NAT tables for you. I suspect they come with explicit hints on how to setup your MX records to interop with their box. (I'd give brand names if I could recall any at the moment.)

Probably second easiest would be to simply multi-home your SMTP server, with an address from each ISP. It would then accept connections across either connection.

Another possibility would be to actually have a backup MX server, but make sure it could reach your mail server across a LAN connection so that it could forward incoming mail. This one wouldn't help with the problem of off-site clients reaching the server across the Internet.

Lots of choices, many of them driven by factors you've not covered here.
--Jon Radel

From dickenson at cfmc.com Wed Sep 13 14:58:35 2006
From: dickenson at cfmc.com (Jim Dickenson)
Date: Wed Sep 13 14:58:50 2006
Subject: OT: Backup MX
In-Reply-To: <4508089F.8080004@trayerproducts.com>
Message-ID:

If you do that then everyone will need to check for email on both servers. If there is any "glitch" with your primary then mail will go to your secondary. Also much spam will end up there and unless you clear it out you will have mailboxes full.

What I would do is think about putting in a second network card and have the system be on both networks. This way you can use the DSL server as a gateway to your real server and all email can still be delivered to your real server.

Alternatively you could put a second network card in your primary server and have it be both your primary and secondary.

--
Jim Dickenson
mailto:dickenson@cfmc.com
CfMC
http://www.cfmc.com/

> From: "Green, Rodney"
> Reply-To: MailScanner discussion
> Date: Wed, 13 Sep 2006 09:33:19 -0400
> To: MailScanner discussion
> Subject: Re: OT: Backup MX
>
>
>
> Green, Rodney wrote:
>>
>>
>> Green, Rodney wrote:
>>>
>>> Hello,
>>>
>>> We recently had a day of downtime for our Internet connection. We
>>> don't have a backup MX to queue mail while our mail server is
>>> unreachable.
>>>
>>> My question is this. If I were to get a DSL connection setup and
>>> connect a backup DNS server and backup MX server, would there be a way
>>> for users to access incoming mail that is queued on the backup MX?
>>> How is something like this normally handled? We rely on e-mail here and
>>> need some sort of backup plan if our main connection goes down.
>>>
>>> Thanks for any suggestions.
>>> Rod
>>>
>>>
>>>
>>
>> Just to add a little more information.. I'm using postfix as our MTA
>> and of course MailScanner.
>>
>>
>>
>>
>
> Replying to my own post yet again. :-)
>
> I think my answer is in how DNS and MX records work. I guess I was
> confused by the term "backup mx."
> It looks like I would need to setup a
> duplicate mail server on the DSL connection, with a different FQDN, of
> course, and set it up as a final destination for mail. Then in DNS I
> would set up that new server with a lower priority than the normal
> server. If the primary server is down mail should then be delivered to
> the server on the DSL connection and be accessible to the users with a
> simple configuration change. Does this sound correct?
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From rgreen at trayerproducts.com Wed Sep 13 15:04:46 2006
From: rgreen at trayerproducts.com (Green, Rodney)
Date: Wed Sep 13 15:06:08 2006
Subject: OT: Backup MX
In-Reply-To: <45080E14.1000202@radel.com>
References: <45080320.9060700@trayerproducts.com> <45080447.7010007@trayerproducts.com> <4508089F.8080004@trayerproducts.com> <45080E14.1000202@radel.com>
Message-ID: <45080FFE.4000202@trayerproducts.com>

Jon Radel wrote:
> Green, Rodney wrote:
>
>>
>> Green, Rodney wrote:
>>
>>> Green, Rodney wrote:
>>>
>>>> Hello,
>>>>
>>>> We recently had a day of downtime for our Internet connection. We
>>>> don't have a backup MX to queue mail while our mail server is
>>>> unreachable.
>>>>
>>>> My question is this. If I were to get a DSL connection setup and
>>>> connect a backup DNS server and backup MX server, would there be a way
>>>> for users to access incoming mail that is queued on the backup MX?
>>>> How is something like this normally handled? We rely on e-mail here and
>>>> need some sort of backup plan if our main connection goes down.
>>>>
>>>> Thanks for any suggestions.
>>>> Rod
>>>>
>>>>
>>>>
>>>>
>>> Just to add a little more information.. I'm using postfix as our MTA
>>> and of course MailScanner.
>>>
>>>
>>>
>>>
>>>
>> Replying to my own post yet again. :-)
>>
>> I think my answer is in how DNS and MX records work. I guess I was
>> confused by the term "backup mx." It looks like I would need to setup a
>> duplicate mail server on the DSL connection, with a different FQDN, of
>> course, and set it up as a final destination for mail. Then in DNS I
>> would set up that new server with a lower priority than the normal
>> server. If the primary server is down mail should then be delivered to
>> the server on the DSL connection and be accessible to the users with a
>> simple configuration change. Does this sound correct?
>>
>>
>
> No. It sounds like a horrible mess. Manually maintaining the same
> users on two independent servers. A single user's mail split across two
> servers, with where a piece of mail sits depending on connectivity
> between the sender and your servers (your "backup" server would get some
> e-mail even if your main connection was nominally up, and it wouldn't
> *all* be spam).
>
> Easiest of all would probably be buying one of the turn-key boxes
> available that allows you plug in multiple ISP connections and handles
> all the connectivity tracking and fiddling with multiple NAT tables for
> you. I suspect they come with explicit hints on how to setup your MX
> records to interop with their box. (I'd give brand names if I could
> recall any at the moment.)
>
> Probably second easiest would be to simply multi-home your SMTP server,
> with an address from each ISP. It would then accept connections across
> either connection.
>
> Another possibility would be to actually have a backup MX server, but
> make sure it could reach your mail server across a LAN connection so
> that it could forward incoming mail. This one wouldn't help with the
> problem of off-site clients reaching the server across the Internet.
>
> Lots of choices, many of them driven by factors you've not covered here.
>
> --Jon Radel
>
Ahh.. I didn't think of multi-homing the mail server. That seems like it might be the best option. I'll look into doing that.

Thanks everyone!
Rod

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From colin at mainline.co.uk Wed Sep 13 15:44:28 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Wed Sep 13 15:43:50 2006
Subject: Attachments
Message-ID:

Hope one of you MailScanner gurus can help!

We are having clients complaining that some messages with attachments aren't arriving ...

example (which I have replicated):

This morning I sent a message to a particular client who is having problems.
Attachment is a .zip of 2Mb
Our MTA (Exchange) says it has been delivered successfully
The receiving server maillog has no entries at all as far as I can see
I receive no bounce (yet) ..

I have checked the filename.rules.conf and filetype.rules.conf and they allow .zip files

If I put the following entry at the top of the filetype.rules.conf and filename.rules.conf

allow . - -

then all works fine.

I would like some filtering of files but cannot afford to have apparently innocuous files causing mail to evaporate ;)

Thanks

Colin

From sconway at wlnet.com Wed Sep 13 15:45:41 2006
From: sconway at wlnet.com (Stephen Conway)
Date: Wed Sep 13 15:46:29 2006
Subject: No Message Collected
Message-ID: <00d801c6d743$4956be00$b000000a@skyhawk>

Hello:

I am running with below:

Slackware Linux
Sendmail 8.10.2
Perl 5.6.1
MailScanner-4.55.10
SpamAssassin 3.1.0
McAfee A/V

After upgrading to MailScanner-4.55.10 , all is working for some time, but recently I have started to get 'No Message Collected' from time to time on messages. Can anyone advise a reason? I have seen in the archives that changing the "Lock Type = " setting can help this issue, if so what should I use? flock ?

Any help is appreciated.
--
ShipMail Now 30% Faster

From Denis.Beauchemin at USherbrooke.ca Wed Sep 13 16:05:55 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Sep 13 16:06:33 2006
Subject: Attachments
In-Reply-To:
References:
Message-ID: <45081E53.8020202@USherbrooke.ca>

Colin Jack wrote:
> Hope one of you MailScanner gurus can help!
>
> We are having clients complaining that some messages with attachments
> aren't arriving ...
>
> example (which I have replicated):
>
> This morning I sent a message to a particular client who is having
> problems.
> Attachment is a .zip of 2Mb
> Our MTA (Exchange) says it has been delivered successfully
> The receiving server maillog has no entries at all as far as I can see
> I receive no bounce (yet) ..
>
> I have checked the filename.rules.conf and filetype.rules.conf and they
> allow .zip files
>
> If I put the following entry at the top of the filetype.rules.conf and
> filename.rules.conf
>
> allow . - -
>
> then all works fine.
>
> I would like some filtering of files but cannot afford to have
> apparently innocuous files causing mail to evaporate ;)
>
> Thanks
>
> Colin
>
>
Colin,

The explanation is probably in your maillog file. Sendmail (or whichever MTA you use) should log every connection it receives and log things like envelope sender, time of day and message ID. Then grepping that message ID should tell you what happened to your mail.

Also you should put MS in verbose mode or run it in debug mode to get the full details about what is happening.

Verbose mode (MailScanner.conf):
Log Spam = yes
Log Silent Viruses = yes
Log Dangerous HTML Tags = yes

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060913/0992a37b/smime.bin

From martinh at solidstatelogic.com Wed Sep 13 16:15:50 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Sep 13 16:16:07 2006
Subject: .bmp files..
Message-ID: <450820A6.4000304@solidstatelogic.com>

All

given .bmp files still seem to be blocked by the filename rules on a default MS install, how many people have disabled this check as a lot of people seem to send great big bmps as part of their signatures?

I get quite a lot of FP's and was seriously contemplating turning this rule off.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From ssilva at sgvwater.com Wed Sep 13 16:17:57 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Sep 13 16:17:31 2006
Subject: No Message Collected
In-Reply-To: <00d801c6d743$4956be00$b000000a@skyhawk>
References: <00d801c6d743$4956be00$b000000a@skyhawk>
Message-ID:

Stephen Conway spake the following on 9/13/2006 7:45 AM:
> Hello:
>
> I am running with below:
>
> Slackware Linux
> Sendmail 8.10.2
> Perl 5.6.1
> MailScanner-4.55.10
> SpamAssassin 3.1.0
> McAfee A/V
>
> After upgrading to MailScanner-4.55.10 , all is working for some time, but
> recently I have started to get 'No Message Collected' from time to time on
> messages. Can anyone advise a reason?
> I have seen in the archives that
> changing the "Lock Type = " setting can help this issue, if so what should I
> use? flock ?
>
> Any help is appreciated.
>
>
First things first. That version of sendmail has a major security exploit. You should try to find a version later than 8.12.7. You might as well look for something in the 8.13 range because of the added features like greet_pause.

Usually the no message collected means that the remote system dropped the connection before finishing the message. Flock is the proper setting for that version of sendmail.

How old is your Slackware? I looked as far back as 8.0 and it came with sendmail 8.11.4. You might consider updating just for the security vulnerabilities that an old distro can have. You don't want to have a rootkitted zombie out there, do you?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From uxbod at splatnix.net Wed Sep 13 16:18:39 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Sep 13 16:18:52 2006
Subject: Stats Collection
Message-ID: <67d5607e4937cd9b22d5c69ae64b9bf1@localhost>

Hi All,

I have been modifying the mailgraph script that is floating around on the net to get the necessary statistics from Postfix and MailScanner. The Postfix side of things is all completed, but I am having a few issues with the MailScanner side. The problem I have is that I could use the line :-

    if($prog eq 'MailScanner') {
        if($text =~ /Uninfected/ ) {
            # Take the number between "Delivered " and " messages" in the log text
            my $clean = substr($text,index($text,"Delivered")+10,(index($text,"messages")-(index($text,"Delivered")+11)));
            # Record one 'sent' event per delivered message
            while ($clean > 0) {
                event($time, 'sent');
                $clean--;
            }
        }
    }

but this includes emails that get forwarded based on the SPAM actions, and therefore does not give a true representation of clean emails processed, like you would see in MailWatch. Virus counting etc is all working fine, so would it be possible to show in the output to maillog the true number of clean emails processed in each batch ?
Thanks,

--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From naolson at gmail.com Wed Sep 13 16:26:34 2006
From: naolson at gmail.com (Nathan Olson)
Date: Wed Sep 13 16:26:36 2006
Subject: .bmp files..
In-Reply-To: <450820A6.4000304@solidstatelogic.com>
References: <450820A6.4000304@solidstatelogic.com>
Message-ID: <8f54b4330609130826uec7d5b1w7e02a8df619647a5@mail.gmail.com>

People who send bitmaps in their signatures should be LARTed.

Nate

From Denis.Beauchemin at USherbrooke.ca Wed Sep 13 16:26:55 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Sep 13 16:27:20 2006
Subject: .bmp files..
In-Reply-To: <450820A6.4000304@solidstatelogic.com>
References: <450820A6.4000304@solidstatelogic.com>
Message-ID: <4508233F.6040706@USherbrooke.ca>

Martin Hepworth wrote:
> All
> given .bmp files still seem to be blocked by the filename rules on a
> default MS install, how many people have disabled this check as a lot
> of people seem to send great big bmps as part of their signatures?
>
> I get quite a lot of FP's and was seriously contemplating turning this
> rule off.
>
I never turned it on... was relying on our AV to block the bad ones... and had no infections because of it.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060913/cffc33cf/smime.bin

From ssilva at sgvwater.com Wed Sep 13 16:29:54 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Sep 13 16:29:48 2006
Subject: OT: Sendmail: stopping RBL checks for authenticated users
In-Reply-To: <45081559.18701.92A6CF@cobalt-users1.fishnet.co.uk>
References: <45081559.18701.92A6CF@cobalt-users1.fishnet.co.uk>
Message-ID:

Ian spake the following on 9/13/2006 6:27 AM:
> Hi,
>
> Sorry for the OT but you guys seem to know everything!
>
> We have a client who is a roaming user (all over Asia at the moment) and the IPs he
> connects with sometimes end up in RBL lists.
>
> I want to setup the submission port (587) and configure it to allow authenticated
> users only (no other restrictions). Does anyone know the correct submit.mc format to
> allow this?
>
> I already have smtp auth/sasl configured in the main sendmail but the RBL checks are
> done before the auth checks.
>
> My googling has so far come up with lots of people asking the question but no definite
> answers. Lots of other answers, but not this one.
>
> Thanks if you can help.
>
> Ian
AFAIR you need "feature (delay_checks)". That way smtp auth comes first. But I could be wrong. Just because I answered first doesn't mean I'm right.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From martinh at solidstatelogic.com Wed Sep 13 16:31:18 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Sep 13 16:31:28 2006
Subject: .bmp files..
In-Reply-To: <8f54b4330609130826uec7d5b1w7e02a8df619647a5@mail.gmail.com> References: <450820A6.4000304@solidstatelogic.com> <8f54b4330609130826uec7d5b1w7e02a8df619647a5@mail.gmail.com> Message-ID: <45082446.1060704@solidstatelogic.com> Nathan Olson wrote: > People who send bitmaps in their signatures should be LARTed. > > Nate Well, yes I have been educating people to get people that email them NOT to send 50K bmps in every email but..... -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From sconway at wlnet.com Wed Sep 13 16:45:19 2006 From: sconway at wlnet.com (Stephen Conway) Date: Wed Sep 13 16:45:21 2006 Subject: No Message Collected In-Reply-To: Message-ID: <00f501c6d74b$9e0c8ee0$b000000a@skyhawk> Hello Scott: Thanks for the information. Yes indeed we are in the process of upgrading that server including Sendmail, and the entire distribution. I will try the flock setting. The Slackware version is 7 I believe, although we have patched the network services previously. Thanks for the assistance and advise. 
Regards, Stephen -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Wednesday, September 13, 2006 11:18 AM To: mailscanner@lists.mailscanner.info Subject: Re: No Message Collected Stephen Conway spake the following on 9/13/2006 7:45 AM: > Hello: > > I am running with below: > > Slackware Linux > Sendmail 8.10.2 > Perl 5.6.1 > MailScanner-4.55.10 > SpamAssassin 3.1.0 > McAfee A/V > > After upgrading to MailScanner-4.55.10 , all is working for some time, > but recently I have started to get 'No Message Collected' from time to > time on messages. Can anyone advise a reason? I have seen in the > archives that changing the "Lock Type = " setting can help this issue, > if so what should I use? flock ? > > Any help is appreciated. > > First things first. That version of sendmail has a major security exploit. You should try to find a version later than 8.12.7. You might as well look for something in the 8.13 range because of the added features like greet_pause. Usually the no message collected means that the remote system dropped the connection before finishing the message. Flock is the proper setting for that version of sendmail. How old is your Slackware? I looked as far back as 8.0 and it came with sendmail 8.11.4. You might consider updating just for the security vulnerabilities that an old distro can have. You don't want to have a rootkitted zombie out there, do you? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From Kevin_Miller at ci.juneau.ak.us Wed Sep 13 17:01:39 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Sep 13 17:01:43 2006 Subject: MailScanner stopping In-Reply-To: <223f97700609122327s578d13e2o4f99141e5ba9a38c@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 13/09/06, Kevin Miller wrote: >> Last week there was a thread about MailScanner ceasing to work. I >> was seeing that behavior - it was running, but was all balled up. >> Turned out that when 'MailScanner restart' was called that some >> sendmail processes persisted past the $RESTART_DELAY time. This >> only appears to happen on later MS servers. Not sure what changes >> to the init script make the difference - my 4.48 server doesn't have >> a problem. >> >> The pids that MailScanner creates all evaporate almost immediately; >> the persistent sendmail processes are generally (as nearly as I can >> tell) connections that smf-sav initiates. (smf-sav is sorta like >> milter-sender and milter-ahead rolled into one.) I wasn't seeing the >> problem until I installed it, but it's too nifty to get rid of even >> if it's not as robust as the milters from Snertsoft. >> >> It can take up to a minute or two for all the connections to expire. >> I'm guessing the remote hosts are maybe doing greet-pause or >> graylisting when I do the sender verification, which causes them to >> sit around for a bit. >> > Sounds a bit odd... You're not getting tar-pitted by your own internal > servers, are you? Nope - doing a ps aux shows the connections and associated far end. Most connections close pretty fast, there's just one or two, maybe three that persist. Not the same one's of course, since at any given random moment I could be connected to almost anyone. The idea that some sendmail processes persist longer than the $RESTART_DELAY has been mentioned in other contexts for a long time. It's just that it was a very random occurance historically. Now (at least in my case) it is more frequent. 
I assume that in general it's not a good idea to restart until all is cleaned up, hence the hack. A real bash programmer could probably make it prettier. For some reason the newline doesn't kick in when I echo the the output of ps. Don't know why. Don't really need the echos in there at all, but I find them handy to see where I'm stalled, even if the formatting is butt-ugly. S'later... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mailscanner at yeticomputers.com Wed Sep 13 18:19:00 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Wed Sep 13 18:19:13 2006 Subject: Autoresponder Evils? In-Reply-To: <20060912234839.T25554@defjam.cc.strath.ac.uk> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <45070379.1020507@yeticomputers.com> <20060912211925.A25554@defjam.cc.strath.ac.uk> <45072F90.30204@yeticomputers.com> <20060912234839.T25554@defjam.cc.strath.ac.uk> Message-ID: <45083D84.9020603@yeticomputers.com> Jethro R Binks wrote: > But the problem isn't autoresponders themselves. No, it's the people who insist on using them. (sigh) I acknowledge that the *root* problem is the desire to do a particular thing with a system that was not designed to do so either intelligently or securely in a world with spam. This does not mean that one should rush in with a flawed solution when other people are going to be required to deal with the consequences of said solution. >> I find that most people who defend autoresponders are in a way akin >> to the spam pundits who say, "Just hit delete!" > > Ridiculous analogy. No, it's not. 1. You have something you want to do. This thing benefits you. (Send UCE. Send Autoresponses.) 2. The thing you want to do affects others without their consent. (Processing unwanted mail, regardless of content.) 3. 
Your response when asked to stop or find a better solution is, basically, "No. I (and others) need to do this. You're running a mail server. *You* solve it, or just deal with it, but I won't stop." (Same response I hear from spammers.) Yes, matters of scale, intent and the direct impact of the two may differ. I accept that you honestly believe that an attempt to minimize the amount of garbage an automated reply system spews makes it okay when it *does* make a mistake. I deal with a *lot* more spam than I do misfiring autoresponders. None of that makes the behavior of even a sensibly configured autoresponder acceptable when it flings a few thousand messages at an innocent mail server. Look, I understand that no system is ever going to be perfect, but a system that automatically generates email should do better than these do. Even the sensible ones. I currently manage email for about 30 active domains and 60 or so that get almost no use. That makes my current setup tiny. I reject between 12000 and 30000 messages at the MTA level every day. (With not a single user complaint to date. Yay!) MailScanner and SA do a wonderful job with the rest. Out of the unwanted mail that gets through untagged on any given day, about 80% will be image spam, 10% will be other spam and the remaining 10% will be split among challenge-response messages, bogus virus/spam bounces/warnings and autoresponders. It is *not* a serious problem. My issue is philosophical, not immensely practical. That said, I have been hammered by autoresponders in the past, even sensibly configured ones. Risk of having a mail server on the net? Yes. So is spam, as you said. But after hammering someone's mail server, rather than sitting back smugly satisfied that their setup is "sensible" one should make an effort to fix the problem. Or at least... apologize? Failure to do so is rude. 
And the number of people I've seen whining about being reported to an RBL for doing "nothing wrong" just reminds me of how many people really are rude. (John Rudd: I'm not including you - I don't know your specifics. I don't use SpamCop, either, although it's because people such as yourself have made me fear false-positive user complaints. I already have great results from the set I use, which includes TrendMicro.) >> If asked, "What else am I supposed to do to solve this problem?" >> all I can say is, "Don't make your problem mine." > > That's a piss-poor response though. Yeah, it probably is. I'd be a lot more popular - and a lot more wealthy - if I could solve the problem of automatically identifying unwanted mail. But do you think it's appropriate to spread your problems to others without their consent? To say that if I don't have an answer to your needs that I should "just deal?" I find that rude. It's my responsibility to solve my own problems. Absolutely. But if those problems are caused by the actions of another, I have the right to at least ask them to *stop it*. And if I should ban (or cause to be banned) a mail server that has flooded mine, the owner of that server should "just deal." Right? Users want this - you're right about that. Even when it's explained to them what problems there can be with autoresponders, they still want them. So it's our job to figure out how to create one that works without creating problems for anyone. Or it's our job to figure out a better way to do the same thing. The problem is not that a better solution can't be developed. The problem is that people don't want a different solution. > I happily grant you leave to bitch about crap autoresponder > mechanisms if it makes you happy, and there are very many to bitch > about. But do not tar them all with the same brush, and do not make > the mistake of saying that autoresponders are the problem when they > are not. So... Are the users the problem? 
The administrators who can't convince the users to try different solutions? The developers who can't create a magically perfect autoresponder? I'm not using the same brush, anyway. I have a "hideously awful, should be destroyed immediately" brush and a "this sucks, but probably isn't worth doing anything about" brush. There are no perfect autoresponders, and there will not be until the issue of authoritatively identifying the legitimacy of any given email is solved. Rick -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060913/3dd84a65/attachment.html From ugob at camo-route.com Wed Sep 13 18:26:10 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Wed Sep 13 18:27:03 2006 Subject: Slow completewhois dnsbl? In-Reply-To: References: Message-ID: Ugo Bellavance wrote: > I use some completewhois dnsbl on some servers, and one of them had the > incoming mail queue growing today. I checked, and when I checked the > size of the incoming mail queue, I got many > > (dnsbl map: lookup (194.193.167.63.hijacked.dnsiplists.comple) > > The dnsbl location is hijacked.dnsiplists.completewhois.com' > > Anyone getting this? > Sorry, it was a DNS resolution issue. Seems to be caused by a bug in bind. Updated the package with yum and problem is gone. Regards, Ugo From taz at taz-mania.com Wed Sep 13 19:02:24 2006 From: taz at taz-mania.com (Dennis Willson) Date: Wed Sep 13 19:02:30 2006 Subject: OT: Backup MX In-Reply-To: <4508089F.8080004@trayerproducts.com> Message-ID: Actually running a backup MX is a good thing. You can multi-home the backup MX (I refer to this as a mail hub), This hub is setup as a lower priority MX, then it would be setup to forward all email for your domain(s) to the real server via the second interface. The hub should not have to know anything about users. I have a setup where I have two hubs that forward to the end user mail server. 
The end user mail server never directly receives email from the internet. All Spam filtering is done out at the hubs so the server the users deal with has all its CPU power to handle users requests and they see good response times from the server regardless of how much load the hubs are under due to Spam scanning/filtering. While a lot of people know this.... remember the DSL line will need a static IP address. On Wed, 13 Sep 2006 09:33:19 -0400 "Green, Rodney" wrote: > > >Green, Rodney wrote: >> >> >>Green, Rodney wrote: >>> >>>Hello, >>> >>>We recently had a day of downtime for our Internet connection. We >>>don't have a backup MX to queue mail while our mail server is >>>unreachable. >>> >>>My question is this. If I were to get a DSL connection setup and >>>connect a backup DNS server and backup MX server, would there be a >>>way >>>for users to access incoming mail that is queued on the backup MX? >>>How is something like this normally handled? We rely on e-mail here >>>and >>>need some sort of backup plan if our main connection goes down. >>> >>>Thanks for any suggestions. >>>Rod >>> >>> >>> >> >>Just to add a little more information.. I'm using postfix as our MTA >>and of course MailScanner. >> >> >> >> > >Replying to my own post yet again. :-) > >I think my answer is in how DNS and MX records work. I guess I was >confused by the term "backup mx." It looks like I would need to setup >a duplicate mail server on the DSL connection, with a different FQDN, >of course, and set it up as a final destination for mail. Then in DNS >I would set up that new server with a lower priority than the normal >server. If the primary server is down mail should then be delivered >to the server on the DSL connection and be accessible to the users >with a simple configuration change. Does this sound correct? > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. 
> >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham: ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From lodder at delodder.be Wed Sep 13 19:54:20 2006 From: lodder at delodder.be (Philippe Delodder) Date: Wed Sep 13 19:53:48 2006 Subject: bayes not sure of use Message-ID: <2174.87.64.239.19.1158173660.squirrel@mail.delodder.be> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I have actived bayes in the spam.assassin.prefs.conf, but I don't see it in the MailScanner-SpamCheck. Is this normal I use Mailscanner 4.55.10 with postfix 2.2.10 and spamassassin 3.0.6 Pls help me clear this out - -- Philippe Delodder lodder@delodder.be http://www.delodder.be -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFFCFPc3KvtrDGPcVURAgUpAJ9GGCpSEBZAWj2EJkANqzwN98sKmACfeXQE QOoV3/cFfoavSMIIbaWQgk4= =xQIg -----END PGP SIGNATURE----- From mkettler at evi-inc.com Wed Sep 13 20:03:57 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Sep 13 20:04:07 2006 Subject: bayes not sure of use In-Reply-To: <2174.87.64.239.19.1158173660.squirrel@mail.delodder.be> References: <2174.87.64.239.19.1158173660.squirrel@mail.delodder.be> Message-ID: <4508561D.3040000@evi-inc.com> Philippe Delodder wrote: > Hi, > > I have actived bayes in the spam.assassin.prefs.conf, but I don't see it > in the MailScanner-SpamCheck. You shouldn't need to enable it. 
SpamAssassin defaults to having bayes enabled. That said, bayes will not just magically start scoring messages as soon as you turn it on. Bayes needs to learn at least 200 spam and 200 nonspam messages before it will have enough tokens to make reasonable scores, so SpamAssassin will refuse to use it until then. By default SA will auto-learn messages, but it can take a long time to learn enough nonspam messages. However, you can accelerate this by training messages manually with sa-learn. From lshaw at emitinc.com Wed Sep 13 20:12:15 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Wed Sep 13 20:12:30 2006 Subject: bayes not sure of use In-Reply-To: <2174.87.64.239.19.1158173660.squirrel@mail.delodder.be> References: <2174.87.64.239.19.1158173660.squirrel@mail.delodder.be> Message-ID: On Wed, 13 Sep 2006, Philippe Delodder wrote: > I have actived bayes in the spam.assassin.prefs.conf, but I don't see it > in the MailScanner-SpamCheck. > > Is this normal I use Mailscanner 4.55.10 with postfix 2.2.10 and > spamassassin 3.0.6 The bayes database must have some training data to populate its database of keywords and their probabilities. It needs to see some examples of spam messages and some examples of non-spam, at least 200 of each. Until it has enough training data, it will not put a score on any message. In the default configuration, training of the bayes database happens automatically: messages with very low or high scores (based on all the other rules) are fed to it. So, you can just wait for a while and eventually it should see enough ham and enough spam messages to build up training data and should start working on its own. If you want to get it working sooner (or if you want to correct mistakes it has made), you can train it with the "sa-learn" command. "sa-learn --dump magic" will tell you how many spam and ham messages you've seen so far. Look for the "nham" and "nspam" rows in the output. 
- Logan From steve.swaney at fsl.com Wed Sep 13 20:25:25 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Sep 13 20:25:30 2006 Subject: How do i stop these spams? In-Reply-To: <45076BC7.2080408@txk.k12.ar.us> Message-ID: <003f01c6d76a$5d6da5d0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of James L. Day > Sent: Tuesday, September 12, 2006 10:24 PM > To: MailScanner discussion > Subject: Re: How do i stop these spams? > > Stephen, > > There's a broken link on the page: > > http://www.fsl.com/support.html > > The hyperlink for this entry: > > Bayes Starter DB (FreeBSD SA 3.0) > > ..needs "support/" added to it so that it reads: > > http://www.fsl.com/support/bayes-FreeBSD-SA-3.0-starter-db.tar.gz > > Thanks, > Lynn > This link is fixed now. I'm still working on a few others. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From jrudd at ucsc.edu Wed Sep 13 21:07:21 2006 From: jrudd at ucsc.edu (John Rudd) Date: Wed Sep 13 21:08:42 2006 Subject: Autoresponder Evils? In-Reply-To: <45083D84.9020603@yeticomputers.com> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <45070379.1020507@yeticomputers.com> <20060912211925.A25554@defjam.cc.strath.ac.uk> <45072F90.30204@yeticomputers.com> <20060912234839.T25554@defjam.cc.strath.ac.uk> <45083D84.9020603@yeticomputers.com> Message-ID: <2a5a01717bcd6c6727de4078ae6b4b91@ucsc.edu> On Sep 13, 2006, at 10:19, Rick Chadderdon wrote: > Jethro R Binks wrote: > > > But the problem isn't autoresponders themselves. > > No, it's the people who insist on using them. No, the problem is spam. The secondary problem are people who use a tool without understanding it and using it responsibly. 
(and/or people who distribute versions of the tool which are difficult or impossible to use responsibly) In neither case is the problem the autoresponder tool itself, nor is the problem "people who insist on using the autoresponder tool".

> (sigh)
>
> I acknowledge that the *root* problem is the desire to do a
> particular thing with a system that was not designed to do so either
> intelligently or securely in a world with spam. This does not mean
> that one should rush in with a flawed solution when other people are
> going to be required to deal with the consequences of said solution.

That's the tail wagging the dog. Autoresponders predate the spam problem. By a lot. So, it's not that someone rushed into a world with spam and added a flawed solution to a timeliness of email response problem. They created a timeliness of email response solution, then spam came into the world, and arguably not everyone implementing that solution has updated themselves to address that change in the world. Advocating banning of autoresponders says that no such adaption can possibly happen, and that the autoresponders themselves are the problem. I think both of those statements are fundamentally flawed.

> >> I find that most people who defend autoresponders are in a way akin
> >> to the spam pundits who say, "Just hit delete!"
> >
> > Ridiculous analogy.
>
> No, it's not.
>
> 1. You have something you want to do. This thing benefits you.
> (Send UCE. Send Autoresponses.)

It also potentially benefits the sender, as they may want to know that any time-critical or business-critical process will be on hold while I'm away ... and that they therefore should have contacted someone else (which is hopefully specified in the message), or be given a time frame before I'll be able to respond.
It is NOT just something that I want to do (my managers and customers impose it upon me, actually), and it is NOT just something that benefits me (it actually provides me with no benefits other than getting my manager off of my back), it also benefits my customers. (my customers in this case being the faculty, staff, and students of the university)

> 2. The thing you want to do affects others without their consent.
> (Processing unwanted mail, regardless of content.)

With their consent. If someone sends me email, they give implicit consent to receiving a reply from me. I would agree that there should be some diligence in ensuring that the sender is actually the sender. For a non-autoresponder that's easier: read the message, see whether it appears to be legit or not. For an autoresponder, what is due diligence? (I offer an answer at the end)

> 3. Your response when asked to stop or find a better solution is,
> basically, "No. I (and others) need to do this. You're running a
> mail server. *You* solve it, or just deal with it, but I won't
> stop." (Same response I hear from spammers.)

If the argument here was "refine the autoresponder solution", that would be one thing. For one, it is not the same as "autoresponders are evil and should be banned". It would be more like "autoresponders need to be used responsibly". I don't think I've seen _anyone_ here argue against them being used responsibly. The argument here is whether or not it is reasonable to advocate banning autoresponders outright. It is not.

(some suggestions that I would make for refining the autoresponder solution, and what constitutes due diligence for autoresponders, are: making sure that your autoresponder doesn't reply to things which your own system believes to be spam (ie.
your own anti-spam solution marked it as spam), and tries to do another step in validation with something like domain keys, when that's available (maybe SPF, but SPF has its own set of limitations which may make it an unreasonable requirement); IMO, if possible, set up Spam Assassin to do DomainKeys and SPF checks; if the message is marked as spam by SA, don't let your autoresponder reply to it; otherwise, if SA doesn't mark it as spam, you've done due diligence in attempting to discern whether or not it should be responded to, and you can feed it to your autoresponder ... if you want to be extra diligent, you could set your "do or don't autorespond" threshold to be lower than your spam threshold (3 or 4, instead of 5?)). From colin at mainline.co.uk Wed Sep 13 21:17:46 2006 From: colin at mainline.co.uk (Colin Jack) Date: Wed Sep 13 21:17:58 2006 Subject: Attachments Message-ID: Hmmm ... it looks like MailScanner is refusing the attachments because the .zip file contains unacceptable files ... e.g. .exe and .chm This seems a little over the zealous. We usually suggest to clients mailing .exe files (install files for example) to .zip them up to get through filters!! What is the best way to deal with this? Can I tell MailScanner not to look inside .zip files Thanks Colin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Denis Beauchemin > Sent: 13 September 2006 16:06 > To: MailScanner discussion > Subject: Re: Attachments > > Colin Jack a écrit : > > Hope one of you MailScanner gurus can help! > > > > We are having clients complaining that some messages with > attachments > > aren't arriving ... > > > > example (which I have replicated): > > > > This morning I sent a message to a particular client who is having > > problems. 
> > Attachment is a .zip of 2Mb > > Our MTA (Exchange) says it has been delivered successfully The > > receiving server maillog has no entries at all as far as I > can see I > > receive no bounce (yet) .. > > > > I have checked the filename.rules.conf and filetype.rules.conf and > > they allow .zip files > > > > If I put the following entry at the top of the > filetype.rules.conf and > > filename.rules.conf > > > > allow . - - > > > > then all works fine. > > > > I would like some filtering of files but cannot afford to have > > apparently innocuous files causing mail to evaporate ;) > > > > Thanks > > > > Colin > > > > > Colin, > > The explanation is probably in you maillog file. Sendmail > (or whichever MTA you use) should log every connection it > receives and log things like envelope sender, time of day and > message ID. Then grepping that message ID should tell you > what happened to your mail. > > Also you should put MS in verbose mode or run it in debug > mode to get the full details about what is happening. > > Verbose mode (MailScanner.conf): > Log Spam = yes > Log Silent Viruses = yes > Log Dangerous HTML Tags = yes > > Denis > > -- > _ > °v° Denis Beauchemin, analyste > /(_)\ Université de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > > > From mkettler at evi-inc.com Wed Sep 13 21:26:03 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Sep 13 21:26:16 2006 Subject: Attachments In-Reply-To: References: Message-ID: <4508695B.8090207@evi-inc.com> Colin Jack wrote: > Hmmm ... it looks like MailScanner is refusing the attachments because > the .zip file contains unacceptable files ... e.g. .exe and .chm > > This seems a little over the zealous. We usually suggest to clients > mailing .exe files (install files for example) to .zip them up to get > through filters!! > > What is the best way to deal with this? 
Can I tell MailScanner not to
> look inside .zip files
>

From MailScanner.conf:

# The maximum depth to which zip archives will be unpacked, to allow for
# checking filenames and filetypes within zip archives.
#
# Note: This setting does *not* affect virus scanning in archives at all.
#
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That block password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 0

From dan.farmer at phonedir.com Wed Sep 13 21:33:49 2006
From: dan.farmer at phonedir.com (Dan Farmer)
Date: Wed Sep 13 21:34:42 2006
Subject: Attachments
In-Reply-To:
References:
Message-ID: <72642056-ED87-4FA2-B1D1-47728165B306@phonedir.com>

On Sep 13, 2006, at 2:17 PM, Colin Jack wrote:

> Hmmm ... it looks like MailScanner is refusing the attachments because
> the .zip file contains unacceptable files ... e.g. .exe and .chm
>
> This seems a little over the zealous. We usually suggest to clients
> mailing .exe files (install files for example) to .zip them up to get
> through filters!!
>
> What is the best way to deal with this? Can I tell MailScanner not to
> look inside .zip files

# The maximum depth to which zip archives will be unpacked, to allow for
# checking filenames and filetypes within zip archives.
#
# Note: This setting does *not* affect virus scanning in archives at all.
#
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That block password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 0 From glenn.steen at gmail.com Wed Sep 13 21:45:24 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 13 21:45:27 2006 Subject: MailScanner stopping In-Reply-To: References: <223f97700609122327s578d13e2o4f99141e5ba9a38c@mail.gmail.com> Message-ID: <223f97700609131345w135b223ah3366b49ecf6cf87e@mail.gmail.com> On 13/09/06, Kevin Miller wrote: > Glenn Steen wrote: > > On 13/09/06, Kevin Miller wrote: > >> Last week there was a thread about MailScanner ceasing to work. I > >> was seeing that behavior - it was running, but was all balled up. > >> Turned out that when 'MailScanner restart' was called that some > >> sendmail processes persisted past the $RESTART_DELAY time. This > >> only appears to happen on later MS servers. Not sure what changes > >> to the init script make the difference - my 4.48 server doesn't have > >> a problem. > >> > >> The pids that MailScanner creates all evaporate almost immediately; > >> the persistent sendmail processes are generally (as nearly as I can > >> tell) connections that smf-sav initiates. (smf-sav is sorta like > >> milter-sender and milter-ahead rolled into one.) I wasn't seeing the > >> problem until I installed it, but it's too nifty to get rid of even > >> if it's not as robust as the milters from Snertsoft. > >> > >> It can take up to a minute or two for all the connections to expire. > >> I'm guessing the remote hosts are maybe doing greet-pause or > >> graylisting when I do the sender verification, which causes them to > >> sit around for a bit. > >> > > Sounds a bit odd... You're not getting tar-pitted by your own internal > > servers, are you? > > Nope - doing a ps aux shows the connections and associated far end. > Most connections close pretty fast, there's just one or two, maybe three > that persist. Not the same one's of course, since at any given random > moment I could be connected to almost anyone. Fair enough. 
> The idea that some sendmail processes persist longer than the
> $RESTART_DELAY has been mentioned in other contexts for a long time.
> It's just that it was a very random occurrence historically. Now (at
> least in my case) it is more frequent.

And I'm sure you've scrutinized every possible angle (and some impossible:-) as to why it's more frequent now, so I'll shut up about that:-)

> I assume that in general it's not a good idea to restart until all is
> cleaned up, hence the hack.

Good idea, yes.

> A real bash programmer could probably make
> it prettier.

Pretty doesn't come into it when scripting... Usual code health, yes, but not "pretty":-). After all, when scripting in we're after function... If we wanted pretty we'd not do it in a shell:-):-)

> For some reason the newline doesn't kick in when I echo
> the output of ps. Don't know why. Don't really need the echos in
> there at all, but I find them handy to see where I'm stalled, even if
> the formatting is butt-ugly.

I think I know why, or at least some part of it... You have a rather "bad" error in that case statement... I'll just copy it here and comment in it:

  restart)
        $0 stop
        # Initialize the test variable
        Pidval=sendmail
        ;; # <---- This line terminates the case started at the "restart)".
        # Everything below this line, until the next case is just _never executed_
        # Loop as long as there's a sendmail process
        while [ "$Pidval" != "" ]; do
                # Look for sendmail but ignore the grep
                Pidval=`ps aux | grep sendmail | grep -v grep`
                echo
                echo $Pidval
                sleep $RESTART_DELAY
        done
        $0 start
        rc_status
        # This is where you should have the double semi-colons (;;)
  ...

Further, some distros try to be overly clever about their sysV init scripts, so even with that corrected, you might get some rather non-obvious displays from those echos. But then, it really should work OK with that fixed. The "style" doesn't matter much, and the technique to do the waiting is pretty standard...
What you could do is "enhance" it with a counter, so that you only iterate a set number of times (6 times would give you three minutes). > > S'later... > > ...Kevin Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Sep 13 22:00:26 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 13 22:00:30 2006 Subject: OT: Backup MX In-Reply-To: References: <4508089F.8080004@trayerproducts.com> Message-ID: <223f97700609131400o41a15282jf1b04a4f90aa5015@mail.gmail.com> On 13/09/06, Dennis Willson wrote: > > Actually running a backup MX is a good thing. You can multi-home the > backup MX (I refer to this as a mail hub), This hub is setup as a > lower priority MX, then it would be setup to forward all email for > your domain(s) to the real server via the second interface. The hub > should not have to know anything about users. > > I have a setup where I have two hubs that forward to the end user mail > server. The end user mail server never directly receives email from > the internet. All Spam filtering is done out at the hubs so the server > the users deal with has all its CPU power to handle users requests and > they see good response times from the server regardless of how much > load the hubs are under due to Spam scanning/filtering. > > While a lot of people know this.... remember the DSL line will need a > static IP address. > > Just adding a tad to Dennis advice: The hubs need be equal in one thing: Setup to fight spam etc. Meaning that the relays will need know enough about the users (if running PF, just hypothetically:-) to know which mails to accept for relay and which not to accept. If one does as Dennis, and have hubs that are equal in all sense except priority (and connectivity), one should be able to cope by mirroring/rsyncing selected config directories... and having bayes (and whatnot:) in sql. 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Kevin_Miller at ci.juneau.ak.us Wed Sep 13 22:13:12 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Sep 13 22:13:15 2006 Subject: MailScanner stopping In-Reply-To: <223f97700609131345w135b223ah3366b49ecf6cf87e@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 13/09/06, Kevin Miller wrote: >> Glenn Steen wrote: >>> On 13/09/06, Kevin Miller wrote: >>>> Last week there was a thread about MailScanner ceasing to work. I >>>> was seeing that behavior - it was running, but was all balled up. >>>> Turned out that when 'MailScanner restart' was called that some >>>> sendmail processes persisted past the $RESTART_DELAY time. This >>>> only appears to happen on later MS servers. Not sure what changes >>>> to the init script make the difference - my 4.48 server doesn't >>>> have a problem. >>>> >>>> The pids that MailScanner creates all evaporate almost immediately; >>>> the persistent sendmail processes are generally (as nearly as I can >>>> tell) connections that smf-sav initiates. (smf-sav is sorta like >>>> milter-sender and milter-ahead rolled into one.) I wasn't seeing >>>> the problem until I installed it, but it's too nifty to get rid of >>>> even if it's not as robust as the milters from Snertsoft. >>>> >>>> It can take up to a minute or two for all the connections to >>>> expire. I'm guessing the remote hosts are maybe doing greet-pause >>>> or graylisting when I do the sender verification, which causes >>>> them to sit around for a bit. >>>> >>> Sounds a bit odd... You're not getting tar-pitted by your own >>> internal servers, are you? >> >> Nope - doing a ps aux shows the connections and associated far end. >> Most connections close pretty fast, there's just one or two, maybe >> three that persist. Not the same one's of course, since at any >> given random moment I could be connected to almost anyone. > > Fair enough. 
>
>> The idea that some sendmail processes persist longer than the
>> $RESTART_DELAY has been mentioned in other contexts for a long time.
>> It's just that it was a very random occurrence historically. Now (at
>> least in my case) it is more frequent.
>
> And I'm sure you've scrutinized every possible angle (and some
> impossible:-) as to why it's more frequent now, so I'll shut up about
> that:-)
>
>> I assume that in general it's not a good idea to restart until all is
>> cleaned up, hence the hack.
> Good idea, yes.
>> A real bash programmer could probably make
>> it prettier.
> Pretty doesn't come into it when scripting... Usual code health, yes,
> but not "pretty":-). After all, when scripting in shell> we're after function... If we wanted pretty we'd not do it in a
> shell:-):-)
>> For some reason the newline doesn't kick in when I echo
>> the output of ps. Don't know why. Don't really need the echos
>> in there at all, but I find them handy to see where I'm stalled,
>> even if the formatting is butt-ugly.
>
> I think I know why, or at least some part of it... You have a rather
> "bad" error in that case statement... I'll just copy it here and
> comment in it:
> restart)
>         $0 stop
>         # Initialize the test variable
>         Pidval=sendmail
>         ;; # <---- This line terminates the case started at the "restart)".
>         # Everything below this line, until the next case is just _never executed_
>         # Loop as long as there's a sendmail process
>         while [ "$Pidval" != "" ];
>         do
>                 # Look for sendmail but ignore the grep
>                 Pidval=`ps aux | grep sendmail | grep -v grep`
>                 echo
>                 echo $Pidval
>                 sleep $RESTART_DELAY
>         done
>         $0 start
>         rc_status
>         # This is where you should have the double semi-colons (;;)
> ...
>
> Further, some distros try to be overly clever about their sysV init
> scripts, so even with that corrected, you might get some rather
> non-obvious displays from those echos. But then, it really should work
> OK with that fixed.
> The "style" doesn't matter much, and the technique to do the waiting
> is pretty standard... What you could do is "enhance" it with a
> counter, so that you only iterate a set number of times (6 times would
> give you three minutes).

Thanks Glenn. As it turns out, I just made that mistake in what I posted here. I tried it out on my servers and they worked as advertised (that's how I knew the newline wasn't working right). I probably copied from the editor prior to a bit of cleanup. By a stroke of luck all my servers looked fine when I checked them just now.

Not sure I'd want a counter in there since the idea is to be absolutely sure that everything is shut down before restarting.

Appreciate the clarification none the less, as I was thinking they were just comment delimiters similar to the # sign. Learn something new every day...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From glenn.steen at gmail.com Wed Sep 13 22:56:08 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 13 22:56:12 2006
Subject: MailScanner stopping
In-Reply-To:
References: <223f97700609131345w135b223ah3366b49ecf6cf87e@mail.gmail.com>
Message-ID: <223f97700609131456w53462ee6rdb2897108f1be8d4@mail.gmail.com>

On 13/09/06, Kevin Miller wrote:
(snip)
> Thanks Glenn. As it turns out, I just made that mistake in what I
> posted here. I tried it out on my servers and they worked as advertised
> (that's how I knew the newline wasn't working right). I probably copied
> from the editor prior to a bit of cleanup. By a stroke of luck all my
> servers looked fine when I checked them just now.

:) I always tend to emphasise "skill" over "luck"... Especially when it's time for the annual raise:-)

> Not sure I'd want a counter in there since the idea is to be absolutely
> sure that everything is shut down before restarting.
The thinking is that you'd set the counter so that you wouldn't hang forever, but still extend the wait period dynamically, and reasonably. Then again, one can always kill it (or -:-). > Appreciate the clarification none the less, as I was thinking they were > just comment delimeters similar to the # sign. Learn something new > every day... Indeed. The newline thing is probably "init magic" then:-). Do you run it through "service ..." or similar? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jethro.binks at strath.ac.uk Wed Sep 13 23:00:54 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Wed Sep 13 23:00:57 2006 Subject: Autoresponder Evils? In-Reply-To: <45083D84.9020603@yeticomputers.com> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <45070379.1020507@yeticomputers.com> <20060912211925.A25554@defjam.cc.strath.ac.uk> <45072F90.30204@yeticomputers.com> <20060912234839.T25554@defjam.cc.strath.ac.uk> <45083D84.9020603@yeticomputers.com> Message-ID: <20060913225336.S32555@defjam.cc.strath.ac.uk> On Wed, 13 Sep 2006, Rick Chadderdon wrote: > Users want this - you're right about that. Even when it's explained to > them what problems there can be with autoresponders, they still want > them. So it's our job to figure out how to create one that works > without creating problems for anyone. Or it's our job to figure out a > better way to do the same thing. The problem is not that a better > solution can't be developed. The problem is that people don't want a > different solution. Well, they haven't actually been offered much of an alternative so far, so I find it is difficult to see that conclusion. 
Nevertheless, amen to your comments: there is a problem to be solved; it is either: design an autoresponder system that never replies 'inappropriately' (which will no doubt piggy-back any anti-forgery system in email); or: implement a completely new method of indicating mailbox-attention-status that isn't vulnerable to forgery in the first place. > There are no perfect autoresponders, and there will not be until the > issue of authoritatively identifying the legitimacy of any given email > is solved. Absolutely; so until that happens, let's make all autoresponders as sensible and reasonable as they can be, and live with the inconveniences they impose on the few, rather than throwing them out and inconveniencing the many. Unfortunately, neither position is enforceable, but we'd probably have more luck leaning on vendors to implement sensible autoresponders than we would leaning on them to remove the feature completely ... And on that note, I have nothing more to add, but it has been interesting :) Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From pete at enitech.com.au Thu Sep 14 02:26:04 2006 From: pete at enitech.com.au (Peter Russell) Date: Thu Sep 14 02:26:23 2006 Subject: bayes not sure of use In-Reply-To: References: <2174.87.64.239.19.1158173660.squirrel@mail.delodder.be> Message-ID: <4508AFAC.2000406@enitech.com.au> Logan Shaw wrote: > On Wed, 13 Sep 2006, Philippe Delodder wrote: >> I have actived bayes in the spam.assassin.prefs.conf, but I don't see it >> in the MailScanner-SpamCheck. >> >> Is this normal I use Mailscanner 4.55.10 with postfix 2.2.10 and >> spamassassin 3.0.6 > > The bayes database must have some training data to populate its > database of keywords and their probabilities. It needs to see > some examples of spam messages and some examples of non-spam, > at least 200 of each. 
Until it has enough training data, > it will not put a score on any message. > > In the default configuration, training of the bayes database > happens automatically: messages with very low or high scores > (based on all the other rules) are fed to it. So, you can > just wait for a while and eventually it should see enough ham > and enough spam messages to build up training data and should > start working on its own. > > If you want to get it working sooner (or if you want to correct > mistakes it has made), you can train it with the "sa-learn" > command. > > "sa-learn --dump magic" will tell you how many spam and > ham messages you've seen so far. Look for the "nham" and > "nspam" rows in the output. > > - Logan Use the starter DB from FSL, it will get you going in thee right direction. http://www.fsl.com/support.html From res at ausics.net Thu Sep 14 03:25:36 2006 From: res at ausics.net (Res) Date: Thu Sep 14 03:25:49 2006 Subject: Spamcop.net RBL blocking emails by mistake? In-Reply-To: <450809B6.7030409@radel.com> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <75a8399f72664d039e1a4c9229caad77@ucsc.edu> <1225a4cc2c86392f4e849cb4cc297e31@ucsc.edu> <450809B6.7030409@radel.com> Message-ID: On Wed, 13 Sep 2006, Jon Radel wrote: > troll" notation. Thank you :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Thu Sep 14 03:31:02 2006 From: res at ausics.net (Res) Date: Thu Sep 14 03:31:15 2006 Subject: OT: Sendmail: stopping RBL checks for authenticated users In-Reply-To: <45081559.18701.92A6CF@cobalt-users1.fishnet.co.uk> References: <45081559.18701.92A6CF@cobalt-users1.fishnet.co.uk> Message-ID: On Wed, 13 Sep 2006, Ian wrote: > I want to setup the submission port (587) and configure it to allow authenticated > users only (no other restrictions). Does anyone know the correct submit.mc format to > allow this? 
You can not use every conf feature in MSP submit.mc, there are some that are strictly not allowed, on default it takes all other settings from sendmail.cf, in your case try adding this...

FEATURE(`delay_checks', `friend')

to your submit.mc and remaking submit.cf

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From alex at nkpanama.com Thu Sep 14 03:43:22 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Sep 14 03:43:32 2006
Subject: OT: Sendmail: stopping RBL checks for authenticated users
In-Reply-To:
References: <45081559.18701.92A6CF@cobalt-users1.fishnet.co.uk>
Message-ID: <4508C1CA.1080006@nkpanama.com>

Scott Silva wrote:
> Ian spake the following on 9/13/2006 6:27 AM:
> AFAIR you need "feature (delay_checks)"
> That way smtp auth comes first.
> But I could be wrong. Just because I answered first doesn't mean I'm right.
>

You should also look into:

dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

just remove the "dnl" so it looks like:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

and you'll have port 587 (with AUTH required) enabled.

From MailScanner at ecs.soton.ac.uk Thu Sep 14 09:01:32 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 14 09:01:52 2006
Subject: .bmp files..
In-Reply-To: <4508233F.6040706@USherbrooke.ca> References: <450820A6.4000304@solidstatelogic.com> <4508233F.6040706@USherbrooke.ca> Message-ID: <45090C5C.90000@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Denis Beauchemin wrote: > Martin Hepworth a ?crit : >> All >> given .bmp files still seem to be blocked but the filename rules on >> a default MS install, how many people have disables this check as >> alot of people seem to send great big bmps as part of their signatures? >> >> I get quite a lot of FP's and was seriously contemplating turning >> this rule off. >> > I never turned it on... was relying on our AV to block the bad ones... > and had no infections because of it. > > Denis > I would advise disabling that rule, the vulnerability which caused me to add it was fixed quite a long time ago. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFCQxdEfZZRxQVtlQRAjweAKClD8pL1MPxuDKoag6t3JfsF1I35wCgwe33 Vm8nD55mTMohTaxaFeL3cVU= =Ahih -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From lodder at delodder.be Thu Sep 14 09:14:18 2006 From: lodder at delodder.be (Philippe Delodder) Date: Thu Sep 14 09:13:30 2006 Subject: bayes not sure of use In-Reply-To: References: <2174.87.64.239.19.1158173660.squirrel@mail.delodder.be> Message-ID: <1150.81.244.13.95.1158221658.squirrel@mail.delodder.be> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > On Wed, 13 Sep 2006, Philippe Delodder wrote: >> I have actived bayes in the spam.assassin.prefs.conf, but I don't see it >> in the MailScanner-SpamCheck. 
>> >> Is this normal I use Mailscanner 4.55.10 with postfix 2.2.10 and >> spamassassin 3.0.6 > > The bayes database must have some training data to populate its > database of keywords and their probabilities. It needs to see > some examples of spam messages and some examples of non-spam, > at least 200 of each. Until it has enough training data, > it will not put a score on any message. > > In the default configuration, training of the bayes database > happens automatically: messages with very low or high scores > (based on all the other rules) are fed to it. So, you can > just wait for a while and eventually it should see enough ham > and enough spam messages to build up training data and should > start working on its own. > > If you want to get it working sooner (or if you want to correct > mistakes it has made), you can train it with the "sa-learn" > command. > > "sa-learn --dump magic" will tell you how many spam and > ham messages you've seen so far. Look for the "nham" and > "nspam" rows in the output. > > - Logan > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>

I have a large db of bayes:

[root@dionysus ~]# sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       2037          0  non-token data: nspam
0.000          0       1150          0  non-token data: nham
0.000          0     273812          0  non-token data: ntokens
0.000          0 1051647943          0  non-token data: oldest atime
0.000          0 1158174730          0  non-token data: newest atime
0.000          0 1158199340          0  non-token data: last journal sync atime
0.000          0 1158166029          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

And I still don't see it :( so I don't think this is the problem pls help me further

- --
Philippe Delodder
lodder@delodder.be
http://www.delodder.be
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFFCQ9a3KvtrDGPcVURAkRGAJkBeEi4oQgV7LeGQuV+bdlgmNg7zQCeKUsh
g0w1+Oku4Q56RaW34GVcAqc=
=rKbn
-----END PGP SIGNATURE-----

From colin at mainline.co.uk Thu Sep 14 09:19:08 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Thu Sep 14 09:19:22 2006
Subject: Attachments
Message-ID:

Many thanks Matt and Dan. I'm a bit of a MailScanner newb.

Colin

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Matt Kettler
> Sent: Wednesday, September 13, 2006 9:26 PM
> To: MailScanner discussion
> Subject: Re: Attachments
>
> Colin Jack wrote:
> > Hmmm ... it looks like MailScanner is refusing the
> attachments because
> > the .zip file contains unacceptable files ... e.g. .exe and .chm
> >
> > This seems a little over the zealous. We usually suggest to clients
> > mailing .exe files (install files for example) to .zip them
> up to get
> > through filters!!
> >
> > What is the best way to deal with this?
Can I tell > MailScanner not to > > look inside .zip files > > > > >From MailScanner.conf: > > # The maximum depth to which zip archives will be unpacked, > to allow for # checking filenames and filetypes within zip archives. > # > # Note: This setting does *not* affect virus scanning in > archives at all. > # > # To disable this feature set this to 0. > # A common useful setting is this option = 0, and Allow > Password-Protected # Archives = no. That block > password-protected archives but does not do # any > filename/filetype checks on the files within the archive. > # This can also be the filename of a ruleset. > > Maximum Archive Depth = 0 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From martinh at solidstatelogic.com Thu Sep 14 09:24:22 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Sep 14 09:24:41 2006 Subject: Attachments In-Reply-To: References: Message-ID: <450911B6.1000607@solidstatelogic.com> Colin Jack wrote: > Hmmm ... it looks like MailScanner is refusing the attachments because > the .zip file contains unacceptable files ... e.g. .exe and .chm > > This seems a little over the zealous. We usually suggest to clients > mailing .exe files (install files for example) to .zip them up to get > through filters!! > > What is the best way to deal with this? Can I tell MailScanner not to > look inside .zip files > > Thanks > > Colin > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Denis Beauchemin >> Sent: 13 September 2006 16:06 >> To: MailScanner discussion >> Subject: Re: Attachments >> >> Colin Jack a ?crit : >>> Hope one of you MailScanner gurus can help! 
>>> >>> We are having clients complaining that some messages with >> attachments >>> aren't arriving ... >>> >>> example (which I have replicated): >>> >>> This morning I sent a message to a particular client who is having >>> problems. >>> Attachment is a .zip of 2Mb >>> Our MTA (Exchange) says it has been delivered successfully The >>> receiving server maillog has no entries at all as far as I >> can see I >>> receive no bounce (yet) .. >>> >>> I have checked the filename.rules.conf and filetype.rules.conf and >>> they allow .zip files >>> >>> If I put the following entry at the top of the >> filetype.rules.conf and >>> filename.rules.conf >>> >>> allow . - - >>> >>> then all works fine. >>> >>> I would like some filtering of files but cannot afford to have >>> apparently innocuous files causing mail to evaporate ;) >>> >>> Thanks >>> >>> Colin >>> >>> >> Colin, >> >> The explanation is probably in you maillog file. Sendmail >> (or whichever MTA you use) should log every connection it >> receives and log things like envelope sender, time of day and >> message ID. Then grepping that message ID should tell you >> what happened to your mail. >> >> Also you should put MS in verbose mode or run it in debug >> mode to get the full details about what is happening. >> >> Verbose mode (MailScanner.conf): >> Log Spam = yes >> Log Silent Viruses = yes >> Log Dangerous HTML Tags = yes >> >> Denis >> Colin be aware of quite a few viruses hiding inside zip files.. hence this functionality. If you don't scan inside zip files you are opening a known threat. Treat this risk accordingly.. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at solidstatelogic.com Thu Sep 14 09:25:01 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Sep 14 09:25:11 2006 Subject: .bmp files.. In-Reply-To: <45090C5C.90000@ecs.soton.ac.uk> References: <450820A6.4000304@solidstatelogic.com> <4508233F.6040706@USherbrooke.ca> <45090C5C.90000@ecs.soton.ac.uk> Message-ID: <450911DD.8000609@solidstatelogic.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Denis Beauchemin wrote: >> Martin Hepworth a ?crit : >>> All >>> given .bmp files still seem to be blocked but the filename rules on >>> a default MS install, how many people have disables this check as >>> alot of people seem to send great big bmps as part of their signatures? >>> >>> I get quite a lot of FP's and was seriously contemplating turning >>> this rule off. >>> >> I never turned it on... was relying on our AV to block the bad ones... >> and had no infections because of it. >> >> Denis >> > I would advise disabling that rule, the vulnerability which caused me to > add it was fixed quite a long time ago. > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.0 (Build 1112) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFFCQxdEfZZRxQVtlQRAjweAKClD8pL1MPxuDKoag6t3JfsF1I35wCgwe33 > Vm8nD55mTMohTaxaFeL3cVU= > =Ahih > -----END PGP SIGNATURE----- > Jules OK I'll do that - any chance of removing this in the next beta? 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From colin at mainline.co.uk Thu Sep 14 09:33:32 2006 From: colin at mainline.co.uk (Colin Jack) Date: Thu Sep 14 09:32:53 2006 Subject: Attachments Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Martin Hepworth > Sent: Thursday, September 14, 2006 9:24 AM > To: MailScanner discussion > Subject: Re: Attachments > > Colin Jack wrote: > > Hmmm ... it looks like MailScanner is refusing the > attachments because > > the .zip file contains unacceptable files ... e.g. .exe and .chm > > > > This seems a little over the zealous. We usually suggest to clients > > mailing .exe files (install files for example) to .zip them > up to get > > through filters!! > > > > What is the best way to deal with this? Can I tell > MailScanner not to > > look inside .zip files > > > > Thanks > > > > Colin > > > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > >> Denis Beauchemin > >> Sent: 13 September 2006 16:06 > >> To: MailScanner discussion > >> Subject: Re: Attachments > >> > >> Colin Jack a écrit : > >>> Hope one of you MailScanner gurus can help! > >>> > >>> We are having clients complaining that some messages with > >> attachments > >>> aren't arriving ... 
> >>> > >>> example (which I have replicated): > >>> > >>> This morning I sent a message to a particular client who > is having > >>> problems. > >>> Attachment is a .zip of 2Mb > >>> Our MTA (Exchange) says it has been delivered successfully The > >>> receiving server maillog has no entries at all as far as I > >> can see I > >>> receive no bounce (yet) .. > >>> > >>> I have checked the filename.rules.conf and > filetype.rules.conf and > >>> they allow .zip files > >>> > >>> If I put the following entry at the top of the > >> filetype.rules.conf and > >>> filename.rules.conf > >>> > >>> allow . - - > >>> > >>> then all works fine. > >>> > >>> I would like some filtering of files but cannot afford to have > >>> apparently innocuous files causing mail to evaporate ;) > >>> > >>> Thanks > >>> > >>> Colin > >>> > >>> > >> Colin, > >> > >> The explanation is probably in you maillog file. Sendmail (or > >> whichever MTA you use) should log every connection it receives and > >> log things like envelope sender, time of day and message ID. Then > >> grepping that message ID should tell you what happened to > your mail. > >> > >> Also you should put MS in verbose mode or run it in debug > mode to get > >> the full details about what is happening. > >> > >> Verbose mode (MailScanner.conf): > >> Log Spam = yes > >> Log Silent Viruses = yes > >> Log Dangerous HTML Tags = yes > >> > >> Denis > >> > > Colin > be aware of quite a few viruses hiding inside zip files.. > hence this functionality. > > If you don't scan inside zip files you are opening a known > threat. Treat this risk accordingly.. > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > Thanks for the heads up on this Martin. I agree with you. Difficult to know what to do really ... clients want to be able to attach stuff but don't want viruses. 
Colin From MailScanner at ecs.soton.ac.uk Thu Sep 14 09:38:48 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 14 09:39:14 2006 Subject: .bmp files.. In-Reply-To: <450911DD.8000609@solidstatelogic.com> References: <450820A6.4000304@solidstatelogic.com> <4508233F.6040706@USherbrooke.ca> <45090C5C.90000@ecs.soton.ac.uk> <450911DD.8000609@solidstatelogic.com> Message-ID: <04DB3414-EF73-4D1D-AAD8-4FB69BB51284@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 14 Sep 2006, at 09:25, Martin Hepworth wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> Denis Beauchemin wrote: >>> Martin Hepworth a ?crit : >>>> All >>>> given .bmp files still seem to be blocked but the filename >>>> rules on a default MS install, how many people have disables >>>> this check as alot of people seem to send great big bmps as part >>>> of their signatures? >>>> >>>> I get quite a lot of FP's and was seriously contemplating >>>> turning this rule off. >>>> >>> I never turned it on... was relying on our AV to block the bad >>> ones... and had no infections because of it. >>> >>> Denis >>> >> I would advise disabling that rule, the vulnerability which caused >> me to add it was fixed quite a long time ago. >> - -- Julian Field >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.5.0 (Build 1112) >> Comment: (pgp-secured) >> Charset: ISO-8859-1 >> wj8DBQFFCQxdEfZZRxQVtlQRAjweAKClD8pL1MPxuDKoag6t3JfsF1I35wCgwe33 >> Vm8nD55mTMohTaxaFeL3cVU= >> =Ahih >> -----END PGP SIGNATURE----- > Jules > > OK I'll do that - any chance of removing this in the next beta? Done. 
> > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! - -- Julian Field MailScanner@ecs.soton.ac.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.0 (Build 1112) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFCRUZEfZZRxQVtlQRAuUxAKDK542z29Db/MgyOb+f9M+K/G+uSQCg5N6P ClVKsw4oNj9Q4v9aE4tOSuA= =E72V -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Thu Sep 14 10:00:38 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 14 10:00:58 2006 Subject: Attachments In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 14 Sep 2006, at 09:33, Colin Jack wrote: > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Martin Hepworth >> Sent: Thursday, September 14, 2006 9:24 AM >> To: MailScanner discussion >> Subject: Re: Attachments >> >> Colin Jack wrote: >>> Hmmm ... 
it looks like MailScanner is refusing the >> attachments because >>> the .zip file contains unacceptable files ... e.g. .exe and .chm >>> >>> This seems a little over the zealous. We usually suggest to clients >>> mailing .exe files (install files for example) to .zip them >> up to get >>> through filters!! >>> >>> What is the best way to deal with this? Can I tell >> MailScanner not to >>> look inside .zip files >>> >>> Thanks >>> >>> Colin >>> >>>> -----Original Message----- >>>> From: mailscanner-bounces@lists.mailscanner.info >>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>>> Denis Beauchemin >>>> Sent: 13 September 2006 16:06 >>>> To: MailScanner discussion >>>> Subject: Re: Attachments >>>> >>>> Colin Jack a écrit : >>>>> Hope one of you MailScanner gurus can help! >>>>> >>>>> We are having clients complaining that some messages with >>>> attachments >>>>> aren't arriving ... >>>>> >>>>> example (which I have replicated): >>>>> >>>>> This morning I sent a message to a particular client who >> is having >>>>> problems. >>>>> Attachment is a .zip of 2Mb >>>>> Our MTA (Exchange) says it has been delivered successfully The >>>>> receiving server maillog has no entries at all as far as I >>>> can see I >>>>> receive no bounce (yet) .. >>>>> >>>>> I have checked the filename.rules.conf and >> filetype.rules.conf and >>>>> they allow .zip files >>>>> >>>>> If I put the following entry at the top of the >>>> filetype.rules.conf and >>>>> filename.rules.conf >>>>> >>>>> allow . - - >>>>> >>>>> then all works fine. >>>>> >>>>> I would like some filtering of files but cannot afford to have >>>>> apparently innocuous files causing mail to evaporate ;) >>>>> >>>>> Thanks >>>>> >>>>> Colin >>>>> >>>>> >>>> Colin, >>>> >>>> The explanation is probably in your maillog file. Sendmail (or >>>> whichever MTA you use) should log every connection it receives and >>>> log things like envelope sender, time of day and message ID.
Then >>>> grepping that message ID should tell you what happened to >> your mail. >>>> >>>> Also you should put MS in verbose mode or run it in debug >> mode to get >>>> the full details about what is happening. >>>> >>>> Verbose mode (MailScanner.conf): >>>> Log Spam = yes >>>> Log Silent Viruses = yes >>>> Log Dangerous HTML Tags = yes >>>> >>>> Denis >>>> >> >> Colin >> be aware of quite a few viruses hiding inside zip files.. >> hence this functionality. >> >> If you don't scan inside zip files you are opening a known >> threat. Treat this risk accordingly.. >> -- >> Martin Hepworth >> Senior Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> > > Thanks for the heads up on this Martin. > > I agree with you. > > Difficult to know what to do really ... clients want to be able to > attach stuff but don't want viruses. AV programs will usually pick up the contents of zip files, they scan inside them anyway. So setting max archive depth = 0 isn't really dangerous. > > Colin -- Julian Field MailScanner@ecs.soton.ac.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From holger at gebhardweb.de Thu Sep 14 10:51:23 2006 From: holger at gebhardweb.de (Holger Gebhard) Date: Thu Sep 14 10:51:24 2006 Subject: Bug in SweepViruses.pm?
References: Message-ID: <012e01c6d7e3$568606d0$0164320a@pcconhg203> Hi Group, I noticed a small failure in Maillog... I use two virus scanners, f-secure and clamavmodule. In MailScanner.conf the first entry is clamavmodule and the second is f-secure. When I receive a virus message all seems to work... The Maillog shows all the infected mails, the virus sender IP, etc. The Mail is blocked and the Postmaster receives a warning... I use MailScanner-MRTG for counting viruses. The counting script matches a logline created by MailScanner: "Virus Scanning found .. viruses". The Logline is created in MessageBatch.pm "sub VirusScan". This function starts "scanbatch" in SweepViruses.pm. "Scanbatch" runs all the virus tests and finally returns a number of viruses found ($NumInfections). Here is a small bug... When the first scanner (clamav) found one virus and the second does not, the value of "$NumInfections" is always "0" (must be 1). When I change the order of the scanners in MailScanner.conf for example to f-secure and clamavmodule the value of "$NumInfections" is "1". It seems that the last Scanner overwrites all other results in this variable? Hope anyone can help? Holger From MailScanner at ecs.soton.ac.uk Thu Sep 14 12:01:30 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 14 12:02:04 2006 Subject: Bug in SweepViruses.pm? In-Reply-To: <012e01c6d7e3$568606d0$0164320a@pcconhg203> References: <012e01c6d7e3$568606d0$0164320a@pcconhg203> Message-ID: <67AC0E0A-C1F4-4855-9632-DB5071E3FDE4@ecs.soton.ac.uk> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed...
Name: PGP.sig Type: application/pgp-signature Size: 246 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060914/75749e82/PGP.bin From holger at gebhardweb.de Thu Sep 14 12:58:15 2006 From: holger at gebhardweb.de (Holger Gebhard) Date: Thu Sep 14 12:58:14 2006 Subject: Bug in SweepViruses.pm? References: <012e01c6d7e3$568606d0$0164320a@pcconhg203> <67AC0E0A-C1F4-4855-9632-DB5071E3FDE4@ecs.soton.ac.uk> Message-ID: <03b001c6d7f5$1040cf40$0164320a@pcconhg203> Thanks Julian, the patch only works particulary... With the applied patch all scanners followed a known virus shows "...found .. infections" and the Viruscount grow with every scanner found the virus. I think when only one file is infected and both scanners find a virus (with different Virusnames) the Viruscount might always be 1? ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Cc: "Steve Freegard" Sent: Thursday, September 14, 2006 1:01 PM Subject: Re: Bug in SweepViruses.pm? > Please can you try applying the attached patch to SweepViruses.pm. It > is a 1 character change :-) > Many thanks for reporting it. I hope it doesn't do much harm to > MailWatch or DefenderMX. > > > -------------------------------------------------------------------------------- > > > On 14 Sep 2006, at 10:51, Holger Gebhard wrote: > >> Hi Group, >> >> i noticed a small failure in Maillog... >> I use two virus scanners, f-secure and clamavmodule. >> >> In MailScanner.conf the first entry is clamavmodule and the second >> is f-secure . >> >> When i receive a Virusmessage all thems to work... >> The Maillog shows all the the infected mails, the virussender ip, etc. >> The Mail is blocked and the Postmaster receives a warning... >> >> I use MailScanner-MRTG for counting viruses. >> The counting script match a logline created by MailScanner: "Virus >> Scanning found .. viruses". >> >> The Logline is created in MessageBatch.pm "sub VirusScan". 
>> This function starts "scanbatch" in SweepViruses.pm. >> "Scanbatch" runs all the virustests and finaly returns a number of >> viruses found ($NumInfections). >> >> Here is a small bug... >> >> When the first scanner (clamav) found one virus and the second does >> not, the value of "$NumInfections" is always "0" (must be 1). >> When i change the order of the scanners in MailScanner.conf for >> example to f-secure and clamavmodule the value of "$NumInfections" >> is "1". >> It seems that the last Scanner overwrites all other results in this >> variable? >> >> Hope anyone can help? >> >> >> Holger >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > -------------------------------------------------------------------------------- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ssilva at sgvwater.com Thu Sep 14 16:04:01 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 14 16:06:29 2006 Subject: Attachments In-Reply-To: <450911B6.1000607@solidstatelogic.com> References: <450911B6.1000607@solidstatelogic.com> Message-ID: Martin Hepworth spake the following on 9/14/2006 1:24 AM: > Colin Jack wrote: >> Hmmm ... it looks like MailScanner is refusing the attachments because >> the .zip file contains unacceptable files ... e.g. .exe and .chm >> >> This seems a little over the zealous. We usually suggest to clients >> mailing .exe files (install files for example) to .zip them up to get >> through filters!! >> >> What is the best way to deal with this? 
Can I tell MailScanner not to >> look inside .zip files >> >> Thanks >> >> Colin >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>> Denis Beauchemin >>> Sent: 13 September 2006 16:06 >>> To: MailScanner discussion >>> Subject: Re: Attachments >>> >>> Colin Jack a ?crit : >>>> Hope one of you MailScanner gurus can help! >>>> >>>> We are having clients complaining that some messages with >>> attachments >>>> aren't arriving ... >>>> >>>> example (which I have replicated): >>>> >>>> This morning I sent a message to a particular client who is having >>>> problems. >>>> Attachment is a .zip of 2Mb >>>> Our MTA (Exchange) says it has been delivered successfully The >>>> receiving server maillog has no entries at all as far as I >>> can see I >>>> receive no bounce (yet) .. >>>> >>>> I have checked the filename.rules.conf and filetype.rules.conf and >>>> they allow .zip files >>>> >>>> If I put the following entry at the top of the >>> filetype.rules.conf and >>>> filename.rules.conf >>>> >>>> allow . - - >>>> >>>> then all works fine. >>>> >>>> I would like some filtering of files but cannot afford to have >>>> apparently innocuous files causing mail to evaporate ;) >>>> >>>> Thanks >>>> >>>> Colin >>>> >>>> >>> Colin, >>> >>> The explanation is probably in you maillog file. Sendmail (or >>> whichever MTA you use) should log every connection it receives and >>> log things like envelope sender, time of day and message ID. Then >>> grepping that message ID should tell you what happened to your mail. >>> >>> Also you should put MS in verbose mode or run it in debug mode to get >>> the full details about what is happening. >>> >>> Verbose mode (MailScanner.conf): >>> Log Spam = yes >>> Log Silent Viruses = yes >>> Log Dangerous HTML Tags = yes >>> >>> Denis >>> > > Colin > be aware of quite a few viruses hiding inside zip files.. hence this > functionality. 
> > If you don't scan inside zip files you are opening a known threat. Treat > this risk accordingly.. The maximum archive depth setting doesn't stop the virus scanners from looking in archive files, it just stops the filename and filetype rules from looking. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From lodder at delodder.be Thu Sep 14 16:33:46 2006 From: lodder at delodder.be (Philippe Delodder) Date: Thu Sep 14 16:34:34 2006 Subject: bayes not sure of use In-Reply-To: <1150.81.244.13.95.1158221658.squirrel@mail.delodder.be> References: <2174.87.64.239.19.1158173660.squirrel@mail.delodder.be> <1150.81.244.13.95.1158221658.squirrel@mail.delodder.be> Message-ID: <4509765A.4080503@delodder.be> Philippe Delodder wrote: > > > On Wed, 13 Sep 2006, Philippe Delodder wrote: > >> I have actived bayes in the spam.assassin.prefs.conf, but I don't > see it > >> in the MailScanner-SpamCheck. > >> > >> Is this normal I use Mailscanner 4.55.10 with postfix 2.2.10 and > >> spamassassin 3.0.6 > > The bayes database must have some training data to populate its > > database of keywords and their probabilities. It needs to see > > some examples of spam messages and some examples of non-spam, > > at least 200 of each. Until it has enough training data, > > it will not put a score on any message. > > > In the default configuration, training of the bayes database > > happens automatically: messages with very low or high scores > > (based on all the other rules) are fed to it. So, you can > > just wait for a while and eventually it should see enough ham > > and enough spam messages to build up training data and should > > start working on its own. > > > If you want to get it working sooner (or if you want to correct > > mistakes it has made), you can train it with the "sa-learn" > > command. > > > "sa-learn --dump magic" will tell you how many spam and > > ham messages you've seen so far. 
Look for the "nham" and > > "nspam" rows in the output. > > > - Logan > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > Before posting, read http://wiki.mailscanner.info/posting > > > Support MailScanner development - buy the book off the website! > > > I have a large db of bayes: > [root@dionysus ~]# sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf > --dump magic > 0.000 0 3 0 non-token data: bayes db version > 0.000 0 2037 0 non-token data: nspam > 0.000 0 1150 0 non-token data: nham > 0.000 0 273812 0 non-token data: ntokens > 0.000 0 1051647943 0 non-token data: oldest atime > 0.000 0 1158174730 0 non-token data: newest atime > 0.000 0 1158199340 0 non-token data: last journal sync > atime > 0.000 0 1158166029 0 non-token data: last expiry atime > 0.000 0 0 0 non-token data: last expire atime > delta > 0.000 0 0 0 non-token data: last expire > reduction count > > And i still don't see it :( so i don't think this is the problem pls help > me further > It was an permission issue it's solved now -- Philippe Delodder lodder@delodder.be http://www.delodder.be -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 251 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060914/ac6c792e/signature.bin From KGoods at AIAInsurance.com Thu Sep 14 16:47:37 2006 From: KGoods at AIAInsurance.com (Ken Goods) Date: Thu Sep 14 16:54:00 2006 Subject: Attachments Message-ID: <13C0059880FDD3118DC600508B6D4A6D013D8BE8@aiainsurance.com> >> Colin Jack wrote: >>> Hmmm ... it looks like MailScanner is refusing the attachments >>> because the .zip file contains unacceptable files ... e.g. .exe and >>> .chm >>> >>> This seems a little over the zealous. 
We usually suggest to clients >>> mailing .exe files (install files for example) to .zip them up to >>> get through filters!! >>> >>> What is the best way to deal with this? Can I tell MailScanner not >>> to look inside .zip files >>> >>> Thanks >>> >>> Colin Colin, Just thought I'd add my 2 cents.... What I have done here is to instruct my users to rename any executables to .txt then instruct their recipient to rename the attachment back to .exe once they have received it. This does three things... first, it gets my (very technically illiterate) users to be aware of file extensions to begin with and to know what I'm talking about when I say this one or that one is potentially dangerous. (it also helps them get used to renaming files) Second, since the file has come from somebody they know (I instruct them to pre-contact the recipient so they are expecting an executable) and has instructions on how to make the file back into an executable, it makes them more aware of the way viruses are propagated via email and there is less chance that someone will inadvertently open a virus (of course I run two virus scanners to this is a slim chance anyway). And third, and I guess most importantly, it gets the file through any filetype checking based on the extension. (Outlook, OE... etc..) Besides, anti-virus software will still catch viruses regardless of the file extension. One can argue that zipping them up is a better way to handle it but in my experience with *my* users, I have found it's easier for them to simply rename the file on both ends. This has been working very well here for the last couple years... YMMV This was a solution I didn't see mentioned so I thought I'd throw it into the mix. Kind regards, Ken Goods Network Administrator AIA/CropUSA Insurance, Inc. 
From martinh at solidstatelogic.com Thu Sep 14 17:08:36 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Sep 14 17:08:46 2006 Subject: Attachments In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D013D8BE8@aiainsurance.com> References: <13C0059880FDD3118DC600508B6D4A6D013D8BE8@aiainsurance.com> Message-ID: <45097E84.1070205@solidstatelogic.com> Ken Goods wrote: >>> Colin Jack wrote: >>>> Hmmm ... it looks like MailScanner is refusing the attachments >>>> because the .zip file contains unacceptable files ... e.g. .exe and >>>> .chm >>>> >>>> This seems a little over the zealous. We usually suggest to clients >>>> mailing .exe files (install files for example) to .zip them up to >>>> get through filters!! >>>> >>>> What is the best way to deal with this? Can I tell MailScanner not >>>> to look inside .zip files >>>> >>>> Thanks >>>> >>>> Colin > > Colin, > > Just thought I'd add my 2 cents.... > What I have done here is to instruct my users to rename any executables to > .txt then instruct their recipient to rename the attachment back to .exe > once they have received it. > > This does three things... first, it gets my (very technically illiterate) > users to be aware of file extensions to begin with and to know what I'm > talking about when I say this one or that one is potentially dangerous. (it > also helps them get used to renaming files) Second, since the file has come > from somebody they know (I instruct them to pre-contact the recipient so > they are expecting an executable) and has instructions on how to make the > file back into an executable, it makes them more aware of the way viruses > are propagated via email and there is less chance that someone will > inadvertently open a virus (of course I run two virus scanners to this is a > slim chance anyway). And third, and I guess most importantly, it gets the > file through any filetype checking based on the extension. (Outlook, OE... > etc..) 
Besides, anti-virus software will still catch viruses regardless of > the file extension. > > One can argue that zipping them up is a better way to handle it but in my > experience with *my* users, I have found it's easier for them to simply > rename the file on both ends. This has been working very well here for the > last couple years... YMMV > > This was a solution I didn't see mentioned so I thought I'd throw it into > the mix. > > Kind regards, > Ken Goods > Network Administrator > AIA/CropUSA Insurance, Inc. > for what it's worth I normally get at least 2 exe's diguised as something else that are blocked by MS BEFORE the AV companies updated their signature - last one was 6 weeks ago! -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From KGoods at AIAInsurance.com Thu Sep 14 17:19:14 2006 From: KGoods at AIAInsurance.com (Ken Goods) Date: Thu Sep 14 17:25:37 2006 Subject: Attachments Message-ID: <13C0059880FDD3118DC600508B6D4A6D013D8BE9@aiainsurance.com> Martin Hepworth wrote: > Ken Goods wrote: >>>> Colin Jack wrote: >>>>> Hmmm ... it looks like MailScanner is refusing the attachments >>>>> because the .zip file contains unacceptable files ... e.g. .exe >>>>> and .chm >>>>> >>>>> This seems a little over the zealous. We usually suggest to >>>>> clients mailing .exe files (install files for example) to .zip >>>>> them up to get through filters!! >>>>> >>>>> What is the best way to deal with this? 
Can I tell MailScanner >>>>> not to look inside .zip files >>>>> >>>>> Thanks >>>>> >>>>> Colin >> >> Colin, >> >> Just thought I'd add my 2 cents.... >> What I have done here is to instruct my users to rename any >> executables to .txt then instruct their recipient to rename the >> attachment back to .exe once they have received it. >> >> This does three things... first, it gets my (very technically >> illiterate) users to be aware of file extensions to begin with and >> to know what I'm talking about when I say this one or that one is >> potentially dangerous. (it also helps them get used to renaming >> files) Second, since the file has come from somebody they know (I >> instruct them to pre-contact the recipient so they are expecting an >> executable) and has instructions on how to make the file back into >> an executable, it makes them more aware of the way viruses are >> propagated via email and there is less chance that someone will >> inadvertently open a virus (of course I run two virus scanners to >> this is a slim chance anyway). And third, and I guess most >> importantly, it gets the file through any filetype checking based on >> the extension. (Outlook, OE... etc..) Besides, anti-virus software >> will still catch viruses regardless of the file extension. >> >> One can argue that zipping them up is a better way to handle it but >> in my experience with *my* users, I have found it's easier for them >> to simply rename the file on both ends. This has been working very >> well here for the last couple years... YMMV >> >> This was a solution I didn't see mentioned so I thought I'd throw it >> into the mix. >> >> Kind regards, >> Ken Goods >> Network Administrator >> AIA/CropUSA Insurance, Inc. >> > > > for what it's worth I normally get at least 2 exe's diguised as > something else that are blocked by MS BEFORE the AV companies updated > their signature - last one was 6 weeks ago! > > -- Martin, You're absolutely correct... 
I should have started by saying that I'm in the enviable position of being able to block about 20 countries (port 25) at the firewall including China, most of southeast asia, and various other countries that are known virus mills. To be honest I don't think we've had any "real" viruses (besides phishing emails) hit the door in a few months. If this changes and we start getting some in I'll no doubt have to make some changes. Good catch! Kind regards, Ken Goods Network Administrator AIA/CropUSA Insurance, Inc. From MailScanner at ecs.soton.ac.uk Thu Sep 14 18:06:09 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 14 18:06:26 2006 Subject: Bug in SweepViruses.pm? In-Reply-To: <03b001c6d7f5$1040cf40$0164320a@pcconhg203> References: <012e01c6d7e3$568606d0$0164320a@pcconhg203> <67AC0E0A-C1F4-4855-9632-DB5071E3FDE4@ecs.soton.ac.uk> <03b001c6d7f5$1040cf40$0164320a@pcconhg203> Message-ID: <45098C01.5040508@ecs.soton.ac.uk> How about I use the minimum value of all the counters from the different virus scanners? How do we define what this number represents? Maybe it's best to use the maximum value of all the counters, as this will hopefully reflect the number of different viruses found, regardless of their name? That sounds good to me. What do you think? Holger Gebhard wrote: > Thanks Julian, > > the patch only works particulary... > With the applied patch all scanners followed a known virus shows > "...found .. infections" and the Viruscount grow with every scanner > found the virus. > I think when only one file is infected and both scanners find a virus > (with different Virusnames) the Viruscount might always be 1? > > > ----- Original Message ----- From: "Julian Field" > > To: "MailScanner discussion" > Cc: "Steve Freegard" > Sent: Thursday, September 14, 2006 1:01 PM > Subject: Re: Bug in SweepViruses.pm? > > >> Please can you try applying the attached patch to SweepViruses.pm. It >> is a 1 character change :-) >> Many thanks for reporting it. 
I hope it doesn't do much harm to >> MailWatch or DefenderMX. >> >> >> > > > -------------------------------------------------------------------------------- > > > >> >> >> On 14 Sep 2006, at 10:51, Holger Gebhard wrote: >> >>> Hi Group, >>> >>> i noticed a small failure in Maillog... >>> I use two virus scanners, f-secure and clamavmodule. >>> >>> In MailScanner.conf the first entry is clamavmodule and the second >>> is f-secure . >>> >>> When i receive a Virusmessage all thems to work... >>> The Maillog shows all the the infected mails, the virussender ip, etc. >>> The Mail is blocked and the Postmaster receives a warning... >>> >>> I use MailScanner-MRTG for counting viruses. >>> The counting script match a logline created by MailScanner: "Virus >>> Scanning found .. viruses". >>> >>> The Logline is created in MessageBatch.pm "sub VirusScan". >>> This function starts "scanbatch" in SweepViruses.pm. >>> "Scanbatch" runs all the virustests and finaly returns a number of >>> viruses found ($NumInfections). >>> >>> Here is a small bug... >>> >>> When the first scanner (clamav) found one virus and the second does >>> not, the value of "$NumInfections" is always "0" (must be 1). >>> When i change the order of the scanners in MailScanner.conf for >>> example to f-secure and clamavmodule the value of "$NumInfections" >>> is "1". >>> It seems that the last Scanner overwrites all other results in this >>> variable? >>> >>> Hope anyone can help? >>> >>> >>> Holger >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! 
>> >> -- >> Julian Field >> MailScanner@ecs.soton.ac.uk >> >> >> > > > -------------------------------------------------------------------------------- > > > >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From colin at mainline.co.uk Thu Sep 14 18:06:56 2006 From: colin at mainline.co.uk (Colin Jack) Date: Thu Sep 14 18:06:50 2006 Subject: Attachments Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ken Goods > Sent: Thursday, September 14, 2006 4:48 PM > To: 'MailScanner discussion' > Subject: RE: Attachments > > >> Colin Jack wrote: > >>> Hmmm ... it looks like MailScanner is refusing the attachments > >>> because the .zip file contains unacceptable files ... > e.g. .exe and > >>> .chm > >>> > >>> This seems a little over the zealous. We usually suggest > to clients > >>> mailing .exe files (install files for example) to .zip them up to > >>> get through filters!! > >>> > >>> What is the best way to deal with this? Can I tell > MailScanner not > >>> to look inside .zip files > >>> > >>> Thanks > >>> > >>> Colin > > Colin, > > Just thought I'd add my 2 cents.... 
> What I have done here is to instruct my users to rename any > executables to .txt then instruct their recipient to rename > the attachment back to .exe once they have received it. > > This does three things... first, it gets my (very technically > illiterate) users to be aware of file extensions to begin > with and to know what I'm talking about when I say this one > or that one is potentially dangerous. (it also helps them get > used to renaming files) Second, since the file has come from > somebody they know (I instruct them to pre-contact the > recipient so they are expecting an executable) and has > instructions on how to make the file back into an executable, > it makes them more aware of the way viruses are propagated > via email and there is less chance that someone will > inadvertently open a virus (of course I run two virus > scanners to this is a slim chance anyway). And third, and I > guess most importantly, it gets the file through any filetype > checking based on the extension. (Outlook, OE... > etc..) Besides, anti-virus software will still catch viruses > regardless of the file extension. > > One can argue that zipping them up is a better way to handle > it but in my experience with *my* users, I have found it's > easier for them to simply rename the file on both ends. This > has been working very well here for the last couple years... YMMV > > This was a solution I didn't see mentioned so I thought I'd > throw it into the mix. > > Kind regards, > Ken Goods > Network Administrator > AIA/CropUSA Insurance, Inc. > Thanks Ken - yeah we already do that (well we say remove the last letter and replace it with an underscore, but same principal). The zip problem arises where support staff email patches etc. with things like update.exe, dodgy.dll etc. inside a zip. http://www.mainline.co.uk/spam_error.html Just out of interest ... the default setting for Archive Depth seems to be '2' and '0' turns it off ... so what does '1' do? 
;) Colin From rgreen at trayerproducts.com Thu Sep 14 18:09:36 2006 From: rgreen at trayerproducts.com (Green, Rodney) Date: Thu Sep 14 18:12:00 2006 Subject: OT: Backup MX In-Reply-To: <223f97700609131400o41a15282jf1b04a4f90aa5015@mail.gmail.com> References: <4508089F.8080004@trayerproducts.com> <223f97700609131400o41a15282jf1b04a4f90aa5015@mail.gmail.com> Message-ID: <45098CD0.4040603@trayerproducts.com> Glenn Steen wrote: > On 13/09/06, Dennis Willson wrote: >> >> Actually running a backup MX is a good thing. You can multi-home the >> backup MX (I refer to this as a mail hub), This hub is setup as a >> lower priority MX, then it would be setup to forward all email for >> your domain(s) to the real server via the second interface. The hub >> should not have to know anything about users. >> >> I have a setup where I have two hubs that forward to the end user mail >> server. The end user mail server never directly receives email from >> the internet. All Spam filtering is done out at the hubs so the server >> the users deal with has all its CPU power to handle users requests and >> they see good response times from the server regardless of how much >> load the hubs are under due to Spam scanning/filtering. >> >> While a lot of people know this.... remember the DSL line will need a >> static IP address. >> >> > Just adding a tad to Dennis advice: > The hubs need be equal in one thing: Setup to fight spam etc. Meaning > that the relays will need know enough about the users (if running PF, > just hypothetically:-) to know which mails to accept for relay and > which not to accept. If one does as Dennis, and have hubs that are > equal in all sense except priority (and connectivity), one should be > able to cope by mirroring/rsyncing selected config directories... and > having bayes (and whatnot:) in sql. > Cool. Thanks for the advice guys. Now to come up with a diagram on how it's all going to work. 
:-) -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Sep 14 18:47:48 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 14 18:48:22 2006 Subject: Attachments In-Reply-To: References: Message-ID: Colin Jack spake the following on 9/14/2006 10:06 AM: > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Ken Goods >> Sent: Thursday, September 14, 2006 4:48 PM >> To: 'MailScanner discussion' >> Subject: RE: Attachments >> >>>> Colin Jack wrote: >>>>> Hmmm ... it looks like MailScanner is refusing the attachments >>>>> because the .zip file contains unacceptable files ... >> e.g. .exe and >>>>> .chm >>>>> >>>>> This seems a little over the zealous. We usually suggest >> to clients >>>>> mailing .exe files (install files for example) to .zip them up to >>>>> get through filters!! >>>>> >>>>> What is the best way to deal with this? Can I tell >> MailScanner not >>>>> to look inside .zip files >>>>> >>>>> Thanks >>>>> >>>>> Colin >> Colin, >> >> Just thought I'd add my 2 cents.... >> What I have done here is to instruct my users to rename any >> executables to .txt then instruct their recipient to rename >> the attachment back to .exe once they have received it. >> >> This does three things... first, it gets my (very technically >> illiterate) users to be aware of file extensions to begin >> with and to know what I'm talking about when I say this one >> or that one is potentially dangerous. 
(it also helps them get >> used to renaming files) Second, since the file has come from >> somebody they know (I instruct them to pre-contact the >> recipient so they are expecting an executable) and has >> instructions on how to make the file back into an executable, >> it makes them more aware of the way viruses are propagated >> via email and there is less chance that someone will >> inadvertently open a virus (of course I run two virus >> scanners to this is a slim chance anyway). And third, and I >> guess most importantly, it gets the file through any filetype >> checking based on the extension. (Outlook, OE... >> etc..) Besides, anti-virus software will still catch viruses >> regardless of the file extension. >> >> One can argue that zipping them up is a better way to handle >> it but in my experience with *my* users, I have found it's >> easier for them to simply rename the file on both ends. This >> has been working very well here for the last couple years... YMMV >> >> This was a solution I didn't see mentioned so I thought I'd >> throw it into the mix. >> >> Kind regards, >> Ken Goods >> Network Administrator >> AIA/CropUSA Insurance, Inc. >> > > Thanks Ken - yeah we already do that (well we say remove the last letter > and replace it with an underscore, but same principal). The zip problem > arises where support staff email patches etc. with things like > update.exe, dodgy.dll etc. inside a zip. > http://www.mainline.co.uk/spam_error.html > > Just out of interest ... the default setting for Archive Depth seems to > be '2' and '0' turns it off ... so what does '1' do? ;) > > Colin > I think archive depth is the level of directories recursed. So if your zip has a directory 6 levels deep, setting at 1 would only look at the root, 2 would look down at the 1st level below the root and so on. So setting at 2 would let a file below this level pass through. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
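Added example (not from any poster and not MailScanner's code): the thread contrasts filtering on the file extension with detection on file content, and asks what an archive depth limit changes. The Python below checks zip members both ways; `scan_archive`, the extension list, the size cap and the reading of depth as zips nested inside zips are assumptions of this example, and the sample archive is constructed.

```python
import io
import zipfile

# Illustrative values chosen for this example; they are not MailScanner's rules.
BLOCKED_EXTENSIONS = (".exe", ".dll", ".chm", ".scr")
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # refuse to unpack very large members


def looks_like_pe(data: bytes) -> bool:
    """True for a Windows executable: 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature, whatever the file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def scan_archive(blob, max_depth, _depth=1, _prefix=""):
    """Return sorted (path, reason) findings for a zip held in memory.

    Depth counts archives inside archives (assumption of this example):
    1 inspects only the outer zip, 2 also opens zips found inside it,
    and 0 disables archive inspection, as the thread says of the setting.
    """
    if max_depth < 1:
        return []
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [(_prefix.rstrip("!") or "<archive>", "unreadable archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = _prefix + info.filename
            # Check 1: by name. Renaming the member defeats this check.
            if info.filename.lower().endswith(BLOCKED_EXTENSIONS):
                findings.append((path, "extension"))
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "too large to inspect"))
                continue
            try:
                data = archive.read(info)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                # encrypted member, unsupported compression, or corrupt data
                findings.append((path, "unreadable member"))
                continue
            # Check 2: by content. Renaming does not change the header bytes.
            if looks_like_pe(data):
                findings.append((path, "content"))
            if data[:4] == b"PK\x03\x04":   # zip local file header: nested archive
                if _depth < max_depth:
                    findings += scan_archive(data, max_depth, _depth + 1, path + "!")
                else:
                    findings.append((path, "nested archive not inspected"))
    return sorted(findings)


def pe_stub() -> bytes:
    """Constructed 68-byte stand-in for an executable: only the MZ/PE markers."""
    return b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"


def build_sample() -> bytes:
    """Constructed test zip: a renamed executable, update.exe, and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("patch/dodgy.dll", pe_stub())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs/readme.txt", b"release notes\n")
        zf.writestr("docs/setup.txt", pe_stub())      # .exe renamed to .txt
        zf.writestr("update.exe", pe_stub())
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(depth, scan_archive(build_sample(), depth))
```

At depth 1 the renamed `docs/setup.txt` is still reported by the content check, while `inner.zip` is only reported as not inspected; at depth 2 the DLL inside it is reported as well.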
From glenn.steen at gmail.com Thu Sep 14 19:13:46 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 14 19:13:50 2006 Subject: Bug in SweepViruses.pm? In-Reply-To: <45098C01.5040508@ecs.soton.ac.uk> References: <012e01c6d7e3$568606d0$0164320a@pcconhg203> <67AC0E0A-C1F4-4855-9632-DB5071E3FDE4@ecs.soton.ac.uk> <03b001c6d7f5$1040cf40$0164320a@pcconhg203> <45098C01.5040508@ecs.soton.ac.uk> Message-ID: <223f97700609141113u2b77e3rf260002581fbae46@mail.gmail.com> On 14/09/06, Julian Field wrote: > How about I use the minimum value of all the counters from the different > virus scanners? And what would that mean? Not sure that would be good at all:-). > How do we define what this number represents? > Maybe it's best to use the maximum value of all the counters, as this > will hopefully reflect the number of different viruses found, regardless > of their name? > > That sounds good to me. > What do you think? Yep, that one gets my vote:). > > Holger Gebhard wrote: > > Thanks Julian, > > > > the patch only works particulary... > > With the applied patch all scanners followed a known virus shows > > "...found .. infections" and the Viruscount grow with every scanner > > found the virus. > > I think when only one file is infected and both scanners find a virus > > (with different Virusnames) the Viruscount might always be 1? > > > > > > ----- Original Message ----- From: "Julian Field" > > > > To: "MailScanner discussion" > > Cc: "Steve Freegard" > > Sent: Thursday, September 14, 2006 1:01 PM > > Subject: Re: Bug in SweepViruses.pm? > > > > > >> Please can you try applying the attached patch to SweepViruses.pm. It > >> is a 1 character change :-) > >> Many thanks for reporting it. I hope it doesn't do much harm to > >> MailWatch or DefenderMX. 
> >> > >> > >> > > > > > > -------------------------------------------------------------------------------- > > > > > > > >> > >> > >> On 14 Sep 2006, at 10:51, Holger Gebhard wrote: > >> > >>> Hi Group, > >>> > >>> i noticed a small failure in Maillog... > >>> I use two virus scanners, f-secure and clamavmodule. > >>> > >>> In MailScanner.conf the first entry is clamavmodule and the second > >>> is f-secure . > >>> > >>> When i receive a Virusmessage all thems to work... > >>> The Maillog shows all the the infected mails, the virussender ip, etc. > >>> The Mail is blocked and the Postmaster receives a warning... > >>> > >>> I use MailScanner-MRTG for counting viruses. > >>> The counting script match a logline created by MailScanner: "Virus > >>> Scanning found .. viruses". > >>> > >>> The Logline is created in MessageBatch.pm "sub VirusScan". > >>> This function starts "scanbatch" in SweepViruses.pm. > >>> "Scanbatch" runs all the virustests and finaly returns a number of > >>> viruses found ($NumInfections). > >>> > >>> Here is a small bug... > >>> > >>> When the first scanner (clamav) found one virus and the second does > >>> not, the value of "$NumInfections" is always "0" (must be 1). > >>> When i change the order of the scanners in MailScanner.conf for > >>> example to f-secure and clamavmodule the value of "$NumInfections" > >>> is "1". > >>> It seems that the last Scanner overwrites all other results in this > >>> variable? > >>> > >>> Hope anyone can help? > >>> > >>> > >>> Holger > >>> -- > >>> MailScanner mailing list > >>> mailscanner@lists.mailscanner.info > >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>> > >>> Before posting, read http://wiki.mailscanner.info/posting > >>> > >>> Support MailScanner development - buy the book off the website! 
> >> > >> -- > >> Julian Field > >> MailScanner@ecs.soton.ac.uk > >> > >> > >> > > > > > > -------------------------------------------------------------------------------- > > > > > > > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > > > -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Sep 14 19:35:27 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 14 19:35:31 2006 Subject: OT: Backup MX In-Reply-To: <45098CD0.4040603@trayerproducts.com> References: <4508089F.8080004@trayerproducts.com> <223f97700609131400o41a15282jf1b04a4f90aa5015@mail.gmail.com> <45098CD0.4040603@trayerproducts.com> Message-ID: <223f97700609141135j48903e78t1c5c74e970a8f802@mail.gmail.com> On 14/09/06, Green, Rodney wrote: > (snip) > Cool. Thanks for the advice guys. Now to come up with a diagram on how > it's all going to work. :-) > Well... it's pretty easy and straightforward, when you think on it:-). 
If you wan't some help with the topology drawing, I just might be able to help... Would need some info on your current setup first though, so mail me directly if you would want to do that (that type of info isn't really list-material:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Thu Sep 14 19:44:54 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 14 19:45:09 2006 Subject: Bug in SweepViruses.pm? In-Reply-To: <223f97700609141113u2b77e3rf260002581fbae46@mail.gmail.com> References: <012e01c6d7e3$568606d0$0164320a@pcconhg203> <67AC0E0A-C1F4-4855-9632-DB5071E3FDE4@ecs.soton.ac.uk> <03b001c6d7f5$1040cf40$0164320a@pcconhg203> <45098C01.5040508@ecs.soton.ac.uk> <223f97700609141113u2b77e3rf260002581fbae46@mail.gmail.com> Message-ID: <4509A326.50802@ecs.soton.ac.uk> Glenn Steen wrote: > On 14/09/06, Julian Field wrote: >> How about I use the minimum value of all the counters from the different >> virus scanners? > And what would that mean? Not sure that would be good at all:-). > >> How do we define what this number represents? >> Maybe it's best to use the maximum value of all the counters, as this >> will hopefully reflect the number of different viruses found, regardless >> of their name? >> >> That sounds good to me. >> What do you think? > Yep, that one gets my vote:). In which case, find the line that is changed by the patch (patch files are easily human-readable) and change it to this: $$rCounter = $Counter if $Counter>$$rCounter; # Set up output value This will make it use the maximum of the different numbers of viruses found by the AV packages. 
-- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From gordon at itnt.co.za Thu Sep 14 21:13:15 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Thu Sep 14 21:13:21 2006 Subject: loop and load problems.. Message-ID: <000d01c6d83a$36f50d50$0d02a8c0@Gordon> I have a problem on my mailscanner where my avg load goes suddenly from 0.5 to 1.5 and remains there for days including weekends when there is very little traffic. After some investigation I found the following; [root@sentinal3 ~]# tail -f /var/log/mail/info | grep messages Sep 14 21:50:15 sentinal3 MailScanner[5803]: Spam Checks: Found 23 spam messages Sep 14 21:50:24 sentinal3 MailScanner[6015]: New Batch: Scanning 30 messages, 288635 bytes Sep 14 21:50:52 sentinal3 MailScanner[6015]: Spam Checks: Found 23 spam messages Sep 14 21:51:03 sentinal3 MailScanner[7661]: New Batch: Scanning 30 messages, 288635 bytes Sep 14 21:51:23 sentinal3 MailScanner[7661]: Spam Checks: Found 23 spam messages Sep 14 21:51:32 sentinal3 MailScanner[7733]: New Batch: Scanning 30 messages, 288635 bytes Sep 14 21:51:56 sentinal3 MailScanner[7733]: Spam Checks: Found 23 spam messages Sep 14 21:52:03 sentinal3 MailScanner[7567]: New Batch: Scanning 30 messages, 288635 bytes I stopped delivery by blocking port 25 with my firewall and found that mailscanner was not doing anything with the above messages, going into a loop and causing one of the child processes to sit at 45-60% of cpu usage. When I check the mail queue there are messages that are 2 days old sitting in the queue with a status sending.
When I delete these the rest of the messages are processed and the load drops to 0.13..... Anyone have any ideas? Thanks Gordon Colyn InTheNet Technologies www.itnt.co.za MSN: gordoncolyn@hotmail.com SKYPE: gordoncolyn From mailscanner at yeticomputers.com Thu Sep 14 21:31:45 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Sep 14 21:32:03 2006 Subject: Autoresponder Evils? In-Reply-To: <2a5a01717bcd6c6727de4078ae6b4b91@ucsc.edu> References: <45007753.8040105@dido.ca> <450238BD.4010206@txk.k12.ar.us> <45070379.1020507@yeticomputers.com> <20060912211925.A25554@defjam.cc.strath.ac.uk> <45072F90.30204@yeticomputers.com> <20060912234839.T25554@defjam.cc.strath.ac.uk> <45083D84.9020603@yeticomputers.com> <2a5a01717bcd6c6727de4078ae6b4b91@ucsc.edu> Message-ID: <4509BC31.4090702@yeticomputers.com> John Rudd wrote: >> I acknowledge that the *root* problem is the desire to do a >> particular thing with a system that was not designed to do so >> either intelligently or securely in a world with spam. This does >> not mean that one should rush in with a flawed solution when other >> people are going to be required to deal with the consequences of >> said solution. > (sigh) > > That's the tail wagging the dog. Autoresponders predate the spam > problem. By a lot. I wasn't intentionally implying that they didn't. I was stating that they were designed at a time where the spam problem didn't exist. SMTP itself suffers from the same thing. I can see now that the last sentence of my statement could have been better phrased. >>> Ridiculous analogy. >> >> No, it's not. >> >> 1. You have something you want to do. This thing benefits you. > > It also potentially benefits the sender, as they may want to know > that any time-critical or business-critical process will be on hold > while I'm away ... > >> 2. The thing you want to do affects others without their consent. > > With their consent. 
If someone sends me email, they give implicit > consent to receiving a reply from me. > >> 3. Your response when asked to stop or find a better solution is, >> basically, "No. I (and others) need to do this. You're running a >> mail server. *You* solve it, or just deal with it, but I won't >> stop." > > If the argument here was "refine the autoresponder solution", that > would be one thing. For one, it is not the same as "autoresponders > are evil and should be banned". It would be more like > "autoresponders need to be used responsibly". I don't think I've > seen _anyone_ here argue against them being used responsibly. Every argument you use here has been used by spammers, as well. 1. It benefits the recipient of my autoresponse = it benefits the recipient of my spam. 2. With their consent = many of these people want my spam. 3. Autoresponders used responsibly aren't bad = spam sent responsibly isn't bad. I tend to overstate things to make a point since I'm an absolutist, but I do recognize that those who use sensible autresponders aren't "as bad" as most spammers. Would we complain about spam if it was always sent responsibly? If every piece of UCE was clearly labeled in such a way that it could be reliably filtered? I think that most people who think of autoresponders as a necessary tool would have little problem with spam under those conditions. I'd be a lot happier than I am now, but I'd still have a problem with spammers. They'd still be using my resources without my consent. Even well the best configured autoresponders will quite happily consume the resources of others *without their consent* if triggered in the right (wrong?) way by a spammer. If you have a system in place which uses my resources without my consent, I will complain. I'm not talking about implied consent. I don't mind if I get an autoreply to something I sent. I don't tend to think much of the person who set it up, but that's my personal issue. 
If your autoresponder spams me, expect me to get annoyed. If someone develops a new exploit and a web form that I control spams you, I expect *you* to complain, perhaps even banning me until I fix it. My issue with autoresponders is that most people will not admit that they're broken, even in their best configurations. Let's say that your autoresponder sends my mail server a few thousand out-of-office or informational messages that hit throughout a large portion of my userbase on a given domain. Let's say that I end up fielding a few dozen phone calls over the course of that day because of this flood. And let's say I ask you to fix your broken autoresponder because I have other things I'd rather be doing than explaining to a couple of dozen users that someone didn't hack their accounts and send mail from them. Would you make changes to fix the problem (even if was simply blacklisting my domain in your server) or would you ignore the issue, believing that you'd already made your best effort? Your suggestions for refining autoresponders were all great. Mmmm... Maybe I'd even consider a system which used them all as sensible enough to put in production. Maybe I'll build one. I'm trying to put together a standalone system that uses Postfix, Cyrus IMAP, a database for the account info (currently MySQL), Apache, MailScanner and the like. I've used web-cyradm for a long time, but have grown discouraged with it in many ways, and it's not really (in my opinion) enterprise ready. But sieve would be a good way to implement your suggestions in an autoresponder. Nothing is without flaws, obviously. The question when deploying a solution is, I guess, "How do the benefits compare to the risks?" Automobiles, airlines, guns, recreational drugs... All much more socially important than this issue, but arguably all with benefits and risks. There are people who would ban any one of them, claiming that the risks were too great. I'd ban none of them. Would I ban all autoresponders? 
(sigh) Honestly? (grrrrr...) No. No, but I would certainly ban one that flooded my server and whose operator told me he'd done nothing wrong. And, vindictively, I would probably report that server to any RBL that likes to ban autoresponders. Do the benefits of autoresponders outweigh their flaws? Not as most of them are currently implemented, I believe, but the risks aren't great enough to implement a generic ban. The one you suggest, John? Maybe. Now you made more work for me. I hope you're happy. :P Rick From ssilva at sgvwater.com Thu Sep 14 21:49:15 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 14 21:50:46 2006 Subject: loop and load problems.. In-Reply-To: <000d01c6d83a$36f50d50$0d02a8c0@Gordon> References: <000d01c6d83a$36f50d50$0d02a8c0@Gordon> Message-ID: Gordon Colyn spake the following on 9/14/2006 1:13 PM: > I have a problem on my mailscanner where my avg load > goes suddenly from 0.5 to 1.5 and remains there for days including weekends > when there is very little traffic.
After some investigation I found the > following; > > [root@sentinal3 ~]# tail -f /var/log/mail/info | grep messages > Sep 14 21:50:15 sentinal3 MailScanner[5803]: Spam Checks: Found 23 spam > messages > Sep 14 21:50:24 sentinal3 MailScanner[6015]: New Batch: Scanning 30 > messages, 288635 bytes > Sep 14 21:50:52 sentinal3 MailScanner[6015]: Spam Checks: Found 23 spam > messages > Sep 14 21:51:03 sentinal3 MailScanner[7661]: New Batch: Scanning 30 > messages, 288635 bytes > Sep 14 21:51:23 sentinal3 MailScanner[7661]: Spam Checks: Found 23 spam > messages > Sep 14 21:51:32 sentinal3 MailScanner[7733]: New Batch: Scanning 30 > messages, 288635 bytes > Sep 14 21:51:56 sentinal3 MailScanner[7733]: Spam Checks: Found 23 spam > messages > Sep 14 21:52:03 sentinal3 MailScanner[7567]: New Batch: Scanning 30 > messages, 288635 bytes > > I stopped delivery by blocking port 25 with my firewall and found that > mailscanner was not doing anything with the above messages, going into a > loop and causing one of the child processes to sit at 45-60% of cpu usage. > > When I check the mail queue there are messages that are 2 days old sitting > in the queue with a status sending. When I delete these the rest of the > messages are processed and the load drops to 0.13..... > > Anyone have any ideas? Which TNEF decoder are you using? Internal or external. Is the external fairly current. Did you actually delete those messages, or just move them so you could analyze their content? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From r.berber at computer.org Fri Sep 15 01:50:58 2006 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Fri Sep 15 01:51:34 2006 Subject: No logging in Solaris 9 (with workaround) - question? In-Reply-To: References: <450663D8.5000501@ecs.soton.ac.uk> <3199AC82-D755-4A05-A722-148699B45AC3@sibernet.com> Message-ID: Ren? 
Berber wrote: > Randy Fishel wrote: > [snip] >>> Testing other Solaris servers: >>> >>> Solaris 8 / perl 5.6.1(AS) / doesn't work as above, it works with >>> commented else >> Try using 'inet', instead of 'udp', and see if that works. > > Solaris 8 / perl 5.6.1(AS) / works fine with inet, as well as w/o setlogsock() > Solaris 9 / perl 5.8.0 / same result as Sol8, but see note[1]. > > [1] The output is different btw. the test that uses setlogsock('inet') and the one that just opens the log w/o using setlogsock(), the second test's output is in normal syslog format, the first shows a different host name (localhost actually) and doesn't show [ID facility.severity]; same output as the first test happens with 'udp'. This last difference in output is said to be a bug in the Solaris syslog (ref: http://rt.cpan.org/Public/Bug/Display.html?id=19622), so I changed again the call to: use Sys::Syslog qw(:DEFAULT setlogsock); ... setlogsock('native'); Now the output from MS looks normal (hostname, ID, facility, & level is correct). Notice I made the above 2 changes, I never tested if the setlogsock() call was returning false since the default set didn't include it. -- René Berber From febrianto at sioenasia.com Fri Sep 15 03:18:58 2006 From: febrianto at sioenasia.com (Budi Febrianto) Date: Fri Sep 15 03:30:01 2006 Subject: OOT: Pyzor discovery problem Message-ID: Sorry for the OTT. I use pyzor in spamassassin and run perfectly well, catch spam that slip from rbl list, but today I see some error log. When I run it manual, it give this error log. [xxx@yyy ~]# pyzor --homedir /etc/mail/pyzor discover downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x Traceback (most recent call last): File "/usr/bin/pyzor", line 4, in ?
pyzor.client.run() File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 934, in run ExecCall().run() File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 178, in run self.servers = self.get_servers(servers_fn) File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 393, in get_servers servers.read(open(servers_fn)) File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 123, in read self.append(pyzor.Address.from_str(line)) File "/usr/lib/python2.3/site-packages/pyzor/__init__.py", line 458, in from_str fields[1] = int(fields[1]) IndexError: list index out of range I have to disable pyzor until I fix the problem. Should I reinstall pyzor again? TIA. From alex at nkpanama.com Fri Sep 15 05:29:19 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Fri Sep 15 05:29:44 2006 Subject: Attachments In-Reply-To: <45097E84.1070205@solidstatelogic.com> References: <13C0059880FDD3118DC600508B6D4A6D013D8BE8@aiainsurance.com> <45097E84.1070205@solidstatelogic.com> Message-ID: <450A2C1F.1010400@nkpanama.com> Martin Hepworth wrote: > > for what it's worth I normally get at least 2 exe's diguised as > something else that are blocked by MS BEFORE the AV companies updated > their signature - last one was 6 weeks ago! > And this file renaming won't work if you're using the "file" command to check for executables. From info at datacom.co.ls Fri Sep 15 06:17:14 2006 From: info at datacom.co.ls (Thato Molise) Date: Fri Sep 15 06:17:30 2006 Subject: MailScanner wont start! Message-ID: <004101c6d886$34feaa00$0b01a8c0@motechserver> Hi All I know this question might have been asked many times but Im a newbie in the forum ps bear with me.. After installing latest version of MailScanner in my RHL3.0 ES I get the following error when I try to start its deamon... 
Can't locate Time/HiRes.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 65. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. How can I fix this problem error message? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060915/aa926ec1/attachment.html From alvaro at hostalia.com Fri Sep 15 07:58:46 2006 From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=) Date: Fri Sep 15 07:58:55 2006 Subject: MailScanner wont start! In-Reply-To: <004101c6d886$34feaa00$0b01a8c0@motechserver> References: <004101c6d886$34feaa00$0b01a8c0@motechserver> Message-ID: <450A4F26.1070909@hostalia.com> Thato Molise wrote: Hi! > After installing latest version of MailScanner in my RHL3.0 ES I get the following error when I try to start its deamon... > > Can't locate Time/HiRes.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 65. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. > > How can I fix this problem error message? 
Execute CPAN: #cpan and then: cpan> install Time::HiRes Regards, -- Alvaro Marín Illera Hostalia Internet www.hostalia.com From glenn.steen at gmail.com Fri Sep 15 08:20:36 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Sep 15 08:20:40 2006 Subject: OOT: Pyzor discovery problem In-Reply-To: References: Message-ID: <223f97700609150020g64a5108n58f589b35ec15bfc@mail.gmail.com> On 15/09/06, Budi Febrianto wrote: > > Sorry for the OTT. > > I use pyzor in spamassassin and run perfectly well, catch spam that slip > from rbl list, but today I see some error log. > When I run it manual, it give this error log. > > [xxx@yyy ~]# pyzor --homedir /etc/mail/pyzor discover > downloading servers from > http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x > Traceback (most recent call last): > File "/usr/bin/pyzor", line 4, in ? > pyzor.client.run() > File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 934, in run > ExecCall().run() > File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 178, in run > self.servers = self.get_servers(servers_fn) > File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 393, in > get_servers > servers.read(open(servers_fn)) > File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 123, in > read > self.append(pyzor.Address.from_str(line)) > File "/usr/lib/python2.3/site-packages/pyzor/__init__.py", line 458, in > from_str > fields[1] = int(fields[1]) > IndexError: list index out of range > > I have to disable pyzor until I fix the problem. Should I reinstall pyzor > again? > > TIA. > Might be a file that's corrupted... Try doing the discover (and a subsequent ping) to some other directory. If that works, simple remove the old and redo, if not, well... then I suppose a reinstall is in order (which would rewrite any corrupted files). You shouldn't need disable pyzor, bu... better safe than sorry, I suppose:-). IIRC doing discoveries all the time (well, once per day:-) isn't really necessary with pyzor...
Unless I remember wrong there only is one server, and thats the way things are. So one could well hold of with the discoveries until one sees that pyzor just don't work:-). A philosophical musing one could have is on the reliability of a service that only have one central server ... :-). Puts all those "TimoutErrors" into perspective:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Sep 15 08:25:22 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Sep 15 08:25:25 2006 Subject: OOT: Pyzor discovery problem In-Reply-To: <223f97700609150020g64a5108n58f589b35ec15bfc@mail.gmail.com> References: <223f97700609150020g64a5108n58f589b35ec15bfc@mail.gmail.com> Message-ID: <223f97700609150025w28adae9eu10010bf54a0139c@mail.gmail.com> On 15/09/06, Glenn Steen wrote: (snip) > Might be a file that's corrupted... Try doing the discover (and a > subsequent ping) to some other directory. If that works, simple remove > the old and redo, if not, well... then I suppose a reinstall is in > order (which would rewrite any corrupted files). You shouldn't need > disable pyzor, bu... better safe than sorry, I suppose:-). > IIRC doing discoveries all the time (well, once per day:-) isn't > really necessary with pyzor... Unless I remember wrong there only is > one server, and thats the way things are. So one could well hold of > with the discoveries until one sees that pyzor just don't work:-). > > A philosophical musing one could have is on the reliability of a > service that only have one central server ... :-). Puts all those > "TimoutErrors" into perspective:-) > (Yeah yeah... me proving I'm a postfix user, by replying to myself:-) If this is due to fs corruption, you should (of course) endevor to do some fsck'ing... Even journalised filesystems (read "ext3") might need that from time to time... 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Sep 15 08:58:30 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 15 08:58:50 2006 Subject: MailScanner wont start! In-Reply-To: <004101c6d886$34feaa00$0b01a8c0@motechserver> References: <004101c6d886$34feaa00$0b01a8c0@motechserver> Message-ID: <75DA766F-3C1A-4604-A988-CC8E31E85D09@ecs.soton.ac.uk> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 246 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060915/f342bfb7/PGP.bin From martinh at solidstatelogic.com Fri Sep 15 09:22:56 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Sep 15 09:23:20 2006 Subject: OOT: Pyzor discovery problem In-Reply-To: <223f97700609150025w28adae9eu10010bf54a0139c@mail.gmail.com> References: <223f97700609150020g64a5108n58f589b35ec15bfc@mail.gmail.com> <223f97700609150025w28adae9eu10010bf54a0139c@mail.gmail.com> Message-ID: <450A62E0.503@solidstatelogic.com> Glenn Steen wrote: > On 15/09/06, Glenn Steen wrote: > (snip) >> Might be a file that's corrupted... Try doing the discover (and a >> subsequent ping) to some other directory. If that works, simple remove >> the old and redo, if not, well... then I suppose a reinstall is in >> order (which would rewrite any corrupted files). You shouldn't need >> disable pyzor, bu... better safe than sorry, I suppose:-). >> IIRC doing discoveries all the time (well, once per day:-) isn't >> really necessary with pyzor... Unless I remember wrong there only is >> one server, and thats the way things are. So one could well hold of >> with the discoveries until one sees that pyzor just don't work:-). 
>>
>> A philosophical musing one could have is on the reliability of a
>> service that only have one central server ... :-). Puts all those
>> "TimeoutErrors" into perspective:-)
>>
> (Yeah yeah... me proving I'm a postfix user, by replying to myself:-)
>
> If this is due to fs corruption, you should (of course) endeavor to do
> some fsck'ing... Even journalised filesystems (read "ext3") might need
> that from time to time...
>

From what I can see pyzor is having problems...there's only one server and I can never "pyzor ping" it...always times out and I've not had a pyzor score in my spam for weeks...

I know certain people have offered some server space/bandwidth to the maintainer but the offer doesn't seem to have been taken up...

I'm considering turning it off and getting razor2 going instead (I've already got dcc)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From glenn.steen at gmail.com Fri Sep 15 10:39:37 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 15 10:39:42 2006
Subject: OOT: Pyzor discovery problem
In-Reply-To: <450A62E0.503@solidstatelogic.com>
References: <223f97700609150020g64a5108n58f589b35ec15bfc@mail.gmail.com> <223f97700609150025w28adae9eu10010bf54a0139c@mail.gmail.com> <450A62E0.503@solidstatelogic.com>
Message-ID: <223f97700609150239h56c4bbdt9f5da5f964662208@mail.gmail.com>

On 15/09/06, Martin Hepworth wrote:
> Glenn Steen wrote:
> > On 15/09/06, Glenn Steen wrote:
> > (snip)
> >> Might be a file that's corrupted... Try doing the discover (and a
> >> subsequent ping) to some other directory. If that works, simply remove
> >> the old and redo, if not, well... then I suppose a reinstall is in
> >> order (which would rewrite any corrupted files). You shouldn't need
> >> disable pyzor, bu... better safe than sorry, I suppose:-).
> >> IIRC doing discoveries all the time (well, once per day:-) isn't
> >> really necessary with pyzor... Unless I remember wrong there only is
> >> one server, and that's the way things are. So one could well hold off
> >> with the discoveries until one sees that pyzor just don't work:-).
> >>
> >> A philosophical musing one could have is on the reliability of a
> >> service that only have one central server ... :-). Puts all those
> >> "TimeoutErrors" into perspective:-)
> >>
> > (Yeah yeah... me proving I'm a postfix user, by replying to myself:-)
> >
> > If this is due to fs corruption, you should (of course) endeavor to do
> > some fsck'ing... Even journalised filesystems (read "ext3") might need
> > that from time to time...
> >
> >
> > From what I can see pyzor is having problems...there's only one server
> and I can never "pyzor ping" it...always times out and I've not had a
> pyzor score in my spam for weeks...
>
> I know certain people have offered some server space/bandwidth to the
> maintainer but the offer doesn't seem to have been taken up...
>
> I'm considering turning it off and getting razor2 going instead (I've
> already got dcc)
>
Oh yes, this is very true... In fact, I've been running all three for quite some time (For those DIGEST_MULTIPLE scores:-). Used to be that pyzor was really contributing, but now it is more incidental than anything:-).
On the other hand, I've actually succeeded pinging it lately, so ... things might not be all black:P
-------
# pyzor ping
66.250.40.33:24441 (200, 'OK')
# pyzor discover
downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x
# pyzor ping
66.250.40.33:24441 TimeoutError:
# pyzor ping
66.250.40.33:24441 (200, 'OK')
# pyzor ping
66.250.40.33:24441 TimeoutError:
# pyzor ping
66.250.40.33:24441 (200, 'OK')
------
All those were done in a pretty quick succession, so ... illustrates the problems it has pretty well:).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From colin at mainline.co.uk Fri Sep 15 10:42:57 2006
From: colin at mainline.co.uk (Colin Jack)
Date: Fri Sep 15 10:42:18 2006
Subject: Attachments
Message-ID:

> >
> > Thanks Ken - yeah we already do that (well we say remove the last
> > letter and replace it with an underscore, but same
> principle). The zip
> > problem arises where support staff email patches etc. with
> things like
> > update.exe, dodgy.dll etc. inside a zip.
> > http://www.mainline.co.uk/spam_error.html
> >
> > Just out of interest ... the default setting for Archive
> Depth seems
> > to be '2' and '0' turns it off ... so what does '1' do? ;)
> >
> > Colin
> >
> I think archive depth is the level of directories recursed.
> So if your zip has a directory 6 levels deep, setting at 1
> would only look at the root, 2 would look down at the 1st
> level below the root and so on.
> So setting at 2 would let a file below this level pass through.
> --

Ah okay .... that makes sense

Thanks

Colin

From Peter.Bates at lshtm.ac.uk Fri Sep 15 10:53:10 2006
From: Peter.Bates at lshtm.ac.uk (Peter Bates)
Date: Fri Sep 15 10:53:58 2006
Subject: OOT: Pyzor discovery problem
In-Reply-To: <450A62E0.503@solidstatelogic.com>
References: <223f97700609150020g64a5108n58f589b35ec15bfc@mail.gmail.com> <223f97700609150025w28adae9eu10010bf54a0139c@mail.gmail.com><223f97700609150025w28adae9eu10010bf54a0139c@mail.gmail.com> <450A62E0.503@solidstatelogic.com>
Message-ID: <450A861602000076000070AD@193.63.251.15>

Hello all...

> Martin Hepworth 15/09/06 09:22:56 >>>
> From what I can see pyzor is having problems...there's only one server
>and I can never "pyzor ping" it...always times out and I've not had a
>pyzor score in my spam for weeks...

I'd definitely agree with this, and disabled Pyzor (I have DCC and Razor2, so you could argue I'm well into overkill territory) earlier this week, as a result of the consistent 'TimeOutError' responses from a ping.

One thing I've definitely seen (albeit only once) is when doing a 'discover' is the client being unable to reach the Sourceforge site in a timely fashion to get some output to fill the 'servers' file.

This resulted in a mangled 'servers' file which naturally makes the client throw a wobbly every time. For this reason now I keep a copy of the servers file and just do a diff/md5sum from time to time to see if it's changed.

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, IT Services.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From holger at gebhardweb.de Fri Sep 15 11:19:48 2006
From: holger at gebhardweb.de (Holger Gebhard)
Date: Fri Sep 15 11:19:53 2006
Subject: Bug in SweepViruses.pm?
References: <012e01c6d7e3$568606d0$0164320a@pcconhg203> <67AC0E0A-C1F4-4855-9632-DB5071E3FDE4@ecs.soton.ac.uk> <03b001c6d7f5$1040cf40$0164320a@pcconhg203> <45098C01.5040508@ecs.soton.ac.uk><223f97700609141113u2b77e3rf260002581fbae46@mail.gmail.com> <4509A326.50802@ecs.soton.ac.uk>
Message-ID: <013b01c6d8b0$79288460$0164320a@pcconhg203>

Very nice solution, just changed the Code-Line in SweepViruses.pm...
Now the Summary only shows the number of different Viruses :-)

Is it possible to modify the Logline "...found .. infections" in sub TryCommercial a little bit? The variable "$$rCounter" is still a number >0 after a Virus is found. So after the first Virus for all Scanners a Logline is added with Infectioncount, regardless of whether they have a virus found or not.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Thursday, September 14, 2006 8:44 PM
Subject: Re: Bug in SweepViruses.pm?

> Glenn Steen wrote:
>> On 14/09/06, Julian Field wrote:
>>> How about I use the minimum value of all the counters from the different
>>> virus scanners?
>> And what would that mean? Not sure that would be good at all:-).
>>
>>> How do we define what this number represents?
>>> Maybe it's best to use the maximum value of all the counters, as this
>>> will hopefully reflect the number of different viruses found, regardless
>>> of their name?
>>>
>>> That sounds good to me.
>>> What do you think?
>> Yep, that one gets my vote:).
>
> In which case, find the line that is changed by the patch (patch files are
> easily human-readable) and change it to this:
> $$rCounter = $Counter if $Counter>$$rCounter; # Set up output value
> This will make it use the maximum of the different numbers of viruses
> found by the AV packages.
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From febrianto at sioenasia.com Fri Sep 15 11:24:55 2006
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Fri Sep 15 11:20:34 2006
Subject: OOT: Pyzor discovery problem (SOLVED)
In-Reply-To: <450A62E0.503@solidstatelogic.com>
Message-ID:

mailscanner-bounces@lists.mailscanner.info wrote on 09/15/2006 03:22:56 PM:

> Glenn Steen wrote:
> > On 15/09/06, Glenn Steen wrote:
> > (snip)
> >> Might be a file that's corrupted... Try doing the discover (and a
> >> subsequent ping) to some other directory. If that works, simply remove
> >> the old and redo, if not, well... then I suppose a reinstall is in
> >> order (which would rewrite any corrupted files). You shouldn't need
> >> disable pyzor, bu... better safe than sorry, I suppose:-).
> >> IIRC doing discoveries all the time (well, once per day:-) isn't
> >> really necessary with pyzor... Unless I remember wrong there only is
> >> one server, and that's the way things are. So one could well hold off
> >> with the discoveries until one sees that pyzor just don't work:-).
> >>
> >> A philosophical musing one could have is on the reliability of a
> >> service that only have one central server ... :-). Puts all those
> >> "TimeoutErrors" into perspective:-)
> >>
> > (Yeah yeah...
> > me proving I'm a postfix user, by replying to myself:-)
> >
> > If this is due to fs corruption, you should (of course) endeavor to do
> > some fsck'ing... Even journalised filesystems (read "ext3") might need
> > that from time to time...
> >
> >
> > From what I can see pyzor is having problems...there's only one server
> and I can never "pyzor ping" it...always times out and I've not had a
> pyzor score in my spam for weeks...
>
> I know certain people have offered some server space/bandwidth to the
> maintainer but the offer doesn't seem to have been taken up...
>
> I'm considering turning it off and getting razor2 going instead (I've
> already got dcc)
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

Yes, I believe it's a connection problem. Because it works now and I didn't do anything.
Maybe it's time to look for dcc or razor2 solutions.

Thank you all.
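The check Peter Bates describes earlier in this thread (keep a known-good copy of the pyzor servers file and compare against it after a discover), written out as an added shell example that is not code from any poster or from the pyzor project. It assumes the file holds one host:port entry per line; the function names and the known-good copy's path are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the pyzor project).
# Assumption: each entry in pyzor's "servers" file is one host:port line.

# servers_file_ok FILE
# Succeeds only if FILE is non-empty and every non-blank line is host:port.
servers_file_ok() {
    sf_file=$1
    sf_entries=0
    [ -s "$sf_file" ] || return 1
    while IFS= read -r sf_line || [ -n "$sf_line" ]; do
        [ -n "$sf_line" ] || continue
        case $sf_line in
            *[!A-Za-z0-9.:-]*) return 1 ;;   # HTML, spaces, error text
        esac
        sf_host=${sf_line%:*}
        sf_port=${sf_line##*:}
        [ "$sf_host" != "$sf_line" ] || return 1       # no colon at all
        case $sf_host in ''|*:*) return 1 ;; esac
        case $sf_port in ''|*[!0-9]*|??????*) return 1 ;; esac
        [ "$sf_port" -ge 1 ] && [ "$sf_port" -le 65535 ] || return 1
        sf_entries=$((sf_entries + 1))
    done < "$sf_file"
    [ "$sf_entries" -gt 0 ]
}

# guard_servers LIVE KNOWN_GOOD
# Prints one status word: seeded | unchanged | changed | restored | broken
guard_servers() {
    gs_live=$1
    gs_good=$2
    if servers_file_ok "$gs_live"; then
        if [ ! -f "$gs_good" ]; then
            cp -p "$gs_live" "$gs_good" && echo seeded
        elif cmp -s "$gs_live" "$gs_good"; then
            echo unchanged
        else
            # Well-formed but different: leave both files alone for review,
            # since the list decides where message digests get sent.
            echo changed
        fi
    elif servers_file_ok "$gs_good"; then
        # A failed discover left something that is not a server list.
        cp -p "$gs_good" "$gs_live" && echo restored
    else
        echo broken
        return 1
    fi
}

# Example call (paths are placeholders for wherever the servers file lives):
#   sh guard_pyzor_servers.sh /path/to/servers /path/to/servers.good
if [ "$#" -eq 2 ]; then
    guard_servers "$1" "$2"
fi
```

Run from cron right after the discover step, a "changed" or "broken" result is the point at which to look at the file by hand before pyzor is used again.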
From gordon at itnt.co.za Fri Sep 15 12:56:40 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Fri Sep 15 13:30:45 2006
Subject: Stop checking mail through mailscanner on large emails
Message-ID: <028e01c6d8c2$ba3c3200$0a02a8c0@Gordon>

Is there any way to stop mailscanner from scanning mail larger than 1mb? Most spam is a lot smaller than that and will reduce load on my servers with the larger emails.

Thanks

Gordon Colyn
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn
086 123 ITNT (4868)
086 682 5204 (Fax)
+27 (0)83 296 7534

From dhawal at netmagicsolutions.com Fri Sep 15 13:43:17 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Sep 15 13:43:37 2006
Subject: Stop checking mail through mailscanner on large emails
In-Reply-To: <028e01c6d8c2$ba3c3200$0a02a8c0@Gordon>
References: <028e01c6d8c2$ba3c3200$0a02a8c0@Gordon>
Message-ID: <450A9FE5.4060702@netmagicsolutions.com>

Gordon Colyn wrote:
> Is there any way to stop mailscanner from scanning mail
> larger than 1mb? Most spam is a lot smaller than that and will reduce load
> on my servers with the larger emails.

I do not know the answer to your query.. but you have used spaces in your '%org-name%' parameter.

See MailScanner.conf
# **** RULE: It must not contain any spaces! ****
%org-name% = your.short.org.name.here

- dhawal

From glenn.steen at gmail.com Fri Sep 15 13:46:07 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 15 13:46:12 2006
Subject: Stop checking mail through mailscanner on large emails
In-Reply-To: <028e01c6d8c2$ba3c3200$0a02a8c0@Gordon>
References: <028e01c6d8c2$ba3c3200$0a02a8c0@Gordon>
Message-ID: <223f97700609150546u518c72e8j99c743a42ed5398d@mail.gmail.com>

On 15/09/06, Gordon Colyn wrote:
> Is there any way to stop mailscanner from scanning mail
> larger than 1mb? Most spam is a lot smaller than that and will reduce load
> on my servers with the larger emails.
>
> Thanks
>
MailScanner doesn't do that.... it only sends a (configurable) smaller part of the message (30-40 KiB) to SpamAssassin... so this is mostly already covered. Virus scanners are another deal though.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From walmiro_muzzi at yahoo.com.br Fri Sep 15 15:42:17 2006
From: walmiro_muzzi at yahoo.com.br (Walmiro Muzzi)
Date: Fri Sep 15 15:42:26 2006
Subject: Mailscanner stop!
Message-ID: <450ABBC9.80706@yahoo.com.br>

Hi all,


I am with a problem in mailscanner. It is stopping.

He works, works, works and suddenly he stops.

It swims appears in log no error, simply does not verify no new email.

It is necessary to restart it so that new Batchs is executed.

How I correct this problem?

Thanks in advance.


[]s
Walmiro Muzzi

From michele at blacknight.ie Fri Sep 15 15:59:23 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight Solutions)
Date: Fri Sep 15 15:59:30 2006
Subject: SpamAssassin Cache Size?
Message-ID: <033a01c6d8d7$8843a2a0$e3f31151@arthur>

What kind of size should this be?

We're seeing it grow to nearly 2 gigs on one server, so we're wondering if there's something wrong that we've missed

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From martinh at solidstatelogic.com Fri Sep 15 16:06:23 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Sep 15 16:06:43 2006
Subject: SpamAssassin Cache Size?
In-Reply-To: <033a01c6d8d7$8843a2a0$e3f31151@arthur>
References: <033a01c6d8d7$8843a2a0$e3f31151@arthur>
Message-ID: <450AC16F.6070700@solidstatelogic.com>

Michele Neylon :: Blacknight Solutions wrote:
> What kind of size should this be?
>
> We're seeing it grow to nearly 2 gigs on one server, so we're wondering if
> there's something wrong that we've missed
>
> Michele
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> http://www.blacknight.ie/
> http://blog.blacknight.ie/
> Tel. 1850 927 280
> Intl. +353 (0) 59 9183072
> UK: 0870 163 0607
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 59 9164239
>

Michele

Is it expiring old stuff (you should see messages to that effect in the maillog) or just growing and growing?

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From cobalt-users1 at fishnet.co.uk Fri Sep 15 16:38:29 2006
From: cobalt-users1 at fishnet.co.uk (Ian)
Date: Fri Sep 15 16:38:38 2006
Subject: OT: Sendmail: stopping RBL checks for authenticated users
In-Reply-To: <4508C1CA.1080006@nkpanama.com>
References: <45081559.18701.92A6CF@cobalt-users1.fishnet.co.uk>, , <4508C1CA.1080006@nkpanama.com>
Message-ID: <450AD705.5396.B5743A1@cobalt-users1.fishnet.co.uk>

On 13 Sep 2006 at 21:43, Alex Neuman van der Hans wrote:

> Scott Silva wrote:
> > Ian spake the following on 9/13/2006 6:27 AM:
> > AFAIR you need "feature (delay_checks)"
> > That way smtp auth comes first.
> > But I could be wrong. Just because I answered first doesn't mean I'm right.
> >

Hi,

I have now configured the sendmail delay_checks feature and it looks like the one I want. All tests have worked ok and I'm ready to let the users at it.
One of the nice side effects of this is I can see the FROM & TO addresses of any mail which gets dropped because of RBLs. It should make it easier to track down when there are problems.

Thanks for the help.

> You should also look into:
>
> dnl # The following causes sendmail to additionally listen to port 587 for
> dnl # mail from MUAs that authenticate. Roaming users who can't reach their
> dnl # preferred sendmail daemon due to port 25 being blocked or
> redirected find
> dnl # this useful.
> dnl #
> dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> just remove the "dnl" so it looks like:
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
>
> and you'll have port 587 (with AUTH required) enabled.

I will take a look at this as well and see if it can give me anything more. Should be useful for the few remaining AOL users out there.

Thanks

Ian
--
-------------------------------------------------------------
Ian Gibbons
Fish.Net Ltd
Providing Internet Solutions
http://www.fishnet.co.uk
e-mail IanGibbons@fishnet.co.uk
Tel +44 (0)1457 819600
Fax +44 (0)1457 819602
-------------------------------------------------------------

From prandal at herefordshire.gov.uk Fri Sep 15 16:40:32 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Sep 15 16:44:10 2006
Subject: SpamAssassin Cache Size?
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580F374F87@isabella.herefordshire.gov.uk>

You could stop MailScanner, delete the cache file, restart and see if the problem recurs.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Michele Neylon :: Blacknight Solutions
> Sent: 15 September 2006 15:59
> To: 'MailScanner discussion'
> Subject: SpamAssassin Cache Size?
>
> What kind of size should this be?
>
> We're seeing it grow to nearly 2 gigs on one server, so we're
> wondering if
> there's something wrong that we've missed
>
> Michele
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> http://www.blacknight.ie/
> http://blog.blacknight.ie/
> Tel. 1850 927 280
> Intl. +353 (0) 59 9183072
> UK: 0870 163 0607
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 59 9164239
>

From prandal at herefordshire.gov.uk Fri Sep 15 16:42:58 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Sep 15 16:50:55 2006
Subject: Mailscanner stop!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580F374F88@isabella.herefordshire.gov.uk>

We need a bit of a clue here...

Which version of MailScanner / spamassassin?
Which virus scanners are you using?
On which operating system version is it running?
Is there enough free disk space on your server?
What configuration tweaks have you done, if any?

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Walmiro Muzzi
> Sent: 15 September 2006 15:42
> To: MailScanner discussion
> Subject: Mailscanner stop!
>
> Hi all,
>
>
> I am with a problem in mailscanner. It is stopping.
>
> He works, works, works and suddenly he stops.
>
> It swims appears in log no error, simply does not verify no new email.
>
> It is necessary to restart it so that new Batchs is executed.
>
> How I correct this problem?
>
> Thanks in advance.
>
>
> []s
> Walmiro Muzzi
>

From ka at pacific.net Fri Sep 15 16:52:53 2006
From: ka at pacific.net (Ken A)
Date: Fri Sep 15 16:51:28 2006
Subject: SpamAssassin Cache Size?
In-Reply-To: <033a01c6d8d7$8843a2a0$e3f31151@arthur>
References: <033a01c6d8d7$8843a2a0$e3f31151@arthur>
Message-ID: <450ACC55.1010605@pacific.net>

You can tune related settings in /usr/lib/MailScanner/MailScanner/SA.pm

$HamCacheLife
$SpamCacheLife
$HighSpamCacheLife
$VirusesCacheLife
$ExpireFrequency

Ken A.
Pacific.Net

Michele Neylon :: Blacknight Solutions wrote:
> What kind of size should this be?
>
> We're seeing it grow to nearly 2 gigs on one server, so we're wondering if
> there's something wrong that we've missed
>
> Michele
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> http://www.blacknight.ie/
> http://blog.blacknight.ie/
> Tel. 1850 927 280
> Intl. +353 (0) 59 9183072
> UK: 0870 163 0607
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 59 9164239
>

From fabienpenso at gmail.com Fri Sep 15 16:52:22 2006
From: fabienpenso at gmail.com (Fabien Penso)
Date: Fri Sep 15 16:52:24 2006
Subject: SpamAssassin Cache Size?
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580F374F87@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580F374F87@isabella.herefordshire.gov.uk>
Message-ID: <89fe6f1b0609150852m4bef3fddre5c0bab1fcfc84c7@mail.gmail.com>

On 9/15/06, Randal, Phil wrote:
> You could stop MailScanner, delete the cache file, restart and see if
> the problem recurs.

Same here, and the problem recurs. I have a huge 2Gig within /var/spool/MailScanner/spamassassin with many files like :

bayes_toks.expire19883

any fix is welcome.
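Matt Kettler's reply later in this thread identifies files named like the one above as temp files left behind when a SpamAssassin Bayes expiry run is killed part-way. The following added shell example, which is not code from any poster, MailScanner or SpamAssassin, lists only the leftovers that are safe to examine: it assumes the digits after ".expire" are the PID of the creating process, and the function names and the 60-minute age threshold are choices made for the example.

```shell
#!/bin/sh
# Added example (not from the thread, MailScanner or SpamAssassin).
# Assumption: the digits after ".expire" are the PID of the process that
# created the temp file, as in the bayes_toks.expire19883 name quoted above.

# pid_alive PID -> succeeds if a process with that PID exists
pid_alive() {
    kill -0 "$1" 2>/dev/null && return 0     # signal 0 = existence test only
    [ -d "/proc/$1" ] && return 0            # process owned by another user
    ps -p "$1" >/dev/null 2>&1
}

# list_stale_expire DIR [MIN_AGE_MINUTES]
# Prints expire temp files that are older than the threshold AND whose
# creating PID is gone. Nothing is deleted.
list_stale_expire() {
    ls_dir=$1
    ls_age=${2:-60}
    find "$ls_dir" -maxdepth 1 -type f -name 'bayes_toks.expire[0-9]*' \
         -mmin "+$ls_age" 2>/dev/null |
    while IFS= read -r ls_file; do
        ls_pid=${ls_file##*.expire}
        case $ls_pid in
            ''|*[!0-9]*) continue ;;         # suffix is not purely numeric
        esac
        pid_alive "$ls_pid" && continue      # an expiry may still be running
        printf '%s\n' "$ls_file"
    done
}

# stale_expire_bytes DIR [MIN_AGE_MINUTES]
# Prints the combined size in bytes of the files listed above.
stale_expire_bytes() {
    list_stale_expire "$@" | {
        sb_total=0
        while IFS= read -r sb_file; do
            sb_size=$(wc -c < "$sb_file")
            sb_total=$((sb_total + sb_size))
        done
        echo "$sb_total"
    }
}

# Example call: sh stale_expire.sh /var/spool/MailScanner/spamassassin 60
if [ "$#" -ge 1 ]; then
    list_stale_expire "$@"
    echo "total bytes: $(stale_expire_bytes "$@")"
fi
```

The age threshold guards against PID reuse and against an expiry that has only just started; the real bayes_toks database is never matched because its name has no ".expire" suffix.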
From michele at blacknight.ie Fri Sep 15 17:05:18 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight Solutions)
Date: Fri Sep 15 17:05:23 2006
Subject: SpamAssassin Cache Size?
In-Reply-To: <450AC16F.6070700@solidstatelogic.com>
Message-ID: <036701c6d8e0$bd357930$e3f31151@arthur>

Martin Hepworth wrote:
>
> Is it expiring old stuff (you should see messages to that effect in
> the
> maillog) or just growing and growing?

Both!
It expires stuff but also grows..

We nuked it earlier this afternoon, so I'll be keeping an eye on it, but I'd love to know what other people are getting

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From martinh at solidstatelogic.com Fri Sep 15 17:06:55 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Sep 15 17:07:11 2006
Subject: SpamAssassin Cache Size?
In-Reply-To: <89fe6f1b0609150852m4bef3fddre5c0bab1fcfc84c7@mail.gmail.com>
References: <86144ED6CE5B004DA23E1EAC0B569B580F374F87@isabella.herefordshire.gov.uk> <89fe6f1b0609150852m4bef3fddre5c0bab1fcfc84c7@mail.gmail.com>
Message-ID: <450ACF9F.3040304@solidstatelogic.com>

Fabien Penso wrote:
> On 9/15/06, Randal, Phil wrote:
>> You could stop MailScanner, delete the cache file, restart and see if
>> the problem recurs.
>
> Same here, and the problem recurs. I have a huge 2Gig within
> /var/spool/MailScanner/spamassassin with many files like :
>
> bayes_toks.expire19883
>
> any fix is welcome.

the bayes_toks* are different to the spamassassin cache Michele is referring to..
--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From dhawal at netmagicsolutions.com Fri Sep 15 17:09:33 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Sep 15 17:09:52 2006
Subject: SpamAssassin Cache Size?
In-Reply-To: <033a01c6d8d7$8843a2a0$e3f31151@arthur>
References: <033a01c6d8d7$8843a2a0$e3f31151@arthur>
Message-ID: <450AD03D.3020207@netmagicsolutions.com>

Michele Neylon :: Blacknight Solutions wrote:
> What kind of size should this be?
>
> We're seeing it grow to nearly 2 gigs on one server, so we're wondering if
> there's something wrong that we've missed

Mine is about 15MB on a heavily loaded server (100K mails per day).. check some things.

a. 'SpamAssassin Cache Timings' in MailScanner.conf
b. Permissions / location of the SpamAssassin.cache.db
c. Something possibly wrong with your version of sqlite (actually perl-DBD-sqlite) mine is perl-DBD-SQLite-1.11-1

- dhawal

From mkettler at evi-inc.com Fri Sep 15 17:31:56 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Sep 15 17:32:06 2006
Subject: SpamAssassin Cache Size?
In-Reply-To: <89fe6f1b0609150852m4bef3fddre5c0bab1fcfc84c7@mail.gmail.com>
References: <86144ED6CE5B004DA23E1EAC0B569B580F374F87@isabella.herefordshire.gov.uk> <89fe6f1b0609150852m4bef3fddre5c0bab1fcfc84c7@mail.gmail.com>
Message-ID: <450AD57C.5060309@evi-inc.com>

Fabien Penso wrote:
> On 9/15/06, Randal, Phil wrote:
>> You could stop MailScanner, delete the cache file, restart and see if
>> the problem recurs.
>
> Same here, and the problem recurs. I have a huge 2Gig within
> /var/spool/MailScanner/spamassassin with many files like :
>
> bayes_toks.expire19883
>
> any fix is welcome.

That's not the SpamAssassin cache (which is a thing MailScanner creates, not SA). That's a spamassassin owned file, and is the temp-file being used by SA to expire bayes tokens.

Those left-over files are caused by MailScanner errantly timing-out SA processes during opportunistic bayes expiry.

Fix suggestion:

Simple:
Massively extend your timeout for spamassassin in MailScanner.conf

SpamAssassin Timeout = 600

Personally, I've never had MS legitimately kill a SA process. EVER. The only times I've had MS kill SA was when the timeouts in MS were shorter than those in SA, or if SA was busy doing database expiry.

More involved:
Do the above AND:

-Disable bayes_auto_expire in /etc/mail/spamassassin/local.cf
 bayes_auto_expire 0
-Create a daily cron-job to run sa-learn --force-expire. Make sure your spam.assassin.prefs.conf is linked to a .cf file in /etc/mail/spamassassin/, or use the -p option to tell sa-learn to parse your spam.assassin.prefs.conf. Otherwise it might not pick up on your relocated bayes DB in /var/spool.

From paul at blacknight.ie Fri Sep 15 17:34:19 2006
From: paul at blacknight.ie (Paul Kelly :: Blacknight Solutions)
Date: Fri Sep 15 17:34:18 2006
Subject: SpamAssassin Cache Size?
In-Reply-To: <450AD03D.3020207@netmagicsolutions.com>
References: <033a01c6d8d7$8843a2a0$e3f31151@arthur> <450AD03D.3020207@netmagicsolutions.com>
Message-ID: <450AD60B.4040706@blacknight.ie>

Dhawal Doshy wrote:
> Michele Neylon :: Blacknight Solutions wrote:
>> What kind of size should this be?
>>
>> We're seeing it grow to nearly 2 gigs on one server, so we're
>> wondering if
>> there's something wrong that we've missed
>
> Mine is about 15MB on a heavily loaded server (100K mails per day)..
> check some things.
>
> a. 'SpamAssassin Cache Timings' in MailScanner.conf
> b. Permissions / location of the SpamAssassin.cache.db
> c. Something possibly wrong with your version of sqlite (actually
> perl-DBD-sqlite) mine is perl-DBD-SQLite-1.11-1

We've the same version. We're replacing the current box next week, so we're not going to dwell on this particular issue too much.

Paul

>
> - dhawal

--
Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Lo-call: 1850 927 280
DDI: 059 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

From krgehlba at lexairinc.com Fri Sep 15 17:45:20 2006
From: krgehlba at lexairinc.com (Renee Gehlbach)
Date: Fri Sep 15 17:45:49 2006
Subject: per-user mcp rules
Message-ID: <7.0.1.0.0.20060915120939.0195eaf0@lexairinc.com>

Hi all,

I am trying to finish setting up a new mail server. It is running mailscanner v. 4.54 with sendmail v. 8.12 on FreeBSD v. 6.1. I am attempting to set up mcp with different settings for different users, to please different people. (The owner's wife gets upset if anything off-color reaches her mailbox, whereas the engineers need a much higher tolerance as some of their technical terms would be considered dirty in other contexts. Not to mention that I'd ruin a lot of people's days if their jokes had to fall into the same level of decency as the owner's wife wants to have in her mailbox, although that is not the primary consideration.)
I have set up rules for mcp actions and mcp high scoring actions based on ToCc: matches, which in general seems to work fairly well. However, when there are multiple recipients, the first rule that any of the recipients matches is the rule used for that message, which defeats the purpose of having individualized rules in the first place. Does anyone know a way around this problem? I've seen instructions for postfix users on how to split messages with multiple recipients into multiple messages with one recipient, but have not been able to find similar instructions for sendmail.

Renee

From ka at pacific.net Fri Sep 15 17:53:25 2006
From: ka at pacific.net (Ken A)
Date: Fri Sep 15 17:52:01 2006
Subject: per-user mcp rules
In-Reply-To: <7.0.1.0.0.20060915120939.0195eaf0@lexairinc.com>
References: <7.0.1.0.0.20060915120939.0195eaf0@lexairinc.com>
Message-ID: <450ADA85.8050808@pacific.net>

Renee Gehlbach wrote:
> Hi all,
>
> I am trying to finish setting up a new mail server. It is running
> mailscanner v. 4.54 with sendmail v. 8.12 on FreeBSD v. 6.1. I am
> attempting to set up mcp with different settings for different users, to
> please different people. (The owner's wife gets upset if anything
> off-color reaches her mailbox, whereas the engineers need a much higher
> tolerance as some of their technical terms would be considered dirty in
> other contexts. Not to mention that I'd ruin a lot of people's days if
> their jokes had to fall into the same level of decency as the owner's
> wife wants to have in her mailbox, although that is not the primary
> consideration.)
>
> I have set up rules for mcp actions and mcp high scoring actions based
> on ToCc: matches, which in general seems to work fairly well. However,
> when there are multiple recipients, the first rule that any of the
> recipients matches is the rule used for that message, which defeats the
> purpose of having individualized rules in the first place. Does anyone
> know a way around this problem?
I've seen instructions for postfix > users on how to split messages with multiple recipients into multiple > messages with one recipient, but have not been able to find similar > instructions for sendmail. That was quite funny. Thanks. :-) http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient Ken > > Renee > From martinh at solidstatelogic.com Fri Sep 15 17:54:17 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Sep 15 17:54:29 2006 Subject: per-user mcp rules In-Reply-To: <7.0.1.0.0.20060915120939.0195eaf0@lexairinc.com> References: <7.0.1.0.0.20060915120939.0195eaf0@lexairinc.com> Message-ID: <450ADAB9.2030905@solidstatelogic.com> Renee Gehlbach wrote: > Hi all, > > I am trying to finish setting up a new mail server. It is running > mailscanner v. 4.54 with sendmail v. 8.12 on FreeBSD v. 6.1. I am > attempting to set up mcp with different settings for different users, to > please different people. (The owner's wife gets upset if anything > off-color reaches her mailbox, whereas the engineers need a much higher > tolerance as some of their technical terms would be considered dirty in > other contexts. Not to mention that I'd ruin a lot of people's days if > their jokes had to fall into the same level of decency as the owner's > wife wants to have in her mailbox, although that is not the primary > consideration.) > > I have set up rules for mcp actions and mcp high scoring actions based > on ToCc: matches, which in general seems to work fairly well. However, > when there are multiple recipients, the first rule that any of the > recipients matches is the rule used for that message, which defeats the > purpose of having individualized rules in the first place. Does anyone > know a way around this problem? 
I've seen instructions for postfix > users on how to split messages with multiple recipients into multiple > messages with one recipient, but have not been able to find similar > instructions for sendmail. > > Renee > Renee see http://www.fsl.com/support/QuarantineReport.tar.gz for instructions on this -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From walmiro_muzzi at yahoo.com.br Fri Sep 15 18:34:52 2006 From: walmiro_muzzi at yahoo.com.br (Walmiro Muzzi) Date: Fri Sep 15 18:35:05 2006 Subject: Mailscanner stop! In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580F374F88@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B580F374F88@isabella.herefordshire.gov.uk> Message-ID: <450AE43C.5060903@yahoo.com.br> Hi Phil, thanks for answering. I'm using Debian Sarge 3.1. The versions are... Mailscanner: 4.41.3-2 Spamassassin: 3.0.3-2sarge1 Clamav: 0.88.4-0volati MTA: Postfix 2.1.5-9 Too much space: /dev/mapper/vol1-root 20G 742M 18G 4% / tmpfs 443M 0 443M 0% /dev/shm /dev/md0 89M 11M 73M 13% /boot /dev/mapper/vol1-var 90G 813M 84G 1% /var /dev/mapper/vol1-var--log 960M 364M 545M 41% /var/log My mailscanner.conf is here: Forgive me for posting here, but pastebin.com is having problems.
%report-dir% = /etc/MailScanner/reports/en %etc-dir% = /etc/MailScanner %rules-dir% = /etc/MailScanner/rules %mcp-dir% = /etc/MailScanner/mcp # System settings Max Children = 1 Run As User = postfix Run As Group = postfix Queue Scan Interval = 6 Incoming Queue Dir = /var/spool/postfix/hold Outgoing Queue Dir = /var/spool/postfix/incoming Incoming Work Dir = /var/spool/MailScanner/incoming Quarantine Dir = /var/spool/MailScanner/quarantine PID file = /var/run/MailScanner/MailScanner.pid Restart Every = 14400 MTA = postfix #Sendmail = /usr/sbin/sendmail Incoming Work User = Incoming Work Group = Incoming Work Permissions = 0600 Quarantine User = root Quarantine Group = www-data Quarantine Permissions = 0660 Max Unscanned Bytes Per Scan = 100000000 Max Unsafe Bytes Per Scan = 50000000 Max Unscanned Messages Per Scan = 30 Max Unsafe Messages Per Scan = 30 Max Normal Queue Size = 800 Maximum Attachments Per Message = 200 Expand TNEF = yes Deliver Unparsable TNEF = no TNEF Expander = internal TNEF Timeout = 120 File Command = #DISABLED /usr/bin/file File Timeout = 20 Unrar Command = /usr/bin/unrar Unrar Timeout = 50 Maximum Message Size = 0 Maximum Attachment Size = -1 Minimum Attachment Size = -1 Maximum Archive Depth = 2 Find Archives By Content = yes Virus Scanning = yes Virus Scanners = clamav Virus Scanner Timeout = 300 Deliver Disinfected Files = no Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses = no Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Block Encrypted Messages = no Block Unencrypted Messages = no Allow Password-Protected Archives = no Allowed Sophos Error Messages = Sophos IDE Dir = /usr/local/Sophos/ide Sophos Lib Dir = /usr/local/Sophos/lib Monitors For Sophos Updates = /usr/local/Sophos/ide/*ides.zip Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd ClamAVmodule Maximum Recursion Level = 5 ClamAVmodule Maximum Files = 1000 ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) ClamAVmodule Maximum Compression 
Ratio = 250 Dangerous Content Scanning = yes Allow Partial Messages = no Allow External Message Bodies = no Find Phishing Fraud = yes Also Find Numeric Phishing = yes Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Allow IFrame Tags = disarm Allow Form Tags = disarm Allow Script Tags = disarm Allow WebBugs = disarm Allow Object Codebase Tags = disarm Convert Dangerous HTML To Text = no Convert HTML To Text = no Filename Rules = %etc-dir%/filename.rules.conf Filetype Rules = %etc-dir%/filetype.rules.conf Quarantine Infections = yes Quarantine Silent Viruses = no Quarantine Whole Message = yes Quarantine Whole Messages As Queue Files = no Keep Spam And MCP Archive Clean = no Language Strings = %report-dir%/languages.conf Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Stored Bad Content Message Report = %report-dir%/stored.content.message.txt Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Disinfected Report = %report-dir%/disinfected.report.txt Inline HTML Signature = %report-dir%/inline.sig.html Inline Text Signature = %report-dir%/inline.sig.txt Inline HTML Warning = %report-dir%/inline.warning.html Inline Text Warning = %report-dir%/inline.warning.txt Sender Content Report = %report-dir%/sender.content.report.txt Sender Error Report = %report-dir%/sender.error.report.txt Sender Bad Filename Report = %report-dir%/sender.filename.report.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Hide Incoming Work Dir = yes Include Scanner Name In Reports = yes Mail Header = X-%org-name%-MailScanner: Spam Header = X-%org-name%-MailScanner-SpamCheck: Spam Score Header = X-%org-name%-MailScanner-SpamScore: Add Envelope From Header = yes Add Envelope To Header = no Envelope From 
Header = X-%org-name%-MailScanner-From: Envelope To Header = X-%org-name%-MailScanner-To: Spam Score Character = s SpamScore Number Instead Of Stars = no Minimum Stars If On Spam List = 0 Clean Header Value = Found to be clean Infected Header Value = Found to be infected Disinfected Header Value = Disinfected Information Header Value = Please contact the ISP for more information Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = no Multiple Headers = append Hostname = the %org-name% ($HOSTNAME) MailScanner Sign Messages Already Processed = no Sign Clean Messages = no Mark Infected Messages = yes Mark Unscanned Messages = yes Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2: Deliver Cleaned Messages = yes Notify Senders = no Notify Senders Of Viruses = no Notify Senders Of Blocked Filenames Or Filetypes = yes Notify Senders Of Other Blocked Content = yes Never Notify Senders Of Precedence = list bulk Scanned Modify Subject = no # end Scanned Subject Text = {Scanned} Virus Modify Subject = yes Virus Subject Text = {Virus?} Filename Modify Subject = yes Filename Subject Text = {Filename?} Content Modify Subject = yes Content Subject Text = {Dangerous Content?} Spam Modify Subject = yes Spam Subject Text = {Spam?} High Scoring Spam Modify Subject = yes High Scoring Spam Subject Text = {Spam?} Warning Is Attachment = yes Attachment Warning Filename = %org-name%-Attachment-Warning.txt Attachment Encoding Charset = ISO-8859-1 Archive Mail = Send Notices = yes Notices Include Full Headers = yes Hide Incoming Work Dir in Notices = no Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info Notices From = MailScanner Notices To = filtro Local Postmaster = filtro Spam List Definitions = %etc-dir%/spam.lists.conf Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Spam Checks = yes 
Spam List = # # ORDB-RBL SBL+XBL # You can un-comment this to enable them Spam Domain List = Spam Lists To Reach High Score = 3 Spam List Timeout = 10 Max Spam List Timeouts = 7 Spam List Timeouts History = 10 Is Definitely Not Spam = &SQLWhitelist Is Definitely Spam = &SQLBlacklist Definite Spam Is High Scoring = no Ignore Spam Whitelist If Recipients Exceed = 20 Use SpamAssassin = yes Max SpamAssassin Size = 30000 Required SpamAssassin Score = 6 High SpamAssassin Score = 10 SpamAssassin Auto Whitelist = no SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf SpamAssassin Timeout = 75 Max SpamAssassin Timeouts = 10 SpamAssassin Timeouts History = 30 Check SpamAssassin If On Spam List = yes Spam Score = yes Rebuild Bayes Every = 0 Wait During Bayes Rebuild = no Spam Actions = store High Scoring Spam Actions = store Non Spam Actions = deliver Sender Spam Report = %report-dir%/sender.spam.report.txt Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt Inline Spam Warning = %report-dir%/inline.spam.warning.txt Recipient Spam Report = %report-dir%/recipient.spam.report.txt Enable Spam Bounce = %rules-dir%/bounce.rules Bounce Spam As Attachment = no Syslog Facility = mail Log Speed = yes Log Spam = yes Log Non Spam = yes Log Permitted Filenames = no Log Permitted Filetypes = no Log Silent Viruses = yes Log Dangerous HTML Tags = yes SpamAssassin User State Dir = /var/lib/MailScanner SpamAssassin Install Prefix = SpamAssassin Site Rules Dir = /etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Default Rules Dir = MCP Checks = no First Check = mcp MCP Required SpamAssassin Score = 1 MCP High SpamAssassin Score = 10 MCP Error Score = 1 MCP Header = X-%org-name%-MailScanner-MCPCheck: Non MCP Actions = deliver MCP Actions = deliver High Scoring MCP Actions = deliver Bounce MCP As Attachment = no MCP Modify Subject = yes MCP Subject Text = {MCP?} High Scoring MCP Modify 
Subject = yes High Scoring MCP Subject Text = {MCP?} Is Definitely MCP = no Is Definitely Not MCP = no Definite MCP Is High Scoring = no Always Include MCP Report = no Detailed MCP Report = yes Include Scores In MCP Report = no Log MCP = no MCP Max SpamAssassin Timeouts = 20 MCP Max SpamAssassin Size = 100000 MCP SpamAssassin Timeout = 10 MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf MCP SpamAssassin User State Dir = MCP SpamAssassin Local Rules Dir = %mcp-dir% MCP SpamAssassin Default Rules Dir = %mcp-dir% MCP SpamAssassin Install Prefix = %mcp-dir% Recipient MCP Report = %report-dir%/recipient.mcp.report.txt Sender MCP Report = %report-dir%/sender.mcp.report.txt Use Default Rules With Multiple Recipients = no Spam Score Number Format = %d MailScanner Version Number = 4.41.3 Debug = no Debug SpamAssassin = no Run In Foreground = no Always Looked Up Last = &MailWatchLogging Deliver In Background = yes Delivery Method = batch Split Exim Spool = no Lockfile Dir = /var/lock/subsys/MailScanner Custom Functions Dir = /etc/MailScanner/CustomFunctions Thanks again []s Walmiro Muzzi Randal, Phil wrote: > We need a bit of a clue here... > > Which version of MailScanner / spamassassin? > > Which virus scanners are you using? > > On which operating system version is it running? > > Is there enough free disk space on your server? > > What configuration tweaks have you done, if any? > > Cheers, > > Phil > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > >>-----Original Message----- >>From: mailscanner-bounces@lists.mailscanner.info >>[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >>Of Walmiro Muzzi >>Sent: 15 September 2006 15:42 >>To: MailScanner discussion >>Subject: Mailscanner stop! >> >>Hi all, >> >> >> I am with a problem in mailscanner. It is stopping. >> >>He works, works, works and suddenly he stops. >> >>It swims appears in log no error, simply does not verify no new email. 
>> >>It is necessary to restart it so that new Batchs is executed. >> >>How I correct this problem? >> >>Thanks in advance. >> >> >>[]s >>Walmiro Muzzi >>-- >>MailScanner mailing list >>mailscanner@lists.mailscanner.info >>http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >>Before posting, read http://wiki.mailscanner.info/posting >> >>Support MailScanner development - buy the book off the website! >> From gmane at tippingmar.com Fri Sep 15 18:51:47 2006 From: gmane at tippingmar.com (Mark Nienberg) Date: Fri Sep 15 18:52:51 2006 Subject: OOT: Pyzor discovery problem In-Reply-To: <450A62E0.503@solidstatelogic.com> References: <223f97700609150020g64a5108n58f589b35ec15bfc@mail.gmail.com> <223f97700609150025w28adae9eu10010bf54a0139c@mail.gmail.com> <450A62E0.503@solidstatelogic.com> Message-ID: Martin Hepworth wrote: > > From what I can see pyzor is having problems...there's only one server > and I can never "pyzor ping" it...always times out and I've not had a > pyzor score in my spam for weeks... > > I know certain people have offered some server space/bandwidth to the > maintainer but the offer doesn't seem to have been taken up... > > I'm considering turning it off and getting razor2 going instead (i've > already got dcc) > There is an alternative pyzor server at 82.94.255.100:24441 just put that in your .pyzor/servers file manually. I too run pyzor with dcc and razor, but I don't think it's overkill. Pyzor and Razor are similar, but dcc is completely different. I think the server above is provided by a frustrated pyzor user, but I'm not sure if it syncs to the real pyzor server or if pyzor clients report to it directly. I do know it is a more reliable connection, and I see pyzor hits in my logs. Mark Nienberg From AHKAPLAN at PARTNERS.ORG Fri Sep 15 18:59:04 2006 From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) 
Date: Fri Sep 15 18:59:21 2006 Subject: Error Message Concerning Connection to local MySQL server Message-ID: <9C63A4713C4E3342B90428CE44806A73026798D7@PHSXMB5.partners.org> Hi there - I was checking through the root mail file and I came across the following error message: Warning: mysql_pconnect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) in /var/www/html/mailscanner/functions.php on line 497 Could not connect to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) The version of MailScanner 4.54-1 and it is running with ClamAV 0.88.1. Sendmail is version 8.13.7 and the operating system is Fedora Core 5. What do I need to do to correct this? From mkettler at evi-inc.com Fri Sep 15 19:15:42 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Sep 15 19:15:50 2006 Subject: Error Message Concerning Connection to local MySQL server In-Reply-To: <9C63A4713C4E3342B90428CE44806A73026798D7@PHSXMB5.partners.org> References: <9C63A4713C4E3342B90428CE44806A73026798D7@PHSXMB5.partners.org> Message-ID: <450AEDCE.5010900@evi-inc.com> Kaplan, Andrew H. wrote: > Hi there - > > > > I was checking through the root mail file and I came across the > following error message: > > > > Warning: mysql_pconnect(): Can't connect to local MySQL server through > socket '/var/lib/mysql/mysql.sock' (2) in > /var/www/html/mailscanner/functions.php on line 497 > > Could not connect to database: Can't connect to local MySQL server > through socket '/var/lib/mysql/mysql.sock' (2) > > > > The version of MailScanner 4.54-1 and it is running with ClamAV 0.88.1. > Sendmail is version 8.13.7 and the operating system is Fedora Core 5. > > > > What do I need to do to correct this? > From the looks of it, that's not MailScanner, but MailWatch.
From AHKAPLAN at PARTNERS.ORG Fri Sep 15 19:21:58 2006 From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Fri Sep 15 19:22:14 2006 Subject: Error Message Concerning Connection to local MySQL server Message-ID: <9C63A4713C4E3342B90428CE44806A73026798DB@PHSXMB5.partners.org> Thanks for your reply, I will forward this e-mail to the MailWatch user list. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler Sent: Friday, September 15, 2006 2:16 PM To: MailScanner discussion Subject: Re: Error Message Concerning Connection to local MySQL server Kaplan, Andrew H. wrote: > Hi there - > > > > I was checking through the root mail file and I came across the > following error message: > > > > Warning: mysql_pconnect(): Can't connect to local MySQL server through > socket '/var/lib/mysql/mysql.sock' (2) in > /var/www/html/mailscanner/functions.php on line 497 > > Could not connect to database: Can't connect to local MySQL server > through socket '/var/lib/mysql/mysql.sock' (2) > > > > The version of MailScanner 4.54-1 and it is running with ClamAV 0.88.1. > Sendmail is version 8.13.7 and the operating system is Fedora Core 5. > > > > What do I need to do to correct this? > From the looks of it, that's not MailScanner, but MailWatch. From ka at pacific.net Fri Sep 15 19:24:31 2006 From: ka at pacific.net (Ken A) Date: Fri Sep 15 19:23:06 2006 Subject: Error Message Concerning Connection to local MySQL server In-Reply-To: <9C63A4713C4E3342B90428CE44806A73026798D7@PHSXMB5.partners.org> References: <9C63A4713C4E3342B90428CE44806A73026798D7@PHSXMB5.partners.org> Message-ID: <450AEFDF.4060706@pacific.net> Kaplan, Andrew H.
wrote: > Hi there - > > > > I was checking through the root mail file and I came across the following error > message: > > > > Warning: mysql_pconnect(): Can't connect to local MySQL server through socket > '/var/lib/mysql/mysql.sock' (2) in /var/www/html/mailscanner/functions.php on > line 497 > > Could not connect to database: Can't connect to local MySQL server through > socket '/var/lib/mysql/mysql.sock' (2) > > > > The version of MailScanner 4.54-1 and it is running with ClamAV 0.88.1. Sendmail > is version 8.13.7 and the operating system is Fedora Core 5. > > > > What do I need to do to correct this? > > > Have you tried 'service mysqld start' ? Ken A. Pacific.Net From AHKAPLAN at PARTNERS.ORG Fri Sep 15 19:29:23 2006 From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Fri Sep 15 19:29:32 2006 Subject: Error Message Concerning Connection to local MySQL server Message-ID: <9C63A4713C4E3342B90428CE44806A73026798DD@PHSXMB5.partners.org> Thanks for your reply. I realize what my mistake was: I tried to run the command as sudo user and it failed. When I did the same as root, it worked. Thanks. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A Sent: Friday, September 15, 2006 2:25 PM To: MailScanner discussion Subject: Re: Error Message Concerning Connection to local MySQL server Kaplan, Andrew H. wrote: > Hi there - > > > > I was checking through the root mail file and I came across the following error > message: > > > > Warning: mysql_pconnect(): Can't connect to local MySQL server through socket > '/var/lib/mysql/mysql.sock' (2) in /var/www/html/mailscanner/functions.php on > line 497 > > Could not connect to database: Can't connect to local MySQL server through > socket '/var/lib/mysql/mysql.sock' (2) > > > > The version of MailScanner 4.54-1 and it is running with ClamAV 0.88.1. Sendmail > is version 8.13.7 and the operating system is Fedora Core 5. 
> > > > What do I need to do to correct this? > > > Have you tried 'service mysqld start' ? Ken A. Pacific.Net From Denis.Beauchemin at USherbrooke.ca Fri Sep 15 19:39:53 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Sep 15 19:40:31 2006 Subject: MailScanner wont start! In-Reply-To: <004101c6d886$34feaa00$0b01a8c0@motechserver> References: <004101c6d886$34feaa00$0b01a8c0@motechserver> Message-ID: <450AF379.1020804@USherbrooke.ca> Thato Molise wrote: > Hi All > > I know this question might have been asked many times but I'm a newbie > in the forum ps bear with me.. > > After installing latest version of MailScanner in my RHL3.0 ES I get > the following error when I try to start its daemon... > > Can't locate Time/HiRes.pm in @INC (@INC contains: > /usr/lib/MailScanner /usr/lib/perl5/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/5.8.0 > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl > /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 . > /usr/lib/MailScanner) at /usr/sbin/MailScanner line 65. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65. > How can I fix this problem error message? > > Use up2date to install the missing RPM: up2date perl-Time-HiRes Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045
From Denis.Beauchemin at USherbrooke.ca Fri Sep 15 19:47:43 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Sep 15 19:47:57 2006 Subject: SpamAssassin Cache Size? In-Reply-To: <036701c6d8e0$bd357930$e3f31151@arthur> References: <036701c6d8e0$bd357930$e3f31151@arthur> Message-ID: <450AF54F.70905@USherbrooke.ca> Michele Neylon :: Blacknight Solutions wrote: > Martin Hepworth wrote: > > >> Is it expiring old stuff (you should see messages to that effect in >> the >> maillog) or just growing and growing? >> > > Both! > > It expires stuff but also grows.. We nuked it earlier this afternoon, so > I'll be keeping an eye on it, but I'd love to know what other people are > getting > > > Michele, Our 3 servers have files less than 4MB. The whole directory is also under 4MB. I am doing as Matt suggested and am expiring things with a cron job. It takes close to 3 minutes on some servers during which MS is not scanning any email (I stopped it)! Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From ka at pacific.net Fri Sep 15 22:58:14 2006 From: ka at pacific.net (Ken A) Date: Fri Sep 15 22:56:50 2006 Subject: MailScanner object codebase settings Message-ID: <450B21F6.5040303@pacific.net> Does any of the "Object Codebase=" checking in MailScanner block creation of ActiveX objects like this? http://downloads.securityfocus.com/vulnerabilities/exploits/19738.html Looks like