From micoots at yahoo.com Sun Apr 1 05:16:46 2007
From: micoots at yahoo.com (Michael Mansour)
Date: Sun Apr 1 04:24:40 2007
Subject: Using Razor with MailScanner/Postfix?
Message-ID: <616808.26453.qm@web33314.mail.mud.yahoo.com>

Hi,

> Just to follow up on my own post here, I've done something that
> seems to
> work, but would appreciate a sanity check.
>
> As root:
>
> Ran razor-admin -create
> Ran razor-admin -register
> cp -r /root/.razor /var/spool/MailScanner/
> chown -R postfix.postfix /var/spool/MailScanner/

What's the benefit of moving the .razor directory from
/root/.razor?

Thanks.

Michael.

From ka at pacific.net Sun Apr 1 05:50:30 2007
From: ka at pacific.net (Ken)
Date: Sun Apr 1 04:58:25 2007
Subject: animated cursors
In-Reply-To: <223f97700703310227v543acfc0p264418e6cdd147e5@mail.gmail.com>
References: <460D7F02.9020000@pacific.net> <223f97700703310227v543acfc0p264418e6cdd147e5@mail.gmail.com>
Message-ID: <460F2C06.70205@pacific.net>

Glenn Steen wrote:
> On 30/03/07, Ken A wrote:
>> re: http://www.securityfocus.com/archive/1/464269
>> Am I correct that a line like so in filetype.rules.conf will block
>> animated cursors.
>>
>> deny RIFF No animated cursors No animated cursor
>>
>> They are already blocked in filename.rules.conf, but you know how
>> windows apps like to open files based on contents!
>>
>
> Yes... and then some (RIFF is a container thing)... Observe:
> # file /mnt/win_c/WINDOWS/Cursors/handno.ani
> /mnt/win_c/WINDOWS/Cursors/handno.ani: RIFF (little-endian) data,
> animated cursor
> # file /usr/lib/childsplay/lib/MultiTablesData/correct.wav
> /usr/lib/childsplay/lib/MultiTablesData/correct.wav: RIFF
> (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 22050 Hz
> #
>
> Might be OK for you, but perhaps you shouldn't assume it to be an
> animated cursor right off the bat:-). Why not use "cursor" or even
> "animated" instead? A plain cursor file (.cur) is identified as some
> Lotus 1-2-3 format on my system here:-).
>

Thanks Glenn,
I wasn't sure of how the regex worked for the rules file and chose the
all caps RIFF, rather than 'cursor' or 'animated'. Changing to 'animated'.

Ken Anderson
Pacific.Net

> Cheers

From res at ausics.net Sun Apr 1 11:47:38 2007
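Added example, not part of the original thread: it shows why a rule keyed on "RIFF" over-blocks, as discussed in the "animated cursors" message above. RIFF is a container whose four-byte form type at offset 8 (ACON, WAVE, AVI) is what distinguishes an animated cursor from audio or video. The byte samples are constructed, and matching the rule's pattern with `re.search` against file(1)-style text is an assumption about how the rule is applied; only the two descriptions in `FILE_OUTPUT` come from the thread.

```python
import re
import struct

# Well-known RIFF form types: the four bytes at offset 8 of the file.
FORM_TYPES = {
    b"ACON": "animated cursor",
    b"WAVE": "WAVE audio",
    b"AVI ": "AVI",
}


def make_riff(form: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed RIFF sample: magic, little-endian size, form type."""
    return b"RIFF" + struct.pack("<I", 4 + len(payload)) + form + payload


def describe(data: bytes) -> str:
    """Return a file(1)-style description based on the leading bytes."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return "data"
    form = data[8:12]
    label = FORM_TYPES.get(form, "unknown form type %r" % form)
    return "RIFF (little-endian) data, " + label


def rule_hits(pattern: str, descriptions: dict) -> list:
    """Names whose description matches the rule pattern.

    Assumption: the pattern is applied as an unanchored regex to the
    description text. Case handling by the real scanner is not modelled.
    """
    return sorted(n for n, d in descriptions.items() if re.search(pattern, d))


# The two descriptions quoted in the thread.
FILE_OUTPUT = {
    "handno.ani": "RIFF (little-endian) data, animated cursor",
    "correct.wav": "RIFF (little-endian) data, WAVE audio, "
                   "Microsoft PCM, 8 bit, mono 22050 Hz",
}

# Constructed byte samples (not real files) covering three form types.
SAMPLES = {
    "sample.ani": make_riff(b"ACON"),
    "sample.wav": make_riff(b"WAVE", b"fmt "),
    "sample.avi": make_riff(b"AVI "),
    "notes.txt": b"plain text, not a container",
}

if __name__ == "__main__":
    # Compare candidate patterns against the output shown in the thread.
    for pattern in ("RIFF", "animated", "cursor"):
        print("%-8s -> %s" % (pattern, rule_hits(pattern, FILE_OUTPUT)))
    # Same comparison on descriptions derived from the constructed bytes.
    described = {name: describe(data) for name, data in SAMPLES.items()}
    for pattern in ("RIFF", "animated"):
        print("%-8s -> %s" % (pattern, rule_hits(pattern, described)))
```
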
From: res at ausics.net (Res)
Date: Sun Apr 1 10:55:40 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To: <460BC650.7010508@openenterprise.ca>
References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca>
Message-ID:

Hi,

Been away for a few days... Did you resolve this?

On Thu, 29 Mar 2007, Johnny Stork wrote:

> Well I updated both now, submit.mc and sendmail.mc. shutdown sendmail,
> rebuilt with "make -C /etc/mail" then restarted sendmail...but the header
> still shows gateway.johnnystork.ca?
>
> Not sure what I am doing wrong here
>
> John Van Ostrand wrote:
>> On Tue, 2007-03-27 at 16:43 -0700, Johnny Stork wrote:
>>
>>> Since the standard sendmail is not running, where do I put
>>>
>>>
>>> LOCAL_DOMAIN(`smtp.johnnystork.ca')dnl
>>> in /etc/mail/sendmail.mc and rebuild sendmail.cf?
>>>
>>> Or somewhere else? Putting it in /etc/mail/sendmail.mc, rebuilding and
>>> restarting the MailScanner service did not appear to make any
>>> difference
>>>
>>
>> It should go into /etc/mail/submit.mc, then rebuild submit.cf (usually
>> just make -C /etc/mail).
>>
>>
>
>

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Sun Apr 1 12:08:09 2007
From: res at ausics.net (Res)
Date: Sun Apr 1 11:16:10 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <460BF764.3040105@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com>
Message-ID:

On Thu, 29 Mar 2007, Rick Chadderdon wrote:

> Res wrote:
>> The fact remains you accept these risks if you run a public mail server,
>> just like greylisting
>
> Yes, I know. And the fact remains that greylisting and SAV are two entirely
> different moral questions because of who is initiating the behavior against
> whom.

They are *all* part of someones anti spam defense, just because you dont
like the way some do it, thats really just tuff luck.

> I'll live with it, but it's rude behavior. And if a technological method

No, its only rude to you because you disagree with it, you wouldnt even
know its happening if you werent a log hogger (no offence)

(loghogger: one who feels the need to read every single entry in their
log files)

> I'd prefer to see sender verification as a part of the SMTP protocol. If it

Thats not possible for sanity reasons, eg: hosting customers, sending from
their home account, using their domain email as sender, the current
connection to the remote MTA wont work, because best chances the senders
MTA is not the same as their hosting provider.

> Okay, so we're in agreement. I guess the difference is that when I don't

So you disagree with greylisting as well? Thats the only thing I agreed
to :)

> users for streaming radio stations and youtube videos, though. They don't

streaming radio is nothing, its 3 to 4 kb/s, hell I do it, saves taking in
radios

> in their email, that a few users streaming audio and video can actually have
> a negative impact.
> But, as they say, "I can do it at home with just my one

then theres something seriously wrong with their network

> Just so I know which it is... Do you honestly not see the difference between
> affecting a third party and affecting one who is directly dealing with you,
> or do you simply not care? I know we don't agree, but I'd kind of like to
> know whether it's because you're missing my point - or you don't think the
> difference is relevant.

I do see your point, you dont like someone asking you if john.smith lives
there before they let them in, you expect them to take on good faith that
john.smith lives there.

> to address them) strikes me as a cheap cop-out. Please understand that I'm
> talking only about the moral choices involved, which is why the second and

who decides whats moral, what is to you may not be to others.

> DNS lookups are what the DNS server is for. SAV is *not* what my mail server
> is for. Until it's part of the normal operation of a mailserver, I don't

In a perfect world nobody would impersonate anybody, we have not lived in
that kind of world for many many many many years.

> While I'm not sure that I've been clear enough for everyone to understand the
> moral flaws I'm pointing out, I do think I've made them as clear as I can

your morals, remember, I think youve made it real clear to this list you
despise SV, however I doubt you are going to change anyones mind, because
like you, they are looking out for *number one* (themselves) and will take
whatever actions they deem appropriate to protect themselves, and so we
all should, since nobody else is going to.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Sun Apr 1 12:09:19 2007
From: res at ausics.net (Res)
Date: Sun Apr 1 11:17:20 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <460BFFD1.30804@pixelhammer.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46083AEF.8070100@fractalweb.com> <460BF75C.8030504@yeticomputers.com> <460BFB2F.6070406@fractalweb.com> <460BFFD1.30804@pixelhammer.com>
Message-ID:

On Thu, 29 Mar 2007, DAve wrote:

> Agreed. I've enjoyed the civil discussion on SAV, civil discussions are so
> rare on MTA lists. I am better prepared to make a judgment for or against
> using it in the future because of this thread.

Thats crazy, you should never base your opinion on whats "said" on lists,
the only way is to trial it yourself for a month, then do the stats.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Sun Apr 1 12:10:23 2007
From: res at ausics.net (Res)
Date: Sun Apr 1 11:18:22 2007
Subject: Error message starting/restarting MailScanner?
In-Reply-To:
References:
Message-ID:

On Fri, 30 Mar 2007, Hugo van der Kooij wrote:

>> -rw------- 1 postfix postfix 7.0K Mar 29 14:09 SpamAssassin.cache.db
>
> Tell us you are kidding us with the cache file living down here.

There is nothing wrong with that location, its unusual, most would put it
in /var/spool/MailScanner, but if they want it in incoming/ thats entirely
fine.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From micoots at yahoo.com Mon Apr 2 08:23:23 2007
From: micoots at yahoo.com (Michael Mansour)
Date: Mon Apr 2 07:31:23 2007
Subject: MailScanner gateway stats
In-Reply-To:
Message-ID: <945492.55056.qm@web33308.mail.mud.yahoo.com>

Hi Paul,

Paul Baily wrote:

Hi all,

[A belated] Thanks very much for your advice folks, UxBoD especially. I
think I've got the mailgraph script reporting correctly now with
MailScanner/sendmail.

I got lost in this thread with people talking about different graphing
solutions.

Could you explain what you did? did you just continue to use Mailgraph?
and if so, what did you need to change to get the stats you wanted for
mailscanner/sendmail?

Thanks.

Michael.

cheers, and thanks again,
Paul.

From stork at openenterprise.ca Mon Apr 2 09:37:50 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Mon Apr 2 08:46:07 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To:
References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca>
Message-ID: <4610B2CE.7090400@openenterprise.ca>

Skipped content of type multipart/alternative

From res at ausics.net Mon Apr 2 09:49:47 2007
From: res at ausics.net (Res)
Date: Mon Apr 2 08:57:50 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To: <4610B2CE.7090400@openenterprise.ca>
References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca>
Message-ID:

On Mon, 2 Apr 2007, Johnny Stork wrote:

> No not yet, mail headers still show the local, non routable ip and local
> machines domain name. Now this server is behind a firewall so does this make
> a difference?

Want to send me off-list a copy of your sendmail.mc AND the current
sendmail.cf ? I can have a look at it.

Include in the private email, the hostname of your gateway machine, this
means any name you call it and any actually domain name given to your live
ip, any IP's associated with it, any domain names you have set to it
internally (by way of /etc/hosts)

When your server, behind a nat'd gateway, sends out it should be accepted
by the receiver as a live IP (of your NAT box) regardless of what you call
it internally.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From dhawal at netmagicsolutions.com Mon Apr 2 13:16:42 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Apr 2 12:25:03 2007
Subject: Using Razor with MailScanner/Postfix?
In-Reply-To:
References:
Message-ID: <4610E61A.20201@netmagicsolutions.com>

Paul Hutchings wrote:
> Just to follow up on my own post here, I've done something that seems to
> work, but would appreciate a sanity check.
>
> As root:
>
> Ran razor-admin -create
> Ran razor-admin -register
> cp -r /root/.razor /var/spool/MailScanner/
> chown -R postfix.postfix /var/spool/MailScanner/
>
> Which leaves me with a /var/spool/MailScanner/.razor folder with a bunch
> of razor config/registration files readable and writeable by Postfix.
>
> I then added to /etc/MailScanner/spam.assassin.prefs.conf the line:
>
> razor_config /var/spool/MailScanner/.razor/razor-agent.conf

Also add this to /var/spool/MailScanner/.razor/razor-agent.conf

razorhome = /var/spool/MailScanner/.razor

From the man page:

razorhome
    Directory where Razor Agents look for files. All files in
    razor-agent.conf without a full path will be relative to razorhome.
    The default is /etc/razor/ for root, and ~/.razor/ for every other
    user. If razorhome does not exist, it will be created.

From paul.hutchings at mira.co.uk Mon Apr 2 15:24:45 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Apr 2 14:32:53 2007
Subject: When do config/rule changes take effect?
Message-ID:

I've just made our MailScanner live. Seems to be doing a cracking job
so far.

A question though.

As I tweak rules do I need to do a full "/etc/init.d/MailScanner
restart" or can I somehow force MailScanner to refresh its configuration
whilst running?

I've RTFM and wasn't too clear on this point.

cheers,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

--
MIRA Ltd.

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From list-mailscanner at linguaphone.com Mon Apr 2 15:31:20 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Apr 2 14:39:22 2007
Subject: When do config/rule changes take effect?
In-Reply-To:
References:
Message-ID: <1175520680.10745.6.camel@gblades-suse.linguaphone-intranet.co.uk>

I believe the new config will take effect as each child process reaches
its maximum age and gets restarted.

On Mon, 2007-04-02 at 14:24, Paul Hutchings wrote:
> I've just made our MailScanner live. Seems to be doing a cracking job
> so far.
>
> A question though.
>
> As I tweak rules do I need to do a full "/etc/init.d/MailScanner
> restart" or can I somehow force MailScanner to refresh its configuration
> whilst running?
>
> I've RTFM and wasn't too clear on this point.
>
> cheers,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
> mailto:paul.hutchings@mira.co.uk
>
> --
> MIRA Ltd.
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
>
> Registered in England No. 402570
> VAT Registration GB 114 5409 96
>
> The contents of this e-mail are confidential and are solely for the use of the intended recipient.
> If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
> You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From paul at firespam.com Mon Apr 2 15:40:18 2007
From: paul at firespam.com (Paul @ Firespam)
Date: Mon Apr 2 14:49:54 2007
Subject: When do config/rule changes take effect?
Message-ID: <000901c7752c$73af5630$5b0e0290$@com>

>> I believe the new config will take effect as each child process reaches
>> its maximum age and gets restarted.

Out of curiosity, where is this maximum age defined?
And does this apply for spam.whitelist.rules & spam.blacklist.rules changes?

Thanks,

--
Paul Maddox
Technical Director
tel: +44 (0) 121 288 6333
mob: +44 (0) 7983 990098
http://www.firespam.com

--
This message has been scanned for spam, viruses and phishing attempts by firespam.com

From list-mailscanner at linguaphone.com Mon Apr 2 15:46:35 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Apr 2 14:54:41 2007
Subject: When do config/rule changes take effect?
In-Reply-To: <000901c7752c$73af5630$5b0e0290$@com>
References: <000901c7752c$73af5630$5b0e0290$@com>
Message-ID: <1175521595.10746.11.camel@gblades-suse.linguaphone-intranet.co.uk>

On Mon, 2007-04-02 at 14:40, Paul @ Firespam wrote:
> >> I believe the new config will take effect as each child process reaches
> >> its maximum age and gets restarted.
>
> Out of curiosity, where is this maximum age defined?

Its in the standard mailscanner config file :-

# To avoid resource leaks, re-start periodically
Restart Every = 14400

> And does this apply for spam.whitelist.rules & spam.blacklist.rules changes?
>

Yes it does seem to. Each child process that gets started seems to load
its own configuration in as you can see if you monitor the mail log file.

>
> Thanks,
>
> --
> Paul Maddox
> Technical Director
> tel: +44 (0) 121 288 6333
> mob: +44 (0) 7983 990098
> http://www.firespam.com
>
>
>
> --
> This message has been scanned for spam, viruses and phishing attempts by firespam.com

From john at tradoc.fr Mon Apr 2 15:53:15 2007
From: john at tradoc.fr (John Wilcock)
Date: Mon Apr 2 15:01:19 2007
Subject: When do config/rule changes take effect?
In-Reply-To:
References:
Message-ID: <46110ACB.9020709@tradoc.fr>

Paul Hutchings wrote:
> As I tweak rules do I need to do a full "/etc/init.d/MailScanner
> restart" or can I somehow force MailScanner to refresh its configuration
> whilst running?

/etc/init.d/MailScanner reload should do the trick.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From jimc at laridian.com Mon Apr 2 19:18:00 2007
From: jimc at laridian.com (Jim Coates)
Date: Mon Apr 2 18:28:35 2007
Subject: OT: Multiple Outgoing IPs?
In-Reply-To: <46110ACB.9020709@tradoc.fr>
Message-ID: <00b801c7754a$dd9074d0$6501a8c0@zorak>

Hey gang...

This is totally off-topic, but I know there are some very smart
individuals here who might have some ideas for me.

The company I work for recently purchased another company (both companies
are very small). Because of how we track bonded sender info and such, I
need to have both domains (one for each company) sending outgoing mail on
different IPs. Ideally, I don't want to add another mail server and would
like to be able to take advantage of all the filtering and such that I
have enabled on the existing *nix based mail server.

I've been told that it is not possible to set outgoing IPs in SendMail, so
I'm looking for suggestions of how I might be able to make this work.

I truly appreciate it.

Jim Coates

From zeeshan.iqbal at amzt.com Mon Apr 2 19:33:36 2007
From: zeeshan.iqbal at amzt.com (Zeeshan Iqbal)
Date: Mon Apr 2 18:41:39 2007
Subject: Multiple Outgoing IPs?
In-Reply-To: <00b801c7754a$dd9074d0$6501a8c0@zorak>
References: <46110ACB.9020709@tradoc.fr> <00b801c7754a$dd9074d0$6501a8c0@zorak>
Message-ID: <000001c7754d$0b1a6800$2d2058ca@zeshan376427db>

Hi Jim,

Go to the
Pico /etc/mail/access

Allow ur all different ips just like that

172.16.172.0 RELAY
172.16.177.0 RELAY

Save and exit

And run
makemap hash /etc/mail/access

Howdy.

In my private life, I run a server that does both inbound and outbound
mail (largely because the University can afford more connectivity than I
can!).

I do enjoy running rDNS checks, but find that when I'm connecting through
my Treo, a lot of my outbound messages get tagged as spam.

What would be the best way to combat this?

An example header from a message sent from my Treo:

spam, SpamAssassin (not cached, score=7.507, required 6, BOTNET 5.00,
DK_POLICY_SIGNSOME 0.00, HELO_EQ_LT4 0.44, HOST_MISMATCH_NET 0.31,
MAILTO_TO_SPAM_ADDR 0.28, MSGID_FROM_MTA_ID 0.93, NO_REAL_NAME 0.55)

--
Jay Chandler
Network Administrator
Chapman University

From paul.hutchings at mira.co.uk Mon Apr 2 19:46:54 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Apr 2 18:55:03 2007
Subject: MailScanner reporting/stats? tools
Message-ID:

MailScanner seems to be up and running a treat.

Is there anything that will give me some useful stats/reports?

I'm running MailScanner with Postfix as MTA on OpenSuse.

I'm aware of MailWatch, but it looks a bit of a sod to install/configure
for a novice tbh.

TIA,
Paul

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

--
MIRA Ltd.

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From mailscanner at yeticomputers.com Mon Apr 2 19:47:05 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Mon Apr 2 18:55:15 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46083AEF.8070100@fractalweb.com> <460BF75C.8030504@yeticomputers.com> <460BFB2F.6070406@fractalweb.com> <460BFFD1.30804@pixelhammer.com>
Message-ID: <46114199.5090708@yeticomputers.com>

Res wrote:
> On Thu, 29 Mar 2007, DAve wrote:
>
>> Agreed. I've enjoyed the civil discussion on SAV, civil discussions
>> are so rare on MTA lists. I am better prepared to make a judgment for
>> or against using it in the future because of this thread.

Dave, I appreciate that you took the time to listen. :)

>
> Thats crazy, you should never base your opinion on whats "said" on
> lists, the only way is to trial it yourself for a month, then do the
> stats.
>

See, Res, my ranting did make an impact. :P

Sometimes there is more to think about than the "stats". From what I've
read, TDMA is nearly 100% effective. Do you use that?

Rick

From mailscanner at yeticomputers.com Mon Apr 2 19:47:09 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Mon Apr 2 18:55:24 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com>
Message-ID: <4611419D.7060505@yeticomputers.com>

Res wrote:
> On Thu, 29 Mar 2007, Rick Chadderdon wrote:
>
>> I'll live with it, but it's rude behavior. And if a technological
>> method
>
> No, its only rude to you because you disagree with it, you wouldnt
> even know its happening if you werent a log hogger (no offence)
>
> (loghogger: one who feels the need to read every single entry in their
> log files)

See, this is odd to me. I'm used to many younger people having no idea of
what manners are - what rudeness is. But I have gotten the impression from
your posts that you're around my age. A rude behavior is rude whether the
individual to whom it is directed takes it that way or not. Do you think
there needs to be some consensus before something is declared "rude"? How
many people need to think something is rude before it actually *is* rude?
Is it a percentage of a population? Please, enlighten me.

Your lack of concern - and your rudeness - in this regard even lead you to
make ill thought out assumptions which I *know* you're smart enough to
avoid if you actually cared about the issue. I am not a "log hogger". I
peruse my logs on a regular basis to look for trouble signs, but I don't
"read every single entry" in those files unless there is a problem I need
to track down which *requires* more meticulous attention. On those
occasions, if my job is hampered by someone's extraneous log lines, it is
cumbersome to say the least.

>> I'd prefer to see sender verification as a part of the SMTP
>> protocol.
>> If it
>
> Thats not possible for sanity reasons, eg: hosting customers, sending
> from their home account, using their domain email as sender, the
> current connection to the remote MTA wont work, because best chances
> the senders MTA is not the same as their hosting provider.

Mmmm... Oh, I see what you're saying. No, I meant that the SMTP
transaction would be modified to be a three-way, probably three-party
handshake. I think you can figure out what I mean. If not, let's please
continue the discussion off-list. Regardless, nearly all of the reasons
that people reject perfectly functional fixes - most of which would help
dramatically reduce the spam problem - is because they are not backwards
compatible with someone's way of doing things. Guess what? The existing
system is *horribly broken* in regards to spam control. Any working
solution is going to have to change the way things are done.

Sender verification is doomed to uselessness, anyway, if it ever gets any
momentum and actually gets adopted by enough people. The anti-OCR images
that are now being sent are a direct response to FuzzyOCR and other such
techniques. If spam gets hard to deliver because of SAV, spam software
will have built in address verification. A run against your mailing list,
and then you fill in the "to:" and "from:" fields for your spam run only
from verified addresses. And we're back to making *no* difference with
our verification checks. Except for the increased use of resources.

>> in their email, that a few users streaming audio and video can
>> actually have a negative impact. But, as they say, "I can do it at
>> home with just my one
>
> then theres something seriously wrong with their network

Well, I know how spoiled you are with your multi-gig network, but trust
me, there's nothing wrong with a network that sees negative effects from
people using all (or most) of the available bandwidth.
I guess where you are there's no such thing as a broadband video or audio
stream, and I'm sure that you just find some painful way to eliminate
users who abuse your kindness. Or maybe your network is just *so* darned
fast that you'd never notice. Please. I haven't attacked your competence,
just your ethics. I'd appreciate it if you didn't attack mine. (And if
we're going to get personal, off-list is definitely the place to go.)

>> Just so I know which it is... Do you honestly not see the difference
>> between affecting a third party and affecting one who is directly
>> dealing with you, or do you simply not care? I know we don't agree,
>> but I'd kind of like to know whether it's because you're missing my
>> point - or you don't think the difference is relevant.
>
> I do see your point, you dont like someone asking you if john.smith
> lives there before they let them in, you expect them to take on good
> faith that john.smith lives there.

Okay, rather than assume sarcasm, I'll accept that you don't see my point.
I'll leave it here, then, since I don't know how to state it any more
clearly. If you are even the slightest bit curious, or want me to try
harder, email me, but I won't do it here.

>> While I'm not sure that I've been clear enough for everyone to
>> understand the moral flaws I'm pointing out, I do think I've made
>> them as clear as I can
>
> your morals, remember, I think youve made it real clear to this list
> you despise SV, however I doubt you are going to change anyones mind,
> because like you, they are looking out for *number one* (themselves)
> and will take whatever actions they deem appropriate to protect
> themselves, and so we all should, since nobody else is going to.

*Not* like me. I *won't* take every possible action possible to protect
myself. I won't affect an innocent third-party to ensure my own safety,
for example.
I recognize that most people will do whatever they think is best, but I do
believe that the knowledge that there are those who won't like their
actions will cause some people to at least reflect before they act.

Rick

From dominian at slackadelic.com Mon Apr 2 19:51:54 2007
From: dominian at slackadelic.com (Matt Hayes)
Date: Mon Apr 2 19:00:02 2007
Subject: MailScanner reporting/stats? tools
In-Reply-To:
References:
Message-ID: <461142BA.6050706@slackadelic.com>

Paul Hutchings wrote:
> MailScanner seems to be up and running a treat.
>
> Is there anything that will give me some useful stats/reports?
>
> I'm running MailScanner with Postfix as MTA on OpenSuse.
>
> I'm aware of MailWatch, but it looks a bit of a sod to install/configure
> for a novice tbh.
>

Paul,

MailWatch is not that hard to configure/install. It works quite well.
There are plenty of howto's out there talking you through the process.

-Matt

From jimc at laridian.com Mon Apr 2 19:57:53 2007
From: jimc at laridian.com (Jim Coates)
Date: Mon Apr 2 19:08:28 2007
Subject: Multiple Outgoing IPs?
In-Reply-To: <000001c7754d$0b1a6800$2d2058ca@zeshan376427db>
Message-ID: <00c501c77550$703e8f10$6501a8c0@zorak>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Zeeshan Iqbal
> Sent: Monday, April 02, 2007 12:34 PM
> To: 'MailScanner discussion'
> Subject: RE: Multiple Outgoing IPs?
>
>
> Hi Jim,
>
> Go to the
> Pico /etc/mail/access
>
> Allow ur all different ips just like that
>
> 172.16.172.0 RELAY
> 172.16.177.0 RELAY
>
> Save and exit
>
> And run
> makemap hash /etc/mail/access
> Regards
> Zeeshan Iqbal
>

Zeeshan,

Thanks.. but doesn't that only help the incoming situation? I'm looking to
tell Sendmail that domain.one.com should go out on one IP and
domain.two.com should go out on another IP.

Thanks,
Jim

From sailer at bnl.gov Mon Apr 2 20:01:59 2007
From: sailer at bnl.gov (Tim Sailer)
Date: Mon Apr 2 19:10:04 2007
Subject: MailScanner reporting/stats? tools
In-Reply-To:
References:
Message-ID: <20070402180159.GA28471@bnl.gov>

On Mon, Apr 02, 2007 at 06:46:54PM +0100, Paul Hutchings wrote:
> MailScanner seems to be up and running a treat.
>
> Is there anything that will give me some useful stats/reports?
>
> I'm running MailScanner with Postfix as MTA on OpenSuse.
>
> I'm aware of MailWatch, but it looks a bit of a sod to install/configure
> for a novice tbh.

Vispan. It takes about 3 minutes to configure and install, and gives basic
info to show how your mailscanner is doing.

http://www.while.org.uk/index.php?option=com_content&task=view&id=9&Itemid=5

Mailwatch is much more featureful, but I point newbies to vispan to start
with.

Tim

From ssilva at sgvwater.com Mon Apr 2 20:01:56 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 2 19:10:31 2007
Subject: Using Razor with MailScanner/Postfix?
In-Reply-To: <616808.26453.qm@web33314.mail.mud.yahoo.com>
References: <616808.26453.qm@web33314.mail.mud.yahoo.com>
Message-ID:

Michael Mansour spake the following on 3/31/2007 8:16 PM:
> Hi,
>
>
>> Just to follow up on my own post here, I've done something that
>> seems to
>> work, but would appreciate a sanity check.
>>
>> As root:
>>
>> Ran razor-admin -create
>> Ran razor-admin -register
>> cp -r /root/.razor /var/spool/MailScanner/
>> chown -R postfix.postfix /var/spool/MailScanner/
>
> What's the benefit of moving the .razor directory from /root/.razor?

Because when running postfix, mailscanner runs as user postfix, and can't
get to roots directory.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From alex at nkpanama.com Mon Apr 2 20:02:29 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Apr 2 19:11:44 2007 Subject: Multiple Outgoing IPs? In-Reply-To: <000001c7754d$0b1a6800$2d2058ca@zeshan376427db> References: <46110ACB.9020709@tradoc.fr> <00b801c7754a$dd9074d0$6501a8c0@zorak> <000001c7754d$0b1a6800$2d2058ca@zeshan376427db> Message-ID: <46114535.7060901@nkpanama.com> Zeeshan Iqbal wrote: > Hi Jim, > > Go to the > Pico /etc/mail/access > > Allow ur all different ips just like that > > 172.16.172.0 RELAY > 172.16.177.0 RELAY > > Save and exit > > And run > makemap hash /etc/mail/access > Regards > Zeeshan Iqbal > > Unfortunately that adds the possibility of turning his machine into an "internal open relay" without SMTP authentication - something we discussed earlier with Muhammad Nauman, IIRC - which probably isn't what he needs. From hvdkooij at vanderkooij.org Mon Apr 2 20:36:57 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Apr 2 19:45:04 2007 Subject: MailScanner reporting/stats? tools In-Reply-To: References: Message-ID: On Mon, 2 Apr 2007, Paul Hutchings wrote: > MailScanner seems to be up and running a treat. > > Is there anything that will give me some useful stats/reports? There is Mailgraph: http://mailgraph.schweikert.ch/ Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From ssilva at sgvwater.com Mon Apr 2 20:42:18 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Apr 2 19:50:59 2007 Subject: Multiple Outgoing IPs? In-Reply-To: <00c501c77550$703e8f10$6501a8c0@zorak> References: <000001c7754d$0b1a6800$2d2058ca@zeshan376427db> <00c501c77550$703e8f10$6501a8c0@zorak> Message-ID: Jim Coates spake the following on 4/2/2007 10:57 AM: >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Zeeshan Iqbal >> Sent: Monday, April 02, 2007 12:34 PM >> To: 'MailScanner discussion' >> Subject: RE: Multiple Outgoing IPs? >> >> >> Hi Jim, >> >> Go to the >> Pico /etc/mail/access >> >> Allow ur all different ips just like that >> >> 172.16.172.0 RELAY >> 172.16.177.0 RELAY >> >> Save and exit >> >> And run >> makemap hash /etc/mail/access> >> Regards >> Zeeshan Iqbal >> > > Zeeshan, > > Thanks.. but doesn't that only help the incoming situation? I'm looking to > tell Sendmail that domain.one.com should go out on one IP and domain.two.com > should go out on another IP. > > Thanks, > Jim > How about a couple of virtual machines on one piece of hardware. You could use zen and CentOS 5 when it comes out, or vmware server. You could copy the configs between the machines and then adjust what you need for IP address and hostname. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jimc at laridian.com Mon Apr 2 21:03:01 2007 From: jimc at laridian.com (Jim Coates) Date: Mon Apr 2 20:13:47 2007 Subject: Multiple Outgoing IPs? In-Reply-To: Message-ID: <00cd01c77559$89486270$6501a8c0@zorak> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Scott Silva > Sent: Monday, April 02, 2007 1:42 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: Multiple Outgoing IPs? > > > Jim Coates spake the following on 4/2/2007 10:57 AM: > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > >> Of Zeeshan Iqbal > >> Sent: Monday, April 02, 2007 12:34 PM > >> To: 'MailScanner discussion' > >> Subject: RE: Multiple Outgoing IPs? > >> > >> > >> Hi Jim, > >> > >> Go to the > >> Pico /etc/mail/access > >> > >> Allow ur all different ips just like that > >> > >> 172.16.172.0 RELAY > >> 172.16.177.0 RELAY > >> > >> Save and exit > >> > >> And run > >> makemap hash /etc/mail/access >> > >> Regards > >> Zeeshan Iqbal > >> > > > > Zeeshan, > > > > Thanks.. but doesn't that only help the incoming situation? I'm > > looking to tell Sendmail that domain.one.com should go out > on one IP > > and domain.two.com should go out on another IP. > > > > Thanks, > > Jim > > > How about a couple of virtual machines on one piece of > hardware. You could use zen and CentOS 5 when it comes out, > or vmware server. You could copy the configs between the > machines and then adjust what you need for IP address and hostname. > That's a good idea, but might not be possible. It's a machine that's hosted at a datacenter. I have full access to changing the machine config/adding software etc, but not to rebuilding the OS. Jim From paul at blacknight.ie Mon Apr 2 21:30:53 2007 
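On the `RELAY` entries quoted in this thread and the "internal open relay" concern raised about them: the following is an added example, not code from any poster or from sendmail. It audits an access map for `RELAY` grants and reports how many client addresses each one covers. It assumes sendmail matches IPv4 keys on octet boundaries (a full dotted quad is one host, fewer octets are a whole network); the sample map is constructed, with only the first two keys echoing the thread.

```python
import ipaddress

# Constructed sample in /etc/mail/access format (not taken from a real host).
SAMPLE_ACCESS = """\
# client or domain      action
172.16.172.0            RELAY
172.16.177              RELAY
Connect:10              RELAY
203.0.113.25            RELAY
partner.example         RELAY
To:lists.example        RELAY
spammer.example         REJECT
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_access(text):
    """Yield (key, value) pairs, skipping blank lines and # comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) == 2:
            yield fields[0], fields[1].strip()


def classify(key):
    """Return (kind, network) where kind is 'ipv4', 'name' or 'tagged'.

    Assumption: IPv4 keys match on octet boundaries, so 1-3 octets mean a
    /8, /16 or /24 and a full dotted quad means exactly one host.
    """
    bare = key
    if ":" in key:
        tag, bare = key.split(":", 1)
        if tag.lower() != "connect":
            return "tagged", None          # From:, To: and similar tags
    octets = bare.split(".")
    if 1 <= len(octets) <= 4 and all(o.isdigit() and int(o) <= 255 for o in octets):
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return "ipv4", ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return "name", None


def audit_relay(text):
    """List every RELAY grant with the scope it covers and review notes."""
    findings = []
    for key, value in parse_access(text):
        if value.upper() != "RELAY":
            continue
        kind, net = classify(key)
        notes = []
        if kind == "ipv4":
            scope, covers = ("host" if net.prefixlen == 32 else "network"), str(net)
            if scope == "network":
                notes.append(f"{net.num_addresses} client addresses relay without SMTP AUTH")
            if not any(net.subnet_of(r) for r in RFC1918):
                notes.append("outside RFC 1918 space")
        elif kind == "name":
            scope, covers = "name", key
            notes.append("matched by DNS name, not by address")
        else:
            scope, covers = "tagged", key
            notes.append("tagged entry, review by tag semantics")
        findings.append({"key": key, "scope": scope, "covers": covers, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_relay(SAMPLE_ACCESS):
        print(f"{f['key']:<18} {f['scope']:<8} {f['covers']:<18} {'; '.join(f['notes'])}")
```

Run against a copy of the real map, any `network` row is a range whose every host can relay unauthenticated, which is the exposure the thread warns about.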
From: paul at blacknight.ie (Paul Kelly :: Blacknight) Date: Mon Apr 2 20:38:15 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <00b801c7754a$dd9074d0$6501a8c0@zorak> References: <00b801c7754a$dd9074d0$6501a8c0@zorak> Message-ID: <461159ED.4000907@blacknight.ie> Jim Coates wrote: > Hey gang... > > This is totally off-topic, but I know there are some very smart individuals > here who might have some ideas for me. > > The company I work for recently purchased another company (both companies > are very small). > > Because of how we track bonded sender info and such, I need to have both > domains (one for each company) sending outgoing mail on different IPs. > > Ideally, I don't want to add another mail server and would like to be able > to take advantage of all the filtering and such that I have enabled on the > existing *nix based mail server. > > I've been told that it is not possible to set outgoing IPs in SendMail, so > I'm looking for suggestions of how I might be able to make this work. > Could you explain a little bit more as to what you need? I'll ask a question or two so I can clarify what I think you want to do. You have an existing scanning machine where domain1.com lives, is that correct? You want domain2.com to have its inbound e-mail sent to this box and have it delivered onto another mailserver by IP address, is that correct? If you could answer that, I'll see what might work for you. Paul -- Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Lo-call: 1850 927 280 DDI: 059 9183091 e-mail: paul@blacknight.ie web: http://www.blacknight.ie From jimc at laridian.com Mon Apr 2 21:36:18 2007 From: jimc at laridian.com (Jim Coates) Date: Mon Apr 2 20:46:53 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <461159ED.4000907@blacknight.ie> Message-ID: <00d701c7755e$2f643360$6501a8c0@zorak> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Paul Kelly :: Blacknight > Sent: Monday, April 02, 2007 2:31 PM > To: MailScanner discussion > Subject: Re: OT: Multiple Outgoing IPs? > > > Jim Coates wrote: > > Hey gang... > > > > This is totally off-topic, but I know there are some very smart > > individuals here who might have some ideas for me. > > > > The company I work for recently purchased another company (both > > companies are very small). > > > > Because of how we track bonded sender info and such, I need to have > > both domains (one for each company) sending outgoing mail > on different > > IPs. > > > > Ideally, I don't want to add another mail server and would > like to be > > able to take advantage of all the filtering and such that I have > > enabled on the existing *nix based mail server. > > > > I've been told that it is not possible to set outgoing IPs in > > SendMail, so I'm looking for suggestions of how I might be able to > > make this work. > > > > Could you explain a little bit more as to what you need? I'll ask a > question or two so I can clarify what I think you want to do. > > You have an existing scanning machine where domain1.com > lives, is that > correct? > > You want domain2.com to have its inbound e-mail sent to this box and > have it delivered onto another mailserver by IP address, is > that correct? > > If you could answer that, I'll see what might work for you. > > Paul > > Paul, Here is exactly what I need: Domain one and domain two both already come inbound to the same box via unique DNS mail records that both point to the same IP. SendMail is currently configured to accept both domains and route them to local users (which is exactly how I want it to work on that end). I don't need to relay to another box, what I am looking to do is take mail originating from the mail server and send it outbound from a different IP. 
For example, if I send an email to you as "jim@domain.one" it will come from one IP address. If I send you an email as "jim@domain.two", I want it to come from a different IP address. I have multiple public IPs available to my box, I just don't know if its possible to configure SendMail to always associate a particular outbound domain with one IP and another outbound domain with another IP. Does that make sense? What we are trying to do is separate out the email so that bonded sender information for one domain is not affected by the bounces and such from another domain. Thanks, Jim From ssilva at sgvwater.com Mon Apr 2 21:41:19 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Apr 2 20:49:38 2007 Subject: Multiple Outgoing IPs? In-Reply-To: <00cd01c77559$89486270$6501a8c0@zorak> References: <00cd01c77559$89486270$6501a8c0@zorak> Message-ID: Jim Coates spake the following on 4/2/2007 12:03 PM: > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Scott Silva >> Sent: Monday, April 02, 2007 1:42 PM >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Multiple Outgoing IPs? >> >> >> Jim Coates spake the following on 4/2/2007 10:57 AM: >>>> -----Original Message----- 
>>>> From: mailscanner-bounces@lists.mailscanner.info >>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >>>> Of Zeeshan Iqbal >>>> Sent: Monday, April 02, 2007 12:34 PM >>>> To: 'MailScanner discussion' >>>> Subject: RE: Multiple Outgoing IPs? >>>> >>>> >>>> Hi Jim, >>>> >>>> Go to the >>>> Pico /etc/mail/access >>>> >>>> Allow ur all different ips just like that >>>> >>>> 172.16.172.0 RELAY >>>> 172.16.177.0 RELAY >>>> >>>> Save and exit >>>> >>>> And run >>>> makemap hash /etc/mail/access>>> >>>> Regards >>>> Zeeshan Iqbal >>>> >>> Zeeshan, >>> >>> Thanks.. but doesn't that only help the incoming situation? I'm >>> looking to tell Sendmail that domain.one.com should go out >> on one IP >>> and domain.two.com should go out on another IP. >>> >>> Thanks, >>> Jim >>> >> How about a couple of virtual machines on one piece of >> hardware. You could use zen and CentOS 5 when it comes out, >> or vmware server. You could copy the configs between the >> machines and then adjust what you need for IP address and hostname. >> > > That's a good idea, but might not be possible. It's a machine that's hosted > at a datacenter. I have full access to changing the machine config/adding > software etc, but not to rebuilding the OS. > > Jim > Then vmware would be better for you. You could install it in the base server, add just one virtual machine, and host the other domain on the VM Set the virtual net interface to bridged, and you can set the other ip address on it. As long as the main machine stays up, the second domain should stay up. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From doc at maddoc.net Mon Apr 2 21:44:34 2007 
From: doc at maddoc.net (Doc Schneider) Date: Mon Apr 2 20:52:41 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <00d701c7755e$2f643360$6501a8c0@zorak> References: <00d701c7755e$2f643360$6501a8c0@zorak> Message-ID: <46115D22.70504@maddoc.net> Jim Coates wrote: > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Paul Kelly :: Blacknight >> Sent: Monday, April 02, 2007 2:31 PM >> To: MailScanner discussion >> Subject: Re: OT: Multiple Outgoing IPs? >> >> >> Jim Coates wrote: >>> Hey gang... >>> >>> This is totally off-topic, but I know there are some very smart >>> individuals here who might have some ideas for me. >>> >>> The company I work for recently purchased another company (both >>> companies are very small). >>> >>> Because of how we track bonded sender info and such, I need to have >>> both domains (one for each company) sending outgoing mail >> on different >>> IPs. >>> >>> Ideally, I don't want to add another mail server and would >> like to be >>> able to take advantage of all the filtering and such that I have >>> enabled on the existing *nix based mail server. >>> >>> I've been told that it is not possible to set outgoing IPs in >>> SendMail, so I'm looking for suggestions of how I might be able to >>> make this work. >>> >> Could you explain a little bit more as to what you need? I'll ask a >> question or two so I can clarify what I think you want to do. >> >> You have an existing scanning machine where domain1.com >> lives, is that >> correct? >> >> You want domain2.com to have its inbound e-mail sent to this box and >> have it delivered onto another mailserver by IP address, is >> that correct? >> >> If you could answer that, I'll see what might work for you. >> >> Paul >> >> > > > Paul, > > Here is exactly what I need: > > Domain one and domain two both already come inbound to the same box via > unique DNS mail records that both point to the same IP. SendMail is > currently configured to accept both domains and route them to local users > (which is exactly how I want it to work on that end). 
> > I don't need to relay to another box, what I am looking to do is take mail > originating from the mail server and send it outbound from a different IP. > > For example, if I send an email to you as "jim@domain.one" it will come from > one IP address. If I send you an email as "jim@domain.two", I want it to > come from a different IP address. > > I have multiple public IPs available to my box, I just don't know if its > possible to configure SendMail to always associate a particular outbound > domain with one IP and another outbound domain with another IP. > > Does that make sense? > > What we are trying to do is separate out the email so that bonded sender > information for one domain is not affected by the bounces and such from > another domain. > > Thanks, > Jim > Check out genericstable. I use it with sendmail to have different users come from different domains. Example: user1 user1@domain.one user2 user2@domain.two As long as the domains are different IPs it should do what you're wanting. -- -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From alex at nkpanama.com Mon Apr 2 21:47:48 2007 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Apr 2 20:56:37 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <46115D22.70504@maddoc.net> References: <00d701c7755e$2f643360$6501a8c0@zorak> <46115D22.70504@maddoc.net> Message-ID: <46115DE4.1080400@nkpanama.com> Doc Schneider wrote: > Jim Coates wrote: > >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >>> Of Paul Kelly :: Blacknight >>> Sent: Monday, April 02, 2007 2:31 PM >>> To: MailScanner discussion >>> Subject: Re: OT: Multiple Outgoing IPs? >>> >>> >>> Jim Coates wrote: >>> >>>> Hey gang... >>>> >>>> This is totally off-topic, but I know there are some very smart >>>> individuals here who might have some ideas for me. >>>> >>>> The company I work for recently purchased another company (both >>>> companies are very small). >>>> >>>> Because of how we track bonded sender info and such, I need to have >>>> both domains (one for each company) sending outgoing mail >>>> >>> on different >>> >>>> IPs. >>>> >>>> Ideally, I don't want to add another mail server and would >>>> >>> like to be >>> >>>> able to take advantage of all the filtering and such that I have >>>> enabled on the existing *nix based mail server. >>>> >>>> I've been told that it is not possible to set outgoing IPs in >>>> SendMail, so I'm looking for suggestions of how I might be able to >>>> make this work. >>>> >>>> >>> Could you explain a little bit more as to what you need? I'll ask a >>> question or two so I can clarify what I think you want to do. >>> >>> You have an existing scanning machine where domain1.com >>> lives, is that >>> correct? >>> >>> You want domain2.com to have its inbound e-mail sent to this box and >>> have it delivered onto another mailserver by IP address, is >>> that correct? >>> >>> If you could answer that, I'll see what might work for you. >>> >>> Paul >>> >>> >>> >> Paul, >> >> Here is exactly what I need: >> >> Domain one and domain two both already come inbound to the same box via >> unique DNS mail records that both point to the same IP. SendMail is >> currently configured to accept both domains and route them to local users >> (which is exactly how I want it to work on that end). 
>> >> I don't need to relay to another box, what I am looking to do is take mail >> originating from the mail server and send it outbound from a different IP. >> >> For example, if I send an email to you as "jim@domain.one" it will come from >> one IP address. If I send you an email as "jim@domain.two", I want it to >> come from a different IP address. >> >> I have multiple public IPs available to my box, I just don't know if its >> possible to configure SendMail to always associate a particular outbound >> domain with one IP and another outbound domain with another IP. >> >> Does that make sense? >> >> What we are trying to do is separate out the email so that bonded sender >> information for one domain is not affected by the bounces and such from >> another domain. >> >> Thanks, >> Jim >> >> > > Check out genericstable. I use it with sendmail to have different users > come from different domains. > > Example: > user1 user1@domain.one > user2 user2@domain.two > > As long as the domains are different IPs it should do what you're wanting. > > Not exactly. He means "use a different IP address for every outgoing connection depending on the domain name used for the message". Not sure if he means the domain on the *envelope* or on the *header*, which are two different things. From gerard at seibercom.net Mon Apr 2 21:51:52 2007 
From: gerard at seibercom.net (Gerard Seibert) Date: Mon Apr 2 20:59:57 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <00d701c7755e$2f643360$6501a8c0@zorak> References: <461159ED.4000907@blacknight.ie> <00d701c7755e$2f643360$6501a8c0@zorak> Message-ID: <20070402155152.6687f033@localhost> On Mon, 2 Apr 2007 14:36:18 -0500 "Jim Coates" wrote: > Here is exactly what I need: > > Domain one and domain two both already come inbound to the same box > via unique DNS mail records that both point to the same IP. SendMail > is currently configured to accept both domains and route them to > local users (which is exactly how I want it to work on that end). > > I don't need to relay to another box, what I am looking to do is take > mail originating from the mail server and send it outbound from a > different IP. > > For example, if I send an email to you as "jim@domain.one" it will > come from one IP address. If I send you an email as > "jim@domain.two", I want it to come from a different IP address. > > I have multiple public IPs available to my box, I just don't know if > its possible to configure SendMail to always associate a particular > outbound domain with one IP and another outbound domain with another > IP. > > Does that make sense? > > What we are trying to do is separate out the email so that bonded > sender information for one domain is not affected by the bounces and > such from another domain. I thought it was possible with Sendmail; however, not having used it in years, I don't remember for sure anymore. It is possible in Postfix-2.4, which has just been released. I get the impression though that you are not interested in trading MTA's. -- Gerard TRANSVESTITE: Someone who spends his junior year at college abroad. 
From jimc at laridian.com Mon Apr 2 21:50:25 2007 From: jimc at laridian.com (Jim Coates) Date: Mon Apr 2 21:01:01 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <46115DE4.1080400@nkpanama.com> Message-ID: <00e201c77560$287365b0$6501a8c0@zorak> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Alex Neuman van der Hans > Sent: Monday, April 02, 2007 2:48 PM > To: MailScanner discussion > Subject: Re: OT: Multiple Outgoing IPs? > Importance: High > > > Doc Schneider wrote: > > Jim Coates wrote: > > > >>> -----Original Message----- 
> >>> From: mailscanner-bounces@lists.mailscanner.info > >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > >>> Of Paul Kelly :: Blacknight > >>> Sent: Monday, April 02, 2007 2:31 PM > >>> To: MailScanner discussion > >>> Subject: Re: OT: Multiple Outgoing IPs? > >>> > >>> > >>> Jim Coates wrote: > >>> > >>>> Hey gang... > >>>> > >>>> This is totally off-topic, but I know there are some very smart > >>>> individuals here who might have some ideas for me. > >>>> > >>>> The company I work for recently purchased another company (both > >>>> companies are very small). > >>>> > >>>> Because of how we track bonded sender info and such, I > need to have > >>>> both domains (one for each company) sending outgoing mail > >>>> > >>> on different > >>> > >>>> IPs. > >>>> > >>>> Ideally, I don't want to add another mail server and would > >>>> > >>> like to be > >>> > >>>> able to take advantage of all the filtering and such that I have > >>>> enabled on the existing *nix based mail server. > >>>> > >>>> I've been told that it is not possible to set outgoing IPs in > >>>> SendMail, so I'm looking for suggestions of how I might > be able to > >>>> make this work. > >>>> > >>>> > >>> Could you explain a little bit more as to what you need? > I'll ask a > >>> question or two so I can clarify what I think you want to do. > >>> > >>> You have an existing scanning machine where domain1.com > >>> lives, is that > >>> correct? > >>> > >>> You want domain2.com to have its inbound e-mail sent to > this box and > >>> have it delivered onto another mailserver by IP address, is > >>> that correct? > >>> > >>> If you could answer that, I'll see what might work for you. > >>> > >>> Paul > >>> > >>> > >>> > >> Paul, > >> > >> Here is exactly what I need: > >> > >> Domain one and domain two both already come inbound to the > same box > >> via unique DNS mail records that both point to the same > IP. 
SendMail > >> is currently configured to accept both domains and route them to > >> local users (which is exactly how I want it to work on that end). > >> > >> I don't need to relay to another box, what I am looking to > do is take > >> mail originating from the mail server and send it outbound from a > >> different IP. > >> > >> For example, if I send an email to you as "jim@domain.one" it will > >> come from one IP address. If I send you an email as > >> "jim@domain.two", I want it to come from a different IP address. > >> > >> I have multiple public IPs available to my box, I just > don't know if > >> its possible to configure SendMail to always associate a > particular > >> outbound domain with one IP and another outbound domain > with another > >> IP. > >> > >> Does that make sense? > >> > >> What we are trying to do is separate out the email so that bonded > >> sender information for one domain is not affected by the > bounces and > >> such from another domain. > >> > >> Thanks, > >> Jim > >> > >> > > > > Check out genericstable. I use it with sendmail to have different > > users come from different domains. > > > > Example: > > user1 user1@domain.one > > user2 user2@domain.two > > > > As long as the domains are different IPs it should do what you're > > wanting. > > > > > Not exactly. He means "use a different IP address for every outgoing > connection depending on the domain name used for the > message". Not sure > if he means the domain on the *envelope* or on the *header*, > which are > two different things. > -- That is a good question, Alex. I'm not sure which it should be either. I am assuming the IP of the header domain. Jim From jimc at laridian.com Mon Apr 2 21:52:31 2007 From: jimc at laridian.com (Jim Coates) Date: Mon Apr 2 21:03:07 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <20070402155152.6687f033@localhost> Message-ID: <00e801c77560$73a175e0$6501a8c0@zorak> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Gerard Seibert > Sent: Monday, April 02, 2007 2:52 PM > To: MailScanner discussion > Subject: Re: OT: Multiple Outgoing IPs? > > > On Mon, 2 Apr 2007 14:36:18 -0500 > "Jim Coates" wrote: > > > Here is exactly what I need: > > > > Domain one and domain two both already come inbound to the same box > > via unique DNS mail records that both point to the same IP. > SendMail > > is currently configured to accept both domains and route > them to local > > users (which is exactly how I want it to work on that end). > > > > I don't need to relay to another box, what I am looking to > do is take > > mail originating from the mail server and send it outbound from a > > different IP. > > > > For example, if I send an email to you as "jim@domain.one" it will > > come from one IP address. If I send you an email as > "jim@domain.two", > > I want it to come from a different IP address. > > > > I have multiple public IPs available to my box, I just > don't know if > > its possible to configure SendMail to always associate a particular > > outbound domain with one IP and another outbound domain > with another > > IP. > > > > Does that make sense? > > > > What we are trying to do is separate out the email so that bonded > > sender information for one domain is not affected by the > bounces and > > such from another domain. > > I thought it was possible with Sendmail; however, not having > used it in years, I don't remember for sure anymore. It is > possible in Postfix-2.4, which has just been released. I get > the impression thought that you are not interested in trading MTA's. > > -- > Gerard Gerard, My only hesitation is that I've not ever set up MailScanner/SpamAssassin and a few other programs (Mailman, SendStudio etc) to work with Postfix, so I have little to no experience with using it. Jim From alex at nkpanama.com Mon Apr 2 22:00:07 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Apr 2 21:08:59 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <00e201c77560$287365b0$6501a8c0@zorak> References: <00e201c77560$287365b0$6501a8c0@zorak> Message-ID: <461160C7.4050408@nkpanama.com> Jim Coates wrote: > > That is a good question, Alex. I'm not sure which it should be either. > > I am assuming the IP of the header domain. > > Jim > > I don't think there's an easy answer to this. My own personal choice would be to merge both incoming IPs/domains/etc. in the box so that it takes e-mail coming in on both IPs and uses whichever one I choose to be the primary one for outgoing. I could also see myself running different sendmail processes using different sendmail.mc's (-> sendmail.cf's) bound to different IP addresses to keep them procedurally different. I could run a shared (or separate) MailScanner process for each, with shared .conf's and .rules (or separate), or using the same MySQL database. From paul at blacknight.ie Mon Apr 2 22:03:08 2007 From: paul at blacknight.ie (Paul Kelly :: Blacknight) Date: Mon Apr 2 21:10:28 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <00d701c7755e$2f643360$6501a8c0@zorak> References: <00d701c7755e$2f643360$6501a8c0@zorak> Message-ID: <4611617C.9040500@blacknight.ie> Jim Coates wrote: > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Paul Kelly :: Blacknight >> Sent: Monday, April 02, 2007 2:31 PM >> To: MailScanner discussion >> Subject: Re: OT: Multiple Outgoing IPs? >> >> >> Jim Coates wrote: >>> Hey gang... >>> >>> This is totally off-topic, but I know there are some very smart >>> individuals here who might have some ideas for me. >>> >>> The company I work for recently purchased another company (both >>> companies are very small). >>> >>> Because of how we track bonded sender info and such, I need to have >>> both domains (one for each company) sending outgoing mail >> on different >>> IPs. >>> >>> Ideally, I don't want to add another mail server and would >> like to be >>> able to take advantage of all the filtering and such that I have >>> enabled on the existing *nix based mail server. >>> >>> I've been told that it is not possible to set outgoing IPs in >>> SendMail, so I'm looking for suggestions of how I might be able to >>> make this work. >>> >> Could you explain a little bit more as to what you need? I'll ask a >> question or two so I can clarify what I think you want to do. >> >> You have an existing scanning machine where domain1.com >> lives, is that >> correct? >> >> You want domain2.com to have its inbound e-mail sent to this box and >> have it delivered onto another mailserver by IP address, is >> that correct? >> >> If you could answer that, I'll see what might work for you. >> >> Paul >> >> > > > Paul, > > Here is exactly what I need: > > Domain one and domain two both already come inbound to the same box via > unique DNS mail records that both point to the same IP. SendMail is > currently configured to accept both domains and route them to local users > (which is exactly how I want it to work on that end). 
> > I don't need to relay to another box, what I am looking to do is take mail > originating from the mail server and send it outbound from a different IP. > > For example, if I send an email to you as "jim@domain.one" it will come from > one IP address. If I send you an email as "jim@domain.two", I want it to > come from a different IP address. > > I have multiple public IPs available to my box, I just don't know if its > possible to configure SendMail to always associate a particular outbound > domain with one IP and another outbound domain with another IP. > > Does that make sense? > > What we are trying to do is separate out the email so that bonded sender > information for one domain is not affected by the bounces and such from > another domain. > > Thanks, > Jim > I don't think you'll get the job done with 1 box. Adding a Xen instance for the second one would be trivial enough to do with the current box. Depending on which distro that is. Both ubuntu and debian would probably be the easiest to work with :) Possibly having 2 MTA's would work each bound to a specific IP address as opposed to them listening on all IP's the way it defaults. You could probably make that work, ymmv though. Paul -- Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Lo-call: 1850 927 280 DDI: 059 9183091 e-mail: paul@blacknight.ie web: http://www.blacknight.ie From matt at coders.co.uk Mon Apr 2 22:08:12 2007 
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Apr 2 21:16:13 2007
Subject: OT: Multiple Outgoing IPs?
In-Reply-To: <00e801c77560$73a175e0$6501a8c0@zorak>
References: <00e801c77560$73a175e0$6501a8c0@zorak>
Message-ID: <461162AC.4080406@coders.co.uk>

Jim Coates wrote:
>>> I have multiple public IPs available to my box, I just
>> don't know if
>>> its possible to configure SendMail to always associate a particular
>>> outbound domain with one IP and another outbound domain
>> with another
>>> IP.

Makes perfect sense. However a straightforward sendmail installation can only have one "client" ip per protocol (i.e. you can have one client address for IPv4 and one for IPv6 but not 2 for IPv4).

However there may be a way around this but it depends on whether you are willing to accept a small delay in your outbound email for one of the domains.

Here's how I would do it.

Modify your existing sendmail.mc file and add the following line:

CLIENT_OPTIONS(`Family=inet, Address=A.B.C.D')dnl

Create a separate config file with

CLIENT_OPTIONS(`Family=inet, Address=A.B.C.E')dnl
FEATURE(queuegroup, `mqueue2')dnl
QUEUE_GROUP(`mqueue2', `P=/var/spool/mqueue2')

Then modify "Outgoing Queue Dir" in MailScanner to a rule set to put the second domain into the new queue directory.

Modify the queue runner interval on the queue for a suitable value and voilà.

(if you use NAT for your system there is also the "b" Daemon port modifier which will send outbound email from the same IP address that it was received)

matt

From jimc at laridian.com Mon Apr 2 22:09:12 2007
From: jimc at laridian.com (Jim Coates)
Date: Mon Apr 2 21:19:49 2007
Subject: OT: Multiple Outgoing IPs?
In-Reply-To: <461162AC.4080406@coders.co.uk>
Message-ID: <00ea01c77562$c86c1600$6501a8c0@zorak>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Matt Hampton > Sent: Monday, April 02, 2007 3:08 PM > To: MailScanner discussion > Subject: Re: OT: Multiple Outgoing IPs? > > > Jim Coates wrote: > > >>> I have multiple public IPs available to my box, I just > >> don't know if > >>> its possible to configure SendMail to always associate a > particular > >>> outbound domain with one IP and another outbound domain > >> with another > >>> IP. > > Makes perfect sense. However a straightforward sendmail installation > can only have one "client" ip per protocol (i.e. you can have > one client > address for IPv4 and one for IPv6 but not 2 for IPv4). > > However there may be a way around this but it depends on > whether you are > willing to accept a small delay in your outbound email for one of the > domains. > > Here's how I would do it. > > Modify your existing sendmail.mc file and add the following line: > > CLIENT_OPTIONS(`Family=inet, Address=A.B.C.D')dnl > > Create a separate config file with > > CLIENT_OPTIONS(`Family=inet, Address=A.B.C.E')dnl > FEATURE(queuegroup, `mqueue2')dnl > QUEUE_GROUP(`mqueue2', `P=/var/spool/mqueue2') > > > Then modify "Outgoing Queue Dir" in MailScanner to a rule set > to put the > second domain into the new queue directory. > > Modify the queue runner interval on the queue for a suitable > value and > volia. > > > (if you use NAT for your system there is also the "b" Daemon port > modifier which will send outbound email from the same IP > address that it > was received) > > > matt Thanks guys... I will see what I can work out with this info and my hosting company. Jim From jase at sensis.com Mon Apr 2 22:12:53 2007 
From: jase at sensis.com (Desai, Jason)
Date: Mon Apr 2 21:26:15 2007
Subject: OT: Multiple Outgoing IPs?
In-Reply-To: <00d701c7755e$2f643360$6501a8c0@zorak>
Message-ID: <1951DC816E1A9F469307B05FA183F4387B94FB@corpatsmail1.corp.sensis.com>

> Does that make sense?
>
> What we are trying to do is separate out the email so that
> bonded sender
> information for one domain is not affected by the bounces and
> such from
> another domain.

Sounds like you want different routing tables based on the email domain. If you're using Linux, you might be able to use iptables to mark certain packets, and have them use a different routing table with a different default route. The hard part will be how to mark the packets. I don't know sendmail, but if you could get it to use a particular source ip address based on the domain that would provide a way to mark the packets. See the Linux Advanced Routing howto.

http://lartc.org/howto/lartc.netfilter.html

Jase

From res at ausics.net Mon Apr 2 23:57:16 2007
From: res at ausics.net (Res)
Date: Mon Apr 2 23:05:25 2007
Subject: OT: Multiple Outgoing IPs?
In-Reply-To: <00b801c7754a$dd9074d0$6501a8c0@zorak>
References: <00b801c7754a$dd9074d0$6501a8c0@zorak>
Message-ID:

On Mon, 2 Apr 2007, Jim Coates wrote:
> Because of how we track bonded sender info and such, I need to have both
> domains (one for each company) sending outgoing mail on different IPs.

Look at Sendmail 8.14.x

This will probably mean dumping whatever flavour distro's ancient version you have installed and using the tarball.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From mike at vesol.com Tue Apr 3 00:01:34 2007
From: mike at vesol.com (Mike Kercher) Date: Mon Apr 2 23:10:16 2007 Subject: Multiple Outgoing IPs? In-Reply-To: <00b801c7754a$dd9074d0$6501a8c0@zorak> References: <46110ACB.9020709@tradoc.fr> <00b801c7754a$dd9074d0$6501a8c0@zorak> Message-ID: <6115482898C59848B35DB9D491C9A28E4D04@srv1.home.middlefinger.net> mailscanner-bounces@lists.mailscanner.info <> scribbled on : : Hey gang... : : This is totally off-topic, but I know there are some very : smart individuals here who might have some ideas for me. : : The company I work for recently purchased another company : (both companies are very small). : : Because of how we track bonded sender info and such, I need : to have both domains (one for each company) sending outgoing : mail on different IPs. : : Ideally, I don't want to add another mail server and would : like to be able to take advantage of all the filtering and : such that I have enabled on the existing *nix based mail server. : : I've been told that it is not possible to set outgoing IPs in : SendMail, so I'm looking for suggestions of how I might be : able to make this work. : : I truly appreciate it. : : Jim Coates How about running two instances of sendmail and binding each one to a specific IP address? Mike From christian at columbiafuels.com Tue Apr 3 00:28:50 2007 From: christian at columbiafuels.com (Christian Rasmussen) Date: Mon Apr 2 23:36:57 2007 Subject: Multiple Outgoing IPs? In-Reply-To: <6115482898C59848B35DB9D491C9A28E4D04@srv1.home.middlefinger.net> References: <46110ACB.9020709@tradoc.fr> <00b801c7754a$dd9074d0$6501a8c0@zorak> <6115482898C59848B35DB9D491C9A28E4D04@srv1.home.middlefinger.net> Message-ID: <2023D81BC0235143A46589958FF543F502F5DDC4@bigbird.columbiafuels.com> An interesting challenge. Is anyone here running Mailscanner in a chroot environment? -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Monday, April 02, 2007 3:02 PM To: MailScanner discussion Subject: RE: Multiple Outgoing IPs? mailscanner-bounces@lists.mailscanner.info <> scribbled on : : Hey gang... : : This is totally off-topic, but I know there are some very : smart individuals here who might have some ideas for me. : : The company I work for recently purchased another company : (both companies are very small). : : Because of how we track bonded sender info and such, I need : to have both domains (one for each company) sending outgoing : mail on different IPs. : : Ideally, I don't want to add another mail server and would : like to be able to take advantage of all the filtering and : such that I have enabled on the existing *nix based mail server. : : I've been told that it is not possible to set outgoing IPs in : SendMail, so I'm looking for suggestions of how I might be : able to make this work. : : I truly appreciate it. : : Jim Coates How about running two instances of sendmail and binding each one to a specific IP address? Mike From gmane at tippingmar.com Tue Apr 3 02:58:21 2007 
From: gmane at tippingmar.com (Mark Nienberg)
Date: Tue Apr 3 02:06:42 2007
Subject: MailScanner reporting/stats? tools
In-Reply-To:
References:
Message-ID:

Paul Hutchings wrote:
> MailScanner seems to be up and running a treat.
>
> Is there anything that will give me some useful stats/reports?
>
> I'm running MailScanner with Postfix as MTA on OpenSuse.
>
> I'm aware of MailWatch, but it looks a bit of a sod to install/configure
> for a novice tbh.

Logwatch has basic stats. www.logwatch.org

Be sure to download the latest version rather than using an older one that came with your distro.

Sample:

MailScanner Status:
    476 messages Scanned by MailScanner
    8.0 Total MB
    386 Spam messages detected by MailScanner
    374 Spam messages with action(s) delete
    12 Spam messages with action(s) deliver
    4 Content Problems found by MailScanner
    94 Messages delivered by MailScanner

Content Report: (Total Seen = 4)
    phishing tags: 1 Time(s)
    web bug tags: 3 Time(s)

Phishing Report: (Total Seen = 2)
    pr.atwola.com: 1 Time(s)
    Detail:
        pr.atwola.com claiming to be www.aol.com: 1 Time(s)

From Stefan.Fournier at gmx.de Tue Apr 3 11:31:47 2007
From: Stefan.Fournier at gmx.de (Stefan Fournier)
Date: Tue Apr 3 10:39:50 2007
Subject: (no subject)
Message-ID: <20070403093147.212060@gmx.net>

Matt Hampton wrote:
> Jim Coates wrote:
>
>>>> I have multiple public IPs available to my box, I just
>>> don't know if
>>>> its possible to configure SendMail to always associate a particular
>>>> outbound domain
>>> with another
>>>> IP.
>
> Makes perfect sense. However a straightforward sendmail installation
> can only have one "client" ip per protocol (i.e. you can have one client
> address for IPv4 and one for IPv6 but not 2 for IPv4).
>
> However there may be a way around this but it depends on whether you are
> willing to accept a small delay in your outbound email for one of the
> domains.
>
> Here's how I would do it.
>
> Modify your existing sendmail.mc file and add the following line:
>
> CLIENT_OPTIONS(`Family=inet, Address=A.B.C.D')dnl
>
> Create a separate config file with
>
> CLIENT_OPTIONS(`Family=inet, Address=A.B.C.E')dnl
> FEATURE(queuegroup, `mqueue2')dnl
> QUEUE_GROUP(`mqueue2', `P=/var/spool/mqueue2')
>
>
> Then modify "Outgoing Queue Dir" in MailScanner to a rule set to put the
> second domain into the new queue directory.
>
> Modify the queue runner interval on the queue for a suitable value and
> voilà.
>
>
> (if you use NAT for your system there is also the "b" Daemon port
> modifier which will send outbound email from the same IP address that it
> was received)
>
>
> matt

This is how we do it and it works very stable in a large environment.

Also make sure that the ip-address in CLIENT_OPTIONS corresponds to confDOMAIN_NAME.

For sendmail 8.14 there is a feature implemented to do this, IIRC.

Best Regards,
Stefan

--
"Feel free" - 10 GB mailbox, 100 free SMS per month ...
Try GMX TopMail now: http://www.gmx.net/de/go/topmail

From gmatt at nerc.ac.uk Tue Apr 3 12:39:31 2007
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Tue Apr 3 11:47:41 2007
Subject: Whitelisting certain outbound messages
In-Reply-To: <46113F9F.8050205@chapman.edu>
References: <46113F9F.8050205@chapman.edu>
Message-ID: <46122EE3.5040400@nerc.ac.uk>

This is a spamassassin question but nonetheless...

Jay Chandler wrote:
> I do enjoy running rDNS checks, but find that when I'm connecting
> through my Treo, a lot of my outbound messages get tagged as spam. What
> would be the best way to combat this?
>
> An example header from a message sent from my Treo:
>
> spam, SpamAssassin (not cached, score=7.507, required 6, BOTNET 5.00,
> DK_POLICY_SIGNSOME 0.00, HELO_EQ_LT4 0.44, HOST_MISMATCH_NET 0.31,
> MAILTO_TO_SPAM_ADDR 0.28, MSGID_FROM_MTA_ID 0.93, NO_REAL_NAME 0.55)
>

It's pretty obvious that your botnet score is the main cause of the spam score. I have had to reduce the botnet score down to 1.0 because it is too aggressive for our environment.

GREG

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

From paul.hutchings at mira.co.uk Tue Apr 3 13:13:43 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Tue Apr 3 12:22:00 2007
Subject: Adding Signature based on header?
Message-ID:

I have MailScanner on a Postfix box.

I run one instance on Postfix and 2 Postfix listeners, normal SMTP, and a separate Authenticated SMTP listener.

I have a Signature rule to only sign email from my internal mail server's IP address.

How would I apply this signature to email sent via the Authenticated SMTP listener?

AIUI Postfix adds some sort of "Authenticated User" header, can I have a From: rule based on that?

As an aside, thanks to anyone and everyone who has answered the numerous questions I've posted over the last week or so, it's much appreciated and the end result is fantastic assuming it's not about to implode on me :-)

cheers,
Paul

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

--
MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From res at ausics.net Tue Apr 3 14:42:11 2007
From: res at ausics.net (Res)
Date: Tue Apr 3 13:50:21 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46114199.5090708@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46083AEF.8070100@fractalweb.com> <460BF75C.8030504@yeticomputers.com> <460BFB2F.6070406@fractalweb.com> <460BFFD1.30804@pixelhammer.com> <46114199.5090708@yeticomputers.com>
Message-ID:

On Mon, 2 Apr 2007, Rick Chadderdon wrote:

>> That's crazy, you should never base your opinion on what's "said" on lists,
>> the only way is to trial it yourself for a month, then do the stats.
>>
>
> See, Res, my ranting did make an impact. :P Sometimes there is more to
> think about than the "stats". From what I've read, TDMA is nearly 100%
> effective. Do you use that?

If anyone who works for me did that without any testing to see the end real results I would dismiss them immediately as incompetent.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From res at ausics.net Tue Apr 3 14:51:00 2007
From: res at ausics.net (Res)
Date: Tue Apr 3 13:59:09 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <4611419D.7060505@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com>
Message-ID:

On Mon, 2 Apr 2007, Rick Chadderdon wrote:

>> (loghogger: one who feels the need to read every single entry in their log
>> files)
>
> See, this is odd to me. I'm used to many younger people having no idea of
> what manners are - what rudeness is. But I have gotten the impression from
> your posts that you're around my age. A rude behavior is rude whether the
> individual to whom it is directed takes it that way or not. Do you think
> there needs to be some consensus before something is declared "rude"? How
> many people need to think something is rude before it actually *is* rude? Is
> it a percentage of a population? Please, enlighten me.

Everybody is out to do what's best for their own network, if you said I think it's rude you use an RBL that may or may not list you, is it rude? NO! it's not! I also do not find it rude for those using SV that want to ask my smtp, as *I* understand they are trying to protect their networks and support any action they take in doing so.

>
> Your lack of concern - and your rudeness - in this regard even lead you to

there is no need for a concern. you see there is because you don't like one particular method someone takes to protect THEIR network.

> if you actually cared about the issue. I am not a "log hogger". I peruse my
> logs on a regular basis to look for trouble signs, but I don't "read every
> single entry" in those files unless there is a problem I need to track down

Then how the hell else do you know all your data is being consumed by SV. in fact I *BET* the bytes value of all your posts in this thread thus far is far more than the total SV's that hit your server in a month.

>> That's not possible for sanity reasons, eg: hosting customers, sending from
>
> Mmmm... Oh, I see what you're saying. No, I meant that the SMTP transaction
> would be modified to be a three-way, probably three-party handshake. I think

the same thing as what you are crying about now *shakes head*

> you can figure out what I mean. If not, let's please continue the discussion
> off-list. Regardless, nearly all of the reasons that people reject perfectly

there's nothing to discuss, you don't like it and despise those using it, I don't care if someone uses it against us as I know they are only trying to protect their customers from spam, I don't (as yet) do it, but support those who do use it.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From alex at nkpanama.com Tue Apr 3 15:03:04 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Apr 3 14:11:58 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: References: <00b801c7754a$dd9074d0$6501a8c0@zorak> Message-ID: <46125088.2060207@nkpanama.com> Res wrote: > On Mon, 2 Apr 2007, Jim Coates wrote: > >> Because of how we track bonded sender info and such, I need to have both >> domains (one for each company) sending outgoing mail on different IPs. > > Look at Sendmail 8.14.x > > This will probably mean dumping whatever flavour distros ancient > version you have installed and useing the tarball. > > Unless you have a redhat-like distro; if you do, you can find the rpms (with source rpms as well) at http://www.city-fan.org/ftp/contrib/mail/ From dhawal at netmagicsolutions.com Tue Apr 3 15:13:30 2007 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Tue Apr 3 14:21:52 2007 Subject: Adding Signature based on header? In-Reply-To: References: Message-ID: <461252FA.7090503@netmagicsolutions.com> Paul Hutchings wrote: > I have MailScanner on a Postfix box. > > I run one instance on Postfix and 2 Postfix listeners, normal SMTP, and > a separate Authenticated SMTP listener. > > I have a Signature rule to only sign email from my internal mail servers > IP address. > > How would I apply this signature to email sent via the Authenticated > SMTP listener? > > AIUI Postfix adds some sort of "Authenticated User" header, can I have a > From: rule based on that? MailScanner doesn't support header based rules, however you can write a custom function to do this.. The headers are available as @{$message->{headers}} in the Message Object, so you can use a Custom Function to get the result of a header check and a yes/no result for a rule. Has anyone on the list written a header based custom function that can be trivially modified for such a purpose? From steve.freegard at fsl.com Tue Apr 3 15:54:05 2007 
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Apr 3 15:02:18 2007 Subject: Adding Signature based on header? In-Reply-To: <461252FA.7090503@netmagicsolutions.com> References: <461252FA.7090503@netmagicsolutions.com> Message-ID: <46125C7D.1010102@fsl.com> Hi Dhawal/Paul, Dhawal Doshy wrote: > Paul Hutchings wrote: >> I have MailScanner on a Postfix box. >> >> I run one instance on Postfix and 2 Postfix listeners, normal SMTP, and >> a separate Authenticated SMTP listener. >> >> I have a Signature rule to only sign email from my internal mail servers >> IP address. >> How would I apply this signature to email sent via the Authenticated >> SMTP listener? >> >> AIUI Postfix adds some sort of "Authenticated User" header, can I have a >> From: rule based on that? > > MailScanner doesn't support header based rules, however you can write a > custom function to do this.. The headers are available > as @{$message->{headers}} in the Message Object, so you can use a Custom > Function to get the result of a header check and a yes/no result for a > rule. > > Has anyone on the list written a header based custom function that can > be trivially modified for such a purpose? > No - but if one of you can mail me some examples - I have some code in MailScanner that does something similar that I should be able to modify and put on the Wiki as this would seem to be pretty useful in a lot of cases. Cheers, Steve. From mailscanner at yeticomputers.com Tue Apr 3 15:57:16 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Tue Apr 3 15:05:30 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> Message-ID: <46125D3C.1010907@yeticomputers.com> Res wrote: [...] I'm going to give you the benefit of the doubt and simply assume that my writing style is not clear enough for me to make a point to you. Our conversation is degrading more with each exchange, and each reply from you gets further from addressing what I actually said and is more argumentative against what you apparently think I said. If you're sincere, and are actually replying to points you believe I'm making, I welcome further private discussion. If you're being deliberately obtuse for the joy of argument, please don't bother - I don't enjoy that kind of fight, anymore. (You should have seen me back in the Fidonet days, though... That was fun.) Thanks for sharing your viewpoint. Rick From dhawal at netmagicsolutions.com Tue Apr 3 16:51:23 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Tue Apr 3 15:59:45 2007 Subject: Adding Signature based on header? In-Reply-To: <46125C7D.1010102@fsl.com> References: <461252FA.7090503@netmagicsolutions.com> <46125C7D.1010102@fsl.com> Message-ID: <461269EB.9010008@netmagicsolutions.com> Steve Freegard wrote: > Hi Dhawal/Paul, > > Dhawal Doshy wrote: >> Paul Hutchings wrote: >>> I have MailScanner on a Postfix box. >>> >>> I run one instance on Postfix and 2 Postfix listeners, normal SMTP, and >>> a separate Authenticated SMTP listener. >>> >>> I have a Signature rule to only sign email from my internal mail servers >>> IP address. How would I apply this signature to email sent via the >>> Authenticated >>> SMTP listener? >>> >>> AIUI Postfix adds some sort of "Authenticated User" header, can I have a 
>>> From: rule based on that?
>>
>> MailScanner doesn't support header based rules, however you can write
>> a custom function to do this.. The headers are
>> available as @{$message->{headers}} in the Message Object, so you can
>> use a Custom Function to get the result of a header check and a yes/no
>> result for a rule.
>>
>> Has anyone on the list written a header based custom function that can
>> be trivially modified for such a purpose?
>
> No - but if one of you can mail me some examples - I have some code in
> MailScanner that does something similar that I should be able to modify
> and put on the Wiki as this would seem to be pretty useful in a lot of
> cases.

Would this be enough?? See the part "(Authenticated sender: dhawal@netmagicsolutions.com)"

Return-Path:
Received: (qmail 2963 invoked from network); 3 Apr 2007 14:47:12 -0000
Received: from db.netmagicians.com (202.87.39.111)
    by netmagicsolutions.com with SMTP; 3 Apr 2007 14:47:12 -0000
Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111])
    (Authenticated sender: dhawal@netmagicsolutions.com)
    by db.netmagicians.com (Postfix) with ESMTP id 0934B40109F
    for ; Tue, 3 Apr 2007 20:15:26 +0530 (IST)
Message-Id: <20070403144528.0934B40109F@db.netmagicians.com>
Date: Tue, 3 Apr 2007 20:15:26 +0530 (IST)
From: dhawal@netmagicsolutions.com
To: undisclosed-recipients:;

Thanks a ton, Steve..

From ka at pacific.net Tue Apr 3 17:28:49 2007
From: ka at pacific.net (Ken A) Date: Tue Apr 3 16:36:51 2007 Subject: Adding Signature based on header? In-Reply-To: <46125C7D.1010102@fsl.com> References: <461252FA.7090503@netmagicsolutions.com> <46125C7D.1010102@fsl.com> Message-ID: <461272B1.5020807@pacific.net> Steve Freegard wrote: > Hi Dhawal/Paul, > > Dhawal Doshy wrote: >> Paul Hutchings wrote: >>> I have MailScanner on a Postfix box. >>> >>> I run one instance on Postfix and 2 Postfix listeners, normal SMTP, and >>> a separate Authenticated SMTP listener. >>> >>> I have a Signature rule to only sign email from my internal mail servers >>> IP address. How would I apply this signature to email sent via the >>> Authenticated >>> SMTP listener? >>> >>> AIUI Postfix adds some sort of "Authenticated User" header, can I have a 
>>> From: rule based on that?
>>
>> MailScanner doesn't support header based rules, however you can write
>> a custom function to do this.. The headers are
>> available as @{$message->{headers}} in the Message Object, so you can
>> use a Custom Function to get the result of a header check and a yes/no
>> result for a rule.
>>
>> Has anyone on the list written a header based custom function that can
>> be trivially modified for such a purpose?
>>
>
> No - but if one of you can mail me some examples - I have some code in
> MailScanner that does something similar that I should be able to modify
> and put on the Wiki as this would seem to be pretty useful in a lot of
> cases.

Here's a trivial example. We use this to avoid using the SA cache on messages that for some reason or another we want to score differently for different users, so caching the score would break our ability to do this.

# don't use SA Cache if a certain header is found.
sub DontCache {
  my($message) = @_;
  return 1 unless $message; # Default if no message passed in
  my(@fullHeaders,$id,$dontCache);
  @fullHeaders = @{$message->{headers}};
  foreach(@fullHeaders){
    chomp();
    # if mesg was released from a quarantine somewhere else
    if($_ =~ /^X-disposition: released from quarantine at XYZ/){
      $id = $message->{id};
      # MailScanner::Log::InfoLog("Not using SA Cache: $id");
      $dontCache = 1;
    }
    # elsif{ other conditions } { $dontCache = 1; }
  }
  if($dontCache) { return 0; }
  return 1;
}

Ken Anderson
Pacific.Net

>
> Cheers,
> Steve.

From MailScanner at ecs.soton.ac.uk Tue Apr 3 19:27:42 2007
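Added example, not part of any list message and not MailScanner's own code: a custom function in the shape of Ken's DontCache that answers Paul's question by returning 1 only when the Received header written by the local Postfix carries the "(Authenticated sender: ...)" comment from Dhawal's sample. The function names, $OUR_MTA, the default "(Postfix)" mail name and both test messages are assumptions made for the example; it reads only the topmost Received header, because every Received header below it arrived with the message and is under the sender's control.

```perl
#!/usr/bin/perl
# Added example. Names below are hypothetical, not MailScanner API,
# apart from $message->{headers}, which the thread itself describes.
use strict;
use warnings;

# Assumption: the host name our own Postfix writes after "by" in the
# Received header it adds (taken from the sample headers in the thread).
my $OUR_MTA = 'db.netmagicians.com';

# Turn raw header lines into one string per header. Continuation lines
# (leading whitespace) are joined to the header they belong to, whether
# they arrive as separate array elements or embedded in one element.
sub unfold_headers {
    my @headers;
    foreach my $line (map { split(/\r?\n/, $_) } @_) {
        if (@headers && $line =~ /^[ \t]+(.*)/) {
            $headers[-1] .= " $1";
        } else {
            push @headers, $line;
        }
    }
    return @headers;
}

# Return the SASL login recorded by our own Postfix, or nothing.
sub authenticated_sender {
    my ($message) = @_;
    return unless $message && ref $message->{headers} eq 'ARRAY';
    foreach my $h (unfold_headers(@{ $message->{headers} })) {
        next unless $h =~ /^Received:/i;
        # Only the first Received header (the most recent hop) was written
        # by this server. The comment must sit directly before our own
        # "by <host> (Postfix)" clause to count.
        return $1
            if $h =~ /\(Authenticated sender:\s*([^()\s]+)\)\s+by\s+\Q$OUR_MTA\E\s+\(Postfix\)/;
        return;    # first hop was not an authenticated submission
    }
    return;        # no Received header at all
}

# Same calling convention as DontCache in the thread: 1 = sign, 0 = don't.
sub SignIfAuthenticated {
    my ($message) = @_;
    return 0 unless $message;
    my $user = authenticated_sender($message);
    return defined $user ? 1 : 0;
}

# Self-check when run directly (perl thisfile.pl); skipped when loaded.
unless (caller) {
    # Constructed input: the Postfix header from the thread's sample as it
    # would look at scan time, when it is still the topmost header.
    my %submitted = (headers => [
        "Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111])",
        "\t(Authenticated sender: dhawal\@netmagicsolutions.com)",
        "\tby db.netmagicians.com (Postfix) with ESMTP id 0934B40109F;",
        "\tTue, 3 Apr 2007 20:15:26 +0530 (IST)",
        "From: dhawal\@netmagicsolutions.com",
    ]);
    # Constructed input: an unauthenticated delivery that already carried a
    # Received header with the same comment. It must not be signed.
    my %relayed = (headers => [
        "Received: from mail.example.net (mail.example.net [192.0.2.10])",
        "\tby db.netmagicians.com (Postfix) with ESMTP id 1A2B3C4D5E;",
        "\tTue, 3 Apr 2007 20:20:00 +0530 (IST)",
        "Received: from host.example.net (host.example.net [192.0.2.99])",
        "\t(Authenticated sender: someone\@example.net)",
        "\tby db.netmagicians.com (Postfix) with ESMTP id 5E4D3C2B1A;",
        "From: someone\@example.net",
    ]);
    printf "authenticated submission: %d\n", SignIfAuthenticated(\%submitted);
    printf "comment in lower header:  %d\n", SignIfAuthenticated(\%relayed);
    printf "no message passed in:     %d\n", SignIfAuthenticated(undef);
}

1;
```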
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 3 18:38:31 2007 Subject: I'm back at home Message-ID: <46128E8E.1060508@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 tubes, a ventilator, 2 nurses and a technician looking after just me, 24 hours a day. They finally brought me round when I was well enough, and I then spent the next 2 weeks learning how breathe, talk, use my hands, walk and all the necessary stuff like that. So I am now back at home, and have my parents living in my house with me helping to look after me. We are all getting on fine, and life would be really hard if they weren't here. They have fixed everything and cleared out all my old junk that I don't want any more, so I now have a nice tidy house again with plenty of spare space. I won't be able to find anything for a while, but it's really nice to have everything neat and tidy again :-) It's going to be a fair while before I'm up to doing anything to do with MailScanner. This note is basically to send a very big thankyou for all the Get Well Soon cards you have sent me from all over the world, along with all the emails sending your best wishes too. They are all very much appreciated and it really brightened up my day every time someone from work called in with some more cards from around the globe. So thank you very much for all of them! So I'm still alive, though it was very touch and go for the first 10 days, and more or less back in the land of the living. Don't expect any more than the odd health update for a while yet though :-) Cheers, Jules. - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: ISO-8859-1 wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG A51NIGqJNFlMF/fWrHVR4Jo= =cjkn -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dhawal at netmagicsolutions.com Tue Apr 3 19:38:15 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Tue Apr 3 18:46:36 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <46129107.9030503@netmagicsolutions.com> Welcome back, it is great to hear from you!! Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. 
> > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- > From butler at globeserver.com Tue Apr 3 19:42:36 2007 
From: butler at globeserver.com (Philip Butler) Date: Tue Apr 3 18:50:47 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: Jules, We have all been blessed to get to know you through your work. But as you say, that's back-burner now. You have been blessed with great parents and co-workers - let's all take a moment to thank them also !! From here on out, I for one, will be thankful for Jules first and your work second. As your recovery continues, please enjoy the simple things - such as knowing that thousands around the world have been praying for you !! Phil Butler On Apr 3, 2007, at 1:27 PM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just > me, 24 > hours a day. They finally brought me round when I was well enough, > and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house > with me > helping to look after me. We are all getting on fine, and life > would be > really hard if they weren't here. They have fixed everything and > cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do > with > MailScanner. > > This note is basically to send a very big thankyou for all the Get > Well > Soon cards you have sent me from all over the world, along with all > the > emails sending your best wishes too. 
They are all very much > appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect > any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. From tmartins at gmail.com Tue Apr 3 19:43:07 2007 
From: tmartins at gmail.com (Thiago Martins) Date: Tue Apr 3 18:51:13 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) Your health in first place. Nice to see you are recovering and all best wishes from Brazil. []'s Thiago From dominian at slackadelic.com Tue Apr 3 19:45:05 2007 
From: dominian at slackadelic.com (Matt Hayes) Date: Tue Apr 3 18:53:22 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <461292A1.6030901@slackadelic.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > - -- Julian, Glad to see you back up and "on your feet" so to speak! You don't worry about MailScanner, it's working fine as it is. 
Rest up then when you feel up to it.. attack it! -Matt From dyioulos at firstbhph.com Tue Apr 3 19:46:16 2007 
From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Tue Apr 3 18:54:24 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <200704031346.17321.dyioulos@firstbhph.com> On Tuesday 03 April 2007 1:27 pm, Julian Field wrote: > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. 
Julian, We're all so very happy that you're on the mend! MailScanner and everything else'll take a back seat while you come back to good health. May your time off be restful and relaxing. Best regards, Dimitri From jimc at laridian.com Tue Apr 3 19:46:45 2007 From: jimc at laridian.com (Jim Coates) Date: Tue Apr 3 18:57:22 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <015e01c77618$0c869df0$6501a8c0@zorak> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Tuesday, April 03, 2007 12:28 PM > To: MailScanner discussion > Subject: I'm back at home > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after > just me, 24 > hours a day. They finally brought me round when I was well > enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my > house with me > helping to look after me. We are all getting on fine, and > life would be > really hard if they weren't here. They have fixed everything > and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything > neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything > to do with > MailScanner. > > This note is basically to send a very big thankyou for all > the Get Well > Soon cards you have sent me from all over the world, along > with all the > emails sending your best wishes too. They are all very much > appreciated > and it really brightened up my day every time someone from > work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't > expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. Welcome home, Julian!! Glad to hear you are back and getting better. A clean house never hurts either... any chance your parents would come clean mine, now!?! 
:) Jim Coates From paul at blacknight.ie Tue Apr 3 19:50:14 2007 
From: paul at blacknight.ie (Paul Kelly :: Blacknight) Date: Tue Apr 3 18:57:38 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <461293D6.8060204@blacknight.ie> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > Are you now part cyborg? :) Sounds a bit robocopish what with the technician and all :) > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > Fair play to the parents! > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. No rush dude, we're all doing our best to keep things going :) > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. 
Don't expect any > more than the odd health update for a while yet though :-) > Fair play Jules. Take it handy and keep us up to date on your health. Plenty of rest dude, those cyborg implants will take a bit of getting used to ;) Best Regards, Paul > Cheers, > Jules. -- Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Lo-call: 1850 927 280 DDI: 059 9183091 e-mail: paul@blacknight.ie web: http://www.blacknight.ie From chandler.lists at chapman.edu Tue Apr 3 19:55:18 2007 From: chandler.lists at chapman.edu (Jay Chandler) Date: Tue Apr 3 19:03:28 2007 Subject: Whitelisting certain outbound messages In-Reply-To: <46122EE3.5040400@nerc.ac.uk> References: <46113F9F.8050205@chapman.edu> <46122EE3.5040400@nerc.ac.uk> Message-ID: <46129506.2030300@chapman.edu> Greg Matthews wrote: > its pretty obvious that your botnet score is the main cause of the > spam score. I have had to reduce the botnet score down to 1.0 because > it is too aggressive for our environment. > > GREG Right-- but it's great for inbound messages. I guess I was hoping there was some way to apply different metrics to outbound mail than inbound... -- Jay Chandler Network Administrator Chapman University From dnsadmin at 1bigthink.com Tue Apr 3 20:01:57 2007 
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Tue Apr 3 19:10:22 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <200704031802.l33I2Efi025008@mxt.1bigthink.com> At 01:27 PM 4/3/2007, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hi folks, Glad to hear you are on the mend Julian! The group is still up and alive as ever and the software is running just fine. Take care of yourself and enjoy the downtime as best you can. Cheers, Glenn Parsons From iad.scoot at gmail.com Tue Apr 3 20:03:56 2007 
From: iad.scoot at gmail.com (Iad Scoot) Date: Tue Apr 3 19:12:06 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <88bd43930704031103oc76aff8v46da006e8906bffb@mail.gmail.com> Julian, Your health is a whole lot more important than MS right now - it's fine and will be fine until you are ready to play with it again. Glad to hear that you are home, nothing beats being able to sleep under your own roof...keep getting better and we'll keep you in our thoughts and prayers. Best to you, Iad On 4/3/07, Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! 
> > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. From lists at jfworks.net Tue Apr 3 20:05:11 2007 
From: lists at jfworks.net (James Fagan) Date: Tue Apr 3 19:12:08 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <46129757.40904@jfworks.net> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > Glad to see that you are well enough to be at home. It may not have as many things that go "beep" as the hospital, but all the same, a much better place. 
Take your time and rest up. Thanks for the update. James From jayesha_shinde at yahoo.com Tue Apr 3 20:04:51 2007 
From: jayesha_shinde at yahoo.com (jayesh shinde) Date: Tue Apr 3 19:12:56 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <878059.44181.qm@web54406.mail.yahoo.com> Hi Julian , Welcome back to home Get healthy very soon, Thanks & Regards Jayesh --- Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care > with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician > looking after just me, 24 > hours a day. They finally brought me round when I > was well enough, and I > then spent the next 2 weeks learning how breathe, > talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living > in my house with me > helping to look after me. We are all getting on > fine, and life would be > really hard if they weren't here. They have fixed > everything and cleared > out all my old junk that I don't want any more, so I > now have a nice > tidy house again with plenty of spare space. I won't > be able to find > anything for a while, but it's really nice to have > everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing > anything to do with > MailScanner. > > This note is basically to send a very big thankyou > for all the Get Well > Soon cards you have sent me from all over the world, > along with all the > emails sending your best wishes too. They are all > very much appreciated > and it really brightened up my day every time > someone from work called > in with some more cards from around the globe. So > thank you very much > for all of them! > > So I'm still alive, though it was very touch and go > for the first 10 > days, and more or less back in the land of the > living. Don't expect any > more than the odd health update for a while yet > though :-) > > Cheers, > Jules. 
From jimc at laridian.com Tue Apr 3 20:10:54 2007 From: jimc at laridian.com (Jim Coates) Date: Tue Apr 3 19:21:30 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <46125088.2060207@nkpanama.com> Message-ID: <016701c7761b$6bf76b40$6501a8c0@zorak> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Alex Neuman van der Hans > Sent: Tuesday, April 03, 2007 8:03 AM > To: MailScanner discussion > Subject: Re: OT: Multiple Outgoing IPs? > > > Res wrote: > > On Mon, 2 Apr 2007, Jim Coates wrote: > > > >> Because of how we track bonded sender info and such, I > need to have > >> both domains (one for each company) sending outgoing mail on > >> different IPs. > > > > Look at Sendmail 8.14.x > > > > This will probably mean dumping whatever flavour distro's ancient > > version you have installed and using the tarball. > > > > > Unless you have a redhat-like distro; if you do, you can find > the rpms > (with source rpms as well) at > http://www.city-fan.org/ftp/contrib/mail/ > Well, I talked to my ISP about the "multiple instances of SendMail" and this was the response they gave me: Sendmail by default listens on all available ip addresses. Using the outline you've provided does the following: 2 separate instances of sendmail, 1 listening on the base ip while the other listens on the second ip. One then can be configured to relay all mail received to a smart host, while the other doesn't. However, this doesn't prevent a user from using the first instance. (Nor am I actually sure how to split the configs amongst sendmail installations). Additionally, /usr/sbin/sendmail only points to the first queue. There isn't any way for this to selectively point to the second queue. The only way to get mail injected to the second queue is by talking to port 25 on the ip address of the second instance. Any mail generated from scripts will not work as expected. Sendmail will always use the base ip address when sending mail. If there is a way to change this, I haven't been able to find any information online regarding this. Does this sound right? Jim From chris at bluecobras.com Tue Apr 3 20:07:44 2007 
From: chris at bluecobras.com (chris@bluecobras.com) Date: Tue Apr 3 19:22:09 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <20070403140744.e1aspgu6g40k4cso@www.bluecobras.com> Julian, this is the day I have been waiting for. A simple couple of words would have been fine but just to hear from you yourself is awesome. This is a great day indeed. I know you have heard nothing but your health is the most important thing and it is but enjoying life is part of that. So sit back and do the things you can that you have wanted to do but didn't have the time. Send us an email every now and then and we will be happy. When you are well enough we will be happy to have you back doing your thing. Get well and enjoy! Chris Hammond Richmond, VA Quoting Julian Field : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. 
They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store From Kevin_Miller at ci.juneau.ak.us Tue Apr 3 20:28:55 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Apr 3 19:36:49 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, snip > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect > any more than the odd health update for a while yet though :-) Great to hear you're back in the land of the living. You haven't missed much. No major bugs have cropped up in the last month (that I recall anyway), no "must have or I'll be banished to Siberia" feature requests. So you can rest easy. And now that you're awake, hopefully your folks can rest easy too! I'm sure the worry was quite a strain on them. Our thoughts & prayers are with them as well as yourself. To save you reading five thousand emails, here's a brief recap: some folks don't like sender verification res is still an evil bunny Glenn's on vacation in S.E. Asia Um, yup, that about sums it up. Here's to a speedy recuperation... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907) 586-4500 From bpumphrey at woodmclaw.com Tue Apr 3 20:35:44 2007 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Tue Apr 3 19:43:50 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <04D932B0071FE34FA63EBB1977B48D150268F802@woodenex.woodmaclaw.local> I am super glad to hear this. I prayed for you as well as lots of other folks. Have a good awesome rest period. I thank your parents for being there for you, I think all of the MailScanner users/people that have been there for you. Billy Pumphrey IT Manager Wooden & McLaughlin > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. 
Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > From itdept at fractalweb.com Tue Apr 3 20:38:56 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Apr 3 19:47:10 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <46129F40.2030509@fractalweb.com> Julian Field wrote: > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > Julian, You literally had thousands of people worldwide worrying about you, and we've been waiting for a message from you. Welcome back! I spent part of the weekend telling my 7-year-old son about the "Six Million Dollar Man" and how cool it all was, back in the early/mid 70s. Reading your description above sounds somewhat similar to what they put the character through after his big crash. So, gotta ask...can you run really fast now? And is there a sort of odd, mechanical sound that happens whenever you do something in slow motion? ;-) Good to hear you're on the mend. Be thankful too that you have such a strong family. Cheers from Vancouver Canada, Chris From edwardbruce at sbcglobal.net Tue Apr 3 20:45:08 2007 From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Tue Apr 3 19:53:13 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <4612A0B4.5020000@sbcglobal.net> Great news Julian. From lists at tessalate.net Tue Apr 3 20:47:36 2007 
From: lists at tessalate.net (YAN) Date: Tue Apr 3 19:56:13 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <200704031847.l33IlfNs080367@mx1.tessalate.net> Glad to hear you're back home Jules... Take your time and get well before you start thinking of making a comeback... Don't rush these things, health is much more important than work, even though we sometimes lose sight of this. Regards and best wishes YAN > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 03 April 2007 18:28 > To: MailScanner discussion > Subject: I'm back at home > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after > just me, 24 > hours a day. They finally brought me round when I was well > enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my > house with me > helping to look after me. We are all getting on fine, and > life would be > really hard if they weren't here. They have fixed everything > and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything > neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything > to do with > MailScanner. > > This note is basically to send a very big thankyou for all > the Get Well > Soon cards you have sent me from all over the world, along > with all the > emails sending your best wishes too. They are all very much > appreciated > and it really brightened up my day every time someone from > work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't > expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. 
> > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > --------------------------------------------------------------------- > This email and attachments have been scanned by Tessalate MailScanner > for all known viruses, spam, trojans and other dangerous content. > To protect your email and reduce spam please visit www.tessalate.net > or email mailscanner@tessalate.net for further information. > --------------------------------------------------------------------- > > From rabellino at di.unito.it Tue Apr 3 20:48:42 2007 From: rabellino at di.unito.it (Sergio Rabellino) Date: Tue Apr 3 19:57:17 2007 Subject: I'm back at home References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <001d01c77620$baee9f20$6489a8c0@di.unito.it> ... No expectation at all, only a big big big Welcome Back ! -- ing. Sergio Rabellino Dipartimento di Informatica ICT Services Director C.so Svizzera 185, 10149 - Torino From dyioulos at firstbhph.com Tue Apr 3 20:57:47 2007 
From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Tue Apr 3 20:05:42 2007 Subject: I'm back at home In-Reply-To: <46129F40.2030509@fractalweb.com> References: <46128E8E.1060508@ecs.soton.ac.uk> <46129F40.2030509@fractalweb.com> Message-ID: <200704031457.47900.dyioulos@firstbhph.com> On Tuesday 03 April 2007 2:38 pm, Chris Yuzik wrote: > Julian Field wrote: > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > > hours a day. They finally brought me round when I was well enough, and I > > then spent the next 2 weeks learning how breathe, talk, use my hands, > > walk and all the necessary stuff like that. > Jules, Pity you couldn't have just kept the nurses and done away with the rest :-) Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Tue Apr 3 20:57:59 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 3 20:06:13 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 4/3/2007 10:27 AM: > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > Great to hear you are back! Take your time getting better, we have been doing our best to keep things as smooth as possible. 
Although there were a few off topic discussions that went a little further than you would have allowed, things have been holding up the best they can. When you do finally get back to coding, the ideas will probably be as thick as thieves, and you won't know where to start. Just being in your own space again probably feels great! Best wishes in your recovery, Scott -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Apr 3 21:00:38 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 3 20:13:07 2007 Subject: I'm back at home In-Reply-To: <461293D6.8060204@blacknight.ie> References: <46128E8E.1060508@ecs.soton.ac.uk> <461293D6.8060204@blacknight.ie> Message-ID: Paul Kelly :: Blacknight spake the following on 4/3/2007 10:50 AM: > Julian Field wrote: > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, > 24 hours a day. They finally brought me round when I was well enough, > and I then spent the next 2 weeks learning how breathe, talk, use my > hands, walk and all the necessary stuff like that. > > >> Are you now part cyborg? :) Sounds a bit robocopish what with the >> technician and all :) > > So I am now back at home, and have my parents living in my house with > me helping to look after me. We are all getting on fine, and life > would be really hard if they weren't here. They have fixed everything > and cleared out all my old junk that I don't want any more, so I now > have a nice tidy house again with plenty of spare space. I won't be > able to find anything for a while, but it's really nice to have > everything neat and tidy again :-) > > >> Fair play to the parents! > > It's going to be a fair while before I'm up to doing anything to do > with MailScanner. > >> No rush dude, we're all doing our best to keep things going :) > > > This note is basically to send a very big thankyou for all the Get > Well Soon cards you have sent me from all over the world, along with > all the emails sending your best wishes too. They are all very much > appreciated and it really brightened up my day every time someone from > work called in with some more cards from around the globe. So thank > you very much for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. 
Don't expect > any more than the odd health update for a while yet though :-) > > >> Fair play Jules. Take it handy and keep us up to date on your health. >> Plenty of rest dude, those cyborg implants will take a bit of getting >> used to ;) > >> Best Regards, > >> Paul I can just see it now; Resistance is futile, spammer! You will be assimilated! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From tmartins at gmail.com Tue Apr 3 21:05:05 2007 From: tmartins at gmail.com (Thiago Martins) Date: Tue Apr 3 20:13:09 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? Message-ID: Hi folks. Is there any possibilities to insert some header or any other way to make Microsoft Outlook or Exchange know that a message is SPAM? There is a folder in Outlook for SPAM and sometimes it flag some messages as SPAM automatically. I believe this is done using some header in the mail body. Any ideas about that? Sorry for my English and thanks in advance. -- []'s Thiago From dominian at slackadelic.com Tue Apr 3 21:08:58 2007 From: dominian at slackadelic.com (Matt Hayes) Date: Tue Apr 3 20:17:11 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: References: Message-ID: <4612A64A.4030705@slackadelic.com> Thiago Martins wrote: > Hi folks. > > Is there any possibilities to insert some header or any other way to > make Microsoft Outlook or Exchange know that a message is SPAM? > > There is a folder in Outlook for SPAM and sometimes it flag some > messages as SPAM automatically. I believe this is done using some > header in the mail body. > > Any ideas about that? > > Sorry for my English and thanks in advance. > Thiago, Your English is fine :) There is a way to insert custom headers, however, I'm not quite sure what it is without reading the documentation, but I do remember seeing it! -Matt From drew at technologytiger.net Tue Apr 3 21:10:41 2007 
From: drew at technologytiger.net (Drew Marshall) Date: Tue Apr 3 20:18:50 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: On 3 Apr 2007, at 18:27, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just > me, 24 > hours a day. They finally brought me round when I was well enough, > and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. Scary stuff! > > So I am now back at home, and have my parents living in my house > with me > helping to look after me. We are all getting on fine, and life > would be > really hard if they weren't here. They have fixed everything and > cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) Parents are great things. Often over looked occasionally undervalued but _always_ there when you need them! > It's going to be a fair while before I'm up to doing anything to do > with > MailScanner. Not a problem for anyone I am sure. We can manage. > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect > any > more than the odd health update for a while yet though :-) It is truly great to hear from you. When Tim broke the news several weeks ago I think it is true to say that hundreds if not thousands of people were shocked and distressed to hear of your plight. I am sure these same people will be delighted that their well wishes, in what ever accent, language and faith have been responded to. 
Keep getting stronger and as hard as it might be, don't try to do too much too soon. It really is not worth it for any one. Number one priority must be you and no one else. I am sure your mother will agree you are not too old to get your bottom smacked if you misbehave and mothers always know (Or so mine keeps telling me!) :-). Kindest regards Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From ryan-list at marinocrane.com Tue Apr 3 21:16:09 2007 From: ryan-list at marinocrane.com (Ryan Pitt) Date: Tue Apr 3 20:25:04 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <4612A7F9.1090602@marinocrane.com> Julian Field wrote: > Hi folks, Hi Julian, Good to have you back! Ryan Pitt Connecticut, USA From joost at waversveld.nl Tue Apr 3 21:22:15 2007 
From: joost at waversveld.nl (Joost Waversveld) Date: Tue Apr 3 20:30:20 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <20070403212215.qfkn0vb8e8w0gkwk@webmail.waversveld.nl> > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) It's always nice to have a clean house without putting any effort into it yourself! ;-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. Don't bother... MailScanner is not that important, your health is more important... > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! It was the least we could do for you, so no problem... > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > That's ok, we will forgive you ;-) Give it time. We're just so happy to hear from you! All the best from the Netherlands... Joost Waversveld From Kevin_Miller at ci.juneau.ak.us Tue Apr 3 21:25:42 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Apr 3 20:33:37 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: References: Message-ID: Thiago Martins wrote: > Hi folks. > > Is there any possibilities to insert some header or any other way to > make Microsoft Outlook or Exchange know that a message is SPAM? > > There is a folder in Outlook for SPAM and sometimes it flag some > messages as SPAM automatically. I believe this is done using some > header in the mail body. The easiest thing is to let MailScanner add text to the subject line, and write a rule. It won't update the IMF in Exchange or anything, but it's easy to shunt things off to a folder. An Outlook add in that I've been pretty happy with is called SpamBayes (http://spambayes.sourceforge.net/) which can help Outlook deal with the little that slips through MailScanner. May or may not be a good fit for your site. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From tmartins at gmail.com Tue Apr 3 21:49:57 2007 
From: tmartins at gmail.com (Thiago Martins) Date: Tue Apr 3 20:58:02 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: References: Message-ID: Hi Kevin. Thanks for the link. I will test spambayes. I know that changing the subject is the easiest way, but you know, our bosses never want the easy way. :) I have other problems too. Here we don't allow any mail marked as SPAM (high or not) to go to the user. There is a dedicate person to check the quarantine and release false positives. Maybe it would be nicer to let low spam pass and let the user decide. But not a long ago there was Lotus Notes + Securiq and this behavior is a legacy from those suffering times and it will take some time to change this. We still have some Notes clients, but in a year they will rest in peace ... The exchange admin told me that it is not possible to create a rule from the server to play with the subject and move messages to the spam folder in outlook. That's why I want to play with IMF. This way I can store only high spam and let low spam pass to the users. I have to assume users are very dumb and can't create a rule by them. If this can be done using any kind of GPO or using the exchange server or adding headers to be parsed by IMF it will be my choice. I have no experience with exchange. I always used Unix mailers and MTAs so I'm a bit lost here. Thanks. On 4/3/07, Kevin Miller wrote: > Thiago Martins wrote: > > Hi folks. > > > > Is there any possibilities to insert some header or any other way to > > make Microsoft Outlook or Exchange know that a message is SPAM? > > > > There is a folder in Outlook for SPAM and sometimes it flag some > > messages as SPAM automatically. I believe this is done using some > > header in the mail body. > > The easiest thing is to let MailScanner add text to the subject line, > and write a rule. It won't update the IMF in Exchange or anything, but > it's easy to shunt things off to a folder. 
> > An Outlook add in that I've been pretty happy with is called SpamBayes > (http://spambayes.sourceforge.net/) which can help Outlook deal with the > little that slips through MailScanner. May or may not be a good fit for > your site. > > ...Kevin From root at doctor.nl2k.ab.ca Tue Apr 3 22:16:04 2007 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Apr 3 21:23:54 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <20070403201604.GA21796@doctor.nl2k.ab.ca> On Tue, Apr 03, 2007 at 06:27:42PM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. 
> > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- > > Nice to hear from you again! We all missed you. Hopefully, your health will improve. From ka at pacific.net Tue Apr 3 22:28:31 2007 
From: ka at pacific.net (Ken A) Date: Tue Apr 3 21:36:33 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <4612B8EF.9080209@pacific.net> Great news. Take care & rest! When you get around to remembering how fun perl is, MailScanner will be here. Until then, forgetaboutit and just get well. Ken Anderson Pacific.Net Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. 
> > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- > From mike at vesol.com Tue Apr 3 22:36:41 2007 From: mike at vesol.com (Mike Kercher) Date: Tue Apr 3 21:45:34 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <6115482898C59848B35DB9D491C9A28E4D0A@srv1.home.middlefinger.net> mailscanner-bounces@lists.mailscanner.info <> scribbled on : : -----BEGIN PGP SIGNED MESSAGE----- : Hash: SHA1 : : So I am now back at home, and have my parents living in my : house with me helping to look after me. We are all getting on : fine, and life would be really hard if they weren't here. : They have fixed everything and cleared out all my old junk : that I don't want any more, so I now have a nice tidy house : again with plenty of spare space. I won't be able to find : anything for a while, but it's really nice to have everything : neat and tidy again :-) : : Cheers, : Jules. : Jules, Glad to hear you are back home! There really ARE easier ways to get a housekeeper though! Next time, just ask for some advice! Best wishes Mike From Kevin_Miller at ci.juneau.ak.us Tue Apr 3 22:10:28 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Apr 4 07:35:11 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: References: Message-ID: Thiago Martins wrote: > Hi Kevin. > > Thanks for the link. I will test spambayes. > > I know that changing the subject is the easiest way, but you know, our > bosses never want the easy way. :) Yup. Can't blame them though - it does make the subject line uglier. Especially for false positives. > I have other problems too. Here we don't allow any mail marked as SPAM > (high or not) to go to the user. There is a dedicate person to check > the quarantine and release false positives. Maybe it would be nicer to I reject high scoring spam, and quarantine low scoring spam. I don't usually check for false positives though unless someone calls and asks if something got lost. It's pretty infrequent. The quarantined messages live on the MailScanner box and are deleted after a month. I don't think I'd set it up to pass low scoring spam. My users seem pretty happy with things as they are. > let low spam pass and let the user decide. But not a long ago there > was Lotus Notes + Securiq and this behavior is a legacy from those > suffering times and it will take some time to change this. > > We still have some Notes clients, but in a year they will rest in > peace ... > > The exchange admin told me that it is not possible to create a rule > from the server to play with the subject and move messages to the spam > folder in outlook. That's why I want to play with IMF. This way I can > store only high spam and let low spam pass to the users. I don't know any way to get a server side rule to do that without an addin, but I've never looked into it really either. I think he's right though. Would be nice if there were an easy way. > I have to assume users are very dumb and can't create a rule by them. 
> If this can be done using any kind of GPO or using the exchange server > or adding headers to be parsed by IMF it will be my choice. Most will figure it out, especially if you do up some directions. The rest benefit from some personal attention. Don't know how many users you have; we're running around 400. Most we never hear from. Are you using MailWatch (mailwatch.sourceforge.net)? It can be configured to let your users check for themselves. Some months back there was a discussion here about adding headers with MailScanner that the IMF would recognize and act upon. Check the archives for this subject: "RE: Setting Exchange SCL from MailScanner", particularly Brian Duncan's reply on Feb 12, 2007. > I have no experience with exchange. I always used Unix mailers and > MTAs so I'm a bit lost here. HTH... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From bamcomp at yahoo.com Tue Apr 3 22:20:10 2007 
From: bamcomp at yahoo.com (Brett Moss) Date: Wed Apr 4 07:35:12 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <534633.9907.qm@web30015.mail.mud.yahoo.com> --- Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care > with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician > looking after just me, 24 > hours a day. They finally brought me round when I > was well enough, and I > then spent the next 2 weeks learning how breathe, > talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living > in my house with me > helping to look after me. We are all getting on > fine, and life would be > really hard if they weren't here. They have fixed > everything and cleared > out all my old junk that I don't want any more, so I > now have a nice > tidy house again with plenty of spare space. I won't > be able to find > anything for a while, but it's really nice to have > everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing > anything to do with > MailScanner. > > This note is basically to send a very big thankyou > for all the Get Well > Soon cards you have sent me from all over the world, > along with all the > emails sending your best wishes too. They are all > very much appreciated > and it really brightened up my day every time > someone from work called > in with some more cards from around the globe. So > thank you very much > for all of them! > > So I'm still alive, though it was very touch and go > for the first 10 > days, and more or less back in the land of the > living. Don't expect any > more than the odd health update for a while yet > though :-) > > Cheers, > Jules. 
> > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at > www.MailScanner.info/store > > MailScanner customisation, or any advanced system > administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 > 5947 1415 B654 > For all your IT requirements visit > www.transtec.co.uk Jules, I'm glad to hear you are getting well. My best wishes for a continued easy and speedy recovery. Brett From ms-list at alexb.ch Tue Apr 3 22:49:21 2007 From: ms-list at alexb.ch (Alex Broens) Date: Wed Apr 4 07:35:12 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <4612CBE1.4080800@alexb.ch> On 4/3/2007 7:27 PM, Julian Field wrote: > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) Welcome back Julian! We're here if you need us... Alex From res at ausics.net Tue Apr 3 23:02:31 2007 
From: res at ausics.net (Res) Date: Wed Apr 4 07:35:12 2007 Subject: I'm back at home In-Reply-To: <461292A1.6030901@slackadelic.com> References: <46128E8E.1060508@ecs.soton.ac.uk> <461292A1.6030901@slackadelic.com> Message-ID: On Tue, 3 Apr 2007, Matt Hayes wrote: > Glad to see you back up and "on your feet" so to speak! You don't worry > about MailScanner, it's working fine as it is. Rest up then when you feel up > to it.. attack it! I'll second that! Good to hear you're well on your way in recovery -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Tue Apr 3 23:09:36 2007 From: res at ausics.net (Res) Date: Wed Apr 4 07:35:13 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: <46125088.2060207@nkpanama.com> References: <00b801c7754a$dd9074d0$6501a8c0@zorak> <46125088.2060207@nkpanama.com> Message-ID: On Tue, 3 Apr 2007, Alex Neuman van der Hans wrote: > Res wrote: >> On Mon, 2 Apr 2007, Jim Coates wrote: >> >>> Because of how we track bonded sender info and such, I need to have both >>> domains (one for each company) sending outgoing mail on different IPs. >> >> Look at Sendmail 8.14.x >> >> This will probably mean dumping whatever flavour distros ancient version >> you have installed and using the tarball. >> >> > Unless you have a redhat-like distro; if you do, you can find the rpms (with > source rpms as well) at http://www.city-fan.org/ftp/contrib/mail/ > The only problem with redhat, is for the same reason I said dump the distro flavours version... they only back patch for security, they don't include the patches that are for new features, nor always stay up to date fully current in releases. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From alex at nkpanama.com Tue Apr 3 23:47:38 2007 
From: alex at nkpanama.com (Alex Neuman) Date: Wed Apr 4 07:35:14 2007 Subject: Call For Open Source Awards 2007 Nominations Message-ID: <56781.200.46.17.228.1175640458.squirrel@nkpanama.com> Help nominate MailScanner for the Open Source Awards... http://radar.oreilly.com/archives/2007/04/call_for_open_s.html From alex at nkpanama.com Tue Apr 3 23:51:17 2007 From: alex at nkpanama.com (Alex Neuman) Date: Wed Apr 4 07:35:15 2007 Subject: I'm back at home In-Reply-To: <4612A7F9.1090602@marinocrane.com> References: <46128E8E.1060508@ecs.soton.ac.uk> <4612A7F9.1090602@marinocrane.com> Message-ID: <60702.200.46.17.228.1175640677.squirrel@nkpanama.com> > Julian Field wrote: >> Hi folks, When that message was delivered, and news of Julian's recovery reached the list, I felt a disturbance on the Net... as if millions of spammers suddenly cried out in terror, and were suddenly silenced... ;-) From christian at columbiafuels.com Wed Apr 4 00:31:59 2007 From: christian at columbiafuels.com (Christian Rasmussen) Date: Wed Apr 4 07:35:15 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: References: Message-ID: <2023D81BC0235143A46589958FF543F502F5DDCE@bigbird.columbiafuels.com> Your Exchange admin is lying to you. All you need to do is tell IMF to move what it thinks is spam to the users Outlook Junk E-mail folder. Then create a custom rule to recognize the subject line that has been modified by MS and max the IMF score based on that. I've been using MS with Exchange and IMF for quite some time now and it works like a hot damn. Plenty of google fodder on the subject http://www.google.com/search?sourceid=navclient&aq=t&ie=UTF-8&rls=GGLJ,GGLJ:2006-48,GGLJ:en&q=IMF+custom+weighting Feel free to contact me if you run into any grief, it's easy enough for an exchange admin to figure out ;-) Cheers, -Christian -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Thiago Martins Sent: Tuesday, April 03, 2007 12:50 PM To: MailScanner discussion Subject: Re: How to flag SPAM in MS Exchange/Outlook using Mailscanner? Hi Kevin. Thanks for the link. I will test spambayes. I know that changing the subject is the easiest way, but you know, our bosses never want the easy way. :) I have other problems too. Here we don't allow any mail marked as SPAM (high or not) to go to the user. There is a dedicate person to check the quarantine and release false positives. Maybe it would be nicer to let low spam pass and let the user decide. But not a long ago there was Lotus Notes + Securiq and this behavior is a legacy from those suffering times and it will take some time to change this. We still have some Notes clients, but in a year they will rest in peace ... The exchange admin told me that it is not possible to create a rule from the server to play with the subject and move messages to the spam folder in outlook. That's why I want to play with IMF. This way I can store only high spam and let low spam pass to the users. I have to assume users are very dumb and can't create a rule by them. If this can be done using any kind of GPO or using the exchange server or adding headers to be parsed by IMF it will be my choice. I have no experience with exchange. I always used Unix mailers and MTAs so I'm a bit lost here. Thanks. On 4/3/07, Kevin Miller wrote: > Thiago Martins wrote: > > Hi folks. > > > > Is there any possibilities to insert some header or any other way to > > make Microsoft Outlook or Exchange know that a message is SPAM? > > > > There is a folder in Outlook for SPAM and sometimes it flag some > > messages as SPAM automatically. I believe this is done using some > > header in the mail body. > > The easiest thing is to let MailScanner add text to the subject line, > and write a rule. 
It won't update the IMF in Exchange or anything, but > it's easy to shunt things off to a folder. > > An Outlook add in that I've been pretty happy with is called SpamBayes > (http://spambayes.sourceforge.net/) which can help Outlook deal with the > little that slips through MailScanner. May or may not be a good fit for > your site. > > ...Kevin -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From steve.freegard at fsl.com Wed Apr 4 00:59:43 2007 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Apr 4 07:35:16 2007 Subject: Adding Signature based on header? In-Reply-To: <461269EB.9010008@netmagicsolutions.com> References: <461252FA.7090503@netmagicsolutions.com> <46125C7D.1010102@fsl.com> <461269EB.9010008@netmagicsolutions.com> Message-ID: <4612EA6F.3080403@fsl.com> Hi Dhawal, Dhawal Doshy wrote: > Steve Freegard wrote: >> Hi Dhawal/Paul, >> >> Dhawal Doshy wrote: >>> Paul Hutchings wrote: >>>> I have MailScanner on a Postfix box. >>>> >>>> I run one instance on Postfix and 2 Postfix listeners, normal SMTP, and >>>> a separate Authenticated SMTP listener. >>>> >>>> I have a Signature rule to only sign email from my internal mail >>>> servers >>>> IP address. How would I apply this signature to email sent via the >>>> Authenticated >>>> SMTP listener? >>>> >>>> AIUI Postfix adds some sort of "Authenticated User" header, can I >>>> have a 
>>>> From: rule based on that? >>> >>> MailScanner doesn't support header based rules, however you can write >>> a custom function to do this.. The headers are >>> available as @{$message->{headers}} in the Message Object, so you can >>> use a Custom Function to get the result of a header check and a >>> yes/no result for a rule. >>> >>> Has anyone on the list written a header based custom function that >>> can be trivially modified for such a purpose? >> >> No - but if one of you can mail me some examples - I have some code in >> MailScanner that does something similar that I should be able to >> modify and put on the Wiki as this would seem to be pretty useful in a >> lot of cases. > > Would this be enough?? See the part "(Authenticated sender: > dhawal@netmagicsolutions.com)" > > Return-Path: > Received: (qmail 2963 invoked from network); 3 Apr 2007 14:47:12 -0000 > Received: from db.netmagicians.com (202.87.39.111) > by netmagicsolutions.com with SMTP; 3 Apr 2007 14:47:12 -0000 > Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111]) > (Authenticated sender: dhawal@netmagicsolutions.com) > by db.netmagicians.com (Postfix) with ESMTP id 0934B40109F > for ; Tue, 3 Apr 2007 20:15:26 +0530 > (IST) > Message-Id: <20070403144528.0934B40109F@db.netmagicians.com> > Date: Tue, 3 Apr 2007 20:15:26 +0530 (IST) 
> From: dhawal@netmagicsolutions.com > To: undisclosed-recipients:; > > Thanks a ton, Steve.. > I've done an initial version which is attached and that I have done some basic testing with, it takes a list of trusted IPs and the regexps that should be checked against the headers from the trusted IPs to see if the connection is authenticated. Any problems - run set my($debug) = 1; and run MailScanner --debug to see what it is doing. Cheers, Steve. -------------- next part -------------- A non-text attachment was scrubbed... Name: SignCleanMessagesFunction.tar.gz Type: application/x-gzip Size: 1109 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/faa91eb9/SignCleanMessagesFunction.tar-0001.gz From mikechoo at opensos.net Wed Apr 4 04:00:58 2007 From: mikechoo at opensos.net (Michael Choo) Date: Wed Apr 4 07:35:20 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <1C630011-0623-4EB0-9BBB-808B98A6529B@opensos.net> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/4ea4a567/PGP.bin From res at ausics.net Wed Apr 4 05:00:06 2007 From: res at ausics.net (Res) Date: Wed Apr 4 07:35:20 2007 Subject: Time to update file command Message-ID: In case you haven't already seen it, and as it is related to MailScanner and anti virus... http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536 -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From pete at enitech.com.au Wed Apr 4 05:11:50 2007 
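The header check discussed in the "Adding Signature based on header?" thread above, as an added stand-alone Python sketch; it is not the scrubbed SignCleanMessagesFunction attachment and not MailScanner code. It goes a little beyond the thread by walking the Received chain from the newest hop down and believing an "(Authenticated sender: ...)" note only in hops written by the local MTA or a trusted relay, since any sender can paste that text into a header further down. The relay list, the function name, the example.org/example.net samples and the IPv4-only parsing are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string

# Site policy, assumed for this example: relays whose Received lines we believe.
TRUSTED_RELAYS = [ipaddress.ip_network("202.87.39.111/32")]
# The Postfix annotation quoted in the thread.
AUTH_PATTERN = re.compile(r"\(Authenticated sender: ([^)\s]+)\)")
# Client address in "from helo (ip)" or "from helo (rdns [ip])"; IPv4 only.
CLIENT_IP = re.compile(
    r"^from\s+\S+\s+\((?:\S+\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def _is_trusted(ip_text):
    """True if ip_text parses and falls inside a trusted relay network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_RELAYS)


def authenticated_sender(raw_headers):
    """Return the SMTP AUTH login vouched for by a trusted hop, else None.

    Assumes raw_headers already carries the Received line of the local MTA
    on top, so the first hop examined was written by a host we control.
    """
    hops = message_from_string(raw_headers).get_all("Received") or []
    for hop in hops:                     # newest hop first
        hop = " ".join(hop.split())      # unfold continuation lines
        match = AUTH_PATTERN.search(hop)
        if match:
            return match.group(1)        # written by a host we still trust
        if not hop.startswith("from "):
            continue                     # local hand-off, same writer below
        client = CLIENT_IP.match(hop)
        if client is None or not _is_trusted(client.group(1)):
            return None                  # everything below is sender-supplied
    return None


# Received lines from the sample in the thread (folding restored, the
# stripped "for" clause left out).
RELAYED = """\
Received: (qmail 2963 invoked from network); 3 Apr 2007 14:47:12 -0000
Received: from db.netmagicians.com (202.87.39.111)
    by netmagicsolutions.com with SMTP; 3 Apr 2007 14:47:12 -0000
Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111])
    (Authenticated sender: dhawal@netmagicsolutions.com)
    by db.netmagicians.com (Postfix) with ESMTP id 0934B40109F;
    Tue, 3 Apr 2007 20:15:26 +0530 (IST)
From: dhawal@netmagicsolutions.com
"""

# Constructed: an untrusted client delivers a message that already contains
# a Received line claiming authentication.
FORGED = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.example.org (Postfix) with ESMTP id 1A2B3C4D5E;
    Wed, 4 Apr 2007 01:00:00 +0100 (BST)
Received: from localhost (localhost [127.0.0.1])
    (Authenticated sender: boss@example.org)
    by mx.example.org (Postfix) with ESMTP id 0000000000;
    Wed, 4 Apr 2007 00:59:00 +0100 (BST)
From: boss@example.org
"""

# Constructed: a roaming user authenticates directly to the local listener.
DIRECT = """\
Received: from laptop.example.org (unknown [203.0.113.9])
    (Authenticated sender: paul)
    by mx.example.org (Postfix) with ESMTPA id 2B3C4D5E6F;
    Wed, 4 Apr 2007 09:00:00 +0100 (BST)
From: paul@example.org
"""

if __name__ == "__main__":
    for name, sample in (("relayed", RELAYED), ("forged", FORGED),
                         ("direct", DIRECT)):
        print(name, "->", authenticated_sender(sample))
```

The return value is what a yes/no rule would key on, whether for signing, as asked in the thread, or for skipping spam checks on authenticated mail.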
From: pete at enitech.com.au (Peter Russell)
Date: Wed Apr 4 07:35:21 2007
Subject: Postfix HOLD method
Message-ID: <46132586.1050301@enitech.com.au>

Hello, could anyone offer me some tips on improving the HOLD method for postfix?

My header_checks file contains:

]# vi /etc/postfix/header_checks
# For MailScanner
/^from userid 0/ OK
/^from userid 89/ OK
/^Received/ HOLD

Someone suggested this a while ago as a way to hold messages for checking that are inbound but not ones released from quarantine via mailwatch. For some reason it doesn't work anymore and I have changed anything. What's the best way to achieve this?

Thanks in advance
Pete

From x72m35 at gmail.com Wed Apr 4 06:00:32 2007
From: x72m35 at gmail.com (Lasantha Marian) Date: Wed Apr 4 07:35:21 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <461330F0.5050108@gmail.com> Dear Jules, It's wonderful to hear you are back and recuperating. Please take extra care of your health now. MailScanner can and we can certainly wait, after all it is a robust piece of software. Wishing you long lasting good health. Lasantha from Sri Lanka. *-------- Original Message --------* *Subject: * I'm back at home *Date: * Tue, 03/Apr/2007 10:57:42 PM +0550 *From: * Julian Field *To: * MailScanner discussion > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. 
So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/5daf1a26/attachment.html From micoots at yahoo.com Wed Apr 4 08:17:52 2007 From: micoots at yahoo.com (Michael Mansour) Date: Wed Apr 4 08:26:01 2007 Subject: mailstats per domain Message-ID: <953570.77225.qm@web33315.mail.mud.yahoo.com> Hi, I need a system of measuring/reporting how much bandwidth a domain uses for its mail. I run 2 inbound MX servers which forward (clean) mail to another mail server holding user inboxes. I've thought of various ways this can be done, and have googled for many different stats software but nothing I find can show how much megabytes are used by a domain. Any suggestions are welcome. Thankyou. Michael. Send instant messages to your online friends http://au.messenger.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/df158d3d/attachment.html From uxbod at splatnix.net Wed Apr 4 08:40:44 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Apr 4 08:48:58 2007 Subject: mailstats per domain In-Reply-To: <953570.77225.qm@web33315.mail.mud.yahoo.com> References: <953570.77225.qm@web33315.mail.mud.yahoo.com> Message-ID: At which point do you want to calculate the bandwidth; at inbound MX or when it is passed through as clean? If when clean, why not install MailWatch http://mailwatch.sourceforge.net as this will log all the email to a MySQL database. Two of the fields are to_domain and size. From this you will be able to calculate the bandwidth used by domain. Regards, UxBoD On Wed, 4 Apr 2007 17:17:52 +1000 (EST), Michael Mansour wrote: > Hi, > > I need a system of measuring/reporting how much bandwidth a domain uses > for its mail. > > I run 2 inbound MX servers which forward (clean) mail to another mail > server holding user inboxes. > > I've thought of various ways this can be done, and have googled for many > different stats software but nothing I find can show how much megabytes are > used by a domain. > > Any suggestions are welcome. > > Thankyou. > > Michael. > > > Send instant messages to your online friends > http://au.messenger.yahoo.com > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is > believed to be clean. -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From a.peacock at chime.ucl.ac.uk Wed Apr 4 08:46:05 2007 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Wed Apr 4 08:54:43 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <461357BD.7000907@chime.ucl.ac.uk> Hi Jules, Fantastic news. It is really great to hear from you again. Best wishes for your long term rehabilitation. Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. 
> > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- > -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From martinh at solidstatelogic.com Wed Apr 4 08:57:09 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Apr 4 09:05:27 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: Message-ID: Hi In MailScanner.conf theres a section.. What to do with spam One of the options is header "name: value" You can set this provide a header you're MS-Exch IMF rules can trigger on.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Thiago Martins > Sent: 03 April 2007 20:05 > To: MailScanner discussion > Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? > > Hi folks. > > Is there any possibilities to insert some header or any other way to > make Microsoft Outlook or Exchange know that a message is SPAM? > > There is a folder in Outlook for SPAM and sometimes it flag some > messages as SPAM automatically. I believe this is done using some > header in the mail body. > > Any ideas about that? > > Sorry for my English and thanks in advance. > > -- > []'s > Thiago > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From gmatt at nerc.ac.uk Wed Apr 4 09:12:07 2007 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Wed Apr 4 09:20:25 2007 Subject: Whitelisting certain outbound messages In-Reply-To: <46129506.2030300@chapman.edu> References: <46113F9F.8050205@chapman.edu> <46122EE3.5040400@nerc.ac.uk> <46129506.2030300@chapman.edu> Message-ID: <46135DD7.7060801@nerc.ac.uk> Jay Chandler wrote: > Greg Matthews wrote: >> its pretty obvious that your botnet score is the main cause of the >> spam score. I have had to reduce the botnet score down to 1.0 because >> it is too aggressive for our environment. >> >> GREG > Right-- but it's great for inbound messages. I guess I was hoping there > was some way to apply different metrics to outbound mail than inbound... > I was talking about inbound messages! I find it hits too many ham. Outbound messages can be favoured with AWL and the ALL_TRUSTED SA ruleset. See the spamassassin wiki for details. GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From paul.hutchings at mira.co.uk Wed Apr 4 09:23:09 2007 
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Apr 4 09:31:26 2007 Subject: Whitelisting certain outbound messages Message-ID: This is genuine curiosity not meant to be a smart-alec remark but why would people want to spam check their outbound mail? I can't get my head around letting a message out that suggests "We think this is spam but we sent it anyway"? Easy for me to say as a Company mail admin vs. say an ISP/Uni, I'm just curious. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Matthews Sent: 04 April 2007 09:12 To: MailScanner discussion Subject: Re: Whitelisting certain outbound messages Jay Chandler wrote: > Greg Matthews wrote: >> its pretty obvious that your botnet score is the main cause of the >> spam score. I have had to reduce the botnet score down to 1.0 because >> it is too aggressive for our environment. >> >> GREG > Right-- but it's great for inbound messages. I guess I was hoping there > was some way to apply different metrics to outbound mail than inbound... > I was talking about inbound messages! I find it hits too many ham. Outbound messages can be favoured with AWL and the ALL_TRUSTED SA ruleset. See the spamassassin wiki for details. GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford From gmatt at nerc.ac.uk Wed Apr 4 09:47:51 2007 
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Wed Apr 4 09:56:09 2007 Subject: Whitelisting certain outbound messages In-Reply-To: References: Message-ID: <46136637.90404@nerc.ac.uk> Paul Hutchings wrote: > This is genuine curiosity not meant to be a smart-alec remark but why > would people want to spam check their outbound mail? a number of reasons: - spam being bounced by OoO responders - filtering mail from an internal virus-infected desktop - enforcing content policies - someones brain-dead php webform compromised sending out spam > > I can't get my head around letting a message out that suggests "We think > this is spam but we sent it anyway"? right - so you'd need a filter to determine whether it is spam or not... > > Easy for me to say as a Company mail admin vs. say an ISP/Uni, I'm just > curious. > -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford From shuttlebox at gmail.com Wed Apr 4 09:58:15 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Apr 4 10:06:24 2007 Subject: Call For Open Source Awards 2007 Nominations In-Reply-To: <56781.200.46.17.228.1175640458.squirrel@nkpanama.com> References: <56781.200.46.17.228.1175640458.squirrel@nkpanama.com> Message-ID: <625385e30704040158k6cf91518vb48076c913e8cc0b@mail.gmail.com> On 4/4/07, Alex Neuman wrote: > Help nominate MailScanner for the Open Source Awards... > > http://radar.oreilly.com/archives/2007/04/call_for_open_s.html I have sent a nomination for Julian. -- /peter From tmartins at gmail.com Wed Apr 4 09:59:00 2007 
From: tmartins at gmail.com (Thiago Martins) Date: Wed Apr 4 10:07:10 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: References: Message-ID: Yes Kevin, I use mailwatch, but as I said, the legacy system needed an admin to manage the quarantine and users were not allowed to manage it. I know mailwatch can be configured to be managed by users, unfortunately they are spoiled people and i'm trying to change that. :) Your approach is what I like to have here in the near future. Thanks everyone. I will try all tips here and will search the list and google for more information on IMF and will conduct some tests. On 4/3/07, Kevin Miller wrote: > Thiago Martins wrote: > > Hi Kevin. > > > > Thanks for the link. I will test spambayes. > > > > I know that changing the subject is the easiest way, but you know, our > > bosses never want the easy way. :) > > Yup. Can't blame them though - it does make the subject line uglier. Especially for false positives. > > > > I have other problems too. Here we don't allow any mail marked as SPAM > > (high or not) to go to the user. There is a dedicate person to check > > the quarantine and release false positives. Maybe it would be nicer to > > I reject high scoring spam, and quarantine low scoring spam. I don't usually check for false positives though unless someone calls and asks if something got lost. It's pretty infrequent. The quarantined messages live on the MailScanner box and are deleted after a month. I don't think I'd set it up to pass low scoring spam. My users seem pretty happy with things as they are. > > > > let low spam pass and let the user decide. But not a long ago there > > was Lotus Notes + Securiq and this behavior is a legacy from those > > suffering times and it will take some time to change this. > > > > We still have some Notes clients, but in a year they will rest in > > peace ... 
> > > > The exchange admin told me that it is not possible to create a rule > > from the server to play with the subject and move messages to the spam > > folder in outlook. That's why I want to play with IMF. This way I can > > store only high spam and let low spam pass to the users. > > I don't know any way to get a server side rule to do that without an addin, but I've never looked into it really either. I think he's right though. Would be nice if there were an easy way. > > > > I have to assume users are very dumb and can't create a rule by them. > > If this can be done using any kind of GPO or using the exchange server > > or adding headers to be parsed by IMF it will be my choice. > > Most will figure it out, especially if you do up some directions. The rest benefit from some personal attention. Don't know how many users you have; we're running around 400. Most we never hear from. Are you using MailWatch (mailwatch.sourceforge.net)? It can be configured to let your users check for themselves. > > Some months back there was a discussion here about adding headers with MailScanner that the IMF would recognize and act upon. Check the archives for this subject: "RE: Setting Exchange SCL from MailScanner", particularly Brian Duncan's reply on Feb 12, 2007. > > > > I have no experience with exchange. I always used Unix mailers and > > MTAs so I'm a bit lost here. > > HTH... > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- []'s Thiago Martins http://tmartins.blogsome.com From dhawal at netmagicsolutions.com Wed Apr 4 10:43:39 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Apr 4 10:52:06 2007 Subject: Adding Signature based on header? In-Reply-To: <4612EA6F.3080403@fsl.com> References: <461252FA.7090503@netmagicsolutions.com> <46125C7D.1010102@fsl.com> <461269EB.9010008@netmagicsolutions.com> <4612EA6F.3080403@fsl.com> Message-ID: <4613734B.9020503@netmagicsolutions.com> Steve Freegard wrote: > Hi Dhawal, > Dhawal Doshy wrote: >> Steve Freegard wrote: >>> Hi Dhawal/Paul, >>> >>> Dhawal Doshy wrote: >>>> Has anyone on the list written a header based custom function that >>>> can be trivially modified for such a purpose? >>> No - but if one of you can mail me some examples - I have some code in >>> MailScanner that does something similar that I should be able to >>> modify and put on the Wiki as this would seem to be pretty useful in a >>> lot of cases. >> Would this be enough?? See the part "(Authenticated sender: >> dhawal@netmagicsolutions.com)" >> >> Return-Path: >> Received: (qmail 2963 invoked from network); 3 Apr 2007 14:47:12 -0000 >> Received: from db.netmagicians.com (202.87.39.111) >> by netmagicsolutions.com with SMTP; 3 Apr 2007 14:47:12 -0000 >> Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111]) >> (Authenticated sender: dhawal@netmagicsolutions.com) >> by db.netmagicians.com (Postfix) with ESMTP id 0934B40109F >> for ; Tue, 3 Apr 2007 20:15:26 +0530 >> (IST) >> Message-Id: <20070403144528.0934B40109F@db.netmagicians.com> >> Date: Tue, 3 Apr 2007 20:15:26 +0530 (IST) 
>> From: dhawal@netmagicsolutions.com >> To: undisclosed-recipients:; >> >> Thanks a ton, Steve.. > > I've done an initial version which is attached and that I have done some > basic testing with, it takes a list of trusted IPs and the regexps that > should be checked against the headers from the trusted IPs to see if the > connection is authenticated. > > Any problems - run set my($debug) = 1; and run MailScanner --debug to > see what it is doing. Wow.. i'll be modifying this for "spam checks" as well since i need to skip spam checks on authenticated mail. Will test it completely and let you know.. thanks, - dhawal From paul.hutchings at mira.co.uk Wed Apr 4 10:57:06 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Apr 4 11:05:22 2007 Subject: Adding Signature based on header? Message-ID: Steve, Thanks very much for this! I have to say it'll probably be several days before I get chance to read what I need to do to try it out so I may be back with (dumb) questions, but thank you. cheers, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard Sent: 04 April 2007 01:00 To: MailScanner discussion Subject: Re: Adding Signature based on header? Hi Dhawal, Dhawal Doshy wrote: > Steve Freegard wrote: >> Hi Dhawal/Paul, >> >> Dhawal Doshy wrote: >>> Paul Hutchings wrote: >>>> I have MailScanner on a Postfix box. >>>> >>>> I run one instance on Postfix and 2 Postfix listeners, normal SMTP, and >>>> a separate Authenticated SMTP listener. >>>> >>>> I have a Signature rule to only sign email from my internal mail >>>> servers >>>> IP address. How would I apply this signature to email sent via the >>>> Authenticated >>>> SMTP listener? >>>> >>>> AIUI Postfix adds some sort of "Authenticated User" header, can I >>>> have a 
>>>> From: rule based on that? >>> >>> MailScanner doesn't support header based rules, however you can write >>> a custom function to do this.. The headers are >>> available as @{$message->{headers}} in the Message Object, so you can >>> use a Custom Function to get the result of a header check and a >>> yes/no result for a rule. >>> >>> Has anyone on the list written a header based custom function that >>> can be trivially modified for such a purpose? >> >> No - but if one of you can mail me some examples - I have some code in >> MailScanner that does something similar that I should be able to >> modify and put on the Wiki as this would seem to be pretty useful in a >> lot of cases. > > Would this be enough?? See the part "(Authenticated sender: > dhawal@netmagicsolutions.com)" > > Return-Path: > Received: (qmail 2963 invoked from network); 3 Apr 2007 14:47:12 -0000 > Received: from db.netmagicians.com (202.87.39.111) > by netmagicsolutions.com with SMTP; 3 Apr 2007 14:47:12 -0000 > Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111]) > (Authenticated sender: dhawal@netmagicsolutions.com) > by db.netmagicians.com (Postfix) with ESMTP id 0934B40109F > for ; Tue, 3 Apr 2007 20:15:26 +0530 > (IST) > Message-Id: <20070403144528.0934B40109F@db.netmagicians.com> > Date: Tue, 3 Apr 2007 20:15:26 +0530 (IST) 
> From: dhawal@netmagicsolutions.com > To: undisclosed-recipients:; > > Thanks a ton, Steve.. > I've done an initial version which is attached and that I have done some basic testing with, it takes a list of trusted IPs and the regexps that should be checked against the headers from the trusted IPs to see if the connection is authenticated. Any problems - run set my($debug) = 1; and run MailScanner --debug to see what it is doing. Cheers, Steve. -- MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From paul.hutchings at mira.co.uk Wed Apr 4 11:12:07 2007 
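The check described in the "Adding Signature based on header?" thread above (a list of trusted IPs, plus regexps tested against the headers of mail arriving from those IPs) is written out here as a stand-alone function. This is an added example, not Steve's attachment and not MailScanner's Custom Function API; the scanning host name mx.example.net, the function names and both sample header blocks are assumptions constructed around the Received header quoted in the thread. It also assumes that only the newest Received header not stamped by the scanning host is examined, since older headers arrive with the message and are outside the trusted relay's control.

```python
import ipaddress
import re

# Assumed configuration for this example (not MailScanner settings).
LOCAL_HOSTS = {"mx.example.net"}  # hypothetical name of the scanning host
TRUSTED_RELAYS = [ipaddress.ip_network("202.87.39.111/32")]  # IP from the thread's sample
AUTH_PATTERNS = [re.compile(r"\(Authenticated sender: [^()\s]+\)")]
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# Constructed sample: the second Received header is the one quoted in the
# thread; the first is what a scanning host would prepend on receipt.
SAMPLE_HEADERS = """\
Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111])
    by mx.example.net (Postfix) with ESMTP id CONSTRUCTED01
    for <user@example.net>; Tue, 3 Apr 2007 20:15:40 +0530 (IST)
Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111])
    (Authenticated sender: dhawal@netmagicsolutions.com)
    by db.netmagicians.com (Postfix) with ESMTP id 0934B40109F
    for <user@example.net>; Tue, 3 Apr 2007 20:15:26 +0530 (IST)
Message-Id: <20070403144528.0934B40109F@db.netmagicians.com>
From: dhawal@netmagicsolutions.com
"""

# Constructed sample: the token sits only in an older header that the
# trusted relay did not write, so it must not count.
FORGED_HEADERS = """\
Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111])
    by mx.example.net (Postfix) with ESMTP id CONSTRUCTED02
Received: from client.example.org (client.example.org [198.51.100.7])
    by db.netmagicians.com (Postfix) with ESMTP id CONSTRUCTED03
Received: from laptop (unknown [192.0.2.9])
    (Authenticated sender: someone@example.org)
    by db.netmagicians.com (Postfix) with ESMTP id CONSTRUCTED04
From: someone@example.org
"""


def unfold(raw_headers):
    """Join folded continuation lines so each header is one string."""
    headers = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.strip())
    return headers


def relay_received_header(raw_headers, local_hosts=LOCAL_HOSTS):
    """Return the newest Received header not written by the scanning host."""
    for header in unfold(raw_headers):
        name, _, value = header.partition(":")
        if name.lower() != "received":
            continue
        match = BY_HOST.search(value)
        if match is None:
            return None  # no "by" clause: fail closed rather than guess
        if match.group(1).lower() in local_hosts:
            continue  # our own stamp, look at the next one down
        return value
    return None


def is_authenticated_submission(client_ip, raw_headers,
                                relays=TRUSTED_RELAYS, patterns=AUTH_PATTERNS):
    """True only if the connecting IP is a trusted relay AND that relay's
    own Received header carries one of the authentication patterns."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if not any(addr in net for net in relays):
        return False
    header = relay_received_header(raw_headers)
    if header is None:
        return False
    return any(p.search(header) for p in patterns)


if __name__ == "__main__":
    print(is_authenticated_submission("202.87.39.111", SAMPLE_HEADERS))
    print(is_authenticated_submission("198.51.100.7", SAMPLE_HEADERS))
    print(is_authenticated_submission("202.87.39.111", FORGED_HEADERS))
```

The same yes/no result could drive a signature rule or a decision to skip spam checks, as discussed in the thread; matching the pattern against every header instead of the relay's own would accept the second sample.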
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Apr 4 11:20:23 2007 Subject: New Server Specs? Message-ID: Folks, Looking for a little feedback. I've been evaluating MailScanner for a couple of weeks now and it seems pretty clear it's more than up to what we want, so I'm looking at replacing our existing relay hardware. Given the MAQ says "A Dual Xeon with 2 GB of RAM and 15K SCSI disks can process up to 1,4 million of messages/day" and we accept and process maybe 30,000 on a busy week I think it's fair to say that pretty much any new server we buy will be more than sufficient. My question is, broadly speaking which would be best to have more of, CPU, ram, or disk subsystem? I'm looking at the cheapest HP/Sun/Dell servers which tend to be SATA disks and slower dual-core CPUs but with plenty of memory slots. TIA, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk From martinh at solidstatelogic.com Wed Apr 4 11:21:00 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Apr 4 11:29:17 2007 Subject: New Server Specs? In-Reply-To: Message-ID: Paul Memory is normally the biggest requirement and easiest to fix...- 1GB per CPU core.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings > Sent: 04 April 2007 11:12 > To: MailScanner discussion > Subject: New Server Specs? > > Folks, > > Looking for a little feedback. > > I've been evaluating MailScanner for a couple of weeks now and it seems > pretty clear it's more than up to what we want, so I'm looking at > replacing our existing relay hardware. > > Given the MAQ says "A Dual Xeon with 2 GB of RAM and 15K SCSI disks can > process up to 1,4 million of messages/day" and we accept and process maybe > 30,000 on a busy week I think it's fair to say that pretty much any new > server we buy will be more than sufficient. > > My question is, broadly speaking which would be best to have more of, CPU, > ram, or disk subsystem? > I'm looking at the cheapest HP/Sun/Dell servers which tend to be SATA > disks and slower dual-core CPUs but with plenty of memory slots. > > TIA, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone.
Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From list-mailscanner at linguaphone.com Wed Apr 4 11:26:16 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 4 11:34:32 2007 Subject: New Server Specs? In-Reply-To: References: Message-ID: <1175682376.15563.23.camel@gblades-suse.linguaphone-intranet.co.uk> We get about 20,000 mails a week (about 80% are spam) and a general desktop spec pc with 1GB of ram is proving to be more than ample and we are doing a lot of checks. I would say CPU is probably the limiting factor on our system. The disk IO is not going to have any issue going beyond the 60MB/day we are currently transfering and we currently have 170MB of free memory with 83MB buffers and 140MB cached. On Wed, 2007-04-04 at 11:12, Paul Hutchings wrote: > Folks, > > Looking for a little feedback. > > I've been evaluating MailScanner for a couple of weeks now and it > seems pretty clear it's more than up to what we want, so I'm looking > at replacing our existing relay hardware. > > Given the MAQ says "A Dual Xeon with 2 GB of RAM and 15K SCSI disks > can process up to 1,4 million of messages/day" and we accept and > process maybe 30,000 on a busy week I think it's fair to say that > pretty much any new server we buy will be more than sufficient. > > My question is, broadly speaking which would be best to have more of, > CPU, ram, or disk subsystem? > I'm looking at the cheapest HP/Sun/Dell servers which tend to be SATA > disks and slower dual-core CPUs but with plenty of memory slots. > > TIA, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk From uxbod at splatnix.net Wed Apr 4 11:37:01 2007
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Apr 4 11:45:42 2007 Subject: New Server Specs? In-Reply-To: References: Message-ID: <438fe811fed68506632f49ffa4fc2edf@62.49.223.244> I have just built a 1U server with two 2.4GHz Opterons and 4GB RAM. We are processing ~30,000 emails per day and have image SPAM recognition running aswell. The load on the server never goes about 1 even when under load. We also put the Postfix and MailScanner queues on a TMPFS for improved performance, hence having quite a large amount of memory. If running image recognition then CPU power will also be important. Regards, UxBoD On Wed, 4 Apr 2007 11:12:07 +0100, "Paul Hutchings" wrote: > Folks, > > Looking for a little feedback. > > I've been evaluating MailScanner for a couple of weeks now and it seems > pretty clear it's more than up to what we want, so I'm looking at > replacing our existing relay hardware. > > Given the MAQ says "A Dual Xeon with 2 GB of RAM and 15K SCSI disks can > process up to 1,4 million of messages/day" and we accept and process > maybe 30,000 on a busy week I think it's fair to say that pretty much > any new server we buy will be more than sufficient. > My question is, broadly speaking which would be best to have more of, > CPU, ram, or disk subsystem? > I'm looking at the cheapest HP/Sun/Dell servers which tend to be SATA > disks and slower dual-core CPUs but with plenty of memory slots. > TIA, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.freegard at fsl.com Wed Apr 4 11:43:54 2007 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Apr 4 11:52:14 2007 Subject: New Server Specs? In-Reply-To: References: Message-ID: <4613816A.4040000@fsl.com> Paul Hutchings wrote: > My question is, broadly speaking which would be best to have more of, > CPU, ram, or disk subsystem? > I'm looking at the cheapest HP/Sun/Dell servers which tend to be SATA > disks and slower dual-core CPUs but with plenty of memory slots. As Martin mentioned - memory is one key piece, you need to have 1Gb per CPU core, then set Max Children to 5 * CPU Cores for optimum performance. Any form of swapping/paging will quickly kill performance of MailScanner/SpamAssassin. I also always recommend buying a *decent* RAID controller with battery-backed write-back cache as fast disk access is a requirement to cope with busy periods and future growth and. Cheers, Steve. From neilw at dcdata.co.za Wed Apr 4 11:53:08 2007
From: neilw at dcdata.co.za (Neil Wilson) Date: Wed Apr 4 12:01:21 2007 Subject: New Server Specs? In-Reply-To: <438fe811fed68506632f49ffa4fc2edf@62.49.223.244> References: <438fe811fed68506632f49ffa4fc2edf@62.49.223.244> Message-ID: <46138394.9080403@dcdata.co.za> --[ UxBoD ]-- wrote: > I have just built a 1U server with two 2.4GHz Opterons and 4GB RAM. We are processing ~30,000 emails per day and have image SPAM recognition running aswell. Which image Spam recognition are you utilising, I'm currently using Fuzzy OCR and this seems to put quite a load on the system. Thanks. Neil -- This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From list-mailscanner at linguaphone.com Wed Apr 4 11:57:03 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 4 12:05:20 2007 Subject: New Server Specs? In-Reply-To: <46138394.9080403@dcdata.co.za> References: <438fe811fed68506632f49ffa4fc2edf@62.49.223.244> <46138394.9080403@dcdata.co.za> Message-ID: <1175684223.15562.28.camel@gblades-suse.linguaphone-intranet.co.uk> I am running fuzzyocr using ocrad and gocr. The cpu utilisation is fairly low as most of the image spams are caught by bayes and other checks so the score is already over 10 before fuzzyocr runs so it does not bother checking. On Wed, 2007-04-04 at 11:53, Neil Wilson wrote: > --[ UxBoD ]-- wrote: > > I have just built a 1U server with two 2.4GHz Opterons and 4GB RAM. We are processing ~30,000 emails per day and have image SPAM recognition running aswell. > > Which image Spam recognition are you utilising, I'm currently using Fuzzy OCR and this seems > to put quite a load on the system. > > Thanks. > > Neil > > -- > This email and all contents are subject to the following disclaimer: > http://www.dcdata.co.za/emaildisclaimer.html From paul.hutchings at mira.co.uk Wed Apr 4 12:04:31 2007 
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Apr 4 12:12:52 2007 Subject: New Server Specs? Message-ID: Thanks all. I'm not desparate to do this on the cheap, but obviously I don't want to be asking for company money for something that is massive, massive overkill even allowing for future growth/changes etc. Currently I'm running on an old Poweredge with a single 2.4ghz Xeon CPU (single core with hyperthreading) with 1gb of RAM and a single 80gb ATA drive (we want something that will be under warranty) I'm running Spamassassin on incoming mail and ClamAV on all mail with no OCR checks though this may be something I'll do in the future via FuzzyOCR. I'm no expert on Linux benchmarking but uptime shows "load average: 1.23, 1.43, 1.20". I was looking at HP originally and then I looked at Sun and noticed their X2100 appear to be very good VFM (and are SLES approved which suggests I should be able to install OpenSuse "out the box"). Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard Sent: 04 April 2007 11:44 To: MailScanner discussion Subject: Re: New Server Specs? Paul Hutchings wrote: > My question is, broadly speaking which would be best to have more of, > CPU, ram, or disk subsystem? > I'm looking at the cheapest HP/Sun/Dell servers which tend to be SATA > disks and slower dual-core CPUs but with plenty of memory slots. As Martin mentioned - memory is one key piece, you need to have 1Gb per CPU core, then set Max Children to 5 * CPU Cores for optimum performance. Any form of swapping/paging will quickly kill performance of MailScanner/SpamAssassin. I also always recommend buying a *decent* RAID controller with battery-backed write-back cache as fast disk access is a requirement to cope with busy periods and future growth and. Cheers, Steve. From hvdkooij at vanderkooij.org Wed Apr 4 12:27:53 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Apr 4 12:36:09 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: References: <00b801c7754a$dd9074d0$6501a8c0@zorak> <46125088.2060207@nkpanama.com> Message-ID: On Wed, 4 Apr 2007, Res wrote: > On Tue, 3 Apr 2007, Alex Neuman van der Hans wrote: > >> Res wrote: >> > On Mon, 2 Apr 2007, Jim Coates wrote: >> > >> > > Because of how we track bonded sender info and such, I need to have >> > > both >> > > domains (one for each company) sending outgoing mail on different IPs. >> > >> > Look at Sendmail 8.14.x >> > >> > This will probably mean dumping whatever flavour distros ancient version >> > you have installed and useing the tarball. >> > >> Unless you have a redhat-like distro; if you do, you can find the rpms >> (with source rpms as well) at http://www.city-fan.org/ftp/contrib/mail/ > > The only problem with redhat, is for the same reason I said dump the distro > flavours version... they only back patch for security, they dont include the > patches that are for new features, nor always stay up to date fully current > in releases. There is no argument that the Distro default version is not update the way most would like. But RHEL and Centos allow one to use additional repositories and those tend to be up-to-date. I prefer to use it that way. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From drew at technologytiger.net Wed Apr 4 12:31:37 2007 
From: drew at technologytiger.net (Drew Marshall) Date: Wed Apr 4 12:39:53 2007 Subject: New Server Specs? In-Reply-To: <438fe811fed68506632f49ffa4fc2edf@62.49.223.244> References: <438fe811fed68506632f49ffa4fc2edf@62.49.223.244> Message-ID: <46353.194.70.180.170.1175686297.squirrel@www.technologytiger.net> On Wed, April 4, 2007 11:37, --[ UxBoD ]-- wrote: > We also put the Postfix > queues on a TMPFS for improved > performance, hence having quite a large amount of memory. I would watch having your main MTA queues in TMPFS, although I am sure you have it covered with multiple redundant power etc. IF the power did die then all the mail in the MTA queues would also go west. Not an issue for MailScanner as that's what it does on start up any way (Flush it's work directories) and then it picks up the messages fresh from the hold queue or incoming process (Depending on MTA). Personally I would have err, upset, users if all the mail that was waiting to be processed in the hold queue or delivered in the ../incoming/ queue went missing due to some unforseen error (Cleaner pulling out power cord, datacenter's diverse power not failing over etc, etc). Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From uxbod at splatnix.net Wed Apr 4 13:12:49 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Apr 4 13:21:12 2007 Subject: New Server Specs? In-Reply-To: <46353.194.70.180.170.1175686297.squirrel@www.technologytiger.net> References: <46353.194.70.180.170.1175686297.squirrel@www.technologytiger.net> Message-ID: Drew, You are absolutely spot on with your observation, and I should take more care when writing emails ;) Yes, the MailScanner queue is on TMPFS, and it is the SpamAssassin cache that I have put on there aswell. Regards, UxBoD On Wed, 4 Apr 2007 12:31:37 +0100 (BST), "Drew Marshall" wrote: > On Wed, April 4, 2007 11:37, --[ UxBoD ]-- wrote: >> We also put the Postfix > >> queues on a TMPFS for improved >> performance, hence having quite a large amount of memory. > > I would watch having your main MTA queues in TMPFS, although I am sure you > have it covered with multiple redundant power etc. IF the power did die > then all the mail in the MTA queues would also go west. Not an issue for > MailScanner as that's what it does on start up any way (Flush it's work > directories) and then it picks up the messages fresh from the hold queue > or incoming process (Depending on MTA). Personally I would have err, > upset, users if all the mail that was waiting to be processed in the hold > queue or delivered in the ../incoming/ queue went missing due to some > unforseen error (Cleaner pulling out power cord, datacenter's diverse > power not failing over etc, etc). > > Drew From amoore at dekalbmemorial.com Wed Apr 4 14:06:03 2007 From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Wed Apr 4 14:14:19 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: References: <46125088.2060207@nkpanama.com> Message-ID: <60D398EB2DB948409CA1F50D8AF122570222109F@exch1.dekalbmemorial.local> Jim Coates wrote: >> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Alex Neuman van der Hans Sent: Tuesday, April 03, 2007 8:03 AM >> To: MailScanner discussion >> Subject: Re: OT: Multiple Outgoing IPs? >> >> >> Res wrote: >>> On Mon, 2 Apr 2007, Jim Coates wrote: >>> >>>> Because of how we track bonded sender info and such, I need to have >>>> both domains (one for each company) sending outgoing mail on >>>> different IPs. >>> >>> Look at Sendmail 8.14.x >>> >>> This will probably mean dumping whatever flavour distros ancient >>> version you have installed and useing the tarball. >>> >>> >> Unless you have a redhat-like distro; if you do, you can find the >> rpms (with source rpms as well) at >> http://www.city-fan.org/ftp/contrib/mail/ >> > > Well, I talked to my ISP about the "multiple instances of SendMail" > and this was the response they gave me: > > Sendmail by default listens on all avialable ip addresses. Using the > outline you've provided does the following: > > 2 seperate instances of sendmail, 1 listening on the base ip while > the other listens on the second ip. > > One then can be configured to relay all mail received to a smart > host, while the other doesn't. However, the doesn't prevent a user > from using the first instance. (Nor am I actually sure how to split > the configs amongst sendmail instlalations). > > Additionally, /usr/sbin/sendmail only points to the first queue. > There isn't any way for this to selectively point to the second > queue. The only way to get mail injected to the second queue is by > talking to port 25 on the ip address of the second instance. Any > mail generated from scripts will not work as expected. > > Sendmail will always use the base ip address when sending mail. If > there is a way to change this, I haven't been able to find any > information online regarding this. > > Does this sound right? 
> > Jim You should have a complete config file for each instance of sendmail that you are running. I highly recommend the O'Reilly sendmail books. I've found them invaluable for dealing with sendmail. You might want to take a look at the sections on routing mail in the sendmail Cookbook by Craig Hunt. You can pass a configuration file to sendmail using the -C command line switch. From glancing at some documentation it looks like there can be some limitations when passing it a configuration file. It's covered in section 15.7.17 in the book sendmail by Bryan Costales, Third Edition. Good Luck. Aaron -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, Indiana Phone: 260.920.2808 E-Mail: amoore@dekalbmemorial.com From gmatt at nerc.ac.uk Wed Apr 4 14:10:20 2007 
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Wed Apr 4 14:18:40 2007 Subject: New Server Specs? In-Reply-To: References: Message-ID: <4613A3BC.3090404@nerc.ac.uk> Paul Hutchings wrote: > Thanks all. > > I'm not desparate to do this on the cheap, but obviously I don't want to > be asking for company money for something that is massive, massive > overkill even allowing for future growth/changes etc. > > Currently I'm running on an old Poweredge with a single 2.4ghz Xeon CPU > (single core with hyperthreading) with 1gb of RAM and a single 80gb ATA > drive (we want something that will be under warranty) > > I'm running Spamassassin on incoming mail and ClamAV on all mail with no > OCR checks though this may be something I'll do in the future via > FuzzyOCR. > > I'm no expert on Linux benchmarking but uptime shows "load average: > 1.23, 1.43, 1.20". looks like you are not stretching this box too much. With hyperthreading turned on, a load average of 2 would be a good indication that the processor was never twiddling its metaphorical thumbs. That said, network services are notoriously "bursty" so you need to plan for times of high load. Consider software raid over hardware raid as it can often be faster and provided you take backups, your raid config is archived for disaster recovery. Also nice to have a good size disk area so that both spam and ham can be stored in the short term for learning/reporting. Useful too if you are relaying for other sites/domains and need to queue up mail when their servers are down. Of course, mail doesnt actually take up much space so you dont need a huge array of disks. We have about 5000 active mailboxes and I'd be happy with a 50GB mirror for short term archive/quarantine but I'd probably over-spec by a factor of two. As mentioned previously, buy lots of memory. A dual processor box will happily chew up 3-4GB of ram. 
Dual/quad core is /probably/ ok given that your processes are likely to be IO bound which should make up for memory controller latencies. Why not ask Sun for a loan of a T1000 machine with 8 cores and 32 threads? I think they are still doing a no-obligation "try and buy" scheme for these. The list would probably be v. interested in your results. > > I was looking at HP originally and then I looked at Sun and noticed > their X2100 appear to be very good VFM (and are SLES approved which > suggests I should be able to install OpenSuse "out the box"). > judging by your existing spec and LA, an X2100 will probably be fine, I'd be tempted to up the spec to a dual processor X2200 to really future-proof yourself. Again, Sun will lend you one for 60 days if you want to try it. GREG > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Freegard > Sent: 04 April 2007 11:44 > To: MailScanner discussion > Subject: Re: New Server Specs? > > Paul Hutchings wrote: >> My question is, broadly speaking which would be best to have more of, >> CPU, ram, or disk subsystem? >> I'm looking at the cheapest HP/Sun/Dell servers which tend to be SATA >> disks and slower dual-core CPUs but with plenty of memory slots. > > As Martin mentioned - memory is one key piece, you need to have 1Gb per > CPU core, then set Max Children to 5 * CPU Cores for optimum > performance. Any form of swapping/paging will quickly kill performance > of MailScanner/SpamAssassin. > > I also always recommend buying a *decent* RAID controller with > battery-backed write-back cache as fast disk access is a requirement to > cope with busy periods and future growth and. > > Cheers, > Steve. -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From martinh at solidstatelogic.com Wed Apr 4 15:23:52 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Apr 4 15:32:54 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: Jules Welcome back to land of the living....... Take your time, have a good easter..... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 03 April 2007 18:28 > To: MailScanner discussion > Subject: I'm back at home > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From wim at unetix.nl Wed Apr 4 15:35:08 2007 
From: wim at unetix.nl (Wim Bakker) Date: Wed Apr 4 15:42:51 2007 Subject: Missing headers in mailscanner Message-ID: <4613B79C.5020601@unetix.nl> Hello, recently I installed mailscanner on a testserver to obtain information on it's behaviour. Setup: postfix-2.3.xx , mailscanner with recommended tarball for clamav and spamassassin. Mailwatch as webfrontend to mailscanner. The machine was then configured to accept mail for and transport mail after scanning to another server for a testmaildomain and after altering the MX records for that testdomain the test begun. Mail directly sent at the accounts in the testmaildomain were processed ok , spamchecking and virus scanning went ok and mail was transported correctly to the destination mailserver. To increase the amount of mail that had to be processed, I made an extra transport entry on another mailserver where I have an account to forward all mail to that account to one of the accounts on the testmaildomain. So : destination@maildomain.nl was transported to destination@testmaildomain.nl and that is where things became annoying. A lot of mail that came in from the transport was stripped from the subject line , the to line and was unreadable. Why would this happen ? Allso I note that mail that is regarded as spam gets a subject rewrite to : { spam? } (with a lot of times the orig_subject disappearing) where does the "{ spam? }" come from, I certainly don't have it in my spam.assassin.prefs.conf because I don't want a subject rewrite. Apart from these not so minor glitches the system works perfect, so I really would like to know why this happens in the case of a transport from another server. 
Example of headers from a unreadable mail : ------------------------------- Return-Path: Received: from mail.bhagwato.eu ([unix socket]) by www.bhagwato.eu (Cyrus v2.3.3) with LMTPA; Sun, 01 Apr 2007 14:11:11 +0200 X-Sieve: CMU Sieve 2.3 Received: from mx1.unetix.nl (mx1.unetix.nl [194.109.108.70]) by mail.bhagwato.eu (Postfix) with ESMTP id A943424291B4 for ; Sun, 1 Apr 2007 14:11:11 +0200 (CEST) Received: from mailgateway.unetix.nl (unknown [213.84.10.61]) by mx1.unetix.nl (Postfix) with ESMTP id 6096E303F6F7 for ; Sun, 1 Apr 2007 14:11:02 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by mailgateway.unetix.nl (Postfix) with ESMTP id D64B220DF45; Sun, 1 Apr 2007 14:11:34 +0200 (CEST) Received: from mailgateway.unetix.nl (localhost [127.0.0.1]) by mailgateway.unetix.nl (Postfix) with SMTP id C2D4020DF42; Sun, 1 Apr 2007 14:11:34 +0200 (CEST) Received: from mailgateway.unetix.nl ([127.0.0.1]) by mailgateway.unetix.nl ([192.168.253.1]) with SMTP (gateway) id A05F129EE8C; Sun, 01 Apr 2007 14:11:34 +0200 Received: by mailgateway.unetix.nl (Postfix, from userid 1001) id 950C720DF46; Sun, 1 Apr 2007 14:11:34 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mailgateway.unetix.nl X-Spam-Level: MIME-Version: 1.0 X-unetix.nl-MailScanner-Information: Please contact the ISP for more information X-unetix.nl-MailScanner: Found to be clean X-unetix.nl-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=9.402, required 3.3, BAYES_99 2.00, BODY_ENHANCEMENT2 0.74, FORGED_RCVD_HELO 0.14, J_CHICKENPOX_47 1.60, J_CHICKENPOX_73 1.60, MISSING_HB_SEP 2.50, MISSING_SUBJECT 0.70, TO_CC_NONE 0.13) X-unetix.nl-MailScanner-SpamScore: sssssssss X-unetix.nl-MailScanner-From: kolab-devel-bounces@kolab.org Subject: {Spam?} X-Spam-MX1: Yes Message-Id: <20070401121111.A943424291B4@mail.bhagwato.eu> Date: Sun, 1 Apr 2007 14:11:11 +0200 (CEST) 
From: kolab-devel-bounces@kolab.org To: undisclosed-recipients:; ---------------------------------- From martinh at solidstatelogic.com Wed Apr 4 15:41:03 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Apr 4 15:49:24 2007 Subject: Missing headers in mailscanner In-Reply-To: <4613B79C.5020601@unetix.nl> Message-ID: <771bd83a4c120847bc3fb560c787e9c7@solidstatelogic.com> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Wim Bakker > Sent: 04 April 2007 15:35 > To: mailscanner@lists.mailscanner.info > Subject: Missing headers in mailscanner > > > Hello, > > recently I installed mailscanner on a testserver to > obtain information on it's behaviour. > Setup: > > postfix-2.3.xx , mailscanner with recommended tarball > for clamav and spamassassin. > Mailwatch as webfrontend to mailscanner. > The machine was then configured to accept mail for and > transport mail after scanning to another server > for a testmaildomain and after altering the MX records for that > testdomain the test begun. > > Mail directly sent at the accounts in the testmaildomain > were processed ok , spamchecking and virus scanning went > ok and mail was transported correctly to the destination > mailserver. > > To increase the amount of mail that had to be processed, > I made an extra transport entry on another mailserver > where I have an account to forward all mail to that > account to one of the accounts on the testmaildomain. > So : > destination@maildomain.nl was transported to > destination@testmaildomain.nl and that is where things became annoying. > A lot of mail that came in from the transport was > stripped from the subject line , the to line and > was unreadable. Why would this happen ? > Allso I note that mail that is regarded as spam > gets a subject rewrite to : > { spam? } (with a lot of times the orig_subject > disappearing) > where does the "{ spam? }" come from, I certainly don't have it in > my spam.assassin.prefs.conf because I don't want a subject rewrite. > Apart from these not so minor glitches the system works > perfect, so I really would like to know why this happens in the > case of a transport from another server. 
> Example of headers from a unreadable mail : > ------------------------------- > Return-Path: > Received: from mail.bhagwato.eu ([unix socket]) > by www.bhagwato.eu (Cyrus v2.3.3) with LMTPA; > Sun, 01 Apr 2007 14:11:11 +0200 > X-Sieve: CMU Sieve 2.3 > Received: from mx1.unetix.nl (mx1.unetix.nl [194.109.108.70]) > by mail.bhagwato.eu (Postfix) with ESMTP id A943424291B4 > for ; Sun, 1 Apr 2007 14:11:11 +0200 (CEST) > Received: from mailgateway.unetix.nl (unknown [213.84.10.61]) > by mx1.unetix.nl (Postfix) with ESMTP id 6096E303F6F7 > for ; Sun, 1 Apr 2007 14:11:02 +0200 (CEST) > Received: from localhost (localhost [127.0.0.1]) > by mailgateway.unetix.nl (Postfix) with ESMTP id D64B220DF45; > Sun, 1 Apr 2007 14:11:34 +0200 (CEST) > Received: from mailgateway.unetix.nl (localhost [127.0.0.1]) > by mailgateway.unetix.nl (Postfix) with SMTP id C2D4020DF42; > Sun, 1 Apr 2007 14:11:34 +0200 (CEST) > Received: from mailgateway.unetix.nl ([127.0.0.1]) > by mailgateway.unetix.nl ([192.168.253.1]) > with SMTP (gateway) id A05F129EE8C; Sun, 01 Apr 2007 14:11:34 > +0200 > Received: by mailgateway.unetix.nl (Postfix, from userid 1001) > id 950C720DF46; Sun, 1 Apr 2007 14:11:34 +0200 (CEST) > X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on > mailgateway.unetix.nl > X-Spam-Level: > MIME-Version: 1.0 > X-unetix.nl-MailScanner-Information: Please contact the ISP for more > information > X-unetix.nl-MailScanner: Found to be clean > X-unetix.nl-MailScanner-SpamCheck: spam, SpamAssassin (not cached, > score=9.402, required 3.3, BAYES_99 2.00, BODY_ENHANCEMENT2 0.74, > FORGED_RCVD_HELO 0.14, J_CHICKENPOX_47 1.60, J_CHICKENPOX_73 > 1.60, > MISSING_HB_SEP 2.50, MISSING_SUBJECT 0.70, TO_CC_NONE 0.13) > X-unetix.nl-MailScanner-SpamScore: sssssssss > X-unetix.nl-MailScanner-From: kolab-devel-bounces@kolab.org > Subject: {Spam?} > X-Spam-MX1: Yes > Message-Id: <20070401121111.A943424291B4@mail.bhagwato.eu> > Date: Sun, 1 Apr 2007 14:11:11 +0200 (CEST) 
> From: kolab-devel-bounces@kolab.org > To: undisclosed-recipients:; Hi Look at the X-unetix.nl-MailScanner: header.... A . in the X- header can cause a lot of problems and I'm pretty sure it's an illegal character at that point. Remove the . from the %org-name% setting in MailScanner.conf The {Spam?} subject modifier is done by MailScanner - have a search for this in MailScanner.conf and hopefully you'll see where this is done... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From wim at unetix.nl Wed Apr 4 15:51:47 2007 
From: wim at unetix.nl (Wim Bakker) Date: Wed Apr 4 15:59:29 2007 Subject: Re. : Missing headers in mailscanner Message-ID: <4613BB83.9020906@unetix.nl> Is it possible that mailscanner gets confused about the added header from the first mailserver that allso checks for spam on incoming mail : ------------------------------- X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mailgateway.unetix.nl X-Spam-Level: --------------------- And then transports a copy of the incoming mail to the testmailserver where mailscanner checks again : ------------------ MIME-Version: 1.0 X-unetix.nl-MailScanner-Information: Please contact the ISP for more information X-unetix.nl-MailScanner: Found to be clean X-unetix.nl-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=9.402, required 3.3, BAYES_99 2.00, BODY_ENHANCEMENT2 0.74, FORGED_RCVD_HELO 0.14, J_CHICKENPOX_47 1.60, J_CHICKENPOX_73 1.60, MISSING_HB_SEP 2.50, MISSING_SUBJECT 0.70, TO_CC_NONE 0.13) X-unetix.nl-MailScanner-SpamScore: sssssssss X-unetix.nl-MailScanner-From: kolab-devel-bounces@kolab.org Subject: {Spam?} X-Spam-MX1: Yes Message-Id: <20070401121111.A943424291B4@mail.bhagwato.eu> Date: Sun, 1 Apr 2007 14:11:11 +0200 (CEST) From: kolab-devel-bounces@kolab.org To: undisclosed-recipients:; ---------------------------------- Because that seems to be the cause of the missing parts of the headers, Wim bakker From list-mailscanner at linguaphone.com Wed Apr 4 15:55:44 2007 
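For triaging a message like the one quoted in the "Missing headers in mailscanner" thread above, the per-rule breakdown in the MailScanner SpamCheck header can be parsed to separate rules that describe a structurally damaged message from rules that score its content. This is an added example, not part of any post and not MailScanner's own code; the function names are hypothetical, the sample input is constructed from the headers quoted in the thread, and the rule meanings are the stock SpamAssassin descriptions.

```python
import re
from email import message_from_string

# Constructed sample: the MailScanner headers quoted in the thread, folded
# with leading whitespace on continuation lines as they would be on the wire.
SAMPLE = """\
X-unetix.nl-MailScanner: Found to be clean
X-unetix.nl-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
\tscore=9.402, required 3.3, BAYES_99 2.00, BODY_ENHANCEMENT2 0.74,
\tFORGED_RCVD_HELO 0.14, J_CHICKENPOX_47 1.60, J_CHICKENPOX_73 1.60,
\tMISSING_HB_SEP 2.50, MISSING_SUBJECT 0.70, TO_CC_NONE 0.13)
Subject: {Spam?}
From: kolab-devel-bounces@kolab.org
To: undisclosed-recipients:;

(body omitted)
"""

# The header name embeds the site's %org-name% value, so match it by pattern.
SPAMCHECK_NAME = re.compile(r"^X-(?P<org>.+)-MailScanner-SpamCheck$", re.I)
SPAMCHECK_VALUE = re.compile(
    r"^(?P<verdict>[^,]+),\s*SpamAssassin\s*\((?P<detail>.*)\)$")
RULE = re.compile(r"^(?P<name>[A-Z][A-Z0-9_]*) (?P<score>-?\d+(?:\.\d+)?)$")

# Rules that fire on the shape of the message rather than on what it says.
STRUCTURAL_RULES = {
    "MISSING_HB_SEP": "no blank line between header and body",
    "MISSING_SUBJECT": "no Subject: header",
    "TO_CC_NONE": "no To: or Cc: header",
}


def parse_spamcheck(raw_message):
    """Return the parsed SpamCheck report, or None if the header is absent."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        name_match = SPAMCHECK_NAME.match(name)
        if not name_match:
            continue
        value = " ".join(value.split())  # undo header folding
        value_match = SPAMCHECK_VALUE.match(value)
        if not value_match:
            raise ValueError("unrecognised SpamCheck value: %r" % value)
        report = {
            "org": name_match["org"],
            "verdict": value_match["verdict"].strip(),
            "score": None,
            "required": None,
            "flags": [],   # e.g. "cached" / "not cached"
            "rules": {},   # rule name -> score
        }
        for item in (part.strip() for part in value_match["detail"].split(",")):
            rule = RULE.match(item)
            if item.startswith("score="):
                report["score"] = float(item[len("score="):])
            elif item.startswith("required "):
                report["required"] = float(item.split()[1])
            elif rule:
                report["rules"][rule["name"]] = float(rule["score"])
            elif item:
                report["flags"].append(item)
        return report
    return None


def structural_findings(report):
    """Summarise how much of the score comes from message-structure rules."""
    hits = {n: s for n, s in report["rules"].items() if n in STRUCTURAL_RULES}
    total = round(sum(hits.values()), 2)
    required = report["required"]
    return {
        "hits": hits,
        "structural_score": total,
        "over_threshold_on_structure_alone":
            required is not None and total >= required,
    }


if __name__ == "__main__":
    parsed = parse_spamcheck(SAMPLE)
    summary = structural_findings(parsed)
    print("verdict:", parsed["verdict"], parsed["score"], "/", parsed["required"])
    for rule_name, rule_score in summary["hits"].items():
        print("  %-16s %5.2f  %s" % (rule_name, rule_score,
                                      STRUCTURAL_RULES[rule_name]))
    print("structural score:", summary["structural_score"],
          "(alone over threshold: %s)"
          % summary["over_threshold_on_structure_alone"])
```

When the structural rules alone clear the threshold, the message was already malformed when SpamAssassin scanned it, so the place to look is whatever handled it before the scan.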
From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 4 16:04:01 2007 Subject: stopping clamav detecting encrypted zip files Message-ID: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> I use mailscanner to manage the quarantine. The problem that I am getting is that clamav is detecting encrypted zip files as a virus. The only config file I can find is in /usr/local/clamd.conf which says that feature is disabled by default and I have the line commented out. Any ideas? From am.lists at gmail.com Wed Apr 4 16:05:35 2007 From: am.lists at gmail.com (am.lists) Date: Wed Apr 4 16:13:46 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> On 4/4/07, Gareth wrote: > I use mailscanner to manage the quarantine. > The problem that I am getting is that clamav is detecting encrypted zip > files as a virus. The only config file I can find is in > /usr/local/clamd.conf which says that feature is disabled by default and > I have the line commented out. > > Any ideas? > Yes. It's in /etc/MailScanner.conf (or wherever your MailScanner.conf is)

# Should encrypted messages be blocked?
# This is useful if you are wary about your users sending encrypted
# messages to your competition.
# This can be a ruleset so you can block encrypted message to certain domains.
Block Encrypted Messages = no

Angelo From list-mailscanner at linguaphone.com Wed Apr 4 16:09:24 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 4 16:17:38 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> Message-ID: <1175699364.15557.51.camel@gblades-suse.linguaphone-intranet.co.uk> On Wed, 2007-04-04 at 16:05, am.lists wrote: > On 4/4/07, Gareth wrote: > > I use mailscanner to manage the quarantine. > > The problem that I am getting is that clamav is detecting encrypted zip > > files as a virus. The only config file I can find is in > > /usr/local/clamd.conf which says that feature is disabled by default and > > I have the line commented out. > > > > Any ideas? > > > > Yes. It's in /etc/MailScanner.conf (or wherever your MailScanner.conf is) > > # Should encrypted messages be blocked? > # This is useful if you are wary about your users sending encrypted > # messages to your competition. > # This can be a ruleset so you can block encrypted message to certain domains. > Block Encrypted Messages = no I have that set to yes which is what I want. Mailscanner detects it as an encrypted zip and blocks it. The problem I have is that clamav also detects it as a virus and so I am unable to release the message using mailwatch as it is classed as dangerous content. From jan-peter at koopmann.eu Wed Apr 4 16:12:57 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Wed Apr 4 16:19:07 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: Hi Jules, I am very glad you are back under the living. And I am glad your parents successfully convinced you not to start work again right away. :-) Please take all the time you need for a full recovery. You most obviously have done a brilliant job with MailScanner so far since no major bugs or urgent wishes came up during the past weeks. Let's assume this will continue so by all means: There is no reason whatsoever to "come back" too soon. :-) Other than that I agree with most others here: - Get well!!! - We are very glad you are back! - The only real topic was SAV and the religious "war" over it was fun to read but not too important. - Tell your parents we said hi and they are welcome to stop by any time at our places to improve living quality here as well! :-) - Next time you need "Home Improvement" let us know and we will try to collectively arrange something that does not endanger your health so much. GET WELL! Best wishes, JP From jan-peter at koopmann.eu Wed Apr 4 16:16:35 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Wed Apr 4 16:22:44 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: References: Message-ID: On Tuesday, April 03, 2007 9:05 PM Thiago Martins wrote: > Is there any possibilities to insert some header or any other way to > make Microsoft Outlook or Exchange know that a message is SPAM? Google for SMTPTracker. It runs on the Exchange server, interprets the Spam-Headers you set with MailScanner and sets the Exchange Spam Confidence Level so Spam will be delivered to Junk-Mail Folder in Outlook. Great tool and cheap! Kind regards Jan-Peter Koopmann From Kevin_Miller at ci.juneau.ak.us Wed Apr 4 16:30:03 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Apr 4 16:37:59 2007 Subject: Call For Open Source Awards 2007 Nominations In-Reply-To: <625385e30704040158k6cf91518vb48076c913e8cc0b@mail.gmail.com> References: <56781.200.46.17.228.1175640458.squirrel@nkpanama.com> <625385e30704040158k6cf91518vb48076c913e8cc0b@mail.gmail.com> Message-ID: shuttlebox wrote: > On 4/4/07, Alex Neuman wrote: >> Help nominate MailScanner for the Open Source Awards... >> >> http://radar.oreilly.com/archives/2007/04/call_for_open_s.html > > I have sent a nomination for Julian. > > -- > /peter Excellent - so does it help if more folks add comments? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From shuttlebox at gmail.com Wed Apr 4 16:42:19 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Apr 4 16:50:34 2007 Subject: Call For Open Source Awards 2007 Nominations In-Reply-To: References: <56781.200.46.17.228.1175640458.squirrel@nkpanama.com> <625385e30704040158k6cf91518vb48076c913e8cc0b@mail.gmail.com> Message-ID: <625385e30704040842i38f638a2s24104b5397f398cf@mail.gmail.com> On 4/4/07, Kevin Miller wrote: > Excellent - so does it help if more folks add comments? Don't comment the announcement - send your nomination to the address mentioned in the announcement. I guess it will help since everyone who nominates Julian will write why they think he deserves it, the more reasons we give the jury the more likely they are to like at least one of them. :-) -- /peter From daniel.maher at ubisoft.com Wed Apr 4 16:42:36 2007 
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Wed Apr 4 16:50:48 2007 Subject: [somewhat OT] multiple relayhosts-style behaviour in postfix 2.0.x? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204AEB9B7@UBIMAIL1.ubisoft.org> Hello all, I am curious if anybody knows of a way to have Postfix 2.0.x to exhibit the behaviour of multiple relayhost entries? To explain further: I have been asked by management to test a number of anti-spam tools (including DefenderMX, Barracuda, and so forth) under "real world" conditions. Since I'm not about to replace my existing border-SMTP servers with an untested infrastructure, the only real solution would be to have the Postfix instances split or mirror their SMTP traffic to the test servers (which would, of course, ultimately deliver to /dev/null). Since literally specifying multiple relayhosts is not permitted (since 1.x), can anybody think of a way to force the above noted behaviour in Postfix 2.0.x? And yes, I realise that 2.0.x is very old - this is one of the major reasons we're testing new systems... Thanks! p.s. Though I realise this question is Postfix-specific, please don't get your flame on - we're all friends here. :-) -- _ ?v? Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007. From rpoe at plattesheriff.org Wed Apr 4 16:50:25 2007 
From: rpoe at plattesheriff.org (Rob Poe) Date: Wed Apr 4 16:59:00 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <461382FC.65ED.00A2.0@plattesheriff.org> It's just GREAT to see that you're doing ok. Just rest, take it easy, enjoy the clean house. Is THAT what I have to do to get my parents to clean my house? Hmmmm.... Maybe I'll just live with the clutter < smile that's supposed to be funny >. Seriously though. Thanks for the update - and you've got some really awesome people you work with, Julian. >>> Julian Field 4/3/2007 12:27 PM >>> >It's going to be a fair while before I'm up to doing anything to do with >MailScanner. From am.lists at gmail.com Wed Apr 4 16:52:27 2007 
From: am.lists at gmail.com (am.lists) Date: Wed Apr 4 17:00:37 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <1175699364.15557.51.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> <1175699364.15557.51.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <25a66d840704040852k9db4cdei69d0717e5496be7e@mail.gmail.com> On 4/4/07, Gareth wrote: > On Wed, 2007-04-04 at 16:05, am.lists wrote: > > On 4/4/07, Gareth wrote: > > > I use mailscanner to manage the quaranteen. > > > The problem that I am getting is that clamav is detecting encrypted zip > > > files as a virus. The only config file I can find is in > > > /usr/local/clamd.conf which sais that feature is disabled by default and > > > I have the line commented out. > > > > > > Any ideas? > > > > > > > Yes. It's in /etc/MailScanner.conf (or wherever your MailScanner.conf is) > > > > # Should encrypted messages be blocked? > > # This is useful if you are wary about your users sending encrypted > > # messages to your competition. > > # This can be a ruleset so you can block encrypted message to certain domains. > > Block Encrypted Messages = no > > I have that set to yes which is what I want. Mailscanner detects it as a > encrypted zip and blocks it. > The problem I have is that clamav also detects it as a virus and so I am > unable to release the message using mailwatch as it is classed as > dangerous content. > How about setting this to no... I'm not sure about this (others, any help here?) but if MS uses Clam to determine if it's a clean file or not, and if you tell it to block encrypted messages, (your setting of 'yes' above), then the below will say that if clam (or any other a/v) says it's not a clean message, don't bother quarantining the message. # Do you want to stop any virus-infected spam getting into the spam or MCP # archives? 
If you have a system where users can release messages from the # spam or MCP archives, then you probably want to stop them being able to # release any infected messages, so set this to yes. # It is set to no by default as it causes a small hit in performance, and # many people don't allow users to access the spam quarantine, so don't # need it. # This can also be the filename of a ruleset. Keep Spam And MCP Archive Clean = yes If you turn this setting off, you should be able to release the file. -Angelo From amoore at dekalbmemorial.com Wed Apr 4 17:04:28 2007 
From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Wed Apr 4 17:12:38 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk><25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> Message-ID: <60D398EB2DB948409CA1F50D8AF122570222119B@exch1.dekalbmemorial.local> Gareth wrote: > On Wed, 2007-04-04 at 16:05, am.lists wrote: >> On 4/4/07, Gareth wrote: >>> I use mailscanner to manage the quaranteen. >>> The problem that I am getting is that clamav is detecting encrypted >>> zip files as a virus. The only config file I can find is in >>> /usr/local/clamd.conf which sais that feature is disabled by default >>> and I have the line commented out. >>> >>> Any ideas? >>> >> >> Yes. It's in /etc/MailScanner.conf (or wherever your MailScanner.conf >> is) >> >> # Should encrypted messages be blocked? >> # This is useful if you are wary about your users sending encrypted >> # messages to your competition. # This can be a ruleset so you can >> block encrypted message to certain domains. Block Encrypted Messages >> = no > > I have that set to yes which is what I want. Mailscanner detects it > as a encrypted zip and blocks it. > The problem I have is that clamav also detects it as a virus and so I > am unable to release the message using mailwatch as it is classed as > dangerous content. Are you using the clamavmodule? I've had the same problem. There's a commandline switch to turn that notice if when using clamscan, but not with the module. I'd suggested earlier that someone should add code for clamav, like the code for Sophos that allows you to specify messages to ignore. The behaviour in MailWatch is to prevent the release of anything with a virus, which is generally a good thing to do. Especially if you're allowing your users to release their own messages. 
Since MailScanner thinks an encrypted file warning from ClamAV is a virus and flags the message as such, it can not be released. In order to release it, you'll need to manually modify the entry in the MailWatch database for that message to clear the virusinfected flag.

$ mysql -u username -p
username's password: ***********
mysql> use mailscanner;
mysql> update maillog set virusinfected=0 where id='xxxxxxxxxxx';
mysql> quit

Replace xxxxxxxxxxx with the message id. You should now be able to release the message through MailWatch. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, Indiana Phone: 260.920.2808 E-Mail: amoore@dekalbmemorial.com From q at snj.ca Wed Apr 4 17:04:16 2007 From: q at snj.ca (Quintin Giesbrecht) Date: Wed Apr 4 17:13:49 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <2BE78592B3B1824F97A2685E96221F627034F4@mail.snj.mb.ca> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Tuesday, April 03, 2007 12:28 PM To: MailScanner discussion Subject: I'm back at home -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 tubes, a ventilator, 2 nurses and a technician looking after just me, 24 hours a day. They finally brought me round when I was well enough, and I then spent the next 2 weeks learning how breathe, talk, use my hands, walk and all the necessary stuff like that. So I am now back at home, and have my parents living in my house with me helping to look after me. We are all getting on fine, and life would be really hard if they weren't here. They have fixed everything and cleared out all my old junk that I don't want any more, so I now have a nice tidy house again with plenty of spare space. I won't be able to find anything for a while, but it's really nice to have everything neat and tidy again :-) It's going to be a fair while before I'm up to doing anything to do with MailScanner. This note is basically to send a very big thankyou for all the Get Well Soon cards you have sent me from all over the world, along with all the emails sending your best wishes too. They are all very much appreciated and it really brightened up my day every time someone from work called in with some more cards from around the globe. So thank you very much for all of them! So I'm still alive, though it was very touch and go for the first 10 days, and more or less back in the land of the living. Don't expect any more than the odd health update for a while yet though :-) Cheers, Jules. - -- Glad to hear you're home! Sounds like you have great parents who care a lot about you! Cheers to them, and continue to rest and renew your strength! Quintin IT Manager Smith Neufeld Jodoin LLP q@snj.ca From dhawal at netmagicsolutions.com Wed Apr 4 17:37:32 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Apr 4 17:46:05 2007 Subject: Adding Signature based on header? In-Reply-To: <4613734B.9020503@netmagicsolutions.com> References: <461252FA.7090503@netmagicsolutions.com> <46125C7D.1010102@fsl.com> <461269EB.9010008@netmagicsolutions.com> <4612EA6F.3080403@fsl.com> <4613734B.9020503@netmagicsolutions.com> Message-ID: <4613D44C.7030005@netmagicsolutions.com> Dhawal Doshy wrote: > Steve Freegard wrote: >> Hi Dhawal, >> Dhawal Doshy wrote: >>> Steve Freegard wrote: >>>> Hi Dhawal/Paul, >>>> >>>> Dhawal Doshy wrote: >>>>> Has anyone on the list written a header based custom function that >>>>> can be trivially modified for such a purpose? >>>> No - but if one of you can mail me some examples - I have some code in >>>> MailScanner that does something similar that I should be able to >>>> modify and put on the Wiki as this would seem to be pretty useful in a >>>> lot of cases. >>> Would this be enough?? See the part "(Authenticated sender: >>> dhawal@netmagicsolutions.com)" >>> >>> Return-Path: >>> Received: (qmail 2963 invoked from network); 3 Apr 2007 14:47:12 -0000 >>> Received: from db.netmagicians.com (202.87.39.111) >>> by netmagicsolutions.com with SMTP; 3 Apr 2007 14:47:12 -0000 >>> Received: from db.netmagicians.com (db.netmagicians.com [202.87.39.111]) >>> (Authenticated sender: dhawal@netmagicsolutions.com) >>> by db.netmagicians.com (Postfix) with ESMTP id 0934B40109F >>> for ; Tue, 3 Apr 2007 20:15:26 +0530 >>> (IST) >>> Message-Id: <20070403144528.0934B40109F@db.netmagicians.com> >>> Date: Tue, 3 Apr 2007 20:15:26 +0530 (IST) 
>>> From: dhawal@netmagicsolutions.com >>> To: undisclosed-recipients:; >>> >>> Thanks a ton, Steve.. >> >> I've done an initial version which is attached and that I have done some >> basic testing with, it takes a list of trusted IPs and the regexps that >> should be checked against the headers from the trusted IPs to see if the >> connection is authenticated. >> >> Any problems - run set my($debug) = 1; and run MailScanner --debug to >> see what it is doing. > > Wow.. i'll be modifying this for "spam checks" as well since i need to > skip spam checks on authenticated mail. > > Will test it completely and let you know.. Regex matching for the line "127.0.0.1 = Authenticated Sender: (.+)" in SignCleanMessages.conf is case sensitive, once i lowercased "Sender" to "sender", it appears to work as intended.. will test it out with the newer feature (ruleset evaluation within a Custom Function) and post more details.. thanks a lot, - dhawal From pravin.rane at gmail.com Wed Apr 4 17:41:25 2007 From: pravin.rane at gmail.com (Pravin Rane) Date: Wed Apr 4 17:49:39 2007 Subject: I'm back at home In-Reply-To: <2BE78592B3B1824F97A2685E96221F627034F4@mail.snj.mb.ca> References: <46128E8E.1060508@ecs.soton.ac.uk> <2BE78592B3B1824F97A2685E96221F627034F4@mail.snj.mb.ca> Message-ID: <13c021a90704040941u30ee676dl359bc422edfcd7f@mail.gmail.com> Hi Jules, Glad to hear you are back. On 4/4/07, Quintin Giesbrecht wrote: > > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Tuesday, April 03, 2007 12:28 PM > To: MailScanner discussion > Subject: I'm back at home > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > - -- > > Glad to hear you're home! Sounds like you have great parents who care a > lot about you! Cheers to them, and continue to rest and renew your > strength! 
> > Quintin > IT Manager > Smith Neufeld Jodoin LLP > q@snj.ca > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Regards Pravin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/eaa213ac/attachment.html From drew at technologytiger.net Wed Apr 4 17:42:13 2007 
From: drew at technologytiger.net (Drew Marshall) Date: Wed Apr 4 17:50:30 2007 Subject: [somewhat OT] multiple relayhosts-style behaviour in postfix 2.0.x? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204AEB9B7@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D204AEB9B7@UBIMAIL1.ubisoft.org> Message-ID: <49379.194.70.180.170.1175704933.squirrel@www.technologytiger.net> On Wed, April 4, 2007 16:42, Daniel Maher wrote: > Hello all, > > > > I am curious if anybody knows of a way to have Postfix 2.0.x to exhibit > the behaviour of multiple relayhost entries? Have you considered using always_bcc? All you would need to do is set always_bcc = test@domain Then in your aliases file: test test@box.1 test@box.2 etc then put a transport entry in your transport maps file like: box.1 smtp:ip.add.ress.1 box.2 smtp:ip.add.ress.2 Then all mail coming in will automatically be sent to the test boxes as well as delivered as normal. If you set up all the boxes together you should be able to run some direct comparisons between them all. HTH Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From KGoods at AIAInsurance.com Wed Apr 4 18:45:23 2007 
From: KGoods at AIAInsurance.com (Ken Goods) Date: Wed Apr 4 17:54:25 2007 Subject: Call For Open Source Awards 2007 Nominations Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C292D1@aiainsurance.com> shuttlebox wrote: > On 4/4/07, Kevin Miller wrote: >> Excellent - so does it help if more folks add comments? > > Don't comment the announcement - send your nomination to the address > mentioned in the announcement. > > I guess it will help since everyone who nominates Julian will write > why they think he deserves it, the more reasons we give the jury the > more likely they are to like at least one of them. :-) > > -- > /peter I did both.... didn't think it would hurt. :) On the plus side the search engines will pick up the comments. Ken Goods Network Administrator CropUSA Insurance, Inc. From dhawal at netmagicsolutions.com Wed Apr 4 17:52:07 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Apr 4 18:00:20 2007 Subject: [somewhat OT] multiple relayhosts-style behaviour in postfix 2.0.x? In-Reply-To: <49379.194.70.180.170.1175704933.squirrel@www.technologytiger.net> References: <1E293D3FF63A3740B10AD5AAD88535D204AEB9B7@UBIMAIL1.ubisoft.org> <49379.194.70.180.170.1175704933.squirrel@www.technologytiger.net> Message-ID: <4613D7B7.5080203@netmagicsolutions.com> Drew Marshall wrote: > On Wed, April 4, 2007 16:42, Daniel Maher wrote: >> Hello all, >> >> >> >> I am curious if anybody knows of a way to have Postfix 2.0.x to exhibit >> the behaviour of multiple relayhost entries? > > Have you considered using always_bcc? > > All you would need to do is set always_bcc = test@domain > > Then in your aliases file: > > test test@box.1 test@box.2 etc > > then put a transport entry in your transport maps file like: > > box.1 smtp:ip.add.ress.1 > box.2 smtp:ip.add.ress.2 > > Then all mail coming in will automatically be sent to the test boxes as > well as delivered as normal. If you set up all the boxes together you > should be able to run some direct comparisons between them all. Precisely.. just to add a link to excellent advice http://www.postfix.org/ADDRESS_REWRITING_README.html#auto_bcc Note: sender/recipient_bcc_maps are a postfix 2.1+ feature, in your case you can only use always_bcc From list-mailscanner at linguaphone.com Wed Apr 4 18:21:47 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 4 18:30:15 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <25a66d840704040852k9db4cdei69d0717e5496be7e@mail.gmail.com> Message-ID: > How about setting this to no... > > I'm not sure about this (others, any help here?) but if MS uses Clam > to determine if it's a clean file or not, and if you tell it to block > encrypted messages, (your setting of 'yes' above), then the below will > say that if clam (or any other a/v) says it's not a clean message, > don't bother quarantining the message. > > # Do you want to stop any virus-infected spam getting into the spam or MCP > # archives? If you have a system where users can release messages from the > # spam or MCP archives, then you probably want to stop them being able to > # release any infected messages, so set this to yes. > # It is set to no by default as it causes a small hit in performance, and > # many people don't allow users to access the spam quarantine, so don't > # need it. > # This can also be the filename of a ruleset. > Keep Spam And MCP Archive Clean = yes > > If you turn this setting off, you should be able to release the file. I already have that set. Thanks for the suggestion though. From ssilva at sgvwater.com Wed Apr 4 18:34:04 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 4 18:43:07 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 4/3/2007 10:27 AM: > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > Did they have the machine that goes "ping"? ;-P Just kidding... Again I'm glad you are getting better. 
Here is to hoping that they find some way to "fix" things a little better for you so you can have a more comfortable time of things! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From list-mailscanner at linguaphone.com Wed Apr 4 18:38:00 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 4 18:46:22 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <60D398EB2DB948409CA1F50D8AF122570222119B@exch1.dekalbmemorial.local> Message-ID: > Are you using the clamavmodule? I've had the same problem. There's a > commandline switch to turn that notice off when using clamscan, but not > with the module. I'd suggested earlier that someone should add code for > clamav, like the code for Sophos that allows you to specify messages to > ignore. Yes I am. I have the quarantine of silent viruses turned off; the quarantine basically consists of encrypted zip files and other banned attachments which didn't contain a virus. > The behaviour in MailWatch is to prevent the release of anything with a > virus, which is generally a good thing to do. Especially if you're > allowing your users to release their own messages. Since MailScanner > thinks an encrypted file warning from ClamAV is a virus and flags > the message as such, it can not be released. How do you enable users to release their own messages? Is it just a case if they have an account they can do a release or are there extra privileges or a setting which needs to be made somewhere? > In order to release it, you'll need to manually modify the entry in the > MailWatch database for that message to clear the virusinfected flag. I'll have a look at the code to mailwatch tomorrow. I might add a bit of code to check to see if the user is an administrator and then allow them to release the message. Or perhaps just look at the name of the virus and if it is encrypted.zip then ignore the virus flag so it can be released. From KGoods at AIAInsurance.com Wed Apr 4 19:53:51 2007 
From: KGoods at AIAInsurance.com (Ken Goods) Date: Wed Apr 4 19:02:57 2007 Subject: I'm back at home Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C292D2@aiainsurance.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, > 24 hours a day. They finally brought me round when I was well enough, > and I then spent the next 2 weeks learning how breathe, talk, use my > hands, walk and all the necessary stuff like that. > Julian, It made my day to hear you were back at home! My positive thoughts and prayers will continue to be with you daily. Take care, take it easy, and take your own sweet time getting well. It's not that we don't miss you, we just want you to be as healthy and happy as possible before you waste your energy on anything but getting well. Hoping you have a speedy, and comfortable recovery! Kind regards, Ken (from beautiful Hells Canyon, Idaho) Ken Goods Network Administrator CropUSA Insurance, Inc. From stork at openenterprise.ca Wed Apr 4 18:55:10 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Wed Apr 4 19:03:39 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> Message-ID: <4613E67E.8080404@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/4ec6eb0c/stork.vcf From dominian at slackadelic.com Wed Apr 4 19:08:31 2007 
From: dominian at slackadelic.com (Matt Hayes) Date: Wed Apr 4 19:17:00 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: <4613E67E.8080404@openenterprise.ca> References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> Message-ID: <4613E99F.1060306@slackadelic.com> Johnny Stork wrote: > Hmm, tried to send you an email off-list but got this now! What have I > done?? > > > The original message was received at Wed, 4 Apr 2007 10:48:07 -0700 > from johnny.johnnystork.ca [192.168.1.6] > > ----- The following addresses had permanent fatal errors ----- > > (reason: 550 5.7.1 ... Forged hostname for 207.216.240.22) > > ----- Transcript of session follows ----- > ... while talking to valhalla.ausics.net.: > >>>> >>> DATA >>>> > <<< 550 5.7.1 ... Forged hostname for 207.216.240.22 > 550 5.1.1 ... User unknown > <<< 503 5.0.0 Need RCPT (recipient) > > > Johnny, the domain name for 207.216.240.22 does not reverse map back to 207.216.240.22. That's what the issue is. You need to create an A record pointing gateway.johnnystork.ca to 207.216.240.22 -Matt From ssilva at sgvwater.com Wed Apr 4 19:14:03 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 4 19:23:23 2007 Subject: Time to update file command In-Reply-To: References: Message-ID: Res spake the following on 4/3/2007 9:00 PM: > In case you haven't already seen it, and as it is related to MailScanner > and anti virus... > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536 > > And CentOS just sent out an update as file v 4.10. But RedHat probably backported the fixes. I hope!!!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From stork at openenterprise.ca Wed Apr 4 19:28:58 2007 
From: stork at openenterprise.ca (Johnny Stork) Date: Wed Apr 4 19:37:25 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: <4613E99F.1060306@slackadelic.com> References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com> Message-ID: <4613EE6A.3090307@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/b61ca685/stork.vcf From dominian at slackadelic.com Wed Apr 4 19:35:04 2007 
From: dominian at slackadelic.com (Matt Hayes) Date: Wed Apr 4 19:43:40 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: <4613EE6A.3090307@openenterprise.ca> References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com> <4613EE6A.3090307@openenterprise.ca> Message-ID: <4613EFD8.2000801@slackadelic.com> Johnny Stork wrote: > I had actually tried that before, but here is my problem. I run a Scalix > mail server internally and so it is setup to send outgoing mail to > gateway.johnnystork.ca (192.168.1.2) which runs mailscanner and is the > SMTP mail server for my network. But as soon as I add the A record for > gateway.johnnystork.ca so it resolves to 207.216.240.22, the Scalix > mailserver cannot route/forward all outgoing mail to > gateway.johnnystork.ca. Is there any way I can have the internal > machines resolve/see the servers only with their internal IPs, even if > there is a corresponding A record and routable ip address? > Well, if it were me, I would configure the server to relay mail to the internal IP rather than a domain name then add the DNS A record for the correct entry. -matt From Kevin_Miller at ci.juneau.ak.us Wed Apr 4 19:48:08 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Apr 4 19:56:09 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: <4613EFD8.2000801@slackadelic.com> References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com><4613EE6A.3090307@openenterprise.ca> <4613EFD8.2000801@slackadelic.com> Message-ID: Matt Hayes wrote: > Johnny Stork wrote: >> I had actually tried that before, but here is my problem. I run a >> Scalix mail server internally and so it is setup to send outgoing >> mail to gateway.johnnystork.ca (192.168.1.2) which runs mailscanner >> and is the SMTP mail server for my network. But as soon as I add the >> A record for gateway.johnnystork.ca so it resolves to >> 207.216.240.22, the Scalix mailserver cannot route/forward all >> outgoing mail to gateway.johnnystork.ca. Is there any way I can have >> the internal machines resolve/see the servers only with their >> internal IPs, even if there is a corresponding A record and >> routable ip address? >> > > Well, if it were me, I would configure the server to relay mail to the > internal IP rather than a domain name then add the DNS A record for > the correct entry. That would work, but another option is to have two records in DNS:

    int-gateway IN A 192.168.1.2
    gateway IN A 207.216.240.22

and point the Scalix box to int-gateway. You retain the benefits of DNS that way. Yet another option is to set up bind to have multiple views. My internal users see one list of records, external users see another. The hostname may be the same, but the address returned by DNS is different depending on whether they're on my internal lan or the internet... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From jaearick at colby.edu Wed Apr 4 19:52:15 2007 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Apr 4 20:00:33 2007 Subject: sendmail 8.14.1 out Message-ID: Available at www.sendmail.org. Welcome back Julian, I hope that you are feeling better. Jeff Earickson Colby College From dominian at slackadelic.com Wed Apr 4 19:58:08 2007 
From: dominian at slackadelic.com (Matt Hayes) Date: Wed Apr 4 20:06:33 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com><4613EE6A.3090307@openenterprise.ca> <4613EFD8.2000801@slackadelic.com> Message-ID: <4613F540.7010300@slackadelic.com> Kevin Miller wrote: > Matt Hayes wrote: >> Johnny Stork wrote: >>> I had actually tried that before, but here is my problem. I run a >>> Scalix mail server internally and so it is setup to send outgoing >>> mail to gateway.johnnystork.ca (192.168.1.2) which runs mailscanner >>> and is the SMTP mail server for my network. But as soon as I add the >>> A record for gateway.johnnystork.ca so it resolves to >>> 207.216.240.22, the Scalix mailserver cannot route/forward all >>> outgoing mail to gateway.johnnystork.ca. Is there any way I can have >>> the internal machines resolve/see the servers only with their >>> internal IPs, even if there is a corresponding A record and >>> routable ip address? >>> >> Well, if it were me, I would configure the server to relay mail to the >> internal IP rather than a domain name then add the DNS A record for >> the correct entry. > > That would work, but another option is to have two records in DNS: > int-gateway IN A 192.168.1.2 > gateway IN A 207.216.240.22 > and point the Scalix box to int-gateway. You retain the benefits of DNS > that way. > > Yet another option is to set up bind to have multiple views. My > internal users see one list of records, external users see another. The > hostname may be the same, but the address returned by DNS is different > depending on whether they're on my internal lan or the internet... > > > ...Kevin Ahhh very nice. I didn't even consider that. 
:) -Matt From daniel.maher at ubisoft.com Wed Apr 4 20:31:14 2007 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Wed Apr 4 20:39:26 2007 Subject: using mysql w/ spamassassin in a MailScanner stack? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204AEBD5D@UBIMAIL1.ubisoft.org> Hi all, I would like to use MySQL to manage the per-user settings for SpamAssassin (i.e. database replacement for user_prefs), as per the following document: http://wiki.apache.org/spamassassin/UsingSQL Of course, the document assumes that I'm using spamd, which obviously isn't the case on a MailScanner system. Has anybody had any success making this work in a MailScanner setup? Thanks! -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/44643cd2/attachment.html From doc at maddoc.net Wed Apr 4 20:39:11 2007 
From: doc at maddoc.net (Doc Schneider) Date: Wed Apr 4 20:47:23 2007 Subject: using mysql w/ spamassassin in a MailScanner stack? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204AEBD5D@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D204AEBD5D@UBIMAIL1.ubisoft.org> Message-ID: <4613FEDF.30105@maddoc.net> Daniel Maher wrote: > Hi all, > > > > I would like to use MySQL to manage the per-user settings for > SpamAssassin (i.e. database replacement for user_prefs), as per the > following document: > > http://wiki.apache.org/spamassassin/UsingSQL > > > > Of course, the document assumes that I'm using spamd, which obviously > isn't the case on a MailScanner system. Has anybody had any success > making this work in a MailScanner setup? > You don't need to use spamd to use MySQL. I've been using it for a long long time without any problems. -- -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From list-mailscanner at linguaphone.com Wed Apr 4 20:40:56 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 4 20:49:10 2007 Subject: using mysql w/ spamassassin in a MailScanner stack? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204AEBD5D@UBIMAIL1.ubisoft.org> Message-ID: I use mailwatch and it has a plugin for Mailscanner to enable it to manage whitelists, blacklists and per user spam thresholds. Perhaps that would be sufficient to do what you want? -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Daniel Maher Sent: 04 April 2007 20:31 To: MailScanner discussion Subject: using mysql w/ spamassassin in a MailScanner stack? Hi all, I would like to use MySQL to manage the per-user settings for SpamAssassin (i.e. database replacement for user_prefs), as per the following document: http://wiki.apache.org/spamassassin/UsingSQL Of course, the document assumes that I'm using spamd, which obviously isn't the case on a MailScanner system. Has anybody had any success making this work in a MailScanner setup? Thanks! -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/6b3df8c7/attachment.html From itdept at fractalweb.com Wed Apr 4 21:23:49 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Apr 4 21:32:08 2007 Subject: extra headers, but only to certain addresses Message-ID: <46140955.8040307@fractalweb.com> Hi everyone, I've discovered something a bit odd, and it's got me stumped. Mail sent to some accounts get some extra headers tacked on to the top that all start with "X-Spam-", yet messages from the same address to other accounts on the same server don't get the headers. I've even tested sending the same message to both users and tailing their mailbox files, and indeed, headers are added in one case, but not another. The extra headers are: X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on test.testserver5.com X-Spam-Level: X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.1.8 Does this mean these messages are being run through spamassassin twice? Or is there a setting in MailScanner that could be doing this? But I still don't understand the inconsistency. Chris From hvdkooij at vanderkooij.org Wed Apr 4 22:21:23 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Apr 4 22:29:44 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: <4613EE6A.3090307@openenterprise.ca> References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com> <4613EE6A.3090307@openenterprise.ca> Message-ID: On Wed, 4 Apr 2007, Johnny Stork wrote: > I had actually tried that before, but here is my problem. I run a Scalix mail > server internally and so it is setup to send outgoing mail to > gateway.johnnystork.ca (192.168.1.2) which runs mailscanner and is the SMTP > mail server for my network. But as soon as I add the A record for > gateway.johnnystork.ca so it resolves to 207.216.240.22, the Scalix > mailserver cannot route/forward all outgoing mail to gateway.johnnystork.ca. > Is there any way I can have the internal machines resolve/see the servers > only with their internal IPs, even if there is a corresponding A record and > routable ip address? Stupid suggestion which works just about all the time: Override DNS entries for A records with an entry in the local hosts file. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From res at ausics.net Thu Apr 5 02:03:06 2007 
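The "Forged hostname for 207.216.240.22" rejection and the three DNS fixes proposed in the "Bounced Mail - DNS Problems?" thread above can be checked with a forward-confirmed reverse DNS test; this is an added example, not code from any poster or from sendmail. The record sets are constructed: the two addresses and the names gateway and int-gateway come from the thread, while the PTR target, the int-gateway zone and the status labels are assumptions of this example.

```python
import ipaddress
import socket

PUBLIC_IP = "207.216.240.22"     # from the bounce in the thread
INTERNAL_IP = "192.168.1.2"      # MailScanner gateway on the LAN
GATEWAY = "gateway.johnnystork.ca"
INT_GATEWAY = "int-gateway.johnnystork.ca"   # assumed zone for Kevin's int-gateway
PTR = {PUBLIC_IP: [GATEWAY]}     # assumption: the thread never shows the PTR record

# Constructed views of DNS as seen from outside and from the LAN.
EXTERNAL_BEFORE = {"ptr": PTR, "a": {}}                      # no public A record yet
EXTERNAL_AFTER = {"ptr": PTR, "a": {GATEWAY: [PUBLIC_IP]}}   # A record added
INTERNAL_TWO_NAMES = {"ptr": {}, "a": {GATEWAY: [PUBLIC_IP],
                                       INT_GATEWAY: [INTERNAL_IP]}}
INTERNAL_SPLIT = {"ptr": {}, "a": {GATEWAY: [INTERNAL_IP]}}  # BIND view or hosts file


def view_resolver(view):
    """Return (ptr_lookup, addr_lookup) backed by a constructed record set."""
    def ptr_lookup(ip):
        return list(view["ptr"].get(ip, []))

    def addr_lookup(name):
        return list(view["a"].get(name.rstrip(".").lower(), []))

    return ptr_lookup, addr_lookup


def system_resolver():
    """Same interface, backed by the host's resolver (needs network access)."""
    def ptr_lookup(ip):
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
        except OSError:
            return []
        return [name, *aliases]

    def addr_lookup(name):
        try:
            infos = socket.getaddrinfo(name, None)
        except OSError:
            return []
        # Drop any IPv6 scope id so the address parses on older Pythons.
        return sorted({info[4][0].split("%")[0] for info in infos})

    return ptr_lookup, addr_lookup


def fcrdns_status(client_ip, resolver):
    """Classify a connecting IP: NO_PTR, FORGED (PTR name does not map back), or OK."""
    ptr_lookup, addr_lookup = resolver
    ip = ipaddress.ip_address(client_ip)
    names = ptr_lookup(str(ip))
    if not names:
        return "NO_PTR", []
    confirmed = [
        name for name in names
        if any(ipaddress.ip_address(addr) == ip for addr in addr_lookup(name))
    ]
    if confirmed:
        return "OK", confirmed
    return "FORGED", names


def check_design(internal_view, external_view, relay_name, public_ip=PUBLIC_IP):
    """Does the internal relay name stay on the LAN while the public IP passes FCrDNS?"""
    _, internal_addr = view_resolver(internal_view)
    relay_addrs = internal_addr(relay_name)
    stays_internal = bool(relay_addrs) and all(
        ipaddress.ip_address(addr).is_private for addr in relay_addrs
    )
    status, _ = fcrdns_status(public_ip, view_resolver(external_view))
    return {"relay_stays_internal": stays_internal, "fcrdns": status}


if __name__ == "__main__":
    print("before A record:", fcrdns_status(PUBLIC_IP, view_resolver(EXTERNAL_BEFORE)))
    print("after A record: ", fcrdns_status(PUBLIC_IP, view_resolver(EXTERNAL_AFTER)))
    print("relay to gateway, one shared view:",
          check_design(INTERNAL_TWO_NAMES, EXTERNAL_AFTER, GATEWAY))
    print("relay to int-gateway:",
          check_design(INTERNAL_TWO_NAMES, EXTERNAL_AFTER, INT_GATEWAY))
    print("split view / hosts override:",
          check_design(INTERNAL_SPLIT, EXTERNAL_AFTER, GATEWAY))
```

To run the same check against live DNS, pass `system_resolver()` instead of `view_resolver(...)` to `fcrdns_status`.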
From: res at ausics.net (Res)
Date: Thu Apr 5 02:11:23 2007
Subject: New Server Specs?
In-Reply-To: <46353.194.70.180.170.1175686297.squirrel@www.technologytiger.net>
References: <438fe811fed68506632f49ffa4fc2edf@62.49.223.244> <46353.194.70.180.170.1175686297.squirrel@www.technologytiger.net>
Message-ID:

On Wed, 4 Apr 2007, Drew Marshall wrote:

> On Wed, April 4, 2007 11:37, --[ UxBoD ]-- wrote:
>> We also put the Postfix
>
>> queues on a TMPFS for improved
>> performance, hence having quite a large amount of memory.
>
> I would watch having your main MTA queues in TMPFS, although I am sure you
> have it covered with multiple redundant power etc. IF the power did die
> then all the mail in the MTA queues would also go west. Not an issue for
> MailScanner as that's what it does on start up any way (Flush it's work

I'd agree with Drew, as we had a UPS die yesterday just shutdown for no f#$In reason (only hosting this domain and a few other non critical servers so was not a real loss) and as Murphy predicts, the redundancy rail also failed... So it can happen :)

If this box used tmpfs for mail queues like you, you'd be without about 500 emails, if it was on a key mail server, countless thousands would be lost.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Thu Apr 5 02:06:26 2007
From: res at ausics.net (Res)
Date: Thu Apr 5 02:14:46 2007
Subject: OT: Multiple Outgoing IPs?
In-Reply-To:
References: <00b801c7754a$dd9074d0$6501a8c0@zorak> <46125088.2060207@nkpanama.com>
Message-ID:

On Wed, 4 Apr 2007, Hugo van der Kooij wrote:

> There is no argument that the Distro default version is not update the way
> most would like.

Redhat themselves state (and have done so for many many years) backports are security fixes only and won't include new features, after all to do that they have to up the version to current

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From mike at vesol.com Thu Apr 5 02:17:53 2007
From: mike at vesol.com (Mike Kercher)
Date: Thu Apr 5 02:26:53 2007
Subject: I'm back at home
In-Reply-To: <60702.200.46.17.228.1175640677.squirrel@nkpanama.com>
References: <46128E8E.1060508@ecs.soton.ac.uk><4612A7F9.1090602@marinocrane.com> <60702.200.46.17.228.1175640677.squirrel@nkpanama.com>
Message-ID: <6115482898C59848B35DB9D491C9A28E4D19@srv1.home.middlefinger.net>

:: Julian Field wrote:
::: Hi folks,
:
: When that message was delivered, and news of Julian's
: recovery reached the list, I felt a disturbance on the Net...
: as if millions of spammers suddenly cried out in terror, and
: were suddenly silenced... ;-)
:
: --

The Force is strong with him! :)

From gcle at smcaus.com.au Thu Apr 5 02:31:35 2007
From: gcle at smcaus.com.au (Gerard Cleary) Date: Thu Apr 5 02:39:58 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <200704051131.35549.gcle@smcaus.com.au> On Wed, 4 Apr 2007 03:27, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > Welcome back Julian. It was good to see your name in my "Sender" column again. As all the others have said, "MailScanner is fine." Take your time and enjoy life again. All the best, Gerard. -- Gerard Cleary System Administrator SMC Pneumatics Australia Pty Ltd PH: (02) 9354 8222 From stork at openenterprise.ca Thu Apr 5 07:23:39 2007
From: stork at openenterprise.ca (Johnny Stork) Date: Thu Apr 5 07:32:01 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: <4613F540.7010300@slackadelic.com> References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com><4613EE6A.3090307@openenterprise.ca> <4613EFD8.2000801@slackadelic.com> <4613F540.7010300@slackadelic.com> Message-ID: <461495EB.2090406@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070404/fa8783fb/stork.vcf From res at ausics.net Thu Apr 5 08:21:47 2007
From: res at ausics.net (Res)
Date: Thu Apr 5 08:30:06 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46125D3C.1010907@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com>
Message-ID:

On Tue, 3 Apr 2007, Rick Chadderdon wrote:

> I'm going to give you the benefit of the doubt and simply assume that my
> writing style is not clear enough for me to make a point to you. Our

Rick you've made your point, you don't like people using it, I don't care if it's used, I approve of any method that helps stamp out spam/forgeries. It is a method used and will always be used, and only will become more and more so over time, something that those who don't like it will have to get used to.

> discussion. If you're being deliberately obtuse for the joy of argument,
> please don't bother - I don't enjoy that kind of fight, anymore. (You should

No, but you are starting to come across as one who accuses others of not seeing your point or arguing 'for the sake of it' because we will not turn around and say it's a bad thing because some see it as a good thing. We do seem to be going round in circles

> have seen me back in the Fidonet days, though... That was

I probably did, but that's too many years ago to even bother trying to remember, certainly not on the eve of a 4 days holiday :P

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From list-mailscanner at linguaphone.com Thu Apr 5 09:33:15 2007
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Apr 5 09:41:28 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <60D398EB2DB948409CA1F50D8AF122570222119B@exch1.dekalbmemorial.local> References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> <60D398EB2DB948409CA1F50D8AF122570222119B@exch1.dekalbmemorial.local> Message-ID: <1175761994.18290.5.camel@gblades-suse.linguaphone-intranet.co.uk> On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: > Are you using the clamavmodule? I've had the same problem. There's a > commandline switch to turn that notice if when using clamscan, but not > with the module. I'd suggested earlier that someone should add code for > clamav, like the code for Sophos that allows you to specify messages to > ignore. I think its a bug in Mailscanner. There appears to be code in place in the routine which calls clamavmodule which disables blocking of encrypted files if there is a config option 'allowpasszips' set but I cannot find that option. Anyway below is a diff which disables blocking of encrypted archives which is working fine for me. /usr/lib/MailScanner/MailScanner/SweepViruses.pm 1069c1069 < Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() | --- > # Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() | From dhawal at netmagicsolutions.com Thu Apr 5 09:46:54 2007 
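Review bot: The change at line 1069 of SweepViruses.pm comments out "Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |" unconditionally, so the flag is dropped for every message and every configuration rather than only where encrypted archives are meant to pass. The message itself says the calling routine already has a branch keyed on an 'allowpasszips' option; keeping the line and working out how that branch is reached from the configuration would be safer than deleting the flag in an installed module. The diff is also in normal format with no context lines, so it applies only to a copy of the file whose line 1069 is exactly this one; a unified diff (diff -u) against a stated MailScanner version would be easier to review and to re-apply.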
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Apr 5 09:55:33 2007 Subject: OT: Multiple Outgoing IPs? In-Reply-To: References: <00b801c7754a$dd9074d0$6501a8c0@zorak> <46125088.2060207@nkpanama.com> Message-ID: <4614B77E.7030907@netmagicsolutions.com> Res wrote: > On Wed, 4 Apr 2007, Hugo van der Kooij wrote: > >> There is no argument that the Distro default version is not update the >> way most would like. > > Redhat themselves state (and have done so for many many years) > backports are security fixes only and wont include new features, > afterall to do that they have to up the version to current This statement though true is not really necessarily the case practically.. for instance: spamassassin in rhel4 is 3.1.8 (started at 3.0.2) which is also the latest stable. This was done primarily for security fixes, but features got upgraded in the bargain. I could cite a few more examples if required (postfix 2.1.x to postfix 2.2.x etc). From wim at unetix.nl Thu Apr 5 09:53:52 2007 
From: wim at unetix.nl (Wim Bakker)
Date: Thu Apr 5 10:01:32 2007
Subject: Missing headers in mailscanner
In-Reply-To: <771bd83a4c120847bc3fb560c787e9c7@solidstatelogic.com>
References: <771bd83a4c120847bc3fb560c787e9c7@solidstatelogic.com>
Message-ID: <4614B920.4080209@unetix.nl>

Martin.Hepworth wrote:
>> -----Original Message-----
[snipped my blah-blah]
>
> Hi
>
> Look at the X-unetix.nl-MailScanner: header....
>
>
> A . in the X- header can cause a lot of problems and I'm pretty sure
> it's an illegal character at that point.
>
> Remove the . from the %org-name% setting in MailScanner.conf
>
> The {Spam?} subject modifier is done by MailScanner - have a search for
> this in MailScanner.conf and hopefully you'll see where this is done...
>

Yes, I found the location where {Spam?} was added, in the spam.assassin.prefs.conf. I changed the X-unetix.nl etc header, but still the same:

-------------------------------------------------------------
Return-Path:
Received: from mail.bhagwato.eu ([unix socket])
    by www.bhagwato.eu (Cyrus v2.3.3) with LMTPA;
    Thu, 05 Apr 2007 10:44:06 +0200
X-Sieve: CMU Sieve 2.3
Received: from mx1.unetix.nl (mx1.unetix.nl [194.109.108.70])
    by mail.bhagwato.eu (Postfix) with ESMTP id BF55724291B8
    for ; Thu, 5 Apr 2007 10:44:06 +0200 (CEST)
Received: from mailgateway.unetix.nl (unknown [213.84.10.61])
    by mx1.unetix.nl (Postfix) with ESMTP id CBF933051207
    for ; Thu, 5 Apr 2007 10:42:45 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by mailgateway.unetix.nl (Postfix) with ESMTP id 3A08520ED2E;
    Thu, 5 Apr 2007 10:43:38 +0200 (CEST)
Received: from mailgateway.unetix.nl (localhost [127.0.0.1])
    by mailgateway.unetix.nl (Postfix) with SMTP id 2665920ED2C;
    Thu, 5 Apr 2007 10:43:38 +0200 (CEST)
Received: from mailgateway.unetix.nl ([127.0.0.1])
    by mailgateway.unetix.nl ([192.168.253.1]) with SMTP (gateway) id A0097DEB44D;
    Thu, 05 Apr 2007 10:43:37 +0200
Received: by mailgateway.unetix.nl (Postfix, from userid 1001)
    id DCE1E20ED31; Thu, 5 Apr 2007 10:43:37 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mailgateway.unetix.nl
X-Spam-Level:
MIME-Version: 1.0
X-Unetix-MailScanner-Information: Please contact the ISP for more information
X-Unetix-MailScanner: Found to be clean
X-Unetix-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=8.339,
    required 3.3, BAYES_99 2.00, FORGED_RCVD_HELO 0.14, INFO_TLD 1.27,
    J_CHICKENPOX_73 1.60, MISSING_HB_SEP 2.50, MISSING_SUBJECT 0.70,
    TO_CC_NONE 0.13)
X-Unetix-MailScanner-SpamScore: ssssssss
X-Unetix-MailScanner-From: mailscanner-bounces@lists.mailscanner.info
X-Unetix-MX1: Yes
Message-Id: <20070405084406.BF55724291B8@mail.bhagwato.eu>
Date: Thu, 5 Apr 2007 10:44:06 +0200 (CEST)
From: mailscanner-bounces@lists.mailscanner.info
To: undisclosed-recipients:;
------------------------

Headers are now for the mailscanner machine: X-Unetix-.... but still the subject line and the to line are altered, the subject line is gone altogether and the To: line is altered to:

To: undisclosed-recipients:;

This happens with 9 out of 10 mails that originate from the mailserver that transports the mail originally for wim@unetix.nl to wim@bhagwato.eu (the last being my testdomain the first my regular account).

The original receiving mailserver: mail.unetix.nl adds spam checker headers to :

X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mailgateway.unetix.nl
X-Spam-Level:

On the mailscanner machine I tried to strip them with

remove_header all Level

and

remove_header all Checker-Version

but that didn't work. I still think they are the cause of the trouble, because it only happens with mail that contain X-Spam headers from another mailserver that also checks for spam.

Thanks
Wim bakker

From dhawal at netmagicsolutions.com Thu Apr 5 10:10:41 2007
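Chris Yuzik's question about extra X-Spam- headers and Wim Bakker's message above both turn on which host stamped the SpamAssassin headers. As an added example (not code from the thread or from MailScanner), this Python script reads the "on <host>" suffix of X-Spam-Checker-Version and places that host in the Received chain; the function names are hypothetical and the sample message is constructed from a shortened copy of the headers quoted in the post.

```python
import re
from email import message_from_string

# Constructed sample: a shortened copy of the headers quoted in the post.
SAMPLE = """\
Received: from mx1.unetix.nl (mx1.unetix.nl [194.109.108.70])
\tby mail.bhagwato.eu (Postfix) with ESMTP id BF55724291B8;
\tThu, 5 Apr 2007 10:44:06 +0200 (CEST)
Received: from mailgateway.unetix.nl (unknown [213.84.10.61])
\tby mx1.unetix.nl (Postfix) with ESMTP id CBF933051207;
\tThu, 5 Apr 2007 10:42:45 +0200 (CEST)
Received: by mailgateway.unetix.nl (Postfix, from userid 1001)
\tid DCE1E20ED31; Thu, 5 Apr 2007 10:43:37 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
\tmailgateway.unetix.nl
X-Spam-Level:
X-Unetix-MailScanner: Found to be clean
Message-Id: <20070405084406.BF55724291B8@mail.bhagwato.eu>
Date: Thu, 5 Apr 2007 10:44:06 +0200 (CEST)
From: mailscanner-bounces@lists.mailscanner.info
To: undisclosed-recipients:;

(body omitted)
"""

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")      # "by <host>" in Received
ON_RE = re.compile(r"\bon\s+([A-Za-z0-9.-]+)\s*$")  # "... on <host>" suffix


def unfold(value):
    """Collapse a folded header value onto one line."""
    return " ".join(value.split())


def received_hosts(msg):
    """Hosts named after 'by' in each Received header, newest hop first."""
    hosts = []
    for value in msg.get_all("Received", []):
        match = BY_RE.search(unfold(value))
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def spamassassin_hosts(msg):
    """Hosts that claim to have run SpamAssassin on this message."""
    hosts = []
    for value in msg.get_all("X-Spam-Checker-Version", []):
        match = ON_RE.search(unfold(value))
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def audit(raw, local_host):
    """Classify each SpamAssassin stamp relative to local_host.

    local    - stamped by the host doing this check
    upstream - stamped by another host that appears in the Received chain
    unknown  - stamped by a host that never handled the message
    """
    msg = message_from_string(raw)
    hops = received_hosts(msg)
    report = {"local": [], "upstream": [], "unknown": []}
    for host in spamassassin_hosts(msg):
        if host == local_host.lower():
            report["local"].append(host)
        elif host in hops:
            report["upstream"].append(host)
        else:
            report["unknown"].append(host)
    report["x_spam_headers"] = [
        name for name in msg.keys() if name.lower().startswith("x-spam-")
    ]
    # Headers the post reports as lost or altered on affected messages.
    report["missing"] = [
        name for name in ("Subject", "To", "From", "Date") if msg[name] is None
    ]
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE, "mail.bhagwato.eu").items():
        print(f"{key}: {value}")
```

A stamp classed as unknown names a host that never handled the message, so its X-Spam- values should not be relied on by later filters.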
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Apr 5 10:19:04 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <1175761994.18290.5.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> <60D398EB2DB948409CA1F50D8AF122570222119B@exch1.dekalbmemorial.local> <1175761994.18290.5.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <4614BD11.6080104@netmagicsolutions.com> Gareth wrote: > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: > >> Are you using the clamavmodule? I've had the same problem. There's a >> commandline switch to turn that notice if when using clamscan, but not >> with the module. I'd suggested earlier that someone should add code for >> clamav, like the code for Sophos that allows you to specify messages to >> ignore. > > I think its a bug in Mailscanner. There appears to be code in place in > the routine which calls clamavmodule which disables blocking of > encrypted files if there is a config option 'allowpasszips' set but I > cannot find that option. > > Anyway below is a diff which disables blocking of encrypted archives > which is working fine for me. > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm > 1069c1069 > < Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > | > --- >> # Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > | [Quoting Julian from 07/20/2005] If you have MailScanner set to allow password-protected zip and rar archives, then this option is disabled. If you have it set to block password-protected archives, then this option is enabled. [Quoting Julian from 07/20/2005] See this thread: http://thread.gmane.org/gmane.mail.virus.mailscanner/30201 From list-mailscanner at linguaphone.com Thu Apr 5 10:31:09 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Apr 5 10:39:27 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <4614BD11.6080104@netmagicsolutions.com> References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> <60D398EB2DB948409CA1F50D8AF122570222119B@exch1.dekalbmemorial.local> <1175761994.18290.5.camel@gblades-suse.linguaphone-intranet.co.uk> <4614BD11.6080104@netmagicsolutions.com> Message-ID: <1175765469.18300.8.camel@gblades-suse.linguaphone-intranet.co.uk> On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote: > Gareth wrote: > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: > > > >> Are you using the clamavmodule? I've had the same problem. There's a > >> commandline switch to turn that notice if when using clamscan, but not > >> with the module. I'd suggested earlier that someone should add code for > >> clamav, like the code for Sophos that allows you to specify messages to > >> ignore. > > > > I think its a bug in Mailscanner. There appears to be code in place in > > the routine which calls clamavmodule which disables blocking of > > encrypted files if there is a config option 'allowpasszips' set but I > > cannot find that option. > > > > Anyway below is a diff which disables blocking of encrypted archives > > which is working fine for me. > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm > > 1069c1069 > > < Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > | > > --- > >> # Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > | > > [Quoting Julian from 07/20/2005] > If you have MailScanner set to allow password-protected zip and rar > archives, then this option is disabled. If you have it set to block > password-protected archives, then this option is enabled. > [Quoting Julian from 07/20/2005] > > See this thread: http://thread.gmane.org/gmane.mail.virus.mailscanner/30201 Thanks. 
I wanted Mailscanner to block encrypted archives which it does well by itself but not to tell clamav to identify encrypted archives as viruses. From dhawal at netmagicsolutions.com Thu Apr 5 10:44:59 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Apr 5 10:53:22 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <1175765469.18300.8.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> <60D398EB2DB948409CA1F50D8AF122570222119B@exch1.dekalbmemorial.local> <1175761994.18290.5.camel@gblades-suse.linguaphone-intranet.co.uk> <4614BD11.6080104@netmagicsolutions.com> <1175765469.18300.8.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <4614C51B.6050405@netmagicsolutions.com> Gareth wrote: > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote: >> Gareth wrote: >>> On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: >>> >>>> Are you using the clamavmodule? I've had the same problem. There's a >>>> commandline switch to turn that notice if when using clamscan, but not >>>> with the module. I'd suggested earlier that someone should add code for >>>> clamav, like the code for Sophos that allows you to specify messages to >>>> ignore. >>> I think its a bug in Mailscanner. There appears to be code in place in >>> the routine which calls clamavmodule which disables blocking of >>> encrypted files if there is a config option 'allowpasszips' set but I >>> cannot find that option. >>> >>> Anyway below is a diff which disables blocking of encrypted archives >>> which is working fine for me. >>> >>> /usr/lib/MailScanner/MailScanner/SweepViruses.pm >>> 1069c1069 >>> < Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() >>> | >>> --- >>>> # Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() >>> | >> [Quoting Julian from 07/20/2005] >> If you have MailScanner set to allow password-protected zip and rar >> archives, then this option is disabled. If you have it set to block >> password-protected archives, then this option is enabled. 
>> [Quoting Julian from 07/20/2005] >> >> See this thread: http://thread.gmane.org/gmane.mail.virus.mailscanner/30201 > > Thanks. I wanted Mailscanner to block encrypted archives which it does > well by itself but not to tell clamav to identify encrypted archives as > viruses. Of course.. the point i wanted to convey being that it is not a bug, but the intended behavio(u)r. From holger at noefer.org Thu Apr 5 11:06:09 2007 
From: holger at noefer.org (Holger Nöfer)
Date: Thu Apr 5 11:14:29 2007
Subject: I'm back at home
In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk>
References: <46128E8E.1060508@ecs.soton.ac.uk>
Message-ID: <4614CA11.2070102@noefer.org>

Welcome back, nice to hear from you. Get well soon!

Holger

Julian Field wrote:
> Hi folks,
>
> I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9
> tubes, a ventilator, 2 nurses and a technician looking after just me, 24
> hours a day. They finally brought me round when I was well enough, and I
> then spent the next 2 weeks learning how breathe, talk, use my hands,
> walk and all the necessary stuff like that.
>
> So I am now back at home, and have my parents living in my house with me
> helping to look after me. We are all getting on fine, and life would be
> really hard if they weren't here. They have fixed everything and cleared
> out all my old junk that I don't want any more, so I now have a nice
> tidy house again with plenty of spare space. I won't be able to find
> anything for a while, but it's really nice to have everything neat and
> tidy again :-)
>
> It's going to be a fair while before I'm up to doing anything to do with
> MailScanner.
>
> This note is basically to send a very big thankyou for all the Get Well
> Soon cards you have sent me from all over the world, along with all the
> emails sending your best wishes too. They are all very much appreciated
> and it really brightened up my day every time someone from work called
> in with some more cards from around the globe. So thank you very much
> for all of them!
>
> So I'm still alive, though it was very touch and go for the first 10
> days, and more or less back in the land of the living. Don't expect any
> more than the odd health update for a while yet though :-)
>
> Cheers,
> Jules.
>

From holger at noefer.org Thu Apr 5 11:14:41 2007
From: holger at noefer.org (Holger Nöfer)
Date: Thu Apr 5 11:23:00 2007
Subject: Clamav 0.90.1 phishing problem
In-Reply-To: <4602DDEC.7074.61F0EAF@H.de.Vries.philos.rug.nl>
References: <4602DDEC.7074.61F0EAF@H.de.Vries.philos.rug.nl>
Message-ID: <4614CC11.5080008@noefer.org>

Hi,

since I upgraded clamav to 0.90.x I do not find these messages, too. Did you solve the problem?

There are new functions in Mail::ClamAV

CL_SCAN_PHISHING_DOMAINLIST
    Phishing module: restrict URL scanning to domains from .pdf (RECOMMENDED).
CL_SCAN_PHISHING_BLOCKSSL
    Phishing module: always block SSL mismatches in URLs.
CL_SCAN_PHISHING_BLOCKCLOAK
    Phishing module: always block cloaked URLs.

Has someone used this in /opt/MailScanner/lib/MailScanner/SweepViruses.pm?

Best regards,
Holger

Hauke de Vries wrote:
> Compiled and installed Clamav, but no more phishing
> problems? I used to have average 10/day so I scanned
> an old mail. What am I missing?
>
> clamscan --verbose message
> message: HTML.Phishing.Bank-1156 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 101233
> Engine version: 0.90.1
> Scanned files: 1
> Infected files: 1
>
> MailScanner -v
>
> This is Fedora Core release 4 (Stentz)
> This is Perl version 5.008006 (5.8.6)
> This is MailScanner version 4.56.7
>
> Optional module versions are:
> 0.20 Mail::ClamAV
> 3.001008 Mail::SpamAssassin
>

From brent.bolin at gmail.com Thu Apr 5 12:06:45 2007
From: brent.bolin at gmail.com (BB) Date: Thu Apr 5 12:14:58 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <787dcac20704050406x49d7ba75sa613c9d42aba9386@mail.gmail.com> Julian, Didn't you know. It's too soon to go. There are more Taxes to pay. Be good, take care of yourself. btb On 4/3/07, Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, 24 > hours a day. They finally brought me round when I was well enough, and I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. 
> > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- From Kevin_Miller at ci.juneau.ak.us Thu Apr 5 16:05:09 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Apr 5 16:13:11 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To: <461495EB.2090406@openenterprise.ca>
References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com><4613EE6A.3090307@openenterprise.ca> <4613EFD8.2000801@slackadelic.com><4613F540.7010300@slackadelic.com> <461495EB.2090406@openenterprise.ca>
Message-ID:

They look fine from here Johnny - The relevant ones are below (probably line-wrapped beyond reason):

Received: from gateway.johnnystork.ca (gateway.johnnystork.ca [207.216.240.22])
    by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l356Vxcv025979
    for ; Thu, 5 Apr 2007 07:31:59 +0100
Received: from [192.168.1.10] (johnny-lt.johnnystork.ca [192.168.1.10])
    by gateway.johnnystork.ca (8.13.1/8.13.1) with ESMTP id l356NdHP019098
    for ; Wed, 4 Apr 2007 23:23:39 -0700

S'later...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork
Sent: Wednesday, April 04, 2007 10:24 PM
To: MailScanner discussion
Subject: Re: Bounced Mail - DNS Problems?

Ok, maybe I have it right now. I added the following to the local hosts file after creating an A entry for gateway.johnnystork.ca (points to 207.216.240.22)

# Edits to /etc/hosts
192.168.1.2 int-gateway.johnnystork.ca int-gateway
207.216.240.22 gateway.johnnystork.ca gateway
207.216.240.22 smtp.johnnystork.ca smtp

I then change the sendmail forwarding on the scalix server (penguin.johnnystork.ca, 192.168.1.3) so it points to int-gateway.johnnystork.ca.

So take a look at the headers in this reply. Do they look correct now? I "think" so....but am still learning about mail server configurations.

And thanks to everyone for all of your helpful suggestions

Matt Hayes wrote:

Kevin Miller wrote:

Matt Hayes wrote:

Johnny Stork wrote:

I had actually tried that before, but here is my problem. I run a Scalix mail server internally and so it is setup to send outgoing mail to gateway.johnnystork.ca (192.168.1.2) which runs mailscanner and is the SMTP mail server for my network. But as soon as I add the A record for gateway.johnnystork.ca so it resolves to 207.216.240.22, the Scalix mailserver cannot route/forward all outgoing mail to gateway.johnnystork.ca. Is there any way I can have the internal machines resolve/see the servers only with their internal IP's, even if there is a corresponding a record and routable ip address?

Well, if it were me, I would configure the server to relay mail to the internal IP rather than a domain name then add the DNS A record for the correct entry.

That would work, but another option is to have two records in DNS:

int-gateway IN A 192.168.1.2
gateway IN A 207.216.240.22

and point the Scalix box to int-gateway. You retain the benefits of DNS that way.

Yet another option is to set up bind to have multiple views. My internal users see one list of records, external users see another. The hostname may be the same, but the address returned by DNS is different depending on whether they're on my internal lan or the internet...

...Kevin

Ahhh very nice. I didn't even consider that. :)

-Matt

--
Johnny Stork
Open Enterprise Solutions
"Empowering Business With Open Solutions"
http://www.openenterprise.ca

Photography and Multimedia
http://www.dreamscapemedia.ca

Open Source News
http://www.opensourcenews.ca

From brian.duncan at kattenlaw.com Thu Apr 5 16:13:13 2007
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Thu Apr 5 16:21:52 2007 Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner? In-Reply-To: References: Message-ID: <65234743FE1555428435CE39E6AC4078B38E00@CHI-US-EXCH-01.us.kmz.com> I have posted this in the past to this mailing list. This is what we use with great results. It would do exactly what you want without the need to change subject lines add additional headers, etc.. http://www.smtptracker.com/ It sits on the Exchange servers and adds the custom MS SCL info to any messages that fail Mailscanner/Spam Assassin. Here is one of my previous replies to this: I don't think that Exchange acts on any X-Header for SCL values (At least nothing that I have tried so far). I tried everything to get messages to wind up in the Junk Mail folder through only X-Header modifications. I had no luck. I finally wound up using http://smtptracker.com It is only 35.00 for an enterprise license and 500.00 for the source code if you need it. The University of Florida has been using it for 2 years now. It is just a transport that sits on an exchange server that adds the SCL onto passing messages going by that have failed your Spam Assassin check. Whatever it adds to force junk mail folder is NOT X-header based. It's some custom exchange attribute I believe. I even opened a call with Microsoft to see if there was some x-header I could add to guarantee a message would wind up in Junk Mail folder. I was told that the SCL value is in some extended attribute in each message. (documented in Exchange 2007 beta as being an x-header, maybe they are changing this moving forward? I don't know) > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Thiago Martins
> Sent: Tuesday, April 03, 2007 2:05 PM
> To: MailScanner discussion
> Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner?
>
> Hi folks.
>
> Is there any possibilities to insert some header or any other
> way to make Microsoft Outlook or Exchange know that a message is SPAM?
>
> There is a folder in Outlook for SPAM and sometimes it flag
> some messages as SPAM automatically. I believe this is done
> using some header in the mail body.
>
> Any ideas about that?
>
> Sorry for my English and thanks in advance.
>
> --
> []'s
> Thiago
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From stork at openenterprise.ca Thu Apr 5 17:36:30 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Thu Apr 5 17:44:59 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To:
References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com><4613EE6A.3090307@openenterprise.ca> <4613EFD8.2000801@slackadelic.com><4613F540.7010300@slackadelic.com> <461495EB.2090406@openenterprise.ca>
Message-ID: <4615258E.3040900@openenterprise.ca>

Skipped content of type multipart/alternative

From Kevin_Miller at ci.juneau.ak.us Thu Apr 5 17:47:56 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Apr 5 17:55:56 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To: <4615258E.3040900@openenterprise.ca>
References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca> <4610B2CE.7090400@openenterprise.ca> <4613E67E.8080404@openenterprise.ca> <4613E99F.1060306@slackadelic.com><4613EE6A.3090307@openenterprise.ca> <4613EFD8.2000801@slackadelic.com><4613F540.7010300@slackadelic.com><461495EB.2090406@openenterprise.ca> <4615258E.3040900@openenterprise.ca>
Message-ID:

Yup. Every time a message hits a mail server, it tattoos it with its own info. Your gateway received from your local machine, so added that received header. Read received headers from the bottom to the top. That's the only acceptable instance of 'top posting'.

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork
Sent: Thursday, April 05, 2007 8:37 AM
To: MailScanner discussion
Subject: Re: Bounced Mail - DNS Problems?

Well that's encouraging.....so it's "normal" for the info on the actual local machine to show up as well...the machine from which the client was running (johnny-lt.johnnystork.ca)? Thanks for the check/feedback...

Kevin Miller wrote:

They look fine from here Johnny - The relevant ones are below (probably line-wrapped beyond reason):

Received: from gateway.johnnystork.ca (gateway.johnnystork.ca [207.216.240.22])
    by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l356Vxcv025979
    for ; Thu, 5 Apr 2007 07:31:59 +0100
Received: from [192.168.1.10] (johnny-lt.johnnystork.ca [192.168.1.10])
    by gateway.johnnystork.ca (8.13.1/8.13.1) with ESMTP id l356NdHP019098
    for ; Wed, 4 Apr 2007 23:23:39 -0700

S'later...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork
Sent: Wednesday, April 04, 2007 10:24 PM
To: MailScanner discussion
Subject: Re: Bounced Mail - DNS Problems?

Ok, maybe I have it right now. I added the following to the local hosts file after creating an A entry for gateway.johnnystork.ca (points to 207.216.240.22)

# Edits to /etc/hosts
192.168.1.2 int-gateway.johnnystork.ca int-gateway
207.216.240.22 gateway.johnnystork.ca gateway
207.216.240.22 smtp.johnnystork.ca smtp

I then change the sendmail forwarding on the scalix server (penguin.johnnystork.ca, 192.168.1.3) so it points to int-gateway.johnnystork.ca.

So take a look at the headers in this reply. Do they look correct now? I "think" so....but am still learning about mail server configurations.

And thanks to everyone for all of your helpful suggestions

Matt Hayes wrote:
Kevin Miller wrote:
Matt Hayes wrote:
Johnny Stork wrote:

I had actually tried that before, but here is my problem. I run a Scalix mail server internally and so it is setup to send outgoing mail to gateway.johnnystork.ca (192.168.1.2) which runs mailscanner and is the SMTP mail server for my network. But as soon as I add the A record for gateway.johnnystork.ca so it resolves to 207.216.240.22, the Scalix mailserver cannot route/forward all outgoing mail to gateway.johnnystork.ca. Is there any way I can have the internal machines resolve/see the servers only with their internal IP's, even if there is a corresponding A record and routable ip address?

Well, if it were me, I would configure the server to relay mail to the internal IP rather than a domain name then add the DNS A record for the correct entry.

That would work, but another option is to have two records in DNS:

int-gateway IN A 192.168.1.2
gateway IN A 207.216.240.22

and point the Scalix box to int-gateway. You retain the benefits of DNS that way. Yet another option is to set up bind to have multiple views.
My internal users see one list of records, external users see another. The hostname may be the same, but the address returned by DNS is different depending on whether they're on my internal lan or the internet...

...Kevin

Ahhh very nice. I didn't even consider that. :)

-Matt

--
Johnny Stork
Open Enterprise Solutions
"Empowering Business With Open Solutions"
http://www.openenterprise.ca
Photography and Multimedia
http://www.dreamscapemedia.ca
Open Source News
http://www.opensourcenews.ca

--
Johnny Stork
Open Enterprise Solutions
"Empowering Business With Open Solutions"
http://www.openenterprise.ca
Photography and Multimedia
http://www.dreamscapemedia.ca
Open Source News
http://www.opensourcenews.ca

From Denis.Beauchemin at USherbrooke.ca Thu Apr 5 18:50:31 2007
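Added example, not part of the archived thread: Kevin's advice to read Received headers from the bottom to the top, applied in Python to the two headers quoted in the message above. The function names and the three checks (hop continuity, timestamp order, private-address note) are this example's own, and the parser handles only the sendmail-style layout those two headers use.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# The two Received headers quoted in the thread, in message order (newest
# first). The "for" address was scrubbed by the list archive and stays empty.
RAW_HEADERS = [
    "from gateway.johnnystork.ca (gateway.johnnystork.ca [207.216.240.22]) "
    "by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l356Vxcv025979 "
    "for ; Thu, 5 Apr 2007 07:31:59 +0100",
    "from [192.168.1.10] (johnny-lt.johnnystork.ca [192.168.1.10]) "
    "by gateway.johnnystork.ca (8.13.1/8.13.1) with ESMTP id l356NdHP019098 "
    "for ; Wed, 4 Apr 2007 23:23:39 -0700",
]

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_hop(header):
    """Split one sendmail-style Received header into its fields."""
    match = HOP_RE.search(header)
    if match is None:
        raise ValueError(f"unrecognised Received header: {header[:40]!r}")
    address = ipaddress.ip_address(match["ip"])
    return {
        "helo": match["helo"],      # name the client announced
        "rdns": match["rdns"],      # name the receiving server looked up
        "ip": str(address),
        "private": address.is_private,
        "by": match["by"],          # server that accepted the message
        # The timestamp is whatever follows the last semicolon.
        "when": parsedate_to_datetime(header.rsplit(";", 1)[1].strip()),
    }


def trace_path(raw_headers):
    """Return (hops oldest-first, findings) for a list of Received headers."""
    hops = [parse_hop(h) for h in reversed(raw_headers)]  # bottom to top
    findings = []
    for earlier, later in zip(hops, hops[1:]):
        # The server that accepted one hop should be the client of the next.
        if earlier["by"] not in (later["helo"], later["rdns"]):
            findings.append(f"chain break: {earlier['by']} -> {later['rdns']}")
        # Each server stamps its own clock, so time should move forward.
        if later["when"] < earlier["when"]:
            findings.append(f"time goes backwards at {later['by']}")
    for hop in hops:
        if hop["private"]:
            # Informational: the first hop is usually an internal client.
            findings.append(f"private address: {hop['rdns']} [{hop['ip']}]")
    return hops, findings


if __name__ == "__main__":
    path, notes = trace_path(RAW_HEADERS)
    for number, hop in enumerate(path, 1):
        print(number, hop["rdns"], hop["ip"], "->", hop["by"], hop["when"])
    for note in notes:
        print("note:", note)
```
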
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Apr 5 18:58:56 2007
Subject: problem with umlauts in signature
In-Reply-To: <20070328144958.229210@gmx.net>
References: <20070328144958.229210@gmx.net>
Message-ID: <461536E7.6000605@USherbrooke.ca>

Hans Klose wrote:
> Hi
>
> i have a problem with german umlauts like "?" in the signatures of mails.
> my locale settings are
>
> de_DE.UTF-8
>
> What can i make to fix my problem? Sometimes they are ok and sometimes
> they are not. It seems to depend on the client who sends the mail but
> I'm not sure.
>
> Who knows the answer?
>
> Thanks!
>
>
>

Hans,

Same problem here with French characters. Had to stop using the sig option because of that. The sig is just appended to the email body and thus inherits its encoding. If it happens to be the same as yours, you're OK, otherwise you're not...

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From Denis.Beauchemin at USherbrooke.ca Thu Apr 5 20:40:20 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Apr 5 20:49:00 2007
Subject: I'm back at home
In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk>
References: <46128E8E.1060508@ecs.soton.ac.uk>
Message-ID: <461550A4.1010308@USherbrooke.ca>

Great news! Now don't rush into anything... take your time and you will come out just fine!

I was on vacation in Mexico's beautiful Riviera Maya last week and sent you positive thoughts from this really nice place! I wanted to send you a postcard from down there but I forgot your snail mail address...

I hope you'll be able to reschedule your world tour and see the wonders of this world with your own eyes!

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From mailscanner at yeticomputers.com Thu Apr 5 21:24:15 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Apr 5 21:32:41 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> Message-ID: <46155AEF.4010204@yeticomputers.com> Res wrote: > On Tue, 3 Apr 2007, Rick Chadderdon wrote: > >> I'm going to give you the benefit of the doubt and simply assume that >> my writing style is not clear enough for me to make a point to you. Our > > Rick you've made your point, you dont like people using it, That's *not* my point. That's merely a related fact. The point I was trying to make was *why* I don't like it. And the discussion I was trying to get from you was philosophical. I wanted to know whether you justify all behavior based upon the *amount* of effect it has on others or upon whether it has any unjustified effect at all. Whether a third-party effect is the same as a direct response. I have repeatedly stated that if this was the norm, I'd have no problem with it. It is not. It is an add-on tossed into the war on spam which is so easily circumvented that as soon as it becomes effective for more than a handful of people, the spammers will respond by *using it as a tool to make their spam delivery more efficient*. (Which basically means that if it was the norm, it would be useless.) Again, if effectiveness is the measure of justification for anti-spam tools, then TMDA should be used by everyone, right? 
It forces spammers to use a server that will be there long enough to respond, and if spammers were to begin using an automatic response system, the same anti-ocr techniques they use in their image spam could be used to defeat the spammers by including obfuscated captcha images in the TMDA challenge message. If you don't care about the impact on innocent third parties, challenge-response is a great tool. The fact that you aren't sitting here advocating the use of TMDA implies that you do justify the use of a tool by the amount of collateral damage rather than the fact that the damage exists at all. If third-party impact doesn't enter into your decision not to advocate challenge-response techniques - say you're going entirely on the impact on speed of delivery - then I'd like to know. I want to know *why we disagree*, not just be told "get used to it 'cause people are going to do it." Oh, and if you *do* advocate challenge-response, I'd kind of like to know that, too, 'cause that would tell me a lot... :) I want to understand how other people think, and, sometimes, whether they think at all. *That* is my point. >> If you're being deliberately obtuse for the joy of argument, please >> don't bother - I don't enjoy that kind of fight, anymore. > > No, but you are starting to come accross as one who accuses others of > not seeing your point or argueing 'for the sake of it' because we will > not turn around and say its a bad thing because some see it as a good > thing. No, I don't expect agreement. I merely want you to explain how you justify the use of one third-party invasive tool over another. I suspect that it's the degree of impact which you use to make your decision. If so, that's fine. We won't agree, but you will at least have been honest with me about why you think it's okay. And I'll know that you "got my point." And, to be honest, I'll get to feel morally superior. :) But how I "feel" shouldn't matter to you, since how I feel about SAV doesn't bother you. 
I don't think there's much of a "we" thing going on, Res. It's just been you and me for quite a while. Everyone else pretty much admitted that they were being pragmatic about the amount of impact they felt the technique had, versus its effectiveness. It's seemed to me that *you* were the one sidestepping the question and "arguing for the sake of it". Good to know that it was just a difference of perception. Anyway, this is (really!) my last response to this thread. I'll respond to any further discussion with private email, unless requested otherwise. Rick From mailscanner at yeticomputers.com Thu Apr 5 21:31:36 2007 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Apr 5 21:40:04 2007 Subject: I'm back at home In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk> References: <46128E8E.1060508@ecs.soton.ac.uk> Message-ID: <46155CA8.4010808@yeticomputers.com> Glad to hear you're home. :) Wishing you a quick, full recovery! Rick From mkettler at evi-inc.com Thu Apr 5 21:52:33 2007 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Apr 5 22:01:01 2007
Subject: SPF_Fail score too low?
In-Reply-To: <45FDE116.4020205@fractalweb.com>
References: <45FDE116.4020205@fractalweb.com>
Message-ID: <46156191.6030601@evi-inc.com>

Chris Yuzik wrote:
> Hi everyone,
>
> I was just going over some stats, and I see a rule called "SPF_FAIL"
> with the description, "SPF: sender does not match SPF record (fail)",
> which seems like a fairly major violation, yet the score assigned
> currently is only 1.14.
>
> So if I'm clear what this means, I believe this says that the domain
> administrator has specified the specific IPs that are allowed to send
> email from this domain, and furthermore anything that doesn't come from
> the allowed IPs should not be accepted or trusted. Right? This isn't a
> soft-fail, but a full fail.
>
> Seems to me this should be something that should be scored at 5.0 or
> higher. Or am I wrong?
>
> Chris

Sorry for the late reply.

Real-world testing shows that the SPF_FAIL test is still quite prone to false positives, and is more false-positive prone than the SOFTFAIL rule.

In the SpamAssassin 3.1.x mass-checks, SPF_FAIL had 95.5% of its matches being spam, and 4.5% being nonspam. Softfail on the other hand was 99.2% spam and 0.8% nonspam.

Personally, I interpret this as:

The foolhardy and ambitious admin will recklessly dive right in and create a record which hard-fails. The more diligent admin will audit very carefully, but realize he might have made mistakes and set a soft-fail record.

This results in SPF_FAIL presenting more FPs than SOFTFAIL.

Never expect rules to behave the way they "should" when they're the result of human decisions. Humans add a whole layer of randomness and nonsense all their own.

From itdept at fractalweb.com Thu Apr 5 22:18:13 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Apr 5 22:26:32 2007
Subject: SPF_Fail score too low?
In-Reply-To: <46156191.6030601@evi-inc.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com>
Message-ID: <46156795.7050300@fractalweb.com>

Matt Kettler wrote:
> Sorry for the late reply.
>
No worries.
> Real-world testing shows that the SPF_FAIL test is still quite prone to false
> positives, and is more false-positive prone than the SOFTFAIL rule.
>
> In the SpamAssassin 3.1.x mass-checks, SPF_FAIL had 95.5% of its matches being
> spam, and 4.5% being nonspam. Softfail on the other hand was 99.2% spam and 0.8%
> nonspam.
>
> Personally, I interpret this as:
>
> The foolhardy and ambitious admin will recklessly dive right in and create a
> record which hard-fails. The more diligent admin will audit very carefully, but
> realize he might have made mistakes and set a soft-fail record.
>
> This results in SPF_FAIL presenting more FPs than SOFTFAIL.
>
> Never expect rules to behave the way they "should" when they're the result of
> human decisions. Humans add a whole layer of randomness and nonsense all their own.
>
Isn't that the truth!

So what scoring would you recommend for each of these?

Chris

From res at ausics.net Thu Apr 5 22:56:32 2007
From: res at ausics.net (Res)
Date: Thu Apr 5 23:04:54 2007
Subject: SPF_Fail score too low?
In-Reply-To: <46156191.6030601@evi-inc.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com>
Message-ID:

On Thu, 5 Apr 2007, Matt Kettler wrote:

> Personally, I interpret this as:
>
> The foolhardy and ambitious admin will recklessly dive right in and create a
> record which hard-fails.

Or maybe they are the intelligent admins who are completely sick of the countless lamers getting away with impersonating everybody, but I do agree you must know what you are doing before enabling hardfail, but if you don't know what you are doing with SPF, you shouldn't be using it anyway.

Personally I hardfail *and* I recommend it.

However, I recommend using a milter to do SPF checks, and not S.A

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Thu Apr 5 22:59:10 2007
From: res at ausics.net (Res)
Date: Thu Apr 5 23:07:30 2007
Subject: SPF_Fail score too low?
In-Reply-To: <46156795.7050300@fractalweb.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46156795.7050300@fractalweb.com>
Message-ID:

On Thu, 5 Apr 2007, Chris Yuzik wrote:

> So what scoring would you recommend for each of these?

If a network admin decides to hardfail, it's because he wants networks employing SPF to reject mail that fails, who are we to decide to do different, we should honour what THEY want done with fake mail.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From mkettler at evi-inc.com Thu Apr 5 23:00:53 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Apr 5 23:09:13 2007
Subject: SPF_Fail score too low?
In-Reply-To: <46156795.7050300@fractalweb.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46156795.7050300@fractalweb.com>
Message-ID: <46157195.706@evi-inc.com>

Chris Yuzik wrote:
>>
> Isn't that the truth!
>
> So what scoring would you recommend for each of these?

The ones SA comes with.

Really, those numbers aren't pulled out of the air. They're not made up. They're evolved out of real-world data using a perceptron. No human can do better, and anyone who thinks they can is likely oversimplifying the problem.

From mkettler at evi-inc.com Thu Apr 5 23:06:58 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Apr 5 23:15:16 2007
Subject: SPF_Fail score too low?
In-Reply-To:
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com>
Message-ID: <46157302.9030705@evi-inc.com>

Res wrote:
> On Thu, 5 Apr 2007, Matt Kettler wrote:
>
>> Personally, I interpret this as:
>>
>> The foolhardy and ambitious admin will recklessly dive right in and
>> create a
>> record which hard-fails.
>
> Or maybe they are the intelligent admins who are completely sick of the
> countless lamers getting away with impersonating everybody, but I do
> agree you must know what you are doing before enabling hardfail, but if
> you don't know what you are doing with SPF, you shouldn't be using it
> anyway.

IMHO 90% of email system admins don't know what they're doing. 90% of admins using SPF, also don't know what they're doing. Unfortunately, less than 1% of admins realize it, which is why we have this problem.

>
> Personally I hardfail *and* I recommend it.
>
> However, I recommend using a milter to do SPF checks, and not S.A

True, I'm not saying all admins who use hardfail are foolhardy. I'm merely saying the foolhardy admins are likely to jump in and go straight to hardfail without testing. They won't start off with softfail. They're also the ones most likely to have errors or omissions in their config, and also the least likely to detect the problems caused.

This phenomenon makes hard-fail less trustworthy than softfail, which isn't how it should be, but is how it ends up. Score one for the clueless.

I myself would recommend using hardfail, but I'd test things out starting at neutral and work your way up after you've proven out that it really works.

From res at ausics.net Thu Apr 5 23:07:56 2007
From: res at ausics.net (Res)
Date: Thu Apr 5 23:16:16 2007
Subject: SPF_Fail score too low?
In-Reply-To:
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46156795.7050300@fractalweb.com>
Message-ID:

On Fri, 6 Apr 2007, Res wrote:

> On Thu, 5 Apr 2007, Chris Yuzik wrote:
>
>> So what scoring would you recommend for each of these?
>
> If a network admin decides to hardfail, it's because he wants networks
> employing SPF to reject mail that fails, who are we to decide to do
> different, we should honour what THEY want done with fake mail.
>

Bugger, hit enter too soon.

scenario:

1/ you run a network that has thousands of users, abc.com
2/ I have xyz.com, I choose to hardfail
3/ tj on 1.2.3.4 (not my customer) fakes tj@xyz.com
4/ tj successfully sends 5000 emails into abc.com
5/ my staff get bombarded with thousands of your users forwarding to abuse@xyz ... all because we said DROP EM but you decide to SCORE EM
6/ I instruct my staff to block abc.com to abuse@xyz.com removing your ability to complain to us in the case of a genuine issue, you get frustrated at us for ignoring you......and you'll wonder why :)

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Thu Apr 5 23:13:57 2007
From: res at ausics.net (Res)
Date: Thu Apr 5 23:22:17 2007
Subject: SPF_Fail score too low?
In-Reply-To: <46157302.9030705@evi-inc.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com>
Message-ID:

On Thu, 5 Apr 2007, Matt Kettler wrote:

> hardfail without testing.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^ That *IS* the biggest problem.
I used softfail for a couple months to ensure it was all good before moving to hardfail.

Many people have no clue they get told "You should have an SPF record" so they do a quick google and use the first damned thing they come across regardless of if it's broken example or not.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From Kevin_Miller at ci.juneau.ak.us Thu Apr 5 23:32:07 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Apr 5 23:40:17 2007
Subject: SPF_Fail score too low?
In-Reply-To: <46157302.9030705@evi-inc.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com>
Message-ID:

Matt Kettler wrote:

> I myself would recommend using hardfail, but I'd test things out
> starting at neutral and work your way up after you've proven out that
> it really works.

You and res both bring up some interesting points. I hardfail, but my system is pretty humble - I can count on one hand every machine that should be allowed to send mail from my domain. The big guys have a lot more 'I's to dot and 't's to cross.

One advantage of using a milter, as res recommends, is legitimate users of misconfigured hard-fail servers get a response back. Since bouncing spam is bad, if a message fails on SA scores, the administrator of the sending server never hears about it, even if it's a false positive.

I ran softfail for some time initially, but since the failure happens on the far end (someone else's server) I've never understood what folks are monitoring with softfail. None of the feedback concerning my domain came back to me. I've got logs full of info about someone else's domain. Maybe I'm just one of the 90% you mentioned, but what do you use to test softfail?

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From mkettler at evi-inc.com Fri Apr 6 00:01:21 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Apr 6 00:09:45 2007
Subject: SPF_Fail score too low?
In-Reply-To:
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com>
Message-ID: <46157FC1.7090906@evi-inc.com>

Kevin Miller wrote:
> Matt Kettler wrote:
>
>> I myself would recommend using hardfail, but I'd test things out
>> starting at neutral and work your way up after you've proven out that
>> it really works.
>
> You and res both bring up some interesting points. I hardfail, but my
> system is pretty humble - I can count on one hand every machine that
> should be allowed to send mail from my domain.

I'm a small shop too. However, my HR department uses several resume services that forge our address as the return path when sending them resumes. While less important, they also use an e-card service to send birthday cards to employees that does the same thing. All of these are "major name" companies you've probably seen at least 50 TV ads for, not small-shop services.

And of course the cards we could do without, but the resume services are essentially ones my business unit would fold without, and at that point I'd not have a job anymore.

It's gotchas like that which make me suggest starting off at neutral. Even though you can reliably know what machines SHOULD be allowed to send mail from your domain, you might have servers that DO send mail from your domain even though they should not that provide critical business services.

From mailscanner at yeticomputers.com Fri Apr 6 02:32:08 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Fri Apr 6 02:40:36 2007
Subject: SPF_Fail score too low?
In-Reply-To:
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com>
Message-ID: <4615A318.3060408@yeticomputers.com>

Res wrote:
> On Thu, 5 Apr 2007, Matt Kettler wrote:
>
>
>> hardfail without testing.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^ That *IS* the biggest problem.
> I used softfail for a couple months to ensure it was all good before
> moving to hardfail.
>
> Many people have no clue they get told "You should have an SPF record"
> so they do a quick google and use the first damned thing they come
> across regardless of if it's broken example or not.
>

I'm with Res here... I see no purpose for softfail other than allowing others to use SA for scoring. I don't use SPF on all of my domains because some of them have users that will have issues with it. The domains I use it on, I always hardfail. I suppose I can see softfail as useful if all you *want* to do is help people score mail purporting to be from you, but you'll never know if it's helping.

Rick

From email at ace.net.au Fri Apr 6 04:22:38 2007
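Added example, not code from the thread, SpamAssassin or any milter: the neutral, softfail and hardfail stages discussed above, evaluated in Python for Res's xyz.com scenario and Matt's resume-service gotcha, with the receiver either rejecting at SMTP time or only scoring. It handles only the ip4, ip6 and all terms; the function names, the sender list and the addresses 192.0.2.10 and 198.51.100.25 are assumptions made for the example, while xyz.com, 1.2.3.4 and the 1.14 score come from the messages.

```python
import ipaddress

# SPF qualifier -> result name (RFC 7208)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SPF_FAIL_SCORE = 1.14   # SPF_FAIL score quoted in the thread
REQUIRED_SCORE = 5.0    # SpamAssassin's default spam threshold


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against a connecting IP address.

    Only ip4, ip6 and all are handled, so no DNS lookups are needed. Any
    other term (a, mx, include, ...) raises ValueError instead of being
    silently skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"unsupported SPF term: {term}")
    return "neutral"  # nothing matched and the record has no "all"


def milter_style(result):
    """Act on SPF during the SMTP session: a hard fail is refused."""
    return "reject" if result == "fail" else "accept"


def scoring_style(result, other_rules=0.0):
    """Score-only handling: SPF_FAIL just adds points to the total.

    other_rules is the score from all other rules (constructed input).
    Only SPF_FAIL is modelled; other SPF results add 0 in this example.
    """
    total = other_rules + (SPF_FAIL_SCORE if result == "fail" else 0.0)
    return "tag as spam" if total >= REQUIRED_SCORE else "deliver"


# Constructed senders. 1.2.3.4 is the forger's address from the thread;
# the other two addresses are documentation ranges chosen for the example.
AUTHORIZED = ["192.0.2.10"]
SENDERS = {
    "xyz.com mail server": "192.0.2.10",
    "resume service using xyz.com as return path": "198.51.100.25",
    "tj forging tj@xyz.com": "1.2.3.4",
}
STAGES = {"neutral": "?all", "softfail": "~all", "hardfail": "-all"}


def rollout_audit(authorized=AUTHORIZED, senders=SENDERS):
    """Map (stage, sender) to (SPF result, milter action, scoring action)."""
    report = {}
    for stage, final in STAGES.items():
        record = "v=spf1 " + " ".join(f"ip4:{a}" for a in authorized) + " " + final
        for name, ip in senders.items():
            result = evaluate_spf(record, ip)
            report[(stage, name)] = (
                result, milter_style(result), scoring_style(result))
    return report


if __name__ == "__main__":
    for (stage, name), outcome in rollout_audit().items():
        print(f"{stage:9} {name:45} {outcome}")
```

At the hardfail stage the forger and the unlisted resume service get the same result, which is why the sender inventory has to be complete before the record ends in -all.
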
From: email at ace.net.au (Peter Nitschke) Date: Fri Apr 6 04:31:20 2007 Subject: IP address reputation, BorderWare In-Reply-To: <46155AEF.4010204@yeticomputers.com> References: <4602FAAA.20009@fractalweb.com> <200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> Message-ID: <200704061252380467.039029A0@smtp1.ace.net.au> Perhaps a pity that you didn't take this one to private email? I think most of us are pretty tired of this by now. Peter *********** REPLY SEPARATOR *********** On 5/04/2007 at 4:24 PM Rick Chadderdon wrote: >Res wrote: >> On Tue, 3 Apr 2007, Rick Chadderdon wrote: >> >>> I'm going to give you the benefit of the doubt and simply assume that >>> my writing style is not clear enough for me to make a point to you. Our >> >> Rick you've made your point, you dont like people using it, > > >That's *not* my point. That's merely a related fact. The point I was >trying to make was *why* I don't like it. And the discussion I was >trying to get from you was philosophical. I wanted to know whether you >justify all behavior based upon the *amount* of effect it has on others >or upon whether it has any unjustified effect at all. Whether a >third-party effect is the same as a direct response. I have repeatedly >stated that if this was the norm, I'd have no problem with it. It is >not. It is an add-on tossed into the war on spam which is so easily >circumvented that as soon as it becomes effective for more than a >handful of people, the spammers will respond by *using it as a tool to >make their spam delivery more efficient*. (Which basically means that >if it was the norm, it would be useless.) 
> >Again, if effectiveness is the measure of justification for anti-spam >tools, then TMDA should be used by everyone, right? It forces spammers >to use a server that will be there long enough to respond, and if >spammers were to begin using an automatic response system, the same >anti-ocr techniques they use in their image spam could be used to defeat >the spammers by including obfuscated captcha images in the TMDA >challenge message. If you don't care about the impact on innocent third >parties, challenge-response is a great tool. The fact that you aren't >sitting here advocating the use of TMDA implies that you do justify the >use of a tool by the amount of collateral damage rather than the fact >that the damage exists at all. If third-party impact doesn't enter into >your decision not to advocate challenge-response techniques - say you're >going entirely on the impact on speed of delivery - then I'd like to >know. I want to know *why we disagree*, not just be told "get used to >it 'cause people are going to do it." Oh, and if you *do* advocate >challenge-response, I'd kind of like to know that, too, 'cause that >would tell me a lot... :) > >I want to understand how other people think, and, sometimes, whether >they think at all. > >*That* is my point. > > >>> If you're being deliberately obtuse for the joy of argument, please >>> don't bother - I don't enjoy that kind of fight, anymore. >> >> No, but you are starting to come accross as one who accuses others of >> not seeing your point or argueing 'for the sake of it' because we will >> not turn around and say its a bad thing because some see it as a good >> thing. > > >No, I don't expect agreement. I merely want you to explain how you >justify the use of one third-party invasive tool over another. I >suspect that it's the degree of impact which you use to make your >decision. If so, that's fine. We won't agree, but you will at least >have been honest with me about why you think it's okay. 
And I'll know >that you "got my point." And, to be honest, I'll get to feel morally >superior. :) But how I "feel" shouldn't matter to you, since how I >feel about SAV doesn't bother you. > >I don't think there's much of a "we" thing going on, Res. It's just >been you and me for quite a while. Everyone else pretty much admitted >that they were being pragmatic about the amount of impact they felt the >technique had, versus its effectiveness. It's seemed to me that *you* >were the one sidestepping the question and "arguing for the sake of >it". Good to know that it was just a difference of perception. > >Anyway, this is (really!) my last response to this thread. I'll respond >to any further discussion with private email, unless requested otherwise. > >Rick > > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! From paul.hutchings at mira.co.uk Fri Apr 6 08:34:03 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Fri Apr 6 08:42:28 2007 Subject: New Server Specs? Message-ID: Appreciate the detailed reply Greg. For various reasons (non technical) it looks like Sun are off the menu so we're back to HP. At present I'm looking at 2 boxes. The DL320 G5 and the DL140 G3. Both work out at identical prices. The difference being the DL320 would have a 3050 Xeon and 1gb of RAM and the DL140 would have a 5110 Xeon and 2gb of RAM. I'm leaning towards the DL140 simply because it has more RAM for the money, and I believe it's more of a "proper" server i.e. server optimized chip/chipset (and has a second CPU socket) whilst the DL320 appears to almost be a desktop CPU put into a rackmount? Disk wise I think a pair of 80gb SATA's should be sufficient. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Matthews Sent: 04 April 2007 14:10 To: MailScanner discussion Subject: Re: New Server Specs? Paul Hutchings wrote: > Thanks all. > > I'm not desparate to do this on the cheap, but obviously I don't want to > be asking for company money for something that is massive, massive > overkill even allowing for future growth/changes etc. > > Currently I'm running on an old Poweredge with a single 2.4ghz Xeon CPU > (single core with hyperthreading) with 1gb of RAM and a single 80gb ATA > drive (we want something that will be under warranty) > > I'm running Spamassassin on incoming mail and ClamAV on all mail with no > OCR checks though this may be something I'll do in the future via > FuzzyOCR. > > I'm no expert on Linux benchmarking but uptime shows "load average: > 1.23, 1.43, 1.20". looks like you are not stretching this box too much. With hyperthreading turned on, a load average of 2 would be a good indication that the processor was never twiddling its metaphorical thumbs. That said, network services are notoriously "bursty" so you need to plan for times of high load. Consider software raid over hardware raid as it can often be faster and provided you take backups, your raid config is archived for disaster recovery. Also nice to have a good size disk area so that both spam and ham can be stored in the short term for learning/reporting. Useful too if you are relaying for other sites/domains and need to queue up mail when their servers are down. Of course, mail doesnt actually take up much space so you dont need a huge array of disks. We have about 5000 active mailboxes and I'd be happy with a 50GB mirror for short term archive/quarantine but I'd probably over-spec by a factor of two. As mentioned previously, buy lots of memory. A dual processor box will happily chew up 3-4GB of ram. 
Dual/quad core is /probably/ ok given that your processes are likely to be IO bound which should make up for memory controller latencies. Why not ask Sun for a loan of a T1000 machine with 8 cores and 32 threads? I think they are still doing a no-obligation "try and buy" scheme for these. The list would probably be v. interested in your results. > > I was looking at HP originally and then I looked at Sun and noticed > their X2100 appear to be very good VFM (and are SLES approved which > suggests I should be able to install OpenSuse "out the box"). > judging by your existing spec and LA, an X2100 will probably be fine, I'd be tempted to up the spec to a dual processor X2200 to really future-proof yourself. Again, Sun will lend you one for 60 days if you want to try it. GREG > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Freegard > Sent: 04 April 2007 11:44 > To: MailScanner discussion > Subject: Re: New Server Specs? > > Paul Hutchings wrote: >> My question is, broadly speaking which would be best to have more of, >> CPU, ram, or disk subsystem? >> I'm looking at the cheapest HP/Sun/Dell servers which tend to be SATA >> disks and slower dual-core CPUs but with plenty of memory slots. > > As Martin mentioned - memory is one key piece, you need to have 1Gb per > CPU core, then set Max Children to 5 * CPU Cores for optimum > performance. Any form of swapping/paging will quickly kill performance > of MailScanner/SpamAssassin. > > I also always recommend buying a *decent* RAID controller with > battery-backed write-back cache as fast disk access is a requirement to > cope with busy periods and future growth and. > > Cheers, > Steve. -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. 
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From strydom.dave at gmail.com Fri Apr 6 09:15:43 2007 From: strydom.dave at gmail.com (Dave Strydom) Date: Fri Apr 6 09:24:02 2007 Subject: New Server Specs? In-Reply-To: References: Message-ID: Currently I'm running 3 MailScanner servers. One is a Dual Xeon CPU, Dual core 2.33Ghz Woodcrest, with 2GB RAM and 2x 250GB SATA HDD. I also use Fuzzy OCR and process around 15 000 email a day, the load of the server never goes above about 1.2 Our other 2 mailscanners are P4 2.4Ghz, with 2GB ram and 1x 120GB SATA HDD. We run Fuzzy OCR and process around 10 000 emails per server, and the load sits between 6.5 Dave From steve.freegard at fsl.com Fri Apr 6 10:40:26 2007 From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Apr 6 10:49:00 2007 Subject: SPF_Fail score too low? In-Reply-To: <4615A318.3060408@yeticomputers.com> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <4615A318.3060408@yeticomputers.com> Message-ID: <4616158A.2000902@fsl.com> Rick Chadderdon wrote: > I don't use SPF on all of my domains because some of them have users that > will have issues with it. SPF is still useful here to you here if you supply a PASS result for everything that you know about, then return NEUTRAL for everything else. This doesn't impact the users in any way but can help people who might want to whitelist your domain. Kind regards, Steve. From res at ausics.net Fri Apr 6 10:50:02 2007 
From: res at ausics.net (Res) Date: Fri Apr 6 10:58:25 2007 Subject: IP address reputation, BorderWare In-Reply-To: <200704061252380467.039029A0@smtp1.ace.net.au> References: <4602FAAA.20009@fractalweb.com> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> <200704061252380467.039029A0@smtp1.ace.net.au> Message-ID: On Fri, 6 Apr 2007, Peter Nitschke wrote: > Perhaps a pity that you didn't take this one to private email? > > I think most of us are pretty tired of this by now. > > Peter > ace is in south oz right? ill send your ERT, star force they call em isnt it? around to penetrate your location and 'take out' the norti person whos holding the gun at your head making you read the thread. if you dont like it, dont read it additional: I have no problem with anyone wishing to killfile me (hint) and whilst we at the nit picking, how about you use some netiquette and trim your posts to whats in point, learn how to quote. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Fri Apr 6 10:59:17 2007 
From: res at ausics.net (Res)
Date: Fri Apr 6 11:07:41 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46155AEF.4010204@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com>
Message-ID:

On Thu, 5 Apr 2007, Rick Chadderdon wrote:

> Res wrote:
>> On Tue, 3 Apr 2007, Rick Chadderdon wrote:
>>
>>> I'm going to give you the benefit of the doubt and simply assume that my
>>> writing style is not clear enough for me to make a point to you. Our
>>
>> Rick you've made your point, you dont like people using it,
>
>
> That's *not* my point. That's merely a related fact. The point I was trying
> to make was *why* I don't like it. And the discussion I was trying to get

Much the same thing from where I sit I'm afraid.

> from you was philosophical. I wanted to know whether you justify all
> behavior based upon the *amount* of effect it has on others or upon whether
> it has any unjustified effect at all. Whether a third-party effect is the

its based on what affects *us*, no one in their right mind bases decisions on what affects someone elses network, they are not employed to worry about that, they are employed to protect their own network.

> Again, if effectiveness is the measure of justification for anti-spam tools,
> then TMDA should be used by everyone, right? It forces spammers to use a

look at greylisting now, and look where it was a few years ago, the exact same position as SV.

The only thing I have against grey-listing is that it banks up the outgoing queues, and is only a semi effective anti-spool tool, as spammers are more clueful now and use modified smtp engines in their worms and viruses, that honour the 4.x.x and retry, sure not all spammers are doing it this way.... yet...it becomes more noticeable every month.

But I dont go round telling people not to use it despite thinking its the pits, because i know they are doing what they consider to be in their best interest so for that I can not shoot them down.

>> No, but you are starting to come across as one who accuses others of not
>> seeing your point or arguing 'for the sake of it' because we will not turn
>> around and say its a bad thing because some see it as a good thing.
>
>
> No, I don't expect agreement. I merely want you to explain how you justify
> the use of one third-party invasive tool over another. I suspect that it's

I think I have, about 30 times already. basically it is tough luck if it did not emit from your network, but if im asked to let someone in who claims to be from you, i'll ask, like your postoffice master, if this person really lives at that address. (now i know we are going round in circles)

> the degree of impact which you use to make your decision.

any positive impact on my network is what counts, and if I deny inbound mail to a customer from someone claiming to be at your place that is not, even just once, then its worth it.

> fine. We won't agree, but you will at least have been honest with me about
> why you think it's okay. And I'll know that you "got my point." And, to be

I thought i have, 31 times now.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From campbell at cnpapers.com Fri Apr 6 11:05:07 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Apr 6 11:13:46 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com>
Message-ID: <1175853907.46161b53a11dc@perdition.cnpapers.net>

Does this thread cause swapping?

Steve

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From norbert.schmidt at interactivedata.com Fri Apr 6 11:53:42 2007
From: norbert.schmidt at interactivedata.com (Norbert Schmidt)
Date: Fri Apr 6 12:04:35 2007
Subject: Norbert Schmidt is out of the office
Message-ID:

I will be out of the office starting 06.04.2007 and will not return until 16.04.2007.

I'll answer your mail when I get back. If it is an urgent problem, please contact joerg.weiskirch@interactivedata.com

I will answer your mail after my return...

From mailscanner at yeticomputers.com Fri Apr 6 15:26:43 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Apr 6 15:35:10 2007 Subject: SPF_Fail score too low? In-Reply-To: <4616158A.2000902@fsl.com> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <4615A318.3060408@yeticomputers.com> <4616158A.2000902@fsl.com> Message-ID: <461658A3.4060502@yeticomputers.com> Steve Freegard wrote: > Rick Chadderdon wrote: >> I don't use SPF on all of my domains because some of them have users >> that will have issues with it. > > SPF is still useful here to you here if you supply a PASS result for > everything that you know about, then return NEUTRAL for everything else. > > This doesn't impact the users in any way but can help people who might > want to whitelist your domain. I suppose that's worth consideration, especially if my mailserver's address ever ends up in an RBL. But... I really can't see most admins being willing (or able) to set up a whitelist that only allows a whitelisted domain if it passed SPF. Still, it could be useful in that case, I agree. Rick From mailscanner at yeticomputers.com Fri Apr 6 15:48:48 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Apr 6 15:57:15 2007 Subject: SPF_Fail score too low? In-Reply-To: <46156191.6030601@evi-inc.com> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> Message-ID: <46165DD0.7050808@yeticomputers.com> Matt Kettler wrote: > In the SpamAssassin 3.1.x mass-checks, SPF_FAIL had 95.5% of its matches being > spam, and 4.5% being nonspam. Softfail on the other hand was 99.2% spam and 0.8% > nonspam. Was this on your own corpus? If so, how large was it? If not, do you have a reference you can point me at? When I first started doing SPF checks, I used Postfix's "warn_if_reject" feature to test it for a couple of months. My hardfails were 100% spam - not a single exception. I did not examine softfails. (I'm not sure I could have if I'd wanted, since I don't believe they would have been logged, softfail not being a reject.) Of course, my mail flow is pretty low, but it looked pretty safe to me. And, since I'm rejecting it at the MTA, an offending legit message should at least generate notification at their end. If softfails are that high... Hm. I'll have to figure out a way to test that on my own mail flow for a while. Might be worth it to reject on those, too, although I believe I'll have to modify the check. If I recall, it was hardcoded to pass on softfail and reject on hardfail. Been a while since I looked at it. Rick From Kevin_Miller at ci.juneau.ak.us Fri Apr 6 15:54:29 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Apr 6 16:02:42 2007 Subject: SPF_Fail score too low? In-Reply-To: <46157FC1.7090906@evi-inc.com> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> Message-ID: Matt Kettler wrote: > Kevin Miller wrote: >> Matt Kettler wrote: >> > snip > It's gotchas like that which make me suggest starting off at neutral. > Even though you can reliably know what machines SHOULD be allowed to > send mail from your domain, you might have servers that DO send mail > from your domain even though they should not that provide critical > business services. I understand the problem, but I'm still unclear on how one test for it. If you put up a domain with neutral or softfail, how do you know when a hit occurs? If I spoof your domain and send to a third party, they'll either silently drop the email or send 550 back to me. How do *you* know when it's safe to walk a neutral up to softfail and from there to hardfail? When I first installed spf in my dns I searched all over the spf web site for clues on how folks are doing that. Never found anything... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mailscanner at yeticomputers.com Fri Apr 6 16:24:17 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Apr 6 16:32:44 2007 Subject: SPF_Fail score too low? In-Reply-To: References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> Message-ID: <46166621.4090602@yeticomputers.com> Kevin Miller wrote: > Matt Kettler wrote: > >> Kevin Miller wrote: >> >>> Matt Kettler wrote: >>> >>> >> snip >> It's gotchas like that which make me suggest starting off at neutral. >> Even though you can reliably know what machines SHOULD be allowed to >> send mail from your domain, you might have servers that DO send mail >> from your domain even though they should not that provide critical >> business services. >> > > I understand the problem, but I'm still unclear on how one test for it. > If you put up a domain with neutral or softfail, how do you know when a > hit occurs? If I spoof your domain and send to a third party, they'll > either silently drop the email or send 550 back to me. How do *you* > know when it's safe to walk a neutral up to softfail and from there to > hardfail? When I first installed spf in my dns I searched all over the > spf web site for clues on how folks are doing that. Never found > anything... There is no way to test what other users are doing with your SPF info. You can only look at your user complaints about mail they sent that was: 1. undelivered 2. marked as spam by someone else's spam filter And you can look at the number of bogus virus and spam bounces you receive. All of this is unreliable at best. You're relying entirely on a statistical evaluation of your problem reports, trying to determine whether they've changed between your different SPF entries. For most of us, we have nowhere near the volume of mail (or problem reports) that would be necessary to get a meaningful result from such analysis. 
I suppose that you *could* fire off a few huge spam runs spoofing your domain from a third party server (or a botnet) and see how many of your messages get accepted with each of neutral, softfail and hardfail set. I don't think I'd want to use this test. :)

Rick

From email at ace.net.au Fri Apr 6 16:40:19 2007
From: email at ace.net.au (Peter Nitschke) Date: Fri Apr 6 16:48:56 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> <200704061252380467.039029A0@smtp1.ace.net.au> Message-ID: <200704070110190260.0633875A@smtp1.ace.net.au> Res, As you yourself said, nobody forced you to read it all, heck, I even top posted so you didn't have to. Personally I don't believe in blocking your or anyone else's posts just because this thread has gotten over done. It is however, just a bit sad that you don't know when to stop or to take an off-topic thread to email just so your ego can have a play. Hint - Sarcasm and nit-picking isn't a substitute for quality posting. Cheers (as you say) Peter *********** REPLY SEPARATOR *********** On 6/04/2007 at 7:50 PM Res wrote: >On Fri, 6 Apr 2007, Peter Nitschke wrote: > >> Perhaps a pity that you didn't take this one to private email? >> >> I think most of us are pretty tired of this by now. >> >> Peter >> > >ace is in south oz right? ill send your ERT, star force they call em isnt >it? around to penetrate your location and 'take out' the norti person >whos holding the gun at your head making you read the thread. > >if you dont like it, dont read it > >additional: I have no problem with anyone wishing to killfile me (hint) > >and whilst we at the nit picking, how about you use some netiquette and >trim your posts to whats in point, learn how to quote. > > > >-- >Cheers >Res > > >Let Novell know what you think of their back door deal with the devil. 
>Sign the petition today: http://techp.org/p/1/
>
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

From mkettler at evi-inc.com Fri Apr 6 17:07:55 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Apr 6 17:16:19 2007
Subject: SPF_Fail score too low?
In-Reply-To: <46165DD0.7050808@yeticomputers.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46165DD0.7050808@yeticomputers.com>
Message-ID: <4616705B.1070403@evi-inc.com>

Rick Chadderdon wrote:
> Matt Kettler wrote:
>> In the SpamAssassin 3.1.x mass-checks, SPF_FAIL had 95.5% of its
>> matches being
>> spam, and 4.5% being nonspam. Softfail on the other hand was 99.2%
>> spam and 0.8%
>> nonspam.
>
> Was this on your own corpus?

No, this is the OFFICIAL spamassassin 3.1.x mass-check. Not mine.

> If so, how large was it?

I was quoting from set3. The total corpus for that set was 176,869 messages, 123,778 spam 53091 nonspam.

> If not, do you
> have a reference you can point me at?

The results come in the SA tarball, you can see them in the rules subdirectory as the STATISTICS-set*.txt files.

The relevant bits for the STATISTICS-set3.txt in the SA 3.1.8 tarball (but is the same for all SA versions from 3.1.0-3.1.8):

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
 176869   123778    53091    0.700   0.00    0.00  (all messages)
100.000  69.9829  30.0171    0.700   0.00    0.00  (all messages as %)
  3.437   4.8942   0.0396    0.992   0.80    1.38  SPF_SOFTFAIL
  2.550   3.5717   0.1676    0.955   0.53    1.14  SPF_FAIL

From mkettler at evi-inc.com Fri Apr 6 17:09:42 2007
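An added example, not part of the original post and not SpamAssassin's own code: it parses the four rows quoted in the message above and converts the percentages back into message counts. The printed S/O values are reproduced by SPAM% / (SPAM% + HAM%), which weights the two corpora equally, so the raw share of hits that were spam is computed alongside for comparison; the function and field names are this example's own.

```python
from dataclasses import dataclass

# Rows exactly as quoted in the message above (STATISTICS-set3.txt).
QUOTED_ROWS = """\
OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
 176869   123778    53091    0.700   0.00    0.00  (all messages)
100.000  69.9829  30.0171    0.700   0.00    0.00  (all messages as %)
  3.437   4.8942   0.0396    0.992   0.80    1.38  SPF_SOFTFAIL
  2.550   3.5717   0.1676    0.955   0.53    1.14  SPF_FAIL
"""


@dataclass(frozen=True)
class RuleStats:
    name: str
    spam_pct: float    # percentage of the spam corpus the rule hit
    ham_pct: float     # percentage of the nonspam corpus the rule hit
    so_printed: float  # S/O column as printed in the file
    score: float       # SCORE column as printed in the file
    spam_hits: int     # spam_pct converted back to a message count
    ham_hits: int      # ham_pct converted back to a message count

    @property
    def so_from_pct(self) -> float:
        """S/O recomputed from the two percentage columns."""
        return self.spam_pct / (self.spam_pct + self.ham_pct)

    @property
    def raw_spam_share(self) -> float:
        """Share of the rule's actual hits that were spam (corpus-size dependent)."""
        return self.spam_hits / (self.spam_hits + self.ham_hits)

    @property
    def ham_hits_per_10k(self) -> float:
        """Legitimate messages hit per 10,000 legitimate messages."""
        return self.ham_pct * 100


def parse_statistics(text: str) -> dict:
    """Parse rule rows; the '(all messages)' row supplies the corpus sizes."""
    total_spam = total_ham = None
    rules = {}
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].upper().startswith("OVERALL"):
            continue  # blank line or column header
        _overall, spam, ham, so, _rank, score, name = fields
        name = name.strip()
        if name == "(all messages)":
            total_spam, total_ham = int(spam), int(ham)
            continue
        if name.startswith("(all messages"):
            continue  # the same totals expressed as percentages
        if total_spam is None:
            raise ValueError("rule row seen before the '(all messages)' row")
        spam_pct, ham_pct = float(spam), float(ham)
        rules[name] = RuleStats(
            name=name,
            spam_pct=spam_pct,
            ham_pct=ham_pct,
            so_printed=float(so),
            score=float(score),
            spam_hits=round(spam_pct / 100 * total_spam),
            ham_hits=round(ham_pct / 100 * total_ham),
        )
    return rules


def report(rules: dict) -> list:
    """One summary line per rule, for printing."""
    return [
        f"{r.name}: {r.spam_hits} spam / {r.ham_hits} nonspam hits, "
        f"S/O {r.so_from_pct:.3f}, raw spam share {r.raw_spam_share:.3f}, "
        f"{r.ham_hits_per_10k:.2f} nonspam hits per 10,000 nonspam"
        for r in rules.values()
    ]


if __name__ == "__main__":
    print("\n".join(report(parse_statistics(QUOTED_ROWS))))
```

For a reject-at-MTA decision the nonspam hit count is the figure to weigh, since each of those messages would have been refused.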
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Apr 6 17:18:07 2007
Subject: SPF_Fail score too low?
In-Reply-To:
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com>
Message-ID: <461670C6.3010205@evi-inc.com>

Kevin Miller wrote:
> Matt Kettler wrote:
>> Kevin Miller wrote:
>>> Matt Kettler wrote:
>>>
>> snip
>> It's gotchas like that which make me suggest starting off at neutral.
>> Even though you can reliably know what machines SHOULD be allowed to
>> send mail from your domain, you might have servers that DO send mail
>> from your domain even though they should not that provide critical
>> business services.
>
> I understand the problem, but I'm still unclear on how one test for it.

The problem I cited would show up in inbound email to my network, so I could very easily detect it. The HR dept only uses the resume service to forward resumes to managers and other HR staff here. It forges my own domain when sending mail to us.

They don't use that service to send mail to other domains.

From Kevin_Miller at ci.juneau.ak.us Fri Apr 6 17:13:15 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Apr 6 17:21:27 2007 Subject: SPF_Fail score too low? In-Reply-To: <46166621.4090602@yeticomputers.com> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> <46166621.4090602@yeticomputers.com> Message-ID: > There is no way to test what other users are doing with your SPF info. You can only look at your user complaints about mail they sent that was: >1. undelivered >2. marked as spam by someone else's spam filter And that's the rub. People say test, but there's no *real* way to test that I can see. One has to think carefully about how mail is sent from their domain or they inflict problems like Matt described on themselves. I've been spending the last hour and a half going through my mail logs looking at spf hardfails. There's a couple in there that I'll have to whitelist. Guess I'll fire off a notice to the postmaster of the domain letting them know they need to update their records as a courtesy. I had been of the mind that a softfail was more or less useless, but it occurred to me this morning that it can be an asset in that it increments the spam score. I'd prefer to reject at MTA but it's nice that sa can use it as well. It's just not much of a test tool... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From JeremyBlonde at grant.k12.ca.us Fri Apr 6 17:22:54 2007 
From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Fri Apr 6 17:31:11 2007 Subject: New Server Specs? In-Reply-To: References: Message-ID: We're running MailScanner on a HP DL320 (G4, I believe), it's a dual proc Pentium 4 3.40. I process a little less than 10,000 a day with bayes, FuzzyOCR, and MySQL logging and the load average hovers around 2. I've not had a problem with the box or performance (aside from my initial tuning of MailScanner). Jeremy Blonde Instructional Technology - Server Support Grant Joint Union High School District > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Dave Strydom > Sent: Friday, April 06, 2007 1:16 AM > To: MailScanner discussion > Subject: Re: New Server Specs? > > Currently I'm running 3 MailScanner servers. > > One is a Dual Xeon CPU, Dual core 2.33Ghz Woodcrest, with 2GB RAM and > 2x 250GB SATA HDD. > I also use Fuzzy OCR and process around 15 000 email a day, the load > of the server never goes above about 1.2 > > Our other 2 mailscanners are P4 2.4Ghz, with 2GB ram and 1x > 120GB SATA HDD. > We run Fuzzy OCR and process around 10 000 emails per server, and the > load sits between 6.5 > > Dave > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From mailscanner at yeticomputers.com Fri Apr 6 18:01:14 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Apr 6 18:10:25 2007 Subject: SPF_Fail score too low? In-Reply-To: <4616705B.1070403@evi-inc.com> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46165DD0.7050808@yeticomputers.com> <4616705B.1070403@evi-inc.com> Message-ID: <46167CDA.4050409@yeticomputers.com> Matt Kettler wrote: > Rick Chadderdon wrote: > >> Was this on your own corpus? >> > > No, this is the OFFICIAL spamassassin 3.1.x mass-check. Not mine. > Thanks! I found it. My own results differ quite significantly. Rick From steve.freegard at fsl.com Fri Apr 6 18:03:03 2007 
From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Apr 6 18:11:37 2007 Subject: SPF_Fail score too low? In-Reply-To: <461658A3.4060502@yeticomputers.com> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <4615A318.3060408@yeticomputers.com> <4616158A.2000902@fsl.com> <461658A3.4060502@yeticomputers.com> Message-ID: <46167D47.6010709@fsl.com> Rick Chadderdon wrote: > Steve Freegard wrote: >> Rick Chadderdon wrote: >>> I don't use SPF on all of my domains because some of them have users >>> that will have issues with it. >> >> SPF is still useful here to you here if you supply a PASS result for >> everything that you know about, then return NEUTRAL for everything else. >> >> This doesn't impact the users in any way but can help people who might >> want to whitelist your domain. > > I suppose that's worth consideration, especially if my mailserver's > address ever ends up in an RBL. But... I really can't see most admins > being willing (or able) to set up a whitelist that only allows a > whitelisted domain if it passed SPF. Still, it could be useful in that > case, I agree. This is precisely how much of the whitelisting is done in SpamAssassin, see Mail::SpamAssassin::Plugin::SPF and have a look at the whitelist_from_spf directive. Kind regards, Steve. From mailscanner at yeticomputers.com Fri Apr 6 19:32:35 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Apr 6 19:41:03 2007 Subject: SPF_Fail score too low? In-Reply-To: References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> <46166621.4090602@yeticomputers.com> Message-ID: <46169243.4050907@yeticomputers.com> Kevin Miller wrote: > I've been spending the last hour and a half going through my mail logs > looking at spf hardfails. There's a couple in there that I'll have to > whitelist. Guess I'll fire off a notice to the postmaster of the domain > letting them know they need to update their records as a courtesy. > A quick grep of my logs shows 394 hardfails in the last 30 days. Looking through it, I notice no domains that look like they need to send us anything. I could be wrong, but my users are quite vocal. I doubt any of them are missing email - I'd have heard about it by now. :) In the same period, SA scored 6 spam messages with SPF_HELO_SOFTFAIL, 1209 spam messages with SPF_HELO_PASS and 1779 spams with no SPF_* entry in the report. No spam messages fired any of the other SPF rules. I'm not logging the SA report for "not spam" messages, so I have no idea of how those did on the SPF tests. An SPF_PASS doesn't subtract much from the score, but it might have made a difference in close calls. > I had been of the mind that a softfail was more or less useless, but it > occurred to me this morning that it can be an asset in that it > increments the spam score. Yep, although my own stats don't show it as helping very much. Those 6 spam messages that had a SOFTFAIL all would have been marked as spam, even without the SPF check. The lowest scoring one was 12.029. Rick From res at ausics.net Sat Apr 7 00:33:18 2007 
From: res at ausics.net (Res) Date: Sat Apr 7 00:41:45 2007 Subject: IP address reputation, BorderWare In-Reply-To: <1175853907.46161b53a11dc@perdition.cnpapers.net> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> <1175853907.46161b53a11dc@perdition.cnpapers.net> Message-ID: On Fri, 6 Apr 2007, Steve Campbell wrote: > Does this thread cause swapping? only on Peters system :) -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Sat Apr 7 00:36:36 2007 
From: res at ausics.net (Res) Date: Sat Apr 7 00:45:00 2007 Subject: IP address reputation, BorderWare In-Reply-To: <200704070110190260.0633875A@smtp1.ace.net.au> References: <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> <200704061252380467.039029A0@smtp1.ace.net.au> <200704070110190260.0633875A@smtp1.ace.net.au> Message-ID: On Sat, 7 Apr 2007, Peter Nitschke wrote: > Res, > > As you yourself said, nobody forced you to read it all, heck, I even top > posted so you didn't have to. > > Personally I don't believe in blocking your or anyone else's posts just > because this thread has gotten over done. > > It is however, just a bit sad that you don't know when to stop or to take > an off-topic thread to email just so your ego can have a play. nothing to do with ego, theres only one person on this list who has any right to basically end a thread by demand, i dont take requests from any self appointed list-cop, i have ignored them for over 10 years and will do so for the over next 10 years. theres been no more crap in this thread, than in many other threads, take your selective rose coloured glasses off and you might realise that. > -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From uxbod at splatnix.net Sat Apr 7 08:18:37 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sat Apr 7 08:26:04 2007
Subject: New Server Specs?
In-Reply-To:
References:
Message-ID: <20070407081837.145d7b03@uxbod.splatnix.net>

DL365s are really nice unless you prefer Intel ;)

On Fri, 6 Apr 2007 08:34:03 +0100 "Paul Hutchings" wrote:

> Appreciate the detailed reply Greg.
>
> For various reasons (non technical) it looks like Sun are off the menu
> so we're back to HP.
>
> At present I'm looking at 2 boxes. The DL320 G5 and the DL140 G3.
>
> Both work out at identical prices.
>
> The difference being the DL320 would have a 3050 Xeon and 1gb of RAM
> and the DL140 would have a 5110 Xeon and 2gb of RAM.
>
> I'm leaning towards the DL140 simply because it has more RAM for the
> money, and I believe it's more of a "proper" server i.e. server
> optimized chip/chipset (and has a second CPU socket) whilst the DL320
> appears to almost be a desktop CPU put into a rackmount?
>
> Disk wise I think a pair of 80gb SATA's should be sufficient.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg
> Matthews
> Sent: 04 April 2007 14:10
> To: MailScanner discussion
> Subject: Re: New Server Specs?
>
> Paul Hutchings wrote:
> > Thanks all.
> >
> > I'm not desperate to do this on the cheap, but obviously I don't
> > want to be asking for company money for something that is massive,
> > massive overkill even allowing for future growth/changes etc.
> >
> > Currently I'm running on an old Poweredge with a single 2.4ghz Xeon
> > CPU (single core with hyperthreading) with 1gb of RAM and a single
> > 80gb ATA drive (we want something that will be under warranty)
> >
> > I'm running Spamassassin on incoming mail and ClamAV on all mail
> > with no OCR checks though this may be something I'll do in the
> > future via FuzzyOCR.
> >
> > I'm no expert on Linux benchmarking but uptime shows "load average:
> > 1.23, 1.43, 1.20".
>
> looks like you are not stretching this box too much. With
> hyperthreading turned on, a load average of 2 would be a good
> indication that the processor was never twiddling its metaphorical
> thumbs. That said, network services are notoriously "bursty" so you
> need to plan for times of high load.
>
> Consider software raid over hardware raid as it can often be faster
> and provided you take backups, your raid config is archived for
> disaster recovery. Also nice to have a good size disk area so that
> both spam and ham can be stored in the short term for
> learning/reporting. Useful too if you are relaying for other
> sites/domains and need to queue up mail when their servers are down.
> Of course, mail doesn't actually take up much space so you don't need a
> huge array of disks. We have about 5000 active mailboxes and I'd be
> happy with a 50GB mirror for short term archive/quarantine but I'd
> probably over-spec by a factor of two.
>
> As mentioned previously, buy lots of memory. A dual processor box
> will happily chew up 3-4GB of ram. Dual/quad core is /probably/ ok
> given that your processes are likely to be IO bound which should make
> up for memory controller latencies. Why not ask Sun for a loan of a
> T1000 machine with 8 cores and 32 threads? I think they are still
> doing a no-obligation "try and buy" scheme for these. The list would
> probably be v. interested in your results.
>
> >
> > I was looking at HP originally and then I looked at Sun and noticed
> > their X2100 appear to be very good VFM (and are SLES approved which
> > suggests I should be able to install OpenSuse "out the box").
> >
>
> judging by your existing spec and LA, an X2100 will probably be fine,
> I'd be tempted to up the spec to a dual processor X2200 to really
> future-proof yourself. Again, Sun will lend you one for 60 days if
> you want to try it.
>
> GREG
>
> > Paul Hutchings
> > Network Administrator, MIRA Ltd.
> > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
> > mailto:paul.hutchings@mira.co.uk
> >
> >
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> > Steve Freegard
> > Sent: 04 April 2007 11:44
> > To: MailScanner discussion
> > Subject: Re: New Server Specs?
> >
> > Paul Hutchings wrote:
> >> My question is, broadly speaking which would be best to have more
> >> of, CPU, ram, or disk subsystem?
> >> I'm looking at the cheapest HP/Sun/Dell servers which tend to be
> >> SATA disks and slower dual-core CPUs but with plenty of memory slots.
> >
> > As Martin mentioned - memory is one key piece, you need to have 1Gb
> > per CPU core, then set Max Children to 5 * CPU Cores for optimum
> > performance. Any form of swapping/paging will quickly kill
> > performance of MailScanner/SpamAssassin.
> >
> > I also always recommend buying a *decent* RAID controller with
> > battery-backed write-back cache as fast disk access is a requirement
> > to cope with busy periods and future growth and.
> >
> > Cheers,
> > Steve.
> >

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 845 869 2749
// SIP Phone: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From email at ace.net.au Sat Apr 7 11:41:35 2007
From: email at ace.net.au (Peter Nitschke) Date: Sat Apr 7 11:51:40 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222203.l2MM3wig030176@mail.deniscroombs.org> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> <1175853907.46161b53a11dc@perdition.cnpapers.net> Message-ID: <200704072011350835.0A4865F8@smtp1.ace.net.au> Yep, I had the sense and courtesy to members on the list to swap it to private email. How about you? Peter *********** REPLY SEPARATOR *********** On 7/04/2007 at 9:33 AM Res wrote: >On Fri, 6 Apr 2007, Steve Campbell wrote: > >> Does this thread cause swapping? > >only on Peters system :) > > > >-- >Cheers >Res From res at ausics.net Sat Apr 7 12:02:07 2007 
From: res at ausics.net (Res) Date: Sat Apr 7 12:10:35 2007 Subject: IP address reputation, BorderWare In-Reply-To: <200704072011350835.0A4865F8@smtp1.ace.net.au> References: <200703222203.l2MM3wig030176@mail.deniscroombs.org> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> <1175853907.46161b53a11dc@perdition.cnpapers.net> <200704072011350835.0A4865F8@smtp1.ace.net.au> Message-ID: didnt see it, i dont get pvt mail to this address, its a list/nntp address, if procmail doesnt sort it into a folder, its dev nulled. On Sat, 7 Apr 2007, Peter Nitschke wrote: > Yep, I had the sense and courtesy to members on the list to swap it to > private email. > > How about you? > > Peter > > > > *********** REPLY SEPARATOR *********** > > On 7/04/2007 at 9:33 AM Res wrote: > >> On Fri, 6 Apr 2007, Steve Campbell wrote: >> >>> Does this thread cause swapping? >> >> only on Peters system :) >> >> >> >> -- >> Cheers >> Res > > > -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From email at ace.net.au Sat Apr 7 12:24:28 2007 
From: email at ace.net.au (Peter Nitschke) Date: Sat Apr 7 12:35:08 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222203.l2MM3wig030176@mail.deniscroombs.org> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> <1175853907.46161b53a11dc@perdition.cnpapers.net> <200704072011350835.0A4865F8@smtp1.ace.net.au> Message-ID: <200704072054280344.0A6FA6D5@smtp1.ace.net.au> I don't have a need to hide, both my real name and a working email address are available to the list. Peter *********** REPLY SEPARATOR *********** On 7/04/2007 at 9:02 PM Res wrote: >didnt see it, i dont get pvt mail to this address, its a list/nntp >address, if procmail doesnt sort it into a folder, its dev nulled. > > >On Sat, 7 Apr 2007, Peter Nitschke wrote: > >> Yep, I had the sense and courtesy to members on the list to swap it to >> private email. >> >> How about you? >> >> Peter From res at ausics.net Sat Apr 7 16:11:25 2007 
From: res at ausics.net (Res) Date: Sat Apr 7 16:19:55 2007 Subject: IP address reputation, BorderWare In-Reply-To: <200704072054280344.0A6FA6D5@smtp1.ace.net.au> References: <200703222203.l2MM3wig030176@mail.deniscroombs.org> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> <460BF764.3040105@yeticomputers.com> <4611419D.7060505@yeticomputers.com> <46125D3C.1010907@yeticomputers.com> <46155AEF.4010204@yeticomputers.com> <1175853907.46161b53a11dc@perdition.cnpapers.net> <200704072011350835.0A4865F8@smtp1.ace.net.au> <200704072054280344.0A6FA6D5@smtp1.ace.net.au> Message-ID: On Sat, 7 Apr 2007, Peter Nitschke wrote: > > > I don't have a need to hide, both my real name and a working email address > are available to the list. > errr so what? i was not and have no intention or need to email you. YAWN... this account is used in 27 mailing lists, and 19 newsgroups and has been for sometime, therefore it is most likely in just about every spam list known to man, accepting email to this email address by only the lists, ensures I pretty much dont see any spam that gets past SA etc. I dont have to hide, those on this list for several years know me and who i am. those like you who dont are completely immaterial to me, and your opinion means absolutely nothing to me. > Peter > > > *********** REPLY SEPARATOR *********** > > On 7/04/2007 at 9:02 PM Res wrote: > >> didnt see it, i dont get pvt mail to this address, its a list/nntp >> address, if procmail doesnt sort it into a folder, its dev nulled. >> >> >> On Sat, 7 Apr 2007, Peter Nitschke wrote: >> >>> Yep, I had the sense and courtesy to members on the list to swap it to >>> private email. >>> >>> How about you? >>> >>> Peter > > > -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From MailScanner at ecs.soton.ac.uk Sat Apr 7 19:18:05 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Apr 7 19:28:02 2007 Subject: I'm back at home In-Reply-To: <46155CA8.4010808@yeticomputers.com> References: <46128E8E.1060508@ecs.soton.ac.uk> <46155CA8.4010808@yeticomputers.com> Message-ID: <4617E05D.7010901@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Many thanks to all of you for your kind words. I had a count up this morning and I have 60 Get Well cards from 15 different countries! If you want to help relieve my growing boredom at home, I have added a few DVD's to my Amazon wish list, which you can get to from the link on http://www.mailscanner.info/donate.html So if you are feeling generous... :-) Thank you again for all your support and kind wishes. Regards, Jules. Rick Chadderdon wrote: > Glad to hear you're home. :) Wishing you a quick, full recovery! > > Rick Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: ISO-8859-1 wj8DBQFGF+CbEfZZRxQVtlQRAsXHAKD0Hv/LI0X7gN+9Upj+dF2Oap+FGwCfS/yt knCmckM90ojneIJcV8JrfUA= =4Bn9 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From chris at bluecobras.com Sun Apr 8 01:33:11 2007 
From: chris at bluecobras.com (Chris Hammond)
Date: Sun Apr 8 01:42:46 2007
Subject: I'm back at home
In-Reply-To: <4617E05D.7010901@ecs.soton.ac.uk>
References: <46128E8E.1060508@ecs.soton.ac.uk> <46155CA8.4010808@yeticomputers.com> <4617E05D.7010901@ecs.soton.ac.uk>
Message-ID: <46183847.8030905@bluecobras.com>

Julian Field wrote:
> Many thanks to all of you for your kind words. I had a count up this
> morning and I have 60 Get Well cards from 15 different countries!
>
> If you want to help relieve my growing boredom at home, I have added a
> few DVD's to my Amazon wish list, which you can get to from the link on
> http://www.mailscanner.info/donate.html
>
> So if you are feeling generous... :-)
>
> Thank you again for all your support and kind wishes.
>
> Regards,
> Jules.
>
> Rick Chadderdon wrote:
>> Glad to hear you're home. :) Wishing you a quick, full recovery!
>
>> Rick
>
> Jules
>

From jan-peter at koopmann.eu Sat Apr 7 16:31:20 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Sun Apr 8 06:26:34 2007
Subject: How to flag SPAM in MS Exchange/Outlook using Mailscanner?
In-Reply-To: <2023D81BC0235143A46589958FF543F502F5DDCE@bigbird.columbiafuels.com>
References: <2023D81BC0235143A46589958FF543F502F5DDCE@bigbird.columbiafuels.com>
Message-ID:

On mailscanner-bounces@lists.mailscanner.info wrote:
> Then create a custom rule to recognize the subject line that has been
> modified by MS and max the IMF score based on that.
>
> I've been using MS with Exchange and IMF for quite some time now and
> it works like a hot damn.

I am pretty sure this will not work on header lines. You can only do
custom weighting on subject line and the mail body. Am I wrong? If so
please tell me since I could really use it on header lines as well. :-)

Regards,
JP

From asurfer at iinet.net.au Mon Apr 9 11:55:03 2007
From: asurfer at iinet.net.au (Mick)
Date: Mon Apr 9 12:03:02 2007
Subject: ClamAVModule and csv files in zip files
In-Reply-To: <46169243.4050907@yeticomputers.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> <46166621.4090602@yeticomputers.com> <46169243.4050907@yeticomputers.com>
Message-ID: <461A1B87.6050907@iinet.net.au>

Hello.

I am currently running MailScanner which uses the clamavmodule. The
other day, I received 4 emails from ad-noreply@google.com and each of
these emails has a (non-password protected) zip file and contained
within each zip file was a file called report.csv. However, MailScanner
quarantined them even though clamscan reports that none of the zip files
are infected. Placing ad-no-reply@google.com in
/etc/MailScanner/rules/virus-scan.rules results in those zip files as
sent from ad-noreply@google.com now passing through unscanned but why
were the files quarantined in the first place when clamscan says that
they're uninfected?

Thanks,
Mick.

From ssilva at sgvwater.com Mon Apr 9 16:04:12 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 9 16:13:06 2007
Subject: ClamAVModule and csv files in zip files
In-Reply-To: <461A1B87.6050907@iinet.net.au>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> <46166621.4090602@yeticomputers.com> <46169243.4050907@yeticomputers.com> <461A1B87.6050907@iinet.net.au>
Message-ID:

Mick spake the following on 4/9/2007 3:55 AM:
> Hello.
>
> I am currently running MailScanner which uses the clamavmodule. The
> other day, I received 4 emails from ad-noreply@google.com and each of
> these emails has a (non-password protected) zip file and contained
> within each zip file was a file called report.csv. However, MailScanner
> quarantined them even though clamscan reports that none of the zip files
> are infected. Placing ad-no-reply@google.com in
> /etc/MailScanner/rules/virus-scan.rules results in those zip files as
> sent from ad-noreply@google.com now passing through unscanned but why
> were the files quarantined in the first place when clamscan says that
> they're uninfected?
>
> Thanks,
> Mick.

Did it say that they were password protected?
Clamavmodule can also choke if they are over its stated limit on how
compressed the file is.
Look in this area of conf;

# ClamAVModule only: set limits when scanning for viruses.
#
# The maximum recursion level of archives,
# The maximum number of files per batch,
# The maximum file of each file,
# The maximum compression ratio of archive.
# These settings *cannot* be the filename of a ruleset, only a simple number.
ClamAVmodule Maximum Recursion Level = 10
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
ClamAVmodule Maximum Compression Ratio = 950

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dnsadmin at 1bigthink.com Mon Apr 9 19:41:22 2007
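One way to check a quarantined archive against the limits Scott quotes (an added example, not part of the original message and not MailScanner or ClamAV code). It assumes the compression ratio is each member's uncompressed size divided by its compressed size, which may differ from the scanner's own accounting; the function names and the sample archive are constructed for the illustration.

```python
import io
import zipfile

# Limits as quoted from MailScanner.conf in the message above.
MAX_FILES = 1000
MAX_FILE_SIZE = 10000000
MAX_COMPRESSION_RATIO = 950


def build_sample_zip():
    """Constructed sample: an ordinary report.csv plus one member made of a
    single repeated byte, which deflate shrinks by roughly a factor of 1000."""
    rows = "".join(
        "%d,campaign-%d,%d,%.2f\n" % (i, i % 7, (i * 37) % 1000, i * 0.013)
        for i in range(5000)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.csv", "id,campaign,clicks,cost\n" + rows)
        zf.writestr("padding.csv", b"0" * 5000000)
    return buf.getvalue()


def check_zip_limits(data, max_files=MAX_FILES, max_file_size=MAX_FILE_SIZE,
                     max_ratio=MAX_COMPRESSION_RATIO):
    """Return a list of (member, reason, value) for every limit exceeded.

    Only the central directory is read, so nothing is decompressed and an
    oversized member cannot exhaust memory while it is being checked.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        if len(members) > max_files:
            findings.append(("<archive>", "files", len(members)))
        for info in members:
            # Bit 0 of the general-purpose flags marks an encrypted member,
            # which is the "password protected" case asked about above.
            if info.flag_bits & 0x1:
                findings.append((info.filename, "encrypted", None))
            if info.file_size > max_file_size:
                findings.append((info.filename, "size", info.file_size))
            # Assumption: ratio = uncompressed size / compressed size.
            if info.compress_size and info.file_size / info.compress_size >= max_ratio:
                ratio = info.file_size // info.compress_size
                findings.append((info.filename, "ratio", ratio))
    return findings


if __name__ == "__main__":
    for name, reason, value in check_zip_limits(build_sample_zip()):
        print("%s exceeds limit: %s (%s)" % (name, reason, value))
```

Running it against an attachment pulled from the quarantine shows which limit, if any, a member exceeds before anyone raises the limits or exempts a sender from scanning.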
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Mon Apr 9 19:50:08 2007
Subject: I'm back at home
In-Reply-To: <4617E05D.7010901@ecs.soton.ac.uk>
References: <46128E8E.1060508@ecs.soton.ac.uk> <46155CA8.4010808@yeticomputers.com> <4617E05D.7010901@ecs.soton.ac.uk>
Message-ID: <200704091841.l39IfbN0023611@mxt.1bigthink.com>

At 02:18 PM 4/7/2007, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Many thanks to all of you for your kind words. I had a count up this
>morning and I have 60 Get Well cards from 15 different countries!
>
>If you want to help relieve my growing boredom at home, I have added a
>few DVD's to my Amazon wish list, which you can get to from the link on
>http://www.mailscanner.info/donate.html
>
>So if you are feeling generous... :-)
>
>Thank you again for all your support and kind wishes.
>
>Regards,
>Jules.

Cool! Glad to see you're still about and not really working! I felt
generous. So enjoy!

From pete at enitech.com.au Mon Apr 9 23:39:20 2007
From: pete at enitech.com.au (Peter Russell)
Date: Mon Apr 9 23:48:02 2007
Subject: Postfix HOLD method
In-Reply-To: <46132586.1050301@enitech.com.au>
References: <46132586.1050301@enitech.com.au>
Message-ID: <461AC098.70007@enitech.com.au>

no one? anyone?

Peter Russell wrote:
> Hello, could anyone offer me some tips on improving the HOLD method for
> postfix?
>
> my header_checks file contains
> ]# vi /etc/postfix/header_checks
> # For MailScanner
> /^from userid 0/ OK
> /^from userid 89/ OK
> /^Received/ HOLD
>
> Someone suggested this a while ago as a way to hold messages for
> checking that are inbound but not ones released from quarantine via
> mailwatch.
>
> For some reason it doesn't work anymore and I have changed anything.
>
> What's the best way to achieve this?
>
> Thanks in advance
> Pete

From mikael at syska.dk Tue Apr 10 01:29:39 2007
From: mikael at syska.dk (Mikael Syska)
Date: Tue Apr 10 01:38:35 2007
Subject: Postfix HOLD method
In-Reply-To: <461AC098.70007@enitech.com.au>
References: <46132586.1050301@enitech.com.au> <461AC098.70007@enitech.com.au>
Message-ID: <461ADA73.4070007@syska.dk>

Hey,

Think you should try the mailwatch list ... but this should help:
http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq&s=release

Or search the archive at the mailwatch list ... I know it's there ... in
the past 4 weeks it has been there 3 times

// ouT

Peter Russell wrote:
> no one? anyone?
>
> Peter Russell wrote:
>> Hello, could anyone offer me some tips on improving the HOLD method
>> for postfix?
>>
>> my header_checks file contains
>> ]# vi /etc/postfix/header_checks
>> # For MailScanner
>> /^from userid 0/ OK
>> /^from userid 89/ OK
>> /^Received/ HOLD
>>
>> Someone suggested this a while ago as a way to hold messages for
>> checking that are inbound but not ones released from quarantine via
>> mailwatch.
>>
>> For some reason it doesn't work anymore and I have changed anything.
>>
>> What's the best way to achieve this?
>>
>> Thanks in advance
>> Pete

From philip at hux.co.za Tue Apr 10 08:46:38 2007
From: philip at hux.co.za (Philip Csaplar)
Date: Tue Apr 10 08:55:02 2007
Subject: MailArch
Message-ID: <002301c77b44$606b0f10$4f05a8c0@huxgroup.local>

Skipped content of type multipart/related
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailarc.zip
Type: application/octet-stream
Size: 4786 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070410/96b42070/mailarc.obj

From list-mailscanner at linguaphone.com Tue Apr 10 08:53:14 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Apr 10 09:02:02 2007
Subject: Postfix HOLD method
In-Reply-To: <461AC098.70007@enitech.com.au>
References: <46132586.1050301@enitech.com.au> <461AC098.70007@enitech.com.au>
Message-ID: <1176191593.29062.6.camel@gblades-suse.linguaphone-intranet.co.uk>

In my header_checks file I just have the following:-

/^Received:/ HOLD

Then in /etc/Mailscanner/rules/scan.messages.rules I have :-

From: 127.0.0.1 no
FromOrTo: default yes

Then in the mailscanner config file :-

Scan Messages = %rules-dir%/scan.messages.rules

On Mon, 2007-04-09 at 23:39, Peter Russell wrote:
> no one? anyone?
>
> Peter Russell wrote:
> > Hello, could anyone offer me some tips on improving the HOLD method for
> > postfix?
> >
> > my header_checks file contains
> > ]# vi /etc/postfix/header_checks
> > # For MailScanner
> > /^from userid 0/ OK
> > /^from userid 89/ OK
> > /^Received/ HOLD
> >
> > Someone suggested this a while ago as a way to hold messages for
> > checking that are inbound but not ones released from quarantine via
> > mailwatch.
> >
> > For some reason it doesn't work anymore and I have changed anything.
> >
> > What's the best way to achieve this?
> >
> > Thanks in advance
> > Pete

From craig at csfs.co.za Tue Apr 10 09:11:09 2007
From: craig at csfs.co.za (Craig Retief)
Date: Tue Apr 10 09:19:59 2007
Subject: I'm back at home
In-Reply-To: <46128E8E.1060508@ecs.soton.ac.uk>
References: <46128E8E.1060508@ecs.soton.ac.uk>
Message-ID:

Woot it's Julian,

Welcome back man. Hope you feel your old self very soon.

All the best
Craig

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 03 April 2007 07:28 PM > To: MailScanner discussion > Subject: I'm back at home > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I spent 2 1/2 weeks unconscious in intensive care with 10 monitors, 9 > tubes, a ventilator, 2 nurses and a technician looking after just me, > 24 > hours a day. They finally brought me round when I was well enough, and > I > then spent the next 2 weeks learning how breathe, talk, use my hands, > walk and all the necessary stuff like that. > > So I am now back at home, and have my parents living in my house with > me > helping to look after me. We are all getting on fine, and life would be > really hard if they weren't here. They have fixed everything and > cleared > out all my old junk that I don't want any more, so I now have a nice > tidy house again with plenty of spare space. I won't be able to find > anything for a while, but it's really nice to have everything neat and > tidy again :-) > > It's going to be a fair while before I'm up to doing anything to do > with > MailScanner. > > This note is basically to send a very big thankyou for all the Get Well > Soon cards you have sent me from all over the world, along with all the > emails sending your best wishes too. They are all very much appreciated > and it really brightened up my day every time someone from work called > in with some more cards from around the globe. So thank you very much > for all of them! > > So I'm still alive, though it was very touch and go for the first 10 > days, and more or less back in the land of the living. Don't expect any > more than the odd health update for a while yet though :-) > > Cheers, > Jules. > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGEo8XEfZZRxQVtlQRArNXAJ0R2tBhKwf19xmeH1ss0jU27x8JnwCfdQuG > A51NIGqJNFlMF/fWrHVR4Jo= > =cjkn > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From gen2lists at paulbaily.com Tue Apr 10 09:29:27 2007 
From: gen2lists at paulbaily.com (Paul Baily)
Date: Tue Apr 10 09:38:15 2007
Subject: MailScanner gateway stats
In-Reply-To: <945492.55056.qm@web33308.mail.mud.yahoo.com>
References: <945492.55056.qm@web33308.mail.mud.yahoo.com>
Message-ID:

Hi Michael,

Sorry for the delay, got distracted by something shiny. :-)

On 02/04/2007, at 4:23 pm, Michael Mansour wrote:
> Could you explain what you did? did you just continue to use
> Mailgraph? and if so, what did you need to change to get the stats
> you wanted for mailscanner/sendmail?

Yes, continued to use Mailgraph but went through and adjusted the
regexes of strings it was looking for. I have smf-sav installed (sorry
Rick, it's got a really big cache, and I'm definitely taking what you
said on board, honest :-) so some log entries are different from usual.

What I found really helpful was grabbing the logs of a non-production
MailScanner box that included single (artificial) instances of each
case, then trying various grep strings against that log to pick up only
the actions I was looking for, e.g. good mail site-in, good mail
site-out, bounces, rejects etc. Then I plugged those into the perl
script with the appropriate counter words. I've still some fine-tuning
to do like getting send and receive (from a site context) properly
nailed down, but it's a finite problem.

If you like I can send you a copy of the file as it stands offlist.

cheers,
Paul.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070410/5783ec12/attachment.html

From asurfer at iinet.net.au Tue Apr 10 10:21:11 2007
From: asurfer at iinet.net.au (Mick) Date: Tue Apr 10 10:29:11 2007 Subject: ClamAVModule and csv files in zip files In-Reply-To: References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> <46166621.4090602@yeticomputers.com> <46169243.4050907@yeticomputers.com> <461A1B87.6050907@iinet.net.au> Message-ID: <461B5707.2020800@iinet.net.au> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070410/8a7d9746/attachment.html From sujithem at cdacb.ernet.in Tue Apr 10 13:32:12 2007 
From: sujithem at cdacb.ernet.in (Sujith Emmanuel)
Date: Tue Apr 10 13:40:56 2007
Subject: TNEF loops
Message-ID: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com>

Dear all,

I am seeing TNEF loops in my mail gateway today,

[root@mailscan mqueue]# rm -rf dfl39LTsWf020664
[root@mailscan mqueue]# tail -f /var/log/maillog | grep l39LTsWf020664
Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has had TNEF winmail.dat removed
Apr 10 17:59:11 mailscan MailScanner[4809]: SpamAssassin cache hit for message l39LTsWf020664
Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
Apr 10 17:59:11 mailscan MailScanner[4809]: Message l39LTsWf020664 added TNEF contents outf1,msg-4809-31.txt,msg-4809-21.txt
Apr 10 17:59:11 mailscan MailScanner[4809]: Message l39LTsWf020664 has had TNEF winmail.dat removed
Apr 10 17:59:14 mailscan MailScanner[4870]: SpamAssassin cache hit for message l39LTsWf020664
Apr 10 17:59:15 mailscan MailScanner[4870]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4870/l39LTsWf020664/winmail.dat
Apr 10 17:59:15 mailscan MailScanner[4870]: Message l39LTsWf020664 added TNEF contents outf1,msg-4870-31.txt,msg-4870-21.txt
Apr 10 17:59:15 mailscan MailScanner[4870]: Message l39LTsWf020664 has had TNEF winmail.dat removed
Apr 10 17:59:21 mailscan MailScanner[4743]: SpamAssassin cache hit for message l39LTsWf020664
Apr 10 17:59:21 mailscan MailScanner[4743]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4743/l39LTsWf020664/winmail.dat
Apr 10 17:59:21 mailscan MailScanner[4743]: Message l39LTsWf020664 added TNEF contents outf1,msg-4743-31.txt,msg-4743-21.txt
Apr 10 17:59:21 mailscan MailScanner[4743]: Message l39LTsWf020664 has had TNEF winmail.dat removed
Apr 10 17:59:25 mailscan MailScanner[4905]: SpamAssassin cache hit for message l39LTsWf020664
Apr 10 17:59:25 mailscan MailScanner[4905]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4905/l39LTsWf020664/winmail.dat
Apr 10 17:59:25 mailscan MailScanner[4905]: Message l39LTsWf020664 added TNEF contents outf1,msg-4905-31.txt,msg-4905-21.txt
Apr 10 17:59:25 mailscan MailScanner[4905]: Message l39LTsWf020664 has had TNEF winmail.dat removed
Apr 10 17:59:28 mailscan MailScanner[4832]: SpamAssassin cache hit for message l39LTsWf020664
Apr 10 17:59:28 mailscan MailScanner[4832]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4832/l39LTsWf020664/winmail.dat
Apr 10 17:59:28 mailscan MailScanner[4832]: Message l39LTsWf020664 added TNEF contents outf1,msg-4832-31.txt,msg-4832-21.txt
Apr 10 17:59:28 mailscan MailScanner[4832]: Message l39LTsWf020664 has had TNEF winmail.dat removed
Apr 10 17:59:29 mailscan MailScanner[4935]: SpamAssassin cache hit for message l39LTsWf020664
Apr 10 17:59:30 mailscan MailScanner[4935]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4935/l39LTsWf020664/winmail.dat
Apr 10 17:59:30 mailscan MailScanner[4935]: Message l39LTsWf020664 added TNEF contents outf1,msg-4935-31.txt,msg-4935-21.txt
Apr 10 17:59:30 mailscan MailScanner[4935]: Message l39LTsWf020664 has had TNEF winmail.dat removed

Does anyone have any clues on what could be the problem?

Thanks and Regards
Sujith Emmanuel

From vosburgh at dalsemi.com Tue Apr 10 15:37:04 2007
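[Added example, not part of the original post and not MailScanner code.] The loop in the log above shows up as one queue ID being TNEF-expanded again and again by different MailScanner child PIDs within seconds. The sketch below flags that pattern in a maillog; the function name, the thresholds and the control queue ID l39CONTROL00001 are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines taken from the log in the post above, plus one CONSTRUCTED control
# message (queue ID l39CONTROL00001) that is expanded only once.
SAMPLE_LOG = """\
Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has had TNEF winmail.dat removed
Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
Apr 10 17:59:11 mailscan MailScanner[4809]: Message l39LTsWf020664 has had TNEF winmail.dat removed
Apr 10 17:59:12 mailscan MailScanner[4809]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4809/l39CONTROL00001/winmail.dat
Apr 10 17:59:15 mailscan MailScanner[4870]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4870/l39LTsWf020664/winmail.dat
Apr 10 17:59:21 mailscan MailScanner[4743]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4743/l39LTsWf020664/winmail.dat
Apr 10 17:59:25 mailscan MailScanner[4905]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4905/l39LTsWf020664/winmail.dat
Apr 10 17:59:28 mailscan MailScanner[4832]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4832/l39LTsWf020664/winmail.dat
Apr 10 17:59:30 mailscan MailScanner[4935]: Expanding TNEF archive at /var/spool/MailScanner/incoming/4935/l39LTsWf020664/winmail.dat
"""

# syslog prefix: "Apr 10 17:59:11 host MailScanner[pid]: text"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# The queue ID is the directory that holds winmail.dat.
EXPAND_RE = re.compile(
    r"Expanding TNEF archive at \S+/(?P<qid>[^/\s]+)/winmail\.dat"
)


def find_tnef_loops(lines, min_passes=3, window=timedelta(minutes=5), year=2007):
    """Return {queue_id: details} for messages expanded at least min_passes
    times inside one time window.

    Syslog timestamps carry no year, so `year` is supplied by the caller
    (assumption: the log does not cross a year boundary).
    """
    passes = defaultdict(list)  # queue id -> [(timestamp, pid), ...]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = EXPAND_RE.search(m["msg"])
        if not hit:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        passes[hit["qid"]].append((ts, int(m["pid"])))

    findings = {}
    for qid, events in passes.items():
        events.sort()
        best, lo = [], 0
        # Sliding window: keep the densest run of expansions for this message.
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if hi - lo + 1 > len(best):
                best = events[lo:hi + 1]
        if len(best) >= min_passes:
            findings[qid] = {
                "passes": len(best),
                "pids": sorted({pid for _, pid in best}),
                "span_seconds": int((best[-1][0] - best[0][0]).total_seconds()),
            }
    return findings


if __name__ == "__main__":
    for qid, info in find_tnef_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{qid}: {info['passes']} TNEF expansions in "
              f"{info['span_seconds']}s by PIDs {info['pids']}")
```

A message stuck in such a loop keeps consuming scanner children, so a hit is worth alerting on as a mail-gateway availability problem.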
From: vosburgh at dalsemi.com (David Vosburgh)
Date: Tue Apr 10 15:45:59 2007
Subject: TNEF loops
In-Reply-To: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com>
Message-ID: <461BA110.6020308@dalsemi.com>

Sujith Emmanuel wrote:
> Dear all,
>
> I am seeing TNEF loops in my mail gateway today,
>
> [root@mailscan mqueue]# rm -rf dfl39LTsWf020664
> [root@mailscan mqueue]# tail -f /var/log/maillog | grep l39LTsWf020664
> Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has
> had TNEF winmail.dat removed
> Apr 10 17:59:11 mailscan MailScanner[4809]: SpamAssassin cache hit for
> message l39LTsWf020664
> Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at
> /var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
>
> Does anyone have any clues on what could be the problem?
>
> Thanks and Regards
> Sujith Emmanuel

I ran into the same problem a few times when using the TNEF expander
program. I posted essentially the same question as you, and there was
a consensus to switch to the internal expander. After making the
switch, I haven't noticed the problem again.

In my MailScanner.conf, I now have the following:

TNEF Expander = internal
#TNEF Expander = /usr/bin/tnef --maxsize=100000000

--
Dave Vosburgh

From MailScanner at ecs.soton.ac.uk Tue Apr 10 16:23:56 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 10 16:33:33 2007
Subject: TNEF loops
In-Reply-To: <461BA110.6020308@dalsemi.com>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com>
Message-ID: <461BAC0C.8010207@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You might also want to make sure you have the latest TNEF program, in
case your one is an older more buggy release. It's on sourceforge.net.
MailScanner ships with the latest version available at the time of release.

David Vosburgh wrote:
> Sujith Emmanuel wrote:
>> Dear all,
>>
>> I am seeing TNEF loops in my mail gateway today,
>>
>> [root@mailscan mqueue]# rm -rf dfl39LTsWf020664
>> [root@mailscan mqueue]# tail -f /var/log/maillog | grep l39LTsWf020664
>> Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has
>> had TNEF winmail.dat removed
>> Apr 10 17:59:11 mailscan MailScanner[4809]: SpamAssassin cache hit for
>> message l39LTsWf020664
>> Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at
>> /var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
>
>>
>> Does anyone have any clues on what could be the problem?
>>
>> Thanks and Regards
>> Sujith Emmanuel
> I ran into the same problem a few times when using the TNEF expander
> program. I posted essentially the same question as you, and there was
> a consensus to switch to the internal expander. After making the
> switch, I haven't noticed the problem again.
>
> In my MailScanner.conf, I now have the following:
>
> TNEF Expander = internal
> #TNEF Expander = /usr/bin/tnef --maxsize=100000000
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.0 (Build 214)
Charset: ISO-8859-1

wj8DBQFGG6wUEfZZRxQVtlQRAu6mAJ9MZZLQJPeZFOB4ts3BJRcL/YcTZACfZ6b3
ED6L1yHuQDn394/d+f5atpY=
=8kq9
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From clacroix at cegep-ste-foy.qc.ca Tue Apr 10 16:28:05 2007
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Tue Apr 10 16:36:48 2007
Subject: TNEF loops
In-Reply-To: <461BAC0C.8010207@ecs.soton.ac.uk>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com> <461BAC0C.8010207@ecs.soton.ac.uk>
Message-ID: <200704101128.05362.clacroix@cegep-ste-foy.qc.ca>

Woooah, take it easy Jules ..

On Tuesday 10 April 2007 11:23, Julian Field wrote:
> You might also want to make sure you have the latest TNEF program, in
> case your one is an older more buggy release. It's on sourceforge.net.
> MailScanner ships with the latest version available at the time of release.
>
> David Vosburgh wrote:
> > Sujith Emmanuel wrote:
> >> Dear all,
> >>
> >> I am seeing TNEF loops in my mail gateway today,
> >>
> >> [root@mailscan mqueue]# rm -rf dfl39LTsWf020664
> >> [root@mailscan mqueue]# tail -f /var/log/maillog | grep l39LTsWf020664
> >> Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has
> >> had TNEF winmail.dat removed
> >> Apr 10 17:59:11 mailscan MailScanner[4809]: SpamAssassin cache hit for
> >> message l39LTsWf020664
> >> Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at
> >> /var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
> >
> >
> >
> >> Does anyone have any clues on what could be the problem?
> >>
> >> Thanks and Regards
> >> Sujith Emmanuel
> >
> > I ran into the same problem a few times when using the TNEF expander
> > program. I posted essentially the same question as you, and there was
> > a consensus to switch to the internal expander. After making the
> > switch, I haven't noticed the problem again.
> >
> > In my MailScanner.conf, I now have the following:
> >
> > TNEF Expander = internal
> > #TNEF Expander = /usr/bin/tnef --maxsize=100000000
>
> Jules
>
> --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk

--
Charles Lacroix, Administrateur UNIX.
Service des télécommunications et des technologies
Cégep de Sainte-Foy (418) 659-6600 # 4266

From dyioulos at firstbhph.com Tue Apr 10 16:49:53 2007
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Tue Apr 10 16:58:08 2007
Subject: TNEF loops
In-Reply-To: <461BAC0C.8010207@ecs.soton.ac.uk>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com> <461BAC0C.8010207@ecs.soton.ac.uk>
Message-ID: <200704101149.53343.dyioulos@firstbhph.com>

On Tuesday 10 April 2007 11:23 am, Julian Field wrote:
> You might also want to make sure you have the latest TNEF program, in
> case your one is an older more buggy release. It's on sourceforge.net.
> MailScanner ships with the latest version available at the time of release.
>
> David Vosburgh wrote:
> > Sujith Emmanuel wrote:
> >> Dear all,
> >>
> >> I am seeing TNEF loops in my mail gateway today,
> >>
> >> [root@mailscan mqueue]# rm -rf dfl39LTsWf020664
> >> [root@mailscan mqueue]# tail -f /var/log/maillog | grep l39LTsWf020664
> >> Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has
> >> had TNEF winmail.dat removed
> >> Apr 10 17:59:11 mailscan MailScanner[4809]: SpamAssassin cache hit for
> >> message l39LTsWf020664
> >> Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at
> >> /var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
> >
> >
> >
> >> Does anyone have any clues on what could be the problem?
> >>
> >> Thanks and Regards
> >> Sujith Emmanuel
> >
> > I ran into the same problem a few times when using the TNEF expander
> > program. I posted essentially the same question as you, and there was
> > a consensus to switch to the internal expander. After making the
> > switch, I haven't noticed the problem again.
> >
> > In my MailScanner.conf, I now have the following:
> >
> > TNEF Expander = internal
> > #TNEF Expander = /usr/bin/tnef --maxsize=100000000
>
> Jules
>
> --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>

OT, I know, but uh, Jules, aren't you supposed to be taking it easy (or
is this your idea of r 'n' r?).

Dimitri

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From vosburgh at dalsemi.com Tue Apr 10 16:54:06 2007
From: vosburgh at dalsemi.com (David Vosburgh)
Date: Tue Apr 10 17:03:28 2007
Subject: blacklists and archiving
Message-ID: <461BB31E.7060500@dalsemi.com>

I have set up mail archiving to both a file and another email address
for all mail from a particular domain. That much has worked fine for
some time now. I recently got a request to blacklist one address in
that domain, so I put an entry in the spam.blacklists.rules file. The
next time a message came through from that address, rather than being
blacklisted, the message was delivered and archived as normal (and yes
I did restart MailScanner).

Is this a matter of precedence? That is, does archiving take precedence
over blacklisting? Or is this a misconfiguration on my part, or a bug?
Here's the MailScanner -v output:

# MailScanner -v
Running on
Linux artesia 2.6.9-42.0.3.ELsmp #1 SMP Fri Oct 6 06:21:39 CDT 2006 i686 i686 i386 GNU/Linux
This is CentOS release 4.4 (Final)
This is Perl version 5.008005 (5.8.5)

This is MailScanner version 4.55.10
Module versions are:
1.00    AnyDBM_File
1.14    Archive::Zip
1.03    Carp
1.119   Convert::BinHex
1.00    DirHandle
1.05    Fcntl
2.73    File::Basename
2.08    File::Copy
2.01    FileHandle
1.06    File::Path
0.14    File::Temp
0.90    Filesys::Df
1.35    HTML::Entities
3.54    HTML::Parser
2.37    HTML::TokeParser
1.21    IO
1.10    IO::File
1.123   IO::Pipe
1.71    Mail::Header
3.05    MIME::Base64
5.420   MIME::Decoder
5.420   MIME::Decoder::UU
5.420   MIME::Head
5.420   MIME::Parser
3.03    MIME::QuotedPrint
5.420   MIME::Tools
0.10    Net::CIDR
1.08    POSIX
1.77    Socket
1.4     Sys::Hostname::Long
0.17    Sys::Syslog
1.86    Time::HiRes
1.02    Time::localtime

Optional module versions are:
0.17    Convert::TNEF
1.814   DB_File
1.12    DBD::SQLite
1.50    DBI
1.15    Digest
1.01    Digest::HMAC
2.36    Digest::MD5
2.10    Digest::SHA1
0.44    Inline
0.17    Mail::ClamAV
3.001004        Mail::SpamAssassin
1.999001        Mail::SPF::Query
0.20    Net::CIDR::Lite
1.25    Net::IP
0.57    Net::DNS
0.31    Net::LDAP
1.94    Parse::RecDescent
missing SAVI
2.56    Test::Harness
0.47    Test::Simple
1.95    Text::Balanced
1.35    URI

Dave

--
Dave Vosburgh

From chris at bluecobras.com Tue Apr 10 18:02:40 2007
From: chris at bluecobras.com (chris@bluecobras.com)
Date: Tue Apr 10 18:17:10 2007
Subject: TNEF loops
In-Reply-To: <461BAC0C.8010207@ecs.soton.ac.uk>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com> <461BAC0C.8010207@ecs.soton.ac.uk>
Message-ID: <20070410130240.e5kzbfks0sc44wgc@www.bluecobras.com>

Quoting Julian Field :

Uh, Julian, aren't you supposed to be watching a lot of West Wing! :)

Chris

> You might also want to make sure you have the latest TNEF program, in
> case your one is an older more buggy release. It's on sourceforge.net.
> MailScanner ships with the latest version available at the time of release.
>
> David Vosburgh wrote:
>> Sujith Emmanuel wrote:
>>> Dear all,
>>>
>>> I am seeing TNEF loops in my mail gateway today,
>>>
>>> [root@mailscan mqueue]# rm -rf dfl39LTsWf020664
>>> [root@mailscan mqueue]# tail -f /var/log/maillog | grep l39LTsWf020664
>>> Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has
>>> had TNEF winmail.dat removed
>>> Apr 10 17:59:11 mailscan MailScanner[4809]: SpamAssassin cache hit for
>>> message l39LTsWf020664
>>> Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at
>>> /var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
>>
>>>
>>> Does anyone have any clues on what could be the problem?
>>>
>>> Thanks and Regards
>>> Sujith Emmanuel
>> I ran into the same problem a few times when using the TNEF expander
>> program. I posted essentially the same question as you, and there was
>> a consensus to switch to the internal expander. After making the
>> switch, I haven't noticed the problem again.
>>
>> In my MailScanner.conf, I now have the following:
>>
>> TNEF Expander = internal
>> #TNEF Expander = /usr/bin/tnef --maxsize=100000000
>>
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.0 (Build 214)
> Charset: ISO-8859-1
>
> wj8DBQFGG6wUEfZZRxQVtlQRAu6mAJ9MZZLQJPeZFOB4ts3BJRcL/YcTZACfZ6b3
> ED6L1yHuQDn394/d+f5atpY=
> =8kq9
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

From dnsadmin at 1bigthink.com Tue Apr 10 20:43:23 2007
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Tue Apr 10 20:52:16 2007
Subject: TNEF loops
In-Reply-To: <20070410130240.e5kzbfks0sc44wgc@www.bluecobras.com>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com> <461BAC0C.8010207@ecs.soton.ac.uk> <20070410130240.e5kzbfks0sc44wgc@www.bluecobras.com>
Message-ID: <200704101943.l3AJhbIo030155@mxt.1bigthink.com>

I got him a couple of movies off his list, but they probably haven't
made it there, yet. ;^)

Just a couple 'o days Julian..!

At 01:02 PM 4/10/2007, you wrote:
>Quoting Julian Field :
>
>Uh, Julian, aren't you supposed to be watching a lot of West Wing! :)
>
>Chris
>
>>You might also want to make sure you have the latest TNEF program, in
>>case your one is an older more buggy release. It's on sourceforge.net.
>>MailScanner ships with the latest version available at the time of release.
>>
>>David Vosburgh wrote:
>>>Sujith Emmanuel wrote:
>>>>Dear all,
>>>>
>>>> I am seeing TNEF loops in my mail gateway today,
>>>>
>>>>[root@mailscan mqueue]# rm -rf dfl39LTsWf020664
>>>>[root@mailscan mqueue]# tail -f /var/log/maillog | grep l39LTsWf020664
>>>>Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has
>>>>had TNEF winmail.dat removed
>>>>Apr 10 17:59:11 mailscan MailScanner[4809]: SpamAssassin cache hit for
>>>>message l39LTsWf020664
>>>>Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at
>>>>/var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
>>>
>>>>
>>>>Does anyone have any clues on what could be the problem?
>>>>
>>>>Thanks and Regards
>>>>Sujith Emmanuel
>>>I ran into the same problem a few times when using the TNEF expander
>>>program. I posted essentially the same question as you, and there was
>>>a consensus to switch to the internal expander. After making the
>>>switch, I haven't noticed the problem again.
>>>
>>>In my MailScanner.conf, I now have the following:
>>>
>>>TNEF Expander = internal
>>>#TNEF Expander = /usr/bin/tnef --maxsize=100000000
>>
>>Jules
>>
>>- --
>>Julian Field MEng CITP
>>www.MailScanner.info
>>Buy the MailScanner book at www.MailScanner.info/store
>>
>>MailScanner customisation, or any advanced system administration help?
>>Contact me at Jules@Jules.FM
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>For all your IT requirements visit www.transtec.co.uk
>>
>>
>>
>>-----BEGIN PGP SIGNATURE-----
>>Version: PGP Desktop 9.6.0 (Build 214)
>>Charset: ISO-8859-1
>>
>>wj8DBQFGG6wUEfZZRxQVtlQRAu6mAJ9MZZLQJPeZFOB4ts3BJRcL/YcTZACfZ6b3
>>ED6L1yHuQDn394/d+f5atpY=
>>=8kq9
>>-----END PGP SIGNATURE-----
>>
>>--
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and is
>>believed to be clean.
>>For all your IT requirements visit www.transtec.co.uk
>>
>>--
>>MailScanner mailing list
>>mailscanner@lists.mailscanner.info
>>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>Before posting, read http://wiki.mailscanner.info/posting
>>
>>Support MailScanner development - buy the book off the website!
>>
>>--
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and is
>>believed to be clean.
>>
>
>
>
>
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

From chris at bluecobras.com Tue Apr 10 21:41:06 2007
From: chris at bluecobras.com (chris@bluecobras.com)
Date: Tue Apr 10 21:53:36 2007
Subject: TNEF loops
In-Reply-To: <200704101943.l3AJhbIo030155@mxt.1bigthink.com>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com> <461BAC0C.8010207@ecs.soton.ac.uk> <20070410130240.e5kzbfks0sc44wgc@www.bluecobras.com> <200704101943.l3AJhbIo030155@mxt.1bigthink.com>
Message-ID: <20070410164106.dvoysrpd4gscsokg@www.bluecobras.com>

I sent him Seasons 1, 2 and 3 of West Wing and he should get them today
or tomorrow. That should give him something to do and relax.

Chris

> I got him a couple of movies off his list, but they probably haven't
> made it there, yet. ;^)
>
> Just a couple 'o days Julian..!
>
> At 01:02 PM 4/10/2007, you wrote:
>
>> Quoting Julian Field :
>>
>> Uh, Julian, aren't you supposed to be watching a lot of West Wing! :)
>>
>> Chris
>>
>>> You might also want to make sure you have the latest TNEF program, in
>>> case your one is an older more buggy release. It's on sourceforge.net.
>>> MailScanner ships with the latest version available at the time of release.
>>>
>>> David Vosburgh wrote:
>>>> Sujith Emmanuel wrote:
>>>>> Dear all,
>>>>>
>>>>> I am seeing TNEF loops in my mail gateway today,
>>>>>
>>>>> [root@mailscan mqueue]# rm -rf dfl39LTsWf020664
>>>>> [root@mailscan mqueue]# tail -f /var/log/maillog | grep l39LTsWf020664
>>>>> Apr 10 17:59:09 mailscan MailScanner[4473]: Message l39LTsWf020664 has
>>>>> had TNEF winmail.dat removed
>>>>> Apr 10 17:59:11 mailscan MailScanner[4809]: SpamAssassin cache hit for
>>>>> message l39LTsWf020664
>>>>> Apr 10 17:59:11 mailscan MailScanner[4809]: Expanding TNEF archive at
>>>>> /var/spool/MailScanner/incoming/4809/l39LTsWf020664/winmail.dat
>>>>
>>>>>
>>>>> Does anyone have any clues on what could be the problem?
>>>>>
>>>>> Thanks and Regards
>>>>> Sujith Emmanuel
>>>> I ran into the same problem a few times when using the TNEF expander
>>>> program. I posted essentially the same question as you, and there was
>>>> a consensus to switch to the internal expander. After making the
>>>> switch, I haven't noticed the problem again.
>>>>
>>>> In my MailScanner.conf, I now have the following:
>>>>
>>>> TNEF Expander = internal
>>>> #TNEF Expander = /usr/bin/tnef --maxsize=100000000
>>>
>>> Jules
>>>
>>> - --
>>> Julian Field MEng CITP
>>> www.MailScanner.info
>>> Buy the MailScanner book at www.MailScanner.info/store
>>>
>>> MailScanner customisation, or any advanced system administration help?
>>> Contact me at Jules@Jules.FM
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>> For all your IT requirements visit www.transtec.co.uk
>>>
>>>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: PGP Desktop 9.6.0 (Build 214)
>>> Charset: ISO-8859-1
>>>
>>> wj8DBQFGG6wUEfZZRxQVtlQRAu6mAJ9MZZLQJPeZFOB4ts3BJRcL/YcTZACfZ6b3
>>> ED6L1yHuQDn394/d+f5atpY=
>>> =8kq9
>>> -----END PGP SIGNATURE-----
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>> For all your IT requirements visit www.transtec.co.uk
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Tue Apr 10 23:39:30 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 10 23:48:14 2007
Subject: This list and Gmane
Message-ID:

Is anyone else reading this list through Gmane and experiencing things
like seeing replies before the original message shows up?
Or is my PC stuck in a temporal rift?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From seamus at rheelweb.co.nz Tue Apr 10 23:50:55 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Tue Apr 10 23:58:22 2007
Subject: This list and Gmane
In-Reply-To:
Message-ID: <002501c77bc2$b2eeba10$5e01a8c0@seamoose>

I use Outlook and simply get the messages in the wrong order. Could be
related?

S

Seamus Allan
Network Engineer
Rheel Electronics Ltd

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Wednesday, 11 April 2007 10:40 a.m.
To: mailscanner@lists.mailscanner.info
Subject: This list and Gmane

Is anyone else reading this list through Gmane and experiencing things
like seeing replies before the original message shows up?
Or is my PC stuck in a temporal rift?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From drew at technologytiger.net Wed Apr 11 00:00:21 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Apr 11 00:09:02 2007
Subject: This list and Gmane
In-Reply-To: <002501c77bc2$b2eeba10$5e01a8c0@seamoose>
References: <002501c77bc2$b2eeba10$5e01a8c0@seamoose>
Message-ID:

On 10 Apr 2007, at 23:50, Seamus Allan wrote:

> I use Outlook and simply get the messages in the wrong order. Could be
> related?

I have to admit to thinking only last week that the list seemed to be
running a little slow. Perhaps this is related? It can take from 10 -
20 minutes to get posts.

Paul, Michele any ideas?

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From paul at blacknight.ie Wed Apr 11 00:05:13 2007
From: paul at blacknight.ie (Paul Kelly :: Blacknight)
Date: Wed Apr 11 00:12:08 2007
Subject: This list and Gmane
In-Reply-To:
References: <002501c77bc2$b2eeba10$5e01a8c0@seamoose>
Message-ID: <461C1829.80904@blacknight.ie>

Drew Marshall wrote:
> On 10 Apr 2007, at 23:50, Seamus Allan wrote:
>
>> I use Outlook and simply get the messages in the wrong order. Could be
>> related?
>
> I have to admit to thinking only last week that the list seemed to be
> running a little slow. Perhaps this is related? It can take from 10 - 20
> minutes to get posts.
>
> Paul, Michele any ideas?

Um. Last week the server was restarted and mailman didn't come up
automatically. Or maybe that was the week before ... *thinks hard*

Sending this reply at 12:05am IST

>
> Drew
>
> --
> In line with our policy, this message has been scanned for viruses and
> dangerous content by the Technology Tiger MailScanner.
> Further information can be found at www.technologytiger.net/policy
>
> Technology Tiger Limited is registered in Scotland with registration
> number: 310997
> Registered Office 55-57 West High Street Inverurie AB51 3QQ
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Lo-call: 1850 927 280
DDI: 059 9183091
e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

From paul at blacknight.ie Wed Apr 11 00:07:30 2007
From: paul at blacknight.ie (Paul Kelly :: Blacknight)
Date: Wed Apr 11 00:14:22 2007
Subject: This list and Gmane
In-Reply-To: <461C1829.80904@blacknight.ie>
References: <002501c77bc2$b2eeba10$5e01a8c0@seamoose> <461C1829.80904@blacknight.ie>
Message-ID: <461C18B2.8090601@blacknight.ie>

>
> Um. Last week the server was restarted and mailman didn't come up
> automatically. Or maybe that was the week before ... *thinks hard*
>
> Sending this reply at 12:05am IST
>>

Arrived in my inbox in less than a minute there guys ..

>> Drew
>>
>> --
>> In line with our policy, this message has been scanned for viruses
>> and dangerous content by the Technology Tiger MailScanner.
>> Further information can be found at www.technologytiger.net/policy
>>
>> Technology Tiger Limited is registered in Scotland with registration
>> number: 310997
>> Registered Office 55-57 West High Street Inverurie AB51 3QQ
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>
>

--
Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Lo-call: 1850 927 280
DDI: 059 9183091
e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

From hvdkooij at vanderkooij.org Wed Apr 11 00:11:17 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Apr 11 00:20:09 2007
Subject: This list and Gmane
In-Reply-To: <002501c77bc2$b2eeba10$5e01a8c0@seamoose>
References: <002501c77bc2$b2eeba10$5e01a8c0@seamoose>
Message-ID:

On Wed, 11 Apr 2007, Seamus Allan wrote:

> I use Outlook and simply get the messages in the wrong order. Could be
> related?

I think one can argue that Outlook is a temporal rift in itself. Why the
timecops have not yet done any intervention and prevented Outlook from
existing at all is beyond me.

Hugo.

PS: I seem to get the messages from this mailing list in the proper order.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From res at ausics.net Wed Apr 11 00:35:04 2007
From: res at ausics.net (Res)
Date: Wed Apr 11 00:43:50 2007
Subject: This list and Gmane
In-Reply-To:
References: <002501c77bc2$b2eeba10$5e01a8c0@seamoose>
Message-ID:

On Wed, 11 Apr 2007, Hugo van der Kooij wrote:

>
> PS: I seem to get the messages from this mailinglist in the proper order.

Likewise. However the OP was asking about through gmane...

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From jon at radel.com Wed Apr 11 00:52:30 2007
From: jon at radel.com (Jon Radel)
Date: Wed Apr 11 01:01:28 2007
Subject: This list and Gmane
In-Reply-To:
References: <002501c77bc2$b2eeba10$5e01a8c0@seamoose>
Message-ID: <461C233E.2060608@radel.com>

Res wrote:
>
> On Wed, 11 Apr 2007, Hugo van der Kooij wrote:
>
>>
>> PS: I seem to get the messages from this mailinglist in the proper order.
>
> Likewise. However the OP was asking about through gmane...
>
>

Some MUAs sort the display by time of arrival. Some by the timestamp
put in the header by the original sender. Some give you a choice. Some
give the sending time in the mailbox list display, some give the arrival
time. Worrying about this without first determining what YOUR MUA does
does not strike me as a likely path to enlightenment.

In a perfect world, every sender would have the computer their MUA runs
on set with accurate time and time zone, and all mailing lists would
redistribute mail in the order in which it was received very, very
quickly. In which case, all of the above would be pretty much
equivalent. In the real world, not so much.

--Jon Radel

P.S. Now if all of you would just please set the time and timezone
properly on your workstations, I'd be happy. :-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2890 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070410/cb046548/smime.bin

From drew at technologytiger.net Wed Apr 11 00:57:52 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Apr 11 01:06:34 2007
Subject: This list and Gmane
In-Reply-To: <461C18B2.8090601@blacknight.ie>
References: <002501c77bc2$b2eeba10$5e01a8c0@seamoose> <461C1829.80904@blacknight.ie> <461C18B2.8090601@blacknight.ie>
Message-ID: <067544EE-5A95-458E-A77C-C2F38A13030C@technologytiger.net>

On 11 Apr 2007, at 00:07, Paul Kelly :: Blacknight wrote:

>
>> Um. Last week the server was restarted and mailman didn't come up
>> automatically. Or maybe that was the week before ... *thinks hard*
>> Sending this reply at 12:05am IST
>>>
>
> Arrived in my inbox in less than a minute there guys ..

Think I managed better than that

Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.technologytiger.net (Postfix) with ESMTP id A226D33C27
        for ; Wed, 11 Apr 2007 00:04:07 +0100 (BST)
Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1])
        by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l3AN923G031543;
        Wed, 11 Apr 2007 00:09:07 +0100
Received: from mx1.technologytiger.net (mx1.technologytiger.net [80.77.252.44])
        by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l3AN90AY031538
        for ; Wed, 11 Apr 2007 00:09:00 +0100
Received: from [192.168.135.254] (drew-imac.themarshalls.internal [192.168.135.254])
        by mx1.technologytiger.net (Postfix) with ESMTP id C715833C27
        for ; Wed, 11 Apr 2007 00:00:21 +0100 (BST)

So taking a view that it seems to have taken 9 minutes to go from my MX
to the list server, the list was exploded in 7 seconds and then took -5
minutes to be delivered. I think NTP is still accurate on my box but
perhaps that blue police box in the corner is causing some interference
:-)

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From raymond at prolocation.net Wed Apr 11 01:53:07 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed Apr 11 02:01:39 2007 Subject: Clam module broken after main.cvd update Message-ID: Hi! We have seen several servers barfing due to a broken clamlib after a update of freshclam. Tonight clamav released a new main.cvd, when this happened the update files were placed inside subdirs, this is part of the new clamav update scheme. Mailscanner however dont take this and will report: Apr 11 02:37:25 vmx120 MailScanner[1011]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:37:30 vmx120 MailScanner[1013]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:37:35 vmx120 MailScanner[1016]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:37:40 vmx120 MailScanner[1018]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:37:45 vmx120 MailScanner[1023]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:37:50 vmx120 MailScanner[1029]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:37:55 vmx120 MailScanner[1035]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:38:00 vmx120 MailScanner[1037]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:38:05 vmx120 MailScanner[1040]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Apr 11 02:38:10 vmx120 MailScanner[1062]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! This will give defuncts on all your MS processes. The behaviour is only with 0.9x so be aware you will for sure see your incomming queue raise till you manually fix this. On my system clam created dirs like: /usr/local/share/clamav/daily.inc I removed all inside /usr/local/share/clamav/ (all subdirs also) and did a freshclam. 
Now the main.cvd remains in the main dir again and it's going again. This is most likely a temp fix till someone fixes MS to detect this. ;) If you see the above behaviour, or wonder why your MS is defuncting all of a sudden, you know what to do....

Bye,
Raymond.

From mgt at stellarcore.net Wed Apr 11 04:15:43 2007
From: mgt at stellarcore.net (Mike Tremaine)
Date: Wed Apr 11 04:24:41 2007
Subject: heads up for clamavmodule users
Message-ID: <461C52DF.7000201@stellarcore.net>

Just a heads up: the ClamAV mirrors are slow today and it seems to have caused some partial downloads, which seems to have confused the MailScanner -> clamavmodule monitor process. If your MailScanner stack stops processing mail and spits out

None of the files matched by the "Monitors For ClamAV Updates" patterns exist!

then you need to either clean up the problem or just switch to clamav instead of clamavmodule for now and it should be fine.

-Mike

From ka at pacific.net Wed Apr 11 04:32:25 2007
From: ka at pacific.net (Ken) Date: Wed Apr 11 04:41:06 2007 Subject: Clam module broken after main.cvd update In-Reply-To: References: Message-ID: <461C56C9.5070006@pacific.net> Raymond Dijkxhoorn wrote: > Hi! > > We have seen several servers barfing due to a broken clamlib after a > update of freshclam. > > Tonight clamav released a new main.cvd, when this happened the update > files were placed inside subdirs, this is part of the new clamav > update scheme. > > Mailscanner however dont take this and will report: > > Apr 11 02:37:25 vmx120 MailScanner[1011]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:30 vmx120 MailScanner[1013]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:35 vmx120 MailScanner[1016]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:40 vmx120 MailScanner[1018]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:45 vmx120 MailScanner[1023]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:50 vmx120 MailScanner[1029]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:55 vmx120 MailScanner[1035]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:00 vmx120 MailScanner[1037]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:05 vmx120 MailScanner[1040]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:10 vmx120 MailScanner[1062]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > > This will give defuncts on all your MS processes. > > The behaviour is only with 0.9x so be aware you will for sure see your > incomming queue raise till you manually fix this. 
> > On my system clam created dirs like: > > /usr/local/share/clamav/daily.inc > > I removed all inside /usr/local/share/clamav/ (all subdirs also) and > did a freshclam. Now the main.cvd remains in the main dir again and > its going again. > > This is most likely a temp fix till someone fixes MS to detect this. ;) > > If you see the above behaviour, or wonder why your MS is defuncting > all off the sudden, you know what to do.... > > Bye, > Raymond. Raymond, THANKS! You saved me some work in the morning figuring out why "clamav-milter[27727]: Database error - clamav-milter is stopping " was filling my maillogs on a mail hub and another outgoing server. My MS instances are very patiently waiting for some official work on clamav .9x integration. Ken Anderson Pacific.Net From mgt at stellarcore.net Wed Apr 11 04:38:49 2007 From: mgt at stellarcore.net (Mike Tremaine) Date: Wed Apr 11 04:47:42 2007 Subject: heads up for clamavmodule users In-Reply-To: <461C52DF.7000201@stellarcore.net> References: <461C52DF.7000201@stellarcore.net> Message-ID: <461C5849.2090709@stellarcore.net> Mike Tremaine wrote: > > None of the files matched by the "Monitors For ClamAV Updates" patterns > exist! > > Then you need to either cleanup the problem or just switch to clamav > instead of clamvmodule for now and it should be fine. > > -Mike > After reading Raymond Dijkxhoorn post above I understand the problem.. The MailScanner.conf setting Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd Controls this and acutally globs everything out so it may be possible to change this to /usr/local/share/clamav/*.inc/* And have it watch all the files in both daily.inc/ and main.inc/ Having already reset 5 servers I'm not going to muck with it tonight but for anyone else that gets a panic call it might be worth trying. -Mike From sujithem at cdacb.ernet.in Wed Apr 11 04:56:17 2007 
From: sujithem at cdacb.ernet.in (Sujith Emmanuel) Date: Wed Apr 11 05:04:59 2007 Subject: None of the files matched by the "Monitors For ClamAV Updates" patterns exist None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Message-ID: <1d1e72700704102056w759c3292y3ead03545ca909c6@mail.gmail.com> Dear all, I have another problem on hand today which is causing all the mails to stay in the incoming queue. Apr 11 09:18:43 mailscan MailScanner[11671]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... Apr 11 09:18:43 mailscan MailScanner[11671]: Read 764 hostnames from the phishing whitelist Apr 11 09:18:43 mailscan MailScanner[11671]: Config: calling custom init function SQLBlacklist Apr 11 09:18:43 mailscan MailScanner[11671]: Starting up SQL Blacklist Apr 11 09:18:43 mailscan MailScanner[11671]: Read 3 blacklist entries Apr 11 09:18:43 mailscan MailScanner[11671]: Config: calling custom init function MailWatchLogging Apr 11 09:18:43 mailscan MailScanner[11671]: Started SQL Logging child Apr 11 09:18:43 mailscan MailScanner[11671]: Config: calling custom init function SQLWhitelist Apr 11 09:18:43 mailscan MailScanner[11671]: Starting up SQL Whitelist Apr 11 09:18:43 mailscan MailScanner[11671]: Read 11 whitelist entries Apr 11 09:18:43 mailscan MailScanner[11671]: Using SpamAssassin results cache Apr 11 09:18:43 mailscan MailScanner[11671]: Connected to SpamAssassin cache database Apr 11 09:18:43 mailscan MailScanner[11671]: Enabling SpamAssassin auto-whitelist functionality... Apr 11 09:18:45 mailscan MailScanner[11671]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! The last line is causing MailScanner to go into some sort of infinite loop of restarting. If this a ClamAV problem? 
If i run freshclam, [root@mailscan MailScanner]# freshclam ClamAV update process started at Wed Apr 11 09:24:01 2007 Connecting via 192.168.65.253 main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven) Connecting via 192.168.65.253 daily.inc is up to date (version: 3065, sigs: 3293, f-level: 14, builder: sven) Please let me know if you have any pointers for me. Thanks and Regards Sujith Emmanuel From sujithem at cdacb.ernet.in Wed Apr 11 05:32:40 2007 From: sujithem at cdacb.ernet.in (Sujith Emmanuel) Date: Wed Apr 11 05:41:23 2007 Subject: TNEF loops In-Reply-To: <461BAC0C.8010207@ecs.soton.ac.uk> References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com> <461BAC0C.8010207@ecs.soton.ac.uk> Message-ID: <1d1e72700704102132p57bfc8eas369affb29ebf372f@mail.gmail.com> Thank you everyone, i am going for the "TNEF Expander = internal" option. Thanks and Regards Sujith Emmanuel And Julian, you are the best. On 4/10/07, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You might also want to make sure you have the latest TNEF program, in > case your one is an older more buggy release. It's on sourceforge.net. > MailScanner ships with the latest version available at the time of release. > > David Vosburgh wrote: > > Sujith Emmanuel wrote: > >> Dear all, > >> > >> Thanks and Regards > >> Sujith Emmanuel > > I ran into the same problem a few times when using the TNEF expander > > program. I posted essentially the same question as you, and there was > > a consensus to switch to the internal expander. After making the > > switch, I haven't noticed the problem again. > > > > In my MailScanner.conf, I now have the following: > > > > TNEF Expander = internal > > #TNEF Expander = /usr/bin/tnef --maxsize=100000000 > > > > Jules > > - -- > Julian Field MEng CITP From ms-list at alexb.ch Wed Apr 11 06:57:30 2007 
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Apr 11 07:06:18 2007
Subject: heads up for clamavmodule users
In-Reply-To: <461C5849.2090709@stellarcore.net>
References: <461C52DF.7000201@stellarcore.net> <461C5849.2090709@stellarcore.net>
Message-ID: <461C78CA.1040304@alexb.ch>

On 4/11/2007 5:38 AM, Mike Tremaine wrote:
> Mike Tremaine wrote:
>>
>> None of the files matched by the "Monitors For ClamAV Updates"
>> patterns exist!
>>
>> Then you need to either clean up the problem or just switch to clamav
>> instead of clamavmodule for now and it should be fine.
>>
>> -Mike
>>
>
> After reading Raymond Dijkxhoorn's post above I understand the problem..
>
> The MailScanner.conf setting
>
> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
>
> Controls this and actually globs everything out so it may be possible to
> change this to
>
> /usr/local/share/clamav/*.inc/*
>
> And have it watch all the files in both daily.inc/ and main.inc/
>
> Having already reset 5 servers I'm not going to muck with it tonight but
> for anyone else that gets a panic call it might be worth trying.

Just tried this on test box, works.

Now the question is.. after following Raymond's emergency fix.. how do we revert to the old dir structure? backups!!!

Alex

From r.berber at computer.org Wed Apr 11 07:05:18 2007
From: r.berber at computer.org (=?UTF-8?B?UmVuw6kgQmVyYmVy?=)
Date: Wed Apr 11 07:14:36 2007
Subject: This list and Gmane
In-Reply-To:
References:
Message-ID:

Scott Silva wrote:
> Is anyone else reading this list through Gmane and experiencing things like
> seeing replies before the original message shows up?

Yes.
--
René Berber

From deanm at ispone.com.au Wed Apr 11 07:29:08 2007
From: deanm at ispone.com.au (Dean Manners) Date: Wed Apr 11 07:39:07 2007 Subject: TNEF strangeness Message-ID: <200704110630.l3B6UNun013841@relay01.ispone.net.au> On the topic of TNEF, I have noticed a strange qwerk with my setup. When the Rcpt To: contains a realname/quotes the message is tinkered with by MS-TNEF and the message (if HTML) is converted to plain text. When the Rcpt To: doesn't contain a realname/quotes the message is delivered as it was sent. When using the external TNEF expander the message content is attached in a txt file; eg msg-29134-17091.txt. When using the internal TNEF expander the message is not attached, but still converted to plain text. Trimmed headers of two html test messages are included below; the first with a realname/quotes in the Rcpt To that was converted to plain text, the second without realname/quotes that delivered as it was sent. From: "Dean Manners" To: "'Dean Manners'" Subject: Testing Date: Wed, 11 Apr 2007 16:00:22 +1000 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0129_01C77C52.83889F80" X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: Acd7/rEkYnyKy5NeQRydFNjHxvGjcA== X-MS-TNEF-Correlator: 00000000DBC6EFA4DA772F4AA13C77E17968CFDB04B5B900 X-Mailfilter-VirusStatus: Clean X-Mailfilter-SpamChecks: not spam, SpamAssassin (not cached, score=-2.42, required 6, AWL 0.18, BAYES_00 -2.60) X-Mailfilter-SpamStatus: Hammy 
From: "Dean Manners" To: Subject: Testingggg Date: Wed, 11 Apr 2007 16:04:32 +1000 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_012E_01C77C53.18501620" X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: Acd7/0XuJxlsfmTDQiGXiN1qUy3txg== X-Mailfilter-VirusStatus: Clean X-Mailfilter-SpamChecks: not spam, SpamAssassin (not cached, score=-2.436, required 6, AWL 0.16, BAYES_00 -2.60, HTML_MESSAGE 0.00) X-Mailfilter-SpamStatus: Hammy # /usr/bin/tnef --version tnef 1.2.3 # MailScanner --version This is Perl version 5.008004 (5.8.4) This is MailScanner version 4.57.6 Whats interesting is, looking at the SpamAssassin header, the first message is converted to plain text prior to going to SA. Any ideas on how/why this happens ? Regards __________________________________________ Dean Manners From holger at gebhardweb.de Wed Apr 11 08:08:53 2007 From: holger at gebhardweb.de (Holger Gebhard) Date: Wed Apr 11 08:17:38 2007 Subject: heads up for clamavmodule users References: <461C52DF.7000201@stellarcore.net><461C5849.2090709@stellarcore.net> <461C78CA.1040304@alexb.ch> Message-ID: <006301c77c08$439354a0$0164320a@pcconhg203> Hi all, it is very simple to monitor the old structure ;-) SweepViruses.pm split the monitoring files separatet with space... In Debian and other Debian Based Distributions: Monitors for ClamAV Updates = /var/lib/clamav/*.inc/* /var/lib/clamav/*.cvd In other Linux Distributions?: Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd Regards Holger ----- Original Message ----- 
From: "Alex Broens" To: "MailScanner discussion" Sent: Wednesday, April 11, 2007 7:57 AM Subject: Re: heads up for clamavmodule users > On 4/11/2007 5:38 AM, Mike Tremaine wrote: >> Mike Tremaine wrote: >>> >>> None of the files matched by the "Monitors For ClamAV Updates" patterns >>> exist! >>> >>> Then you need to either cleanup the problem or just switch to clamav >>> instead of clamvmodule for now and it should be fine. >>> >>> -Mike >>> >> >> After reading Raymond Dijkxhoorn post above I understand the problem.. >> >> The MailScanner.conf setting >> >> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd >> >> Controls this and acutally globs everything out so it may be possible to >> change this to >> >> /usr/local/share/clamav/*.inc/* >> >> And have it watch all the files in both daily.inc/ and main.inc/ >> >> Having already reset 5 servers I'm not going to muck with it tonight but >> for anyone else that gets a panic call it might be worth trying. > > Just tried this on test box, works. > > Now the question is.. after following Raymond's emergency fix.. how do we > revert to the dir old structure? backups!!! > > Alex > > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From drew at technologytiger.net Wed Apr 11 08:13:35 2007 
From: drew at technologytiger.net (Drew Marshall) Date: Wed Apr 11 08:22:20 2007 Subject: None of the files matched by the "Monitors For ClamAV Updates" patterns exist None of the files matched by the "Monitors For ClamAV Updates" patterns exist! In-Reply-To: <1d1e72700704102056w759c3292y3ead03545ca909c6@mail.gmail.com> References: <1d1e72700704102056w759c3292y3ead03545ca909c6@mail.gmail.com> Message-ID: <08506E2A-6400-4FBF-9E86-181CA482A70D@technologytiger.net> On 11 Apr 2007, at 04:56, Sujith Emmanuel wrote: > Dear all, > > I have another problem on hand today which is causing all the > mails to stay in the incoming queue. > > Apr 11 09:18:43 mailscan MailScanner[11671]: MailScanner E-Mail Virus > Scanner version 4.58.9 starting... > Apr 11 09:18:43 mailscan MailScanner[11671]: Read 764 hostnames from > the phishing whitelist > Apr 11 09:18:43 mailscan MailScanner[11671]: Config: calling custom > init function SQLBlacklist > Apr 11 09:18:43 mailscan MailScanner[11671]: Starting up SQL Blacklist > Apr 11 09:18:43 mailscan MailScanner[11671]: Read 3 blacklist entries > Apr 11 09:18:43 mailscan MailScanner[11671]: Config: calling custom > init function MailWatchLogging > Apr 11 09:18:43 mailscan MailScanner[11671]: Started SQL Logging child > Apr 11 09:18:43 mailscan MailScanner[11671]: Config: calling custom > init function SQLWhitelist > Apr 11 09:18:43 mailscan MailScanner[11671]: Starting up SQL Whitelist > Apr 11 09:18:43 mailscan MailScanner[11671]: Read 11 whitelist entries > Apr 11 09:18:43 mailscan MailScanner[11671]: Using SpamAssassin > results cache > Apr 11 09:18:43 mailscan MailScanner[11671]: Connected to SpamAssassin > cache database > Apr 11 09:18:43 mailscan MailScanner[11671]: Enabling SpamAssassin > auto-whitelist functionality... > Apr 11 09:18:45 mailscan MailScanner[11671]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! 
> > The last line is causing MailScanner to go into some sort of infinite > loop of restarting. > > If this a ClamAV problem? If i run freshclam, > > [root@mailscan MailScanner]# freshclam > ClamAV update process started at Wed Apr 11 09:24:01 2007 > Connecting via 192.168.65.253 > main.inc is up to date (version: 43, sigs: 104500, f-level: 14, > builder: sven) > Connecting via 192.168.65.253 > daily.inc is up to date (version: 3065, sigs: 3293, f-level: 14, > builder: sven) > > > Please let me know if you have any pointers for me. Yup, just got bitten by this myself. In MailScanner.conf there is a line that says Monitors for ClamAV Updates = make sure this ends / *.inc not /*.csd It would appear that Clam has changed the extension that it uses for definitions. MailScanner will be quite happy after then. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From drew at technologytiger.net Wed Apr 11 08:22:35 2007 
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Apr 11 08:31:19 2007
Subject: None of the files matched by the "Monitors For ClamAV Updates" patterns exist None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
In-Reply-To: <08506E2A-6400-4FBF-9E86-181CA482A70D@technologytiger.net>
References: <1d1e72700704102056w759c3292y3ead03545ca909c6@mail.gmail.com> <08506E2A-6400-4FBF-9E86-181CA482A70D@technologytiger.net>
Message-ID: <59B5E110-B915-45F7-A722-178F792CE4BB@technologytiger.net>

On 11 Apr 2007, at 08:13, Drew Marshall wrote:
> On 11 Apr 2007, at 04:56, Sujith Emmanuel wrote:
>
> Yup, just got bitten by this myself. In MailScanner.conf there is a
> line that says Monitors for ClamAV Updates = make sure this ends /
> *.inc not /*.csd
>
> It would appear that Clam has changed the extension that it uses
> for definitions. MailScanner will be quite happy after then.

OK well in true Postfix tradition I am replying to myself ;-)

DON'T follow the above as it's a fine example of when to read more before leaping straight in. Better to follow Raymond's excellent advice and do some cleaning up and reload the signatures. I did this and all was restored to normal!

Drew

From drew at technologytiger.net Wed Apr 11 08:45:14 2007
From: drew at technologytiger.net (Drew Marshall) Date: Wed Apr 11 08:45:26 2007 Subject: Clam module broken after main.cvd update In-Reply-To: References: Message-ID: <6F2FF239-2D68-42BB-B1B4-80C39DCB6062@technologytiger.net> On 11 Apr 2007, at 01:53, Raymond Dijkxhoorn wrote: > Hi! > > We have seen several servers barfing due to a broken clamlib after > a update of freshclam. > > Tonight clamav released a new main.cvd, when this happened the > update files were placed inside subdirs, this is part of the new > clamav update scheme. > > Mailscanner however dont take this and will report: > > Apr 11 02:37:25 vmx120 MailScanner[1011]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:30 vmx120 MailScanner[1013]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:35 vmx120 MailScanner[1016]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:40 vmx120 MailScanner[1018]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:45 vmx120 MailScanner[1023]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:50 vmx120 MailScanner[1029]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:55 vmx120 MailScanner[1035]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:00 vmx120 MailScanner[1037]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:05 vmx120 MailScanner[1040]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:10 vmx120 MailScanner[1062]: None of the files matched > by the "Monitors For ClamAV Updates" patterns exist! > > This will give defuncts on all your MS processes. 
> > The behaviour is only with 0.9x so be aware you will for sure see > your incomming queue raise till you manually fix this. > > On my system clam created dirs like: > > /usr/local/share/clamav/daily.inc > > I removed all inside /usr/local/share/clamav/ (all subdirs also) > and did a freshclam. Now the main.cvd remains in the main dir again > and its going again. > > This is most likely a temp fix till someone fixes MS to detect > this. ;) > > If you see the above behaviour, or wonder why your MS is defuncting > all off the sudden, you know what to do.... I found this which might be of interest... http://wiki.clamav.net/ Main/ScriptedUpdates I have also put the following into MailScanner.conf Monitors for ClamAV Updates = /var/db/clamav/*.inc/* /var/db/clamav/ *.cvd Your path to the update files may be different than the FreeBSD ones but the principle remains. MailScanner seems quite happy having two paths to check specified in the .conf file. I have only been running this for 30 minutes or so and you can never get an update when you want one so I can't tell you how it performs when the incremental db does update but I can see no reason for it not to work. Certainly if I corrupt the files in main.inc then freshclam Clam removes the incremental directory, installs the complete new .cvd and MailScanner restarts to pick up the new file so it seems happy enough... Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From tpickhan at sks-systeme.de Wed Apr 11 08:39:29 2007 
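The glob behaviour discussed in this thread, as an added example that is not part of any poster's message and not MailScanner's own code. It assumes the "Monitors for ClamAV Updates" value is a space-separated list of shell-style globs, as Holger's message describes, and it uses constructed file names in a temporary directory in place of the real database path.

```shell
#!/bin/sh
# Added example, not MailScanner code. Assumption: the monitor setting is a
# space-separated list of shell-style glob patterns.

# matched_files PATTERNS: print every existing regular file the patterns match.
matched_files() {
    # $1 is left unquoted on purpose: the shell splits it on spaces and
    # expands each glob. A glob that matches nothing stays a literal
    # string, which the -f test then rejects.
    for f in $1; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# count_monitored PATTERNS: number of files the patterns would watch.
count_monitored() {
    matched_files "$1" | wc -l | tr -d ' '
}

# total_size PATTERNS: combined size in bytes of the matched files. A later
# message in the thread reports that the monitor compares file sizes.
total_size() {
    total=0
    for f in $1; do
        if [ -f "$f" ]; then
            size=$(wc -c < "$f" | tr -d ' ')
            total=$((total + size))
        fi
    done
    echo "$total"
}

# make_layout DIR KIND: build a constructed database directory.
#   cvd = whole-file layout (main.cvd, daily.cvd)
#   inc = directory layout described in the thread (main.inc/, daily.inc/)
# The file names inside the .inc directories are constructed for the demo.
make_layout() {
    mkdir -p "$1"
    case $2 in
        cvd)
            printf 'main-signatures' > "$1/main.cvd"
            printf 'daily-signatures' > "$1/daily.cvd"
            ;;
        inc)
            mkdir -p "$1/main.inc" "$1/daily.inc"
            printf 'main-signatures' > "$1/main.inc/main.db"
            printf 'daily-signatures' > "$1/daily.inc/daily.ndb"
            ;;
    esac
}

# report DIR: evaluate the three settings quoted in the thread against DIR.
report() {
    for setting in "$1/*.cvd" "$1/*.inc/*" "$1/*.inc/* $1/*.cvd"; do
        n=$(count_monitored "$setting")
        if [ "$n" -eq 0 ]; then
            echo "NO FILES MATCHED: $setting"
        else
            echo "$n file(s), $(total_size "$setting") bytes: $setting"
        fi
    done
}

demo() {
    work=$(mktemp -d)
    make_layout "$work/legacy" cvd
    make_layout "$work/scripted" inc
    echo "== whole-file layout =="
    report "$work/legacy"
    echo "== directory layout =="
    report "$work/scripted"
    rm -rf "$work"
}

demo
```

Only the combined setting matches files in both layouts, which is why it keeps working when freshclam switches between the incremental directories and a complete .cvd.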
From: tpickhan at sks-systeme.de (tpickhan@sks-systeme.de) Date: Wed Apr 11 08:50:02 2007 Subject: Problems with Calamvmodule Message-ID: Hello Mailinglist! My English is not so well, but I hope you will understand me and hopefully have an answer to my question ;-) We have a mailscanner server on debian with mailscanner version 4.54.6, bitdefender and clamav in version 0.90.1. Normally the server works with the clamav perl modul, but as I came today in the office, I've registered that the server doesn't work still 2 AM. I've controlled the mailscanner logfiles and found the entry "none of the files matchd by the "monitors for clamav updates" patterns exist!". So I change the mailscanner config to work temporarily only with the bitdefender engine and restart the mailscanner process. I've controlled the logfiles and saw, that the queued mails were properly scanned and deliver to our exchange server. After that, I've changed the mailscanner config one more time to use the normal clamav modul. And with this engine, mailscanner works too. But with the perl module from clamav it doesn't. It appears every minute the above entry. I hope somebody can help me to solve the problem, so I can use the clamav perl modul. Thanks a lot. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070411/3897f5db/attachment.html From raymond at prolocation.net Wed Apr 11 08:53:29 2007 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed Apr 11 08:53:30 2007 Subject: None of the files matched by the "Monitors For ClamAV Updates" patterns exist None of the files matched by the "Monitors For ClamAV Updates" patterns exist! In-Reply-To: <08506E2A-6400-4FBF-9E86-181CA482A70D@technologytiger.net> References: <1d1e72700704102056w759c3292y3ead03545ca909c6@mail.gmail.com> <08506E2A-6400-4FBF-9E86-181CA482A70D@technologytiger.net> Message-ID: Hi! >> Please let me know if you have any pointers for me. > > Yup, just got bitten by this myself. In MailScanner.conf there is a line that > says Monitors for ClamAV Updates = make sure this ends /*.inc not /*.csd > > It would appear that Clam has changed the extension that it uses for > definitions. MailScanner will be quite happy after then. Uhm no! This is definately not true. Delete all files inside this dir, and do a freshclam, what do you got now? Again .cs* files... I warned for this when Clam 0.9x hit the streets. See my older posting on this some months ago, But nobody took it seriously. I warned the update procedure of clam was changing. But some users reported no it will work (now). Obviously those same users will see it needs to be fixed. Either in the config or in the code. ;) My older posting can be found on : http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070474.html Oh well... Bye, Raymond. From asurfer at iinet.net.au Wed Apr 11 09:26:20 2007 
From: asurfer at iinet.net.au (Mick) Date: Wed Apr 11 09:25:56 2007 Subject: ClamAVModule and csv files in zip files In-Reply-To: <461B5707.2020800@iinet.net.au> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> <46166621.4090602@yeticomputers.com> <46169243.4050907@yeticomputers.com> <461A1B87.6050907@iinet.net.au> <461B5707.2020800@iinet.net.au> Message-ID: <461C9BAC.4040200@iinet.net.au> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070411/8b770d96/attachment.html From martinh at solidstatelogic.com Wed Apr 11 09:44:05 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Apr 11 09:44:36 2007 Subject: Missing headers in mailscanner In-Reply-To: <4614B920.4080209@unetix.nl> Message-ID: Wim (been on holidays for a bit, and some public holidays as well so excuse the delay). Err no, the spam.assassin.prefs.conf file is purely for Spamassassin. It's MailScanner doing this modification not Spamassassin.You need to look in the MailScanner.conf for "Spam Subject Text" and "High Scoring Spam Subject Text". Also 3.3 seems a little low for spam marking in my experience. What score have you got for high spam and what do you do with this??? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Wim Bakker > Sent: 05 April 2007 09:54 > To: MailScanner discussion > Subject: Re: Missing headers in mailscanner > > > Martin.Hepworth wrote: > >> -----Original Message----- > [snipped my blah-blah] > > > > > Hi > > > > Look at the X-unetix.nl-MailScanner: header.... > > > > > > A . in the the X- header can cause a lot of problems and I'm pretty sure > > it's an illegal character at that point. > > > > Remove the . from the %org-name% setting in MailScanner.conf > > > > The {Spam?} subject modifier is done by MailScanner - have a search for > > this in MailScanner.conf and hopefully you'll see where this is done... > > > > Yes I found the location where {Spam?} was added , in the > spam.assassin.prefs.conf. > > I changed the X-unetix.nl etc header , but still the same : > ------------------------------------------------------------- > Return-Path: > Received: from mail.bhagwato.eu ([unix socket]) > by www.bhagwato.eu (Cyrus v2.3.3) with LMTPA; > Thu, 05 Apr 2007 10:44:06 +0200 > X-Sieve: CMU Sieve 2.3 > Received: from mx1.unetix.nl (mx1.unetix.nl [194.109.108.70]) > by mail.bhagwato.eu (Postfix) with ESMTP id BF55724291B8 > for ; Thu, 5 Apr 2007 10:44:06 +0200 (CEST) > Received: from mailgateway.unetix.nl (unknown [213.84.10.61]) > by mx1.unetix.nl (Postfix) with ESMTP id CBF933051207 > for ; Thu, 5 Apr 2007 10:42:45 +0200 (CEST) > Received: from localhost (localhost [127.0.0.1]) > by mailgateway.unetix.nl (Postfix) with ESMTP id 3A08520ED2E; > Thu, 5 Apr 2007 10:43:38 +0200 (CEST) > Received: from mailgateway.unetix.nl (localhost [127.0.0.1]) > by mailgateway.unetix.nl (Postfix) with SMTP id 2665920ED2C; > Thu, 5 Apr 2007 10:43:38 +0200 (CEST) > Received: from mailgateway.unetix.nl ([127.0.0.1]) > by mailgateway.unetix.nl ([192.168.253.1]) > with SMTP (gateway) id A0097DEB44D; Thu, 05 Apr 2007 10:43:37 +0200 > Received: by mailgateway.unetix.nl 
(Postfix, from userid 1001) > id DCE1E20ED31; Thu, 5 Apr 2007 10:43:37 +0200 (CEST) > X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on > mailgateway.unetix.nl > X-Spam-Level: > MIME-Version: 1.0 > X-Unetix-MailScanner-Information: Please contact the ISP for more > information > X-Unetix-MailScanner: Found to be clean > X-Unetix-MailScanner-SpamCheck: spam, SpamAssassin (not cached, > score=8.339, > required 3.3, BAYES_99 2.00, FORGED_RCVD_HELO 0.14, INFO_TLD 1.27, > J_CHICKENPOX_73 1.60, MISSING_HB_SEP 2.50, MISSING_SUBJECT 0.70, > TO_CC_NONE 0.13) > X-Unetix-MailScanner-SpamScore: ssssssss > X-Unetix-MailScanner-From: mailscanner-bounces@lists.mailscanner.info > X-Unetix-MX1: Yes > Message-Id: <20070405084406.BF55724291B8@mail.bhagwato.eu> > Date: Thu, 5 Apr 2007 10:44:06 +0200 (CEST) 
> From: mailscanner-bounces@lists.mailscanner.info > To: undisclosed-recipients:; > > ------------------------ > > Headers are now for the mailscanner machine : X-Unetix-.... > > but still the subject line and the to line are altered, the > subject line is gone alltogether and the To: line > is altered to : To: undisclosed-recipients:; > This happens with 9 out of 10 mails that originate from the > mailserver that transports the mail originally for > wim@unetix.nl to wim@bhagwato.eu (the last being my testdomain > the first my regular account). The original receiving mailserver: > mail.unetix.nl adds spam checker headers to : > X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on > mailgateway.unetix.nl > X-Spam-Level: > > On the mailscanner machine I tried to strip them with > remove_header all Level > and > remove_header all Checker-Version > but that didn't work. I still think they are the > cause of the trouble , because it only happens with mail > that contain X-Spam headers from another mailserver that > allso checks for spam. > > Thanks > > Wim bakker > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From prandal at herefordshire.gov.uk Wed Apr 11 10:16:23 2007 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Apr 11 10:16:49 2007 Subject: Clam module broken after main.cvd update In-Reply-To: References: Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA43E3A6@HC-MBX02.herefordshire.gov.uk> In /etc/MailScanner/MailScanner.conf: Monitors for ClamAV Updates = /usr/local/share/clamav/main.inc/*.?db /usr/local/share/clamav/daily.inc/*.?db /usr/local/share/clamav/*.?db Unfortunately the monitoring is looking for filesize changes, not datestamps, so it's more complicated than it need be. Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Raymond Dijkxhoorn > Sent: 11 April 2007 01:53 > To: mailscanner@lists.mailscanner.info > Subject: Clam module broken after main.cvd update > > Hi! > > We have seen several servers barfing due to a broken clamlib after a > update of freshclam. > > Tonight clamav released a new main.cvd, when this happened the update > files were placed inside subdirs, this is part of the new > clamav update > scheme. > > Mailscanner however dont take this and will report: > > Apr 11 02:37:25 vmx120 MailScanner[1011]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:30 vmx120 MailScanner[1013]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:35 vmx120 MailScanner[1016]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:40 vmx120 MailScanner[1018]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:45 vmx120 MailScanner[1023]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:50 vmx120 MailScanner[1029]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:55 vmx120 MailScanner[1035]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:00 vmx120 MailScanner[1037]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:05 vmx120 MailScanner[1040]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:10 vmx120 MailScanner[1062]: None of the files > matched by the > "Monitors For ClamAV Updates" patterns exist! > > This will give defuncts on all your MS processes. 
> > The behaviour is only with 0.9x so be aware you will for sure > see your > incomming queue raise till you manually fix this. > > On my system clam created dirs like: > > /usr/local/share/clamav/daily.inc > > I removed all inside /usr/local/share/clamav/ (all subdirs > also) and did a > freshclam. Now the main.cvd remains in the main dir again and > its going > again. > > This is most likely a temp fix till someone fixes MS to > detect this. ;) > > If you see the above behaviour, or wonder why your MS is > defuncting all > off the sudden, you know what to do.... > > Bye, > Raymond. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From raymond at prolocation.net Wed Apr 11 10:39:14 2007 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed Apr 11 10:39:13 2007 Subject: Clam module broken after main.cvd update In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA43E3A6@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA43E3A6@HC-MBX02.herefordshire.gov.uk> Message-ID: Hi! > > Monitors for ClamAV Updates = /usr/local/share/clamav/main.inc/*.?db > /usr/local/share/clamav/daily.inc/*.?db /usr/local/share/clamav/*.?db > > Unfortunately the monitoring is looking for filesize changes, not > datestamps, so it's more complicated than it need be. > And besides that you still need to monitor for the old files also. Bye, Raymond. From drew at technologytiger.net Wed Apr 11 10:49:21 2007 
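Added example, not part of any list post and not MailScanner code: a Python check for the two points raised in the messages above, namely whether a "Monitors for ClamAV Updates" value matches any file at all, and what a size-only change monitor sees compared with a datestamp one. The `*.cvd` pattern standing in for "the old files", the file names and contents, and the size-only model are assumptions constructed for illustration.

```python
"""Check a "Monitors for ClamAV Updates" value against a database directory."""
import glob
import os
import tempfile

# Value posted in the thread for MailScanner.conf.
THREAD_PATTERNS = (
    "/usr/local/share/clamav/main.inc/*.?db "
    "/usr/local/share/clamav/daily.inc/*.?db "
    "/usr/local/share/clamav/*.?db"
)
# Assumption: a *.cvd glob stands in for "the old files" named in the reply.
OLD_FILES_PATTERN = "/usr/local/share/clamav/*.cvd"


def matched_files(patterns, root="/"):
    """Expand space-separated globs below root and return the regular files."""
    found = set()
    for pattern in patterns.split():
        for path in glob.glob(os.path.join(root, pattern.lstrip("/"))):
            if os.path.isfile(path):
                found.add(path)
    return sorted(found)


def size_fingerprint(files):
    """Simplified model of monitoring by file size only (not MailScanner code)."""
    return sum(os.path.getsize(path) for path in files)


def mtime_fingerprint(files):
    """The datestamp alternative: newest modification time among the files."""
    return max((os.stat(path).st_mtime_ns for path in files), default=0)


def write_db(path, payload, mtime):
    """Create a constructed database file with a fixed modification time."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(payload)
    os.utime(path, (mtime, mtime))


def run_demo():
    """Build constructed layouts in a temp dir and report what each check sees."""
    both = THREAD_PATTERNS + " " + OLD_FILES_PATTERN
    report = {}
    with tempfile.TemporaryDirectory() as root:
        dbdir = os.path.join(root, "usr/local/share/clamav")
        # Layout 1 (constructed): only packed .cvd files in the flat directory.
        write_db(os.path.join(dbdir, "main.cvd"), b"M" * 64, 1_000_000)
        write_db(os.path.join(dbdir, "daily.cvd"), b"D" * 32, 1_000_000)
        report["flat_thread_only"] = len(matched_files(THREAD_PATTERNS, root))
        report["flat_with_old"] = len(matched_files(both, root))

        # Layout 2 (constructed): daily database unpacked into daily.inc.
        os.remove(os.path.join(dbdir, "daily.cvd"))
        ndb = os.path.join(dbdir, "daily.inc", "daily.ndb")
        write_db(ndb, b"sig-A" * 8, 1_000_100)
        files = matched_files(both, root)
        report["mixed_layout"] = [os.path.relpath(p, dbdir) for p in files]

        # An update that rewrites daily.ndb with the same number of bytes.
        before = (size_fingerprint(files), mtime_fingerprint(files))
        write_db(ndb, b"sig-B" * 8, 1_000_200)
        after = (size_fingerprint(files), mtime_fingerprint(files))
        report["size_sees_update"] = before[0] != after[0]
        report["mtime_sees_update"] = before[1] != after[1]
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A count of 0 for the thread's patterns alone is the condition behind the "None of the files matched" log line; calling `matched_files(THREAD_PATTERNS)` with the default root runs the same check against a live database directory.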
From: drew at technologytiger.net (Drew Marshall) Date: Wed Apr 11 10:49:32 2007 Subject: None of the files matched by the "Monitors For ClamAV Updates" patterns exist None of the files matched by the "Monitors For ClamAV Updates" patterns exist! In-Reply-To: References: <1d1e72700704102056w759c3292y3ead03545ca909c6@mail.gmail.com> <08506E2A-6400-4FBF-9E86-181CA482A70D@technologytiger.net> Message-ID: <59876.194.70.180.170.1176284961.squirrel@www.technologytiger.net> On Wed, April 11, 2007 08:53, Raymond Dijkxhoorn wrote: > Uhm no! This is definately not true. Delete all files inside this dir, and > do a freshclam, what do you got now? Again .cs* files... Agreed. I did repost to the same thread correcting my error :-) > > I warned for this when Clam 0.9x hit the streets. See my older posting on > this some months ago, But nobody took it seriously. I warned the update > procedure of clam was changing. But some users reported no it will work > (now). Obviously those same users will see it needs to be fixed. Either in > the config or in the code. ;) > > My older posting can be found on : > > http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070474.html Ok, hands up I missed that too. The config seems the obvious place. You option will work for the first time until freshclam runs and updates then it will want to run incremental updates so you will need to be manually clearing up the database directory every other update. I still haven't seen any problem listing both the main directory and the incremental 'de-compressed' directories for MailScanner to monitor in the MailScanner.conf file but equally I am still awaiting an incremental update :-) Regards Drew From francois.cid at hevs.ch Wed Apr 11 10:57:19 2007 
From: francois.cid at hevs.ch (Francois-Joseph Cid) Date: Wed Apr 11 10:57:31 2007 Subject: =?iso-8859-1?q?R=E9p=2E_=3A_RE=3A_Clam_module_broken_after_main?= =?iso-8859-1?q?=2Ecvd_update?= In-Reply-To: References: <7EF0EE5CB3B263488C8C18823239BEBA43E3A6@HC-MBX02.herefordshire.gov.uk> Message-ID: <461CCD1E.4A2F.005E.0@hevs.ch> Hi, I have the same issue. All incomming mail are in hold folder. When I launch Mailscanner in debug mode the message below is displayed : None of the files matched by the "Monitors For ClamAV Updates" patterns exist! at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 485 Since 8hours, no messages are delivered. Any idea ? Thanks. >>> Raymond Dijkxhoorn 11:39 11.04.2007 >>> Hi! > > Monitors for ClamAV Updates = /usr/local/share/clamav/main.inc/*.?db > /usr/local/share/clamav/daily.inc/*.?db /usr/local/share/clamav/*.?db > > Unfortunately the monitoring is looking for filesize changes, not > datestamps, so it's more complicated than it need be. > And besides that you still need to monitor for the old files also. Bye, Raymond. From hvdkooij at vanderkooij.org Wed Apr 11 11:11:26 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Apr 11 11:11:43 2007 Subject: TNEF strangeness In-Reply-To: <200704110630.l3B6UNun013841@relay01.ispone.net.au> References: <200704110630.l3B6UNun013841@relay01.ispone.net.au> Message-ID: On Wed, 11 Apr 2007, Dean Manners wrote: > On the topic of TNEF, I have noticed a strange qwerk with my setup. When the > Rcpt To: contains a realname/quotes the message is tinkered with by MS-TNEF > and the message (if HTML) is converted to plain text. When the Rcpt To: > doesn't contain a realname/quotes the message is delivered as it was sent. It seems the sender sends it in different formats. Note the MIME headers: > From: "Dean Manners" > To: "'Dean Manners'" > Subject: Testing > Date: Wed, 11 Apr 2007 16:00:22 +1000 > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_NextPart_000_0129_01C77C52.83889F80" MIMETYPE: multipart/mixed (One needs the other.) > From: "Dean Manners" > To: > Subject: Testingggg > Date: Wed, 11 Apr 2007 16:04:32 +1000 > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="----=_NextPart_000_012E_01C77C53.18501620" MIMETYPE: multipart/alternative (Pick the variant you like best to view the message.) Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From raymond at prolocation.net Wed Apr 11 11:14:36 2007 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed Apr 11 11:14:36 2007 Subject: Rép. : RE: Clam module broken after main.cvd update In-Reply-To: <461CCD1E.4A2F.005E.0@hevs.ch> References: <7EF0EE5CB3B263488C8C18823239BEBA43E3A6@HC-MBX02.herefordshire.gov.uk> <461CCD1E.4A2F.005E.0@hevs.ch> Message-ID: Hi! > None of the files matched by the "Monitors For ClamAV Updates" patterns > exist! at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 485 > > Since 8hours, no messages are delivered. > > Any idea ? I posted the solution for that in a previous post. Bye, Raymond. From francois.cid at hevs.ch Wed Apr 11 11:39:14 2007 From: francois.cid at hevs.ch (Francois-Joseph Cid) Date: Wed Apr 11 11:39:25 2007 Subject: Re: Rép. : RE: Clam module broken after main.cvd update In-Reply-To: References: <7EF0EE5CB3B263488C8C18823239BEBA43E3A6@HC-MBX02.herefordshire.gov.uk> <461CCD1E.4A2F.005E.0@hevs.ch> Message-ID: <461CD6F1.4A2F.005E.0@hevs.ch> Sorry... Thanks for this fix ;-) It works ! Bye, François >>> Raymond Dijkxhoorn 12:14 11.04.2007 >>> Hi! > None of the files matched by the "Monitors For ClamAV Updates" patterns > exist! at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 485 > > Since 8hours, no messages are delivered. > > Any idea ? I posted the solution for that in a previous post. Bye, Raymond. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From uxbod at splatnix.net Wed Apr 11 11:42:41 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Apr 11 11:42:47 2007 Subject: Whitelist based on Subject Message-ID: <99bde00edcb020f84db4b0856ddfae9f@62.49.223.244> Hi, Is it possible to whitelist based on Subject ? I am pretty sure you cannot so I tried a workaround of using MCP. I created a rule with a score of -99 for a certain subject which hits okay, but as the SA score is still above our SPAM threshold it still gets quarantined. Any way to stop this ? TIA -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From list-mailscanner at linguaphone.com Wed Apr 11 11:48:37 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 11 11:48:43 2007 Subject: Whitelist based on Subject In-Reply-To: <99bde00edcb020f84db4b0856ddfae9f@62.49.223.244> References: <99bde00edcb020f84db4b0856ddfae9f@62.49.223.244> Message-ID: <1176288517.31881.4.camel@gblades-suse.linguaphone-intranet.co.uk> You could always write a custom spamassassin rule. For examples see http://johnbokma.com/spam/spamassassin-cookbook.html On Wed, 2007-04-11 at 11:42, --[ UxBoD ]-- wrote: > Hi, > > Is it possible to whitelist based on Subject ? I am pretty sure you cannot so I tried a workaround of using MCP. I created a rule with a score of -99 for a certain subject which hits okay, but as the SA score is still above our SPAM threshold it still gets quarantined. Any way to stop this ? > > TIA > -- > --[ UxBoD ]-- > // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 > // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 > // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net > > > -- > This message has been scanned for viruses and dangerous content by MailScanner, and is > believed to be clean. From dhawal at netmagicsolutions.com Wed Apr 11 12:00:39 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Apr 11 12:00:59 2007 Subject: Whitelist based on Subject In-Reply-To: <99bde00edcb020f84db4b0856ddfae9f@62.49.223.244> References: <99bde00edcb020f84db4b0856ddfae9f@62.49.223.244> Message-ID: <461CBFD7.5090600@netmagicsolutions.com> --[ UxBoD ]-- wrote: > Hi, > > Is it possible to whitelist based on Subject ? I am pretty sure you cannot so I tried a workaround of using MCP. I created a rule with a score of -99 for a certain subject which hits okay, but as the SA score is still above our SPAM threshold it still gets quarantined. Any way to stop this ? See http://wiki.apache.org/spamassassin/WhiteListSubjectPlugin it is now a part of the SA distro, so you'll only need to uncomment it in one of the v*.pre files (v310.pre in my case) loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject From dhawal at netmagicsolutions.com Wed Apr 11 12:03:06 2007 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Apr 11 12:03:12 2007 Subject: This list and Gmane In-Reply-To: References: Message-ID: <461CC06A.2040602@netmagicsolutions.com> Scott Silva wrote: > IS any one else reading this list through Gmane and experiencing things like > seeing replies before the original message shows up? > > Or is my PC stuck in a temporal rift? Surely a problem with gmane, i can confirm this behaviour with multiple lists. They also had some xfs related problems last week. From list-mailscanner at linguaphone.com Wed Apr 11 12:07:30 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 11 12:07:38 2007 Subject: None of the files matched by the "Monitors For ClamAV Updates" patterns exist None of the files matched by the "Monitors For ClamAV Updates" patterns exist! In-Reply-To: <59876.194.70.180.170.1176284961.squirrel@www.technologytiger.net> References: <1d1e72700704102056w759c3292y3ead03545ca909c6@mail.gmail.com> <08506E2A-6400-4FBF-9E86-181CA482A70D@technologytiger.net> <59876.194.70.180.170.1176284961.squirrel@www.technologytiger.net> Message-ID: <1176289650.31881.10.camel@gblades-suse.linguaphone-intranet.co.uk> On Wed, 2007-04-11 at 10:49, Drew Marshall wrote: > I still haven't seen any problem listing both the main directory and the > incremental 'de-compressed' directories for MailScanner to monitor in the > MailScanner.conf file but equally I am still awaiting an incremental > update :-) There has been an incremental update. The daily.inc directory is now present again but as there has not been another update for the main file the main.cvd still exists. From Denis.Beauchemin at USherbrooke.ca Wed Apr 11 14:40:44 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Apr 11 14:41:03 2007 Subject: ClamAVModule and csv files in zip files In-Reply-To: <461C9BAC.4040200@iinet.net.au> References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> <46166621.4090602@yeticomputers.com> <46169243.4050907@yeticomputers.com> <461A1B87.6050907@iinet.net.au> <461B5707.2020800@iinet.net.au> <461C9BAC.4040200@iinet.net.au> Message-ID: <461CE55C.3050200@USherbrooke.ca> Mick wrote: > Mick wrote: >> Scott Silva wrote: >>> Mick spake the following on 4/9/2007 3:55 AM: >>> >>>> Hello. >>>> >>>> I am currently running MailScanner which uses the clamavmodule. The >>>> other day, I received 4 emails from ad-noreply@google.com and each of >>>> these emails has a (non-password protected) zip file and contained >>>> within each zip file was a file called report.csv. However, MailScanner >>>> quarantined them even though clamscan reports that none of the zip files >>>> are infected. Placing ad-no-reply@google.com in >>>> /etc/MailScanner/rules/virus-scan.rules results in those zip files as >>>> sent from ad-noreply@google.com now passing through unscanned but why >>>> were the files quarantined in the first place when clamscan says that >>>> they're uninfected? >>>> >>>> Thanks, >>>> Mick. >>>> >>> Did it say that they were password protected? >>> Clamavmodule can also choke if they are over its stated limit on how >>> compressed the file is. >>> Look in this area of conf; >>> >>> # ClamAVModule only: set limits when scanning for viruses. >>> # >>> # The maximum recursion level of archives, >>> # The maximum number of files per batch, >>> # The maximum file of each file, >>> # The maximum compression ratio of archive. >>> # These settings *cannot* be the filename of a ruleset, only a simple number. 
>>> ClamAVmodule Maximum Recursion Level = 10 >>> ClamAVmodule Maximum Files = 1000 >>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) >>> ClamAVmodule Maximum Compression Ratio = 950 >>> >>> >> Hi Scott. >> >> Thanks for the reply. >> >> >>> Did it say that they were password protected? >> >> No. They weren't password protected and they weren't reported by >> clamscan as being protected. >> >> >> I actually work for a Web Hosting company and the control panel we >> use (much to my dismay) is Ensim and the version of MailScanner that >> is installed is the one that gets installed when Ensim is installed. >> As such, the version of MailScanner that we are currently using is >> 4.31.6-1 (and ClamAV 0.88.7) and so it does not have any of those >> ClamAVModule directives that you have mentioned (I'll be upgrading >> both within the next week or so). >> >> Anyway, the compression ratio is approximately 80%, with the archive >> being just a bit smaller than what (Linux) zip 2.3 can do with zip -9. >> >> >> Cheers. >> > Ok. A bit more info on this. This is in MailScanner.conf: > > Maximum Archive Depth = 0 > Find Archives By Content = no > Virus Scanners = clamavmodule > Allow Password-Protected Archives = no > > and seeing as clamscan determined that the zip files contained no > viruses, I was curious to see if clamavmodule detected any viruses in > the zip files. > So pinching the code snippet from `perldoc Mail::ClamAV' and replacing > > > my $c = new Mail::ClamAV("/path/to/directory/or/file") > > with > > my $c = new Mail::ClamAV("/var/clamav/main.cvd") > > > (and afterwards, trying again replacing main.cvd with daily.cvd), > > > and also replacing > > my $status = $c->scan(FH, CL_SCAN_ARCHIVE|CL_SCAN_MAIL); > > with > > my $status = $c->scan("/tmp/report-csv.zip", 0); > > > upon running the perl script, clamavmodule returns: > > No virus found! 
> > > So why is MailScanner detecting them as being viruses and quarantining > them (unless I place the sender's address in virus-scan.rules as > previously described)? > > Cheers. > In SweepViruses.pm, you will see that MS calls Mail::ClamAV with the following options: Mail::ClamAV::CL_SCAN_STDOPT() | Mail::ClamAV::CL_SCAN_ARCHIVE() | Mail::ClamAV::CL_SCAN_PE() | Mail::ClamAV::CL_SCAN_BLOCKBROKEN() | Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() | Mail::ClamAV::CL_SCAN_OLE2()); Retry your scan with: my $status = $c->scan("/tmp/report-csv.zip", CL_SCAN_STDOPT | CL_SCAN_ARCHIVE | CL_SCAN_PE | CL_SCAN_BLOCKBROKEN | CL_SCAN_BLOCKENCRYPTED | CL_SCAN_OLE2); and you should see the virus detected. Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From rpoe at plattesheriff.org Wed Apr 11 15:53:25 2007 From: rpoe at plattesheriff.org (Rob Poe) Date: Wed Apr 11 15:53:56 2007 Subject: Thoughts for quicker installation Message-ID: <461CB01F.65ED.00A2.0@plattesheriff.org> Having several boxes (that are mostly the same config / version / patch level of everything), wouldn't it be possible to install the RPMs that MailScanner rebuilds and tries to install each time -- i.e. copy the RPMS over to the new box and just rpm -Uhv * type of a thing? Some of the boxes are real screamers, and some of them really make one scream (with slowness).. From jfagan at firstlightnetworks.com Wed Apr 11 17:15:50 2007 
From: jfagan at firstlightnetworks.com (James Fagan) Date: Wed Apr 11 17:14:43 2007 Subject: Clam module broken after main.cvd update In-Reply-To: References: Message-ID: <59E4A3A1069C2640959AD0F7518C4812052CAC@FLN1.fln.local> Just saw this myself will try your fix. Thanks. From ssilva at sgvwater.com Wed Apr 11 17:17:22 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 11 17:17:31 2007 Subject: This list and Gmane In-Reply-To: <461CC06A.2040602@netmagicsolutions.com> References: <461CC06A.2040602@netmagicsolutions.com> Message-ID: Dhawal Doshy spake the following on 4/11/2007 4:03 AM: > Scott Silva wrote: >> IS any one else reading this list through Gmane and experiencing >> things like >> seeing replies before the original message shows up? >> >> Or is my PC stuck in a temporal rift? > > Surely a problem with gmane, i can confirm this behaviour with multiple > lists. They also had some xfs related problems last week. I saw Gmane go down last week. I have never had this problem until this week, but was just curious if I needed to beat on something, or if it might just go away. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jfagan at firstlightnetworks.com Wed Apr 11 17:19:15 2007 
From: jfagan at firstlightnetworks.com (James Fagan) Date: Wed Apr 11 17:18:07 2007 Subject: Clam module broken after main.cvd update In-Reply-To: References: Message-ID: <59E4A3A1069C2640959AD0F7518C4812052CAD@FLN1.fln.local> Here was the output from running in debug if this helps. MailScanner: commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93. Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93. Raymond, That fixed it - thanks! From hvdkooij at vanderkooij.org Wed Apr 11 17:42:24 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Apr 11 17:42:43 2007 Subject: Thoughts for quicker installation In-Reply-To: <461CB01F.65ED.00A2.0@plattesheriff.org> References: <461CB01F.65ED.00A2.0@plattesheriff.org> Message-ID: On Wed, 11 Apr 2007, Rob Poe wrote: > Having several boxes (that are mostly the same config / version / patch level of everything), wouldn't it be possible to install the RPMs that MailScanner rebuilds and tries to install each time -- i.e. copy the RPMS over to the new box and just rpm -Uhv * type of a thing? > > Some of the boxes are real screamers, and some of them really make one scream (with slowness).. If you have a bunch of them I would set up a test machine and test your own RPMs there. Probably rebuild them for your specific distribution. After testing you move them to your own repository and let the production servers pick up their updates from there. It would scale pretty much for any number of servers you wish to maintain. I have a thought of doing this myself for Centos 4 and Centos 5 and perhaps make the repositories public. But this may take a few months. I have yet to receive my new rackserver. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From ssilva at sgvwater.com Wed Apr 11 17:59:18 2007 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Apr 11 17:59:46 2007
Subject: Thoughts for quicker installation
In-Reply-To:
References: <461CB01F.65ED.00A2.0@plattesheriff.org>
Message-ID:

Hugo van der Kooij spake the following on 4/11/2007 9:42 AM:
> On Wed, 11 Apr 2007, Rob Poe wrote:
>
>> Having several boxes (that are mostly the same config / version /
>> patch level of everything), wouldn't it be possible to install the
>> RPMs that MailScanner rebuilds and tries to install each time -- i.e.
>> copy the RPMS over to the new box and just rpm -Uhv * type of a thing?
>>
>> Some of the boxes are real screamers, and some of them really make one
>> scream (with slowness)..

The beauty of Linux and the BSD's ... Hardware has a much longer useful life. Maybe our V.P./Treasurer might just get his 10 year depreciation on servers! Or at least 5 years!

>
> If you have a bunch of them I would set up a test machine and test your
> own RPM's there. Probably rebuild them for your specific distribution.
>
> After testing you move them to your own repository and let the
> production servers pick up their updates from there.
>
> It would scale pretty much for any number of servers you wish to maintain.
>
> I have a thought of doing this myself for Centos 4 and Centos 5 and
> perhaps make the repositories public. But this may take a few months. I
> have yet to receive my new rackserver.
>
> Hugo.
>

Just imagine! ... yum install MailScanner... :-)
Happy thoughts!
Then if you could yum install mailwatch, the world could be that much safer again!

--

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From rpoe at plattesheriff.org Wed Apr 11 19:11:40 2007
From: rpoe at plattesheriff.org (Rob Poe)
Date: Wed Apr 11 19:13:13 2007
Subject: Thoughts for quicker installation
In-Reply-To:
References: <461CB01F.65ED.00A2.0@plattesheriff.org>
Message-ID: <461CDE97.65ED.00A2.0@plattesheriff.org>

>>> Scott Silva 4/11/2007 11:59 AM >>>
Hugo van der Kooij spake the following on 4/11/2007 9:42 AM:
> On Wed, 11 Apr 2007, Rob Poe wrote:
>
>> Having several boxes (that are mostly the same config / version /
>> patch level of everything), wouldn't it be possible to install the
>> RPMs that MailScanner rebuilds and tries to install each time -- i.e.
>> copy the RPMS over to the new box and just rpm -Uhv * type of a thing?

> After testing you move them to your own repository and let the
> production servers pick up their updates from there.
>
>

>Just imagine! ... yum install MailScanner... :-)
>Happy thoughts!
>Then if you could yum install mailwatch, the world could be that much safer again!

Hmm .. the possibilities :)

From mikael.kermorgant at gmail.com Wed Apr 11 21:01:23 2007
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Wed Apr 11 21:01:26 2007
Subject: OT : alternative to postfix hold queue as it's used by mailscanner
Message-ID: <9711147e0704111301r73e83014x9595feecd3e3f791@mail.gmail.com>

Hello,

I posted this question a week ago on postfix's newsgroup alt.comp.mail.postfix but got no answer. I apologize for being a bit off topic but I thought maybe someone would be able to help me on this list as my need is a bit related to how mailscanner works with postfix.

Here's what I sent :

I'm using postfix associated with mailscanner. When a mail arrives, postfix puts it in the hold queue, then mailscanner takes it, scans it and moves it to the incoming queue.

Now, I'm planning to migrate the imap backend to another, beginning with some users (there will be a transport table to handle presence of both imap servers).

I'd like to run this process :

1) Put mails for user foo in some hold queue
2) use imapsync to transfer imap data to the new backend
3) set up a transport table with special mention for user foo
4) release mails from the hold queue for user foo

Mailscanner using postfix's hold queue, I'm afraid I won't be able to use it? Do you know an alternative I could use ?

Thanks in advance,

--
Mikael Kermorgant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070411/34a1af4f/attachment.html

From list-mailscanner at linguaphone.com Wed Apr 11 21:22:24 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Wed Apr 11 21:22:33 2007
Subject: OT : alternative to postfix hold queue as it's used by mailscanner
In-Reply-To: <9711147e0704111301r73e83014x9595feecd3e3f791@mail.gmail.com>
Message-ID:

Can you elaborate a bit more on exactly what you want to do.
It sounds like you are currently using mailscanner and postfix in a hold queue configuration with imap on the local server?
You want to move some users one at a time so in order to move the data you want to :-
1) for a particular user halt mail delivery.
2) Sync the mail to the new imap server.
3) Configure postfix to deliver to the new imap server for the migrated user only.
4) Start releasing the user's mail.

I can't see the fact that you are using a hold queue being a problem. Once the mail has been requeued back into the normal incoming queue then postfix should follow its normal delivery methods including transport maps if you have them defined.

I don't know how you would stop mail for a particular user though. Perhaps you can configure a separate hold queue and move mails from there to the regular hold queue when you want them scanned and released? I don't know if this is possible.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Mikael Kermorgant
Sent: 11 April 2007 21:01
To: MailScanner discussion
Subject: OT : alternative to postfix hold queue as it's used by mailscanner

Hello,

I posted this question a week ago on postfix's newsgroup alt.comp.mail.postfix but got no answer. I apologize for being a bit off topic but I thought maybe someone would be able to help me on this list as my need is a bit related to how mailscanner works with postfix.

Here's what I sent :

I'm using postfix associated with mailscanner. When a mail arrives, postfix puts it in the hold queue, then mailscanner takes it, scans it and moves it to the incoming queue.

Now, I'm planning to migrate the imap backend to another, beginning with some users (there will be a transport table to handle presence of both imap servers).

I'd like to run this process :

1) Put mails for user foo in some hold queue
2) use imapsync to transfer imap data to the new backend
3) set up a transport table with special mention for user foo
4) release mails from the hold queue for user foo

Mailscanner using postfix's hold queue, I'm afraid I won't be able to use it? Do you know an alternative I could use ?

Thanks in advance,

--
Mikael Kermorgant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070411/8c74b2fe/attachment.html

From chandler.lists at chapman.edu Thu Apr 12 00:11:36 2007
From: chandler.lists at chapman.edu (Jay Chandler)
Date: Thu Apr 12 00:11:42 2007
Subject: Feature Request
Message-ID: <461D6B28.5090800@chapman.edu>

Recently had a user account become compromised and start spewing spam.

Is there any functionality within MailScanner that can alert me once one user sends more than a predefined number of messages in a given time period? If not, I'd dearly love to see this implemented...

--
Jay Chandler
Network Administrator
Chapman University

From ssilva at sgvwater.com Thu Apr 12 00:33:27 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Apr 12 00:33:43 2007
Subject: Feature Request
In-Reply-To: <461D6B28.5090800@chapman.edu>
References: <461D6B28.5090800@chapman.edu>
Message-ID:

Jay Chandler spake the following on 4/11/2007 4:11 PM:
> Recently had a user account become compromised and start spewing spam.
>
> Is there any functionality within MailScanner that can alert me once one
> user sends more than a predefined number of messages in a given time
> period? If not, I'd dearly love to see this implemented...
>

Yes... scan incoming and outgoing messages!
This is the precise reason I do this. Scan everything, and allow no smtp traffic to leave the site except from the MX's.
The little bit of overhead to scan the traffic is better than the blacklisting you might get from spewing spam.

--

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ka at pacific.net Thu Apr 12 00:44:23 2007
From: ka at pacific.net (Ken A)
Date: Thu Apr 12 00:44:21 2007
Subject: Feature Request
In-Reply-To: <461D6B28.5090800@chapman.edu>
References: <461D6B28.5090800@chapman.edu>
Message-ID: <461D72D7.402@pacific.net>

Jay Chandler wrote:
> Recently had a user account become compromised and start spewing spam.
>
> Is there any functionality within MailScanner that can alert me once one
> user sends more than a predefined number of messages in a given time
> period? If not, I'd dearly love to see this implemented...
>

If you know what relay or relays you want to watch, this might help a bit. We watch webserver relays on mailscanner boxes with cheap little shell scripts that run from cron frequently like this:

RELAY='your_relay'   # relay to watch, as it appears after relay= in maillog
cd /var/log/ || exit 1
# Queue IDs (field 6) of recent deliveries handed to that relay
for i in $(tail -1000 maillog | \
    grep "relay=$RELAY" | \
    grep -v "STARTTLS" | \
    awk '{print $6}')
do
    # Show any spam / URIBL / SURBL verdict logged for the same queue ID
    grep "$i" maillog | \
    grep "is spam\|black.uribl.com\|surbl.org"
done

It mostly reports on form & forum php-spam pushing pills with links to uribl or surbl listed sites (milter-link). Once in a while it catches a false positive or an exploited script, which looks quite similar to a compromised account.. thousands of messages to hotmail and aol addresses, lots of spooled mail to delete, etc.. ymmv.

--
Ken Anderson
Pacific.Net

From taz at taz-mania.com Thu Apr 12 00:52:10 2007
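[Added example, not part of any poster's message and not MailScanner code.] The alert asked for at the top of this thread (more than N messages from one sender in a given period) can be approximated from the MTA log. The sketch below assumes Postfix qmgr syslog lines, since the thread does not say which MTA is in use; the function names, addresses, queue IDs and log lines are constructed for illustration.

```shell
#!/bin/sh
# Per-sender volume alert from Postfix qmgr log lines (added example).
# Assumption: standard syslog layout, i.e. month day time host process: qid: ...

# flag_heavy_senders LIMIT
# Reads maillog text on stdin and prints "hour<TAB>sender<TAB>recipients"
# for every envelope sender whose recipients in one clock hour exceed LIMIT.
flag_heavy_senders() {
    awk -v limit="$1" '
    $5 ~ /^postfix\/qmgr\[/ {
        qid = $6
        sub(/:$/, "", qid)

        # Postfix reuses a queue ID once the message has been removed.
        if ($7 == "removed") { delete seen[qid]; next }

        # qmgr logs from=<...> again on every retry of a deferred
        # message, so each queue ID is counted only once.
        if ($7 !~ /^from=</ || (qid in seen)) next
        seen[qid] = 1

        if (!match($0, /from=<[^>]*>/)) next
        sender = substr($0, RSTART + 6, RLENGTH - 7)
        if (sender == "") next          # null sender: bounces, not a user

        # One message to many recipients is the usual spam-run shape,
        # so recipients are summed rather than messages.
        nrcpt = 1
        if (match($0, /nrcpt=[0-9]+/))
            nrcpt = substr($0, RSTART + 6, RLENGTH - 6) + 0

        hour = $1 " " $2 " " substr($3, 1, 2) ":00"
        total[hour SUBSEP sender] += nrcpt
    }
    END {
        for (key in total)
            if (total[key] > limit + 0) {
                split(key, part, SUBSEP)
                printf "%s\t%s\t%d\n", part[1], part[2], total[key]
            }
    }' | LC_ALL=C sort
}

# Constructed sample log: jdoe sends 3 x 10 recipients in hour 00 (one message
# is retried, one queue ID is reused after removal), then 5 more in hour 01.
sample_maillog() {
    cat <<'EOF'
Apr 12 00:01:02 mx1 postfix/qmgr[2101]: A1B2C3D4E5: from=<jdoe@example.edu>, size=2140, nrcpt=10 (queue active)
Apr 12 00:01:40 mx1 postfix/qmgr[2101]: B2C3D4E5F6: from=<jdoe@example.edu>, size=2138, nrcpt=10 (queue active)
Apr 12 00:02:05 mx1 postfix/qmgr[2101]: C3D4E5F607: from=<asmith@example.edu>, size=5120, nrcpt=2 (queue active)
Apr 12 00:02:06 mx1 postfix/smtp[2230]: C3D4E5F607: to=<friend@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=1, status=sent (250 ok)
Apr 12 00:02:07 mx1 postfix/qmgr[2101]: C3D4E5F607: removed
Apr 12 00:09:12 mx1 postfix/qmgr[2101]: A1B2C3D4E5: from=<jdoe@example.edu>, size=2140, nrcpt=10 (queue active)
Apr 12 00:15:30 mx1 postfix/qmgr[2101]: D4E5F60718: from=<>, size=3301, nrcpt=1 (queue active)
Apr 12 00:20:44 mx1 postfix/qmgr[2101]: C3D4E5F607: from=<jdoe@example.edu>, size=2141, nrcpt=10 (queue active)
Apr 12 01:03:10 mx1 postfix/qmgr[2101]: E5F6071829: from=<jdoe@example.edu>, size=900, nrcpt=5 (queue active)
EOF
}

# Report senders with more than 20 recipients in any one hour.
sample_maillog | flag_heavy_senders 20
```

Run from cron against the live log, a non-empty result can be piped to mail(1) to produce the alert; the envelope sender is only trustworthy for this purpose where submission is authenticated.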
From: taz at taz-mania.com (Dennis Willson)
Date: Thu Apr 12 00:52:09 2007
Subject: Feature Request
In-Reply-To:
Message-ID:

Hmmmmm... How does scanning the outgoing messages generate an "Alert"? While it is in fact good to scan outgoing messages, I believe he wants notification that a client is compromised or a Spammer, not just filtering.

Personally I use a different outgoing server with different rule sets than the MX. You can then set the rules to notify the sender that they have sent Spam/Virus, etc... and copy the postmaster (you).

On Wed, 11 Apr 2007 16:33:27 -0700 Scott Silva wrote:
>Jay Chandler spake the following on 4/11/2007 4:11 PM:
>> Recently had a user account become compromised and start spewing
>>spam.
>>
>> Is there any functionality within MailScanner that can alert me once
>>one
>> user sends more than a predefined number of messages in a given time
>> period? If not, I'd dearly love to see this implemented...
>>
>Yes... scan incoming and outgoing messages!
>This is the precise reason I do this. Scan everything, and allow no
>smtp
>traffic to leave the site except from the MX's.
>The little bit of overhead to scan the traffic is better than the
>blacklisting
>you might get from spewing spam.
>
>--
>
>MailScanner is like deodorant...
>You hope everybody uses it, and
>you notice quickly if they don't!!!!
>
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

--------------------------------------------------
Dennis Willson
taz@taz-mania.com
http://www.taz-mania.com
Ham (Extra Class w/code): KA6LSW
GMRS : WQGF680
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender

Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!"

From deanm at ispone.com.au Thu Apr 12 01:39:00 2007
From: deanm at ispone.com.au (Dean Manners)
Date: Thu Apr 12 01:40:22 2007
Subject: TNEF strangeness
In-Reply-To:
Message-ID: <200704120040.l3C0eF0a005680@relay01.ispone.net.au>

Thanks Hugo, well spotted.

> > On the topic of TNEF, I have noticed a strange quirk with my setup.
> > When the Rcpt To: contains a realname/quotes the message is
> tinkered
> > with by MS-TNEF and the message (if HTML) is converted to
> plain text. When the Rcpt To:
> > doesn't contain a realname/quotes the message is delivered
> as it was sent.
>
> It seems the sender sends it in different formats.
>

From am.lists at gmail.com Thu Apr 12 02:34:40 2007
From: am.lists at gmail.com (am.lists)
Date: Thu Apr 12 02:34:43 2007
Subject: Feature Request
In-Reply-To:
References:
Message-ID: <25a66d840704111834x53f686aal215e145a7044b5fd@mail.gmail.com>

On 4/11/07, Dennis Willson wrote:
>
> Hmmmmm... How does scanning the outgoing messages generate an "Alert"?
> While it is in fact good to scan outgoing messages, I believe he wants
> notification that a client is compromised or a Spammer, not just
> filtering.
>
> Personally I use a different outgoing server with different rule sets
> than the MX. You can then set the rules to notify the sender that they
> have sent Spam/Virus, etc... and copy the postmaster (you).
>
>
> On Wed, 11 Apr 2007 16:33:27 -0700
> Scott Silva wrote:
> >Jay Chandler spake the following on 4/11/2007 4:11 PM:
> >> Recently had a user account become compromised and start spewing
> >>spam.
> >>
> >> Is there any functionality within MailScanner that can alert me once
> >>one
> >> user sends more than a predefined number of messages in a given time
> >> period? If not, I'd dearly love to see this implemented...
> >>
> >Yes... scan incoming and outgoing messages!
> >This is the precise reason I do this. Scan everything, and allow no
> >smtp
> >traffic to leave the site except from the MX's.
> >The little bit of overhead to scan the traffic is better than the
> >blacklisting
> >you might get from spewing spam.
> >

Although you didn't say which MTA is in use, if I may offer a postfix-oriented suggestion:

Take a look at policyd -- it is a policy plug-in for postfix and can reject based on certain throttle thresholds. Although seemingly designed for use in a gateway setup, it could be used on your postfix server to check outbound against the policyd service.

Angelo

From jaearick at colby.edu Thu Apr 12 02:50:47 2007
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Apr 12 02:50:56 2007
Subject: Feature Request
In-Reply-To: <461D6B28.5090800@chapman.edu>
References: <461D6B28.5090800@chapman.edu>
Message-ID:

On Wed, 11 Apr 2007, Jay Chandler wrote:

> Date: Wed, 11 Apr 2007 16:11:36 -0700
> From: Jay Chandler
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Feature Request
>
> Recently had a user account become compromised and start spewing spam.
>
> Is there any functionality within MailScanner that can alert me once one user
> sends more than a predefined number of messages in a given time period? If
> not, I'd dearly love to see this implemented...

This might not be quite what you are looking for, but check out the IPBlock feature of MailScanner. You can set it up to block email from a certain IP after a set amount per hour, configurable by CIDR netblocks. I use IPBlock for both external large IP netblocks (eg, APNIC) and for netblocks in our own class-B domain.

For instance, I have the allowed number of messages per hour coming out of our public wireless subnets cranked down to a low number. I don't want some spambot from god-knows-where coming into one of these wireless subnets and then spewing. They get 20 messages out then get shut down automagically.

Scan the list archives for IPBlock.

Jeff Earickson
Colby College

From hvdkooij at vanderkooij.org Thu Apr 12 06:38:30 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Apr 12 06:38:47 2007
Subject: Feature Request
In-Reply-To: <461D6B28.5090800@chapman.edu>
References: <461D6B28.5090800@chapman.edu>
Message-ID:

On Wed, 11 Apr 2007, Jay Chandler wrote:

> Recently had a user account become compromised and start spewing spam.
>
> Is there any functionality within MailScanner that can alert me once one user
> sends more than a predefined number of messages in a given time period? If
> not, I'd dearly love to see this implemented...

From my observation it seems that infested machines do the SMTP bit themselves. So they will not bother to use your SMTP server.

You need to block SMTP from anyone but acknowledged and well controlled servers in your network.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From uxbod at splatnix.net Thu Apr 12 08:27:09 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Apr 12 08:27:21 2007
Subject: Whitelisting Problem
Message-ID:

I am having a problem with Whitelisting our internal emails that pass through MailScanner. The configuration of MailScanner is Postfix MTA on Port 25 performing numerous SPAM checks, the emails are then passed through to a second Postfix instance on port 10026 which performs the hold operation so that MailScanner can process the emails. I have added our internal IP addresses to spam.whitelist.rules but when an internal email is relayed through it does not get W/L. I believe that this is because MailScanner looks at the final relay IP which will be 127.0.0.1 which is the second Postfix instance. If I W/L everything from 127.0.0.1 then all the SPAM will get through as well :( Any ideas ?

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mikael.kermorgant at gmail.com Thu Apr 12 08:55:06 2007
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Thu Apr 12 08:55:09 2007
Subject: OT : alternative to postfix hold queue as it's used by mailscanner
In-Reply-To:
References: <9711147e0704111301r73e83014x9595feecd3e3f791@mail.gmail.com>
Message-ID: <9711147e0704120055j46a9f4b4l9b75dc7ac816480f@mail.gmail.com>

2007/4/11, Gareth :
>
> Can you elaborate a bit more on exactly what you want to do.
> It sounds like you are currently using mailscanner and postfix in a hold
> queue configuration with imap on the local server?
> You want to move some users one at a time so in order to move the data you
> want to :-
> 1) for a particular user halt mail delivery.
> 2) Sync the mail to the new imap server.
> 3) Configure postfix to deliver to the new imap server for the migrated
> user only.
> 4) Start releasing the user's mail.
>

This is exactly what I intend to do if possible. I'm not a postfix expert but if I just knew that a solution exists, that would be a starting point.

Thanks,
Mikael

> I can't see the fact that you are using a hold queue being a problem. Once
> the mail has been requeued back into the normal incoming queue then postfix
> should follow its normal delivery methods including transport maps if you
> have them defined.
>
> I don't know how you would stop mail for a particular user though. Perhaps
> you can configure a separate hold queue and move mails from there to the
> regular hold queue when you want them scanned and released? I don't know if
> this is possible.
>
>
> -----Original Message-----
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info]*On Behalf Of *Mikael
> Kermorgant
> *Sent:* 11 April 2007 21:01
> *To:* MailScanner discussion
> *Subject:* OT : alternative to postfix hold queue as it's used by
> mailscanner
>
> Hello,
>
> I posted this question a week ago on postfix's newsgroup
> alt.comp.mail.postfix but got no answer. I apologize for being a bit off
> topic but I thought maybe someone would be able to help me on this list as
> my need is a bit related to how mailscanner works with postfix.
>
> Here's what I sent :
>
> I'm using postfix associated with mailscanner. When a mail arrives,
> postfix puts it in the hold queue, then mailscanner takes it, scans it and
> moves it to the incoming queue.
>
> Now, I'm planning to migrate the imap backend to another, beginning with
> some users (there will be a transport table to handle presence of both imap
> servers).
>
> I'd like to run this process :
>
> 1) Put mails for user foo in some hold queue
> 2) use imapsync to transfer imap data to the new backend
> 3) set up a transport table with special mention for user foo
> 4) release mails from the hold queue for user foo
>
> Mailscanner using postfix's hold queue, I'm afraid I won't be able to use
> it? Do you know an alternative I could use ?
>
> Thanks in advance,
>
> --
> Mikael Kermorgant
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

--
Mikael Kermorgant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070412/f3b718b3/attachment.html

From uxbod at splatnix.net Thu Apr 12 09:02:48 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Apr 12 09:02:57 2007
Subject: OT : alternative to postfix hold queue as it's used bymailscanner
In-Reply-To: <9711147e0704120055j46a9f4b4l9b75dc7ac816480f@mail.gmail.com>
References: <9711147e0704120055j46a9f4b4l9b75dc7ac816480f@mail.gmail.com>
Message-ID: <0d70f42bfb3f8de25a214fb5d424b637@62.49.223.244>

Why can't you just change the transport for the designated users to go to the new IMAP server, and then just sync their old mail to the new server? I presume it is so that they see all their mail straight away, but if informed there will be a slight delay is that an issue ?

On Thu, 12 Apr 2007 09:55:06 +0200, "Mikael Kermorgant" wrote:
> 2007/4/11, Gareth :
>>
>> Can you elaborate a bit more on exactly what you want to do.
>> It sounds like you are currently using mailscanner and postfix in a hold
>> queue configuration with imap on the local server?
>> You want to move some users one at a time so in order to move the data
> you
>> want to :-
>> 1) for a particular user halt mail delivery.
>> 2) Sync the mail to the new imap server.
>> 3) Configure postfix to deliver to the new imap server for the migrated
>> user only.
>> 4) Start releasing the user's mail.
>>
>
> This is exactly what I intend to do if possible. I'm not a postfix expert
> but if I just knew that a solution exists, that would be a starting point.
>
> Thanks,
> Mikael
>
>
>> I can't see the fact that you are using a hold queue being a problem.
> Once
>> the mail has been requeued back into the normal incoming queue then
> postfix
>> should follow its normal delivery methods including transport maps if
> you
>> have them defined.
>>
>> I don't know how you would stop mail for a particular user though.
> Perhaps
>> you can configure a separate hold queue and move mails from there to the
>> regular hold queue when you want them scanned and released? I don't know
> if
>> this is possible.
>>
>>
>> -----Original Message-----
>> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
>> mailscanner-bounces@lists.mailscanner.info]*On Behalf Of *Mikael
>> Kermorgant
>> *Sent:* 11 April 2007 21:01
>> *To:* MailScanner discussion
>> *Subject:* OT : alternative to postfix hold queue as it's used by
>> mailscanner
>>
>> Hello,
>>
>> I posted this question a week ago on postfix's newsgroup
>> alt.comp.mail.postfix but got no answer. I apologize for being a bit
> off
>> topic but I thought maybe someone would be able to help me on this list
> as
>> my need is a bit related to how mailscanner works with postfix.
>>
>> Here's what I sent :
>>
>> I'm using postfix associated with mailscanner. When a mail arrives,
>> postfix puts it in the hold queue, then mailscanner takes it, scans it
> and
>> moves it to the incoming queue.
>>
>> Now, I'm planning to migrate the imap backend to another, beginning with
>> some users (there will be a transport table to handle presence of both
> imap
>> servers).
>>
>> I'd like to run this process :
>>
>> 1) Put mails for user foo in some hold queue
>> 2) use imapsync to transfer imap data to the new backend
>> 3) set up a transport table with special mention for user foo
>> 4) release mails from the hold queue for user foo
>>
>> Mailscanner using postfix's hold queue, I'm afraid I won't be able to
> use
>> it? Do you know an alternative I could use ?
>>
>> Thanks in advance,
>>
>> --
>> Mikael Kermorgant
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
> --
> Mikael Kermorgant
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From martinh at solidstatelogic.com Thu Apr 12 09:19:23 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Apr 12 09:20:05 2007
Subject: Whitelisting Problem
In-Reply-To:
Message-ID: <36e1b0ac7d456f43bcbb2dfe67231baf@solidstatelogic.com>

Silly question - why two postfix layers???

I guess the postfix spam checks are things like greylisting/ RBLs etc..???

Can't you do all this on the main postfix instance???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]--
> Sent: 12 April 2007 08:27
> To: mailscanner@lists.mailscanner.info
> Subject: Whitelisting Problem
>
> I am having a problem with Whitelisting our internal emails that pass
> through MailScanner. The configuration of MailScanner is Postfix MTA on
> Port 25 performing numerous SPAM checks, the emails are then passed
> through to a second Postfix instance on port 10026 which performs the hold
> operation so that MailScanner can process the emails. I have added our
> internal IP addresses to spam.whitelist.rules but when an internal email is
> relayed through it does not get W/L. I believe that this is because
> MailScanner looks at the final relay IP which will be 127.0.0.1 which is
> the second Postfix instance. If I W/L everything from 127.0.0.1 then all
> the SPAM will get through as well :( Any ideas ?
> --
> --[ UxBoD ]--
> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
> // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net
>
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From uxbod at splatnix.net Thu Apr 12 09:27:34 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Apr 12 09:27:42 2007
Subject: Whitelisting Problem
In-Reply-To: <36e1b0ac7d456f43bcbb2dfe67231baf@solidstatelogic.com>
References: <36e1b0ac7d456f43bcbb2dfe67231baf@solidstatelogic.com>
Message-ID: <1e4afa399b47b5d05e59e8c0d14da7c3@62.49.223.244>

Hi Martin,

Yeah I guess so, only reason why I set it up this way was that it was discussed elsewhere as the best way to do it. Will look at my configs and see if I can run just one instance.

Regards,

On Thu, 12 Apr 2007 09:19:23 +0100, "Martin.Hepworth" wrote:
> Silly question - why two postfix layers???
>
> I guess the postfix spam checks are things like greylisting/ RBLs
> etc..???
>
> Can't you do all this on the main postfix instance???
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]-- >> Sent: 12 April 2007 08:27 >> To: mailscanner@lists.mailscanner.info >> Subject: Whitelisting Problem >> >> I am having a problem with Whitelisting our internal emails that pass >> through MailScanner. The configuration of MailScanner is Postfix MTA > on >> Port 25 performing numerous SPAM checks, the emails are then passed >> through to a second Postfix instance on port 10026 which performs the > hold >> operation so that MailScanner can process the emails. I have added our >> internal IP addresses to spam.whitelist.rules but when a internal > email is >> relayed through it does not get W/L. I believe that this is because >> MailScanner looks at the final relay IP which will be 127.0.0.1 which > is >> the second Postfix instance. If I W/L everything from 127.0.0.1 then > all >> the SPAM will get through aswell :( Any ideas ? >> -- >> --[ UxBoD ]-- >> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" >> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 >> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 >> // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net >> >> >> -- >> This message has been scanned for viruses and dangerous content by >> MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. 
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net

From ram at netcore.co.in Thu Apr 12 10:31:58 2007
From: ram at netcore.co.in (ram)
Date: Thu Apr 12 10:32:18 2007
Subject: Problems with Calamvmodule
In-Reply-To:
References:
Message-ID: <1176370318.12539.161.camel@localhost.localdomain>

On Wed, 2007-04-11 at 09:39 +0200, tpickhan@sks-systeme.de wrote:
> Hello Mailinglist!
>
> My English is not so well, but I hope you will understand me and
> hopefully have an answer to my question ;-)
>
> We have a mailscanner server on debian with mailscanner version
> 4.54.6, bitdefender and clamav in version 0.90.1.
>
> Normally the server works with the clamav perl module, but as I came
> today in the office, I've registered that the server doesn't work
> still 2 AM. I've controlled the mailscanner logfiles and found the
> entry 'none of the files matchd by the "monitors for clamav updates"
> patterns exist!'.
>
> So I change the mailscanner config to work temporarily only with the
> bitdefender engine and restart the mailscanner process. I've
> controlled the logfiles and saw, that the queued mails were properly
> scanned and deliver to our exchange server.
>
> After that, I've changed the mailscanner config one more time to use
> the normal clamav module. And with this engine, mailscanner works too.
> But with the perl module from clamav it doesn't. It appears every
> minute the above entry.
>

Same problem here.
I changed my MailScanner.conf line to

Monitors for ClamAV Updates = /var/lib/clamav/daily.inc/*

Just check the directory in freshclam.conf and update your mailscanner

I still don't know if this is the right thing to do

Thanks
Ram

From mikael.kermorgant at gmail.com Thu Apr 12 10:36:14 2007
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Thu Apr 12 10:36:17 2007
Subject: OT : alternative to postfix hold queue as it's used bymailscanner
In-Reply-To: <0d70f42bfb3f8de25a214fb5d424b637@62.49.223.244>
References: <9711147e0704120055j46a9f4b4l9b75dc7ac816480f@mail.gmail.com> <0d70f42bfb3f8de25a214fb5d424b637@62.49.223.244>
Message-ID: <9711147e0704120236u40de6438s8bd67024f4ef4029@mail.gmail.com>

Good idea, I have to check if that works.

Regards,
Mikael

2007/4/12, --[ UxBoD ]-- :
>
> Why can't you just change the transport for the designated users to go to
> the new IMAP server, and then just sync their old mail to the new server? I
> presume it is so that they see all their mail straight away, but if informed
> there will be a slight day is that an issue ?
>
> On Thu, 12 Apr 2007 09:55:06 +0200, "Mikael Kermorgant" <mikael.kermorgant@gmail.com> wrote:
> > 2007/4/11, Gareth :
> >>
> >> Can you elaborate a bit more on exactly what you want to do.
> >> It sounds like you are currently using mailscanner and postfix in a hold
> >> queue configuration with imap on the local server?
> >> You want to move some users one at a time so in order to move the data you
> >> want to :-
> >> 1) for a particular user halt mail delivery.
> >> 2) Sync the mail to the new imap server.
> >> 3) Configure postfix to deliver to the new imap server for the migrated
> >> user only.
> >> 4) Start releasing the users mail.
> >>
> >
> > This is exactly what I intend to do if possible. I'm not a postfix expert
> > but if I just knew that a solution exist, that would be a starting point.
> >
> > Thanks,
> > Mikael
> >
> >
> >> I can't see the fact that you are using a hold queue being a problem. Once
> >> the mail has been requeued back into the normal incoming queue then postfix
> >> should follow its normal delivery methods including transport maps if you
> >> have them defined.
> >>
> >> I don't know how you would stop mail for a particular user though. Perhaps
> >> you can configure a separate hold queue and move mails from there to the
> >> regular hold queue when you want them scanned and released? I don't know if
> >> this is possible.
> >>
> >>
> >> -----Original Message-----
> >> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of* Mikael Kermorgant
> >> *Sent:* 11 April 2007 21:01
> >> *To:* MailScanner discussion
> >> *Subject:* OT : alternative to postfix hold queue as it's used by mailscanner
> >>
> >> Hello,
> >>
> >> I posted this question a week ago on postfix's newsgroup
> >> alt.comp.mail.postfix but got no answer. I apologize for being a bit off
> >> topic but I thought maybe someone would be able to help me on this list as
> >> my need is a bit related with mailscanner works with postfix.
> >>
> >> Here's what I sent :
> >>
> >> I'm using postfix associated with mailscanner. When a mail arrives,
> >> postfix puts it in the hold queue, then mailscanner takes it, scans it and
> >> moves it the incoming queue.
> >>
> >> Now, I'm planning to migrate the imap backend to another, beginning with
> >> some users (there will be a transport table to handle presence of both imap
> >> servers).
> >>
> >> I'd like to run this process :
> >>
> >> 1) Put mails for user foo in some hold queue
> >> 2) use imapsync to transfer imap data to the new backend
> >> 3) set up a transport table with special mention for user foo
> >> 4) release mails from the hold queue for user foo
> >>
> >> Mailscanner using postfix's hold queue, I'm afraid I won't be able to use
> >> it? Do you know an alternative I could use ?
> >>
> >> Thanks in advance,
> >>
> >> --
> >> Mikael Kermorgant

--
Mikael Kermorgant

From gerard at seibercom.net Thu Apr 12 10:53:15 2007
From: gerard at seibercom.net (Gerard Seibert)
Date: Thu Apr 12 10:52:24 2007
Subject: Whitelisting Problem
In-Reply-To:
References:
Message-ID: <20070412055002.FE1E.GERARD@seibercom.net>

On Thursday April 12, 2007 at 03:27:09 (AM) --[ UxBoD ]-- wrote:

> I am having a problem with Whitelisting our internal emails that pass
> through MailScanner. The configuration of MailScanner is Postfix MTA on
> Port 25 performing numerous SPAM checks, the emails are then passed
> through to a second Postfix instance on port 10026 which performs the
> hold operation so that MailScanner can process the emails. I have added
> our internal IP addresses to spam.whitelist.rules but when an internal
> email is relayed through it does not get W/L. I believe that this is
> because MailScanner looks at the final relay IP which will be 127.0.0.1
> which is the second Postfix instance. If I W/L everything from 127.0.0.1
> then all the SPAM will get through as well :( Any ideas ?

Why are you using two instances of Postfix? That seems excessive from
what you have described. In any case, you should not attempt to bounce
any mail from the second instance of postfix since it has already been
accepted by the first instance. All scanning of mail should be performed
by the primary MTA.

--
Gerard

From uxbod at splatnix.net Thu Apr 12 11:03:18 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Apr 12 11:03:51 2007
Subject: Whitelisting Problem
In-Reply-To: <20070412055002.FE1E.GERARD@seibercom.net>
References: <20070412055002.FE1E.GERARD@seibercom.net>
Message-ID:

Yup. I have already slapped myself around the face with a wet fish ! ;) I have merged the two configs and running just one instance now.

Many thanks,

On Thu, 12 Apr 2007 05:53:15 -0400, Gerard Seibert wrote:
> On Thursday April 12, 2007 at 03:27:09 (AM) --[ UxBoD ]-- wrote:
>
>> I am having a problem with Whitelisting our internal emails that pass
>> through MailScanner. The configuration of MailScanner is Postfix MTA on
>> Port 25 performing numerous SPAM checks, the emails are then passed
>> through to a second Postfix instance on port 10026 which performs the
>> hold operation so that MailScanner can process the emails. I have added
>> our internal IP addresses to spam.whitelist.rules but when an internal
>> email is relayed through it does not get W/L. I believe that this is
>> because MailScanner looks at the final relay IP which will be 127.0.0.1
>> which is the second Postfix instance. If I W/L everything from 127.0.0.1
>> then all the SPAM will get through as well :( Any ideas ?
>
> Why are you using two instances of Postfix? That seems excessive from
> what you have described. In any case, you should not attempt to bounce
> any mail from the second instance of postfix since it has already been
> accepted by the first instance. All scanning of mail should be performed
> by the primary MTA.
>
> --
> Gerard
From drew at technologytiger.net Thu Apr 12 11:46:16 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Thu Apr 12 11:46:25 2007
Subject: Problems with Calamvmodule
In-Reply-To: <1176370318.12539.161.camel@localhost.localdomain>
References: <1176370318.12539.161.camel@localhost.localdomain>
Message-ID: <63949.194.70.180.170.1176374776.squirrel@www.technologytiger.net>

On Thu, April 12, 2007 10:31, ram wrote:
> Same problem here.
> I changed my MailScanner.conf line to
>
> Monitors for ClamAV Updates = /var/lib/clamav/daily.inc/*
> Just check the directory in freshclam.conf and update your mailscanner
>
> I still dont know if this is the right thing to do

That's fine except that if any of the files in *.inc become corrupt then freshclam will download a complete .cvd file into /var/lib/clamav and delete the corrupt *.inc directory and MS will complain again. Just add along side that entry above /var/lib/clamav/*.cvd with a space between the two lines and it should work fine. Mine has been ok now for ~30 hours now and has restarted the MS children on update with no problem.

Drew

From edward.prendergast at netring.co.uk Thu Apr 12 12:01:07 2007
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Thu Apr 12 12:00:44 2007
Subject: Continuing saga of ClamAV module
Message-ID: <200704121100.l3CB0hWX016891@safir.blacknight.ie>

With the recurring clamavmodule problems of late, has anybody started just using clamav direct rather than the module? Is there a huge speed increase to be gained in using the module, or a big saving on resources?

Edward

From asurfer at iinet.net.au Thu Apr 12 12:46:17 2007
From: asurfer at iinet.net.au (Mick)
Date: Thu Apr 12 12:45:40 2007
Subject: ClamAVModule and csv files in zip files
In-Reply-To: <461CE55C.3050200@USherbrooke.ca>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com> <46157302.9030705@evi-inc.com> <46157FC1.7090906@evi-inc.com> <46166621.4090602@yeticomputers.com> <46169243.4050907@yeticomputers.com> <461A1B87.6050907@iinet.net.au> <461B5707.2020800@iinet.net.au> <461C9BAC.4040200@iinet.net.au> <461CE55C.3050200@USherbrooke.ca>
Message-ID: <461E1C09.3060803@iinet.net.au>

Denis Beauchemin wrote:
> Mick wrote:
>> Mick wrote:
>>> Scott Silva wrote:
>>>> Mick spake the following on 4/9/2007 3:55 AM:
>>>>
>>>>> Hello.
>>>>>
>>>>> I am currently running MailScanner which uses the clamavmodule. The
>>>>> other day, I received 4 emails from ad-noreply@google.com and each of
>>>>> these emails has a (non-password protected) zip file and contained
>>>>> within each zip file was a file called report.csv. However, MailScanner
>>>>> quarantined them even though clamscan reports that none of the zip files
>>>>> are infected. Placing ad-no-reply@google.com in
>>>>> /etc/MailScanner/rules/virus-scan.rules results in those zip files as
>>>>> sent from ad-noreply@google.com now passing through unscanned but why
>>>>> were the files quarantined in the first place when clamscan says that
>>>>> they're uninfected?
>>>>>
>>>>> Thanks,
>>>>> Mick.
>>>>>
>>>> Did it say that they were password protected?
>>>> Clamavmodule can also choke if they are over it's stated limit on how
>>>> compressed the file is.
>>>> Look in this area of conf;
>>>>
>>>> # ClamAVModule only: set limits when scanning for viruses.
>>>> #
>>>> # The maximum recursion level of archives,
>>>> # The maximum number of files per batch,
>>>> # The maximum file of each file,
>>>> # The maximum compression ratio of archive.
>>>> # These settings *cannot* be the filename of a ruleset, only a simple number.
>>>> ClamAVmodule Maximum Recursion Level = 10
>>>> ClamAVmodule Maximum Files = 1000
>>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>>>> ClamAVmodule Maximum Compression Ratio = 950
>>>>
>>> Hi Scott.
>>>
>>> Thanks for the reply.
>>>
>>>> Did it say that they were password protected?
>>>
>>> No. They weren't password protected and they weren't reported by
>>> clamscan as being protected.
>>>
>>> I actually work for a Web Hosting company and the control panel we
>>> use (much to my dismay) is Ensim and the version of MailScanner that
>>> is installed is the one that gets installed when Ensim is
>>> installed. As such, the version of MailScanner that we are
>>> currently using is 4.31.6-1 (and ClamAV 0.88.7) and so it does not
>>> have any of those ClamAVModule directives that you have mentioned
>>> (I'll be upgrading both within the next week or so).
>>>
>>> Anyway, the compression ratio is approximately 80%, with the archive
>>> being just a bit smaller than what (Linux) zip 2.3 can do with zip -9.
>>>
>>> Cheers.
>>>
>> Ok. A bit more info on this. This is in MailScanner.conf:
>>
>> Maximum Archive Depth = 0
>> Find Archives By Content = no
>> Virus Scanners = clamavmodule
>> Allow Password-Protected Archives = no
>>
>> and seeing as clamscan determined that the zip files contained no
>> viruses, I was curious to see if clamavmodule detected any viruses in
>> the zip files.
>> So pinching the code snippet from `perldoc Mail::ClamAV' and replacing
>>
>> my $c = new Mail::ClamAV("/path/to/directory/or/file")
>>
>> with
>>
>> my $c = new Mail::ClamAV("/var/clamav/main.cvd")
>>
>> (and afterwards, trying again replacing main.cvd with daily.cvd),
>>
>> and also replacing
>>
>> my $status = $c->scan(FH, CL_SCAN_ARCHIVE|CL_SCAN_MAIL);
>>
>> with
>>
>> my $status = $c->scan("/tmp/report-csv.zip", 0);
>>
>> upon running the perl script, clamavmodule returns:
>>
>> No virus found!
>>
>> So why is MailScanner detecting them as being viruses and
>> quarantining them (unless I place the sender's address in
>> virus-scan.rules as previously described)?
>>
>> Cheers.
>>
> In SweepViruses.pm, you will see that MS calls Mail::ClamAV with the
> following options:
> Mail::ClamAV::CL_SCAN_STDOPT() |
> Mail::ClamAV::CL_SCAN_ARCHIVE() |
> Mail::ClamAV::CL_SCAN_PE() |
> Mail::ClamAV::CL_SCAN_BLOCKBROKEN() |
> Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
> Mail::ClamAV::CL_SCAN_OLE2());
>
> Retry your scan with:
> my $status = $c->scan("/tmp/report-csv.zip", CL_SCAN_STDOPT |
> CL_SCAN_ARCHIVE | CL_SCAN_PE | CL_SCAN_BLOCKBROKEN |
> CL_SCAN_BLOCKENCRYPTED | CL_SCAN_OLE2);
> and you should see the virus detected.
>
> Denis
>

Hi Dennis.

Thanks for your reply.

I actually thought of this as well a short while after I sent in my last post i.e. seeing what parameters MS passed to the clamavmodule and using those in my code snippet. However, I then came up with an even more brilliant idea: Look in the mail logs ;P

Anyway, clamavmodule reckons that the zips were Oversized. So Google must squash the bejesus out of them (more than zip -9 does obviously). As such, I'll install the latest version of MS and remember to also increase the compression ratio threshold :)

Cheers.

From rowan at rownetco.com Thu Apr 12 14:33:05 2007
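Added example for the "ClamAVModule and csv files in zip files" thread above (not code from any poster, MailScanner or ClamAV): a Python check that lists the non-signature reasons a clean zip can still be refused, namely an encrypted member, a declared size over the limit, or a compression ratio over the limit. The ratio definition (uncompressed size divided by compressed size), the function names and the sample archive are assumptions made for illustration; the two default limits are the values quoted in the thread.

```python
import hashlib
import io
import zipfile

# Limits as quoted in the thread's MailScanner.conf excerpt.
MAX_RATIO = 950             # ClamAVmodule Maximum Compression Ratio
MAX_FILE_SIZE = 10_000_000  # ClamAVmodule Maximum File Size (10 Mbytes)


def inspect_zip(zip_bytes, max_ratio=MAX_RATIO, max_file_size=MAX_FILE_SIZE):
    """Return one dict per member with the limit-based reasons it could be refused.

    Assumption: "ratio" is uncompressed size / compressed size (N:1).
    Sizes are the values the archive declares in its central directory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            packed = max(info.compress_size, 1)  # avoid division by zero
            ratio = info.file_size / packed
            # "Percent saved" is a different figure: 80% saved is only 5:1.
            saved_pct = 100.0 * (1 - packed / info.file_size) if info.file_size else 0.0
            reasons = []
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: encrypted member
                reasons.append("encrypted")
            if info.file_size > max_file_size:
                reasons.append("file-size")
            if ratio >= max_ratio:
                reasons.append("compression-ratio")
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "packed": info.compress_size,
                "ratio": ratio,
                "saved_pct": saved_pct,
                "reasons": reasons,
            })
    return findings


def build_sample_zip():
    """Constructed sample: a highly repetitive CSV report and an incompressible blob."""
    row = b"2007-04-09,example-campaign,0,0,0.00\n"
    report = b"date,campaign,clicks,impressions,cost\n" + row * 60000
    blob = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr("report.csv", report)
        zf.writestr("blob.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    # max_ratio=100 is a constructed threshold chosen so the sample trips it.
    for f in inspect_zip(build_sample_zip(), max_ratio=100):
        print("%-12s %9d -> %8d bytes  %7.1f:1  %6.2f%% saved  %s" % (
            f["name"], f["size"], f["packed"], f["ratio"], f["saved_pct"],
            ",".join(f["reasons"]) or "within limits"))
```

Running the same function over a quarantined attachment shows which limit it tripped, so the threshold can be tuned for that case instead of exempting the sender from virus scanning.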
From: rowan at rownetco.com (John Rowan)
Date: Thu Apr 12 14:33:54 2007
Subject: Bouncing to spoofed domain name
Message-ID: <461E3511.301@rownetco.com>

Is there any way to configure MailScanner to bounce mail to the abuse contact of an IP Netblock rather than what happened below. The sender was falsified and MailScanner sent it to the non existent person at watermaster.org. Watermaster.org rejected the bounce since ktf doesn't exist. I'm dealing with the same problem on several servers where garbage is being sent out saying it is from domains I support and then it's bounced to me but my /etc/mail/virtusertable is similarly configured to that mail to non existent users is not accepted.

In the example below the mail came from 219.134.77.247 which is in China

inetnum: 219.128.0.0 - 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN

I would want to bounce to the correct: abuse@gddc.com.cn

-------- Original Message --------
Subject: Bad Filename Detected
Date: Thu, 12 Apr 2007 04:20:57 -0400
From: MailScanner
To: postmaster@corvette.deleted.com

The following e-mails were found to have: Bad Filename Detected

Sender: ktf@watermaster.org
IP Address: 219.134.77.247
Recipient: username@deleted.com
Subject: I Love You Because
MessageID: l3C8KHHg013901
Report: MailScanner: Executable DOS/Windows programs are dangerous in email (greeting card.exe)

--
MailScanner
Email Virus Scanner
www.mailscanner.info

From list-mailscanner at linguaphone.com Thu Apr 12 14:41:18 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Apr 12 14:41:29 2007
Subject: Bouncing to spoofed domain name
In-Reply-To: <461E3511.301@rownetco.com>
References: <461E3511.301@rownetco.com>
Message-ID: <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk>

You can get Postfix to verify that the sender address exists. It does this by connecting to the mail server for the domain and checks to see if the server accepts the sender's email address. For more information see http://www.postfix.org/ADDRESS_VERIFICATION_README.html

The downside of this is that your mail server pauses while it checks the address so if it takes a while the sender may time out. This is rare though as most timeouts are quite long. All check results are cached.

I use this myself but on the destination address so Postfix rejects mail to users who don't exist at our domains.

On Thu, 2007-04-12 at 14:33, John Rowan wrote:
> Is there any way to configure MailScanner to bounce mail to the abuse
> contact of an IP Netblock rather than what happened below.
> The sender was falsified and MailScanner sent it to the non existent
> person at watermaster.org. Watermaster.org rejected the bounce
> since ktf doesn't exist. I'm dealing with the same problem on several
> servers where garbage is being sent out saying it is from domains
> I support and then it's bounced to me but my /etc/mail/virtusertable
> is similarly configured to that mail to non existent users is not
> accepted.
>
> In the example below the mail came from 219.134.77.247 which is in
> China
>
> inetnum: 219.128.0.0 - 219.137.255.255
> netname: CHINANET-GD
> descr: CHINANET Guangdong province network
> descr: Data Communication Division
> descr: China Telecom
> country: CN
> I would want to bounce to the correct: abuse@gddc.com.cn
>
> -------- Original Message --------
> Subject: Bad Filename Detected
> Date: Thu, 12 Apr 2007 04:20:57 -0400
> From: MailScanner
> To: postmaster@corvette.deleted.com
>
> The following e-mails were found to have: Bad Filename Detected
>
> Sender: ktf@watermaster.org
> IP Address: 219.134.77.247
> Recipient: username@deleted.com
> Subject: I Love You Because
> MessageID: l3C8KHHg013901
> Report: MailScanner: Executable DOS/Windows programs are dangerous in email (greeting card.exe)

From rowan at rownetco.com Thu Apr 12 15:01:29 2007
From: rowan at rownetco.com (John Rowan)
Date: Thu Apr 12 15:02:20 2007
Subject: Bouncing to spoofed domain name
In-Reply-To: <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <461E3511.301@rownetco.com> <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <461E3BB9.6050602@rownetco.com>

Gareth, thanks for the quick reply. I do not use Postfix and don't know anything about it. I read the ADDRESS_VERIFICATION_README.html. Does Postfix replace Sendmail as the MTA or does it work in conjunction with it? I have two months worth of projects in my queue and don't have time right now to reconfigure and test email server configurations if Postfix needs to replace Sendmail as the MTA. From what I see Googling Postfix it is a replacement for Sendmail. I'll have to revisit this when I close out some of the projects I'm working on.

Thanks.

Gareth wrote:
> You can get Postfix to verify that the sender address exists. It does
> this by connecting to the mail server for the domain and checks to see
> if the server accepts the senders email address. For more information
> see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
> The downside of this is that your mail server pauses while it checks the
> address so if it takes a while the sender may time out. This is rare
> though as most timeouts are quite long. All check results are cached.
>
> I use this myself but on the destination address so Postfix rejects mail
> to users who dont exist at our domains.
>
> On Thu, 2007-04-12 at 14:33, John Rowan wrote:
>
>> Is there any way to configure MailScanner to bounce mail to the abuse
>> contact of an IP Netblock rather than what happened below.
>> The sender was falsified and MailScanner sent it to the non existent
>> person at watermaster.org. Watermaster.org rejected the bounce
>> since ktf doesn't exist.
>> I'm dealing with the same problem on several
>> servers where garbage is being sent out saying it is from domains
>> I support and then it's bounced to me but my /etc/mail/virtusertable
>> is similarly configured to that mail to non existent users is not
>> accepted.
>>
>> In the example below the mail came from 219.134.77.247 which is in
>> China
>>
>> inetnum: 219.128.0.0 - 219.137.255.255
>> netname: CHINANET-GD
>> descr: CHINANET Guangdong province network
>> descr: Data Communication Division
>> descr: China Telecom
>> country: CN
>> I would want to bounce to the correct: abuse@gddc.com.cn
>>
>> -------- Original Message --------
>> Subject: Bad Filename Detected
>> Date: Thu, 12 Apr 2007 04:20:57 -0400
>> From: MailScanner
>> To: postmaster@corvette.deleted.com
>>
>> The following e-mails were found to have: Bad Filename Detected
>>
>> Sender: ktf@watermaster.org
>> IP Address: 219.134.77.247
>> Recipient: username@deleted.com
>> Subject: I Love You Because
>> MessageID: l3C8KHHg013901
>> Report: MailScanner: Executable DOS/Windows programs are dangerous in email (greeting card.exe)
>>

From list-mailscanner at linguaphone.com Thu Apr 12 15:16:15 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Apr 12 15:16:22 2007
Subject: Bouncing to spoofed domain name
In-Reply-To: <461E3BB9.6050602@rownetco.com>
References: <461E3511.301@rownetco.com> <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk> <461E3BB9.6050602@rownetco.com>
Message-ID: <1176387375.1895.19.camel@gblades-suse.linguaphone-intranet.co.uk>

Yes sorry for some reason I thought you were running Postfix. Yes it is a replacement for Sendmail. Personally I have used Sendmail, Exim and Postfix and I much prefer Postfix as it seems very easy to configure and is highly customisable. Its hold queue is very useful for Mailscanner as you only need a single instance running.

I don't know what platform you are running but on the Fedora system I use there is just a single command to switch everything over from using sendmail to postfix and then you just have to make the simple configuration to get Postfix working.

On Thu, 2007-04-12 at 15:01, John Rowan wrote:
> Gareth, thanks for the quick reply. I do not use Postfix and don't
> know anything about it.
> I read the ADDRESS_VERIFICATION_README.html. Does Postfix replace
> Sendmail
> as the MTA or does it work in conjunction with it? I have two months
> worth of projects
> in my queue and don't have time right now to reconfigure and test
> email server configurations
> if Postfix needs to replace Sendmail as the MTA. From what I see
> Googling Postfix it is a replacement
> for Sendmail. I'll have to revisit this when I close out some of the
> projects I'm working on.
>
> Thanks.
>
> Gareth wrote:
> > You can get Postfix to verify that the sender address exists. It does
> > this by connecting to the mail server for the domain and checks to see
> > if the server accepts the sender's email address.
> > For more information
> > see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
> >
> > The downside of this is that your mail server pauses while it checks the
> > address so if it takes a while the sender may time out. This is rare
> > though as most timeouts are quite long. All check results are cached.
> >
> > I use this myself but on the destination address so Postfix rejects mail
> > to users who don't exist at our domains.
> >
> > On Thu, 2007-04-12 at 14:33, John Rowan wrote:
> >
> > > Is there any way to configure MailScanner to bounce mail to the abuse
> > > contact of an IP Netblock rather than what happened below.
> > > The sender was falsified and MailScanner sent it to the non existent
> > > person at watermaster.org. Watermaster.org rejected the bounce
> > > since ktf doesn't exist. I'm dealing with the same problem on several
> > > servers where garbage is being sent out saying it is from domains
> > > I support and then it's bounced to me but my /etc/mail/virtusertable
> > > is similarly configured to that mail to non existent users is not
> > > accepted.
> > >
> > > In the example below the mail came from 219.134.77.247 which is in
> > > China
> > >
> > > inetnum: 219.128.0.0 - 219.137.255.255
> > > netname: CHINANET-GD
> > > descr: CHINANET Guangdong province network
> > > descr: Data Communication Division
> > > descr: China Telecom
> > > country: CN
> > > I would want to bounce to the correct: abuse@gddc.com.cn
> > >
> > > -------- Original Message --------
> > > Subject: Bad Filename Detected
> > > Date: Thu, 12 Apr 2007 04:20:57 -0400
> > > From: MailScanner
> > > To: postmaster@corvette.deleted.com
> > >
> > > The following e-mails were found to have: Bad Filename Detected
> > >
> > > Sender: ktf@watermaster.org
> > > IP Address: 219.134.77.247
> > > Recipient: username@deleted.com
> > > Subject: I Love You Because
> > > MessageID: l3C8KHHg013901
> > > Report: MailScanner: Executable DOS/Windows programs are dangerous in email (greeting card.exe)

From Denis.Beauchemin at USherbrooke.ca Thu Apr 12 15:34:57 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Apr 12 15:35:39 2007
Subject: Feature Request
In-Reply-To:
References: <461D6B28.5090800@chapman.edu>
Message-ID: <461E4391.9050801@USherbrooke.ca>

Jeff A. Earickson wrote:
> On Wed, 11 Apr 2007, Jay Chandler wrote:
>
>> Date: Wed, 11 Apr 2007 16:11:36 -0700
>> From: Jay Chandler
>> Reply-To: MailScanner discussion
>> To: MailScanner discussion
>> Subject: Feature Request
>>
>> Recently had a user account become compromised and start spewing spam.
>>
>> Is there any functionality within MailScanner that can alert me once
>> one user sends more than a predefined number of messages in a given
>> time period? If not, I'd dearly love to see this implemented...
>
> This might not be quite what you are looking for, but check out the IPBlock
> feature of MailScanner. You can set it up to block email from a certain
> IP after a set amount per hour, configurable by CIDR netblocks. I use
> IPBlock for both external large IP netblocks (eg, APNIC) and for netblocks
> in our own class-B domain. For instance, I have the allowed number of
> messages per hour coming out of our public wireless subnets cranked down
> to a low number. I don't want some spambot from god-knows-where coming
> into one of these wireless subnets and then spewing. They get 20 messages
> out then get shut down automagically. Scan the list archives for IPBlock.
>
> Jeff Earickson
> Colby College

I used to use IPBlock but found it didn't perform well enough when many emails come in real fast and pile up in the inqueue before MS can take a look at them. I now use milter-limit (with sendmail) and have eliminated the pile ups in the inqueue. Check http://www.snertsoft.com/sendmail/milter-limit/. It's free.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From gerard at seibercom.net Thu Apr 12 15:58:12 2007
From: gerard at seibercom.net (Gerard Seibert) Date: Thu Apr 12 15:57:19 2007 Subject: Bouncing to spoofed domain name In-Reply-To: <461E3BB9.6050602@rownetco.com> References: <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk> <461E3BB9.6050602@rownetco.com> Message-ID: <20070412105300.B6E6.GERARD@seibercom.net> On Thursday April 12, 2007 at 10:01:29 (AM) John Rowan wrote: > Gareth, thanks for the quick reply. I do not use Postfix and don't know > anything about it. > I read the ADDRESS_VERIFICATION_README.html. Does Postfix replace Sendmail > as the MTA or does it work in conjunction with it? I have two months > worth of projects > in my queue and don't have time right now to reconfigure and test email > server configurations > if Postfix needs to replace Sendmail as the MTA. From what I see > Googling Postfix it is a replacement > for Sendmail. I'll have to revisit this when I close out some of the > projects I'm working on. Please don't top post. If you don't know what that means, Google for it. Yes, Postfix is a replacement for Sendmail. You might want to rethink this bounce procedure that you are employing. You are effectively creating 'backscatter' which will eventually get you blacklisted. You are better off silently dropping those messages. It has been ages since I employed Sendmail. I thought though that there was a way to create a list of valid users and discard the rest. -- Gerard From ssilva at sgvwater.com Thu Apr 12 16:54:32 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Apr 12 16:55:13 2007 Subject: Feature Request In-Reply-To: References: Message-ID: Dennis Willson spake the following on 4/11/2007 4:52 PM: > > Hmmmmm... How does scanning the outgoing messages generate an "Alert"? > While it is in fact good to scan outgoing messages, I believe he wants > notification that a client is compromised or a Spammer, not just filtering. > > Personally I use a different outgoing server with different rule sets > than the MX. You can then set the rules to notify the sender that they > have sent Spam/Virus, etc... and copy the postmaster (you). I just notify postmaster, and kill the machine remotely or remove it from the network until I can fix it. A few years ago I had someone bring in their personal laptop and connect it to the network without permission. It had sasser or something like it, and brought that network segment to its knees until I found it and pulled the plug. I never thought one machine could flood that much traffic! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Apr 12 17:09:53 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Apr 12 17:10:31 2007 Subject: Continuing saga of ClamAV module In-Reply-To: <200704121100.l3CB0hWX016891@safir.blacknight.ie> References: <200704121100.l3CB0hWX016891@safir.blacknight.ie> Message-ID: Edward Prendergast spake the following on 4/12/2007 4:01 AM: > With the recurring clamavmodule problems of late, has anybody started just > using clamav direct rather than the module? > Is there a huge speed increase to be gained in using the module, or a big > saving on resources? > > Edward > > > > > The information in this email is confidential and may be legally privileged. > It is intended solely for the addressee. Access to this email by anyone else > is unauthorised. If you are not the intended recipient, any action taken or > omitted to be taken in reliance on it, any form of reproduction, > dissemination, copying, disclosure, modification, distribution and/or > publication of this E-mail message is strictly prohibited and may be > unlawful. If you have received this E-mail message in error, please notify > us immediately. Please also destroy and delete the message from your > computer. > I can't answer your request because your disclaimer says I am unauthorized! I am notifying you that I must have received this e-mail in error. When will the corporate PHB's realize that these disclaimers are a joke? Now to answer your question just in case you are forced to have this disclaimer; The module does save some resources because the system doesn't have to fork a clamd run. If you get a fair amount of mail on your system, you will notice the difference. But if you are using other command-line scanners, which you should be using more than one, I think your return will be less. Every processor cycle you can save is available to be used elsewhere. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From list-mailscanner at linguaphone.com Thu Apr 12 18:34:28 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Apr 12 18:34:33 2007 Subject: Bouncing to spoofed domain name In-Reply-To: <20070412105300.B6E6.GERARD@seibercom.net> Message-ID: > Please don't top post. If you don't know what that means, Google for it. If you don't want me and probably others to top post then don't post the original email in HTML form. Evolution doesn't edit html well so I cannot simply quote and answer particular questions. Unlike Outlook it does not allow me to edit and convert a mail to plain text either. Plain text is fine and much easier to quote. From gerard at seibercom.net Thu Apr 12 18:51:00 2007 From: gerard at seibercom.net (Gerard Seibert) Date: Thu Apr 12 18:50:03 2007 Subject: Bouncing to spoofed domain name In-Reply-To: References: <20070412105300.B6E6.GERARD@seibercom.net> Message-ID: <20070412134825.CE29.GERARD@seibercom.net> On Thursday April 12, 2007 at 01:34:28 (PM) Gareth wrote: > > Please don't top post. If you don't know what that means, Google for it. > > If you don't want me and probably others to top post then don't post the > original email in HTML form. > Evolution doesn't edit html well so I cannot simply quote and answer > particular questions. Unlike Outlook it does not allow me to edit and > convert a mail to plain text either. > > Plain text is fine and much easier to quote. I totally agree. HTML mail on a forum like this is ridiculous. I have never used 'mailman' myself; however, I thought there was a setting in the program to convert HTML mail to 'plain text' before relaying it. If there is, it would be nice if the owner would turn it on. Ciao! -- Gerard From res at ausics.net Thu Apr 12 23:58:02 2007 
From: res at ausics.net (Res) Date: Thu Apr 12 23:58:11 2007 Subject: Bouncing to spoofed domain name In-Reply-To: <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk> References: <461E3511.301@rownetco.com> <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: On Thu, 12 Apr 2007, Gareth wrote: > You can get Postfix to verify that the sender address exists. It does > this by connecting to the mail server for the domain and checks to see > if the server accepts the sender's email address. For more information > see http://www.postfix.org/ADDRESS_VERIFICATION_README.html Oh dear.. don't bring that back up again :) it's the same as sendmail/qmail SV, which there was a lengthy thread on, but hell yeah, do it :) -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Fri Apr 13 00:02:11 2007 From: res at ausics.net (Res) Date: Fri Apr 13 00:02:22 2007 Subject: Bouncing to spoofed domain name In-Reply-To: <461E3BB9.6050602@rownetco.com> References: <461E3511.301@rownetco.com> <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk> <461E3BB9.6050602@rownetco.com> Message-ID: John, As you use Sendmail, take a look at smf-sav, http://smfs.sourceforge.net On Thu, 12 Apr 2007, John Rowan wrote: > Gareth, thanks for the quick reply. I do not use Postfix and don't know > anything about it. > I read the ADDRESS_VERIFICATION_README.html. Does Postfix replace Sendmail -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Fri Apr 13 00:06:08 2007 
From: res at ausics.net (Res) Date: Fri Apr 13 00:06:16 2007 Subject: Bouncing to spoofed domain name In-Reply-To: References: Message-ID: Gareth, Ignore the self appointed net-cop (this list has at least 2 of em), there's only one person around here who has any right to ask you to post in a way he doesn't like, his name is Julian :) no one else's opinion matters. On Thu, 12 Apr 2007, Gareth wrote: >> Please don't top post. If you don't know what that means, Google for it. > > If you don't want me and probably others to top post then don't post the > original email in HTML form. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From taz at taz-mania.com Fri Apr 13 00:22:17 2007 
From: taz at taz-mania.com (Dennis Willson) Date: Fri Apr 13 00:22:17 2007 Subject: Bouncing to spoofed domain name In-Reply-To: <1176385278.1895.5.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: I use sendmail and it will REJECT (not bounce, bouncing to anything spoofed is bad) Domains that don't really exist. If you want to REJECT on a spoofed eMail address then you should use sender address verification. The one I use is smf-sav. It works very well. (I use sendmail) I absolutely hate eMail providers that accept eMail THEN check to see if the sender exists and bounces it back to the spoofed "From:" address if not. This should be done during the SMTP phase and REJECT so only the spoofing sender is bothered. Most of these servers wind up on my blacklist. On Thu, 12 Apr 2007 14:41:18 +0100 Gareth wrote: >You can get Postfix to verify that the sender address exists. It does >this by connecting to the mail server for the domain and checks to >see >if the server accepts the sender's email address. For more information >see http://www.postfix.org/ADDRESS_VERIFICATION_README.html > >The downside of this is that your mail server pauses while it checks >the >address so if it takes a while the sender may time out. This is rare >though as most timeouts are quite long. All check results are cached. > >I use this myself but on the destination address so Postfix rejects >mail >to users who don't exist at our domains. > >On Thu, 2007-04-12 at 14:33, John Rowan wrote: >> Is there any way to configure MailScanner to bounce mail to the >>abuse >> contact of an IP Netblock rather than what happened below. >> The sender was falsified and MailScanner sent it to the non existent >> person at watermaster.org. Watermaster.org rejected the bounce >> since ktf doesn't exist. 
I'm dealing with the same problem on >>several >> servers where garbage is being sent out saying it is from domains >> I support and then it's bounced to me but my /etc/mail/virtusertable >> is similarly configured to that mail to non existent users is not >> accepted. >> >> In the example below the mail came from 219.134.77.247 which is in >> China >> >> inetnum: 219.128.0.0 - 219.137.255.255 >> netname: CHINANET-GD >> descr: CHINANET Guangdong province network >> descr: Data Communication Division >> descr: China Telecom >> country: CN >> I would want to bounce to the correct: abuse@gddc.com.cn >> >> -------- Original Message -------- >> Subject: >> Bad Filename Detected >> Date: >> Thu, 12 Apr 2007 04:20:57 -0400 >> From: >> MailScanner >> >> To: >> postmaster@corvette.deleted.com >> >> The following e-mails were found to have: Bad Filename Detected >> >> Sender: ktf@watermaster.org >> IP Address: 219.134.77.247 >> Recipient: username@deleted.com >> Subject: I Love You Because >> MessageID: l3C8KHHg013901 >> Report: MailScanner: Executable DOS/Windows programs are >>dangerous in email (greeting card.exe) -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham (Extra Class w/code): KA6LSW GMRS : WQGF680 Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From chandler.lists at chapman.edu Fri Apr 13 02:30:26 2007 
From: chandler.lists at chapman.edu (Jay Chandler) Date: Fri Apr 13 02:30:34 2007 Subject: Feature Request In-Reply-To: References: <461D6B28.5090800@chapman.edu> Message-ID: <461EDD32.1010006@chapman.edu> Hugo van der Kooij wrote: > You need to block SMTP from anyone but acknowledged and well > controlled servers in your network. Ya think? :-) This has been done. Note that the way this particular instance took place was a user had a weak or leaked password, so the spammer came in through our webmail gateway. Flow control won't work on that machine, as it services hundreds of users. Neither will IP based restrictions. The only thing I can think of that would have caught this would have been measuring the volume-- they're forced to use their own email address, so after the first dozen messages, I'd have loved for something to have said "Wait a damned second here..." -- Jay Chandler Network Administrator Chapman University From v at vladville.com Fri Apr 13 02:51:34 2007 From: v at vladville.com (Vlad Mazek) Date: Fri Apr 13 02:51:38 2007 Subject: ArchiveNonSpam Message-ID: Last year Julian posted a sample function to help archive non-spam instead of everything. http://lists.mailscanner.info/pipermail/mailscanner/2006-March/059280.html Any ideas on how this is implemented, in CustomFunctions and in MailScanner.conf; Any help would be really appreciated. -- -Vlad From pete at enitech.com.au Fri Apr 13 02:52:59 2007 
From: pete at enitech.com.au (Peter Russell) Date: Fri Apr 13 02:53:06 2007 Subject: Time Spent on Spam Message-ID: <461EE27B.3010005@enitech.com.au> We are reviewing our spam defences. A review in the sense of our policies, should we store low scoring spam and send reports, or forward to modded subjects and config outlook rules etc Part of this is documented what we currently do and I am trying to work out how much time I spend on mailscanner, responding to queries about spam, explaining spam to people - with a view to addressing some of the more problematic aspects with stuff like explanations on our intranet about why people get spam, where it comes from, what we are doing and some stats. Inc comparisons between the effort we make and the effort other companies make. So, I was wondering if anyone could offer some thoughts on what sort of time they spend combating mail/virus/phishing etc From res at ausics.net Fri Apr 13 03:21:07 2007 
From: res at ausics.net (Res) Date: Fri Apr 13 03:21:16 2007 Subject: Time Spent on Spam In-Reply-To: <461EE27B.3010005@enitech.com.au> References: <461EE27B.3010005@enitech.com.au> Message-ID: On Fri, 13 Apr 2007, Peter Russell wrote: > We are reviewing our spam defences. A review in the sense of our policies, > should we store low scoring spam and send reports, or forward to modded > subjects and config outlook rules etc You could mark low score spam as attachment. In your rules dir find the respective message, and edit it, explaining to all what how why, since I did this, I have had NO queries about why MailScanner is blocking/refusing X, Y or Z. However, the first few lines should be a brief explanation, because let's face it, no user wants to read a 200 line email in entirety, it's like us expecting them to read the terms and conditions, they say they do, but we know they don't :) Then under, give a full and detailed explanation, DO NOT let legals write it, get your juniors to do it, then find the most computer illiterate person in your company and get them to read it and see if they understand it, if they do, you're home and hosed. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From ka at pacific.net Fri Apr 13 05:24:01 2007 
From: ka at pacific.net (Ken Anderson) Date: Fri Apr 13 05:24:16 2007 Subject: Feature Request In-Reply-To: <461EDD32.1010006@chapman.edu> References: <461D6B28.5090800@chapman.edu> <461EDD32.1010006@chapman.edu> Message-ID: <461F05E1.9050306@pacific.net> Jay Chandler wrote: > Hugo van der Kooij wrote: >> You need to block SMTP from anyone but acknowledged and well >> controlled servers in your network. > Ya think? :-) > > This has been done. Note that the way this particular instance took > place was a user had a weak or leaked password, so the spammer came in > through our webmail gateway. Flow control won't work on that machine, > as it services hundreds of users. Neither will IP based restrictions. > The only thing I can think of that would have caught this would have > been measuring the volume-- they're forced to use their own email > address, so after the first dozen messages, I'd have loved for something > to have said "Wait a damned second here..." > tail the log, watch the "relay=" and instead of the IP, capture the "from=" if a message "is spam" from your webmail box and put that into either an access "From:baduser@here.net Error 450 hold that spam" entry, or a MailScanner rule that quarantines mail from that user and then reloads MailScanner. ossec (ossec.net) has 'active response' and might help with automating this if you want something more robust and faster than a cron job running a shell script. It's quite good, and its response is within seconds, not minutes, but does need some tweaking for your needs. Ken Anderson Pacific.Net From seamus at rheelweb.co.nz Fri Apr 13 05:35:36 2007 
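The volume check Jay Chandler asks for, combined with the log-watching approach Ken Anderson describes, as an added example that is not part of either post: it counts messages per "from=" address arriving through the webmail relay in a sliding window and flags the first sender to exceed a dozen. The sendmail-style log layout, the gateway address 192.0.2.10, the 10-minute window and all function names are assumptions, and the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WEBMAIL_IP = "192.0.2.10"        # assumption: address of the webmail gateway
LIMIT = 12                       # "after the first dozen messages"
WINDOW = timedelta(minutes=10)   # assumption: the thread names no time period

# Assumed layout of a sendmail "from=" log line: syslog prefix, queue id,
# from=<sender>, other fields, relay=host [ip].
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\ssendmail\[\d+\]:\s\w+:\s"
    r"from=<?(?P<sender>[^>,\s]*)>?,.*\brelay=[^\[]*\[(?P<ip>[^\]]+)\]"
)


def parse(line, year):
    """Return (timestamp, sender, relay_ip), or None for any other line."""
    m = LOG_RE.match(line)
    if not m or not m["sender"]:      # no match, or null sender (a bounce)
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["sender"].lower(), m["ip"]


def find_bursts(lines, year, relay_ip=WEBMAIL_IP, limit=LIMIT, window=WINDOW):
    """Map each sender that exceeds `limit` messages within `window` to the
    (time, count) at which the limit was first exceeded."""
    events = sorted(e for e in (parse(l, year) for l in lines)
                    if e and e[2] == relay_ip)
    recent = defaultdict(deque)       # sender -> timestamps still in window
    alerts = {}
    for ts, sender, _ in events:
        q = recent[sender]
        q.append(ts)
        while ts - q[0] > window:     # drop entries older than the window
            q.popleft()
        if len(q) > limit and sender not in alerts:
            alerts[sender] = (ts, len(q))
    return alerts


def access_entry(sender):
    """Access-map style line modelled on the entry suggested in the thread;
    check the exact syntax against your own sendmail before using it."""
    return f"From:{sender}\tERROR:450 hold that spam"


def sample_lines():
    """Constructed log lines for the demonstration, not taken from the thread."""
    tail = "size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay="
    start = datetime(2007, 4, 12, 4, 0, 0)
    webmail = f"webmail.example.edu [{WEBMAIL_IP}]"

    def line(ts, n, sender, relay):
        return (f"{ts:%b %d %H:%M:%S} mail sendmail[{2000 + n}]: "
                f"l3C8TEST{n:06d}: from=<{sender}>, {tail}{relay}")

    lines = []
    # Compromised account: 15 messages, one every 20 seconds, via webmail.
    lines += [line(start + timedelta(seconds=20 * i), i, "jdoe@example.edu",
                   webmail) for i in range(15)]
    # Ordinary user: 3 messages over an hour, via webmail.
    lines += [line(start + timedelta(minutes=30 * i), 100 + i,
                   "asmith@example.edu", webmail) for i in range(3)]
    # Busy list server on another relay: ignored by the relay filter.
    lines += [line(start + timedelta(seconds=5 * i), 200 + i,
                   "lists@example.edu", "lists.example.edu [192.0.2.25]")
              for i in range(20)]
    # Bounce with a null sender through webmail: skipped by parse().
    lines.append(line(start, 300, "", webmail))
    return lines


if __name__ == "__main__":
    for sender, (when, count) in find_bursts(sample_lines(), 2007).items():
        print(f"ALERT {sender}: {count} messages within {WINDOW} at {when}")
        print(access_entry(sender))
```

Filtering on the relay address first keeps high-volume but legitimate relays out of the count, and keying on the sender works here only because, as Jay notes, webmail users are forced to use their own address.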
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Fri Apr 13 05:34:41 2007 Subject: Mailscanner Conf In-Reply-To: Message-ID: <002601c77d85$2e8307d0$5e01a8c0@seamoose> Hi guys, been lurking for the last while, and now I have a question. We are running MailScanner with Postfix and all the jazz quite successfully for over a year now. After a while I have noticed that some very spammy messages are getting through with quite low spam scores. Intrigued, I placed some of these messages where I could get to them, and ran (as root) spamassassin -t < messagefile, and I get a good score (well over the threshold). So then I sudo'd the spamassassin command as the postfix user, and I got the low score - bingo. However, I am not sure which config is user dependent, and where to shift it to such that it gets used by spamassassin when run by the postfix user. It's probably a pretty simple solution, but I just can't find it. Cheers Seamus. Seamus Allan Network Engineer Rheel Electronics Ltd From a.peacock at chime.ucl.ac.uk Fri Apr 13 08:40:01 2007 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Apr 13 08:40:37 2007 Subject: Mailscanner Conf In-Reply-To: <002601c77d85$2e8307d0$5e01a8c0@seamoose> References: <002601c77d85$2e8307d0$5e01a8c0@seamoose> Message-ID: <461F33D1.3060104@chime.ucl.ac.uk> Hi, Seamus Allan wrote: > Hi guys, been lurking for the last while, and now I have a question. > We are running MailScanner with Postfix and all the jazz quite successfully > for over a year now. After a while I have noticed that some very spammy > messages are getting through with quite low spam scores. Intrigued, I placed > some of these messages where I could get to them, and ran (as root) > spamassassin -t < messagefile, and I get a good score (well over the > threshold). So then I sudo'd the spamassassin command as the postfix user, > and I got the low score - bingo. > However, I am not sure which config is user dependent, and where to shift it > to such that it gets used by spamassassin when run by the postfix user. > > It's probably a pretty simple solution, but I just can't find it. Can you supply us with the list of SpamAssassin rules that are hit for each user? My initial guess is that you have been training the Bayes database as root, which creates a database that only root uses. But without seeing the scores that is purely a guess. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From list-mailscanner at linguaphone.com Fri Apr 13 08:53:27 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Fri Apr 13 08:53:36 2007 Subject: Mailscanner Conf In-Reply-To: <461F33D1.3060104@chime.ucl.ac.uk> References: <002601c77d85$2e8307d0$5e01a8c0@seamoose> <461F33D1.3060104@chime.ucl.ac.uk> Message-ID: <1176450807.4176.3.camel@gblades-suse.linguaphone-intranet.co.uk> On Fri, 2007-04-13 at 08:40, Anthony Peacock wrote: > Hi, > > Seamus Allan wrote: > > Hi guys, been lurking for the last while, and now I have a question. > > We are running MailScanner with Postfix and all the jazz quite successfully > > for over a year now. After a while I have noticed that some very spammy > > messages are getting through with quite low spam scores. Intrigued, I placed > > some of these messages where I could get to them, and ran (as root) > > spamassassin -t < messagefile, and I get a good score (well over the > > threshold). So then I sudo'd the spamassassin command as the postfix user, > > and I got the low score - bingo. > > However, I am not sure which config is user dependent, and where to shift it > > to such that it gets used by spamassassin when run by the postfix user. > > > > It's probably a pretty simple solution, but I just can't find it. > > Can you supply us with the list of SpamAssassin rules that are hit for > each user? > > My initial guess is that you have been training the Bayes database as > root, which creates a database that only root uses. But without seeing > the scores that is purely a guess. Or another possibility is that the config points to a specific bayes database but the permissions are set so that only root can read it. When Mailscanner runs spamassassin as postfix it cannot read the database. Personally I use a mysql database as the backend for the bayes database. I run mailwatch as well so need a database for it and moving bayes over to use a database is very little extra work and had the benefit that it makes it easier to add additional mailscanner boxes in the future. 
From martinh at solidstatelogic.com Fri Apr 13 09:00:22 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Apr 13 09:00:37 2007 Subject: ArchiveNonSpam In-Reply-To: Message-ID: <71d795fdd3f5054fa19063a6b8f2de3a@solidstatelogic.com> Vlad I "think" you put this as the option for the Archive setting in MailScanner.conf.. Archive Mail = &ArchiveNonSpam -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Vlad Mazek > Sent: 13 April 2007 02:52 > To: mailscanner@lists.mailscanner.info > Subject: ArchiveNonSpam > > Last year Julian posted a sample function to help archive non-spam instead > of everything. > http://lists.mailscanner.info/pipermail/mailscanner/2006-March/059280.html > > Any ideas on how this is implemented, in CustomFunctions and in > MailScanner.conf; Any help would be really appreciated. > > -- > -Vlad ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From martinh at solidstatelogic.com Fri Apr 13 09:01:18 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Apr 13 09:01:44 2007 Subject: Mailscanner Conf In-Reply-To: <002601c77d85$2e8307d0$5e01a8c0@seamoose> Message-ID: <246fa6da500a114bb7ffa3778266c693@solidstatelogic.com> Seamus What happens if you run the spamassassin -t < messagefile as the postfix user????? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Seamus Allan > Sent: 13 April 2007 05:36 > To: MailScanner discussion > Subject: Mailscanner Conf > > Hi guys, been lurking for the last while, and now I have a question. > We are running MailScanner with Postfix and all the jazz quite > successfully > for over a year now. After a while I have noticed that some very spammy > messages are getting through with quite low spam scores. Intrigued, I > placed > some of these messages where I could get to them, and ran (as root) > spamassassin -t < messagefile, and I get a good score (well over the > threshold). So then I sudo'd the spamassassin command as the postfix user, > and I got the low score - bingo. > However, I am not sure which config is user dependent, and where to shift > it > to such that it gets used by spamassassin when run by the postfix user. > > It's probably a pretty simple solution, but I just can't find it. > > Cheers > > Seamus. > > Seamus Allan > Network Engineer > Rheel Electronics Ltd From a.peacock at chime.ucl.ac.uk Fri Apr 13 09:07:33 2007 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Apr 13 09:07:55 2007 Subject: Mailscanner Conf In-Reply-To: <1176450807.4176.3.camel@gblades-suse.linguaphone-intranet.co.uk> References: <002601c77d85$2e8307d0$5e01a8c0@seamoose> <461F33D1.3060104@chime.ucl.ac.uk> <1176450807.4176.3.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <461F3A45.2020509@chime.ucl.ac.uk> Gareth wrote: > On Fri, 2007-04-13 at 08:40, Anthony Peacock wrote: >> Hi, >> >> Seamus Allan wrote: >>> Hi guys, been lurking for the last while, and now I have a question. >>> We are running MailScanner with Postfix and all the jazz quite successfully >>> for over a year now. After a while I have noticed that some very spammy >>> messages are getting through with quite low spam scores. Intrigued, I placed >>> some of these messages where I could get to them, and ran (as root) >>> spamassassin -t < messagefile, and I get a good score (well over the >>> threshold). So then I sudo'd the spamassassin command as the postfix user, >>> and I got the low score - bingo. >>> However, I am not sure which config is user dependent, and where to shift it >>> to such that it gets used by spamassassin when run by the postfix user. >>> >>> It's probably a pretty simple solution, but I just can't find it. >> Can you supply us with the list of SpamAssassin rules that are hit for >> each user? >> >> My initial guess is that you have been training the Bayes database as >> root, which creates a database that only root uses. But without seeing >> the scores that is purely a guess. > > Or another possibility is that the config points to a specific bayes > database but the permissions are set so that only root can read it. When > Mailscanner runs spamassassin as postfix it cannot read the database. > > Personally I use a mysql database as the backend for the bayes database. 
> I run mailwatch as well so need a database for it and moving bayes over > to use a database is very little extra work and had the benefit that it > makes it easier to add additional mailscanner boxes in the future. So do I. It makes life a lot easier in the long run. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From holger at noefer.org Fri Apr 13 09:44:45 2007 From: holger at noefer.org (Holger Nöfer) Date: Fri Apr 13 09:44:49 2007 Subject: New ClamAV version Message-ID: <20070413104445.hwilh1vxm35qsoss@www.noefer.org> Hi, a new ClamAV version is released, 0.90.2 http://lurker.clamav.net/message/20070413.012951.1d50edff.en.html Best regards, Holger From list-mailscanner at linguaphone.com Fri Apr 13 11:05:39 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Fri Apr 13 11:05:47 2007 Subject: New ClamAV version In-Reply-To: <20070413104445.hwilh1vxm35qsoss@www.noefer.org> References: <20070413104445.hwilh1vxm35qsoss@www.noefer.org> Message-ID: <1176458739.4180.14.camel@gblades-suse.linguaphone-intranet.co.uk> On Fri, 2007-04-13 at 09:44, Holger Nöfer wrote: > Hi, > > a new ClamAV version is released, 0.90.2 > > http://lurker.clamav.net/message/20070413.012951.1d50edff.en.html > > Best regards, > Holger I have just upgraded from 0.90.1 and now clamavmodule also identifies phishing attacks as viruses. I am not sure if I like this idea. On one hand it is better to block them and not rely on the backend mailserver (also running clamav) to identify and block them there but on the other hand I would like the reports when they mention the number of viruses to actually be the number of viruses and not phishing emails as well. From uxbod at splatnix.net Fri Apr 13 11:21:28 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Apr 13 11:21:38 2007 Subject: New ClamAV version In-Reply-To: <1176458739.4180.14.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1176458739.4180.14.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: I agree. It would be nice if it at least said Phishing instead of Virus. On Fri, 13 Apr 2007 11:05:39 +0100, Gareth wrote: > On Fri, 2007-04-13 at 09:44, Holger Nöfer wrote: >> Hi, >> >> a new ClamAV version is released, 0.90.2 >> >> http://lurker.clamav.net/message/20070413.012951.1d50edff.en.html >> >> Best regards, >> Holger > > I have just upgraded from 0.90.1 and now clamavmodule also identifies > phishing attacks as viruses. > I am not sure if I like this idea. On one hand it is better to block > them and not rely on the backend mailserver (also running clamav) to > identify and block them there but on the other hand I would like the > reports when they mention the number of viruses to actually be the > number of viruses and not phishing emails as well. -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net From daniel at danielf.ch Fri Apr 13 11:38:05 2007
From: daniel at danielf.ch (Daniel Fuhrer) Date: Fri Apr 13 11:38:11 2007 Subject: MCP rules Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446BA@idefix.danielf.local> Hi all How can I create the following mcp rule. * Subject starts with: RE: SPAM: * The IP Address from the sending server is xxx.xxx.xxx.xxx * The sender email address starts with support@ Thanks for your help in advance Cheers Daniel From micoots at yahoo.com Fri Apr 13 12:28:48 2007
From: micoots at yahoo.com (Michael Mansour) Date: Fri Apr 13 12:28:51 2007 Subject: Feature Request In-Reply-To: <461F05E1.9050306@pacific.net> Message-ID: <90360.78173.qm@web33309.mail.mud.yahoo.com> Hi, Ken Anderson wrote: Jay Chandler wrote: > Hugo van der Kooij wrote: >> You need to block SMTP from anyone but acknowledged and well >> controlled servers in your network. > Ya think? :-) > > This has been done. Note that the way this particular instance took > place was a user had a weak or leaked password, so the spammer came in > through our webmail gateway. Flow control won't work on that machine, > as it services hundreds of users. Neither will IP based restrictions. > The only thing I can think of that would have caught this would have > been measuring the volume-- they're forced to use their own email > address, so after the first dozen messages, I'd have loved for something > to have said "Wait a damned second here..." This is exactly what you can do with sendmail (if you're using it). Look here: http://www.technoids.org/dossed.html for how you can rate throttle and protect your SMTP from attacks from spammers. Michael. tail the log, watch the "relay=" and instead of the IP, capture the "from=" if a message "is spam" from your webmail box and put that into either an access "From:baduser@here.net Error 450 hold that spam" entry, or a MailScanner rule that quarantines mail from that user and then reloads MailScanner. ossec (ossec.net) has 'active response' and might help with automating this if you want something more robust and faster than a cron job running a shell script. It's quite good, and its response is within seconds, not minutes, but does need some tweaking for your needs. Ken Anderson Pacific.Net
From daniel.maher at ubisoft.com Fri Apr 13 13:43:28 2007 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Fri Apr 13 13:43:31 2007 Subject: Time Spent on Spam In-Reply-To: <461EE27B.3010005@enitech.com.au> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204B9541C@UBIMAIL1.ubisoft.org> > -----Original Message----- > > So, I was wondering if anyone could offer some thoughts on what sort of > time they spend combating mail/virus/phishing etc I generally spend about 10 of my 40 hours per week on border-mail related issues (i.e. the mailscanner stack, responding to new types of spam, adjusting for false positives, etc..). YMMV. :) -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007. From mgt at stellarcore.net Fri Apr 13 14:50:31 2007
From: mgt at stellarcore.net (Mike Tremaine) Date: Fri Apr 13 14:50:52 2007 Subject: Continuing saga of ClamAV module In-Reply-To: <200704130755.l3D7stHI024326@safir.blacknight.ie> References: <200704130755.l3D7stHI024326@safir.blacknight.ie> Message-ID: <461F8AA7.2090008@stellarcore.net> > With the recurring clamavmodule problems of late, has anybody started just > using clamav direct rather than the module? > Is there a huge speed increase to be gained in using the module, or a big > saving on resources? > > Edward > > Yes my solution to the last problem was to switch to clamav only because it was the fix that worked before I really understood the problem. But clamav is using command line clamscan which is much slower than clamavmodule. The problem is every time you call [fork] a new clamscan it has to load the virus database which is over 100,000 records. One possible solution that it might be time to revisit is making a new wrapper for clamdscan and starting the clamd daemon. I know this has been mentioned before but I forgot what the issue was with it. I know that Mail::ClamAV aka clamavmodule was a nicely integrated solution for MailScanner but as you mentioned we keep seeing it as the weakest link. If clamdscan + clamd allows more stability during upgrades [both of the sig database and the engine] then maybe it is time to switch. [I know it would be pretty easy to copy the clamav.wrapper and change to use clamdscan, I might test this out soon.] -Mike From ka at pacific.net Fri Apr 13 16:35:42 2007
From: ka at pacific.net (Ken Anderson) Date: Fri Apr 13 16:35:59 2007 Subject: Feature Request In-Reply-To: <90360.78173.qm@web33309.mail.mud.yahoo.com> References: <90360.78173.qm@web33309.mail.mud.yahoo.com> Message-ID: <461FA34E.5080101@pacific.net> Michael Mansour wrote: > Hi, > > Ken Anderson wrote: Jay Chandler wrote: >> Hugo van der Kooij wrote: >>> You need to block SMTP from anyone but acknowledged and well >>> controlled servers in your network. >> Ya think? :-) >> >> This has been done. Note that the way this particular instance took >> place was a user had a weak or leaked password, so the spammer came in >> through our webmail gateway. Flow control won't work on that machine, >> as it services hundreds of users. Neither will IP based restrictions. >> The only thing I can think of that would have caught this would have >> been measuring the volume-- they're forced to use their own email >> address, so after the first dozen messages, I'd have loved for something >> to have said "Wait a damned second here..." > This is exactly what you can do with sendmail (if you're using it). > > Look here: > > http://www.technoids.org/dossed.html > > for how you can rate throttle and protect your SMTP from attacks from spammers. That's a good link to block incoming spam by IP, but sendmail's built in automatic protection doesn't look at the "envelope from" address, which is what's needed here. Of course spammers usually fake the from address, so what works for incoming spam, wouldn't work here. Ken Anderson Pacific.Net > > Michael. From alex at nkpanama.com Fri Apr 13 17:35:55 2007
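The per-sender volume check discussed in this thread (count mail per envelope "from=" for messages that arrived through the webmail host), as an added example that is not from any poster or from MailScanner. The host names, addresses, threshold and log lines are constructed, and the stock sendmail "from=" record layout is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sendmail "from=" record; only the fields used below are captured.
FROM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s\S+\ssendmail\[\d+\]:\s\w+:\s"
    r"from=<?(?P<sender>[^>,\s]*)>?,\s.*?\bnrcpts=(?P<nrcpts>\d+),\s.*?"
    r"\brelay=(?P<relay>.*)$"
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def find_bulk_senders(lines, webmail_ip, max_rcpts=12,
                      window=timedelta(minutes=10), year=2007):
    """Return {sender: (time_flagged, recipients_in_window)} for envelope
    senders whose mail relayed by webmail_ip exceeds max_rcpts recipients
    inside a sliding window. syslog stamps carry no year, so it is passed in."""
    recent = defaultdict(deque)          # sender -> deque of (time, nrcpts)
    flagged = {}
    for line in lines:
        m = FROM_RE.match(line)
        if not m:
            continue                     # not a "from=" record
        ip = IP_RE.search(m["relay"])
        sender = m["sender"].lower()
        # Ignore other relays and the null sender "<>" used by bounces.
        if not ip or ip.group(1) != webmail_ip or not sender:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[sender]
        q.append((when, int(m["nrcpts"])))
        while q and when - q[0][0] > window:
            q.popleft()                  # drop records older than the window
        total = sum(n for _, n in q)
        if total > max_rcpts and sender not in flagged:
            flagged[sender] = (when, total)
    return flagged


# ---- constructed sample data (not taken from the thread) ----
WEBMAIL = "webmail.example.net [192.0.2.10]"


def _line(ts, n, sender, relay):
    return (f"{ts} mx1 sendmail[{n}]: l3DA00{n}: from=<{sender}>, size=1200, "
            f"class=0, nrcpts=1, msgid=<{n}@constructed.example>, proto=ESMTP, "
            f"daemon=MTA, relay={relay}")


_T0 = datetime(2007, 4, 13, 10, 1, 0)
SAMPLE_LOG = (
    # a normal webmail user and an inbound bounce
    [_line("Apr 13 10:00:05", 2101, "alice@example.net", WEBMAIL),
     _line("Apr 13 10:00:40", 2102, "", "mx.example.org [198.51.100.7]")]
    # one webmail account sending 15 messages, 20 seconds apart
    + [_line(f"{_T0 + timedelta(seconds=20 * i):%b %d %H:%M:%S}", 2200 + i,
             "bob@example.net", WEBMAIL) for i in range(15)]
    # a busy list server on a different relay: high volume, but out of scope
    + [_line(f"Apr 13 10:02:{i:02d}", 2300 + i, "list@example.org",
             "lists.example.org [203.0.113.5]") for i in range(20)]
)

if __name__ == "__main__":
    for sender, (when, total) in find_bulk_senders(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{when:%b %d %H:%M:%S} {sender}: {total} recipients in window")
```

The flagged addresses are what would go into the access entry or MailScanner rule described in the thread; the threshold and window need tuning against normal webmail traffic.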
From: alex at nkpanama.com (Alex Neuman) Date: Fri Apr 13 17:36:37 2007 Subject: Bouncing to spoofed domain name In-Reply-To: References: Message-ID: <0C9FE473-94A1-4DE8-96E4-3B3F6B5445B7@nkpanama.com> On Apr 12, 2007, at 6:06 PM, Res wrote: > Gareth, > Ignore the self appointed net-cop (this list has at least 2 of em), > there's only one person around here who has any right to ask you to > post in a way he doesn't like, his name is Julian :) no-one else's > opinion matters. I agree with you on that point; however, it helps if you cater to the tastes of those who may be able to help you. As someone else pointed out, replying to someone asking for help is easy, but if the message becomes difficult or inconvenient to reply to, someone who would otherwise be willing and able to help might not be so willing (or able) to help. Hope this helps... From gdoris at rogers.com Fri Apr 13 18:35:47 2007
From: gdoris at rogers.com (Gerry Doris) Date: Fri Apr 13 18:38:10 2007 Subject: Clam module broken after main.cvd update In-Reply-To: References: Message-ID: <50438.199.198.254.100.1176485747.squirrel@tiger.dorfam.ca> > Hi! > > We have seen several servers barfing due to a broken clamlib after a > update of freshclam. > > Tonight clamav released a new main.cvd, when this happened the update > files were placed inside subdirs, this is part of the new clamav update > scheme. > > Mailscanner however don't take this and will report: > > Apr 11 02:37:25 vmx120 MailScanner[1011]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:30 vmx120 MailScanner[1013]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:35 vmx120 MailScanner[1016]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:40 vmx120 MailScanner[1018]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:45 vmx120 MailScanner[1023]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:50 vmx120 MailScanner[1029]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:37:55 vmx120 MailScanner[1035]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:00 vmx120 MailScanner[1037]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:05 vmx120 MailScanner[1040]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > Apr 11 02:38:10 vmx120 MailScanner[1062]: None of the files matched by the > "Monitors For ClamAV Updates" patterns exist! > > This will give defuncts on all your MS processes. > > The behaviour is only with 0.9x so be aware you will for sure see your > incoming queue raise till you manually fix this.
> > On my system clam created dirs like: > > /usr/local/share/clamav/daily.inc > > I removed all inside /usr/local/share/clamav/ (all subdirs also) and did a > freshclam. Now the main.cvd remains in the main dir again and it's going > again. > > This is most likely a temp fix till someone fixes MS to detect this. ;) > > If you see the above behaviour, or wonder why your MS is defuncting all > of the sudden, you know what to do.... > > Bye, > Raymond. I've been waiting for the same behaviour but the clamav updates have been failing all week. Did your clamav autoupdate install the update or did you do it manually? From raymond at prolocation.net Fri Apr 13 19:57:57 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Fri Apr 13 19:57:55 2007 Subject: Clam module broken after main.cvd update In-Reply-To: <50438.199.198.254.100.1176485747.squirrel@tiger.dorfam.ca> References: <50438.199.198.254.100.1176485747.squirrel@tiger.dorfam.ca> Message-ID: Hi! >> Apr 11 02:38:00 vmx120 MailScanner[1037]: None of the files matched by the >> "Monitors For ClamAV Updates" patterns exist! >> Apr 11 02:38:05 vmx120 MailScanner[1040]: None of the files matched by the >> "Monitors For ClamAV Updates" patterns exist! >> Apr 11 02:38:10 vmx120 MailScanner[1062]: None of the files matched by the >> "Monitors For ClamAV Updates" patterns exist! >> >> This will give defuncts on all your MS processes. >> >> The behaviour is only with 0.9x so be aware you will for sure see your >> incoming queue raise till you manually fix this. >> >> On my system clam created dirs like: >> >> /usr/local/share/clamav/daily.inc >> >> I removed all inside /usr/local/share/clamav/ (all subdirs also) and did a >> freshclam. Now the main.cvd remains in the main dir again and it's going >> again. >> >> This is most likely a temp fix till someone fixes MS to detect this. ;) >> >> If you see the above behaviour, or wonder why your MS is defuncting all >> of the sudden, you know what to do.... > I've been waiting for the same behaviour but the clamav updates have been > failing all week. Did your clamav autoupdate install the update or did > you do it manually? You can wait a few MONTHS after the new main update will be released... This ain't happening with daily updates. It won't auto fix itself or something.... it's broken. Bye, Raymond. From derek at csolve.net Fri Apr 13 20:09:51 2007
From: derek at csolve.net (Derek Buttineau) Date: Fri Apr 13 20:10:42 2007 Subject: Clam module broken after main.cvd update In-Reply-To: References: <50438.199.198.254.100.1176485747.squirrel@tiger.dorfam.ca> Message-ID: <265B08E1-2A76-408F-A11F-DBB67C4C7AB7@csolve.net> On 2007-Apr-13, at 2:57 PM, Raymond Dijkxhoorn wrote: > > It won't auto fix itself or something.... it's broken. You can re-enable the .cvd download by editing freshclam.conf and setting ScriptedUpdates to no. Hopefully at some point the Clam Module / MailScanner will work better with ScriptedUpdates, but that quick fix with freshclam.conf works well in the interim :) -- Regards, Derek Buttineau Internet Systems Developer Compu-SOLVE Internet Services Compu-SOLVE Technologies, Inc Phone: 705-725-1212 x255 E-Mail: derek@csolve.net From raymond at prolocation.net Fri Apr 13 20:16:45 2007 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Fri Apr 13 20:16:42 2007 Subject: Clam module broken after main.cvd update In-Reply-To: <265B08E1-2A76-408F-A11F-DBB67C4C7AB7@csolve.net> References: <50438.199.198.254.100.1176485747.squirrel@tiger.dorfam.ca> <265B08E1-2A76-408F-A11F-DBB67C4C7AB7@csolve.net> Message-ID: Hi! >> It won't auto fix itself or something.... it's broken. > You can re-enable the .cvd download by editing freshclam.conf and setting > ScriptedUpdates to no. > > Hopefully at some point the Clam Module / MailScanner will work better with > ScriptedUpdates, but that quick fix with freshclam.conf works well in the > interim :) Do this if you want to miss updates. Disabling the scripted update will turn out you will be missing updates, in time. Bye, Raymond. From derek at csolve.net Fri Apr 13 20:30:28 2007
From: derek at csolve.net (Derek Buttineau) Date: Fri Apr 13 20:31:16 2007 Subject: Clam module broken after main.cvd update In-Reply-To: References: <50438.199.198.254.100.1176485747.squirrel@tiger.dorfam.ca> <265B08E1-2A76-408F-A11F-DBB67C4C7AB7@csolve.net> Message-ID: <8CC8BFE9-B50D-4235-9A98-790B32FEA46B@csolve.net> On 2007-Apr-13, at 3:16 PM, Raymond Dijkxhoorn wrote: > Do this if you want to miss updates. Disabling the scripted update > will turn out you will be missing updates, in time. Perhaps once they stop providing the cvds. Currently as far as I'm aware they're still maintaining and updating the cvd downloads especially for backwards compatibility for older versions. Setting ScriptedUpdates to no will force freshclam to download the cvds rather than updating daily.inc and main.inc. It's not the ideal setup as it's more expensive in terms of resources, but you should still get all your updates until the clamav module / mailscanner is updated. -- Regards, Derek Buttineau Internet Systems Developer Compu-SOLVE Internet Services Compu-SOLVE Technologies, Inc Phone: 705-725-1212 x255 E-Mail: derek@csolve.net From ugob at lubik.ca Fri Apr 13 20:48:49 2007 From: ugob at lubik.ca (Ugo Bellavance) Date: Fri Apr 13 21:09:26 2007 Subject: New ClamAV version In-Reply-To: <20070413104445.hwilh1vxm35qsoss@www.noefer.org> References: <20070413104445.hwilh1vxm35qsoss@www.noefer.org> Message-ID: Holger Nöfer wrote: > Hi, > > a new ClamAV version is released, 0.90.2 > > http://lurker.clamav.net/message/20070413.012951.1d50edff.en.html **Important note**: on April 16th CHM, CAB and PDF handlers will be disabled for 0.90 and 0.90.1 users through the dynamic engine configuration module (DCONF). Please upgrade to 0.90.2 immediately. From holger at noefer.org Fri Apr 13 21:16:47 2007
From: holger at noefer.org (Holger Nöfer) Date: Fri Apr 13 21:16:58 2007 Subject: New ClamAV version In-Reply-To: <1176458739.4180.14.camel@gblades-suse.linguaphone-intranet.co.uk> References: <20070413104445.hwilh1vxm35qsoss@www.noefer.org> <1176458739.4180.14.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <461FE52F.6060401@noefer.org> The ClamAV versions before 0.90 recognized phishing attacks. The versions 0.90 and 0.90.1 do not recognize them, but the new version 0.90.2 does. I think it is a nice feature and I do not want to miss it. Gareth wrote: > On Fri, 2007-04-13 at 09:44, Holger Nöfer wrote: >> Hi, >> >> a new ClamAV version is released, 0.90.2 >> >> http://lurker.clamav.net/message/20070413.012951.1d50edff.en.html >> >> Best regards, >> Holger > > I have just upgraded from 0.90.1 and now clamavmodule also identifies > phishing attacks as viruses. > I am not sure if I like this idea. On one hand it is better to block > them and not rely on the backend mailserver (also running clamav) to > identify and block them there but on the other hand I would like the > reports when they mention the number of viruses to actually be the > number of viruses and not phishing emails as well. > > From ssilva at sgvwater.com Fri Apr 13 22:19:15 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Apr 13 22:19:38 2007 Subject: Time Spent on Spam In-Reply-To: <461EE27B.3010005@enitech.com.au> References: <461EE27B.3010005@enitech.com.au> Message-ID: Peter Russell spake the following on 4/12/2007 6:52 PM: > We are reviewing our spam defences. A review in the sense of our > policies, should we store low scoring spam and send reports, or forward > to modded subjects and config outlook rules etc > > Part of this is documenting what we currently do and I am trying to work > out how much time I spend on mailscanner, responding to queries about > spam, explaining spam to people - with a view to addressing some of the > more problematic aspects with stuff like explanations on our intranet > about why people get spam, where it comes from, what we are doing and > some stats. Inc comparisons between the effort we make and the effort > other companies make. > > So, I was wondering if anyone could offer some thoughts on what sort of > time they spend combating mail/virus/phishing etc > > I mark and forward low-scoring as an attachment. That way it is somewhat disarmed in the preview window of the Microsoft clients. The subject is modded with {Spam Score x.x} and the users can decide if they want to risk it. If you also make sure the message ID is in the report, it makes it real easy to whitelist the chronic stuff in Mailwatch. I don't get any complaints, and I have some execs that are picky. They can open the attachment and have an unmolested message to print, read, or ??? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ugob at lubik.ca Sat Apr 14 05:22:09 2007
From: ugob at lubik.ca (Ugo Bellavance) Date: Sat Apr 14 05:22:34 2007 Subject: Archiving with MailScanner Message-ID: Hi, Is anyone using MailScanner's archiving feature? If not, is someone using Non-Spam Action = store deliver to achieve a similar result? Anyone using a third-party software to do archiving? Regards, Ugo From doc at maddoc.net Sat Apr 14 05:39:27 2007 From: doc at maddoc.net (Doc Schneider) Date: Sat Apr 14 05:39:32 2007 Subject: Archiving with MailScanner In-Reply-To: References: Message-ID: <46205AFF.7040400@maddoc.net> Ugo Bellavance wrote: > Hi, > > Is anyone using MailScanner's archiving feature? If not, is someone > using Non-Spam Action = store deliver to achieve a similar result? > Anyone using a third-party software to do archiving? > > Regards, > > Ugo > Hi Ugo, I archive all incoming mail to my MailScanner and use the Non-Spam Action = store deliver functions. Was at one time thinking of doing something with it but never got a round tuit. 8*)) -- -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From steve.swaney at fsl.com Sat Apr 14 13:47:01 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Sat Apr 14 13:47:20 2007 Subject: Archiving with MailScanner In-Reply-To: References: Message-ID: <041201c77e92$ff4ed570$fdec8050$@swaney@fsl.com> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance > Sent: Saturday, April 14, 2007 12:22 AM > To: mailscanner@lists.mailscanner.info > Subject: Archiving with MailScanner > > Hi, > > Is anyone using MailScanner's archiving feature? If not, is > someone > using Non-Spam Action = store deliver to achieve a similar result? > Anyone using a third-party software to do archiving? > > Regards, > > Ugo > Not MailScanner but open source: http://www.mailarchiva.com/ I've tested mailarchiva and it appears to work. It indexes messages and can be used with removable drives and very large storage devices. A short review of the product can be found at: http://www.linuxsecurity.com/content/view/121268 Best regards, Steve Steve Swaney steve@fsl.com From vanhorn at whidbey.com Sun Apr 15 00:04:23 2007 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Sun Apr 15 00:04:47 2007 Subject: Consistent errors in log In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446BA@idefix.danielf.local> References: <96EF3FB3C374A64187CCB0D0DA716F2446BA@idefix.danielf.local> Message-ID: <46215DF7.8030501@whidbey.com> Greetings: I'm getting constant entries like this in maillog.
Apr 14 17:58:33 vanguard sendmail[6944]: l3EMwNgX006935: SYSERR(root): header syntax error, line "X-Domain Van Horn-MailScanner-Information: Please contact the ISP for more information"
Apr 14 17:58:33 vanguard sendmail[6944]: l3EMwNgX006935: SYSERR(root): header syntax error, line "X-Domain Van Horn-MailScanner at vanguard: Found to be clean"
Apr 14 17:58:33 vanguard sendmail[6944]: l3EMwNgX006935: SYSERR(root): header syntax error, line "X-Domain Van Horn-MailScanner-From: srs0+7dv/+27+bar.baen.com=honorverse.listmanager@webwrights.com"
I'm not sure if I get it from every message, but certainly from a lot of them. It's always the same set of three lines. It doesn't seem to interfere with the flow of mail, but I'd rather not have to wade through them and if it means I've configured something wrong I'd prefer to fix it. But what is it? Van -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ----------------------------------------------------------- From matt at coders.co.uk Sun Apr 15 00:37:34 2007
From: matt at coders.co.uk (Matt Hampton) Date: Sun Apr 15 00:38:00 2007 Subject: Consistent errors in log In-Reply-To: <46215DF7.8030501@whidbey.com> References: <96EF3FB3C374A64187CCB0D0DA716F2446BA@idefix.danielf.local> <46215DF7.8030501@whidbey.com> Message-ID: <462165BE.20804@coders.co.uk> G. Armour Van Horn wrote: > Apr 14 17:58:33 vanguard sendmail[6944]: l3EMwNgX006935: SYSERR(root): > header syntax error, line "X-Domain Van Horn-MailScanner-Information: > Please contact the ISP for more information" Header names cannot have spaces in them: X-Domain-Van-Horn-MailScanner-Information: Would be fine.... matt From vanhorn at whidbey.com Sun Apr 15 01:23:57 2007 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Sun Apr 15 01:24:20 2007 Subject: Long gaps? In-Reply-To: <46215DF7.8030501@whidbey.com> References: <96EF3FB3C374A64187CCB0D0DA716F2446BA@idefix.danielf.local> <46215DF7.8030501@whidbey.com> Message-ID: <4621709D.3080208@whidbey.com> Greetings: A file attachment was blocked recently with the following report: Report: MailScanner: A long gap in a name is often used to hide part of it (Amanda Dukehar.pdf) That seems odd, I wouldn't normally regard one space as a "long gap". I checked in filename.rules.conf and found this rule: # Deny filenames with lots of contiguous white space in them. deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part $ I'm regex-illiterate, but that suggests to me that the intent is to block anything with a run of ten spaces in it. Lots of folks use spaces in filenames, and I really don't like the idea of needing to fish all of them out of quarantine manually. Is there something wrong with that rule, or do I have to just abandon that test? Van -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ----------------------------------------------------------- From vanhorn at whidbey.com Sun Apr 15 01:26:45 2007 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Sun Apr 15 01:27:08 2007 Subject: Consistent errors in log In-Reply-To: <462165BE.20804@coders.co.uk> References: <96EF3FB3C374A64187CCB0D0DA716F2446BA@idefix.danielf.local> <46215DF7.8030501@whidbey.com> <462165BE.20804@coders.co.uk> Message-ID: <46217145.1040804@whidbey.com> That's easy enough! And when I opened MailScanner.conf and found the entry, it had a big flag on the line above to not include any spaces. The kind of dumb error I'm prone to when I'm doing something for the umpteenth time, I no longer am reading the comments. I thank you, and my logfiles thank you! Van Matt Hampton wrote: > G. Armour Van Horn wrote: > >> Apr 14 17:58:33 vanguard sendmail[6944]: l3EMwNgX006935: >> SYSERR(root): header syntax error, line "X-Domain Van >> Horn-MailScanner-Information: Please contact the ISP for more >> information" > > > Header names cannot have spaces in them: > > X-Domain-Van-Horn-MailScanner-Information: > > Would be fine.... > > matt -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For photography, web design, hosting, and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ----------------------------------------------------------- From james at gray.net.au Sun Apr 15 03:15:01 2007 
From: james at gray.net.au (James Gray) Date: Sun Apr 15 03:15:03 2007 Subject: MCP rules In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446BA@idefix.danielf.local> References: <96EF3FB3C374A64187CCB0D0DA716F2446BA@idefix.danielf.local> Message-ID: On 13/04/2007, at 8:38 PM, Daniel Fuhrer wrote: > How can I create the following mcp rule. > > * Subject starts with: RE: SPAM: > > * The IP Address from the sending server is xxx.xxx.xxx.xxx > > * The sender email address starts with support@ > > Thanks for your help in advance How about something like this:

# Subject starts with "RE: SPAM:" (case-insensitive)
header __MCP_SPAM_SUBJ Subject =~ /^re\:\s+spam\:/i
# Matches the IP in any Received: header, including ones added by upstream hosts
header __MCP_SRCIP_1 Received =~ /xxx\.xxx\.xxx\.xxx/
# :addr tests the address only, so a display name does not defeat the ^ anchor
header __MCP_FROM_SUPPORT From:addr =~ /^support\@/i
meta MCP_MY_RULE __MCP_SPAM_SUBJ && __MCP_SRCIP_1 && __MCP_FROM_SUPPORT
describe MCP_MY_RULE Something descriptive about this rule
score MCP_MY_RULE 1.234

This rule is totally untested and I make no guarantees if it will work as you want...but it's a start :) Have fun. James From list-mailscanner at linguaphone.com Sun Apr 15 09:32:11 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Sun Apr 15 09:32:28 2007 Subject: Long gaps? In-Reply-To: <4621709D.3080208@whidbey.com> Message-ID: > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of G. > Armour Van Horn > Sent: 15 April 2007 01:24 > To: MailScanner discussion > Subject: Long gaps? > > > Greetings: > > A file attachment was blocked recently with the following report: > > Report: MailScanner: A long gap in a name is often used to hide part of > it (Amanda Dukehar.pdf) > > That seems odd, I wouldn't normally regard one space as a "long gap". I > checked in filename.rules.conf and found this rule: > > # Deny filenames with lots of contiguous white space in them. > deny \s{10,} Filename contains lots of white > space A long gap in a name is > often used to hide part $ > > I'm regex-illiterate, but that suggests to me that the intent is to > block anything with a run of ten spaces in it. > > Lots of folks use spaces in filenames, and I really don't like the idea > of needing to fish all of them out of quarantine manually. Is there > something wrong with that rule, or do I have to just abandon that test? > > Van \s{10,} matches a sequence of at least 10 spaces one directly after the other. From matt at coders.co.uk Sun Apr 15 09:51:15 2007 From: matt at coders.co.uk (Matt Hampton) Date: Sun Apr 15 09:51:35 2007 Subject: Long gaps? In-Reply-To: References: Message-ID: <4621E783.3060401@coders.co.uk> Gareth wrote: >> Report: MailScanner: A long gap in a name is often used to hide part of >> it (Amanda Dukehar.pdf) >> >> That seems odd, I wouldn't normally regard one space as a "long gap". I >> checked in filename.rules.conf and found this rule: The file name in the reports is the "safe" filename which will have had the additional spaces removed. This is to protect the filesystem when the files are expanded. matt From prandal at herefordshire.gov.uk Sun Apr 15 10:49:09 2007 
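The "long gap" rule and the report text from this thread, as an added example that is not MailScanner code and not from any poster: it evaluates filename rules first-match-wins and shows why a blocked name can appear in a report with only one space. The TAB-separated rule layout, the `allow` line, the whitespace-collapsing stand-in for the "safe" filename and all file names are assumptions constructed for illustration.

```python
import re

# Constructed rules in filename.rules.conf layout (assumed): action, regex,
# log text and user report, separated by TABs. The deny rule and its report
# text are the ones quoted in the thread; the allow rule is made up.
RULES_TEXT = (
    "# Deny filenames with lots of contiguous white space in them.\n"
    "deny\t\\s{10,}\tFilename contains lots of white space\t"
    "A long gap in a name is often used to hide part of it\n"
    "allow\t\\.pdf$\t-\t-\n"
)
GAP = re.compile(r"\s{10,}")     # same pattern as the deny rule


def load_rules(text):
    """Parse rule lines into (action, compiled regex, log text, report)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, pattern, log_text, report = re.split(r"\t+", line, maxsplit=3)
        rules.append((action.lower(), re.compile(pattern), log_text, report))
    return rules


def check_filename(name, rules):
    """First matching rule decides; no match means allow."""
    for action, rx, _log, report in rules:
        if rx.search(name):
            return action, (report if action == "deny" else None)
    return "allow", None


def triage(name, rules):
    """What an admin reviewing quarantine wants to know about one attachment:
    the verdict, how the name would look once whitespace runs are collapsed
    (a stand-in for the 'safe' name shown in reports), and what the gap hid."""
    action, report = check_filename(name, rules)
    gap = GAP.search(name)
    return {
        "action": action,
        "report": report,
        "shown_as": re.sub(r"\s+", " ", name),
        "gap_length": len(gap.group()) if gap else 0,
        "after_gap": name[gap.end():] if gap else "",
    }


# Constructed attachment names.
SAMPLES = [
    "Amanda Dukehar.pdf",                    # one space: passes
    "Amanda" + " " * 12 + "Dukehar.pdf",     # 12 spaces: denied
    "invoice.pdf" + " " * 40 + ".exe",       # real extension pushed out of view
    "notes" + " " * 9 + "v2.pdf",            # 9 spaces: below the threshold
]

if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    for name in SAMPLES:
        print(repr(name), triage(name, rules))
```

A denied name whose collapsed form looks harmless, as in the second sample, is the situation described in the thread: the rule fired on the raw name, and the report shows the cleaned one.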
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sun Apr 15 10:49:14 2007 Subject: Clam module broken after main.cvd update In-Reply-To: <265B08E1-2A76-408F-A11F-DBB67C4C7AB7@csolve.net> References: <50438.199.198.254.100.1176485747.squirrel@tiger.dorfam.ca> <265B08E1-2A76-408F-A11F-DBB67C4C7AB7@csolve.net> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CECC@HC-MBX02.herefordshire.gov.uk> Check the archives. The solution has been posted several times. The only thing which needs to be fixed is your MailScanner.conf file. Phil -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Derek Buttineau Sent: 13 April 2007 20:10 To: MailScanner discussion Subject: Re: Clam module broken after main.cvd update On 2007-Apr-13, at 2:57 PM, Raymond Dijkxhoorn wrote: > > It wont auto fix itself or something.... its broken. You can re-enable the .cvd download by editing freshclam.conf and setting ScriptedUpdates to no. Hopefully at some point the Clam Module / MailScanner will work better with ScriptedUpdates, but that quick fix with freshclam.conf works well in the interim :) -- Regards, Derek Buttineau Internet Systems Developer Compu-SOLVE Internet Services Compu-SOLVE Technologies, Inc Phone: 705-725-1212 x255 E-Mail: derek@csolve.net From mgt at stellarcore.net Sun Apr 15 15:37:33 2007
From: mgt at stellarcore.net (Mike Tremaine)
Date: Sun Apr 15 15:37:51 2007
Subject: Clamd as scan option [patches included]
Message-ID: <462238AD.6000509@stellarcore.net>

Overview:

So I started thinking about what it would take to get clamdscan working
with MailScanner. The results are included below. First and foremost you
must have clamd running, if you run as root then you don't have to worry
about any permission problems. If you run clamd as "clamav" then you
need to set

###### IF YOU ARE RUNNING MAILSCANNER AS ROOT ######
# You need to set the following in MailScanner.conf so that external
# unpackers can be used...
# Incoming Work Group = clamav
# Incoming Work Permissions = 0640

So that clamd can scan in the directories. Otherwise here goes.

Steps:

1) Install clamd-wrapper in your MailScanner/lib/ directory
2) Patch MailScanner/lib/MailScanner/SweepViruses.pm
3) In MailScanner.conf set
   Virus Scanners = clamd
4) In virus.scanners.conf set [This is on a Solaris 10 host so do the
   right thing with your OWN PATH Options!]
   clamd /opt/MailScanner/lib/clamd-wrapper /usr/local

Notes:

Internally this approach uses most of the clamav [aka clamscan] options,
if it turns out there are major differences then a new parse function
can easily be added to SweepViruses.pm, otherwise my biggest concern
would be what happens if clamd dies, perhaps the clamd-wrapper can have
some processes/error checking that can restart clamd. I only tested this
out on a development box but it did scan txt zip and tar.gz as
attachments with no problem.

The speed difference is pretty good here is an example on my spoolfile
[1.77MB]

[root@neutron ~]# clamscan /var/mail/mgt
/var/mail/mgt: OK

----------- SCAN SUMMARY -----------
Known viruses: 108394
Engine version: 0.90.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.77 MB
Time: 25.755 sec (0 m 25 s)

[root@neutron ~]# clamdscan /var/mail/mgt
/var/mail/mgt: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 10.260 sec (0 m 10 s)

-Mike

-------------- next part --------------
#!/bin/sh

# clamd-wrapper -- invoke ClamAV for use with mailscanner
#
# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2001 Julian Field
#
# $Id: clamd-wrapper 3184 2005-09-28 11:13:40Z jkf $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules@JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#
#
###### IF YOU ARE RUNNING MAILSCANNER AS ROOT ######
# You need to set the following in MailScanner.conf so that external
# unpackers can be used...
# Incoming Work Group = clamav
# Incoming Work Permissions = 0640

#ClamUser="clamav"
#ClamGroup="clamav"

ScanOptions=""

# First argument is the install prefix from virus.scanners.conf
ClamdScan="$1/bin/clamdscan"
shift
if [ ! -x "$ClamdScan" ]; then
  # Fall back to the system-wide binary
  ClamdScan=/usr/bin/clamdscan
fi

# MailScanner probes each wrapper with -IsItInstalled
if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x "$ClamdScan" ] && exit 0
  exit 1
fi

# Add this for Solaris users so they can find whoami
PATH=$PATH:/usr/ucb
export PATH

# ScanOptions is left unquoted on purpose so it splits into separate options
"$ClamdScan" $ScanOptions "$@"
retval=$?

exit $retval
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sweepviruses.patch
Type: text/x-patch
Size: 784 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070415/c08c4190/sweepviruses.bin

From hden at kcbbs.gen.nz Sun Apr 15 22:05:16 2007
From: hden at kcbbs.gen.nz (Hendrik den Hartog)
Date: Sun Apr 15 21:45:45 2007
Subject: smf milter
Message-ID: <20070415210516.GA22186@mew.kcbbs.gen.nz>

Gidday

We're considering installing the smf-sav milter. In the Readme it warns..
' make sure that libmilter is compiled with BROKEN_PTHREAD_SLEEP
defined'

How can I find out if this symbol is defined?

System in Centos 3.4, sendmail 8.12.11-4

Help/Advice appreciated...

Cheers!
Dave

From micoots at yahoo.com Sun Apr 15 22:58:43 2007
From: micoots at yahoo.com (Michael Mansour)
Date: Sun Apr 15 22:58:47 2007
Subject: Reports for different domains
Message-ID: <900570.90945.qm@web33305.mail.mud.yahoo.com>

Hi,

I'm trying to setup different reports for different domains.

Looking in MailScanner.conf I see:

# Set where to find the message text sent to users when one of their
# attachments has been deleted from a message.
# These can also be the filenames of rulesets.
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Deleted Size Message Report = %report-dir%/deleted.size.message.txt

so it seems with rulesets I may be able to do what I want.

I use many rulesets and have been for years, so understanding them is
not a problem, I'm just trying to figure out how I could setup a ruleset
for the above to use one report file for one domain and another report
file for another domain.

Then of course, the default report files to use when not specifically
defined.

Thank you.

Thanks.

Michael.

From hden at kcbbs.gen.nz Sun Apr 15 23:29:14 2007
From: hden at kcbbs.gen.nz (Hendrik den Hartog)
Date: Sun Apr 15 23:09:42 2007
Subject: smf milter
In-Reply-To: <20070415210516.GA22186@mew.kcbbs.gen.nz>
References: <20070415210516.GA22186@mew.kcbbs.gen.nz>
Message-ID: <20070415222914.GA22220@mew.kcbbs.gen.nz>

I should add, we are considering using the smf-sav *in conjunction with*
mailscanner, which we have used here at school for student accounts for
several years, i.e. we're part of the mailscanner community, hence the
seeking advice from this group.

Cheers!

On Mon, Apr 16, 2007 at 09:05:16AM +1200, Hendrik den Hartog wrote:
> Gidday
>
> We're considering installing the smf-sav milter. In the Readme it warns..
> ' make sure that libmilter is compiled with BROKEN_PTHREAD_SLEEP
> defined'
>
> How can I find out if this symbol is defined?
>
> System in Centos 3.4, sendmail 8.12.11-4
>
> Help/Advice appreciated...
>
> Cheers!
> Dave

From seamus at rheelweb.co.nz Mon Apr 16 02:56:12 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Mon Apr 16 02:55:22 2007
Subject: Mailscanner Conf
In-Reply-To: <246fa6da500a114bb7ffa3778266c693@solidstatelogic.com>
Message-ID: <008e01c77fca$68d17fb0$5e01a8c0@seamoose>

Here's the output from the sudo'd spamassassin test. I have tried almost
everything in my power to make the /root/.spamassassin folder writable to
no avail, so will need to shift the config elsewhere, and somehow point
spamassassin to it??

[8189] warn: config: cannot write to /root/.spamassassin/user_prefs: Permission denied
[8189] warn: config: failed to create default user preference file /root/.spamassassin/user_prefs
Spam message in question
Content analysis details: (5.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.2 MISSING_HEADERS        Missing To: header
 0.1 TO_CC_NONE             No To: or Cc: header
 1.3 MISSING_SUBJECT        Missing Subject: header
 1.5 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text

I tried testing the Bayesian theory too, and I think that you're right:
all of the bayes learning scripts that I have written run as root
(through cron) so it will be learning to the wrong bayes database.

So the question is where do I move the files (namely bayes files) from
/root/.spamassassin to?

Thanks

Seamus

Seamus Allan
Network Engineer
Rheel Electronics Ltd

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
Sent: Friday, 13 April 2007 8:01 p.m.
To: MailScanner discussion
Subject: RE: Mailscanner Conf

Seamus

What happens if you run the spamassassin -t < messagefile as the
postfix user?????

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Seamus Allan
> Sent: 13 April 2007 05:36
> To: MailScanner discussion
> Subject: Mailscanner Conf
>
> Hi guys, been lurking for the last while, and now I have a question.
> We are running MailScanner with Postfix and all the jazz quite
> successfully for over a year now. After a while I have noticed that
> some very spammy messages are getting through with quite low spam
> scores. Intrigued, I placed some of these messages where I could get
> to them, and ran (as root) spamassassin -t < messagefile, and I get a
> good score (well over the threshold). So then I sudo'd the
> spamassassin command as the postfix user, and I got the low score -
> bingo.
> However, I am not sure which config is user dependent, and where to
> shift it to such that it gets used by spamassassin when run by the
> postfix user.
>
> It's probably a pretty simple solution, but I just can't find it.
>
> Cheers
>
> Seamus.
>
> Seamus Allan
> Network Engineer
> Rheel Electronics Ltd

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From jim.barber at ddihealth.com Mon Apr 16 06:07:52 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Mon Apr 16 06:08:20 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
Message-ID: <462304A8.6030103@ddihealth.com>

Hi all.

I've gone through the mailing list archives and I've seen this question
posted a few times but not answered in a way that works for me.
I have MailScanner running with an Exim set up.
There is an incoming Exim queue which MailScanner then works from and
places scanned messages into an outgoing Exim queue.
I can't use Exim rules to skip MailScanner tests since Exim is unaware of
MailScanner's involvement with email delivery.

I want a way to completely skip the MailScanner spam checks for messages
that have been sent via authenticated users.

All of the answers I have seen, talk about writing SpamAssassin rules to
change the score.
However I have the following options set in my MailScanner.conf file:

Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 2

I don't want to slacken these off since I have found them to be very
effective so far at blocking spam.

The checks above are independent of the SpamAssassin scores, so even if a
low score comes out of SpamAssassin, if the message was on a DNS block
list, it'll be tagged as Spam, and if it's on two or more it will be
quarantined.
So SpamAssassin rules aren't useful in this scenario.

For an authenticated user that has connected from a Dynamic IP address
assigned by an ISP, I don't want these DNS block list checks to be
performed.

Is there a way?

Regards,

--
----------
Jim Barber
DDI Health

From hvdkooij at vanderkooij.org Mon Apr 16 06:34:36 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Apr 16 06:34:49 2007
Subject: smf milter
In-Reply-To: <20070415222914.GA22220@mew.kcbbs.gen.nz>
References: <20070415210516.GA22186@mew.kcbbs.gen.nz> <20070415222914.GA22220@mew.kcbbs.gen.nz>
Message-ID:

On Mon, 16 Apr 2007, Hendrik den Hartog wrote:

> I should add, we are considering using the smf-sav *in conjuction with*
> mailscanner, which we have used here at school for student accounts for
> several years, i.e. we're part of the maiscanner community, hence the
> seeking advice from this group.

I can't recall milters having anything to do with MailScanner
necessarily. They are a sendmail thing.

So for those down there that like to hunt on anything purely MTA on the
list: Happy hunting this one is relatively close to your skippies.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Mon Apr 16 06:41:46 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Apr 16 06:41:57 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To: <462304A8.6030103@ddihealth.com>
References: <462304A8.6030103@ddihealth.com>
Message-ID:

On Mon, 16 Apr 2007, Jim Barber wrote:

> I've gone through the mailing list archives and I've seen this question
> posted a few times but not answered in a way that works for me.
> I have MailScanner running with an Exim set up.
> There is an incoming Exim queue which MailScanner then works from and places
> scanned messages into an outgoing Exim queue.
> I can't use Exim rules to skip MailScanner tests since Exim is unaware of
> MailScanner's involvement with email delivery.

Well now. I do not think exim is doing the blocking. So how can you make
authenticated clients distinguish themselves so they get their own header
added? If you cracked that bit of Exim configuration you can start acting
upon that header line in MailScanner and fix pretty much anything you
want.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From jim.barber at ddihealth.com Mon Apr 16 06:50:36 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Mon Apr 16 06:51:30 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To:
References: <462304A8.6030103@ddihealth.com>
Message-ID: <46230EAC.5070600@ddihealth.com>

Hugo van der Kooij wrote:
>
> Well now. I do not think exim is doing the blocking. So how can you make
> authenticated clients distinguish themselves so they get their own
> header added? If you cracked that bit of Exim configuration you can
> start acting upon that header line in MailScanner and fix pretty much
> anything you want.
>
> Hugo.

Thanks for the response.

I'm pretty sure I could work out how to get Exim to add a header for the
authenticated users...

But how do I get MailScanner to skip its Spam checks assuming a
particular header exists?
All I can see, are the rule files support the From:, To:, FromOrTo: type
declarations.
I can't see anything for checking the existence of, or for the content of
particular mail headers.

----------
Jim Barber
DDI Health

From dhawal at netmagicsolutions.com Mon Apr 16 07:41:02 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Apr 16 07:41:22 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To: <46230EAC.5070600@ddihealth.com>
References: <462304A8.6030103@ddihealth.com> <46230EAC.5070600@ddihealth.com>
Message-ID: <46231A7E.4080003@netmagicsolutions.com>

Jim Barber wrote:
> Hugo van der Kooij wrote:
>>
>> Well now. I do not think exim is doing the blocking. So how can you
>> make authenticated clients distinguish themselves so they get their
>> own header added? If you cracked that bit of Exim configuration you
>> can start acting upon that header line in MailScanner and fix pretty
>> much anything you want.
>>
>> Hugo.
>
> Thanks for the response.
>
> I'm pretty sure I could work out how to get Exim to add a header for the
> authenticated users...
>
> But how do I get MailScanner to skip its Spam checks assuming a
> particular header exists?
> All I can see, are the rule files support the From:, To:, FromOrTo: type
> declarations.
> I can't see anything for checking the existence of, or for the content
> of particular mail headers.

Search the list archives for a recent thread "Adding Signature based on
header?". Steve Freegard of FSL was generous to contribute a "Custom
Function" to something similar (which can be trivially modified for your
use). I am still testing it out, once done i'll add it to the wiki for
Steve's review.

From dhawal at netmagicsolutions.com Mon Apr 16 07:45:43 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Apr 16 07:45:48 2007
Subject: Reports for different domains
In-Reply-To: <900570.90945.qm@web33305.mail.mud.yahoo.com>
References: <900570.90945.qm@web33305.mail.mud.yahoo.com>
Message-ID: <46231B97.5000006@netmagicsolutions.com>

Michael Mansour wrote:
> Hi,
>
> I'm trying to setup different reports for different domains.
>
> Looking in MailScanenr.conf I see:
>
> # Set where to find the message text sent to users when one of their
> # attachments has been deleted from a message.
> # These can also be the filenames of rulesets.
> Deleted Bad Content Message Report =
> %report-dir%/deleted.content.message.txt
> Deleted Bad Filename Message Report =
> %report-dir%/deleted.filename.message.txt
> Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
> Deleted Size Message Report = %report-dir%/deleted.size.message.txt
>
> so it seems with rulesets I may be able to do what I want.
>
> I use many rulesets and have been for years, so understanding them is
> not a problem, I'm just trying to figure out how I could setup a ruleset
> for the above to use one report file for one domain and another report
> file for another domain.
>
> Then of course, the default report files to use when not specifically
> defined.

on these lines..

in MailScanner.conf
Deleted Bad Content Message Report = %rules-dir%/deleted.bad.content.message.report.rules

In %rules-dir%/deleted.bad.content.message.report.rules
FromOrTo: domain1.tld %report-dir%/deleted.bad.content.message.report.domain1.tld.txt
FromOrTo: domain2.tld %report-dir%/deleted.bad.content.message.report.domain2.tld.txt
.
.
FromOrTo: default %report-dir%/deleted.content.message.txt

From nug_hoho8 at yahoo.com.sg Mon Apr 16 08:16:34 2007
From: nug_hoho8 at yahoo.com.sg (Yuniarto Nugroho)
Date: Mon Apr 16 08:16:37 2007
Subject: How to released quarantined mail in mailscanner
Message-ID: <618246.21148.qm@web43137.mail.sp1.yahoo.com>

Hi, my name is Nugroho.

Right now, I just start to learn mail filtering using MailScanner (using
postfix as MTA). When I send an email with attachment (for example
cmd.exe), it will be quarantined. And the recipient will receive warning
and attachment that tells about the name file which is quarantined, e.g

Note to Help Desk: Look on the testing.labtest.co.id () MailScanner in
/var/spool/MailScanner/quarantine/20070416 (message 38BF94F15A.2CA1B).

I've read this documentation:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail
but when execute the command:

cp -p 38BF94F15A /var/spool/postfix/incoming

there is an error:

cp: cannot stat `38BF94F15A': No such file or directory

Or when I try to execute this command :

cp -p 38BF94F15A.2CA1B /var/spool/postfix/incoming/

there is an error:

cp: omitting directory `38BF94F15A.2CA1B'

So, the quarantined mail cannot be released. Anybody can help me to
solve this problem?

Thanks,

Nugroho

From jim.barber at ddihealth.com Mon Apr 16 08:17:28 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Mon Apr 16 08:17:54 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To: <46231A7E.4080003@netmagicsolutions.com>
References: <462304A8.6030103@ddihealth.com> <46230EAC.5070600@ddihealth.com> <46231A7E.4080003@netmagicsolutions.com>
Message-ID: <46232308.9030903@ddihealth.com>

Dhawal Doshy wrote:
> Search the list archives for a recent thread "Adding Signature based on
> header?". Steve Freegard of FSL was generous to contribute a "Custom
> Function" to something similar (which can be trivially modified for your
> use). I am still testing it out, once done i'll add it to the wiki for
> Steve's review.

Thanks.

I've found the thread and downloaded the code posted by Steve Freegard.
I've also seen Ken A's code snippet to prevent SA caching if particular
headers exist.

From those I think I should be able to write a perl routine to detect the
headers I need.
BUT it's not clear to me how these custom functions are used.
Obviously you place them in the /etc/MailScanner/CustomFunctions area,
but how are they called, triggered, etc?
How do I stop spam checks from happening by using these functions?
Can you tie the function to the "Spam Checks" setting in the
MailScanner.conf file somehow?

I've got the logic, but I haven't got the glue :)

If I get something going, I'll post it back against this thread as quick
mini-howto I guess.

Regards,

----------
Jim Barber
DDI Health

From jim.barber at ddihealth.com Mon Apr 16 08:19:46 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Mon Apr 16 08:20:50 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To: <46231A7E.4080003@netmagicsolutions.com>
References: <462304A8.6030103@ddihealth.com> <46230EAC.5070600@ddihealth.com> <46231A7E.4080003@netmagicsolutions.com>
Message-ID: <46232392.5090102@ddihealth.com>

Sorry. Nevermind.
I think I can work it out from here.
I'll post results if I get it going otherwise there will be more dumb
questions.

Jim.

Dhawal Doshy wrote:
> Search the list archives for a recent thread "Adding Signature based on
> header?". Steve Freegard of FSL was generous to contribute a "Custom
> Function" to something similar (which can be trivially modified for your
> use). I am still testing it out, once done i'll add it to the wiki for
> Steve's review.

From martinh at solidstatelogic.com Mon Apr 16 09:15:06 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Apr 16 09:15:48 2007
Subject: Mailscanner Conf
In-Reply-To: <008e01c77fca$68d17fb0$5e01a8c0@seamoose>
Message-ID:

Seamus

In the spam.assassin.prefs.conf you need a line like...

bayes_path /usr/local/var/spamassassin/bayes

and this force the bayes DB into that dir...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From a.peacock at chime.ucl.ac.uk Mon Apr 16 09:15:55 2007
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Mon Apr 16 09:16:18 2007
Subject: Mailscanner Conf
In-Reply-To: <008e01c77fca$68d17fb0$5e01a8c0@seamoose>
References: <008e01c77fca$68d17fb0$5e01a8c0@seamoose>
Message-ID: <462330BB.9010501@chime.ucl.ac.uk>

Hi,

Seamus Allan wrote:
> Here's the output from the sudo'd spamassassin test. I have tried almost
> everything in my power to make the /root/.spamassassin folder writable to no
> avail, so will need to shift the config elsewhere, and somehow point
> spamassassin to it??
>
> [8189] warn: config: cannot write to /root/.spamassassin/user_prefs:
> Permission denied
> [8189] warn: config: failed to create default user preference file
> /root/.spamassassin/user_prefs
> Spam message in question
> Content analysis details: (5.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.5 MISSING_HB_SEP         Missing blank line between message header and body
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  0.2 MISSING_HEADERS        Missing To: header
>  0.1 TO_CC_NONE             No To: or Cc: header
>  1.3 MISSING_SUBJECT        Missing Subject: header
>  1.5 EMPTY_MESSAGE          Message appears to have no textual parts and no
>                             Subject: text
>
>
> I tried testing the Bayesian theory too, and I think that you're right: all
> of the bayes learning scripts that I have written run as root (through cron)
> so it will be learning to the wrong bayes database.
>
> So the question is where do I move the files (namely bayes files) from
> /root/.spamassassin to?

To the home directory of the postfix user. You should then run all of
the learning scripts as the postfix user as well.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

From list-mailscanner at linguaphone.com Mon Apr 16 09:22:40 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Apr 16 09:22:45 2007
Subject: Mailscanner Conf
In-Reply-To:
References:
Message-ID: <1176711760.10847.0.camel@gblades-suse.linguaphone-intranet.co.uk>

On Mon, 2007-04-16 at 09:15, Martin.Hepworth wrote:
> Seamus
>
> In the spam.assassin.prefs.conf you need a line like...
>
> bayes_path /usr/local/var/spamassassin/bayes
>
> and this force the bayes DB into that dir...

Or you could configure spamassassin to use a database for bayes.

From nug_hoho8 at yahoo.com.sg Mon Apr 16 09:36:23 2007
From: nug_hoho8 at yahoo.com.sg (Yuniarto Nugroho)
Date: Mon Apr 16 09:36:26 2007
Subject: How to released quarantined mail in mailscanner
In-Reply-To: <618246.21148.qm@web43137.mail.sp1.yahoo.com>
Message-ID: <290527.11752.qm@web43146.mail.sp1.yahoo.com>

Hi,

I am so stressful so I missed one option in MailScanner.conf.
After I make a change in the configuration and restart the service, the
quarantined mail can be released. That documentation is very helpful.

Thanks,
Nugroho

From a.peacock at chime.ucl.ac.uk Mon Apr 16 09:37:30 2007
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Mon Apr 16 09:37:53 2007
Subject: Mailscanner Conf
In-Reply-To:
References:
Message-ID: <462335CA.60602@chime.ucl.ac.uk>

Hi,

Martin.Hepworth wrote:
> Seamus
>
> In the spam.assassin.prefs.conf you need a line like...
>
> bayes_path /usr/local/var/spamassassin/bayes
>
> and this force the bayes DB into that dir...

This is what I started off doing. I now use a mySQL database for a site
wide configuration.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

From martinh at solidstatelogic.com Mon Apr 16 09:40:46 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Apr 16 09:41:19 2007
Subject: Archiving with MailScanner
In-Reply-To:
Message-ID:

Ugo

Yeah I use this feature.....

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance
> Sent: 14 April 2007 05:22
> To: mailscanner@lists.mailscanner.info
> Subject: Archiving with MailScanner
>
> Hi,
>
> Is anyone using MailScanner's archiving feature? If not, is someone
> using Non-Spam Action = store deliver to achieve a similar result?
> Anyone using a third-party software to do archiving?
>
> Regards,
>
> Ugo

From nwp at nz.lemon-computing.com Mon Apr 16 11:16:41 2007
From: nwp at nz.lemon-computing.com (Nick Phillips)
Date: Mon Apr 16 11:18:43 2007
Subject: SPF_Fail score too low?
In-Reply-To: <46156191.6030601@evi-inc.com>
References: <45FDE116.4020205@fractalweb.com> <46156191.6030601@evi-inc.com>
Message-ID: <46234D09.7040308@nz.lemon-computing.com>

Matt Kettler wrote:
> Sorry for the late reply.
>
> Real-world testing shows that the SPF_FAIL test is still quite prone to false
> positives, and is more false-positive prone than the SOFTFAIL rule.

> Never expect rules to behave the way they "should" when they're the result of
> human decisions. Humans add a whole layer of randomness and nonsense all their own.

Problem is that by deciding not to take the SPF_FAIL at face value,
*you* are the one adding yet another layer of human randomness - and
this one will make it less likely that the system will ever work
"properly" -- admins whose sites are causing the false positives will be
less likely to ever find out and do something about it etc.

Really. If they say it's a fail, reject it. That's what they're
(politely) asking you to do.

Cheers,

Nick

From mailscanner at lists.com.ar Mon Apr 16 13:45:21 2007
From: mailscanner at lists.com.ar (Leonardo Helman)
Date: Mon Apr 16 13:47:55 2007
Subject: Continuing saga of ClamAV module
In-Reply-To: <461F8AA7.2090008@stellarcore.net>
References: <200704130755.l3D7stHI024326@safir.blacknight.ie> <461F8AA7.2090008@stellarcore.net>
Message-ID: <20070416124521.GA26565@pert.com.ar>

Yes, that's a possible solution, but why don't you change the
MailScanner.conf as someone posted
something like

Monitor For Clam... = /path/to/clamfiles/main.inc/* /path/.../daily.inc/* /path/to.../*.cvd

There must be at least one file to watch (with file length not 0), and
MS "reloads" the files (not exactly) if the existing files (at start)
had changed in the meantime

Here is the code from SweepViruses.pm
(for the nonveryperl "-s" returns the size of the archive)

  # Build the hash of the size of all the watch files
  my(@watchglobs, $glob, @filelist, $file, $filecount);
  @watchglobs = split(" ", MailScanner::Config::Value('clamwatchfiles'));
  $filecount = 0;
  foreach $glob (@watchglobs) {
    @filelist = glob($glob);
    foreach $file (@filelist) {
      $Clamwatchfiles{$file} = -s $file;
      $filecount++;
    }
  }
  MailScanner::Log::DieLog("None of the files matched by the \"Monitors " .
                           "For ClamAV Updates\" patterns exist!")
    unless $filecount>0;

And then

# Have the ClamAV database files been modified? (changed size)
# If so, abandon this child process altogether and start again.
# This is called from the main WorkForHours() loop
#
sub ClamUpgraded {
  my($watch, $size);

  return 0 unless $Claminuse;

  while (($watch, $size) = each %Clamwatchfiles) {
    if ($size != -s $watch) {
      MailScanner::Log::InfoLog("ClamAV update of $watch detected, " .
                                "resetting ClamAV Module");
      return 1;
    }
  }

  # No update detected
  return 0;
}

On Fri, Apr 13, 2007 at 06:50:09AM -0700, Mike Tremaine wrote:
>
> >With the recurring clamavmodule problems of late, has anybody started just
> >using clamav direct rather than the module?
> >Is there a huge speed increase to be gained in using the module, or a big
> >saving on resources?
> >
> >Edward
> >
> >
>
> Yes my solution to the last problem was to switch to clamav only because
> it was the fix that worked before I really understood the problem. But
> clamav is using command line clamscan which is much slower than
> clamavmodule. The problem is everytime you call [fork] a new clamscan it
> has to load the virus database which is over 100,000 records.
>
> One possible solution that it might be time to revisit is making a new
> wrapper for clamdscan and starting the clamd daemon. I know this has
> been mentioned before but I forgot what the issue was with it. I know
> that Mail::ClamAV aka clamavmodule was a nicely integrated solution for
> MailScanner but as you mentioned we keep seeing it as the weakest
> link. If clamdscan + clamd allow more stability during upgrades [both of
> the sig database and the engine] then maybe it is time to switch.
>
> [I know it would be pretty easy to copy the clamav.wrapper and change to
> use clamdscan, I might test this out soon.]
>
> -Mike

From am.lists at gmail.com Mon Apr 16 15:05:51 2007
From: am.lists at gmail.com (am.lists)
Date: Mon Apr 16 15:05:54 2007
Subject: Archiving with MailScanner
In-Reply-To:
References:
Message-ID: <25a66d840704160705t484fe163k5049d114a4724807@mail.gmail.com>

On 4/13/07, Ugo Bellavance wrote:
> Hi,
>
> Is anyone using MailScanner's archiving feature? If not, is someone
> using Non-Spam Action = store deliver to achieve a similar result?
> Anyone using a third-party software to do archiving?
>
> Regards,
>
> Ugo

I've used Archive Mail = a ruleset and the forwarding option.

What is the end game?

A

From edwardbruce at sbcglobal.net Mon Apr 16 15:17:11 2007
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Mon Apr 16 15:17:44 2007
Subject: I'm back at home
In-Reply-To: <4617E05D.7010901@ecs.soton.ac.uk>
References: <46128E8E.1060508@ecs.soton.ac.uk> <46155CA8.4010808@yeticomputers.com> <4617E05D.7010901@ecs.soton.ac.uk>
Message-ID: <46238567.1040901@sbcglobal.net>

Julian Field wrote:
> Many thanks to all of you for your kind words. I had a count up this
> morning and I have 60 Get Well cards from 15 different countries!
>
> If you want to help relieve my growing boredom at home, I have added a
> few DVD's to my Amazon wish list, which you can get to from the link on
> http://www.mailscanner.info/donate.html
>
> So if you are feeling generous... :-)
>
> Thank you again for all your support and kind wishes.
>
> Regards,
> Jules.
>
> Rick Chadderdon wrote:
>> Glad to hear you're home. :) Wishing you a quick, full recovery!
>
>> Rick
>
> Jules
>

Glad to oblige. I would have helped with the other items on your wish
list, but they were a little out of my budget. Enjoy.

later,
Ed

From edwardbruce at sbcglobal.net Mon Apr 16 15:31:45 2007
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Mon Apr 16 15:31:49 2007
Subject: TNEF loops
In-Reply-To: <20070410164106.dvoysrpd4gscsokg@www.bluecobras.com>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com> <461BAC0C.8010207@ecs.soton.ac.uk> <20070410130240.e5kzbfks0sc44wgc@www.bluecobras.com> <200704101943.l3AJhbIo030155@mxt.1bigthink.com> <20070410164106.dvoysrpd4gscsokg@www.bluecobras.com>
Message-ID: <462388D1.1070001@sbcglobal.net>

chris@bluecobras.com wrote:
> I sent him Seasons 1, 2 and 3 of West Wing and he should get them today
> or tomorrow. That should give him something to do and relax.
>
> Chris

Well I hope he can exchange season 3, because it was still listed on his
wish list, so I just ordered it a few minutes ago???

From bamcomp at yahoo.com Mon Apr 16 17:15:25 2007
From: bamcomp at yahoo.com (Brett Moss)
Date: Mon Apr 16 17:15:29 2007
Subject: smf milter
In-Reply-To: <20070415210516.GA22186@mew.kcbbs.gen.nz>
Message-ID: <548006.86675.qm@web30013.mail.mud.yahoo.com>

--- Hendrik den Hartog wrote:
> Gidday
>
> We're considering installing the smf-sav milter. In
> the Readme it warns..
> ' make sure that libmilter is compiled with
> BROKEN_PTHREAD_SLEEP
> defined'
>
> How can I find out if this symbol is defined?
>
> System in Centos 3.4, sendmail 8.12.11-4
>
> Help/Advice appreciated...
>
> Cheers!
> Dave

hello,

i believe that installing the sendmail-devel rpm will give you what you need.

brett

From ugob at lubik.ca Mon Apr 16 23:07:44 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Apr 16 23:08:10 2007
Subject: Archiving with MailScanner
In-Reply-To: <25a66d840704160705t484fe163k5049d114a4724807@mail.gmail.com>
References: <25a66d840704160705t484fe163k5049d114a4724807@mail.gmail.com>
Message-ID:

am.lists wrote:
> On 4/13/07, Ugo Bellavance wrote:
>> Hi,
>>
>> Is anyone using MailScanner's archiving feature? If not, is someone
>> using Non-Spam Action = store deliver to achieve a similar result?
>> Anyone using a third-party software to do archiving?
>>
>> Regards,
>>
>> Ugo
>
> I've used Archive Mail = a ruleset and the forwarding option.
>
> What is the end game?
>
> A

I was wondering how one could archive e-mails by domain, then make it
possible for a non-admin to browse and "release" email. The store
option seems to be nice, but I think it would increase the size of the
MailWatch DB so much if we want to keep archives for a year for example...

Thanks,

Ugo

From seamus at rheelweb.co.nz Tue Apr 17 00:31:50 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Tue Apr 17 00:30:40 2007
Subject: Mailscanner Conf
In-Reply-To: <462335CA.60602@chime.ucl.ac.uk>
Message-ID: <002401c7807f$685a0380$5e01a8c0@seamoose>

Right-o.

So I have two locations with Bayes Databases.

/root/.spamassassin which is presumably the one that is being updated with
my update scripts, and /var/spool/MailScanner/spamassassin which I think is
being updated by MailScanner itself with the auto bayes learning functions.

Now I need to merge these two databases to save the good work of the bayes
system for the last year (albeit a bit messed up). I could shift my bayes db
to our mysql server, and reading from the docs I think I could populate the
sql database with the data in both of my databases - is this correct?

Otherwise I would like to merge my two databases and keep the database as a
file based schema. Can I actually do this?

Short of spamassassin clustering, are there any good reasons as to keeping
the bayes DB on our sql server. Is it faster? Is it more reliable?

Thanks,

Seamus

Seamus Allan
Network Engineer
Rheel Electronics Ltd

From chris at bluecobras.com Tue Apr 17 01:50:35 2007
From: chris at bluecobras.com (Chris Hammond)
Date: Tue Apr 17 01:50:40 2007
Subject: TNEF loops
In-Reply-To: <462388D1.1070001@sbcglobal.net>
References: <1d1e72700704100532s6521cfdeuf00a5b94db61f03d@mail.gmail.com> <461BA110.6020308@dalsemi.com> <461BAC0C.8010207@ecs.soton.ac.uk> <20070410130240.e5kzbfks0sc44wgc@www.bluecobras.com> <200704101943.l3AJhbIo030155@mxt.1bigthink.com> <20070410164106.dvoysrpd4gscsokg@www.bluecobras.com> <462388D1.1070001@sbcglobal.net>
Message-ID: <462419DB.8020306@bluecobras.com>

Ed Bruce wrote:
> chris@bluecobras.com wrote:
>> I sent him Seasons 1, 2 and 3 of West Wing and he should get them today
>> or tomorrow. That should give him something to do and relax.
>
>> Chris
>
> Well I hope he can exchange season 3, because it was still listed on his
> wish list, so I just ordered it a few minutes ago???

I just looked at the list and noticed they list both season and series.
I wonder if there is any difference. Oh well. I wonder if he has got
the ones I sent as Amazon's site does not say if they were delivered just
that they were dispatched and an estimated delivery date of the 10th or
11th. Julian, let me know if you have not received them so I can get on
Amazon's case.

Chris

From chandler.lists at chapman.edu Tue Apr 17 02:23:45 2007
From: chandler.lists at chapman.edu (Jay Chandler)
Date: Tue Apr 17 02:23:54 2007
Subject: Mailscanner Conf
In-Reply-To: <002401c7807f$685a0380$5e01a8c0@seamoose>
References: <002401c7807f$685a0380$5e01a8c0@seamoose>
Message-ID: <462421A1.7000002@chapman.edu>

Seamus Allan wrote:
> I could shift my bayes db
> to our mysql server, and reading from the docs I think I could populate the
> sql database with the data in both of my databases - is this correct?
>

Yup-- though I'm not opposed to an occasional Bayes rebuild.

> Short of spamassassin clustering, are there any good reasons as to keeping
> the bayes DB on our sql server. Is it faster? Is it more reliable?
>
>

A crapton faster-- force-expire takes 45 seconds instead of ten minutes,
for starters...

--
Jay Chandler
Network Administrator
Chapman University

From seamus at rheelweb.co.nz Tue Apr 17 02:35:58 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Tue Apr 17 02:34:49 2007
Subject: Mailscanner Conf
In-Reply-To: <462421A1.7000002@chapman.edu>
Message-ID: <006701c78090$c0164780$5e01a8c0@seamoose>

http://www.urbandictionary.com/define.php?term=crapton

Wow, looks like I will be migrating my Bayes DB over to mysql ASAP. Thanks
for the heads up (and great new word).

Cheers

Seamus.

Seamus Allan
Network Engineer
Rheel Electronics Ltd

From seamus at rheelweb.co.nz Tue Apr 17 06:34:54 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Tue Apr 17 06:33:59 2007
Subject: Mailscanner Conf
In-Reply-To: <006701c78090$c0164780$5e01a8c0@seamoose>
Message-ID: <00aa01c780b2$208d8cb0$5e01a8c0@seamoose>

Hmm, looks like I have issues

Here's what happens when I try to import the bayes database into mysql. I
suspect it's a DBD::MySQL issue (argh).

Anyone seen this undefined symbol error before? Can anyone point me in a
useful direction (google Perl_sv_2iv_flags is NOT useful).

debug output from sa-learn

[27403] dbg: bayes: using username: root
[27403] dbg: bayes: database connection established
[27403] dbg: bayes: found bayes db version 3
[27403] dbg: bayes: unable to initialize database for root user, aborting!
[27403] dbg: config: score set 1 chosen.
[27403] dbg: bayes: database connection established
[27403] dbg: bayes: found bayes db version 3
[27403] dbg: bayes: unable to initialize database for root user, aborting!
[27403] dbg: bayes: database connection established
[27403] dbg: bayes: found bayes db version 3
[27403] dbg: bayes: using userid: 5
/usr/bin/perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/DBD/mysql/mysql.so: undefined symbol: Perl_sv_2iv_flags

Cheers

Seamus

Seamus Allan
Network Engineer
Rheel Electronics Ltd

From jim.barber at ddihealth.com Tue Apr 17 10:51:34 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Tue Apr 17 10:51:48 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To: <46231A7E.4080003@netmagicsolutions.com>
References: <462304A8.6030103@ddihealth.com> <46230EAC.5070600@ddihealth.com> <46231A7E.4080003@netmagicsolutions.com>
Message-ID: <462498A6.2020507@ddihealth.com>

Thanks everyone for your help.
The following works as a solution for me.

First of all the exim config file needs to be set up to add a header for authenticated users.
Within the 'acl_check_rcpt:' section of the config file I added something like:

    accept
        authenticated = *
        add_header = X-SMTP-Auth: Yes
        control = submission/sender_retain

You also of course have to have SMTP authentication setup for Exim as well.

Then inside /etc/MailScanner/CustomFunctions/ I created a file called CheckSMTPAuth.pm with the following contents:

    package MailScanner::CustomConfig;

    use strict;

    sub InitCheckSMTPAuth
    {
        # Empty
    }

    sub EndCheckSMTPAuth
    {
        # Empty
    }

    sub CheckSMTPAuth
    {
        my ($message) = @_;
        return 1 unless $message;

        foreach (@{$message->{headers}})
        {
            if (/X-SMTP-Auth: Yes/)
            {
                MailScanner::Log::InfoLog("Message %s from (%s) is authenticated", $message->{id}, $message->{fromuser});
                return 0;
            }
        }
        return 1;
    }

    1;

Then in the /etc/MailScanner/MailScanner.conf file I have the following setting:

    Spam Checks = &CheckSMTPAuth

I've restarted MailScanner and everything seems to be working as I want.

Regards,

----------
Jim Barber
DDI Health

From jim.barber at ddihealth.com Tue Apr 17 11:25:12 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Tue Apr 17 11:25:24 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To: <46231A7E.4080003@netmagicsolutions.com>
References: <462304A8.6030103@ddihealth.com> <46230EAC.5070600@ddihealth.com> <46231A7E.4080003@netmagicsolutions.com>
Message-ID: <4624A088.1020402@ddihealth.com>

Further to my post below you probably also want to strip out the added header when sending the messages out externally from your email server.

For my example below, in my exim configuration file I have the following added to my "remote_smtp:" transport.
Add it to any transport that you deem necessary.

    headers_remove = X-SMTP-Auth

Regards,

----------
Jim Barber
DDI Health


Thanks everyone for your help.
The following works as a solution for me.

First of all the exim config file needs to be set up to add a header for authenticated users.
Within the 'acl_check_rcpt:' section of the config file I added something like:

    accept
        authenticated = *
        add_header = X-SMTP-Auth: Yes
        control = submission/sender_retain

You also of course have to have SMTP authentication setup for Exim as well.

Then inside /etc/MailScanner/CustomFunctions/ I created a file called CheckSMTPAuth.pm with the following contents:

    package MailScanner::CustomConfig;

    use strict;

    sub InitCheckSMTPAuth
    {
        # Empty
    }

    sub EndCheckSMTPAuth
    {
        # Empty
    }

    sub CheckSMTPAuth
    {
        my ($message) = @_;
        return 1 unless $message;

        foreach (@{$message->{headers}})
        {
            if (/X-SMTP-Auth: Yes/)
            {
                MailScanner::Log::InfoLog("Message %s from (%s) is authenticated", $message->{id}, $message->{fromuser});
                return 0;
            }
        }
        return 1;
    }

    1;

Then in the /etc/MailScanner/MailScanner.conf file I have the following setting:

    Spam Checks = &CheckSMTPAuth

I've restarted MailScanner and everything seems to be working as I want.

Regards,

----------
Jim Barber
DDI Health

From dhawal at netmagicsolutions.com Tue Apr 17 11:37:12 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Tue Apr 17 11:37:33 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To: <4624A088.1020402@ddihealth.com>
References: <462304A8.6030103@ddihealth.com> <46230EAC.5070600@ddihealth.com> <46231A7E.4080003@netmagicsolutions.com> <4624A088.1020402@ddihealth.com>
Message-ID: <4624A358.1080702@netmagicsolutions.com>

Jim Barber wrote:
> Further to my post below you probably also want to strip out the added
> header when sending the messages out externally from your email server.
>
> For my example below, in my exim configuration file I have the following
> added to my "remote_smtp:" transport.
> Add it to any transport that you deem necessary.
>
> headers_remove = X-SMTP-Auth

You also want to do this only for outgoing mail from trusted IPs.. if
you have incoming spam with these headers then SA will be skipped for
them as well.

From jim.barber at ddihealth.com Tue Apr 17 11:40:55 2007
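The caveat raised in the reply above (mail that arrives already carrying an X-SMTP-Auth header would skip the spam checks), worked through as an added example that is not part of the original posts and is not MailScanner or Exim code. The sub names, the message hashes and the MTA-side stripping step are assumptions made for illustration, and the three sample messages are constructed.

```perl
#!/usr/bin/perl
# Added example: a stand-alone model of the X-SMTP-Auth trust decision.
# Sub names and message hashes are constructed for illustration only.
use strict;
use warnings;

my $TRUST_HEADER = 'X-SMTP-Auth';

# MTA behaviour as described in the thread: the header is added for an
# authenticated session, and whatever the sender supplied is left in place.
sub mta_as_posted {
    my ($message, $authenticated) = @_;
    my @headers = @{ $message->{headers} };
    push @headers, "${TRUST_HEADER}: Yes" if $authenticated;
    return +{ %$message, headers => \@headers };
}

# The check as posted: 0 = skip spam checks, 1 = run them.
sub check_as_posted {
    my ($message) = @_;
    return 1 unless $message;
    foreach (@{ $message->{headers} }) {
        return 0 if /X-SMTP-Auth: Yes/;
    }
    return 1;
}

# Assumed hardening, step 1 (modelled here, done by the MTA in practice):
# discard every copy of the trust header that arrived with the message,
# then add our own only when this session authenticated.
sub mta_hardened {
    my ($message, $authenticated) = @_;
    my @headers = grep { !/^\Q$TRUST_HEADER\E\s*:/i } @{ $message->{headers} };
    push @headers, "${TRUST_HEADER}: Yes" if $authenticated;
    return +{ %$message, headers => \@headers };
}

# Assumed hardening, step 2: match the header by name at the start of the
# line and require the exact value, instead of a substring anywhere.
sub check_hardened {
    my ($message) = @_;
    return 1 unless $message && ref($message->{headers}) eq 'ARRAY';
    foreach my $header (@{ $message->{headers} }) {
        return 0 if $header =~ /^\Q$TRUST_HEADER\E:\s*Yes\s*$/i;
    }
    return 1;
}

# Constructed sample messages (not taken from any real mail flow).
my @samples = (
    { name    => 'authenticated submission',
      auth    => 1,
      headers => [ 'From: user@example.org', 'Subject: report' ] },
    { name    => 'inbound, header supplied by sender',
      auth    => 0,
      headers => [ 'From: someone@example.net', 'X-SMTP-Auth: Yes',
                   'Subject: hello' ] },
    { name    => 'inbound, ordinary',
      auth    => 0,
      headers => [ 'From: someone@example.net', 'Subject: hello' ] },
);

# Run one sample through both pipelines; returns (posted, hardened),
# each 1 when the spam checks would run and 0 when they would be skipped.
sub evaluate {
    my ($sample) = @_;
    my $auth = $sample->{auth};
    return (
        check_as_posted(mta_as_posted($sample, $auth)),
        check_hardened(mta_hardened($sample, $auth)),
    );
}

foreach my $sample (@samples) {
    my ($posted, $hardened) = evaluate($sample);
    printf "%-38s posted: %-4s  hardened: %s\n",
        $sample->{name},
        $posted   ? 'scan' : 'skip',
        $hardened ? 'scan' : 'skip';
}
```

The two pipelines agree on the first and third samples and differ only on the second, which is the case the reply warns about.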
From: jim.barber at ddihealth.com (Jim Barber)
Date: Tue Apr 17 11:41:09 2007
Subject: SMTP AUTH and skipping MailScanner Spam checks.
In-Reply-To: <4624A358.1080702@netmagicsolutions.com>
References: <462304A8.6030103@ddihealth.com> <46230EAC.5070600@ddihealth.com> <46231A7E.4080003@netmagicsolutions.com> <4624A088.1020402@ddihealth.com> <4624A358.1080702@netmagicsolutions.com>
Message-ID: <4624A437.9010002@ddihealth.com>

Dhawal Doshy wrote:
> Jim Barber wrote:
>> Further to my post below you probably also want to strip out the added
>> header when sending the messages out externally from your email server.
>>
>> For my example below, in my exim configuration file I have the
>> following added to my "remote_smtp:" transport.
>> Add it to any transport that you deem necessary.
>>
>> headers_remove = X-SMTP-Auth
>
> You also want to do this only for outgoing mail from trusted IPs.. if
> you have incoming spam with these headers then SA will be skipped for
> them as well.

Thanks for clarifying that.
The remote_smtp transport in my configuration can only be used for outgoing emails.
So therefore only via trusted sources and relays can use it.

Regards,

----------
Jim Barber
DDI Health

From root at doctor.nl2k.ab.ca Tue Apr 17 11:51:17 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Tue Apr 17 11:47:42 2007
Subject: Problems receiving E-mail
Message-ID: <20070417105116.GE5164@doctor.nl2k.ab.ca>

Please read:

http://groups.google.ca/group/comp.mail.sendmail/browse_thread/thread/1f294390eef16830/698e952299c301cf?lnk=st&q=Dropenvelope+0x4604042&rnum=1&hl=en#698e952299c301cf

I was wondering what am I missing.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com Tue Apr 17 11:55:27 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Apr 17 11:55:38 2007
Subject: Problems receiving E-mail
In-Reply-To: <20070417105116.GE5164@doctor.nl2k.ab.ca>
Message-ID: <3cc9c83bb8826743b6087a3b8a706e63@solidstatelogic.com>

Dave

Sorry, can you let you know what the problem is and where email is
'sticking'/getting lost...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Shariff Yadallee -
> System Administrator a.k.a. The Root of the Problem
> Sent: 17 April 2007 11:51
> To: mailscanner@lists.mailscanner.info
> Subject: Problems receiving E-mail
>
> Please read:
>
> http://groups.google.ca/group/comp.mail.sendmail/browse_thread/thread/1f294390eef16830/698e952299c301cf?lnk=st&q=Dropenvelope+0x4604042&rnum=1&hl=en#698e952299c301cf
>
> I was wondering what am I missing.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From martinh at solidstatelogic.com Tue Apr 17 11:56:39 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Apr 17 11:57:30 2007
Subject: Problems receiving E-mail
In-Reply-To: <20070417105116.GE5164@doctor.nl2k.ab.ca>
Message-ID: <3b13a2d1d9b1df4499a529d97e64379c@solidstatelogic.com>

Dave

Hmm why are you calling clamav from sendmail, spamassassin from procmail
AND also using MailScanner??????

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Shariff Yadallee -
> System Administrator a.k.a. The Root of the Problem
> Sent: 17 April 2007 11:51
> To: mailscanner@lists.mailscanner.info
> Subject: Problems receiving E-mail
>
> Please read:
>
> http://groups.google.ca/group/comp.mail.sendmail/browse_thread/thread/1f294390eef16830/698e952299c301cf?lnk=st&q=Dropenvelope+0x4604042&rnum=1&hl=en#698e952299c301cf
>
> I was wondering what am I missing.

From root at doctor.nl2k.ab.ca Tue Apr 17 12:50:02 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Tue Apr 17 12:46:29 2007
Subject: Problems receiving E-mail
In-Reply-To: <3cc9c83bb8826743b6087a3b8a706e63@solidstatelogic.com>
References: <20070417105116.GE5164@doctor.nl2k.ab.ca> <3cc9c83bb8826743b6087a3b8a706e63@solidstatelogic.com>
Message-ID: <20070417115001.GB5543@doctor.nl2k.ab.ca>

On Tue, Apr 17, 2007 at 11:55:27AM +0100, Martin.Hepworth wrote:
> Dave
>
> Sorry, can you let you know what the problem is and where email is
> 'sticking'/getting lost...
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Shariff Yadallee -
> > System Administrator a.k.a. The Root of the Problem
> > Sent: 17 April 2007 11:51
> > To: mailscanner@lists.mailscanner.info
> > Subject: Problems receiving E-mail
> >
> > Please read:
> >
> > http://groups.google.ca/group/comp.mail.sendmail/browse_thread/thread/1f294390eef16830/698e952299c301cf?lnk=st&q=Dropenvelope+0x4604042&rnum=1&hl=en#698e952299c301cf
> >
> > I was wondering what am I missing.
> >

We are having problems receiving mail from large e-mail hosting companies
such as Yahoo, Hotmail, Bell Canada, Telus, Shaw and maybe others.

I have used sendmail 8.13.8 and 8.14.1 and the problem is ever-present.

Here is a snippet from my logs of an e-mail that was supposed to go to me
and never got to me:

Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: from=<>, size=5575, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=incomingmailserver [IP of incoming Mail Server]
Apr 6 20:02:00 doctor clamav-milter[805]: l3721wnV001728: clean message from <>
Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: Milter add: header: X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7 on doctor.nl2k.ab.ca
Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: Milter add: header: X-Virus-Status: Clean

What is needed to resolve the problem so that all mail can make it
through?

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From root at doctor.nl2k.ab.ca Tue Apr 17 12:57:26 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Tue Apr 17 12:53:53 2007
Subject: Problems receiving E-mail
In-Reply-To: <3b13a2d1d9b1df4499a529d97e64379c@solidstatelogic.com>
References: <20070417105116.GE5164@doctor.nl2k.ab.ca> <3b13a2d1d9b1df4499a529d97e64379c@solidstatelogic.com>
Message-ID: <20070417115726.GC5543@doctor.nl2k.ab.ca>

On Tue, Apr 17, 2007 at 11:56:39AM +0100, Martin.Hepworth wrote:
> Dave
>
> Hmm why are you calling clamav from sendmail, spamassassin from procmail
> AND also using MailScanner??????
>

I can drop the sendmail clamav milter, it is a hog.

As for the procmail, I can remove the spamassassin reference.

> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Shariff Yadallee -
> > System Administrator a.k.a. The Root of the Problem
> > Sent: 17 April 2007 11:51
> > To: mailscanner@lists.mailscanner.info
> > Subject: Problems receiving E-mail
> >
> > Please read:
> >
> > http://groups.google.ca/group/comp.mail.sendmail/browse_thread/thread/1f294390eef16830/698e952299c301cf?lnk=st&q=Dropenvelope+0x4604042&rnum=1&hl=en#698e952299c301cf
> >
> > I was wondering what am I missing.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com Tue Apr 17 13:53:01 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Apr 17 13:53:21 2007
Subject: Problems receiving E-mail
In-Reply-To: <20070417115001.GB5543@doctor.nl2k.ab.ca>
Message-ID:

Dave

Thankyou....

So where's the email getting stuck/disappearing?

What version of MailScanner? Has this ever worked or is this a fresh
install>?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Shariff Yadallee -
> System Administrator a.k.a. The Root of the Problem
> Sent: 17 April 2007 12:50
> To: MailScanner discussion
> Subject: Re: Problems receiving E-mail
>
> On Tue, Apr 17, 2007 at 11:55:27AM +0100, Martin.Hepworth wrote:
> > Dave
> >
> > Sorry, can you let you know what the problem is and where email is
> > 'sticking'/getting lost...
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info
> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Shariff Yadallee -
> > > System Administrator a.k.a. The Root of the Problem
> > > Sent: 17 April 2007 11:51
> > > To: mailscanner@lists.mailscanner.info
> > > Subject: Problems receiving E-mail
> > >
> > > Please read:
> > >
> > > http://groups.google.ca/group/comp.mail.sendmail/browse_thread/thread/1f294390eef16830/698e952299c301cf?lnk=st&q=Dropenvelope+0x4604042&rnum=1&hl=en#698e952299c301cf
> > >
> > > I was wondering what am I missing.
> > >
>
> We are having problems receiving mail from large e-mail hosting companies
> such as Yahoo, Hotmail, Bell Canada, Telus , Shaw and maybe other.
>
> I hae used sendmail 8.13.8 and 8.14.1 and the problem is
> ever-present.
>
> Here is a snippet from my logs of an e-mail
> that was supposed to go to me and never got to me:
>
> Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: from=<>, size=5575,
> class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA,
> relay=incomingmailserver [IP of incoming Mail Server]
> Apr 6 20:02:00 doctor clamav-milter[805]: l3721wnV001728: clean message
> from <>
> Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: Milter add: header:
> X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7 on
> doctor.nl2k.ab.ca
> Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: Milter add: header:
> X-Virus-Status: Clean
>
> What is needed to resolve the problem so that all mail can make it
> through?

From bpumphrey at woodmclaw.com Tue Apr 17 16:44:44 2007
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Tue Apr 17 16:44:47 2007
Subject: Archiving with MailScanner
In-Reply-To: <041201c77e92$ff4ed570$fdec8050$@swaney@fsl.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502715FB4@woodenex.woodmaclaw.local>

> Not MailScanner but open source: http://www.mailarchiva.com/
>
> I've tested mailarchiva and it appears to work. It indexes messages and
> can be used with removable drives and very large storage devices.
>
> A short review of the product can be found at:
> http://www.linuxsecurity.com/content/view/121268
>
> Best regards,
>
> Steve
>
> Steve Swaney
> steve@fsl.com
>
> --

I used your link and set this up. Seems to be a very nice piece.

The reason for me to use this is that we are a law firm and would be
needed for electronic discovery. This program is limited to where you
cannot export the emails to a file or something.

Do you know of another open source product that works as well as this
one but has some more functionality to it?

Thank you

Billy Pumphrey
http://www.billypumphrey.com

From Denis.Beauchemin at USherbrooke.ca Tue Apr 17 16:44:40 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Apr 17 16:44:50 2007
Subject: FuzzyOcr 3.5.1 not seeing my images
Message-ID: <4624EB68.6000802@USherbrooke.ca>

Hello,

I am experimenting with FuzzyOcr on a new server and my image spams are
printing the following messages while MS is being run with debug on:

[14793] dbg: FuzzyOcr: Starting FuzzyOcr...
[14793] info: FuzzyOcr: Processing Message with ID "<4624E33B.7050701@USherbrooke.ca>" (A B -> A B )
[14793] dbg: FuzzyOcr: fname: "spam13.gif" => "spam13.gif"
[14793] dbg: message: decoding base64
[14793] info: FuzzyOcr: Skipping file with content-type="image/gif" name="spam13.gif"
[14793] dbg: FuzzyOcr: Skipping OCR, no image files found...
[14793] dbg: FuzzyOcr: Processed in 0.000415 sec.

if I save the same message to disk and scan it with SA
(spamassassin -D <13.eml) I get:

* 10 FUZZY_OCR BODY: Mail contains an image with common spam text inside
* Words found: "buy" in 1 lines "symbol" in 1 lines "price" in 1 lines
* "trade" in 1 lines "recommendation" in 1 lines (7.5 word
* occurrences found)

According to sendmail, the email's size is just size=6649 bytes.

I'm running everything as root.

Any ideas what I could have done wrong?

Thanks!

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From list-mailscanner at linguaphone.com Tue Apr 17 18:04:27 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Apr 17 18:04:43 2007
Subject: FuzzyOcr 3.5.1 not seeing my images
In-Reply-To: <4624EB68.6000802@USherbrooke.ca>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Denis
> Beauchemin
> Sent: 17 April 2007 16:45
> To: MailScanner
> Subject: FuzzyOcr 3.5.1 not seeing my images
>
>
> Hello,
>
> I am experimenting with FuzzyOcr on a new server and my image spams are
> printing the following messages while MS is being run with debug on:
>
> [14793] dbg: FuzzyOcr: Starting FuzzyOcr...
> [14793] info: FuzzyOcr: Processing Message with ID
> "<4624E33B.7050701@USherbrooke.ca>" (A B ->
> A B )
> [14793] dbg: FuzzyOcr: fname: "spam13.gif" => "spam13.gif"
> [14793] dbg: message: decoding base64
> [14793] info: FuzzyOcr: Skipping file with
> content-type="image/gif" name="spam13.gif"
> [14793] dbg: FuzzyOcr: Skipping OCR, no image files found...
> [14793] dbg: FuzzyOcr: Processed in 0.000415 sec.

This is a section of the perl code that is causing the problem :-

    my $filename = $fname; $filename =~ tr{a-zA-Z0-9\-.}{_}cs;
    debuglog("fname: \"$fname\" => \"$filename\"");
    my $pdata = $p->decode();
    my $pdatalen = length($pdata);
    my $w = 0; my $h = 0;

    if ( substr($pdata,0,3) eq "\x47\x49\x46" ) {
        ## GIF File
        $imgfiles{$filename}{ftype} = 1;
        ($w,$h) = unpack("vv",substr($pdata,6,4));
        infolog("GIF: [${h}x${w}] $filename ($pdatalen)");
        $imgfiles{$filename}{width} = $w;
        $imgfiles{$filename}{height} = $h;

It is getting to the 2nd line ok but it appears that the decoded file is not
recognised as a valid gif file (the if command is failing).
The 'skipping ocr' message is triggered when there are no
'$imgfiles{$filename}{ftype}' being set.

From list-mailscanner at linguaphone.com Tue Apr 17 18:15:30 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Apr 17 18:15:44 2007
Subject: FuzzyOcr 3.5.1 not seeing my images
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Gareth
> Sent: 17 April 2007 18:04
> To: MailScanner discussion
> Subject: RE: FuzzyOcr 3.5.1 not seeing my images
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Denis
> > Beauchemin
> > Sent: 17 April 2007 16:45
> > To: MailScanner
> > Subject: FuzzyOcr 3.5.1 not seeing my images
> >
> >
> > Hello,
> >
> > I am experimenting with FuzzyOcr on a new server and my image spams are
> > printing the following messages while MS is being run with debug on:
> >
> > [14793] dbg: FuzzyOcr: Starting FuzzyOcr...
> > [14793] info: FuzzyOcr: Processing Message with ID
> > "<4624E33B.7050701@USherbrooke.ca>" (A B ->
> > A B )
> > [14793] dbg: FuzzyOcr: fname: "spam13.gif" => "spam13.gif"
> > [14793] dbg: message: decoding base64
> > [14793] info: FuzzyOcr: Skipping file with
> > content-type="image/gif" name="spam13.gif"
> > [14793] dbg: FuzzyOcr: Skipping OCR, no image files found...
> > [14793] dbg: FuzzyOcr: Processed in 0.000415 sec.
>
>
> This is a section of the perl code that is causing the problem :-
>
>     my $filename = $fname; $filename =~ tr{a-zA-Z0-9\-.}{_}cs;
>     debuglog("fname: \"$fname\" => \"$filename\"");
>     my $pdata = $p->decode();
>     my $pdatalen = length($pdata);
>     my $w = 0; my $h = 0;
>
>     if ( substr($pdata,0,3) eq "\x47\x49\x46" ) {
>         ## GIF File
>         $imgfiles{$filename}{ftype} = 1;
>         ($w,$h) = unpack("vv",substr($pdata,6,4));
>         infolog("GIF: [${h}x${w}] $filename ($pdatalen)");
>         $imgfiles{$filename}{width} = $w;
>         $imgfiles{$filename}{height} = $h;
>
> It is getting to the 2nd line ok but it appears that the decoded
> file is not
> recognised as a valid gif file (the if command is failing).
> The 'skipping ocr' message is triggered when there are no
> '$imgfiles{$filename}{ftype}' being set.

The people here might be able to help as well.
http://www.freespamfilter.org/forum/viewforum.php?f=25

From claude.gagne at multitech.qc.ca Tue Apr 17 19:49:41 2007
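The magic-byte test Gareth quotes, as an added stand-alone Perl example (not FuzzyOcr's code, and not a diagnosis of the message in this thread): it applies the same `substr`/`unpack` check to constructed inputs and reports what the first bytes look like when the check fails. `describe_part` and all sample data are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not FuzzyOcr code: what the quoted GIF test sees for
# different decoded MIME parts. All inputs below are constructed.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Same test as the quoted excerpt: "GIF" magic in bytes 0-2, then
# little-endian 16-bit width and height at offset 6.
sub gif_dimensions {
    my ($data) = @_;
    return unless defined $data && length($data) >= 10;
    return unless substr($data, 0, 3) eq "\x47\x49\x46";
    return unpack('vv', substr($data, 6, 4));
}

# Hypothetical helper: explain why a part passes or fails that test.
sub describe_part {
    my ($data) = @_;
    return 'empty part, nothing was decoded'
        unless defined $data && length $data;
    if (my ($w, $h) = gif_dimensions($data)) {
        return "GIF, ${w}x${h}";
    }
    return 'GIF signature but header is truncated'
        if substr($data, 0, 3) eq 'GIF';
    # "R0lGOD" is how "GIF8" looks while it is still base64 text.
    return 'still base64 text, transfer encoding was not removed'
        if $data =~ /\AR0lGOD/;
    return 'GIF signature preceded by whitespace'
        if $data =~ /\A\s+GIF8[79]a/;
    return 'not a GIF, first bytes: ' . unpack('H*', substr($data, 0, 8));
}

# Constructed 14-byte GIF header (400x300); not a renderable image.
my $gif = 'GIF89a' . pack('vv', 400, 300) . "\x00\x00\x00\x3b";

my @parts = (
    [ 'decoded GIF'            => $gif ],
    [ 'base64 left in place'   => encode_base64($gif) ],
    [ 'leading CRLF'           => "\r\n" . $gif ],
    [ 'truncated after magic'  => substr($gif, 0, 6) ],
    [ 'JPEG bytes, gif label'  => "\xff\xd8\xff\xe0" . "\x00" x 8 ],
    [ 'empty'                  => '' ],
);

printf "%-24s %s\n", $_->[0], describe_part($_->[1]) for @parts;
```

Only the first input sets a file type in the sense of the quoted excerpt; each of the others would end in the "Skipping OCR, no image files found" path.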
From: claude.gagne at multitech.qc.ca (=?ISO-8859-1?Q?Claude_Gagn=E9?=)
Date: Tue Apr 17 19:47:52 2007
Subject: Wich POP3 server
Message-ID: <462516C5.3010306@multitech.qc.ca>

Hi,

I'm currently searching for a good POP3. I heard that dovecot is pretty
good.

What do you think ?

--
*Claude Gagné*
/Technicien informatique/
claude.gagne@multitech.qc.ca

226-A, chemin des Poirier
Montmagny (Qc) G5V 3X8
Tél. : (418) 248-2247
Téléc. : (418) 248-2230

*8, rue du Domaine
Rivière-du-Loup (Qc) G5R 2P5
Tél. : (418) 867-3355
Téléc. : (418) 867-2775*

-------------- next part --------------
Skipped content of type multipart/related

From dominian at slackadelic.com Tue Apr 17 19:52:38 2007
From: dominian at slackadelic.com (Matt Hayes)
Date: Tue Apr 17 19:52:50 2007
Subject: Wich POP3 server
In-Reply-To: <462516C5.3010306@multitech.qc.ca>
References: <462516C5.3010306@multitech.qc.ca>
Message-ID: <46251776.1070005@slackadelic.com>

Claude Gagné wrote:
> Hi,
>
> I'm currently searching for a good POP3. I heard that dovecot is pretty
> good.
>
> What do you think ?

I use dovecot for IMAP/POP3 and I really like it. Easy to
install/configure.

-Matt

From ssilva at sgvwater.com Tue Apr 17 20:18:06 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 17 20:20:15 2007
Subject: Wich POP3 server
In-Reply-To: <46251776.1070005@slackadelic.com>
References: <462516C5.3010306@multitech.qc.ca> <46251776.1070005@slackadelic.com>
Message-ID:

Matt Hayes spake the following on 4/17/2007 11:52 AM:
> Claude Gagné wrote:
>> Hi,
>>
>> I'm currently searching for a good POP3. I heard that dovecot is
>> pretty good.
>>
>> What do you think ?
>
>
> I use dovecot for IMAP/POP3 and I really like it. Easy to
> install/configure.
>
> -Matt
>
>
And Dovecot just went to 1.0 stable, so no reason to hold out because it is a
beta or RC.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From list-mailscanner at linguaphone.com Tue Apr 17 20:20:29 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Apr 17 20:20:36 2007
Subject: Wich POP3 server
In-Reply-To: <462516C5.3010306@multitech.qc.ca>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Claude
> Gagné
> Sent: 17 April 2007 19:50
> To: mailscanner@lists.mailscanner.info
> Subject: Wich POP3 server
>
>
> Hi,
>
> I'm currently searching for a good POP3. I heard that dovecot is
> pretty good.
>
> What do you think ?

Dovecot is very good but is there a specific reason why you wish to go with
POP3 and not IMAP?

IMAP has a number of advantages such as :-
* Email stored on the server so it can be backed up and accessible from many
machines.
* Can have shared folders.
* Can use procmail to filter identified spam into a subfolder automatically.

From claude.gagne at multitech.qc.ca Tue Apr 17 20:31:06 2007
From: claude.gagne at multitech.qc.ca (=?ISO-8859-1?Q?Claude_Gagn=E9?=)
Date: Tue Apr 17 20:29:15 2007
Subject: Wich POP3 server
In-Reply-To:
References:
Message-ID: <4625207A.9020801@multitech.qc.ca>

We are still using POP3 because we don't have enough storage on our
servers to keep all emails. Also we don't have a good backup solution to
support that.

Gareth wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Claude
>> Gagné
>> Sent: 17 April 2007 19:50
>> To: mailscanner@lists.mailscanner.info
>> Subject: Wich POP3 server
>>
>>
>> Hi,
>>
>> I'm currently searching for a good POP3. I heard that dovecot is
>> pretty good.
>>
>> What do you think ?
>>
>
> Dovecot is very good but is there a specific reason why you wish to go with
> POP3 and not IMAP?
>
> IMAP has a number of advantages such as :-
> * Email stored on the server so it can be backup up and accessible from many
> machines.
> * Can have shared folders.
> * Can use procmail to filter identified spam into a subfolder automatically.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070417/1b291e55/attachment.html

From amoore at dekalbmemorial.com Tue Apr 17 20:50:30 2007
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Tue Apr 17 20:50:34 2007
Subject: Problems receiving E-mail
In-Reply-To:
References: <20070417105116.GE5164@doctor.nl2k.ab.ca><3cc9c83bb8826743b6087a3b8a706e63@solidstatelogic.com>
Message-ID: <60D398EB2DB948409CA1F50D8AF122570230D798@exch1.dekalbmemorial.local>

> We are having problems receiving mail from large e-mail hosting
> companies such as Yahoo, Hotmail, Bell Canada, Telus , Shaw and maybe
> other.

Are you using any RBLs within sendmail or any other milters? I've had
problems with some of the less reliable RBLs adding ISP mail servers.

> I hae used sendmail 8.13.8 and 8.14.1 and the problem is ever-present.
>
> Here is a snippet from my logs of an e-mail that was supposed to go
> to me and never got to me:
>
> Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: from=<>,
> size=5575, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA,
> relay=incomingmailserver [IP of incoming Mail Server] Apr 6 20:02:00
> doctor clamav-milter[805]: l3721wnV001728: clean message from <> Apr
> 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: Milter add: header:
> X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7
> on doctor.nl2k.ab.ca Apr 6 20:02:00 doctor sendmail[1728]:
> l3721wnV001728: Milter add: header: X-Virus-Status: Clean
>
> What is needed to resolve the problem so that all mail can make it
> through?

--
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, Indiana
Phone: 260.920.2808
E-Mail: amoore@dekalbmemorial.com

From PaulC at Car-Part.com Tue Apr 17 20:51:01 2007
From: PaulC at Car-Part.com (Paul Cahill)
Date: Tue Apr 17 20:51:14 2007
Subject: Wich POP3 server
In-Reply-To: <462516C5.3010306@multitech.qc.ca>
References: <462516C5.3010306@multitech.qc.ca>
Message-ID: <288501c78129$bb26c170$06fea8c0@pauldell>

I've had @Mail (www.atmail.com) recommended to our company by a couple
people related to mailscanner. From the look of the features and the
price it really looks great. I haven't installed it, only played with
the demo a bit. I did email the developers about some conversion info
and they were really quick to get back to me and knowledgeable.

Paul

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Claude Gagné
Sent: Tuesday, April 17, 2007 2:50 PM
To: mailscanner@lists.mailscanner.info
Subject: Wich POP3 server

Hi,

I'm currently searching for a good POP3. I heard that dovecot is pretty
good.

What do you think ?

--
Claude Gagné
Technicien informatique
claude.gagne@multitech.qc.ca

226-A, chemin des Poirier
Montmagny (Qc) G5V 3X8
Tél. : (418) 248-2247
Téléc. : (418) 248-2230

8, rue du Domaine
Rivière-du-Loup (Qc) G5R 2P5
Tél. : (418) 867-3355
Téléc. : (418) 867-2775

From rabellino at di.unito.it Tue Apr 17 23:50:49 2007
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Tue Apr 17 23:50:59 2007
Subject: Wich POP3 server
References: <462516C5.3010306@multitech.qc.ca><46251776.1070005@slackadelic.com>
Message-ID: <004801c78142$d8ee9ed0$6689a8c0@di.unito.it>

I'm using Washington University (WU) server POP/IMAP without serious
troubles since '98.
I don't know which OS you have on your system, as this application is
unix-oriented.

Bye.

----- Original Message -----
From: "Scott Silva"
To:
Sent: Tuesday, April 17, 2007 9:18 PM
Subject: Re: Wich POP3 server

Matt Hayes spake the following on 4/17/2007 11:52 AM:
> Claude Gagné wrote:
>> Hi,
>>
>> I'm currently searching for a good POP3. I heard that dovecot is
>> pretty good.
>>
>> What do you think ?
>
>
> I use dovecot for IMAP/POP3 and I really like it. Easy to
> install/configure.
>
> -Matt
>
>
And Dovecot just went to 1.0 stable, so no reason to hold out because it is
a beta or RC.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From ssilva at sgvwater.com Wed Apr 18 00:06:50 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Apr 18 00:07:10 2007
Subject: Wich POP3 server
In-Reply-To: <004801c78142$d8ee9ed0$6689a8c0@di.unito.it>
References: <462516C5.3010306@multitech.qc.ca><46251776.1070005@slackadelic.com> <004801c78142$d8ee9ed0$6689a8c0@di.unito.it>
Message-ID:

Sergio Rabellino spake the following on 4/17/2007 3:50 PM:
> I'm using Washington University (WU) server POP/IMAP without serious
> troubles since '98.
> I don't know which OS you have on your system, as this application is
> unix-oriented.

wuimap is getting some bad press when it comes to large mbox files. It seems
to index them in memory, and can bring a server to its knees if you don't
limit mail storage quotas.
That is one reason that some of the major distros went with dovecot.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ka at pacific.net Wed Apr 18 00:25:31 2007
From: ka at pacific.net (Ken A)
Date: Wed Apr 18 00:25:31 2007
Subject: Wich POP3 server
In-Reply-To:
References: <462516C5.3010306@multitech.qc.ca><46251776.1070005@slackadelic.com> <004801c78142$d8ee9ed0$6689a8c0@di.unito.it>
Message-ID: <4625576B.3040102@pacific.net>

Scott Silva wrote:
> Sergio Rabellino spake the following on 4/17/2007 3:50 PM:
>> I'm using Washington University (WU) server POP/IMAP without serious
>> troubles since '98.
>> I don't know which OS you have on your system, as this application is
>> unix-oriented.
> wuimap is getting some bad press when it comes to large mbox files. It seems
> to index them in memory, and can bring a server to its knees if you don't
> limit mail storage quotas.
> That is one reason that some of the major distros went with dovecot.
>

qpopper is solid also, but doesn't use indexes at all, so it's quite a
bit slower than dovecot or wu pop3d.

--
Ken Anderson
Pacific.Net

From ssilva at sgvwater.com Wed Apr 18 00:38:46 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Apr 18 00:39:04 2007
Subject: Wich POP3 server
In-Reply-To: <462516C5.3010306@multitech.qc.ca>
References: <462516C5.3010306@multitech.qc.ca>
Message-ID:

Claude Gagné spake the following on 4/17/2007 11:49 AM:
> Hi,
>
> I'm currently searching for a good POP3. I heard that dovecot is pretty
> good.
>
> What do you think ?

I just had to say this at the top of the thread.
Use what comes with the version of linux you install. Pop3 is less intensive
on a server because the mail is pulled to the client and deleted. If you might
want IMAP for some clients, then you want to look for performance.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From res at ausics.net Wed Apr 18 01:03:56 2007
From: res at ausics.net (Res)
Date: Wed Apr 18 01:04:09 2007
Subject: Wich POP3 server
In-Reply-To: <462516C5.3010306@multitech.qc.ca>
References: <462516C5.3010306@multitech.qc.ca>
Message-ID:

On Tue, 17 Apr 2007, Claude Gagné wrote:

> Hi,
>
> I'm currently searching for a good POP3. I heard that dovecot is pretty good.
>
> What do you think ?
>

Dovecot is OK, it's pretty fast, but buggy, it had 31 or so release candidates before 1.0, and a bug was found the same day it was released (under a week ago), it reminds me of gaim, and how holey that is, the only difference is, on dedicated sendmail boxes I will use Dovecot (and never touch gaim despite its recent name change to try to avoid the stigma), as we use squirrelmail and its nice features, if you don't need imap, try popa3d, very small, very fast.

If you use Qmail, then use vpopmail, if you want a good webmail with it, install courier-imap and squirrelmail, using mysql to hold user prefs/address books etc.

If you use postmix and Maildir, who knows, probably Dovecot.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From res at ausics.net Wed Apr 18 01:05:49 2007
From: res at ausics.net (Res)
Date: Wed Apr 18 01:06:00 2007
Subject: Wich POP3 server
In-Reply-To:
References:
Message-ID:

On Tue, 17 Apr 2007, Gareth wrote:

> * Can have shared folders.

This can be a pain in large environments, too many clowns putting confidential mail in wrong places :)

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From res at ausics.net Wed Apr 18 01:12:57 2007
From: res at ausics.net (Res)
Date: Wed Apr 18 01:13:07 2007
Subject: Wich POP3 server
In-Reply-To: <4625207A.9020801@multitech.qc.ca>
References: <4625207A.9020801@multitech.qc.ca>
Message-ID:

On Tue, 17 Apr 2007, Claude Gagné wrote:

> We are still using POP3 because we don't have the enough storage on our
> servers to keep all emails. Also we don't have good backup solution to
> support that.

Nothing wrong with that, POP3 is preferred here, we deny access to imap servers (they're only installed on local webmail servers).

If you offer imap and advertise this as 'your mail on our boxes' the onus is on you legally, if something should ever happen and you can't recover someone's important mail, you could be screwed legally (after all who backs up entire mail arrays even every hour), not likely the netapp filers will ever have catastrophic failure that causes no mail to be recovered, but if you say "it'll never happen to me" you're the first person it will likely happen to :)

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From lists at jfworks.net Thu Apr 19 04:04:11 2007
From: lists at jfworks.net (James)
Date: Wed Apr 18 04:04:39 2007
Subject: Wich POP3 server
In-Reply-To: <462516C5.3010306@multitech.qc.ca>
References: <462516C5.3010306@multitech.qc.ca>
Message-ID: <4626DC2B.90001@jfworks.net>

Claude Gagné wrote:
> Hi,
>
> I'm currently searching for a good POP3. I heard that dovecot is
> pretty good.
>
> What do you think ?
> --
> * Claude Gagné*
> / IT technician/
>
> claude.gagne@multitech.qc.ca
> 226-A, chemin des Poirier
> Montmagny (Qc)
> G5V 3X8
>
> Tel. : (418) 248-2247
> Fax : (418) 248-2230
>
> *8, rue du Domaine
> Rivière-du-Loup (Qc)
> G5R 2P5
>
> Tel. : (418) 867-3355
> Fax : (418) 867-2775
> *
>
>

I use popa3d but only for a handful - maybe 30 people. It seems to work well and there didn't seem to be anything too tricky about it. Perhaps take the suggested daemons and give 'em all a test drive for a week or two and see.

From drew at technologytiger.net Wed Apr 18 08:06:10 2007
From: drew at technologytiger.net (Drew Marshall) Date: Wed Apr 18 08:06:18 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: On 18 Apr 2007, at 01:03, Res wrote: > Dovecot is OK, its pretty fast, but buggy, it had 31 or so release > candicates before 1.0, and a bug was found the same day it was > released > (under a week ago), it reminds me of gaim, and how holey that is, > the only difference is, on dedicated sendmail boxes I will use > Dovecot (and never touch gaim despite its recent name change to try > avoid the stigma), as we use squirrelmail and its nice features, if > you dont need imap, try popa3d, very small, very fast. > > If you use Qmail, then use vpopmail, if you want a good webmail > with it, instlal courier-imap and squirrelmail, useing mysql to > hold user prefs/address books etc. > > If you use postmix and Maildir, who knows, probably Dovecot. Or indeed any of the above! As you will remember oh Evil Bunny, Postmix, the flexibility of that 'aged monolithic software' you like with the performance of that 'patched to death to bring it close to modern' MTA :-) Personally, I use maildir with Courier-IMAP, Squirrelmail (For webmail) and all tied together with MySQL userdb (And managed through Postfix-Admin, which is nice and simple and you can delegate mailbox control to 'domain admins', which saves loads of support time when users want another alias or mailbox set up). Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From s.oreilly at linnovations.co.uk Wed Apr 18 08:11:32 2007 
From: s.oreilly at linnovations.co.uk (Sean O'Reilly)
Date: Wed Apr 18 08:32:22 2007
Subject: Anti Spoofing Ruleset
Message-ID: <1176880293.9030.4.camel@localhost.localdomain>

Hi Guys,

Am fairly new to MailScanner and would like a little help with writing a ruleset that will stop internal mail (mail coming from our domain) coming from an external address.

Is it possible to do something along the lines of

From 'our domain' !localnet no

or have I misunderstood how rulesets work?

Best regards

Sean

From arto.saraniva at artio.net Wed Apr 18 08:29:28 2007
From: arto.saraniva at artio.net (Arto)
Date: Wed Apr 18 09:30:14 2007
Subject: Wich POP3 server
In-Reply-To:
References: <462516C5.3010306@multitech.qc.ca>
Message-ID:

Res wrote:
> On Tue, 17 Apr 2007, Claude Gagné wrote:
>
>> Hi,
>>
>> I'm currently searching for a good POP3. I heard that dovecot is
>> pretty good.
>>
>> What do you think ?
>>
>
> Dovecot is OK, it's pretty fast, but buggy, it had 31 or so release
> candidates before 1.0, and a bug was found the same day it was released
> (under a week ago), it reminds me of gaim, and how holey that is, the
> only difference is, on dedicated sendmail boxes I will use Dovecot (and
> never touch gaim despite its recent name change to try to avoid the
> stigma), as we use squirrelmail and its nice features, if you don't need
> imap, try popa3d, very small, very fast.

I have to disagree. I have followed the development of dovecot and I must say Timo's principles to implement it are really demanding. The amount of release candidates does not tell the truth. Already the first of them were used in demanding production.

-arto

From lhaig at haigmail.com Wed Apr 18 09:40:22 2007
From: lhaig at haigmail.com (Lance Haig) Date: Wed Apr 18 09:40:24 2007 Subject: Best method of backing up postfix Message-ID: <4625D976.6050609@haigmail.com> Hi, What would be the best method of backing up a postfix configuration? I have several smtp systems that I need to DR protect and I was just wondering if I just need to tar the /etc directory of the systems Thanks Lance From paul.hutchings at mira.co.uk Wed Apr 18 09:49:33 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Apr 18 09:50:00 2007 Subject: Best method of backing up postfix Message-ID: I guess it depends a little on the architecture of your distribution, but all I do is a weekly tar/email of the /etc/postfix folder as it's the only place that my postfix config files live. There are a few odds and sods outside of that folder but they're related to policy servers that can be added at leisure if I ever lost the box and had to rebuild. Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lance Haig
Sent: 18 April 2007 09:40
To: MailScanner discussion
Subject: Best method of backing up postfix

Hi,

What would be the best method of backing up a postfix configuration?

I have several smtp systems that I need to DR protect and I was just wondering if I just need to tar the /etc directory of the systems

Thanks

Lance

From list-mailscanner at linguaphone.com Wed Apr 18 09:50:52 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Wed Apr 18 09:50:57 2007
Subject: Best method of backing up postfix
In-Reply-To: <4625D976.6050609@haigmail.com>
References: <4625D976.6050609@haigmail.com>
Message-ID: <1176886252.16168.0.camel@gblades-suse.linguaphone-intranet.co.uk>

Creating a tar archive of the /etc/postfix directory would be sufficient for backing up the postfix configuration.

On Wed, 2007-04-18 at 09:40, Lance Haig wrote:
> Hi,
>
> What would be the best method of backing up a postfix configuration?
>
> I have several smtp systems that I need to DR protect and I was just
> wondering if I just need to tar the /etc directory of the systems
>
> Thanks
>
> Lance

From nauman at worldcall.net.pk Wed Apr 18 10:02:44 2007
From: nauman at worldcall.net.pk (Muhammad Nauman)
Date: Wed Apr 18 10:02:41 2007
Subject: Wich POP3 server
References: <462516C5.3010306@multitech.qc.ca>
Message-ID: <00d801c78198$5404c7c0$23c051cb@ictnoc>

Res wrote:
> On Tue, 17 Apr 2007, Claude Gagné wrote:
>
>> Hi,
>>
>> I'm currently searching for a good POP3. I heard that dovecot is pretty
>> good.

> never touch gaim despite its recent name change to try avoid the stigma),
> as we use squirrelmail and its nice features, if you dont need imap, try
> popa3d, very small, very fast.

>I have to disagree. I have followed the development of dovecot and I must
>say Timo's principles to implement it are really demanding. The amount of
>release candidates does not tell the truth. Already the first of them were
>used in demanding production.

One good option is QPOPPER! I'm using this ROBUST Popper for the last 3 years. I have installed this on 4 running servers with almost 1000 users on each and it works fine. Just at times it raises the level of CPU utilization for users having a HUGE mailbox size. Otherwise it works pretty cool.

Thanks and Regards,

M.Nauman Habib
Network Engineer
ICT Department
WorldCALL Multimedia Pvt Ltd
16-S Gulberg II
Lahore, Pakistan

From lhaig at haigmail.com Wed Apr 18 10:39:14 2007
From: lhaig at haigmail.com (Lance Haig) Date: Wed Apr 18 10:39:18 2007 Subject: Best method of backing up postfix In-Reply-To: References: Message-ID: <4625E742.5090406@haigmail.com> Thanks Paul/Gareth I will get this running asap Lance Paul Hutchings wrote: > I guess it depends a little on the architecture of your distribution, > but all I do is a weekly tar/email of the /etc/postfix folder as it's > the only place that my postfix config files live. > > There are a few odds and sods outside of that folder but they're related > to policy servers that can be added at leisure if I ever lost the box > and had to rebuild. > > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lance > Haig > Sent: 18 April 2007 09:40 > To: MailScanner discussion > Subject: Best method of backing up postfix > > Hi, > > What would be the best method of backing up a postfix configuration? > > I have several smtp systems that I need to DR protect and I was just > wondering if I just need to tar the /etc directory of the systems > > Thanks > > Lance > > From dward at nccumc.org Wed Apr 18 11:38:32 2007 
From: dward at nccumc.org (Douglas Ward) Date: Wed Apr 18 11:38:35 2007 Subject: Best method of backing up postfix In-Reply-To: <4625D976.6050609@haigmail.com> References: <4625D976.6050609@haigmail.com> Message-ID: I have a linux server with very large hard drives that I back everything up to remotely. Look into a program called rsync. It works great! On 4/18/07, Lance Haig wrote: > > Hi, > > What would be the best method of backing up a postfix configuration? > > I have several smtp systems that I need to DR protect and I was just > wondering if I just need to tar the /etc directory of the systems > > Thanks > > Lance > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070418/70ea98ea/attachment.html From am.lists at gmail.com Wed Apr 18 11:45:31 2007 
From: am.lists at gmail.com (am.lists) Date: Wed Apr 18 11:45:35 2007 Subject: Anti Spoofing Ruleset In-Reply-To: <1176880293.9030.4.camel@localhost.localdomain> References: <1176880293.9030.4.camel@localhost.localdomain> Message-ID: <25a66d840704180345u719f3c40k1d05857602c1184c@mail.gmail.com> On 4/18/07, Sean O'Reilly wrote: > > Hi Guys, > > Am fairly new to MailScanner and would like a little help with writing a > ruleset that will stop internal mail (mail coming from our domain) coming > from an external address. > > Is it possible to do something along the lines of > > From 'our domain' !localnet no > > or have i misunderstood how rulesets work You could create a spamassassin meta rule to accomplish this. I think I know why you want this but here's the kicker... any time one of your users (HR departments are famous for this) use some sort of third party program that sends mail, even for official purposes, will sometimes violate the laws of spoofing. A typical example is the HR Jobs/Recruiting application, where it sends mail as the logged-in HR user. Also if you read back a few days/weeks, this was discussed here as well how an HR group also used a (gasp...) e-card service that spoofed the company's real email address as the from header. Also, many websites that have a "send this page to a friend" functionality also misbehave in this same way. So in short, yes, it can be done... but step carefully. As an alternative, you might find out why these are getting through your filters as they are now and just tweak the ones you have. If you haven't already, take a look at RDJ (Rules du Jour) and the Botnet script. There are plenty of extra non-default rules there that score the spoofed stuff pretty well (because they come from dial-up addresses, for example). Regards, Angelo From s.oreilly at linnovations.co.uk Wed Apr 18 11:50:02 2007 
From: s.oreilly at linnovations.co.uk (Sean O'Reilly) Date: Wed Apr 18 11:55:43 2007 Subject: Anti Spoofing Ruleset In-Reply-To: <25a66d840704180345u719f3c40k1d05857602c1184c@mail.gmail.com> References: <1176880293.9030.4.camel@localhost.localdomain> <25a66d840704180345u719f3c40k1d05857602c1184c@mail.gmail.com> Message-ID: <1176893402.9505.30.camel@localhost.localdomain> Basically all i want to say is if the mail is from anyone@ourdomain it has got to originate from our network or networks. Will RDJ do this for me ? On Wed, 2007-04-18 at 06:45 -0400, am.lists wrote: > On 4/18/07, Sean O'Reilly wrote: > > > > Hi Guys, > > > > Am fairly new to MailScanner and would like a little help with writing a > > ruleset that will stop internal mail (mail coming from our domain) coming > > from an external address. > > > > Is it possible to do something along the lines of > > > > From 'our domain' !localnet no > > > > or have i misunderstood how rulesets work > > You could create a spamassassin meta rule to accomplish this. I think > I know why you want this but here's the kicker... any time one of your > users (HR departments are famous for this) use some sort of third > party program that sends mail, even for official purposes, will > sometimes violate the laws of spoofing. A typical example is the HR > Jobs/Recruiting application, where it sends mail as the logged-in HR > user. Also if you read back a few days/weeks, this was discussed here > as well how an HR group also used a (gasp...) e-card service that > spoofed the company's real email address as the from header. Also, > many websites that have a "send this page to a friend" functionality > also misbehave in this same way. > > So in short, yes, it can be done... but step carefully. As an > alternative, you might find out why these are getting through your > filters as they are now and just tweak the ones you have. If you > haven't already, take a look at RDJ (Rules du Jour) and the Botnet > script. 
There are plenty of extra non-default rules there that score > the spoofed stuff pretty well (because they come from dial-up > addresses, for example). > > Regards, > Angelo -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070418/9c3b0a12/attachment.html From jaearick at colby.edu Wed Apr 18 12:29:37 2007 
From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Apr 18 12:29:49 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: On Wed, 18 Apr 2007, Arto wrote: >> On Tue, 17 Apr 2007, Claude Gagn wrote: >> >>> Hi, >>> >>> I'm currently searching for a good POP3. I heard that dovecot is pretty >>> good. >>> >>> What do you think ? >>> >> >> Dovecot is OK, its pretty fast, but buggy, it had 31 or so release >> candicates before 1.0, and a bug was found the same day it was released >> (under a week ago), it reminds me of gaim, and how holey that is, the only >> difference is, on dedicated sendmail boxes I will use Dovecot (and never >> touch gaim despite its recent name change to try avoid the stigma), as we >> use squirrelmail and its nice features, if you dont need imap, try popa3d, >> very small, very fast. > > I have to disagree. I have followed the development of dovecot and I must say > Timo's principles to implement it are really demanding. The amount of release > candidates does not tell the truth. Already the first of them were used in > demanding production. I second Arto's disagreement. In fact, calling dovecot buggy is really unfair. I have been using dovecot *in production* since beta9 (about 1.5 years and about 40 releases ago). Even at beta9, it blew the doors off of UW IMAP. It has just gotten better, faster, more features since then. The only rc that ever blew up on me was rc27. I dropped back to rc26, and Timo had rc28 released within two hours to fix the problem. Dovecot is rock solid code now at 1.0. Disclaimer: I only use dovecot for IMAP, not POP. I use qpopper for that (different machine). I should switch... Jeff Earickson Colby College From lhaig at haigmail.co.uk Wed Apr 18 12:52:13 2007 
From: lhaig at haigmail.co.uk (Lance Haig) Date: Wed Apr 18 12:52:17 2007 Subject: Best method of backing up postfix In-Reply-To: References: <4625D976.6050609@haigmail.com> Message-ID: <4626066D.8020106@haigmail.co.uk> Douglas, Thanks I Will be using rsync to move the tar files to a central server for manual CD backup Thanks Lance Douglas Ward wrote: > I have a linux server with very large hard drives that I back > everything up to remotely. Look into a program called rsync. It > works great! > > On 4/18/07, *Lance Haig * > wrote: > > Hi, > > What would be the best method of backing up a postfix configuration? > > I have several smtp systems that I need to DR protect and I was just > wondering if I just need to tar the /etc directory of the systems > > Thanks > > Lance > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > This message has been scanned for viruses and > dangerous content by *Red Armour MailScanner* > , and is > believed to be clean. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070418/b837a5da/attachment.html From steve.swaney at fsl.com Wed Apr 18 12:55:10 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Apr 18 12:55:30 2007 Subject: Anti Spoofing Ruleset In-Reply-To: <1176893402.9505.30.camel@localhost.localdomain> References: <1176880293.9030.4.camel@localhost.localdomain> <25a66d840704180345u719f3c40k1d05857602c1184c@mail.gmail.com> <1176893402.9505.30.camel@localhost.localdomain> Message-ID: <07f101c781b0$6aada2e0$4008e8a0$@swaney@fsl.com> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Sean O'Reilly > Sent: Wednesday, April 18, 2007 6:50 AM > To: MailScanner discussion > Subject: Re: Anti Spoofing Ruleset > > Basically all i want to say is if the mail is from anyone@ourdomain it > has got to originate from our network or networks. Will RDJ do this for > me ? > > No Rules du Jour adds and maintains a set of SARE rule sets for SpamAssassin to use but I definitely recommend using RDJ. Steve Steve Swaney steve@fsl.com From Denis.Beauchemin at USherbrooke.ca Wed Apr 18 13:33:15 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Apr 18 13:33:23 2007
Subject: FuzzyOcr 3.5.1 not seeing my images
In-Reply-To:
References:
Message-ID: <4626100B.8030801@USherbrooke.ca>

Gareth wrote:
>> -----Original Message-----
>>
>> I am experimenting with FuzzyOcr on a new server and my image spams are
>> printing the following messages while MS is being run with debug on:
>>
>> [14793] dbg: FuzzyOcr: Starting FuzzyOcr...
>> [14793] info: FuzzyOcr: Processing Message with ID
>> "<4624E33B.7050701@USherbrooke.ca>" (A B ->
>> A B )
>> [14793] dbg: FuzzyOcr: fname: "spam13.gif" => "spam13.gif"
>> [14793] dbg: message: decoding base64
>> [14793] info: FuzzyOcr: Skipping file with
>> content-type="image/gif" name="spam13.gif"
>> [14793] dbg: FuzzyOcr: Skipping OCR, no image files found...
>> [14793] dbg: FuzzyOcr: Processed in 0.000415 sec.
>>
>
>
> This is a section of the perl code that is causing the problem :-
>
> my $filename = $fname; $filename =~ tr{a-zA-Z0-9\-.}{_}cs;
> debuglog("fname: \"$fname\" => \"$filename\"");
> my $pdata = $p->decode();
> my $pdatalen = length($pdata);
> my $w = 0; my $h = 0;
>
> if ( substr($pdata,0,3) eq "\x47\x49\x46" ) {
> ## GIF File
> $imgfiles{$filename}{ftype} = 1;
> ($w,$h) = unpack("vv",substr($pdata,6,4));
> infolog("GIF: [${h}x${w}] $filename ($pdatalen)");
> $imgfiles{$filename}{width} = $w;
> $imgfiles{$filename}{height} = $h;
>
> It is getting to the 2nd line ok but it appears that the decoded file is not
> recognised as a valid gif file (the if command is failing).
> The 'skipping ocr' message is triggered when there are no
> '$imgfiles{$filename}{ftype}' being set.
>
>

Gareth,

I looked at the code and added some calls to infolog() which resulted in $pdatalen being 0.

Looks like the call to decode() is either broken or the email it is working with is incomplete...

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From Denis.Beauchemin at USherbrooke.ca Wed Apr 18 13:56:33 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Apr 18 13:57:06 2007 Subject: FuzzyOcr 3.5.1 not seeing my images In-Reply-To: <4626100B.8030801@USherbrooke.ca> References: <4626100B.8030801@USherbrooke.ca> Message-ID: <46261581.9040208@USherbrooke.ca> Denis Beauchemin a ?crit : > Gareth a ?crit : >>> -----Original Message----- >>> >>> I am experimenting with FuzzyOcr on a new server and my image spams are >>> printing the following messages while MS is being run with debug on: >>> >>> [14793] dbg: FuzzyOcr: Starting FuzzyOcr... >>> [14793] info: FuzzyOcr: Processing Message with ID >>> "<4624E33B.7050701@USherbrooke.ca>" (A B -> >>> A B ) >>> [14793] dbg: FuzzyOcr: fname: "spam13.gif" => "spam13.gif" >>> [14793] dbg: message: decoding base64 >>> [14793] info: FuzzyOcr: Skipping file with >>> content-type="image/gif" name="spam13.gif" >>> [14793] dbg: FuzzyOcr: Skipping OCR, no image files found... >>> [14793] dbg: FuzzyOcr: Processed in 0.000415 sec. >>> >> >> >> This is a section of the perl code that is causing the problem :- >> >> my $filename = $fname; $filename =~ tr{a-zA-Z0-9\-.}{_}cs; >> debuglog("fname: \"$fname\" => \"$filename\""); >> my $pdata = $p->decode(); >> my $pdatalen = length($pdata); >> my $w = 0; my $h = 0; >> >> if ( substr($pdata,0,3) eq "\x47\x49\x46" ) { >> ## GIF File >> $imgfiles{$filename}{ftype} = 1; >> ($w,$h) = unpack("vv",substr($pdata,6,4)); >> infolog("GIF: [${h}x${w}] $filename ($pdatalen)"); >> $imgfiles{$filename}{width} = $w; >> $imgfiles{$filename}{height} = $h; >> >> It is getting to the 2nd line ok but it appears that the decoded file >> is not >> recognised as a valid gif file (the if command is failing). >> The 'skipping ocr' message is triggered when there are no >> '$imgfiles{$filename}{ftype}' being set. >> >> > Gareth, > > I looked at the code and added some calls to infolog() which resulted > in $pdatalen being 0. 
> Looks like the call to decode() is either broken or the email it is > working with is incomplete... > > Denis > Anyone using FuzzyOcr on a RHEL5 (or CentOS 5) system? I installed using Red Hat's RPMS when available: netpbm netpbm-devel netpbm-progs gtk+-devel giflib giflib-utils giflib-devel ImageMagick. Is there some broken RPM in there? Thanks! Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070418/7c95c9ee/smime.bin From list-mailscanner at linguaphone.com Wed Apr 18 13:58:46 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 18 13:59:03 2007 Subject: FuzzyOcr 3.5.1 not seeing my images In-Reply-To: <4626100B.8030801@USherbrooke.ca> References: <4626100B.8030801@USherbrooke.ca> Message-ID: <1176901125.16165.14.camel@gblades-suse.linguaphone-intranet.co.uk> On Wed, 2007-04-18 at 13:33, Denis Beauchemin wrote: > Gareth, > > I looked at the code and added some calls to infolog() which resulted in > $pdatalen being 0. > > Looks like the call to decode() is either broken or the email it is > working with is incomplete... > > Denis I would run up perl CPAN and perform an update just to make sure you have the latest copy of all the modules installed. From Richard.Frovarp at sendit.nodak.edu Wed Apr 18 14:36:19 2007 
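The header check from the Perl excerpt quoted in this thread, re-expressed as an added Python example (it is not FuzzyOcr's code and not part of any post). It reports an empty decoded payload, the condition Denis describes with `$pdatalen` being 0, separately from a payload that decodes but is not a GIF. Assumptions: Python's `email` package stands in for SpamAssassin's message object, and the sample messages and function names are constructed for illustration.

```python
import re
import struct
from email.message import EmailMessage

GIF_MAGIC = b"GIF"  # the same three bytes the quoted Perl compares: \x47\x49\x46

# Constructed sample payloads: a minimal GIF header (120x80) and PNG-like bytes.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 120, 80) + b"\x00\x00\x00\x3b"
SAMPLE_NOT_GIF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def safe_name(fname):
    """Python equivalent of tr{a-zA-Z0-9\\-.}{_}cs: squeeze each run of
    characters outside the allowed set into a single underscore."""
    return re.sub(r"[^a-zA-Z0-9\-.]+", "_", fname or "")


def inspect_part(part):
    """Describe one MIME part; return None for parts that are not images."""
    if part.get_content_maintype() != "image":
        return None
    data = part.get_payload(decode=True) or b""
    result = {
        "name": safe_name(part.get_filename()),
        "declared": part.get_content_type(),
        "length": len(data),
    }
    if len(data) == 0:
        # Decoding produced nothing: the part body is missing or the decoder
        # failed. The magic-byte test below would fail for the same input,
        # but the cause is not "this is not a GIF".
        result["status"] = "empty-payload"
    elif len(data) < 10:
        # Signature (6 bytes) plus width and height (4 bytes) are required.
        result["status"] = "too-short"
    elif data[:3] != GIF_MAGIC:
        result["status"] = "not-gif"
    else:
        # Logical screen width and height: two little-endian 16-bit values
        # at offset 6, which is what unpack("vv", substr($pdata,6,4)) reads.
        width, height = struct.unpack("<HH", data[6:10])
        result.update(status="gif", width=width, height=height)
    return result


def scan(msg):
    """Inspect every image part of a parsed message."""
    found = (inspect_part(p) for p in msg.walk())
    return [r for r in found if r is not None]


def build_sample(payload, filename="spam13.gif"):
    """Constructed test message with one attachment declared as image/gif."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(payload, maintype="image", subtype="gif",
                       filename=filename)
    return msg


if __name__ == "__main__":
    for label, payload in (("valid", SAMPLE_GIF), ("empty", b""),
                           ("mislabelled", SAMPLE_NOT_GIF)):
        print(label, scan(build_sample(payload)))
```

Logging the decoded length before the magic-byte test, as Denis did with infolog(), is what separates a decoding problem from a file-type problem.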
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Wed Apr 18 14:36:27 2007 Subject: Anti Spoofing Ruleset In-Reply-To: <07f101c781b0$6aada2e0$4008e8a0$@swaney@fsl.com> References: <1176880293.9030.4.camel@localhost.localdomain> <25a66d840704180345u719f3c40k1d05857602c1184c@mail.gmail.com> <1176893402.9505.30.camel@localhost.localdomain> <07f101c781b0$6aada2e0$4008e8a0$@swaney@fsl.com> Message-ID: <46261ED3.30009@sendit.nodak.edu> Stephen Swaney wrote: > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Sean O'Reilly >> Sent: Wednesday, April 18, 2007 6:50 AM >> To: MailScanner discussion >> Subject: Re: Anti Spoofing Ruleset >> >> Basically all i want to say is if the mail is from anyone@ourdomain it >> has got to originate from our network or networks. Will RDJ do this for >> me ? >> >> >> > > No Rules du Jour adds and maintains a set of SARE rule sets for SpamAssassin to use but I definitely recommend using RDJ. > > Steve > > Steve Swaney > steve@fsl.com > Or alternatively you can use sa-update to do the same thing. In fact the author of Rules du Jour has recommended the use of sa-update over Rules du Jour. From Richard.Frovarp at sendit.nodak.edu Wed Apr 18 14:42:31 2007 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Wed Apr 18 14:42:35 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: <46262047.4030105@sendit.nodak.edu> Scott Silva wrote: > Claude Gagn? spake the following on 4/17/2007 11:49 AM: > >> Hi, >> >> I'm currently searching for a good POP3. I heard that dovecot is pretty >> good. >> >> What do you think ? >> > I just had to say this at the top of the thread. > Use what comes with the version of linux you install. Pop3 is less intensive > on a server because the mail is pulled to the client and deleted. Assuming default setup of the email clients. There are always users like me who turn it off and have the client keep a copy on the remote server. Then use multiple machines to access mail. IMAP on the other hand can be setup to have the user download the messages and delete them off the server just like a default POP3. IMAP and POP3 are tuned to different scenarios and the defaults in the mail clients are opposite. However, the end client can change that behavior. From rpoe at plattesheriff.org Wed Apr 18 15:25:05 2007 
From: rpoe at plattesheriff.org (Rob Poe) Date: Wed Apr 18 15:25:58 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: <4625E3F3.65ED.00A2.0@plattesheriff.org> >> I'm currently searching for a good POP3. I heard that dovecot is pretty good. >> What do you think ? >Dovecot is OK, its pretty fast, but buggy, it had 31 or so release >candicates before 1.0, and a bug was found the same day it was released >(under a week ago), Dovecot was my mail server of choice, until I started having problems where people would get multiple copies of their messages (did I mention that people leave their mail on the server??). I was also having problems with "LF not found where expected" which then made it so I kept having to go to the server and move the mail spool file, use formail to re-deliver the mail to a new mbox, then re-chown it back to the proper user. I went to WU and have been having good luck so far with that (knocks on wood). From Kevin_Miller at ci.juneau.ak.us Wed Apr 18 16:03:27 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Apr 18 16:03:21 2007 Subject: Anti Spoofing Ruleset In-Reply-To: <1176893402.9505.30.camel@localhost.localdomain> References: <1176880293.9030.4.camel@localhost.localdomain><25a66d840704180345u719f3c40k1d05857602c1184c@mail.gmail.com> <1176893402.9505.30.camel@localhost.localdomain> Message-ID: > Basically all i want to say is if the mail is from anyone@ourdomain > it has got to originate from our network or networks. Will RDJ do this for me ? Your best bet is to do that at the MTA level, not in MailScanner. Publish SPF records in your DNS defining which servers are authoritative to send your mail out. If you're running sendmail, look into the smf-spf milter. If you're running Postfix or another MTA, someone else can tell you how to integrate SPF with it, as I don't have any experience with them... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ssilva at sgvwater.com Wed Apr 18 18:27:42 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 18 18:28:05 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: Jeff A. Earickson spake the following on 4/18/2007 4:29 AM: > On Wed, 18 Apr 2007, Arto wrote: > >>> On Tue, 17 Apr 2007, Claude Gagn wrote: >>> >>>> Hi, >>>> >>>> I'm currently searching for a good POP3. I heard that dovecot is >>>> pretty good. >>>> >>>> What do you think ? >>>> >>> >>> Dovecot is OK, its pretty fast, but buggy, it had 31 or so release >>> candicates before 1.0, and a bug was found the same day it was released >>> (under a week ago), it reminds me of gaim, and how holey that is, the >>> only difference is, on dedicated sendmail boxes I will use Dovecot >>> (and never touch gaim despite its recent name change to try avoid the >>> stigma), as we use squirrelmail and its nice features, if you dont >>> need imap, try popa3d, very small, very fast. >> >> I have to disagree. I have followed the development of dovecot and I >> must say Timo's principles to implement it are really demanding. The >> amount of release candidates does not tell the truth. Already the >> first of them were used in demanding production. > > I second Arto's disagreement. In fact, calling dovecot buggy is really > unfair. > I have been using dovecot *in production* since beta9 (about 1.5 years and > about 40 releases ago). Even at beta9, it blew the doors off of UW IMAP. > It has just gotten better, faster, more features since then. The only > rc that ever blew up on me was rc27. I dropped back to rc26, and Timo > had rc28 released within two hours to fix the problem. Dovecot is rock > solid code now at 1.0. > > Disclaimer: I only use dovecot for IMAP, not POP. I use qpopper for > that (different machine). I should switch... > > Jeff Earickson > Colby College Dovecot was blowing away wu imap way back at 0.99! -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!! From claude.gagne at multitech.qc.ca Wed Apr 18 19:45:45 2007 
From: claude.gagne at multitech.qc.ca (=?UTF-8?B?Q2xhdWRlIEdhZ27DqQ==?=) Date: Wed Apr 18 19:44:01 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: <46266759.70305@multitech.qc.ca> Scott Silva a ?crit : > Jeff A. Earickson spake the following on 4/18/2007 4:29 AM: > >> On Wed, 18 Apr 2007, Arto wrote: >> >> >>>> On Tue, 17 Apr 2007, Claude Gagn wrote: >>>> >>>> >>>>> Hi, >>>>> >>>>> I'm currently searching for a good POP3. I heard that dovecot is >>>>> pretty good. >>>>> >>>>> What do you think ? >>>>> >>>>> >>>> Dovecot is OK, its pretty fast, but buggy, it had 31 or so release >>>> candicates before 1.0, and a bug was found the same day it was released >>>> (under a week ago), it reminds me of gaim, and how holey that is, the >>>> only difference is, on dedicated sendmail boxes I will use Dovecot >>>> (and never touch gaim despite its recent name change to try avoid the >>>> stigma), as we use squirrelmail and its nice features, if you dont >>>> need imap, try popa3d, very small, very fast. >>>> >>> I have to disagree. I have followed the development of dovecot and I >>> must say Timo's principles to implement it are really demanding. The >>> amount of release candidates does not tell the truth. Already the >>> first of them were used in demanding production. >>> >> I second Arto's disagreement. In fact, calling dovecot buggy is really >> unfair. >> I have been using dovecot *in production* since beta9 (about 1.5 years and >> about 40 releases ago). Even at beta9, it blew the doors off of UW IMAP. >> It has just gotten better, faster, more features since then. The only >> rc that ever blew up on me was rc27. I dropped back to rc26, and Timo >> had rc28 released within two hours to fix the problem. Dovecot is rock >> solid code now at 1.0. >> >> Disclaimer: I only use dovecot for IMAP, not POP. I use qpopper for >> that (different machine). I should switch... 
>> >> Jeff Earickson >> Colby College >> > Dovecot was blowing away wu imap way back at 0.99! > > All the people that had some problem with dovecot seem to be before the 1.0 ? From mailscanner at yeticomputers.com Wed Apr 18 20:55:00 2007 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Wed Apr 18 20:53:19 2007 Subject: Wich POP3 server In-Reply-To: <462516C5.3010306@multitech.qc.ca> References: <462516C5.3010306@multitech.qc.ca> Message-ID: <46267794.4020107@yeticomputers.com> Claude Gagné wrote: > Hi, > > I'm currently searching for a good POP3. I heard that dovecot is > pretty good. > > What do you think ? Weighing in late, but for what it's worth, I use Cyrus IMAP for both IMAP and POP3. The current server has been running for about five years with not a single problem related to Cyrus. It's reputed to be a lot more difficult to set up than Dovecot, however, and it does not use system accounts. Rick From Denis.Beauchemin at USherbrooke.ca Wed Apr 18 20:59:23 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Apr 18 20:59:30 2007 Subject: FuzzyOcr 3.5.1 not seeing my images In-Reply-To: <1176901125.16165.14.camel@gblades-suse.linguaphone-intranet.co.uk> References: <4626100B.8030801@USherbrooke.ca> <1176901125.16165.14.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <4626789B.9070007@USherbrooke.ca> Gareth wrote: > On Wed, 2007-04-18 at 13:33, Denis Beauchemin wrote: > > >> Gareth, >> >> I looked at the code and added some calls to infolog() which resulted in >> $pdatalen being 0. >> >> Looks like the call to decode() is either broken or the email it is >> working with is incomplete... >> >> Denis >> > > I would run up perl CPAN and perform an update just to make sure you > have the latest copy of all the modules installed. > > > Gareth, It didn't solve my problem... Digging some more, I found something interesting: I stopped MS but not sendmail, then sent one email with a spammy picture. In mqueue.in I ran "spamassassin -D < d*" and got this error message: [7149] dbg: FuzzyOcr: Skipping OCR, no image files found... I then copied both q* and d* (cat q* d* >new.email) into a new file and experimented with the whole email. Turns out I have to remove all (?) sendmail control lines and "H*" control characters before FuzzyOcr sees the picture... I just don't know in which format the email is presented to SA by MS... I will keep digging... Denis -- Denis Beauchemin, analyste, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From ecasarero at gmail.com Wed Apr 18 21:08:24 2007
From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Apr 18 21:08:29 2007 Subject: Message too big for spam checks Message-ID: <7d9b3cf20704181308g38bf75bfl256b326f1575a92b@mail.gmail.com> hi, i've a case of an email that seemed to skip the black/whitelist filter. Three emails were detected by the blacklist, and a fourth was delivered as HAM. The only difference is the email size, that in the last case was bigger than the "too big for spam" limit. Did anyone have the same issue? Thanks. Eduardo. From Richard.Frovarp at sendit.nodak.edu Wed Apr 18 21:26:25 2007 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Wed Apr 18 21:26:31 2007 Subject: Message too big for spam checks In-Reply-To: <7d9b3cf20704181308g38bf75bfl256b326f1575a92b@mail.gmail.com> References: <7d9b3cf20704181308g38bf75bfl256b326f1575a92b@mail.gmail.com> Message-ID: <46267EF1.9070603@sendit.nodak.edu> Eduardo Casarero wrote: > hi, i've a case of an email that seemed to skip the black/whitelist > filter. Three emails were detected by the blacklist, and a fourth was > delivered as HAM. The only difference is the email size, that in the > last case was bigger than the "too big for spam" limit. > > Did anyone have the same issue? > > Thanks. > > Eduardo. > Look for Max Spam Check Size in MailScanner.conf From ecasarero at gmail.com Wed Apr 18 21:37:22 2007
From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Apr 18 21:37:27 2007 Subject: Message too big for spam checks In-Reply-To: <46267EF1.9070603@sendit.nodak.edu> References: <7d9b3cf20704181308g38bf75bfl256b326f1575a92b@mail.gmail.com> <46267EF1.9070603@sendit.nodak.edu> Message-ID: <7d9b3cf20704181337y3327b982j4a11fde268bd17bb@mail.gmail.com> 2007/4/18, Richard Frovarp : > > Eduardo Casarero wrote: > > hi, i've a case of an email that seemed to skip the black/whitelist > > filter. Three emails were detected by the blacklist, and a fourth was > > delivered as HAM. The only difference is the email size, that in the > > last case was bigger than the "too big for spam" limit. > > > > Did anyone have the same issue? > > > > Thanks. > > > > Eduardo. > > > Look for Max Spam Check Size in MailScanner.conf > -- # Spammers do not have the power to send out huge messages to everyone as # it costs them too much (more smaller messages makes more profit than less # very large messages). So if a message is bigger than a certain size, it # is highly unlikely to be spam. Limiting this saves a lot of time checking # huge messages. # This can also be the filename of a ruleset. Max Spam Check Size = 150000 It does not clarify if it bypasses white/blacklist checking. From list-mailscanner at linguaphone.com Wed Apr 18 21:42:28 2007
From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Apr 18 21:42:32 2007 Subject: Message too big for spam checks In-Reply-To: <7d9b3cf20704181337y3327b982j4a11fde268bd17bb@mail.gmail.com> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Eduardo > Casarero > Sent: 18 April 2007 21:37 > To: MailScanner discussion > Subject: Re: Message too big for spam checks > # This can also be the filename of a ruleset. > Max Spam Check Size = 150000 > > It does not clarify if it bypass white/blacklist checking. Yes the spam check size does also apply to the black and whitelists. I had a sending in my blacklist which was getting through sometimes so I increased the spam size limit which fixed the problem. From lists at jfworks.net Wed Apr 18 22:30:34 2007 
From: lists at jfworks.net (James) Date: Wed Apr 18 22:29:42 2007 Subject: FuzzyOcr 3.5.1 not seeing my images In-Reply-To: <46261581.9040208@USherbrooke.ca> References: <4626100B.8030801@USherbrooke.ca> <46261581.9040208@USherbrooke.ca> Message-ID: <46268DFA.9070705@jfworks.net> Denis Beauchemin wrote: > Denis Beauchemin a ?crit : >> Gareth a ?crit : >>>> -----Original Message----- >>>> >>>> I am experimenting with FuzzyOcr on a new server and my image spams >>>> are >>>> printing the following messages while MS is being run with debug on: >>>> >>>> [14793] dbg: FuzzyOcr: Starting FuzzyOcr... >>>> [14793] info: FuzzyOcr: Processing Message with ID >>>> "<4624E33B.7050701@USherbrooke.ca>" (A B -> >>>> A B ) >>>> [14793] dbg: FuzzyOcr: fname: "spam13.gif" => "spam13.gif" >>>> [14793] dbg: message: decoding base64 >>>> [14793] info: FuzzyOcr: Skipping file with >>>> content-type="image/gif" name="spam13.gif" >>>> [14793] dbg: FuzzyOcr: Skipping OCR, no image files found... >>>> [14793] dbg: FuzzyOcr: Processed in 0.000415 sec. >>>> >>> >>> >>> This is a section of the perl code that is causing the problem :- >>> >>> my $filename = $fname; $filename =~ tr{a-zA-Z0-9\-.}{_}cs; >>> debuglog("fname: \"$fname\" => \"$filename\""); >>> my $pdata = $p->decode(); >>> my $pdatalen = length($pdata); >>> my $w = 0; my $h = 0; >>> >>> if ( substr($pdata,0,3) eq "\x47\x49\x46" ) { >>> ## GIF File >>> $imgfiles{$filename}{ftype} = 1; >>> ($w,$h) = unpack("vv",substr($pdata,6,4)); >>> infolog("GIF: [${h}x${w}] $filename ($pdatalen)"); >>> $imgfiles{$filename}{width} = $w; >>> $imgfiles{$filename}{height} = $h; >>> >>> It is getting to the 2nd line ok but it appears that the decoded >>> file is not >>> recognised as a valid gif file (the if command is failing). >>> The 'skipping ocr' message is triggered when there are no >>> '$imgfiles{$filename}{ftype}' being set. >>> >>> >> Gareth, >> >> I looked at the code and added some calls to infolog() which resulted >> in $pdatalen being 0. 
>> Looks like the call to decode() is either broken or the email it is >> working with is incomplete... >> >> Denis >> > Anyone using FuzzyOcr on a RHEL5 (or CentOS 5) system? > > I installed using Red Hat's RPMS when available: netpbm netpbm-devel > netpbm-progs gtk+-devel giflib giflib-utils giflib-devel ImageMagick. > Is there some broken RPM in there? > > Thanks! > > Denis > I just installed this on a CentOS 4.4 box and it seemed to work ok, did it work on 4.4 but not 5.0 ? I won't have a 5.0 box to test with for a couple days. James From daniel.maher at ubisoft.com Wed Apr 18 22:57:48 2007 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Wed Apr 18 22:57:52 2007 Subject: mailscanner can't find clamav module? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204C0FD82@UBIMAIL1.ubisoft.org> Hello all, I have been using "clamav" as the virus scanner in MailScanner for quite some time now; however, the resource requirements are starting to become obscene, and I'd like to switch to clamavmodule. I installed perl-Mail-ClamAV 0.20, and specified clamavmodule in the MailScanner.conf . Unfortunately, MailScanner cannot "find" the module: # MailScanner -version ... missing Mail::ClamAV ... What must I do in order to have MailScanner use the installed module? -- Daniel Maher Administrateur Système Unix Unix System Administrator "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007. From max at assuredata.com Wed Apr 18 23:07:05 2007
From: max at assuredata.com (Max Kipness) Date: Wed Apr 18 23:07:20 2007 Subject: Starting every few minutes... Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B06D220@addc01.assuredata.local> Hi - I'm thinking I've dealt with this in the past, but just wanted to confirm. My symptoms are the following: 1. MailScanner seems to show a message in the log that it's starting every minute or so, as the grep results below show. 2. Message are being processed sometimes hundreds of times before being sent to the destination and is therefore causing a delay of several hours in some cases. Is this problem with a bad config file? How can I diagnose where the problem is? This is something that just recently started happening, but I'm not sure if there was a change in the config or not. Spamassassin -D --lint doesn't show any problems, but not sure that it would pick up MailScanner issues. Thanks, Max Apr 18 16:39:56 server2 MailScanner[29872]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:41:10 server2 MailScanner[29979]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:42:23 server2 MailScanner[30080]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:42:56 server2 MailScanner[30156]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:43:07 server2 MailScanner[30170]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:45:34 server2 MailScanner[30401]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:45:45 server2 MailScanner[30402]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:48:21 server2 MailScanner[30616]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:49:29 server2 MailScanner[30788]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:50:40 server2 MailScanner[30903]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... 
Apr 18 16:51:24 server2 MailScanner[30976]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:52:29 server2 MailScanner[31059]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:54:55 server2 MailScanner[31256]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:56:48 server2 MailScanner[31394]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:58:24 server2 MailScanner[31553]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 16:59:36 server2 MailScanner[31685]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Apr 18 17:00:06 server2 MailScanner[31750]: MailScanner E-Mail Virus Scanner version 4.53.7 starting... Thanks - Max Kipness AssureDATA, Inc. Direct: 214-417-8412 Email: max@assuredata.com From raymond at prolocation.net Wed Apr 18 23:15:34 2007 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed Apr 18 23:15:31 2007 Subject: mailscanner can't find clamav module? In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204C0FD82@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D204C0FD82@UBIMAIL1.ubisoft.org> Message-ID: Hi! > # MailScanner -version > > ... > > missing Mail::ClamAV > > ... > > > > What must I do in order to have MailScanner use the installed module? cpan Mail::ClamAV ; ldconfig Bye, Raymond. From res at ausics.net Thu Apr 19 00:23:40 2007 
From: res at ausics.net (Res) Date: Thu Apr 19 00:23:52 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: On Wed, 18 Apr 2007, Drew Marshall wrote: >> If you use Qmail, then use vpopmail, if you want a good webmail with it, >> install courier-imap and squirrelmail, using mysql to hold user >> prefs/address books etc. >> >> If you use postmix and Maildir, who knows, probably Dovecot. > > Or indeed any of the above! As you will remember oh Evil Bunny, Postmix, the > flexibility of that 'aged monolithic software' you like with the Should have known hey Drewy, after all postmix does nothing but copy sendmail ;).. only thing it does that sendmail does not is use Maildir, but since there is no clear mess-free setup for virtual domains like qmail has with vpopmail, we stick to Qmail for those setups, mind you, some have sendmail front ends (means we don't have to spend all day patching qmail lol) :D > is nice and simple and you can delegate mailbox control to 'domain admins', > which saves loads of support time when users want another alias or mailbox This is why we use Qmail in virtual domain it does it with ease, one thing tho, we don't use database to auth pop3 users we use CDB file, it has far far far superior performance than databases, and many large users report the same results, it has been found a cluster of DB of 6 servers is required to match the same performance with say 6K concurrent accesses, but we do use databases for user prefs and user addressbooks etc. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Thu Apr 19 00:32:18 2007
From: res at ausics.net (Res) Date: Thu Apr 19 00:32:29 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: On Wed, 18 Apr 2007, Arto wrote: >> Dovecot is OK, it's pretty fast, but buggy, it had 31 or so release >> candidates before 1.0, and a bug was found the same day it was released > I have to disagree. I have followed the development of dovecot and I must say > Timo's principles to implement it are really demanding. The amount of release He needs to implement a change and test it properly, even HE admitted he needs more aggressive testing (which I thought he said he introduced after rc20something) And the additions were 99% fixes, not new features. Maybe you want to trust your network with something like that, but I certainly have reservations, an rc, every 6 months fine, I can go with that, but when you occasionally get 2 a week and one every week or two, starts to ring alarms, I'll grant you that many of the bugs he fixes may not even affect my setup, but none the less they exist. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Thu Apr 19 00:34:40 2007
From: res at ausics.net (Res) Date: Thu Apr 19 00:34:49 2007 Subject: Wich POP3 server In-Reply-To: <00d801c78198$5404c7c0$23c051cb@ictnoc> References: <462516C5.3010306@multitech.qc.ca> <00d801c78198$5404c7c0$23c051cb@ictnoc> Message-ID: On Wed, 18 Apr 2007, Muhammad Nauman wrote: > One Good Option is QPOPPER ! I can agree with this, it's had no more security issues than most the others, but last time I used it ( some 8 or more years ago ) it was slow with many concurrent users, has the speed performance improved nowadays? -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Thu Apr 19 00:38:52 2007 From: res at ausics.net (Res) Date: Thu Apr 19 00:39:01 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: On Wed, 18 Apr 2007, Scott Silva wrote: > Dovecot was blowing away wu imap way back at 0.99! It's one thing to have speed, I agree it is fast, but what's the point of being fast if it fails stability, I'd take a slower more robust setup over a lightning fast problematic daemon any day of the year. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Thu Apr 19 00:44:04 2007
From: res at ausics.net (Res) Date: Thu Apr 19 00:44:12 2007 Subject: Message too big for spam checks In-Reply-To: <46267EF1.9070603@sendit.nodak.edu> References: <7d9b3cf20704181308g38bf75bfl256b326f1575a92b@mail.gmail.com> <46267EF1.9070603@sendit.nodak.edu> Message-ID: On Wed, 18 Apr 2007, Richard Frovarp wrote: >> > Look for Max Spam Check Size in MailScanner.conf There is currently no 'disable' feature for this setting, many have found it wise to increase that size to more than what your MTA limit is. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Thu Apr 19 00:48:59 2007
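The gap described in this thread (per Gareth's reply, messages above Max Spam Check Size also skip the black and whitelists, and Res's advice is to raise the limit above the MTA's) can be checked mechanically. The script below is an added example, not part of the thread or of MailScanner; it assumes a Postfix MTA and its `message_size_limit` parameter, and both sample files are constructed.

```python
import re

# Constructed sample inputs. Only the 150000 value is taken from the thread;
# the Postfix file is an assumption (the thread does not name the poster's MTA).
MAILSCANNER_CONF = """\
# This can also be the filename of a ruleset.
Max Spam Check Size = 150000
"""
POSTFIX_MAIN_CF = """\
myhostname = mail.example.test
message_size_limit = 10240000
"""
POSTFIX_DEFAULT_LIMIT = 10240000  # Postfix default when message_size_limit is unset


def parse_conf(text):
    """Return {normalised key: value} for 'key = value' lines; '#' lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Compare keys case- and spacing-insensitively ("Max Spam Check Size").
        settings[re.sub(r"[^a-z0-9]", "", key.lower())] = value.strip()
    return settings


def audit_spam_size_gap(mailscanner_conf, postfix_main_cf):
    """Compare MailScanner's spam-check ceiling with the MTA's accept ceiling.

    Returns (status, detail) where status is one of:
      "gap"    - the MTA accepts messages that are too big to be spam-checked
      "ok"     - every message the MTA accepts is small enough to be checked
      "review" - a value could not be interpreted as a byte count
    """
    ms = parse_conf(mailscanner_conf)
    mta = parse_conf(postfix_main_cf)

    spam_raw = ms.get("maxspamchecksize")
    if spam_raw is None:
        return ("review", "Max Spam Check Size not set in this file")
    if not spam_raw.isdigit():
        # The setting may name a ruleset file; per-address limits need a manual look.
        return ("review", "Max Spam Check Size is not a number: %s" % spam_raw)

    mta_raw = mta.get("messagesizelimit", str(POSTFIX_DEFAULT_LIMIT))
    if not mta_raw.isdigit() or int(mta_raw) <= 0:
        # Non-positive or non-numeric values are reported, not interpreted.
        return ("review", "message_size_limit is not a positive byte count: %s" % mta_raw)

    spam_limit, mta_limit = int(spam_raw), int(mta_raw)
    if spam_limit < mta_limit:
        return ("gap", "messages of %d to %d bytes are delivered without spam "
                       "or black/whitelist checks" % (spam_limit + 1, mta_limit))
    return ("ok", "spam-check ceiling %d >= MTA ceiling %d" % (spam_limit, mta_limit))


if __name__ == "__main__":
    # The thread's setting against a 10 MB MTA limit, then with the limit raised.
    print(audit_spam_size_gap(MAILSCANNER_CONF, POSTFIX_MAIN_CF))
    raised = MAILSCANNER_CONF.replace("150000", "10240001")
    print(audit_spam_size_gap(raised, POSTFIX_MAIN_CF))
```
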
From: res at ausics.net (Res) Date: Thu Apr 19 00:49:08 2007 Subject: Starting every few minutes... In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B06D220@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B06D220@addc01.assuredata.local> Message-ID: On Wed, 18 Apr 2007, Max Kipness wrote: > > 1. MailScanner seems to show a message in the log that it's starting > every minute or so, as the grep results below show. > > 2. Message are being processed sometimes hundreds of times before being > sent to the destination and is therefore causing a delay of several > hours in some cases. > > Is this problem with a bad config file? How can I diagnose where the > problem is? This is something that just recently started happening, but Could be one of a hundred things stop mailscanner then run: ./MailScanner --lint If obvious errors, correct and re run ./MailScanner --debug --lint Also tell us your: MTA and version (and if Sendmail, your lock type) MailScanner version OS Anti-Virus and version -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From mike at vesol.com Thu Apr 19 02:44:24 2007 From: mike at vesol.com (Mike Kercher) Date: Thu Apr 19 02:46:06 2007 Subject: Wich POP3 server In-Reply-To: <462516C5.3010306@multitech.qc.ca> References: <462516C5.3010306@multitech.qc.ca> Message-ID: <6115482898C59848B35DB9D491C9A28E4D71@srv1.home.middlefinger.net> ________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Claude Gagné Sent: Tuesday, April 17, 2007 1:50 PM To: mailscanner@lists.mailscanner.info Subject: Wich POP3 server Hi, I'm currently searching for a good POP3. I heard that dovecot is pretty good. What do you think ? -- I've been VERY happy with cucipop. It's the only POP3 server I use on my boxen. Mike From R.Sterenborg at netsourcing.nl Thu Apr 19 06:49:29 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Thu Apr 19 06:52:00 2007 Subject: Wich POP3 server In-Reply-To: References: <462516C5.3010306@multitech.qc.ca> Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488DFBC@WISENT.dcyb.net> Res wrote: >On Wed, 18 Apr 2007, Scott Silva wrote: >> Dovecot was blowing away wu imap way back at 0.99! > > It's one thing to have speed, I agree it is fast, but whats > the point of being fast if it fails stability, I'd take a slower > more robust setup over a lightening fast problematic daemon any > day of the year. Not wanting to advocate any POP server (I don't have experience with POP servers in a large environment; I'm just using the IMAP feature for myself and a few others), the Dovecot website says this: - "Fri Apr 13 15:00:09 EEST 2007 Released v1.0.0. Finally, after almost 5 years of development." - "Dovecot's design and implementation is highly focused on security. Rather than taking the traditional road of just fixing vulnerabilities whenever someone happens to report them, I offer 1000 EUR of my own money to the first person to find a security hole from Dovecot." Nowhere it's mentioned that a security hole has been found: my guess is that none is found yet, so the 1000 Euro fee should still be available. (Well, v1.0.0 is only 6 days old so it would have been bad it one was found already.) When was the last time you actually used Dovecot? If you really think it's still full of holes (there "must" be because I don't know any software that hasn't got any bugs) then, by judging your posts here I guess you would be one of the people who can find them. Maybe you should try and find one so you can cash the 1000 Euro... ;^) Grts, Rob From paul at blacknight.ie Thu Apr 19 08:26:33 2007 
From: paul at blacknight.ie (Paul Kelly :: Blacknight) Date: Thu Apr 19 08:23:50 2007 Subject: Wich POP3 server Message-ID: <462719A9.3070906@blacknight.ie> Oh deary me ... -- Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Lo-call: 1850 927 280 DDI: 059 9183091 e-mail: paul@blacknight.ie web: http://www.blacknight.ie -------------- next part -------------- An embedded message was scrubbed... From: rPath Update Announcements Subject: [Full-disclosure] rPSA-2007-0074-1 dovecot Date: Wed, 18 Apr 2007 12:03:43 -0400 Size: 4126 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070419/405e00fc/Full-disclosurerPSA-2007-0074-1dovecot.mht From martin.lyberg at gmail.com Thu Apr 19 09:41:00 2007 From: martin.lyberg at gmail.com (Martin) Date: Thu Apr 19 09:41:26 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow Message-ID: Hi, Upgraded clamav from 0.90.1 to 0.90.2 this morning. Since then scanning takes like forever and the mailqueue grows fast. in 'top' i can see that clamscan hogs the cpu for atleast 30-45 seconds while scanning, even if it's a mail with no attachment: Apr 19 10:36:15 antispam MailScanner[16598]: New Batch: Scanning 1 messages, 30520 bytes Apr 19 10:36:15 antispam MailScanner[16598]: Spam Checks: Starting Apr 19 10:36:15 antispam MailScanner[16598]: Expired 10 records from the SpamAssassin cache Apr 19 10:36:20 antispam MailScanner[16598]: Spam Checks completed at 6455 bytes per second Apr 19 10:36:20 antispam MailScanner[16598]: Virus and Content Scanning: Starting Apr 19 10:37:23 antispam MailScanner[16598]: Virus Scanning completed at 483 bytes per second I had no problem with 0.90.1. Anyone seeing the same problem? I'm using Debian Sarge and apt for upgrading Thank you From list-mailscanner at linguaphone.com Thu Apr 19 09:56:20 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Apr 19 09:56:24 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: Message-ID: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin > Sent: 19 April 2007 09:41 > To: mailscanner@lists.mailscanner.info > Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow > > > Hi, > > Upgraded clamav from 0.90.1 to 0.90.2 this morning. Since then scanning > takes like forever and the mailqueue grows fast. > > in 'top' i can see that clamscan hogs the cpu for atleast 30-45 seconds > while scanning, even if it's a mail with no attachment: > > Apr 19 10:36:15 antispam MailScanner[16598]: New Batch: Scanning 1 > messages, 30520 bytes > Apr 19 10:36:15 antispam MailScanner[16598]: Spam Checks: Starting > Apr 19 10:36:15 antispam MailScanner[16598]: Expired 10 records from the > SpamAssassin cache > Apr 19 10:36:20 antispam MailScanner[16598]: Spam Checks completed at > 6455 bytes per second > Apr 19 10:36:20 antispam MailScanner[16598]: Virus and Content Scanning: > Starting > Apr 19 10:37:23 antispam MailScanner[16598]: Virus Scanning completed at > 483 bytes per second > > > > I had no problem with 0.90.1. > > Anyone seeing the same problem? > > I'm using Debian Sarge and apt for upgrading > This is what I get and I am also using bitdefender. Apr 19 09:52:20 mailscanner MailScanner[23432]: New Batch: Scanning 1 messages, 2686 bytes Apr 19 09:52:27 mailscanner MailScanner[23432]: Spam Checks: Found 1 spam messages Apr 19 09:52:27 mailscanner MailScanner[23432]: Virus and Content Scanning: Starting Apr 19 09:52:29 mailscanner MailScanner[23432]: Requeue: C969EAA00D5.36483 to 7F6BEAA0051 Apr 19 09:52:29 mailscanner MailScanner[23432]: Uninfected: Delivered 1 messages Apr 19 09:52:29 mailscanner MailScanner[23432]: Logging message C969EAA00D5.36483 to SQL How do you get it to report the bytes per second? From mailing_lists+mailscanner at caleotech.com Thu Apr 19 10:04:57 2007 
From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin) Date: Thu Apr 19 10:08:50 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: References: Message-ID: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> > Hi, > > Upgraded clamav from 0.90.1 to 0.90.2 this morning. Since then scanning > takes like forever and the mailqueue grows fast. > > in 'top' i can see that clamscan hogs the cpu for atleast 30-45 seconds > while scanning, even if it's a mail with no attachment: > > Apr 19 10:36:15 antispam MailScanner[16598]: New Batch: Scanning 1 > messages, 30520 bytes > Apr 19 10:36:15 antispam MailScanner[16598]: Spam Checks: Starting > Apr 19 10:36:15 antispam MailScanner[16598]: Expired 10 records from the > SpamAssassin cache > Apr 19 10:36:20 antispam MailScanner[16598]: Spam Checks completed at > 6455 bytes per second > Apr 19 10:36:20 antispam MailScanner[16598]: Virus and Content Scanning: > Starting > Apr 19 10:37:23 antispam MailScanner[16598]: Virus Scanning completed at > 483 bytes per second > > > > I had no problem with 0.90.1. > > Anyone seeing the same problem? > > I'm using Debian Sarge and apt for upgrading > > Thank you > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Hi, I see the same thing on 3 servers. I might revert back to 0.90.1... or hope that a fix is released soon. I'm using Dag Wieers repository for clamav. Jens From evanderleun at hal9000.nl Thu Apr 19 10:34:29 2007 
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Thu Apr 19 10:34:51 2007
Subject: Performance discussion
Message-ID: <462737A5.2090401@hal9000.nl>

Hi,

In my MailScanner setup, I use several addons like DCC, Pyzor, Razor, OCRText, Spamassassin-rulesdujour, Spamhaus lists, etc...

I heard about FuzzyOCR's way of not continuing to detect several properties of an email, if the total SA score is high enough already.

I can imagine it would be an interesting additional /*optional*/ feature for MailScanner, if MailScanner could stop further tests if let's say the High Scoring Spam threshold already is passed?

I at least would be very interested in this...

Anyone? Julian? :-)

Kind regards,

Erik van der Leun
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070419/29a27427/attachment.html

From Andreas.Doerfler at kempten.de Thu Apr 19 10:35:12 2007
From: Andreas.Doerfler at kempten.de (Dörfler Andreas)
Date: Thu Apr 19 10:35:55 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
Message-ID:

> Hi,
>
> I see the same thing on 3 servers. I might revert back to 0.90.1... or
> hope that a fix is released soon. I'm using Dag Wieers repository for
> clamav.
>
> Jens

hi,

don't know if this is a good idea

> **Important note**: on April 16th CHM, CAB and PDF handlers will be
> disabled for 0.90 and 0.90.1 users through the dynamic engine
> configuration module (DCONF). Please upgrade to 0.90.2 immediately.

quick check on my system shows me no problems but I run a self-compiled version

greetings
andy

From res at ausics.net Thu Apr 19 10:36:27 2007
From: res at ausics.net (Res) Date: Thu Apr 19 10:36:39 2007 Subject: Wich POP3 server In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488DFBC@WISENT.dcyb.net> References: <462516C5.3010306@multitech.qc.ca> <74ACEB3E6A055643A89B8CEC74C7BF2488DFBC@WISENT.dcyb.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Where did I say they were all security bugs? I said _stability_ .... big difference, some of them might have been security related as well, cant recall, I lose count when I see RC's every few days. also I can put a anything on my softwares site as well, hell even microsoft touted vista as most secure, yet had security bulletin issued by CERT within 2 weeks of release. On Thu, 19 Apr 2007, Rob Sterenborg wrote: > Res wrote: >> On Wed, 18 Apr 2007, Scott Silva wrote: >>> Dovecot was blowing away wu imap way back at 0.99! >> >> It's one thing to have speed, I agree it is fast, but whats >> the point of being fast if it fails stability, I'd take a slower >> more robust setup over a lightening fast problematic daemon any >> day of the year. > > Not wanting to advocate any POP server (I don't have experience with POP > servers in a large environment; I'm just using the IMAP feature for > myself and a few others), the Dovecot website says this: > > - "Fri Apr 13 15:00:09 EEST 2007 > Released v1.0.0. Finally, after almost 5 years of development." > > - "Dovecot's design and implementation is highly focused on security. > Rather than taking the traditional road of just fixing vulnerabilities > whenever someone happens to report them, I offer 1000 EUR of my own > money to the first person to find a security hole from Dovecot." > > Nowhere it's mentioned that a security hole has been found: my guess is > that none is found yet, so the 1000 Euro fee should still be available. > (Well, v1.0.0 is only 6 days old so it would have been bad it one was > found already.) > > When was the last time you actually used Dovecot? 
> If you really think it's still full of holes (there "must" be because I > don't know any software that hasn't got any bugs) then, by judging your > posts here I guess you would be one of the people who can find them. > Maybe you should try and find one so you can cash the 1000 Euro... ;^) > > > Grts, > Rob > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > - -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGJzgdsWhAmSIQh7MRAgnWAKCwa4m86Wsk9qLLbcSFAdKJWpU/0gCeNOBL 6wuTh3zumB0hBmw51N0Pc3A= =Q0vv -----END PGP SIGNATURE----- From list-mailscanner at linguaphone.com Thu Apr 19 10:48:24 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Apr 19 10:48:28 2007 Subject: Performance discussion In-Reply-To: <462737A5.2090401@hal9000.nl> Message-ID: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Erik van
> der Leun
> Sent: 19 April 2007 10:34
> To: MailScanner discussion
> Subject: Performance discussion
>
>
> Hi,
>
> In my MailScanner setup, I use several addons like DCC, Pyzor,
> Razor, OCRText, Spamassassin-rulesdujour, Spamhaus lists, etc...
>
> I heard about FuzzyOCR's way of not continuing to detect several
> properties of an email, if the total SA score is high enough already.
>
> I can imagine it would be an interesting additional optional
> feature for MailScanner, if MailScanner could stop further tests
> if let's say
> the High Scoring Spam threshold already is passed?
>
> I at least would be very interested in this...

I think all those tests are performed in one go when the mail is passed to
spamassassin. FuzzyOCR gets told the current score of the mail when it is
passed to it by spamassassin so can choose whether to do any processing at that
point. I don't think MailScanner can have any choice in the matter.

From raymond at prolocation.net Thu Apr 19 10:50:39 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Thu Apr 19 10:50:39 2007
Subject: Performance discussion
In-Reply-To: <462737A5.2090401@hal9000.nl>
References: <462737A5.2090401@hal9000.nl>
Message-ID:

Hi!

> I heard about FuzzyOCR's way of not continuing to detect several properties
> of an email, if the total SA score is high enough already.
>
> I can imagine it would be an interesting additional /*optional*/ feature for
> MailScanner, if MailScanner could stop further tests if let's say
> the High Scoring Spam threshold already is passed?
>
> I at least would be very interested in this...

MailScanner doesn't execute SA plugins, SA does. So I think, if you want the
same things happening as with OCR, you have to look at how they did that
and copy/paste that to the plugins you use for SA.

... It's sub processes of SA ...

Bye,
Raymond.

From arto.saraniva at artio.net Thu Apr 19 11:02:54 2007
From: arto.saraniva at artio.net (Arto) Date: Thu Apr 19 11:03:42 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> Message-ID: Jens Ahlin wrote: >> Hi, >> >> Upgraded clamav from 0.90.1 to 0.90.2 this morning. Since then scanning >> takes like forever and the mailqueue grows fast. >> >> in 'top' i can see that clamscan hogs the cpu for atleast 30-45 seconds >> while scanning, even if it's a mail with no attachment: >> >> Apr 19 10:36:15 antispam MailScanner[16598]: New Batch: Scanning 1 >> messages, 30520 bytes >> Apr 19 10:36:15 antispam MailScanner[16598]: Spam Checks: Starting >> Apr 19 10:36:15 antispam MailScanner[16598]: Expired 10 records from the >> SpamAssassin cache >> Apr 19 10:36:20 antispam MailScanner[16598]: Spam Checks completed at >> 6455 bytes per second >> Apr 19 10:36:20 antispam MailScanner[16598]: Virus and Content Scanning: >> Starting >> Apr 19 10:37:23 antispam MailScanner[16598]: Virus Scanning completed at >> 483 bytes per second >> >> >> >> I had no problem with 0.90.1. >> >> Anyone seeing the same problem? >> >> I'm using Debian Sarge and apt for upgrading >> >> Thank you >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Hi, > > I see the same thing on 3 servers. I might revert back to 0.90.1... or > hope that a fix is released soon. I'm using Dag Wieers repository for > clamav. We had this too. Uninstalling clamav* and installing it again helped. -arto From steve.freegard at fsl.com Thu Apr 19 11:04:55 2007 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Apr 19 11:04:57 2007
Subject: Performance discussion
In-Reply-To: <462737A5.2090401@hal9000.nl>
References: <462737A5.2090401@hal9000.nl>
Message-ID: <46273EC7.3030405@fsl.com>

Hi Erik,

Erik van der Leun wrote:
> Hi,
>
> In my MailScanner setup, I use several addons like DCC, Pyzor, Razor,
> OCRText, Spamassassin-rulesdujour, Spamhaus lists, etc...
>
> I heard about FuzzyOCR's way of not continuing to detect several
> properties of an email, if the total SA score is high enough already.
>
> I can imagine it would be an interesting additional /*optional*/ feature
> for MailScanner, if MailScanner could stop further tests if let's say
> the High Scoring Spam threshold already is passed?
>
> I at least would be very interested in this...

You won't have too long to wait then... when SpamAssassin 3.2 is released it
contains a plug-in called 'Shortcircuit' that allows it to skip further tests
if a specific set of rules are triggered and immediately return spam or ham
results.

Kind regards,
Steve.

From prandal at herefordshire.gov.uk Thu Apr 19 11:04:20 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Apr 19 11:08:30 2007
Subject: Performance discussion
In-Reply-To: <462737A5.2090401@hal9000.nl>
References: <462737A5.2090401@hal9000.nl>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA43EAA7@HC-MBX02.herefordshire.gov.uk>

Shortcircuiting will be included as a feature in SpamAssassin 3.2.0.

That should help.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Erik van der Leun Sent: 19 April 2007 10:34 To: MailScanner discussion Subject: Performance discussion Hi, In my MailScanner setup, I use several addons like DCC, Pyzor, Razor, OCRText, Spamassassin-rulesdujour, Spamhaus lists, etc... I heard about FuzzyOCR's way of not continuing to detect several properties of an email, if the total SA score is high enough already. I can imagine it would be an interesting additional optional feature for MailScanner, if MailScanner could stop further tests if let's say the High Scoring Spam threshold already is passed? I at least would be very interested in this... Anyone? Julian? :-) Kind regards, Erik van der Leun -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070419/5b37d8e7/attachment.html From ms-list at alexb.ch Thu Apr 19 11:40:52 2007 
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Apr 19 11:41:00 2007
Subject: Performance discussion
In-Reply-To: <46273EC7.3030405@fsl.com>
References: <462737A5.2090401@hal9000.nl> <46273EC7.3030405@fsl.com>
Message-ID: <46274734.8000600@alexb.ch>

On 4/19/2007 12:04 PM, Steve Freegard wrote:
> Hi Erik,
>
> Erik van der Leun wrote:
>> Hi,
>>
>> In my MailScanner setup, I use several addons like DCC, Pyzor, Razor,
>> OCRText, Spamassassin-rulesdujour, Spamhaus lists, etc...
>>
>> I heard about FuzzyOCR's way of not continuing to detect several
>> properties of an email, if the total SA score is high enough already.
>>
>> I can imagine it would be an interesting additional /*optional*/
>> feature for MailScanner, if MailScanner could stop further tests if
>> let's say
>> the High Scoring Spam threshold already is passed?
>>
>> I at least would be very interested in this...
>
> You won't have too long to wait then... when SpamAssassin 3.2 is
> released it contains a plug-in called 'Shortcircuit' that allows it to
> skip further tests if a specific set of rules are triggered and
> immediately return spam or ham results.

Steve

Have you guys got short_circuiting to work with MailScanner?
I'm not seeing it triggering on my test MS/SA3.2 box.

Alex

From nauman at worldcall.net.pk Thu Apr 19 11:41:47 2007
From: nauman at worldcall.net.pk (Muhammad Nauman)
Date: Thu Apr 19 11:41:50 2007
Subject: Best Way to Control Relaying?
References: <462737A5.2090401@hal9000.nl> <7EF0EE5CB3B263488C8C18823239BEBA43EAA7@HC-MBX02.herefordshire.gov.uk>
Message-ID: <027e01c7826f$55d82d80$23c051cb@ictnoc>

Best Way to Control Relaying?
--------------------------------------------------------------------------------

Hi all,

Despite having this in my access file

# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
AUTH : OK
* : REJECT

# makemap hash /etc/mail/access.db < /etc/mail/access

and I can clearly see that my sendmail is compiled with AUTH options, as I telnet from another machine

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP

It's still not blocking the mail

250 HELP
Mail from:no at no.com
250 2.1.0 no at no.com... Sender ok
RCPT to:no at no.com
250 2.1.5 no at no.com... Recipient ok

Any idea why it is still acting like this, where it should not!!

My Sendmail is compiled with these options, as in devtools/Site/site

##############################################################
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')
dnl SASL2
APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl')
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
dnl BERKELEY DB
APPENDDEF(`confMAPDEF', `-DNEWDB')
#################################################################

my Sendmail.mc is :
----------------------------------------------------------------
divert(-1)dnl
divert(0)dnl
VERSIONID(`Custom Linux config by Douglas Hunley /doug at hunley.homeip.net/ ')
OSTYPE(linux)dnl
DOMAIN(generic)dnl
undefine(`UUCP_RELAY')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`delay_checks')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `25000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `100')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `9')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl
FEATURE(access_db, `hash -T /etc/mail/access')dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
define(`confDONT_PROBE_INTERFACES', true)dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl
define(`confTO_IDENT',`0')dnl
define(`confSMTP_LOGIN_MSG',`')dnl
define(`confMIN_FREE_BLOCKS', 4000)dnl
define(`confMAX_DAEMON_CHILDREN', 100)dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,noexpn,novrfy,noetrn,needmailhelo,restrictmailq,restrictqrun,restrictexpand,nobodyreturn')dnl
define(`HELP_FILE', `/dev/null')dnl
FEATURE(smrsh, `/usr/sbin/smrsh')dnl
FEATURE(ratecontrol)dnl
FEATURE(conncontrol)dnl
dnl FEATURE(`greet_pause',`3000')dnl
FEATURE(`mailertable')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
MAILER(local)dnl
MAILER(procmail)dnl
MAILER(smtp)dnl
___________________________________________________________________________________________________________________

I'm really worried because even when I empty my access file and then makemap hash the access.db file, it still allows mail as:

>telnet 192.168.1.9 25
220 ESMTP
ehlo qmail
250-worldcall.net.pk Hello noc.worldcall.net.pk [203.81.1] you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
mail from:anyone@what.com
250 2.1.0 anyone@what.com... Sender ok
rcpt to:all@all.com
250 2.1.5 all@all.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
.
354 Enter mail, end with "." on a line by itself
250 2.0.0 l3JFQaWT004671 Message accepted for delivery

Please HELP !!

Thanking in Advance.
Nauman.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070419/b4725fad/attachment.html

From arturs at netvision.net.il Thu Apr 19 11:53:04 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Thu Apr 19 11:56:14 2007
Subject: Best Way to Control Relaying?
In-Reply-To: <027e01c7826f$55d82d80$23c051cb@ictnoc>
Message-ID: <0JGQ001B8ROB46D0@mxout5.netvision.net.il>

Could it be that you connect from a whitelisted machine?

Best,
--
Arthur

_____

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Muhammad Nauman
Sent: Thursday, April 19, 2007 1:42 PM
To: MailScanner discussion
Subject: Best Way to Control Relaying?

Best Way to Control Relaying?
_____

Hi all,

Despite having this in my access file

# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
AUTH : OK
* : REJECT

# makemap hash /etc/mail/access.db < /etc/mail/access

and I can clearly see that my sendmail is compiled with AUTH options, as I telnet from another machine

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP

It's still not blocking the mail

250 HELP
Mail from:no at no.com
250 2.1.0 no at no.com... Sender ok
RCPT to:no at no.com
250 2.1.5 no at no.com... Recipient ok

Any idea why it is still acting like this, where it should not!!

My Sendmail is compiled with these options, as in devtools/Site/site

##############################################################
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')
dnl SASL2
APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl')
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
dnl BERKELEY DB
APPENDDEF(`confMAPDEF', `-DNEWDB')
#################################################################

my Sendmail.mc is :
----------------------------------------------------------------
divert(-1)dnl
divert(0)dnl
VERSIONID(`Custom Linux config by Douglas Hunley /doug at hunley.homeip.net/ ')
OSTYPE(linux)dnl
DOMAIN(generic)dnl
undefine(`UUCP_RELAY')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`delay_checks')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `25000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `100')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `9')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl
FEATURE(access_db, `hash -T /etc/mail/access')dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
define(`confDONT_PROBE_INTERFACES', true)dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl
define(`confTO_IDENT',`0')dnl
define(`confSMTP_LOGIN_MSG',`')dnl
define(`confMIN_FREE_BLOCKS', 4000)dnl
define(`confMAX_DAEMON_CHILDREN', 100)dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,noexpn,novrfy,noetrn,needmailhelo,restrictmailq,restrictqrun,restrictexpand,nobodyreturn')dnl
define(`HELP_FILE', `/dev/null')dnl
FEATURE(smrsh, `/usr/sbin/smrsh')dnl
FEATURE(ratecontrol)dnl
FEATURE(conncontrol)dnl
dnl FEATURE(`greet_pause',`3000')dnl
FEATURE(`mailertable')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
MAILER(local)dnl
MAILER(procmail)dnl
MAILER(smtp)dnl
___________________________________________________________________________________________________________________

I'm really worried because even when I empty my access file and then makemap hash the access.db file, it still allows mail as:

>telnet 192.168.1.9 25
220 ESMTP
ehlo qmail
250-worldcall.net.pk Hello noc.worldcall.net.pk [203.81.1] you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
mail from:anyone@what.com
250 2.1.0 anyone@what.com... Sender ok
rcpt to:all@all.com
250 2.1.5 all@all.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
.
354 Enter mail, end with "." on a line by itself
250 2.0.0 l3JFQaWT004671 Message accepted for delivery

Please HELP !!

Thanking in Advance.
Nauman.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070419/f062cf5e/attachment.html

From nauman at worldcall.net.pk Thu Apr 19 12:11:05 2007
From: nauman at worldcall.net.pk (Muhammad Nauman)
Date: Thu Apr 19 12:11:06 2007
Subject: Best Way to Control Relaying?
References: <0JGQ001B8ROB46D0@mxout5.netvision.net.il>
Message-ID: <02c001c78273$6dd0aa30$23c051cb@ictnoc>

Nopz, it's the same from 4 different machines and I have no whitelisted machine, just configured MailScanner-4.58.9-1 and Sendmail 8.14.1

Thanks and Regards,
M.Nauman Habib
Network Engineer

----- Original Message -----
From: Arthur Sherman
To: 'MailScanner discussion'
Sent: Thursday, April 19, 2007 3:53 PM
Subject: RE: Best Way to Control Relaying?

Could it be that you connect from a whitelisted machine?

Best,
--
Arthur

----------------------------------------------------------------------------
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Muhammad Nauman
Sent: Thursday, April 19, 2007 1:42 PM
To: MailScanner discussion
Subject: Best Way to Control Relaying?

Best Way to Control Relaying?
----------------------------------------------------------------------------

Hi all,

Despite having this in my access file

# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
AUTH : OK
* : REJECT

# makemap hash /etc/mail/access.db < /etc/mail/access

and I can clearly see that my sendmail is compiled with AUTH options, as I telnet from another machine

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP

It's still not blocking the mail

250 HELP
Mail from:no at no.com
250 2.1.0 no at no.com... Sender ok
RCPT to:no at no.com
250 2.1.5 no at no.com... Recipient ok

Any idea why it is still acting like this, where it should not!!

My Sendmail is compiled with these options, as in devtools/Site/site

##############################################################
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')
dnl SASL2
APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl')
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
dnl BERKELEY DB
APPENDDEF(`confMAPDEF', `-DNEWDB')
#################################################################

my Sendmail.mc is :
----------------------------------------------------------------
divert(-1)dnl
divert(0)dnl
VERSIONID(`Custom Linux config by Douglas Hunley /doug at hunley.homeip.net/ ')
OSTYPE(linux)dnl
DOMAIN(generic)dnl
undefine(`UUCP_RELAY')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`delay_checks')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `25000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `100')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `9')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl
FEATURE(access_db, `hash -T /etc/mail/access')dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
define(`confDONT_PROBE_INTERFACES', true)dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl
define(`confTO_IDENT',`0')dnl
define(`confSMTP_LOGIN_MSG',`')dnl
define(`confMIN_FREE_BLOCKS', 4000)dnl
define(`confMAX_DAEMON_CHILDREN', 100)dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,noexpn,novrfy,noetrn,needmailhelo,restrictmailq,restrictqrun,restrictexpand,nobodyreturn')dnl
define(`HELP_FILE', `/dev/null')dnl
FEATURE(smrsh, `/usr/sbin/smrsh')dnl
FEATURE(ratecontrol)dnl
FEATURE(conncontrol)dnl
dnl FEATURE(`greet_pause',`3000')dnl
FEATURE(`mailertable')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
MAILER(local)dnl
MAILER(procmail)dnl
MAILER(smtp)dnl
___________________________________________________________________________________________________________________

I'm really worried because even when I empty my access file and then makemap hash the access.db file, it still allows mail as:

>telnet 192.168.1.9 25
220 ESMTP
ehlo qmail
250-worldcall.net.pk Hello noc.worldcall.net.pk [203.81.1] you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
mail from:anyone@what.com
250 2.1.0 anyone@what.com... Sender ok
rcpt to:all@all.com
250 2.1.5 all@all.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
.
354 Enter mail, end with "." on a line by itself
250 2.0.0 l3JFQaWT004671 Message accepted for delivery

Please HELP !!

Thanking in Advance.
Nauman.

------------------------------------------------------------------------------

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070419/2d1bf4af/attachment.html

From mailing_lists+mailscanner at caleotech.com Thu Apr 19 12:08:54 2007
From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin)
Date: Thu Apr 19 12:13:45 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com>
Message-ID: <2108.172.16.1.34.1176980934.squirrel@www.caleotech.com>

>
> We had this too. Uninstalling clamav* and installing it again helped.
>
> -arto
>

Tried this, 1 server seems to be ok now. I'll have to investigate this
further. The 2 servers that I felt got a performance hit are quite old and
maybe they have been running at this pace for a long time :)

Thanks,

Jens

From mailing_lists+mailscanner at caleotech.com Thu Apr 19 12:09:56 2007
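The sendmail.mc posted in the "Best Way to Control Relaying?" thread above can be checked mechanically for the settings that decide who may relay and for defines that a later line silently overrides. The Python sketch below is an added example, not code from any poster or from sendmail; `audit_mc` and the other names are made up here, the sample is a constructed excerpt of the posted file, and the feature notes paraphrase sendmail's cf/README.

```python
import re
from collections import OrderedDict

# FEATUREs that change who may relay (notes paraphrased from sendmail's cf/README).
RELAY_FEATURES = {
    "promiscuous_relay": "relays from any client to any destination",
    "relay_entire_domain": "also relays for every host in the server's own domain (class {m})",
    "relay_based_on_MX": "relays for any domain whose MX points at this host",
    "relay_local_from": "relays when the domain of the client-supplied envelope sender is local",
    "relay_mail_from": "relays when the envelope sender is listed as RELAY in the access map",
    "loose_relay_check": "changes how %-hack recipient addresses are re-checked for relaying",
}

# Constructed excerpt: relay-relevant lines copied from the posted sendmail.mc.
SAMPLE_MC = r"""
divert(0)dnl
OSTYPE(linux)dnl
FEATURE(`delay_checks')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confMAX_MESSAGE_SIZE', `25000000')dnl Denial of Service Attacks
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(access_db, `hash -T /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
define(`confSMTP_LOGIN_MSG',`')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,noexpn,novrfy,noetrn,needmailhelo,restrictmailq,restrictqrun,restrictexpand,nobodyreturn')dnl
dnl FEATURE(`greet_pause',`3000')dnl
FEATURE(`use_cw_file')dnl
MAILER(smtp)dnl
"""

FEATURE_RE = re.compile(r"^FEATURE\(\s*`?(\w+)'?")
DEFINE_RE = re.compile(r"^define\(\s*`(\w+)'\s*,\s*`?(.*?)'?\)\s*(?:dnl.*)?$")
TRUST_RE = re.compile(r"^TRUST_AUTH_MECH\(\s*`([^']*)'")


def audit_mc(text):
    """Summarise the relay-relevant settings of a sendmail .mc file."""
    features, trusted = [], []
    defines = OrderedDict()  # name -> every value given, in file order
    for raw in text.splitlines():
        line = raw.strip()
        # A leading "dnl" makes m4 discard the whole line; "#" lines are comments.
        if not line or line.startswith("dnl") or line.startswith("#"):
            continue
        m = FEATURE_RE.match(line)
        if m:
            features.append(m.group(1))
            continue
        m = DEFINE_RE.match(line)
        if m:
            defines.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = TRUST_RE.match(line)
        if m:
            trusted.extend(m.group(1).split())

    seen, repeated = set(), []
    for name in features:
        if name in seen and name not in repeated:
            repeated.append(name)
        seen.add(name)

    return {
        "features": features,
        "relay_features": [(f, RELAY_FEATURES[f]) for f in features if f in RELAY_FEATURES],
        # Clients authenticating with these mechanisms are allowed to relay.
        "trusted_auth_mechs": trusted,
        "access_db": "access_db" in seen,
        "repeated_features": repeated,
        # m4 keeps only the last define(), so earlier values never take effect.
        "overridden_defines": {k: v for k, v in defines.items() if len(v) > 1},
        "effective_defines": {k: v[-1] for k, v in defines.items()},
    }


if __name__ == "__main__":
    report = audit_mc(SAMPLE_MC)
    for name, note in report["relay_features"]:
        print(f"relay-affecting FEATURE {name}: {note}")
    for name, values in report["overridden_defines"].items():
        print(f"{name} defined {len(values)} times; effective value: {values[-1]!r}")
```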
From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin)
Date: Thu Apr 19 12:13:53 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References:
Message-ID: <2121.172.16.1.34.1176980996.squirrel@www.caleotech.com>

>
>> Hi,
>>
>> I see the same thing on 3 servers. I might revert back to 0.90.1... or
>> hope that a fix is released soon. I'm using Dag Wieers repository for
>> clamav.
>>
>> Jens
>
>
> hi,
>
> dont know if this is an good idea
>
>> **Important note**: on April 16th CHM, CAB and PDF handlers will be
>> disabled for 0.90 and 0.90.1 users through the dynamic engine
>> configuration module (DCONF). Please upgrade to 0.90.2 immediately.
>
>
> quick check on my system shows me no problems but i run a self compiled
> version
>
> greetings
> andy
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Noted, will abandon this path...

Thanks,
Jens

From R.Sterenborg at netsourcing.nl Thu Apr 19 12:45:22 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Thu Apr 19 12:48:11 2007
Subject: Wich POP3 server
In-Reply-To:
References: <462516C5.3010306@multitech.qc.ca><74ACEB3E6A055643A89B8CEC74C7BF2488DFBC@WISENT.dcyb.net>
Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488DFBF@WISENT.dcyb.net>

> Where did I say they were all security bugs?
>
> I said _stability_ .... big difference, some of them might have been

Ah yes. Sorry about that; I must have been fuzzy when I wrote it.

Grts,
Rob

From mailscanner at lists.com.ar Thu Apr 19 13:06:45 2007
From: mailscanner at lists.com.ar (Leonardo Helman)
Date: Thu Apr 19 13:09:18 2007
Subject: Starting every few minutes...
In-Reply-To:
References: <11375BD8FE838A409E10DB32B9BFFE9B06D220@addc01.assuredata.local>
Message-ID: <20070419120645.GA5436@pert.com.ar>

If your MailScanner stopped working something like one week ago, and you
are using clamav, it could be the clamav thing discussed on this list.

On Thu, Apr 19, 2007 at 09:48:37AM +1000, Res wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 18 Apr 2007, Max Kipness wrote:
>
> >
> >1. MailScanner seems to show a message in the log that it's starting
> >every minute or so, as the grep results below show.
> >
> >2. Message are being processed sometimes hundreds of times before being
> >sent to the destination and is therefore causing a delay of several
> >hours in some cases.
> >
> >Is this problem with a bad config file? How can I diagnose where the
> >problem is? This is something that just recently started happening, but
>
> Could be one of a hundred things
>
> stop mailscanner then run:
> ./MailScanner --lint
> If obvious errors, correct and re run ./MailScanner --debug --lint
>
> Also tell us your:
> MTA and version (and if Sendmail, your lock type)
> MailScanner version
> OS
> Anti-Virus and version
>
>
> - --
>
> Cheers
> Res
>
> Let Novell know what you think of their back door deal with the devil.
> Sign the petition today: http://techp.org/p/1/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGJq5tsWhAmSIQh7MRAluVAJ9t8Rfmw4l3Hl/SQ/pojE64TwLIcACdE+GE
> CPCGfZDN9Ddqron1fkEuD6w=
> =tsa9
> -----END PGP SIGNATURE-----
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From jaearick at colby.edu Thu Apr 19 13:25:54 2007
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Apr 19 13:26:01 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References:
Message-ID:

On Thu, 19 Apr 2007, Dörfler Andreas wrote:

> Date: Thu, 19 Apr 2007 11:35:12 +0200
> From: Dörfler Andreas
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
>
>
>> Hi,
>>
>> I see the same thing on 3 servers. I might revert back to 0.90.1... or
>> hope that a fix is released soon. I'm using Dag Wieers repository for
>> clamav.
>>
>> Jens
>
>
> hi,
>
> dont know if this is an good idea
>
>> **Important note**: on April 16th CHM, CAB and PDF handlers will be
>> disabled for 0.90 and 0.90.1 users through the dynamic engine
>> configuration module (DCONF). Please upgrade to 0.90.2 immediately.
>
>
> quick check on my system shows me no problems but i run a self compiled version

I've been running 0.90.2 since last Friday on Solaris 10, with no change
in performance over 0.90.1. Self compiled version...

Jeff Earickson
Colby College

From martinh at solidstatelogic.com Thu Apr 19 14:30:04 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Apr 19 14:30:28 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson
> Sent: 19 April 2007 13:26
> To: MailScanner discussion
> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
>
> On Thu, 19 Apr 2007, Dörfler Andreas wrote:
>
> > Date: Thu, 19 Apr 2007 11:35:12 +0200
> > From: Dörfler Andreas
> > Reply-To: MailScanner discussion
> > To: MailScanner discussion
> > Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
> >
> >
> >> Hi,
> >>
> >> I see the same thing on 3 servers. I might revert back to 0.90.1... or
> >> hope that a fix is released soon. I'm using Dag Wieers repository for
> >> clamav.
> >>
> >> Jens
> >
> >
> > hi,
> >
> > dont know if this is an good idea
> >
> >> **Important note**: on April 16th CHM, CAB and PDF handlers will be
> >> disabled for 0.90 and 0.90.1 users through the dynamic engine
> >> configuration module (DCONF). Please upgrade to 0.90.2 immediately.
> >
> >
> > quick check on my system shows me no problems but i run a self compiled
> version
>
> I've been running 0.90.2 since last Friday on Solaris 10, with no change
> in performance over 0.90.1. Self compiled version...
>
> Jeff Earickson
> Colby College

Same here - self compiled on FreeBSD 4.10.

I wonder if the now default pthreads is making some difference. I had to
disable this to get it to compile....

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom

**********************************************************************

From glenn.steen at gmail.com Thu Apr 19 14:33:17 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 19 14:33:21 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <1175765469.18300.8.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1175698544.15557.44.camel@gblades-suse.linguaphone-intranet.co.uk> <25a66d840704040805l51a82a04m5bdfdde70cbfaa82@mail.gmail.com> <60D398EB2DB948409CA1F50D8AF122570222119B@exch1.dekalbmemorial.local> <1175761994.18290.5.camel@gblades-suse.linguaphone-intranet.co.uk> <4614BD11.6080104@netmagicsolutions.com> <1175765469.18300.8.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700704190633o5a93e325ld7d589b99b220d5a@mail.gmail.com> On 05/04/07, Gareth wrote: > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote: > > Gareth wrote: > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: > > > > > >> Are you using the clamavmodule? I've had the same problem. There's a > > >> commandline switch to turn that notice if when using clamscan, but not > > >> with the module. I'd suggested earlier that someone should add code for > > >> clamav, like the code for Sophos that allows you to specify messages to > > >> ignore. > > > > > > I think its a bug in Mailscanner. There appears to be code in place in > > > the routine which calls clamavmodule which disables blocking of > > > encrypted files if there is a config option 'allowpasszips' set but I > > > cannot find that option. > > > > > > Anyway below is a diff which disables blocking of encrypted archives > > > which is working fine for me. > > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm > > > 1069c1069 > > > < Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > | > > > --- > > >> # Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > | > > > > [Quoting Julian from 07/20/2005] > > If you have MailScanner set to allow password-protected zip and rar > > archives, then this option is disabled. If you have it set to block > > password-protected archives, then this option is enabled. 
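Review bot: The edit at line 1069 of SweepViruses.pm switches CL_SCAN_BLOCKENCRYPTED off unconditionally, for every message, and it is a hand edit to an installed module under /usr/lib/MailScanner that an upgrade can replace without notice. Julian's reply quoted in this thread says the flag already follows MailScanner's password-protected archive setting, so keep the line as shipped and control it from that setting, through a ruleset if it has to differ by source address. If the local edit stays, record it with a comment next to the line and check that the flag expression is still valid now that the trailing "|" is commented out with it.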
> > [Quoting Julian from 07/20/2005]
> >
> > See this thread: http://thread.gmane.org/gmane.mail.virus.mailscanner/30201
>
> Thanks. I wanted Mailscanner to block encrypted archives which it does
> well by itself but not to tell clamav to identify encrypted archives as
> viruses.
>

It's Ruleset Time: You want MailScanner to block the initial message,
hence you want a default of "yes" in the ruleset, but not when releasing
from quarantine... so ... since this will likely be released from
127.0.0.1, make a rule that sets it to "no" (or indeed do this on Scan
Message) for that IP address. Problem solved:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From daniel.maher at ubisoft.com Thu Apr 19 14:37:49 2007
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Thu Apr 19 14:37:52 2007
Subject: mailscanner can't find clamav module?
In-Reply-To:
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204C0FF32@UBIMAIL1.ubisoft.org>

> > # MailScanner --version
> > ...
> > missing Mail::ClamAV
> > ...
> >
> >
> > What must I do in order to have MailScanner use the installed module?
>
> cpan Mail::ClamAV ; ldconfig

Thank you for your prompt reply - unfortunately, this did not solve the
problem. I don't suppose anybody else has further ideas?

Thank you.

-- 
  _
 °v°   Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

"How can a man choose between Fresh and Fly? And believe me, there IS a
difference." - Crack Stuntman, 2007.

From jaearick at colby.edu Thu Apr 19 14:39:29 2007
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Apr 19 14:39:36 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References:
Message-ID:

On Thu, 19 Apr 2007, Martin.Hepworth wrote:

> Date: Thu, 19 Apr 2007 14:30:04 +0100
> From: Martin.Hepworth
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
>
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson
>> Sent: 19 April 2007 13:26
>> To: MailScanner discussion
>> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
>>
>> On Thu, 19 Apr 2007, Dörfler Andreas wrote:
>>
>>> Date: Thu, 19 Apr 2007 11:35:12 +0200
>>> From: Dörfler Andreas
>>> Reply-To: MailScanner discussion
>
>>> To: MailScanner discussion
>>> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
>>>
>>>
>>>> Hi,
>>>>
>>>> I see the same thing on 3 servers. I might revert back to 0.90.1...
> or
>>>> hope that a fix is released soon. I'm using Dag Wieers repository
> for
>>>> clamav.
>>>>
>>>> Jens
>>>
>>>
>>> hi,
>>>
>>> dont know if this is an good idea
>>>
>>>> **Important note**: on April 16th CHM, CAB and PDF handlers will be
>>>> disabled for 0.90 and 0.90.1 users through the dynamic engine
>>>> configuration module (DCONF). Please upgrade to 0.90.2 immediately.
>>>
>>>
>>> quick check on my system shows me no problems but i run a self
> compiled
>> version
>>
>> I've been running 0.90.2 since last Friday on Solaris 10, with no
> change
>> in performance over 0.90.1. Self compiled version...
>>
>> Jeff Earickson
>> Colby College
>
>
> Same here - self compiled on FreeBSD 4.10.
>
> I wonder if the now default pthreads is making some difference. I had to
> disable this to get it to compile....

Good point. My version of perl is self-compiled, and I do not have
pthreads enabled in it.

Jeff Earickson
Colby College

From mikea at mikea.ath.cx Thu Apr 19 14:54:16 2007
From: mikea at mikea.ath.cx (mikea)
Date: Thu Apr 19 14:54:26 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References:
Message-ID: <20070419135416.GA50443@mikea.ath.cx>

On Thu, Apr 19, 2007 at 02:30:04PM +0100, Martin.Hepworth wrote:
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson
> > Sent: 19 April 2007 13:26
> > To: MailScanner discussion
> > Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
> >
> > On Thu, 19 Apr 2007, Dörfler Andreas wrote:
> >
> > >> Hi,
> > >>
> > >> I see the same thing on 3 servers. I might revert back to
> > >> 0.90.1... or hope that a fix is released soon. I'm using Dag
> > >> Wieers repository for clamav.
> > >>
> > >> Jens
> > >
> > >
> > > hi,
> > >
> > > dont know if this is an good idea
> > >
> > >> **Important note**: on April 16th CHM, CAB and PDF handlers
> > >> will be disabled for 0.90 and 0.90.1 users through the dynamic
> > >> engine configuration module (DCONF). Please upgrade to 0.90.2
> > >> immediately.
> > >
> > >
> > > quick check on my system shows me no problems but i run a self
> > > compiled version
> > >
> > > I've been running 0.90.2 since last Friday on Solaris 10, with
> > > no change in performance over 0.90.1. Self compiled version...
> > >
> > > Jeff Earickson Colby College
>
>
> Same here - self compiled on FreeBSD 4.10.
>
> I wonder if the now default pthreads is making some difference. I
> had to disable this to get it to compile....

Ah! I'm not the only one, then. Also no change in performance noted,
and also running the self-compiled flavor.

-- 
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From dyioulos at firstbhph.com Thu Apr 19 15:04:18 2007
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Thu Apr 19 15:04:25 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References:
Message-ID: <200704191004.19060.dyioulos@firstbhph.com>

On Thursday 19 April 2007 5:35 am, Dörfler Andreas wrote:
> > Hi,
> >
> > I see the same thing on 3 servers. I might revert back to 0.90.1... or
> > hope that a fix is released soon. I'm using Dag Wieers repository for
> > clamav.
> >
> > Jens
>
> hi,
>
> dont know if this is an good idea
>
> > **Important note**: on April 16th CHM, CAB and PDF handlers will be
> > disabled for 0.90 and 0.90.1 users through the dynamic engine
> > configuration module (DCONF). Please upgrade to 0.90.2 immediately.
>
> quick check on my system shows me no problems but i run a self compiled
> version
>
> greetings
> andy
> --

Likewise, I run a compiled version of 0.90.2, and see no problems.

Dimitri

-- 
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From Denis.Beauchemin at USherbrooke.ca Thu Apr 19 15:04:29 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Apr 19 15:04:36 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References:
Message-ID: <462776ED.9060409@USherbrooke.ca>

Jeff A. Earickson wrote:
> On Thu, 19 Apr 2007, Dörfler Andreas wrote:
>
>> Date: Thu, 19 Apr 2007 11:35:12 +0200
>> From: Dörfler Andreas
>> Reply-To: MailScanner discussion
>> To: MailScanner discussion
>> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
>>
>>
>>> Hi,
>>>
>>> I see the same thing on 3 servers. I might revert back to 0.90.1... or
>>> hope that a fix is released soon. I'm using Dag Wieers repository for
>>> clamav.
>>>
>>> Jens
>>
>>
>> hi,
>>
>> dont know if this is an good idea
>>
>>> **Important note**: on April 16th CHM, CAB and PDF handlers will be
>>> disabled for 0.90 and 0.90.1 users through the dynamic engine
>>> configuration module (DCONF). Please upgrade to 0.90.2 immediately.
>>
>>
>> quick check on my system shows me no problems but i run a self
>> compiled version
>
> I've been running 0.90.2 since last Friday on Solaris 10, with no change
> in performance over 0.90.1. Self compiled version...
>
> Jeff Earickson
> Colby College

I've been running 0.90.2 (self-compiled with Julian's Install-Clam-SA
script) since Tuesday on RHEL4 servers and didn't see a performance hit
either. My servers are running clamavmodule (Mail-ClamAV-0.20.tar.gz)
which I had to recompile after installing 0.90.2.

Denis

-- 
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070419/fdf31b56/smime.bin

From glenn.steen at gmail.com Thu Apr 19 15:21:02 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Apr 19 15:21:08 2007
Subject: Whitelisting Problem
In-Reply-To:
References: <20070412055002.FE1E.GERARD@seibercom.net>
Message-ID: <223f97700704190721oa1b0207vcb05e30e2ca631fa@mail.gmail.com>

On 12/04/07, --[ UxBoD ]-- wrote:
> Yup. I have already slapped myself around the face with a wet fish ! ;) I have merged the two configs and running just one instance now.
>
> Many thanks,
>

Good. If you find that you need two instances, look at my suggestions on
the wiki regarding splitting mails... Perhaps that might be merged to
one instance too, I haven't exactly had time to play with that for a
while... vacation and all...:-).

Look at
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient
next time you need it:-)... It's in the "Notes"...

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ms-list at alexb.ch Thu Apr 19 15:42:45 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Apr 19 15:42:50 2007
Subject: mailscanner can't find clamav module?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204C0FF32@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204C0FF32@UBIMAIL1.ubisoft.org>
Message-ID: <46277FE5.3030104@alexb.ch>

On 4/19/2007 3:37 PM, Daniel Maher wrote:
>>> # MailScanner --version
>>> ...
>>> missing Mail::ClamAV
>>> ...
>>>
>>>
>>> What must I do in order to have MailScanner use the installed module?
>> cpan Mail::ClamAV ; ldconfig
>
> Thank you for your prompt reply - unfortunately, this did not solve the problem. I don't suppose anybody else has further ideas?

Did you force install Mail::ClamAV?

After doing it, ldconfig should do the trick.

Alex

From glenn.steen at gmail.com Thu Apr 19 16:06:24 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Apr 19 16:06:28 2007
Subject: I'm back at home
In-Reply-To:
References: <46128E8E.1060508@ecs.soton.ac.uk>
Message-ID: <223f97700704190806o5f822e31k588f84c77909f5e7@mail.gmail.com>

On 03/04/07, Kevin Miller wrote:
> Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi folks,
> snip
> > So I'm still alive, though it was very touch and go for the first 10
> > days, and more or less back in the land of the living. Don't expect
> > any more than the odd health update for a while yet though :-)
>
> Great to hear you're back in the land of the living. You haven't missed
> much. No major bugs have cropped up in the last month (that I recall
> anyway), no "must have or I'll be banished to Siberia" feature requests.
> So you can rest easy. And now that you're awake, hopefully your folks
> can rest easy too! I'm sure the worry was quite a strain on them. Our
> thoughts & prayers are with them as well as yourself.

CC. Great to hear that you're finally home, and on the mend.

> To save you reading five thousand emails, here's a brief recap:
>
> some folks don't like sender verification
> res is still an evil bunny
> Glenn's on vacation in S.E. Asia

Wouldn't call the last anything worth mentioning, Kev...:-). Alas, I'm
back at work now, trying to wade through everything that has backed up
during my absence.... Sigh.

> Um, yup, that about sums it up.
>
> Here's to a speedy recuperation...

Hear hear!

Cheers (mind you Jules, go easy on the wine now...:-).
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Kevin_Miller at ci.juneau.ak.us Thu Apr 19 16:15:56 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Apr 19 16:15:42 2007
Subject: I'm back at home
In-Reply-To: <223f97700704190806o5f822e31k588f84c77909f5e7@mail.gmail.com>
References: <46128E8E.1060508@ecs.soton.ac.uk> <223f97700704190806o5f822e31k588f84c77909f5e7@mail.gmail.com>
Message-ID:

Glenn Steen wrote:

>> Glenn's on vacation in S.E. Asia
>
> Wouldn't call the last anything worth mentioning, Kev...:-). Alas, I'm
> back at work now, trying to wade through everything that has backed up
> during my absence.... Sigh.

Well, it's just that the rest of us weren't on vacation, and, er, are
just a bit jealous.

Good to see you back too...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From JeremyBlonde at grant.k12.ca.us Thu Apr 19 16:18:06 2007
From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde)
Date: Thu Apr 19 16:17:33 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <462776ED.9060409@USherbrooke.ca>
References: <462776ED.9060409@USherbrooke.ca>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Denis Beauchemin
> Sent: Thursday, April 19, 2007 7:04 AM
> To: MailScanner discussion
> Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
>
> Jeff A. Earickson wrote:
> > On Thu, 19 Apr 2007, Dörfler Andreas wrote:
> >
> >> Date: Thu, 19 Apr 2007 11:35:12 +0200
> >> From: Dörfler Andreas
> >> Reply-To: MailScanner discussion
>
> >> To: MailScanner discussion
> >> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
> >>
> >>
> >>> Hi,
> >>>
> >>> I see the same thing on 3 servers. I might revert back to
> 0.90.1... or
> >>> hope that a fix is released soon. I'm using Dag Wieers
> repository for
> >>> clamav.
> >>>
> >>> Jens
> >>
> >>
> >> hi,
> >>
> >> dont know if this is an good idea
> >>
> >>> **Important note**: on April 16th CHM, CAB and PDF
> handlers will be
> >>> disabled for 0.90 and 0.90.1 users through the dynamic engine
> >>> configuration module (DCONF). Please upgrade to 0.90.2
> immediately.
> >>
> >>
> >> quick check on my system shows me no problems but i run a self
> >> compiled version
> >
> > I've been running 0.90.2 since last Friday on Solaris 10,
> with no change
> > in performance over 0.90.1. Self compiled version...
> >
> > Jeff Earickson
> > Colby College
> I've been running 0.90.2 (self-compiled with Julian's Install-Clam-SA
> script) since Tuesday on RHEL4 servers and didn't see a
> performance hit
> either. My servers are running clamavmodule
> (Mail-ClamAV-0.20.tar.gz)
> which I had to recompile after installing 0.90.2.
>
> Denis
>
> --
>   _
>  °v°   Denis Beauchemin, analyste
> /(_)\  Université de Sherbrooke, S.T.I.
>  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
>
>
>

I've been running 0.90.2 since yesterday under Gentoo Linux and I'm
seeing a huge performance impact. I usually have only a couple of
messages in the hold queue but I'm now seeing an average of 30 msgs
waiting. I also see clamscan taking a long time when viewed with top. I
guess I'll be going back to 0.90.1 until the issue is resolved.

BTW, since it's Gentoo, clamav is compiled from source.

Jeremy Blonde
Instructional Technology - Server Support
Grant Joint Union High School District

From glenn.steen at gmail.com Thu Apr 19 16:29:36 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Apr 19 16:29:40 2007
Subject: Anti Spoofing Ruleset
In-Reply-To:
References: <1176880293.9030.4.camel@localhost.localdomain> <25a66d840704180345u719f3c40k1d05857602c1184c@mail.gmail.com> <1176893402.9505.30.camel@localhost.localdomain>
Message-ID: <223f97700704190829i646eb084g31abff3fdee112e4@mail.gmail.com>

On 18/04/07, Kevin Miller wrote:
> > Basically all i want to say is if the mail is from anyone@ourdomain
> > it has got to originate from our network or networks. Will RDJ do this
> for me ?
>
> Your best bet is to do that at the MTA level, not in MailScanner.
> Publish SPF records in your DNS defining which servers are authoritative
> to send your mail out. If you're running sendmail, look into the
> smf-spf milter. If you're running Postfix or another MTA, someone else
> can tell you how to integrate SPF with it, as I don't have any
> experience with them...
>

I do this in Postfix directly (not SPF)... Anyone pretending to be my
domain will get a big fat REJECT... Works since we don't allow
roadrunners to pretend they are us... They get to VPN (or similar)/OWA
if they need to send official mail.

I suppose you can do similar things in most MTAs.

This disqualifies sites like greeting-card/resume/whatnot senders, that
regularly spoof your domain. It therefore needs to be a well-anchored
policy decision.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mkettler at evi-inc.com Thu Apr 19 16:46:54 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Apr 19 16:47:01 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References:
Message-ID: <46278EEE.5010603@evi-inc.com>

Gareth wrote:
>
> How do you get it to report the bytes per second?
>

MailScanner.conf:

Log Speed = yes

From glenn.steen at gmail.com Thu Apr 19 16:51:27 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Apr 19 16:51:30 2007
Subject: I'm back at home
In-Reply-To:
References: <46128E8E.1060508@ecs.soton.ac.uk> <223f97700704190806o5f822e31k588f84c77909f5e7@mail.gmail.com>
Message-ID: <223f97700704190851k3c721a11paba399f80324c4d6@mail.gmail.com>

On 19/04/07, Kevin Miller wrote:
> Glenn Steen wrote:
>
> >> Glenn's on vacation in S.E. Asia
> >
> > Wouldn't call the last anything worth mentioning, Kev...:-). Alas, I'm
> > back at work now, trying to wade through everything that has backed up
> > during my absence.... Sigh.
>
> Well, it's just that the rest of us weren't on vacation, and, er, are
> just a bit jealous.

There's a Swedish saying (that will _not_ translate well) along the
lines "The only true joy is the hurtful joy"... Skadeglädje... The
Germans have a word for it too, but I don't know German, so ...:-).
Basic concept is that you enjoy your own situation much more knowing
that others have it worse..;-)

> Good to see you back too...

Thanks&Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Apr 19 17:00:06 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Apr 19 17:00:08 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References: <462776ED.9060409@USherbrooke.ca>
Message-ID: <223f97700704190900t246c014eldc5ba95c655c97b3@mail.gmail.com>

On 19/04/07, Jeremy Blonde wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> > Of Denis Beauchemin
> > Sent: Thursday, April 19, 2007 7:04 AM
> > To: MailScanner discussion
> > Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
> >
> > Jeff A. Earickson wrote:
> > > On Thu, 19 Apr 2007, Dörfler Andreas wrote:
> > >
> > >> Date: Thu, 19 Apr 2007 11:35:12 +0200
> > >> From: Dörfler Andreas
> > >> Reply-To: MailScanner discussion
> >
> > >> To: MailScanner discussion
> > >> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
> > >>
> > >>
> > >>> Hi,
> > >>>
> > >>> I see the same thing on 3 servers. I might revert back to
> > 0.90.1... or
> > >>> hope that a fix is released soon. I'm using Dag Wieers
> > repository for
> > >>> clamav.
> > >>>
> > >>> Jens
> > >>
> > >>
> > >> hi,
> > >>
> > >> dont know if this is an good idea
> > >>
> > >>> **Important note**: on April 16th CHM, CAB and PDF
> > handlers will be
> > >>> disabled for 0.90 and 0.90.1 users through the dynamic engine
> > >>> configuration module (DCONF). Please upgrade to 0.90.2
> > immediately.
> > >>
> > >>
> > >> quick check on my system shows me no problems but i run a self
> > >> compiled version
> > >
> > > I've been running 0.90.2 since last Friday on Solaris 10,
> > with no change
> > > in performance over 0.90.1. Self compiled version...
> > >
> > > Jeff Earickson
> > > Colby College
> > I've been running 0.90.2 (self-compiled with Julian's Install-Clam-SA
> > script) since Tuesday on RHEL4 servers and didn't see a
> > performance hit
> > either. My servers are running clamavmodule
> > (Mail-ClamAV-0.20.tar.gz)
> > which I had to recompile after installing 0.90.2.
> >
> > Denis
> >
> > --
> >   _
> >  °v°   Denis Beauchemin, analyste
> > /(_)\  Université de Sherbrooke, S.T.I.
> >  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
> >
> >
> >
> I've been running 0.90.2 since yesterday under Gentoo Linux and I'm seeing a huge performance impact. I usually have only a couple of messages in the hold queue but I'm now seeing an average of 30 msgs waiting. I also see clamscan taking a long time when viewed with top. I guess I'll be going back to 0.90.1 until the issue is resolved.
>
> BTW, since it's Gentoo, clamav is complied from source.
>

I saw clamscan linger at 99% CPU after doing a "copy over&ldconfig" type
of source install.
Stopped MS, cleaned /usr/local/* (except etc) out manually (well, all
the clamav files, including the /usr/local/share/clamav directory (where
updates live)), redid the "make install", ran a freshclam... and now see
more normal behaviour.

Since I run clamscan (not Mail::ClamAV) I needn't have bothered with the
ldconfig/forced rebuild of Mail::ClamAV, but who knows... someday I
might change over to that, and by then will have forgotten every little
bit of the possible issues of not relinking to the correct lib file:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve.swaney at fsl.com Thu Apr 19 17:19:01 2007
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Thu Apr 19 17:19:23 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <223f97700704190900t246c014eldc5ba95c655c97b3@mail.gmail.com>
References: <462776ED.9060409@USherbrooke.ca> <223f97700704190900t246c014eldc5ba95c655c97b3@mail.gmail.com>
Message-ID: <025301c7829e$710bf080$5323d180$@swaney@fsl.com>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
> Sent: Thursday, April 19, 2007 12:00 PM
> To: MailScanner discussion
> Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow

I have installed ClamAV 0.90.2 from source on several RH and one SuSe
system(s).

I have always had to run `ldconfig` on all systems after the ClamAV
install to get ClamAV to find the new libraries.

I have also run a cpan `force install Mail::ClamAV` after the ClamAV
install on all systems just to be safe.

No problems so far using calling clamavmodule as the virus scanner.

Best regards,

Steve

Steve Swaney
steve@fsl.com

From list-mailscanner at linguaphone.com Thu Apr 19 17:29:38 2007
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Apr 19 17:29:42 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <223f97700704190633o5a93e325ld7d589b99b220d5a@mail.gmail.com> Message-ID: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Glenn > Steen > Sent: 19 April 2007 14:33 > To: MailScanner discussion > Subject: Re: stopping clamav detecting encrypted zip files > > > On 05/04/07, Gareth wrote: > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote: > > > Gareth wrote: > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: > > > > > > > >> Are you using the clamavmodule? I've had the same > problem. There's a > > > >> commandline switch to turn that notice if when using > clamscan, but not > > > >> with the module. I'd suggested earlier that someone > should add code for > > > >> clamav, like the code for Sophos that allows you to > specify messages to > > > >> ignore. > > > > > > > > I think its a bug in Mailscanner. There appears to be code > in place in > > > > the routine which calls clamavmodule which disables blocking of > > > > encrypted files if there is a config option 'allowpasszips' > set but I > > > > cannot find that option. > > > > > > > > Anyway below is a diff which disables blocking of encrypted archives > > > > which is working fine for me. > > > > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm > > > > 1069c1069 > > > > < > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > > | > > > > --- > > > >> # > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > > | > > > > > > [Quoting Julian from 07/20/2005] > > > If you have MailScanner set to allow password-protected zip and rar > > > archives, then this option is disabled. If you have it set to block > > > password-protected archives, then this option is enabled. > > > [Quoting Julian from 07/20/2005] > > > > > > See this thread: > http://thread.gmane.org/gmane.mail.virus.mailscanner/30201 > > > > Thanks. I wanted Mailscanner to block encrypted archives which it does > > well by itself but not to tell clamav to identify encrypted archives as > > viruses. 
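Review bot: the 1069c1069 change comments out "Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |" outright, so the flag is dropped for every message and every configuration rather than only where encrypted archives should not be reported as viruses. The commented line ends in "|", so check that the surrounding flags expression in SweepViruses.pm is still valid without it, and consider making the flag conditional on a setting instead of deleting it. An edit made in place under /usr/lib/MailScanner will also be overwritten by the next MailScanner upgrade, so carry it as a tracked local patch.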
> >
> It's Ruleset Time:
> You want MailScanner to block the initial message, hence you want a
> default of "yes" in the ruleset, but not when releasing from
> quarantine... so ... since this will likely be released from
> 127.0.0.1, make a rule that sets it to "no" (or indeed do this on Scan
> Message) for that IP address. Problem solved:-).
>
> Cheers
> --
> -- Glenn

Please read my question again. The problem was mailwatch not allowing the file to be released from quarantine because it was identified as a virus. Not the fact that a released message was being re-quarantined which your answer would refer to.

From glenn.steen at gmail.com Thu Apr 19 19:34:39 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Apr 19 19:34:42 2007
Subject: stopping clamav detecting encrypted zip files
In-Reply-To:
References: <223f97700704190633o5a93e325ld7d589b99b220d5a@mail.gmail.com>
Message-ID: <223f97700704191134wd46ac07nced313d673fb6be0@mail.gmail.com>

On 19/04/07, Gareth wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Glenn > > Steen > > Sent: 19 April 2007 14:33 > > To: MailScanner discussion > > Subject: Re: stopping clamav detecting encrypted zip files > > > > > > On 05/04/07, Gareth wrote: > > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote: > > > > Gareth wrote: > > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: > > > > > > > > > >> Are you using the clamavmodule? I've had the same > > problem. There's a > > > > >> commandline switch to turn that notice if when using > > clamscan, but not > > > > >> with the module. I'd suggested earlier that someone > > should add code for > > > > >> clamav, like the code for Sophos that allows you to > > specify messages to > > > > >> ignore. > > > > > > > > > > I think its a bug in Mailscanner. There appears to be code > > in place in > > > > > the routine which calls clamavmodule which disables blocking of > > > > > encrypted files if there is a config option 'allowpasszips' > > set but I > > > > > cannot find that option. > > > > > > > > > > Anyway below is a diff which disables blocking of encrypted archives > > > > > which is working fine for me. > > > > > > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm > > > > > 1069c1069 > > > > > < > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > > > | > > > > > --- > > > > >> # > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > > > | > > > > > > > > [Quoting Julian from 07/20/2005] > > > > If you have MailScanner set to allow password-protected zip and rar > > > > archives, then this option is disabled. If you have it set to block > > > > password-protected archives, then this option is enabled. > > > > [Quoting Julian from 07/20/2005] > > > > > > > > See this thread: > > http://thread.gmane.org/gmane.mail.virus.mailscanner/30201 > > > > > > Thanks. 
I wanted Mailscanner to block encrypted archives which it does
> > > well by itself but not to tell clamav to identify encrypted archives as
> > > viruses.
> > >
> > It's Ruleset Time:
> > You want MailScanner to block the initial message, hence you want a
> > default of "yes" in the ruleset, but not when releasing from
> > quarantine... so ... since this will likely be released from
> > 127.0.0.1, make a rule that sets it to "no" (or indeed do this on Scan
> > Message) for that IP address. Problem solved:-).
> >
> > Cheers
> > --
> > -- Glenn
>
> Please read my question again. The problem was mailwatch not allowing the
> file to be released from quarantine because it was identified as a virus.
> Not the fact that a released message was being re-quarantined which your
> answer would refer to.
>
Ah... Sorry for the sloppy reading, been on vacation.... not turned on brain, such as that is, yet:-).
What you are really "griping" about is the default behaviour of MW to not let you release (some) harmful content (by not including the necessary checkboxes:). I do believe Aaron mentioned how to get around it... And it shouldn't be hard at all to modify MW to accommodate your idea about letting admin do that. Or simply release the file from a commandline (I'm pretty confident you know your way around that enough to manage;-). If your aim is users releasing this file themselves.... this might be slightly more problematic.
As I'm sure you realise, one "solution" is to allow encrypted archives, bad as that may seem.... Or switch to clamscan, where that is more readily settable.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From list-mailscanner at linguaphone.com Thu Apr 19 22:00:04 2007
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Apr 19 22:00:11 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <223f97700704191134wd46ac07nced313d673fb6be0@mail.gmail.com> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Glenn > Steen > Sent: 19 April 2007 19:35 > To: MailScanner discussion > Subject: Re: stopping clamav detecting encrypted zip files > > > On 19/04/07, Gareth wrote: > > > -----Original Message----- 
> > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Glenn > > > Steen > > > Sent: 19 April 2007 14:33 > > > To: MailScanner discussion > > > Subject: Re: stopping clamav detecting encrypted zip files > > > > > > > > > On 05/04/07, Gareth wrote: > > > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote: > > > > > Gareth wrote: > > > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: > > > > > > > > > > > >> Are you using the clamavmodule? I've had the same > > > problem. There's a > > > > > >> commandline switch to turn that notice if when using > > > clamscan, but not > > > > > >> with the module. I'd suggested earlier that someone > > > should add code for > > > > > >> clamav, like the code for Sophos that allows you to > > > specify messages to > > > > > >> ignore. > > > > > > > > > > > > I think its a bug in Mailscanner. There appears to be code > > > in place in > > > > > > the routine which calls clamavmodule which disables blocking of > > > > > > encrypted files if there is a config option 'allowpasszips' > > > set but I > > > > > > cannot find that option. > > > > > > > > > > > > Anyway below is a diff which disables blocking of > encrypted archives > > > > > > which is working fine for me. > > > > > > > > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm > > > > > > 1069c1069 > > > > > > < > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > > > > | > > > > > > --- > > > > > >> # > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > > > > | > > > > > > > > > > [Quoting Julian from 07/20/2005] > > > > > If you have MailScanner set to allow password-protected > zip and rar > > > > > archives, then this option is disabled. If you have it > set to block > > > > > password-protected archives, then this option is enabled. 
> > > > > [Quoting Julian from 07/20/2005]
> > > > >
> > > > > See this thread:
> > > http://thread.gmane.org/gmane.mail.virus.mailscanner/30201
> > > >
> > > > Thanks. I wanted Mailscanner to block encrypted archives
> which it does
> > > > well by itself but not to tell clamav to identify encrypted
> archives as
> > > > viruses.
> > > >
> > > It's Ruleset Time:
> > > You want MailScanner to block the initial message, hence you want a
> > > default of "yes" in the ruleset, but not when releasing from
> > > quarantine... so ... since this will likely be released from
> > > 127.0.0.1, make a rule that sets it to "no" (or indeed do this on Scan
> > > Message) for that IP address. Problem solved:-).
> > >
> > > Cheers
> > > --
> > > -- Glenn
> >
> > Please read my question again. The problem was mailwatch not
> allowing the
> > file to be released from quarantine because it was identified
> as a virus.
> > Not the fact that a released message was being re-quarantined
> which your
> > answer would refer to.
> >
> Ah... Sorry for the sloppy reading, been on vacation.... not turned on
> brain, such as that is, yet:-).
> What you are really "griping" about is the default behaviour of MW to
> not let you release (some) harmful content (by not including the
> necessary checkboxes:). I do believe Aaron mentioned how to get around
> it... And it shouldn't be hard at all to modify MW to accommodate your
> idea about letting admin do that. Or simply release the file from a
> commandline (I'm pretty confident you know your way around that enough
> to manage;-). If your aim is users releasing this file themselves....
> this might be slightly more problematic.
> As I'm sure you realise, one "solution" is to allow encrypted
> archives, bad as that may seem.... Or switch to clamscan, where that
> is more readily settable.
>
> Cheers
> --
> -- Glenn

I did manage to get it working as I wanted it by editing the perl code which calls clamavmodule so that password protected archives were not classed as a virus. That leaves it down to mailscanner to detect itself which then as it is just classed as a blocked attachment and not a virus allows mailwatch to release it.

I have the patch together with a few other customisations I have made detailed on my webpage :-
http://www.gbnetwork.co.uk/mailscanner/index.html

From res at ausics.net Thu Apr 19 22:42:59 2007
From: res at ausics.net (Res)
Date: Thu Apr 19 22:43:09 2007
Subject: I'm back at home
In-Reply-To: <223f97700704190851k3c721a11paba399f80324c4d6@mail.gmail.com>
References: <46128E8E.1060508@ecs.soton.ac.uk> <223f97700704190806o5f822e31k588f84c77909f5e7@mail.gmail.com> <223f97700704190851k3c721a11paba399f80324c4d6@mail.gmail.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 19 Apr 2007, Glenn Steen wrote:

> Basic concept is that you enjoy your own situation much more knowing
> that others have it worse..;-)

There must be a lil bit of Swede in the ancestry of 'evil bunny' :P

Welcome back

- --
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGJ+JlsWhAmSIQh7MRAgGzAJ9pNfJulrX4IoqZOdLfhb+gx/4guQCfVV9C
qj7D1gTqFKDvE34SP0W+0mU=
=nHZA
-----END PGP SIGNATURE-----

From cparker at swatgear.com Thu Apr 19 23:19:08 2007
From: cparker at swatgear.com (Chris W. Parker)
Date: Thu Apr 19 23:19:11 2007
Subject: I need all files that are removed to be quarantined and not deleted.
Message-ID: <97FD54B5E57A1842AA1A4B232E47611773E30C@ati-ex-02.ati.local>

Hi Everyone,

This has been a recurring problem here and I've not been able to solve it on my own.

I REALLY need for MailScanner to quarantine EVERY file that it removes from an email so that, if needed, I can use Pine (or some such) to send that file to the intended recipient.

My boss had a zip file removed that he needs but I've looked everywhere and I can't find a file or a quarantine email even though I've got tons of emails quarantined in /var/spool/MailScanner/quarantine/. I don't know what's being quarantined or why. (So many options to choose from in the MailScanner config.)

I don't want to allow all attachments for one (or more) users and I don't want to allow all types of a certain files (e.g. zip files). I want to keep the same rules as I have now but add the flexibility of resending attachments if I need to.

How can I do this?

Here is the output from 'MailScanner -v':

Running on
Linux filter.swatgear.com 2.6.9-22.0.1.EL #1 Thu Oct 27 12:26:11 CDT 2005 i686 i686 i386 GNU/Linux
This is CentOS release 4.2 (Final)
This is Perl version 5.008005 (5.8.5)

This is MailScanner version 4.50.15
Module versions are:
1.00 AnyDBM_File
1.14 Archive::Zip
1.03 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.73 File::Basename
2.08 File::Copy
2.01 FileHandle
1.06 File::Path
0.14 File::Temp
1.32 HTML::Entities
3.48 HTML::Parser
2.35 HTML::TokeParser
1.21 IO
1.10 IO::File
1.123 IO::Pipe
1.71 Mail::Header
3.05 MIME::Base64
5.419 MIME::Decoder
5.419 MIME::Decoder::UU
5.419 MIME::Head
5.419 MIME::Parser
3.03 MIME::QuotedPrint
5.419 MIME::Tools
0.10 Net::CIDR
1.08 POSIX
1.77 Socket
0.08 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.809 DB_File
1.11 DBD::SQLite
1.50 DBI
1.08 Digest
1.01 Digest::HMAC
2.33 Digest::MD5
2.10 Digest::SHA1
0.44 Inline
0.17 Mail::ClamAV
3.001000 Mail::SpamAssassin
1.997 Mail::SPF::Query
0.15 Net::CIDR::Lite
0.48 Net::DNS
0.31 Net::LDAP
1.94 Parse::RecDescent
missing SAVI
1.4 Sys::Hostname::Long
2.42 Test::Harness
0.47 Test::Simple
1.95 Text::Balanced
1.35 URI

Thanks!
Chris.

From ssilva at sgvwater.com Thu Apr 19 23:31:19 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Apr 19 23:31:39 2007
Subject: I'm back at home
In-Reply-To: <223f97700704190851k3c721a11paba399f80324c4d6@mail.gmail.com>
References: <46128E8E.1060508@ecs.soton.ac.uk> <223f97700704190806o5f822e31k588f84c77909f5e7@mail.gmail.com> <223f97700704190851k3c721a11paba399f80324c4d6@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 4/19/2007 8:51 AM:
> On 19/04/07, Kevin Miller wrote:
>> Glenn Steen wrote:
>>
>> >> Glenn's on vacation in S.E. Asia
>> >
>> > Wouldn't call the last anything worth mentioning, Kev...:-). Alas, I'm
>> > back at work now, trying to wade through everything that has backed up
>> > during my absence.... Sigh.
>>
>> Well, it's just that the rest of us weren't on vacation, and, er, are
>> just a bit jealous.
> There's a Swedish saying (that will _not_ translate well) along the
> lines "The only true joy is the hurtful joy"... Skadeglädje... The
> Germans have a word for it too, but I don't know German, so ...:-).
> Basic concept is that you enjoy your own situation much more knowing
> that others have it worse..;-)
In the US that would loosely translate to "In your face!" ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Apr 19 23:40:36 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Apr 19 23:40:57 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References:
Message-ID:

Martin spake the following on 4/19/2007 1:41 AM:
> Hi,
>
> Upgraded clamav from 0.90.1 to 0.90.2 this morning. Since then scanning
> takes like forever and the mailqueue grows fast.
>
> in 'top' i can see that clamscan hogs the cpu for at least 30-45 seconds
> while scanning, even if it's a mail with no attachment:
>
> Apr 19 10:36:15 antispam MailScanner[16598]: New Batch: Scanning 1
> messages, 30520 bytes
> Apr 19 10:36:15 antispam MailScanner[16598]: Spam Checks: Starting
> Apr 19 10:36:15 antispam MailScanner[16598]: Expired 10 records from the
> SpamAssassin cache
> Apr 19 10:36:20 antispam MailScanner[16598]: Spam Checks completed at
> 6455 bytes per second
> Apr 19 10:36:20 antispam MailScanner[16598]: Virus and Content Scanning:
> Starting
> Apr 19 10:37:23 antispam MailScanner[16598]: Virus Scanning completed at
> 483 bytes per second
>
>
>
> I had no problem with 0.90.1.
>
> Anyone seeing the same problem?
>
> I'm using Debian Sarge and apt for upgrading
>
> Thank you
>
Did your apt upgrade turn clamd on?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Apr 20 00:28:27 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 20 00:28:41 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <200704191004.19060.dyioulos@firstbhph.com>
References: <200704191004.19060.dyioulos@firstbhph.com>
Message-ID:

Dimitri Yioulos spake the following on 4/19/2007 7:04 AM:
> On Thursday 19 April 2007 5:35 am, Dörfler Andreas wrote:
>>> Hi,
>>>
>>> I see the same thing on 3 servers. I might revert back to 0.90.1... or
>>> hope that a fix is released soon. I'm using Dag Wieers repository for
>>> clamav.
>>>
>>> Jens
>> hi,
>>
>> don't know if this is a good idea
>>
>>> **Important note**: on April 16th CHM, CAB and PDF handlers will be
>>> disabled for 0.90 and 0.90.1 users through the dynamic engine
>>> configuration module (DCONF). Please upgrade to 0.90.2 immediately.
>> quick check on my system shows me no problems but i run a self compiled
>> version
>>
>> greetings
>> andy
>> --
>
> Likewise, I run a compiled version of 0.90.2, and see no problems.
>
> Dimitri
>
Looking back in my logs, I see better performance. Maybe back to the level that 0.87 ran at. But I am also using clamavmodule. So go figure.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From nauman at worldcall.net.pk Fri Apr 20 06:06:00 2007
From: nauman at worldcall.net.pk (Muhammad Nauman)
Date: Fri Apr 20 06:06:01 2007
Subject: Best Way to Control Relaying?
References: <0JGQ001B8ROB46D0@mxout5.netvision.net.il> <02c001c78273$6dd0aa30$23c051cb@ictnoc>
Message-ID: <007401c78309$96bb4c70$23c051cb@ictnoc>

Is there Any Other Relay Controlling Mechanism in Sendmail, which can override the access file?

And What if I want to Force Sendmail to Authenticate Every User Before sending any mail, once you start your OUTLOOK.

Like when you Exit your Outlook and then login again and then try to send a new mail - it should again ask for AUTH.

Any HELP !!!

Thanks and Regards,

M.Nauman Habib
Network Engineer

----- Original Message -----
From: Muhammad Nauman
To: MailScanner discussion
Sent: Thursday, April 19, 2007 4:11 PM
Subject: Re: Best Way to Control Relaying?

Nopz, it's the same from 4 different machines and I have no whitelisted machine, just configured MailScanner-4.58.9-1 and Sendmail 8.14.1

Thanks and Regards,

M.Nauman Habib
Network Engineer

----- Original Message -----
From: Arthur Sherman
To: 'MailScanner discussion'
Sent: Thursday, April 19, 2007 3:53 PM
Subject: RE: Best Way to Control Relaying?

could it be that you connect from whitelisted machine?

Best,

--
Arthur

--------------------------------------------------------------------------
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Muhammad Nauman
Sent: Thursday, April 19, 2007 1:42 PM
To: MailScanner discussion
Subject: Best Way to Control Relaying?

Best Way to Control Relaying?

--------------------------------------------------------------------------

Hi all,

Despite having this in my access file

# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
AUTH : OK
* : REJECT

# makemap hash /etc/mail/access.db < /etc/mail/access

and I can clearly see that my sendmail is compiled with AUTH options - As I telnet from another machine

250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP

It's still Not blocking the mail

250 HELP
Mail from:no at no.com
250 2.1.0 no at no.com... Sender ok
RCPT to:no at no.com
250 2.1.5 no at no.com... Recipient ok

Any idea as to why it is still acting like this - where it should not !!

My Sendmail is Compiled with these options as in devtools/Site/site

##############################################################

APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')
dnl SASL2
APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl')
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
dnl BERKELEY DB
APPENDDEF(`confMAPDEF', `-DNEWDB')

#################################################################

my Sendmail.mc is :

----------------------------------------------------------------

divert(-1)dnl

divert(0)dnl
VERSIONID(`Custom Linux config by Douglas Hunley /doug at hunley.homeip.net/ ')
OSTYPE(linux)dnl
DOMAIN(generic)dnl
undefine(`UUCP_RELAY')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`delay_checks')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `25000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `100')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `9')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`local_procmail')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`nouucp',`reject')dnl
FEATURE(`redirect')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtuser_entire_domain')dnl
FEATURE(access_db, `hash -T /etc/mail/access')dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
define(`confDONT_PROBE_INTERFACES', true)dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl
define(`confTO_IDENT',`0')dnl
define(`confSMTP_LOGIN_MSG',`')dnl
define(`confMIN_FREE_BLOCKS', 4000)dnl
define(`confMAX_DAEMON_CHILDREN', 100)dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,noexpn,novrfy,noetrn,needmailhelo,restrictmailq,restrictqrun,restrictexpand,nobodyreturn')dnl
define(`HELP_FILE', `/dev/null')dnl
FEATURE(smrsh, `/usr/sbin/smrsh')dnl
FEATURE(ratecontrol)dnl
FEATURE(conncontrol)dnl
dnl FEATURE(`greet_pause',`3000')dnl
FEATURE(`mailertable')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
MAILER(local)dnl
MAILER(procmail)dnl
MAILER(smtp)dnl
___________________________________________________________________________________________________________________

I'm Really Worried Because Even When I Empty my Access file and then Makemap hash Access.db file it still allows mail as :

>telnet 192.168.1.9 25

220 ESMTP
ehlo qmail
250-worldcall.net.pk Hello noc.worldcall.net.pk [203.81.1] you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 25000000
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
mail from:anyone@what.com
250 2.1.0 anyone@what.com... Sender ok
rcpt to:all@all.com
250 2.1.5 all@all.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
.
354 Enter mail, end with "." on a line by itself
250 2.0.0 l3JFQaWT004671 Message accepted for delivery

Please HELP !!

Thanking in Advance.

Nauman.

----------------------------------------------------------------------------
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070420/33eda0ec/attachment.html

From azher at niit.edu.pk Fri Apr 20 06:23:42 2007
From: azher at niit.edu.pk (Azher Amin) Date: Fri Apr 20 06:24:06 2007 Subject: Best Way to Control Relaying? In-Reply-To: <007401c78309$96bb4c70$23c051cb@ictnoc> References: <0JGQ001B8ROB46D0@mxout5.netvision.net.il> <02c001c78273$6dd0aa30$23c051cb@ictnoc> <007401c78309$96bb4c70$23c051cb@ictnoc> Message-ID: <46284E5E.5040105@niit.edu.pk> Hi Nauman, To force everyone for the Auth before sending email, try enabling SMTP-AUTH with SASL and removing your local ip blocks from access. -Azher Amin Muhammad Nauman wrote: > Is there Any Other Relay Controlling Mechanism in Sendmail, which can > over ride the access file ? > > And What if i want to Force Sendmail to Authenticate Every User Before > sending any mail , once you start your OUTLOOK . > > Like when you Exit you outlook and then login again and then try to > send a new mail - it should again ask for AUTH. > > Any HELP !!! > > > Thanks and Regards, > > M.Nauman Habib > Network Engineer > > ----- Original Message ----- > *From:* Muhammad Nauman > *To:* MailScanner discussion > > *Sent:* Thursday, April 19, 2007 4:11 PM > *Subject:* Re: Best Way to Control Relaying? > > Nopz, it the same from 4 difference machines and i have no > whitelisted machine , just configured MailScanner-4.58.9-1 > and Sendmail 8.14.1 > > Thanks and Regards, > > M.Nauman Habib > Network Engineer > > ----- Original Message ----- > *From:* Arthur Sherman > *To:* 'MailScanner discussion' > > *Sent:* Thursday, April 19, 2007 3:53 PM > *Subject:* RE: Best Way to Control Relaying? > > could it be that you connect from whitelisted machine? > > > Best, > > -- > Arthur > > > > ------------------------------------------------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] *On > Behalf Of *Muhammad Nauman > *Sent:* Thursday, April 19, 2007 1:42 PM > *To:* MailScanner discussion > *Subject:* Best Way to Control Relaying? > > > Best Way to Control Relaying? 
> > ------------------------------------------------------------------------ > > Hi all, > > Despite having this in my access file > > # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc > # package. > # > # by default we allow relaying from localhost... > localhost.localdomain RELAY > localhost RELAY > AUTH : OK > * : REJECT > > # makemap hash /etc/mail/access.db < /etc/mail/access > > and i can clearly see the my sendmail is compiled with AUTH options - As i telnet from another machine > > 250-ENHANCEDSTATUSCODES > 250-PIPELINING > 250-8BITMIME > 250-SIZE 15000000 > 250-AUTH LOGIN PLAIN > 250-DELIVERBY > 250 HELP > > Its still Not blocking the mail > > 250 HELP > Mail from:*MailScanner has detected a possible fraud attempt from "lists.mailscanner.info" claiming to be* no at no.com > 250 2.1.0 *MailScanner has detected a possible fraud attempt from "lists.mailscanner.info" claiming to be* no at no.com... Sender ok > RCPT to:*MailScanner has detected a possible fraud attempt from "lists.mailscanner.info" claiming to be* no at no.com > 250 2.1.5 *MailScanner has detected a possible fraud attempt from "lists.mailscanner.info" claiming to be* no at no.com... Recipient ok > > Any idea to why is it still acting like this - where it should not !! 
> > My Sendmail is Compiled with these options as in devtools/Site/site > > ############################################################## > > APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER') > APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE') > dnl SASL2 > APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL=2') > APPENDDEF(`conf_sendmail_LIBS', `-lsasl2') > APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl') > APPENDDEF(`confINCDIRS', `-I/usr/local/include') > dnl BERKELEY DB > APPENDDEF(`confMAPDEF', `-DNEWDB') > > ################################################################# > > my Sendmail.mc is : > > ---------------------------------------------------------------- > > divert(-1)dnl > > divert(0)dnl > VERSIONID(`Custom Linux config by Douglas Hunley /doug at hunley.homeip.net/ ') > OSTYPE(linux)dnl > DOMAIN(generic)dnl > undefine(`UUCP_RELAY')dnl > FEATURE(nouucp, `reject')dnl > FEATURE(`delay_checks')dnl > undefine(`BITNET_RELAY')dnl > define(`confAUTH_OPTIONS', `A')dnl > define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl > TRUST_AUTH_MECH(`LOGIN PLAIN')dnl > define(`confDEF_CHAR_SET', `iso-8859-1')dnl > define(`confMAX_MESSAGE_SIZE', `25000000')dnl Denial of Service Attacks > define(`confMAX_DAEMON_CHILDREN', `100')dnl Denial of Service Attacks > define(`confCONNECTION_RATE_THROTTLE', `9')dnl Denial of Service Attacks > define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks > define(`confSINGLE_LINE_FROM_HEADER', `True')dnl > define(`confSMTP_LOGIN_MSG', `$j')dnl > define(`confDONT_PROBE_INTERFACES', `True')dnl > define(`confTO_INITIAL', `6m')dnl > define(`confTO_CONNECT', `20s')dnl > define(`confTO_HELO', `5m')dnl > define(`confTO_HOSTSTATUS', `2m')dnl > define(`confTO_DATAINIT', `6m')dnl > define(`confTO_DATABLOCK', `35m')dnl > define(`confTO_DATAFINAL', `35m')dnl > define(`confDIAL_DELAY', `20s')dnl > define(`confNO_RCPT_ACTION', `add-apparently-to')dnl > define(`confALIAS_WAIT', `0')dnl > define(`confMAX_HOP', `35')dnl > 
define(`confQUEUE_LA', `5')dnl
> define(`confREFUSE_LA', `12')dnl
> define(`confSEPARATE_PROC', `False')dnl
> define(`confCON_EXPENSIVE', `true')dnl
> define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
> define(`confWORK_TIME_FACTOR', `3000')dnl
> define(`confQUEUE_SORT_ORDER', `Time')dnl
> define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
> FEATURE(`generics_entire_domain')dnl
> FEATURE(`local_procmail')dnl
> FEATURE(`masquerade_envelope')dnl
> FEATURE(`nouucp',`reject')dnl
> FEATURE(`redirect')dnl
> FEATURE(`relay_entire_domain')dnl
> FEATURE(`use_cw_file')dnl
> FEATURE(`virtuser_entire_domain')dnl
> FEATURE(access_db, `hash -T /etc/mail/access')dnl
> FEATURE(lookupdotdomain)dnl
> FEATURE(`blacklist_recipients')dnl
> FEATURE(`no_default_msa')dnl
> define(`confDONT_PROBE_INTERFACES', true)dnl
> define(`confBAD_RCPT_THROTTLE',`2')dnl
> define(`confTO_IDENT',`0')dnl
> define(`confSMTP_LOGIN_MSG',`')dnl
> define(`confMIN_FREE_BLOCKS', 4000)dnl
> define(`confMAX_DAEMON_CHILDREN', 100)dnl
> define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
> define(`STATUS_FILE', `/etc/mail/statistics')dnl
> FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
> define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,noexpn,novrfy,noetrn,needmailhelo,restrictmailq,restrictqrun,restrictexpand,nobodyreturn')dnl
> define(`HELP_FILE', `/dev/null')dnl
> FEATURE(smrsh, `/usr/sbin/smrsh')dnl
> FEATURE(ratecontrol)dnl
> FEATURE(conncontrol)dnl
> dnl FEATURE(`greet_pause',`3000')dnl
> FEATURE(`mailertable')dnl
> FEATURE(`always_add_domain')dnl
> FEATURE(`use_cw_file')dnl
> FEATURE(`local_procmail')dnl
> MAILER(local)dnl
> MAILER(procmail)dnl
> MAILER(smtp)dnl
> ___________________________________________________________________________________________________________________
>
> I'm really worried because even when I empty my access file and then makemap hash the access.db file it still allows mail as:
>
> >telnet 192.168.1.9 25
>
> 220 ESMTP
> ehlo qmail
> 250-worldcall.net.pk Hello noc.worldcall.net.pk [203.81.1] you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 25000000
> 250-AUTH LOGIN PLAIN
> 250-DELIVERBY
> 250 HELP
> mail from:anyone@what.com
> 250 2.1.0 anyone@what.com ... Sender ok
> rcpt to:all@all.com
> 250 2.1.5 all@all.com ... Recipient ok
> data
>
> 354 Enter mail, end with "." on a line by itself
> .
>
> 354 Enter mail, end with "." on a line by itself
> 250 2.0.0 l3JFQaWT004671 Message accepted for delivery
>
> Please HELP !!
>
> Thanking in Advance.
>
> Nauman.
>
> ------------------------------------------------------------------------
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* , and is
> believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From azher at niit.edu.pk Fri Apr 20 06:25:23 2007
From: azher at niit.edu.pk (Azher Amin)
Date: Fri Apr 20 06:25:48 2007
Subject: Best Way to Control Relaying?
In-Reply-To: <007401c78309$96bb4c70$23c051cb@ictnoc>
References: <0JGQ001B8ROB46D0@mxout5.netvision.net.il> <02c001c78273$6dd0aa30$23c051cb@ictnoc> <007401c78309$96bb4c70$23c051cb@ictnoc>
Message-ID: <46284EC3.1070501@niit.edu.pk>

Further you can also configure SASL to authenticate from MYSQL for allowing SMTP-AUTH to everyone or not.

-Azher

Muhammad Nauman wrote:
> Is there any other relay controlling mechanism in Sendmail, which can
> override the access file?
>
> And what if I want to force Sendmail to authenticate every user before
> sending any mail, once you start your Outlook.
>
> Like when you exit your Outlook and then login again and then try to
> send a new mail - it should again ask for AUTH.
>
> Any HELP !!!
>
> Thanks and Regards,
>
> M.Nauman Habib
> Network Engineer
>
> ----- Original Message -----
> *From:* Muhammad Nauman
> *To:* MailScanner discussion
> *Sent:* Thursday, April 19, 2007 4:11 PM
> *Subject:* Re: Best Way to Control Relaying?
>
> Nopz, it is the same from 4 different machines and I have no
> whitelisted machine, just configured MailScanner-4.58.9-1
> and Sendmail 8.14.1
>
> Thanks and Regards,
>
> M.Nauman Habib
> Network Engineer
>
> ----- Original Message -----
> *From:* Arthur Sherman
> *To:* 'MailScanner discussion'
> *Sent:* Thursday, April 19, 2007 3:53 PM
> *Subject:* RE: Best Way to Control Relaying?
>
> could it be that you connect from whitelisted machine?
>
> Best,
>
> --
> Arthur
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On
> Behalf Of *Muhammad Nauman
> *Sent:* Thursday, April 19, 2007 1:42 PM
> *To:* MailScanner discussion
> *Subject:* Best Way to Control Relaying?
>
> Best Way to Control Relaying?
>
> ------------------------------------------------------------------------
>
> Hi all,
>
> Despite having this in my access file
>
> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
> # package.
> #
> # by default we allow relaying from localhost...
> localhost.localdomain RELAY
> localhost RELAY
> AUTH : OK
> * : REJECT
>
> # makemap hash /etc/mail/access.db < /etc/mail/access
>
> and I can clearly see that my sendmail is compiled with AUTH options - as I telnet from another machine
>
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 15000000
> 250-AUTH LOGIN PLAIN
> 250-DELIVERBY
> 250 HELP
>
> It's still not blocking the mail
>
> 250 HELP
> Mail from:*MailScanner has detected a possible fraud attempt from "lists.mailscanner.info" claiming to be* no at no.com
> 250 2.1.0 *MailScanner has detected a possible fraud attempt from "lists.mailscanner.info" claiming to be* no at no.com... Sender ok
> RCPT to:*MailScanner has detected a possible fraud attempt from "lists.mailscanner.info" claiming to be* no at no.com
> 250 2.1.5 *MailScanner has detected a possible fraud attempt from "lists.mailscanner.info" claiming to be* no at no.com... Recipient ok
>
> Any idea why it is still acting like this - where it should not !!
>
> My Sendmail is compiled with these options as in devtools/Site/site
>
> ##############################################################
>
> APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
> APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE')
> dnl SASL2
> APPENDDEF(`conf_sendmail_ENVDEF', `-DSASL=2')
> APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
> APPENDDEF(`confLIBDIRS', `-L/usr/local/lib/sasl')
> APPENDDEF(`confINCDIRS', `-I/usr/local/include')
> dnl BERKELEY DB
> APPENDDEF(`confMAPDEF', `-DNEWDB')
>
> #################################################################
>
> My Sendmail.mc is:
>
> ----------------------------------------------------------------
>
> divert(-1)dnl
>
> divert(0)dnl
> VERSIONID(`Custom Linux config by Douglas Hunley /doug at hunley.homeip.net/ ')
> OSTYPE(linux)dnl
> DOMAIN(generic)dnl
> undefine(`UUCP_RELAY')dnl
> FEATURE(nouucp, `reject')dnl
> FEATURE(`delay_checks')dnl
> undefine(`BITNET_RELAY')dnl
> define(`confAUTH_OPTIONS', `A')dnl
> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> define(`confDEF_CHAR_SET', `iso-8859-1')dnl
> define(`confMAX_MESSAGE_SIZE', `25000000')dnl Denial of Service Attacks
> define(`confMAX_DAEMON_CHILDREN', `100')dnl Denial of Service Attacks
> define(`confCONNECTION_RATE_THROTTLE', `9')dnl Denial of Service Attacks
> define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
> define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
> define(`confSMTP_LOGIN_MSG', `$j')dnl
> define(`confDONT_PROBE_INTERFACES', `True')dnl
> define(`confTO_INITIAL', `6m')dnl
> define(`confTO_CONNECT', `20s')dnl
> define(`confTO_HELO', `5m')dnl
> define(`confTO_HOSTSTATUS', `2m')dnl
> define(`confTO_DATAINIT', `6m')dnl
> define(`confTO_DATABLOCK', `35m')dnl
> define(`confTO_DATAFINAL', `35m')dnl
> define(`confDIAL_DELAY', `20s')dnl
> define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
> define(`confALIAS_WAIT', `0')dnl
> define(`confMAX_HOP', `35')dnl
> define(`confQUEUE_LA', `5')dnl
> define(`confREFUSE_LA', `12')dnl
> define(`confSEPARATE_PROC', `False')dnl
> define(`confCON_EXPENSIVE', `true')dnl
> define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
> define(`confWORK_TIME_FACTOR', `3000')dnl
> define(`confQUEUE_SORT_ORDER', `Time')dnl
> define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
> FEATURE(`generics_entire_domain')dnl
> FEATURE(`local_procmail')dnl
> FEATURE(`masquerade_envelope')dnl
> FEATURE(`nouucp',`reject')dnl
> FEATURE(`redirect')dnl
> FEATURE(`relay_entire_domain')dnl
> FEATURE(`use_cw_file')dnl
> FEATURE(`virtuser_entire_domain')dnl
> FEATURE(access_db, `hash -T /etc/mail/access')dnl
> FEATURE(lookupdotdomain)dnl
> FEATURE(`blacklist_recipients')dnl
> FEATURE(`no_default_msa')dnl
> define(`confDONT_PROBE_INTERFACES', true)dnl
> define(`confBAD_RCPT_THROTTLE',`2')dnl
> define(`confTO_IDENT',`0')dnl
> define(`confSMTP_LOGIN_MSG',`')dnl
> define(`confMIN_FREE_BLOCKS', 4000)dnl
> define(`confMAX_DAEMON_CHILDREN', 100)dnl
> define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
> define(`STATUS_FILE', `/etc/mail/statistics')dnl
> FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
> define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,noexpn,novrfy,noetrn,needmailhelo,restrictmailq,restrictqrun,restrictexpand,nobodyreturn')dnl
> define(`HELP_FILE', `/dev/null')dnl
> FEATURE(smrsh, `/usr/sbin/smrsh')dnl
> FEATURE(ratecontrol)dnl
> FEATURE(conncontrol)dnl
> dnl FEATURE(`greet_pause',`3000')dnl
> FEATURE(`mailertable')dnl
> FEATURE(`always_add_domain')dnl
> FEATURE(`use_cw_file')dnl
> FEATURE(`local_procmail')dnl
> MAILER(local)dnl
> MAILER(procmail)dnl
> MAILER(smtp)dnl
> ___________________________________________________________________________________________________________________
>
> I'm really worried because even when I empty my access file and then makemap hash the access.db file it still allows mail as:
>
> >telnet 192.168.1.9 25
>
> 220 ESMTP
> ehlo qmail
> 250-worldcall.net.pk Hello noc.worldcall.net.pk [203.81.1] you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 25000000
> 250-AUTH LOGIN PLAIN
> 250-DELIVERBY
> 250 HELP
> mail from:anyone@what.com
> 250 2.1.0 anyone@what.com ... Sender ok
> rcpt to:all@all.com
> 250 2.1.5 all@all.com ... Recipient ok
> data
>
> 354 Enter mail, end with "." on a line by itself
> .
>
> 354 Enter mail, end with "." on a line by itself
> 250 2.0.0 l3JFQaWT004671 Message accepted for delivery
>
> Please HELP !!
>
> Thanking in Advance.
>
> Nauman.
>
> ------------------------------------------------------------------------
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* , and is
> believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From nauman at worldcall.net.pk Fri Apr 20 07:04:00 2007
From: nauman at worldcall.net.pk (Muhammad Nauman)
Date: Fri Apr 20 07:04:01 2007
Subject: Best Way to Control Relaying?
References: <0JGQ001B8ROB46D0@mxout5.netvision.net.il> <02c001c78273$6dd0aa30$23c051cb@ictnoc><007401c78309$96bb4c70$23c051cb@ictnoc> <46284EC3.1070501@niit.edu.pk>
Message-ID: <00a501c78311$b115d830$23c051cb@ictnoc>

I have no IP in the access file - and I am using SMTP Auth - with SASL.

It is that - when I do check the box in my e-mail setting to ask for authentication - it works fine. But when I uncheck the box, it still doesn't block sending - which it should !!!

Is there any other way - Sendmail - automatically starts building the whitelist ???

Thanks and Regards,

M.Nauman Habib
Network Engineer

----- Original Message -----
From: "Azher Amin"
To: "MailScanner discussion"
Sent: Friday, April 20, 2007 10:25 AM
Subject: Re: Best Way to Control Relaying?

> Further you can also configure SASL to authenticate from MYSQL for
> allowing SMTP-AUTH to everyone or not.
>
> -Azher
>
> Muhammad Nauman wrote:
>> Is there any other relay controlling mechanism in Sendmail, which can
>> override the access file?
>> And what if I want to force Sendmail to authenticate every user before
>> sending any mail, once you start your Outlook.
>> Like when you exit your Outlook and then login again and then try to send
>> a new mail - it should again ask for AUTH.
>> Any HELP !!!
>> # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
>> # package.
>> #
>> # by default we allow relaying from localhost...
>> localhost.localdomain RELAY
>> localhost RELAY
>> AUTH : OK
>> * : REJECT
>>
>> # makemap hash /etc/mail/access.db < /etc/mail/access
>>
>> and I can clearly see that my sendmail is compiled with AUTH
>> options - as I telnet from another machine
>>
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE 15000000
>> 250-AUTH LOGIN PLAIN
>> 250-DELIVERBY
>> 250 HELP
>>
>> It's still not blocking the mail
>>
>> I'm really worried because even when I empty my access file
>> and then makemap hash the access.db file it still allows mail as:
>>
>> >telnet 192.168.1.9 25
>>
>> 220 ESMTP
>> ehlo qmail
>> 250-worldcall.net.pk Hello noc.worldcall.net.pk [203.81.1] you
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE 25000000
>> 250-AUTH LOGIN PLAIN
>> 250-DELIVERBY
>> 250 HELP
>> mail from:anyone@what.com
>> 250 2.1.0 anyone@what.com ... Sender ok
>> rcpt to:all@all.com
>> 250 2.1.5 all@all.com ... Recipient ok
>> data
>>
>> 354 Enter mail, end with "." on a line by itself
>> .
>>
>> 354 Enter mail, end with "." on a line by itself
>> 250 2.0.0 l3JFQaWT004671 Message accepted for delivery
>>
>> Please HELP !!
>>

From list-mailscanner at linguaphone.com Fri Apr 20 08:53:07 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Fri Apr 20 08:53:16 2007
Subject: I need all files that are removed to be quarantined and not deleted.
In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773E30C@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773E30C@ati-ex-02.ati.local>
Message-ID: <1177055587.20780.6.camel@gblades-suse.linguaphone-intranet.co.uk>

On Thu, 2007-04-19 at 23:19, Chris W. Parker wrote:
> Hi Everyone,
>
> This has been a recurring problem here and I've not been able to solve it
> on my own. I REALLY need for MailScanner to quarantine EVERY file that
> it removes from an email so that, if needed, I can use Pine (or some
> such) to send that file to the intended recipient.
>
> My boss had a zip file removed that he needs but I've looked everywhere
> and I can't find a file or a quarantine email even though I've got tons
> of emails quarantined in /var/spool/MailScanner/quarantine/. I don't
> know what's being quarantined or why. (So many options to choose from in
> the MailScanner config.)
>
> I don't want to allow all attachments for one (or more) users and I
> don't want to allow all types of a certain files (e.g. zip files). I
> want to keep the same rules as I have now but add the flexibility of
> resending attachments if I need to.
>
> How can I do this?

Quarantine Infections = yes
Quarantine Silent Viruses = yes
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = no

If you are using clamavmodule have a look on my website http://www.gbnetwork.co.uk/mailscanner/ for a patch to disable clamav detecting encrypted archives as viruses.

Then if you use mailwatch you can use its interface to release messages as long as they don't contain a virus (mailwatch won't allow you to release a virus).

From arturs at netvision.net.il Fri Apr 20 09:28:58 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Fri Apr 20 09:31:22 2007
Subject: Best Way to Control Relaying?
In-Reply-To: <007401c78309$96bb4c70$23c051cb@ictnoc>
Message-ID: <0JGS00GIHFO6WX40@mxout5.netvision.net.il>

Nauman, could you post your sendmail.mc so people get a better clue what is in it?

Please don't post in HTML - I've heard many people are frustrated by HTML in mailing lists, so they won't answer just because of it.

Best,

--
Arthur

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Muhammad Nauman
Sent: Friday, April 20, 2007 8:06 AM
To: MailScanner discussion
Subject: Re: Best Way to Control Relaying?

Is there any other relay controlling mechanism in Sendmail, which can override the access file?

And what if I want to force Sendmail to authenticate every user before sending any mail, once you start your Outlook.

Like when you exit your Outlook and then login again and then try to send a new mail - it should again ask for AUTH.

Any HELP !!!

Thanks and Regards,

M.Nauman Habib
Network Engineer

----- Original Message -----
From: Muhammad Nauman
To: MailScanner discussion
Sent: Thursday, April 19, 2007 4:11 PM
Subject: Re: Best Way to Control Relaying?

Nopz, it is the same from 4 different machines and I have no whitelisted machine, just configured MailScanner-4.58.9-1 and Sendmail 8.14.1

Thanks and Regards,

M.Nauman Habib
Network Engineer

----- Original Message -----
From: Arthur Sherman
To: 'MailScanner discussion'
Sent: Thursday, April 19, 2007 3:53 PM
Subject: RE: Best Way to Control Relaying?

could it be that you connect from whitelisted machine?

Best,

--
Arthur

_____
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070420/d127f30b/attachment-0001.html

From nauman at worldcall.net.pk Fri Apr 20 10:02:58 2007
From: nauman at worldcall.net.pk (Muhammad Nauman)
Date: Fri Apr 20 10:03:06 2007
Subject: Best Way to Control Relaying?
References: <0JGS00GIHFO6WX40@mxout5.netvision.net.il>
Message-ID: <015901c7832a$b4161680$23c051cb@ictnoc>

sendmail.mc file is as follows:

divert(-1)dnl
#copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#
divert(0)dnl
OSTYPE(linux)dnl
DOMAIN(generic)dnl
dnl define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl define(`confDEF_CHAR_SET', `iso-8859-1')dnl
define(`confMAX_MESSAGE_SIZE', `25000000')dnl Denial of Service Attacks
define(`confMAX_DAEMON_CHILDREN', `100')dnl Denial of Service Attacks
define(`confCONNECTION_RATE_THROTTLE', `9')dnl Denial of Service Attacks
define(`confMAXRCPTSPERMESSAGE', `50')dnl Denial of service Attacks
define(`confSINGLE_LINE_FROM_HEADER', `True')dnl
define(`confSMTP_LOGIN_MSG', `$j')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`confTO_INITIAL', `6m')dnl
define(`confTO_CONNECT', `20s')dnl
define(`confTO_HELO', `5m')dnl
define(`confTO_HOSTSTATUS', `2m')dnl
define(`confTO_DATAINIT', `6m')dnl
define(`confTO_DATABLOCK', `35m')dnl
define(`confTO_DATAFINAL', `35m')dnl
define(`confDIAL_DELAY', `20s')dnl
define(`confNO_RCPT_ACTION', `add-apparently-to')dnl
define(`confALIAS_WAIT', `0')dnl
define(`confMAX_HOP', `35')dnl
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `12')dnl
define(`confSEPARATE_PROC', `False')dnl
define(`confCON_EXPENSIVE', `true')dnl
define(`confWORK_RECIPIENT_FACTOR', `1000')dnl
define(`confWORK_TIME_FACTOR', `3000')dnl
define(`confQUEUE_SORT_ORDER', `Time')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun,needmailhelo')dnl
FEATURE(`generics_entire_domain')dnl
FEATURE(`delay_checks')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
FEATURE(`virtuser_entire_domain')dnl
FEATURE(access_db, `hash -T /etc/mail/access')dnl
FEATURE(lookupdotdomain)dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`no_default_msa')dnl
define(`confDONT_PROBE_INTERFACES', true)dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
define(`confTO_IDENT',`0')dnl
define(`confSMTP_LOGIN_MSG',`')dnl
define(`confMIN_FREE_BLOCKS', 4000)dnl
define(`confMAX_DAEMON_CHILDREN', 100)dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,noexpn,novrfy,noetrn,needmailhelo,restrictmailq,restrictqrun,restrictexpand,nobodyreturn')dnl
FEATURE(ratecontrol)dnl
FEATURE(conncontrol)dnl
dnl FEATURE(`greet_pause',`3000')dnl
FEATURE(`mailertable')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(access_db, `hash -T /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
FEATURE(smrsh, `/usr/sbin/smrsh')dnl
FEATURE(`local_procmail')dnl
MAILER(local)dnl
MAILER(procmail)dnl
MAILER(smtp)dnl

Thanks and Regards,

M.Nauman Habib
Network Engineer

Nauman, could you post your sendmail.mc so people get a better clue what is in it?

Please don't post in HTML - I've heard many people are frustrated by HTML in mailing lists, so they won't answer just because of it.

----------------------------------------------------------------------------
Best Way to Control Relaying?
----------------------------------------------------------------------

Hi all,

Despite having this in my access file

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070420/a446081f/attachment.html

From glenn.steen at gmail.com Fri Apr 20 10:21:02 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Apr 20 10:21:17 2007
Subject: stopping clamav detecting encrypted zip files
In-Reply-To:
References: <223f97700704191134wd46ac07nced313d673fb6be0@mail.gmail.com>
Message-ID: <223f97700704200221k12c7e487td5002a7069a87c4a@mail.gmail.com>

On 19/04/07, Gareth wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Glenn
> > Steen
> > Sent: 19 April 2007 19:35
> > To: MailScanner discussion
> > Subject: Re: stopping clamav detecting encrypted zip files
> >
> >
> > On 19/04/07, Gareth wrote:
> > > > -----Original Message-----
> > > > From: mailscanner-bounces@lists.mailscanner.info > > > > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Glenn > > > > Steen > > > > Sent: 19 April 2007 14:33 > > > > To: MailScanner discussion > > > > Subject: Re: stopping clamav detecting encrypted zip files > > > > > > > > > > > > On 05/04/07, Gareth wrote: > > > > > On Thu, 2007-04-05 at 10:10, Dhawal Doshy wrote: > > > > > > Gareth wrote: > > > > > > > On Wed, 2007-04-04 at 17:04, Aaron K. Moore wrote: > > > > > > > > > > > > > >> Are you using the clamavmodule? I've had the same > > > > problem. There's a > > > > > > >> commandline switch to turn that notice if when using > > > > clamscan, but not > > > > > > >> with the module. I'd suggested earlier that someone > > > > should add code for > > > > > > >> clamav, like the code for Sophos that allows you to > > > > specify messages to > > > > > > >> ignore. > > > > > > > > > > > > > > I think its a bug in Mailscanner. There appears to be code > > > > in place in > > > > > > > the routine which calls clamavmodule which disables blocking of > > > > > > > encrypted files if there is a config option 'allowpasszips' > > > > set but I > > > > > > > cannot find that option. > > > > > > > > > > > > > > Anyway below is a diff which disables blocking of > > encrypted archives > > > > > > > which is working fine for me. > > > > > > > > > > > > > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm > > > > > > > 1069c1069 > > > > > > > < > > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > > > > > | > > > > > > > --- > > > > > > >> # > > > > Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() > > > > > > > | > > > > > > > > > > > > [Quoting Julian from 07/20/2005] > > > > > > If you have MailScanner set to allow password-protected > > zip and rar > > > > > > archives, then this option is disabled. If you have it > > set to block > > > > > > password-protected archives, then this option is enabled. 
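Review bot: at line 1069 of /usr/lib/MailScanner/MailScanner/SweepViruses.pm the change comments out Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() outright, so the ClamAV module stops flagging encrypted archives for every message, whatever the configuration says. The same message notes that the calling routine already appears to test an 'allowpasszips' option that could not be found in the config; gating the flag on a real, documented setting would keep the behaviour selectable per site or per ruleset and would not depend on a hand edit to the installed module.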
> > > > > > [Quoting Julian from 07/20/2005]
> > > > > >
> > > > > > See this thread:
> > > > > > http://thread.gmane.org/gmane.mail.virus.mailscanner/30201
> > > > >
> > > > > Thanks. I wanted Mailscanner to block encrypted archives which it does
> > > > > well by itself but not to tell clamav to identify encrypted archives as
> > > > > viruses.
> > > > >
> > > > It's Ruleset Time:
> > > > You want MailScanner to block the initial message, hence you want a
> > > > default of "yes" in the ruleset, but not when releasing from
> > > > quarantine... so ... since this will likely be released from
> > > > 127.0.0.1, make a rule that sets it to "no" (or indeed do this on Scan
> > > > Message) for that IP address. Problem solved:-).
> > > >
> > > > Cheers
> > > > --
> > > > -- Glenn
> > >
> > > Please read my question again. The problem was mailwatch not allowing the
> > > file to be released from quarantine because it was identified as a virus.
> > > Not the fact that a released message was being re-quarantined which your
> > > answer would refer to.
> > >
> > Ah... Sorry for the sloppy reading, been on vacation.... not turned on
> > brain, such as that is, yet:-).
> > What you are really "griping" about is the default behaviour of MW to
> > not let you release (some) harmful content (by not including the
> > necessary checkboxes:). I do believe Aaron mentioned how to get around
> > it... And it shouldn't be hard at all to modify MW to accommodate your
> > idea about letting admin do that. Or simply release the file from a
> > commandline (I'm pretty confident you know your way around that enough
> > to manage;-). If your aim is users releasing this file themselves....
> > this might be slightly more problematic.
> > As I'm sure you realise, one "solution" is to allow encrypted
> > archives, bad as that may seem.... Or switch to clamscan, where that
> > is more readily settable.
> >
> > Cheers
> > --
> > -- Glenn
>
> I did manage to get it working as I wanted it by editing the perl code which
> calls clamavmodule so that password protected archives were not classed as a
> virus. That leaves it down to mailscanner to detect itself which then as it
> is just classed as a blocked attachment and not a virus allows mailwatch to
> release it.
>
> I have the patch together with a few other customisations I have made
> detailed on my webpage :-
> http://www.gbnetwork.co.uk/mailscanner/index.html
>
Ah great. Perhaps when Jules is better he'll grace us with yet another config option for this:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mkellermann at net-com.de Fri Apr 20 11:48:57 2007
From: mkellermann at net-com.de (Matthias Kellermann)
Date: Fri Apr 20 11:58:11 2007
Subject: Forwarding x unscanned messages / slow scanning
Message-ID: <46289A99.2040109@net-com.de>

Hi folks,

I've a running MailScanner system with Postfix.

When the queue runs full (about 250 messages) I get lots of messages like this from MailScanner:

Apr 20 12:40:39 server check[23677]: Batch completed at 895 bytes per second (35672 / 39)
Apr 20 12:40:39 server check[23677]: Batch (3 messages) processed in 39.83 seconds
Apr 20 12:40:39 server check[23677]: New Batch: Found 195 messages waiting
Apr 20 12:40:39 server check[23677]: New Batch: Forwarding 1 unscanned messages, 1916 bytes
Apr 20 12:40:39 server check[23677]: New Batch: Scanning 3 messages, 108887 bytes

It needs a long time (about 30 minutes) to clear the queue because MailScanner is too slow.

There are lots of messages in the queue that shouldn't be scanned because I've set up my own scanning rule (scan.messages.rules). So I think these messages should get processed very fast by MailScanner, but they aren't.

Here are my settings in the MailScanner.conf file:

Max Unscanned Bytes Per Scan = 10000
Max Unsafe Bytes Per Scan = 50000
Max Unscanned Messages Per Scan = 10
Max Unsafe Messages Per Scan = 10

Maximal MailScanner children:
Max Children = 4

I've played with the Unscanned-/Unsafe-settings with no success. Can you give me any hints to speed up things?

Thanks in advance.

Best Regards
Matthias

From martinh at solidstatelogic.com Fri Apr 20 12:16:58 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Apr 20 12:17:18 2007
Subject: Forwarding x unscanned messages / slow scanning
In-Reply-To: <46289A99.2040109@net-com.de>
Message-ID: <90a40646b14bf74b8ad38577e92724e9@solidstatelogic.com>

Matthias

http://wiki.mailscanner.info/doku.php?id=documentation:test_troubleshoot:performance

also

http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips

I'd also ask how much RAM/ CPU you've got.

A local caching DNS server on the computer can make a huge difference too.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From nauman at worldcall.net.pk Fri Apr 20 12:35:48 2007 
From: nauman at worldcall.net.pk (Muhammad Nauman)
Date: Fri Apr 20 12:35:48 2007
Subject: Best Way to Control Relaying?
References: <0JGS00GIHFO6WX40@mxout5.netvision.net.il> <015901c7832a$b4161680$23c051cb@ictnoc>
Message-ID: <01f001c78340$0ae872e0$23c051cb@ictnoc>

I have this unusual behavior from sendmail.

Once I start sending mails at yahoo and hotmail (after being AUTHENTICATED), then I exit my outlook - login again from a different user, keeping the AUTH unchecked - the mails are just going and going.

Seems like there is some decision made on the base of IP - anyone has an idea of this?

Does Sendmail perform any such task ????

Thanks and Regards,
M.Nauman Habib

--------------------------------------------------------------------------------
Best Way to Control Relaying?
--------------------------------------------------------------------
Hi all,
Despite having this in my access file

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070420/252dcc35/attachment.html

From mkellermann at net-com.de Fri Apr 20 12:46:58 2007
From: mkellermann at net-com.de (Matthias Kellermann)
Date: Fri Apr 20 12:46:59 2007
Subject: Forwarding x unscanned messages / slow scanning
In-Reply-To: <90a40646b14bf74b8ad38577e92724e9@solidstatelogic.com>
References: <90a40646b14bf74b8ad38577e92724e9@solidstatelogic.com>
Message-ID: <4628A832.3000008@net-com.de>

Thanks Martin.

Some facts about the machine:

1 x Intel(R) Pentium(R) D CPU 3.00GHz
2GByte RAM

Timing cached reads: 2168 MB in 1.99 seconds = 1092.10 MB/sec
Timing buffered disk reads: 94 MB in 3.00 seconds = 31.32 MB/sec

OS: Debian Etch

Here are a few things I've already done to speed things up:
- using a ramdisk for the MS working directory
- setting the clamav & spamassassin timeouts lower
- lowered the max. MS processes to 3

The DNS server I use is on the same network. Perhaps I'll try to use a local caching DNS though.

Just wondering why MS is so slow about the messages that I defined in the scan.messages.rules not to be scanned. Any ideas?

Best Regards
Matthias

Martin.Hepworth wrote:
> Matthias
>
> http://wiki.mailscanner.info/doku.php?id=documentation:test_troubleshoot:performance
>
> also
>
> http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips
>
> I'd also ask how much RAM/ CPU you've got.
>
> A local caching DNS server on the computer can make a huge difference
> too.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Fri Apr 20 13:51:57 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Apr 20 13:52:18 2007
Subject: Forwarding x unscanned messages / slow scanning
In-Reply-To: <4628A832.3000008@net-com.de>
Message-ID: <34fc6ec215ba79419fef2d19f14c40a6@solidstatelogic.com>

Matthias

Doing a local caching nameserver will have dramatic results....someone on the IRC channel did the other day and the scan times dropped from 55secs per batch to around 20-30.

I'd also check what RBLs you're scanning especially in spamassassin. If you're doing all of them you may want to consider just running a couple in SA by giving the others a zero score in /etc/mail/spamassassin/mailscanner.cf

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From root at doctor.nl2k.ab.ca Fri Apr 20 14:06:44 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Fri Apr 20 14:08:15 2007
Subject: Problems receiving E-mail
In-Reply-To: <60D398EB2DB948409CA1F50D8AF122570230D798@exch1.dekalbmemorial.local>
References: <60D398EB2DB948409CA1F50D8AF122570230D798@exch1.dekalbmemorial.local>
Message-ID: <20070420130643.GA4333@doctor.nl2k.ab.ca>

On Tue, Apr 17, 2007 at 03:50:30PM -0400, Aaron K. Moore wrote:
> > We are having problems receiving mail from large e-mail hosting
> > companies such as Yahoo, Hotmail, Bell Canada, Telus , Shaw and maybe
> > others.
>
> Are you using any RBLs within sendmail or any other milters? I've had
> problems with some of the less reliable RBLs adding ISP mail servers.
>
> > I have used sendmail 8.13.8 and 8.14.1 and the problem is ever-present.
> >
> > Here is a snippet from my logs of an e-mail that was supposed to go
> > to me and never got to me:
> >
> > Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: from=<>, size=5575, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=incomingmailserver [IP of incoming Mail Server]
> > Apr 6 20:02:00 doctor clamav-milter[805]: l3721wnV001728: clean message from <>
> > Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: Milter add: header: X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7 on doctor.nl2k.ab.ca
> > Apr 6 20:02:00 doctor sendmail[1728]: l3721wnV001728: Milter add: header: X-Virus-Status: Clean
> >
> > What is needed to resolve the problem so that all mail can make it
> > through?
>

You might be correct. I had set High score on RBLs to 3.

As soon as I changed the High Scoring spams from deleted to deliver with tag, the problem soon just turned into an RBL/ISP-on-the-other-side problem.

Now what I would like to do is to add a message in the body of the e-mail indicating that the other side is listed in a black hole.

How do I do that?

> --
> Aaron Kent Moore
> Information Technology Services
> DeKalb Memorial Hospital, Inc.
> Auburn, Indiana
> Phone: 260.920.2808
> E-Mail: amoore@dekalbmemorial.com

From mkellermann at net-com.de Fri Apr 20 14:38:34 2007
From: mkellermann at net-com.de (Matthias Kellermann)
Date: Fri Apr 20 14:38:56 2007
Subject: Forwarding x unscanned messages / slow scanning
In-Reply-To: <34fc6ec215ba79419fef2d19f14c40a6@solidstatelogic.com>
References: <34fc6ec215ba79419fef2d19f14c40a6@solidstatelogic.com>
Message-ID: <4628C25A.2010604@net-com.de>

Thank you, now I've set up a local caching DNS. Seems to really speed up things.

I don't use any RBLs, so this shouldn't be the problem. I'll wait and see how the next big mailing will be processed by mailscanner ;)

Best Regards
Matthias

Martin.Hepworth wrote:
> Matthias
>
> Doing a local caching nameserver will have dramatic results....someone
> on the IRC channel did the other day and the scan times dropped from 55secs
> per batch to around 20-30.
>
> I'd also check what RBLs you're scanning especially in spamassassin. If
> you're doing all of them you may want to consider just running a couple
> in SA by giving the others a zero score in
> /etc/mail/spamassassin/mailscanner.cf
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

From jstevens at athensdistributing.com Fri Apr 20 16:39:59 2007
From: jstevens at athensdistributing.com (James R. Stevens)
Date: Fri Apr 20 16:40:11 2007
Subject: Coming from everywhere
Message-ID: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com>

Have we already addressed these 'Failure notice', 'Undeliverable' -mails that are coming from everywhere. It seems to be more and more users are seeing these messages getting through. Some 100 per day.

Anyone else seeing these things? Different subjects etc..

--
This message has been scanned for viruses and
dangerous content by Athens Hyperion Scanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070420/9d262138/attachment.html

From cparker at swatgear.com Fri Apr 20 16:40:14 2007
From: cparker at swatgear.com (Chris W. Parker)
Date: Fri Apr 20 16:40:18 2007
Subject: I need all files that are removed to be quarantined and notdeleted.
References: <97FD54B5E57A1842AA1A4B232E47611773E30C@ati-ex-02.ati.local> <1177055587.20780.6.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <97FD54B5E57A1842AA1A4B232E47611773E312@ati-ex-02.ati.local>

On Friday, April 20, 2007 12:53 AM Gareth <> said:

>> How can I do this?

> Quarantine Infections = yes
> Quarantine Silent Viruses = yes
> Quarantine Modified Body = no
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
> Keep Spam And MCP Archive Clean = no
>
> If you are using clamavmodule have a look on my website
> http://www.gbnetwork.co.uk/mailscanner/ for a patch to disable clamav
> detecting encrypted archives as viruses. Then if you use mailwatch you
> can use its interface to release messages as long as they don't
> contain a virus (mailwatch won't allow you to release a virus).

Great thanks. I'll give them a try.

Chris.

From tonyc at foe.co.uk Fri Apr 20 16:52:21 2007
From: tonyc at foe.co.uk (Tony Canning)
Date: Fri Apr 20 16:52:42 2007
Subject: stopping clamav detecting encrypted zip files
Message-ID: <200704201552.l3KFqLs02994@portia.foe.co.uk>

Hi,

I've been following this thread with interest as I still haven't solved this problem on my network, as posted previously (see below). I have allowed encrypted messages in MailScanner.conf, and disabled everything I can find which might be blocking them, but we still can't send or receive password-protected zip files unless I bypass mailscanner completely.. if anyone can suggest anything further it would be appreciated..

thanks

Tony Canning

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info on behalf of Tony Canning [tonyc@foe.co.uk]
Sent: 15 March 2007 12:10
To: mailscanner@lists.mailscanner.info
Subject: RE: Problem with password protected spreadsheets

>>Tony Canning wrote:
>> I have a problem which is upsetting several of our network users - password protected excel (.xls) files are not delivered, in-bound or out-bound.
>>
>> I am using MailScanner-4.57.6, with Sophos, ClamAV & Spamassassin under Solaris.
>> Here is a sample of the problem from the system log:
>>
>> Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: ClamAV found 1 infections
>> Mar 13 17:03:31 localhost MailScanner[6078]: Infected message l2DH2wid008740 came from 172.16.1.13
>> Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: Found 1 viruses
>> Mar 13 17:03:31 localhost MailScanner[6078]: tag found in message l2DH2wid008740 from v.harwood-smart@foe.co.uk
>> Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning completed at 959 bytes per second
>> Mar 13 17:03:31 localhost MailScanner[6078]: Viruses marked as silent: Password protected file ./l2DH2wid008740/rolling phone upgrade gift aid decs.zip/rolling phone upgrade gift aid decs.txt
>>
>> It appears from the above that ClamAV is treating it as false positive virus?

> That's not a password protected XLS, it's a password protected .zip file containing a .txt file.

Yes, you're right of course from the example I provided - here is the same thing happening with a spreadsheet:

Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning: ClamAV found 1 infections
Mar 8 10:01:59 localhost MailScanner[25266]: Infected message l28A1aid025590 came from 172.16.1.13
Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning: Found 1 viruses
Mar 8 10:01:59 localhost MailScanner[25266]: tag found in message l28A1aid025590 from v.harwood-smart@foe.co.uk
Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning completed at 24252 bytes per second
Mar 8 10:01:59 localhost MailScanner[25266]: Viruses marked as silent: Password protected file ./l28A1aid025590/Rolling Phone Upgrade Data Output.xls

>> I have the following parameters configured:
>>
>> Silent Viruses = HTML-IFrame All-Viruses
>> Still Deliver Silent Viruses = no
>> Block Encrypted Messages = no
>> Allow Password-Protected Archives = yes
>> Allowed Sophos Error Messages = "File was encrypted"
>>

> From the looks of it, you're using clamav, not clamavmodule. Do you have the "block-encrypted" option in /usr/lib/MailScanner/clamav-wrapper?

--
No, there is no entry relating to encryption at all.

Thanks

Tony

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From cparker at swatgear.com Fri Apr 20 16:56:38 2007
From: cparker at swatgear.com (Chris W. Parker) Date: Fri Apr 20 16:56:41 2007 Subject: Coming from everywhere References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> Message-ID: <97FD54B5E57A1842AA1A4B232E47611773E313@ati-ex-02.ati.local> On Friday, April 20, 2007 8:40 AM James R. Stevens <> said: > Have we already addressed these 'Failure notice' , 'Undeliverable' > -mails that are coming from everywhere. It seems to be more and more > users are seeing these messages getting through. Some 100 per day. > > > > Anyone else seeing these things? Different subjects etc.. Yeah those messages exploded for me several weeks ago. I've just been ignoring them though since no one has complained to me here. Chris. From mkettler at evi-inc.com Fri Apr 20 16:58:54 2007 From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Apr 20 16:59:01 2007 Subject: Coming from everywhere In-Reply-To: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> Message-ID: <4628E33E.3030907@evi-inc.com> James R. Stevens wrote: > Have we already addressed these 'Failure notice' , 'Undeliverable' > -mails that are coming from everywhere. It seems to be more and more > users are seeing these messages getting through. Some 100 per day. > > > > Anyone else seeing these things? Different subjects etc.. http://www.google.com/search?hl=en&q=backscatter+email&btnG=Search From ka at pacific.net Fri Apr 20 17:01:04 2007 
From: ka at pacific.net (Ken A) Date: Fri Apr 20 17:01:06 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <200704201552.l3KFqLs02994@portia.foe.co.uk> References: <200704201552.l3KFqLs02994@portia.foe.co.uk> Message-ID: <4628E3C0.4010701@pacific.net> Tony Canning wrote: > Hi, I've been following this thread with interest as I still haven't > solved this problem on my network, as posted previously (see below). > I have allowed encrypted messages in MailScanner.conf, and disabled > everything I can find which might be blocking them, but we still > can't send or receive password-protected zip files unless I bypass > mailscanner completely.. if anyone can suggest anything further it > would be appreciated.. thanks Tony Canning

Virus Scanning = %rules-dir%/virus.scanning.rules

FromOrTo: user@domain.com no
FromOrTo: default yes

-- Ken Anderson Pacific.Net From tonyc at foe.co.uk Fri Apr 20 17:12:21 2007 From: tonyc at foe.co.uk (Tony Canning) Date: Fri Apr 20 17:12:45 2007 Subject: stopping clamav detecting encrypted zip files Message-ID: <200704201612.l3KGCLx02998@portia.foe.co.uk> Thanks for the response - I didn't make myself clear, this is the technique I am already using as a workaround, but it is of course reactive, after each user complains about non receipt/delivery of mail. Is this really a bug with no solution? thanks Tony -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Ken A [ka@pacific.net] Sent: 20 April 2007 17:01 To: MailScanner discussion Subject: Re: stopping clamav detecting encrypted zip files Tony Canning wrote: > Hi, I've been following this thread with interest as I still haven't > solved this problem on my network, as posted previously (see below). > I have allowed encrypted messages in MailScanner.conf, and disabled > everything I can find which might be blocking them, but we still can't > send or receive password-protected zip files unless I bypass > mailscanner completely.. if anyone can suggest anything further it > would be appreciated.. thanks Tony Canning Virus Scanning = %rules-dir%/virus.scanning.rules FromOrTo: user@domain.com no FromOrTo: default yes -- Ken Anderson Pacific.Net -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From dave.list at pixelhammer.com Fri Apr 20 17:15:51 2007 
From: dave.list at pixelhammer.com (DAve) Date: Fri Apr 20 17:17:18 2007 Subject: Coming from everywhere In-Reply-To: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> Message-ID: <4628E737.60006@pixelhammer.com> James R. Stevens wrote: > Have we already addressed these 'Failure notice' , 'Undeliverable' > -mails that are coming from everywhere. It seems to be more and more > users are seeing these messages getting through. Some 100 per day. > > > > Anyone else seeing these things? Different subjects etc.. We have been getting hit hard for two weeks now. Someone Joe Jobbed several of our domains. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From jstevens at athensdistributing.com Fri Apr 20 17:18:23 2007 From: jstevens at athensdistributing.com (James R. Stevens) Date: Fri Apr 20 17:18:32 2007 Subject: Coming from everywhere References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> <4628E33E.3030907@evi-inc.com> Message-ID: <1A65E6BAEADF9B4F865314484A13ECF1608855@atlas.athensdistributing.com> We've been looking at the origin or the NDR for a week now. They are coming from many MTA's on the Internet. None of our users are sending the original -email or even know anyone at the claimed domains. We believe this is some type of spam attack used by altering the return receipt within the header causing the bounce to penetrate MailScanner to our users. (A more experienced Mail Admin can explain this technique better) So the question is how to drop/filter the incorrect NDR's? -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler Sent: Friday, April 20, 2007 10:59 AM To: MailScanner discussion Subject: Re: Coming from everywhere James R. Stevens wrote: > Have we already addressed these 'Failure notice' , 'Undeliverable' > -mails that are coming from everywhere. It seems to be more and more > users are seeing these messages getting through. Some 100 per day. > > > > Anyone else seeing these things? Different subjects etc.. http://www.google.com/search?hl=en&q=backscatter+email&btnG=Search -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by Athens Hyperion Scanner, and is believed to be clean. From martinh at solidstatelogic.com Fri Apr 20 17:24:24 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Apr 20 17:24:35 2007 Subject: Coming from everywhere In-Reply-To: <4628E737.60006@pixelhammer.com> Message-ID: <140d59aed739554f9e18dac8c9656b4c@solidstatelogic.com> Guys There's this ruleset from Tim Jackson. http://www.timj.co.uk/linux/bogus-virus-warnings.cf you'll have to zero score the MailScanner bounce rules by putting the following into /etc/mail/spamassassin/mailscanner.conf

score VIRUS_WARNING15 0
score VIRUS_WARNING28 0
score VIRUS_WARNING33 0
score VIRUS_WARNING62 0
score VIRUS_WARNING66 0
score VIRUS_WARNING226 0
score VIRUS_WARNING250 0
score VIRUS_WARNING300 0
score VIRUS_WARNING326 0
score VIRUS_WARNING339 0
score VIRUS_WARNING340 0

-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of DAve > Sent: 20 April 2007 17:16 > To: MailScanner discussion > Subject: Re: Coming from everywhere > > James R. Stevens wrote: > > Have we already addressed these 'Failure notice' , 'Undeliverable' > > -mails that are coming from everywhere. It seems to be more and more > > users are seeing these messages getting through. Some 100 per day. > > > > > > > > Anyone else seeing these things? Different subjects etc.. > > We have been getting hit hard for two weeks now. Someone Joe Jobbed > several of our domains. > > DAve > > -- > Three years now I've asked Google why they don't have a > logo change for Memorial Day. Why do they choose to do logos > for other non-international holidays, but nothing for > Veterans? > > Maybe they forgot who made that choice possible. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
From list-mailscanner at linguaphone.com Fri Apr 20 17:29:57 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Fri Apr 20 17:29:59 2007 Subject: stopping clamav detecting encrypted zip files In-Reply-To: <200704201552.l3KFqLs02994@portia.foe.co.uk> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Tony > Canning > Sent: 20 April 2007 16:52 > To: mailscanner@lists.mailscanner.info > Subject: RE: stopping clamav detecting encrypted zip files > > > Hi, I've been following this thread with interest as I still > haven't solved this problem on my network, as posted previously > (see below). I have allowed encrypted messages in > MailScanner.conf, and disabled everything I can find which might > be blocking them, but we still can't send or receive > password-protected zip files unless I bypass mailscanner > completely.. if anyone can suggest anything further it would be > appreciated.. > thanks > Tony Canning Which clamav scanner are you using? clamav, clamd or clamavmodule? For clamavmodule use the patch on my website at http://www.gbnetwork.co.uk/mailscanner/ For clamd you will need to edit the clamd configuration file to exclude encrypted archives being classed as viruses. For clamav I guess there must be an option you need to change somewhere in the wrapper. From MailScanner at ecs.soton.ac.uk Fri Apr 20 18:10:39 2007 
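The syslog lines Tony posted earlier in this thread are enough to list every message withheld as a "Password protected file", and who sent it, before anyone complains. The following is an added example, not code from any poster or from MailScanner; the sample log is constructed on the pattern of those lines and the function names are this example's own.

```python
"""List mail MailScanner withheld as 'Password protected file', grouped by sender."""
import re
from collections import defaultdict

# Constructed sample on the pattern of the syslog lines quoted in this thread.
# Message IDs, addresses, file names and the signature name are made up.
SAMPLE_LOG = """\
Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: ClamAV found 1 infections
Mar 13 17:03:31 localhost MailScanner[6078]: Infected message l2DAAAAA000001 came from 192.0.2.13
Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: Found 1 viruses
Mar 13 17:03:31 localhost MailScanner[6078]: tag found in message l2DAAAAA000001 from alice@example.org
Mar 13 17:03:31 localhost MailScanner[6078]: Viruses marked as silent: Password protected file ./l2DAAAAA000001/q1 figures.zip/q1 figures.txt
Mar 14 09:12:02 localhost MailScanner[6101]: Infected message l2EBBBBB000002 came from 198.51.100.7
Mar 14 09:12:02 localhost MailScanner[6101]: tag found in message l2EBBBBB000002 from mallory@example.net
Mar 14 09:12:02 localhost MailScanner[6101]: Viruses marked as silent: Constructed.Test.Signature FOUND ./l2EBBBBB000002/invoice.exe
Mar 15 10:01:59 localhost MailScanner[6230]: Infected message l2FCCCCC000003 came from 192.0.2.13
Mar 15 10:01:59 localhost MailScanner[6230]: tag found in message l2FCCCCC000003 from alice@example.org
Mar 15 10:01:59 localhost MailScanner[6230]: Viruses marked as silent: Password protected file ./l2FCCCCC000003/Data Output.xls
"""

ENCRYPTED_REPORT = "Password protected file"

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[\d+\]: (.*)$")
CAME_FROM_RE = re.compile(r"^Infected message (\S+) came from (\S+)$")
SENDER_RE = re.compile(r"tag found in message (\S+) from (\S+)$")
# "<report text> ./<message id>/<attachment>[/<member inside the archive>]"
SILENT_RE = re.compile(r"^Viruses marked as silent: (.*?) \./([^/]+)/(.+)$")


def encrypted_blocks(log_text):
    """Return one dict per message silenced only because a file was encrypted."""
    client_ip, sender, silenced = {}, {}, []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not a MailScanner syslog line
        stamp, text = line.groups()
        if (hit := CAME_FROM_RE.match(text)):
            client_ip[hit.group(1)] = hit.group(2)
        elif (hit := SENDER_RE.search(text)):
            sender[hit.group(1)] = hit.group(2)
        elif (hit := SILENT_RE.match(text)):
            silenced.append((stamp, *hit.groups()))

    blocks = []
    for stamp, report, msg_id, path in silenced:
        if report != ENCRYPTED_REPORT:
            continue  # a signature match: leave it to the normal virus handling
        attachment, _, inner = path.partition("/")
        blocks.append({
            "time": stamp,
            "id": msg_id,
            "sender": sender.get(msg_id, "unknown"),
            "client_ip": client_ip.get(msg_id, "unknown"),
            "attachment": attachment,
            "inner_path": inner,  # empty when the encrypted file is the attachment itself
        })
    return blocks


def by_sender(blocks):
    """Group withheld attachment names by sender address."""
    grouped = defaultdict(list)
    for block in blocks:
        grouped[block["sender"]].append(block["attachment"])
    return dict(grouped)


if __name__ == "__main__":
    for who, files in sorted(by_sender(encrypted_blocks(SAMPLE_LOG)).items()):
        print(f"{who}: {len(files)} withheld -> {', '.join(files)}")
```

Run against the real maillog, the per-sender list shows which addresses are affected while the scanner setting itself is still being tracked down.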
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 20 18:16:06 2007 Subject: Coming from everywhere In-Reply-To: <4628E33E.3030907@evi-inc.com> References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> <4628E33E.3030907@evi-inc.com> Message-ID: <4628F40F.3060808@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matt Kettler wrote: > James R. Stevens wrote: > >> Have we already addressed these 'Failure notice' , 'Undeliverable' >> -mails that are coming from everywhere. It seems to be more and more >> users are seeing these messages getting through. Some 100 per day. >> >> >> >> Anyone else seeing these things? Different subjects etc.. >> > > http://www.google.com/search?hl=en&q=backscatter+email&btnG=Search > If you haven't got it installed already, grab a copy of milter-null. Kills these things dead instantly. And you still get the delivery failure messages that were actually caused by you mistyping addresses, it doesn't just ditch all delivery failure reports. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: UTF-8 wj8DBQFGKPUsEfZZRxQVtlQRAtqlAJ9rE1wJ6zM5SPW2hMxAjFZeEnOydgCgia76 J+SPMS4iVyJIU9evgwIKT2E= =GygJ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From chris at bluecobras.com Fri Apr 20 18:47:47 2007 
From: chris at bluecobras.com (Chris Hammond) Date: Fri Apr 20 18:47:51 2007 Subject: Coming from everywhere In-Reply-To: <4628F40F.3060808@ecs.soton.ac.uk> References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> <4628E33E.3030907@evi-inc.com> <4628F40F.3060808@ecs.soton.ac.uk> Message-ID: <4628FCC3.6030600@bluecobras.com> Julian Field wrote: > > > Matt Kettler wrote: >> James R. Stevens wrote: > >>> Have we already addressed these Failure notice , Undeliverable >>> mails that are coming from everywhere. It seems to be more and more >>> users are seeing these messages getting through. Some 100 per day. >>> >>> >>> >>> Anyone else seeing these things? Different subjects etc.. >>> >> http://www.google.com/search?hl=en&q=backscatter+email&btnG=Search > > If you haven't got it installed already, grab a copy of milter-null. > Kills these things dead instantly. And you still get the delivery > failure messages that were actually caused by you mistyping addresses, > it doesn't just ditch all delivery failure reports. Julian, good to hear from you! How are you feeling? Chris From MailScanner at ecs.soton.ac.uk Fri Apr 20 20:58:54 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 20 21:00:15 2007 Subject: Coming from everywhere In-Reply-To: <4628FCC3.6030600@bluecobras.com> References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com> <4628E33E.3030907@evi-inc.com> <4628F40F.3060808@ecs.soton.ac.uk> <4628FCC3.6030600@bluecobras.com> Message-ID: <46291B7E.6010506@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Hammond wrote: > Julian Field wrote: > >> Matt Kettler wrote: >> >>> James R. Stevens wrote: >>> >>>> Have we already addressed these Failure notice , Undeliverable >>>> mails that are coming from everywhere. It seems to be more and more >>>> users are seeing these messages getting through. Some 100 per day. >>>> >>>> >>>> >>>> Anyone else seeing these things? Different subjects etc.. >>>> >>>> >>> http://www.google.com/search?hl=en&q=backscatter+email&btnG=Search >>> >> If you haven't got it installed already, grab a copy of milter-null. >> Kills these things dead instantly. And you still get the delivery >> failure messages that were actually caused by you mistyping addresses, >> it doesn't just ditch all delivery failure reports. >> > > Julian, good to hear from you! How are you feeling? > Doing okay thanks. I'm getting stronger every day and can now walk for about 45 minutes without feeling totally worn out, which is up from about 5 minutes 3 weeks ago. I am getting considerably less pain now too which makes me feel a lot more comfortable. With co-operation from my doctor, I have ended up back on Oxycodone as it is just about the best painkiller for me and it actually works, which can't be said for most painkillers these days. I have developed resistance to most of the popular ones over the years, so I end up having to take ever stronger drugs. So I'm not getting too much pain, and I'm growing stronger, so all is good. I'll find out on Monday or Tuesday if I am managing to put on a decent amount of weight too. 
I was about 115 pounds when I left hospital. Hopefully that's a bit better now :-) Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: UTF-8 wj8DBQFGKRurEfZZRxQVtlQRAk37AKDfvH41h8Z8QMf1lU/Fl8NNanW4+gCffNlM 0HdINNZm1+KcA+zljZFTy2E= =ycoE -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ajos1 at onion.demon.co.uk Sat Apr 21 01:14:44 2007 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Sat Apr 21 01:14:55 2007 Subject: Coming from everywhere Message-ID: - >> >> and can now walk for about 45 minutes without feeling totally worn out >> Most of us oldies cannot manage 5 minutes these days... sounds like you are already streets ahead of the most of us in terms of fitness. Most marv-o indeed-o... -----Original Message----- 
From: MailScanner discussion -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You need to do 2 things. Firstly, download and install the latest version of the ClamAV+SpamAssassin easy-to-install package from www.mailscanner.info. This includes the latest ClamAV and Mail::ClamAV. Secondly, correct a MailScanner.conf setting as follows: Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd Then just restart MailScanner. That's about all there is to it, though no doubt you will correct me if I've missed something :-) (And yes, I know I shouldn't be doing this, but I've been watching films all day and fancied staring at a different screen for a bit :-) Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: ISO-8859-1 wj8DBQFGK6H4EfZZRxQVtlQRAiR/AJ97V5mMiAQMeg8X7E+Fyz/2W6INUACeNpr1 tZT5yh84Ab+sK5u6I1r7LaU= =bI6C -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From root at doctor.nl2k.ab.ca Sun Apr 22 19:24:30 2007 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sun Apr 22 19:25:53 2007 Subject: How to use "clamavmodule" with ClamAV 0.92 In-Reply-To: <462BA1F3.2080106@ecs.soton.ac.uk> References: <462BA1F3.2080106@ecs.soton.ac.uk> Message-ID: <20070422182429.GA13549@doctor.nl2k.ab.ca> On Sun, Apr 22, 2007 at 06:57:07PM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You need to do 2 things. > > Firstly, download and install the latest version of the > ClamAV+SpamAssassin easy-to-install package from www.mailscanner.info. > This includes the latest ClamAV and Mail::ClamAV. > > Secondly, correct a MailScanner.conf setting as follows: > > Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* > /usr/local/share/clamav/*.cvd > Or paths to thereof :-) > Then just restart MailScanner. > That's about all there is to it, though no doubt you will correct me if > I've missed something :-) > > (And yes, I know I shouldn't be doing this, but I've been watching films > all day and fancied staring at a different screen for a bit :-) > So what are the medics saying? > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGK6H4EfZZRxQVtlQRAiR/AJ97V5mMiAQMeg8X7E+Fyz/2W6INUACeNpr1 > tZT5yh84Ab+sK5u6I1r7LaU= > =bI6C > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Apr 22 20:42:31 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Apr 22 20:45:08 2007 Subject: How to use "clamavmodule" with ClamAV 0.92 In-Reply-To: <20070422182429.GA13549@doctor.nl2k.ab.ca> References: <462BA1F3.2080106@ecs.soton.ac.uk> <20070422182429.GA13549@doctor.nl2k.ab.ca> Message-ID: <462BBAA7.9030205@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > So what are the medics saying? > I will find out on Tuesday (I think) and will let you know what they say. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: ISO-8859-1 wj8DBQFGK7siEfZZRxQVtlQRAlwZAKD620jXHfYmm1g5NilOj/sIxhfsPwCg/WgP HmoCuPIkSk2OeNYH0J/X0pA= =vsb1 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From smlists at shaw.ca Sun Apr 22 23:36:57 2007 
From: smlists at shaw.ca (Steve Mason) Date: Sun Apr 22 23:37:07 2007 Subject: MailScanner and Centos 5 Message-ID: <462BE389.7060802@shaw.ca> Hi all. I'm about to setup MailScanner and MailWatch (and possibly fuzzyocr) for a small non-profit. Is there any reason I shouldn't use Centos 5? I looked through my local copy of the list and didn't see much talk of it. Hopefully that's a good sign. Thanks, Steve From root at doctor.nl2k.ab.ca Sun Apr 22 23:38:44 2007 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sun Apr 22 23:40:21 2007 Subject: How to use "clamavmodule" with ClamAV 0.92 In-Reply-To: <462BBAA7.9030205@ecs.soton.ac.uk> References: <462BA1F3.2080106@ecs.soton.ac.uk> <20070422182429.GA13549@doctor.nl2k.ab.ca> <462BBAA7.9030205@ecs.soton.ac.uk> Message-ID: <20070422223844.GA18266@doctor.nl2k.ab.ca> On Sun, Apr 22, 2007 at 08:42:31PM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Dave Shariff Yadallee - System Administrator a.k.a. The Root of the > Problem wrote: > > So what are the medics saying? > > > I will find out on Tuesday (I think) and will let you know what they say. > > Jules > thank you get better soon. Also there is a nice Botnet.pm modules for spamassassin I recommend. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rob at robhq.com Mon Apr 23 01:10:01 2007 From: rob at robhq.com (Rob Freeman) Date: Mon Apr 23 01:10:13 2007 Subject: MailScanner and Centos 5 In-Reply-To: <462BE389.7060802@shaw.ca> References: <462BE389.7060802@shaw.ca> Message-ID: <000b01c7853b$bd123440$37369cc0$@com> Since Centos 5 just got released, I doubt many people are using it yet in a production environment. We are testing it here now, but are going to stay with Centos 4.4 for a while to see if anything is wrong with the new release. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Mason Sent: Sunday, April 22, 2007 5:37 PM To: mailscanner@lists.mailscanner.info Subject: MailScanner and Centos 5 Hi all. I'm about to setup MailScanner and MailWatch (and possibly fuzzyocr) for a small non-profit. Is there any reason I shouldn't use Centos 5? I looked through my local copy of the list and didn't see much talk of it. Hopefully that's a good sign. Thanks, Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.463 / Virus Database: 269.5.7/771 - Release Date: 4/21/2007 11:56 AM No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.463 / Virus Database: 269.5.7/771 - Release Date: 4/21/2007 11:56 AM From hvdkooij at vanderkooij.org Mon Apr 23 06:33:11 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Apr 23 06:33:37 2007 Subject: MailScanner and Centos 5 In-Reply-To: <462BE389.7060802@shaw.ca> References: <462BE389.7060802@shaw.ca> Message-ID: On Sun, 22 Apr 2007, Steve Mason wrote: > Hi all. I'm about to setup MailScanner and MailWatch (and possibly fuzzyocr) > for a small non-profit. > > Is there any reason I shouldn't use Centos 5? I looked through my local copy > of the list and didn't see much talk of it. Hopefully that's a good sign. I am awaiting new hardware and that server is intended to become a Centos 5 server. At which time I will also try to create a repository of RPM packages which ware not available on other repositories. So in a month or so I hope you can just use `yum MailScanner` and besides doing the config the process should be more or less automagic. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From bilias at edu.physics.uoc.gr Mon Apr 23 09:00:43 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Mon Apr 23 09:01:00 2007 Subject: Bug report / f-prot parser broken? Message-ID: Hello, I would like to report some sort of a bug I have found. I talked to Julian about it but we haven't managed to sort it out. Reproduction of the bug: ------------------------ I've installed the f-prot antivirus for linux in rpm. http://www.f-prot.com/download/trial_forms/linux-ws-rpm.html http://files.f-prot.com/files/linux-x86/fp-linux-ws.rpm Test 1: ------- Now I test a file that contains the EICAR_Test_File virus. Check f-prot_report.txt attachment for f-prot's report. It identifies the virus correctly. So far so good. Test 2: ------- I test again by using the f-prot-wrapper. Check f-prot-wrapper_report.txt attachment for the report. Works good as well. It identifies the virus. Test 3: ------- Then I add f-prot in MailScanner.conf (f-prot only!) Virus Scanning = yes Virus Scanners = f-prot Now I try to send the virus by mail: f-prot fails to identify the virus. Check f-prot-mailscanner_report.txt attachment. Test 4: ------- I remove f-prot from MailScanner.conf and add Virus Scanners = bitdefender antivir I send again the virus file (the same way as before) and now the virus is being identified by both antivir and bitdefender. Check f-prot-mailscanner_report2.txt attachment. Test 5 ------ If I put in the conf Virus Scanners = bitdefender antivir f-prot I get in the logs: Apr 22 19:44:49 server MailScanner[19305]: Virus Scanning: F-Prot found 1 infections However in the mail report I receive there is no report/alert from f-prot. Check attachment many_scanners.txt I also tried a few more tests Julian told me: Postfix user can run f-prot and can identify the virus from command line. So there is probably not any permissions problem. 
MailScanner -lint discovers f-prot MailScanner -debug does not produce any funny info about viruscanners My guess is that f-prot has changed it's output report and MailScanner fails to parse it correct??? My system is Fedora Core 6 Linux Linux 2.6.20-1.2944.fc6 i686 i686 model name : Intel(R) Pentium(R) 4 CPU 3.00GHz Ram : 2 G running: postfix-2.3.3-2 mailscanner-4.58.9-1 spamassassin-3.1.8-2.fc6 f-prot fp-linux-ws-4.6.8-1 BitDefender-Console-Antivirus-7.1-3 Antivir engine version: 7.3.1.53 / product version: 2.1.10-36 The rest of the system is up to date. Thanks in advance Kapetanakis Giannis System & Network Admin University of Crete / Physics Dep. -------------- next part -------------- Virus scanning report - 20 April 2007 @ 14:49 F-PROT ANTIVIRUS Program version: 4.6.8 Engine version: 3.16.16 VIRUS SIGNATURE FILES SIGN.DEF created 18 April 2007 SIGN2.DEF created 18 April 2007 MACRO.DEF created 18 April 2007 Search: foo Action: Report only Files: "Dumb" scan of all files Switches: -ARCHIVE -PACKED -SERVER /root/foo Infection: EICAR_Test_File Results of virus scanning: Files: 1 MBRs: 0 Boot sectors: 0 Objects scanned: 1 Infected: 1 Suspicious: 0 Disinfected: 0 Deleted: 0 Renamed: 0 Time: 0:00 -------------- next part -------------- Virus scanning report - 20 April 2007 @ 14:52 F-PROT ANTIVIRUS Program version: 4.6.8 Engine version: 3.16.16 VIRUS SIGNATURE FILES SIGN.DEF created 18 April 2007 SIGN2.DEF created 18 April 2007 MACRO.DEF created 18 April 2007 Search: foo Action: Report only Files: "Dumb" scan of all files Switches: -ARCHIVE -PACKED -SERVER /root/foo Infection: EICAR_Test_File Results of virus scanning: Files: 1 MBRs: 0 Boot sectors: 0 Objects scanned: 1 Infected: 1 Suspicious: 0 Disinfected: 0 Deleted: 0 Renamed: 0 Time: 0:00 -------------- next part -------------- Apr 20 14:55:23 server postfix/pickup[1698]: 73FEB1005F: uid=0 from= Apr 20 14:55:23 server postfix/cleanup[1732]: 73FEB1005F: hold: header Received: by server.physics.uoc.gr (Postfix, 
from userid 0)??id 73FEB1005F; Fri, 20 Apr 2007 14:55:23 +0300 (EEST) from local; from= to= Apr 20 14:55:23 server postfix/cleanup[1732]: 73FEB1005F: message-id=<20070420115523.73FEB1005F@server.physics.uoc.gr> Apr 20 14:55:23 server MailScanner[1757]: New Batch: Scanning 1 messages, 581 bytes Apr 20 14:55:24 server MailScanner[1757]: Virus and Content Scanning: Starting Apr 20 14:55:24 server MailScanner[1757]: Requeue: 73FEB1005F.57B39 to 18FD110049 Apr 20 14:55:24 server postfix/qmgr[1703]: 18FD110049: from=, size=617, nrcpt=1 (queue active) Apr 20 14:55:24 server MailScanner[1757]: Uninfected: Delivered 1 messages -------------- next part -------------- Apr 20 15:00:22 server postfix/pickup[2142]: D853C1006B: uid=0 from= Apr 20 15:00:22 server postfix/cleanup[2177]: D853C1006B: hold: header Received: by server.physics.uoc.gr (Postfix, from userid 0)??id D853C1006B; Fri, 20 Apr 2007 15:00:22 +0300 (EEST) from local; from= to= Apr 20 15:00:23 server MailScanner[2168]: New Batch: Scanning 1 messages, 581 bytes Apr 20 15:00:23 server MailScanner[2168]: Virus and Content Scanning: Starting Apr 20 15:00:25 server MailScanner[2168]: D853C1006B.4E2BF/msg-2168-2.txt:infected: EICAR-Test-File (not a virus) Apr 20 15:00:25 server MailScanner[2168]: Virus Scanning: Bitdefender found 1 infections Apr 20 15:00:27 server MailScanner[2168]: ALERT: [Eicar-Test-Signature] ./D853C1006B.4E2BF/msg-2168-2.txt <<< Contains code of the Eicar-Test-Signature virus Apr 20 15:00:27 server MailScanner[2168]: Virus Scanning: AntiVir found 1 infections Apr 20 15:00:27 server MailScanner[2168]: Infected message D853C1006B.4E2BF came from 127.0.0.1 Apr 20 15:00:27 server MailScanner[2168]: Virus Scanning: Found 1 viruses Apr 20 15:00:28 server MailScanner[2168]: Requeue: D853C1006B.4E2BF to 025EC1006C From res at ausics.net Mon Apr 23 10:01:44 2007 
From: res at ausics.net (Res) Date: Mon Apr 23 10:01:55 2007 Subject: Bug report / f-prot parser broken? In-Reply-To: References: Message-ID: On Mon, 23 Apr 2007, Kapetanakis Giannis wrote: >F-PROT ANTIVIRUS >Program version: 4.6.8 >Engine version: 3.16.16 Errrr where did you get this from???? 4.6.7 is current workstation version according to their website. 4.6.7 is also current commercial version as well, which clearly detects the eicar test file. Virus and Content Scanning: Starting /var/spool/MailScanner/incoming/21956/l3N8iRp3005155/eicar_com.zip->eicar.com Virus Scanning: F-Prot found virus EICAR_Test_File Virus Scanning: F-Prot found 1 infections -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php From bilias at edu.physics.uoc.gr Mon Apr 23 10:16:29 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Mon Apr 23 10:16:45 2007 Subject: Bug report / f-prot parser broken? In-Reply-To: References: Message-ID: On Mon, 23 Apr 2007, Res wrote: >> F-PROT ANTIVIRUS >> Program version: 4.6.8 >> Engine version: 3.16.16 > > Errrr where did you get this from???? > 4.6.7 is current workstation version according to their website. > > 4.6.7 is also current commercial version as well, which clearly > detects the eicar test file. > > Cheers > Res I got it from their site: http://www.f-prot.com/download/home_user/download_fplinux.html They indeed say 4.6.7 there but when you click they give rpm fp-linux-ws-4.6.8-1 They probably haven't updated the .html yet. # f-prot -verno F-PROT ANTIVIRUS Program version: 4.6.8 Engine version: 3.16.16 EICAR is detected both in command line and with /usr/lib/MailScanner/f-prot-wrapper. It is not being detected inside MailScanner Kapetanakis Giannis From res at ausics.net Mon Apr 23 10:35:58 2007 
From: res at ausics.net (Res) Date: Mon Apr 23 10:36:12 2007 Subject: Bug report / f-prot parser broken? In-Reply-To: References: Message-ID: On Mon, 23 Apr 2007, Kapetanakis Giannis wrote: >> 4.6.7 is current workstation version according to their website. >> >> 4.6.7 is also current commercial version as well, which clearly detects the >> eicar test file. > > I got it from their site: > http://www.f-prot.com/download/home_user/download_fplinux.html > > They indeed say 4.6.7 there > but when you click they give rpm fp-linux-ws-4.6.8-1 > They probably haven't updated the .html yet. OK, you know you should not be using the workstation on a server :) > with /usr/lib/MailScanner/f-prot-wrapper. > > It does not being detected inside MailScanner I'm not sure what you are saying, are you saying if you run the wrapper by hand it works, but if you rely on MailScanner handling the wrapper, it does not? In the meantime I'll grab the ws version and throw it on this desktop and test it. -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php From res at ausics.net Mon Apr 23 10:46:37 2007 
From: res at ausics.net (Res) Date: Mon Apr 23 10:46:46 2007 Subject: Bug report / f-prot parser broken? In-Reply-To: References: Message-ID: Question when did you d/l this? I find it strange there are no changes to the changelog, the timestamps reflect April 16 so ample time to update not only the html for d/l but also the "news" section which they updated on April 20 about new release of windows v6, and also the last time I d/l f-prot for ws I'm sure I had to fill out a registration form, this time I was not prompted. There is an f-prot "agent" if I can call them that on this list, maybe they can clarify if this is in fact a legitimate release. -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php From bilias at edu.physics.uoc.gr Mon Apr 23 10:57:50 2007 From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Mon Apr 23 10:58:15 2007 Subject: Bug report / f-prot parser broken? In-Reply-To: References: Message-ID: On Mon, 23 Apr 2007, Res wrote: > > OK, you know you should not be using the workstation on a server :) > I'm not. I've just changed the hostname in the logs to the generic term server :) > I'm not sure what you are saying, are you saying if you run the > wrapper by hand it works, but if you rely on MailScanner handling the > wrapper, it does not? > > Res Exactly. And what I say by "it works" I mean it detects the virus. I'm quite sure that it detects the virus in mailscanner too, but I believe that mailscanner does not understand its output. That's the only probability I could think of. Maybe I'm wrong... Giannis From bilias at edu.physics.uoc.gr Mon Apr 23 11:03:22 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Mon Apr 23 11:03:38 2007 Subject: Bug report / f-prot parser broken? In-Reply-To: References: Message-ID: On Mon, 23 Apr 2007, Res wrote: > Question when did you d/l this? Apr 16 2007 -rw-r--r-- 1 root root 6958028 Apr 16 13:12 fp-linux-ws.rpm 65a1d571ac1b252c8d2e14ceb12a4527 fp-linux-ws.rpm (md5) > I find it strange there is no changes to the changelog, the > timestamps reflect april 16 so ample time to update not only the html > for d/l but also the "news" section which they updated on april 20 > about new release of windows v6, and also the last time I d/l f-prot > for ws I'm sure I had > to fill out a registration form, this time I was not prompted. > Cheers > Res I didn't fill any form either. I also downloaded today the source version. The Changelog has not been updated but the program itself reports 4.6.8. Seemed strange to me too but didn't thought about it much... Regards Giannis From bilias at edu.physics.uoc.gr Mon Apr 23 11:13:42 2007 From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Mon Apr 23 11:13:59 2007 Subject: Bug report / f-prot parser broken? In-Reply-To: References: Message-ID: On Mon, 23 Apr 2007, Res wrote: > > In the meantime I'll grab the ws version and throw it on this desktop > and test it. > Check it alone. Virus Scanners = f-prot Otherwise if you test it with other viruscanners it "says" it detects the virus: Virus Scanning: F-Prot found 1 infections but it does not produce any other alert. Good luck Giannis From prandal at herefordshire.gov.uk Mon Apr 23 11:46:22 2007 
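An added example for the f-prot thread above (not code from the posters or from MailScanner): after sending an EICAR test message, this check reads the MailScanner syslog lines and reports, per batch, which configured scanners never logged a detection, the situation in Test 3. The log excerpts are abridged from the attachments quoted in the thread; `canary_report` and the constant names are hypothetical.

```python
import re
from collections import defaultdict

# MailScanner syslog lines look like "<date> <host> MailScanner[<pid>]: <text>".
_MS_LINE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
_PER_SCANNER = re.compile(r"Virus Scanning: (\S+) found (\d+) infections")
_TOTAL = re.compile(r"Virus Scanning: Found (\d+) viruses")

# Abridged from the thread: Test 3, "Virus Scanners = f-prot".
TEST3_LOG = """\
Apr 20 14:55:23 server MailScanner[1757]: New Batch: Scanning 1 messages, 581 bytes
Apr 20 14:55:24 server MailScanner[1757]: Virus and Content Scanning: Starting
Apr 20 14:55:24 server MailScanner[1757]: Requeue: 73FEB1005F.57B39 to 18FD110049
Apr 20 14:55:24 server postfix/qmgr[1703]: 18FD110049: from=, size=617, nrcpt=1 (queue active)
Apr 20 14:55:24 server MailScanner[1757]: Uninfected: Delivered 1 messages
"""

# Abridged from the thread: Test 4, "Virus Scanners = bitdefender antivir".
TEST4_LOG = """\
Apr 20 15:00:23 server MailScanner[2168]: New Batch: Scanning 1 messages, 581 bytes
Apr 20 15:00:23 server MailScanner[2168]: Virus and Content Scanning: Starting
Apr 20 15:00:25 server MailScanner[2168]: D853C1006B.4E2BF/msg-2168-2.txt:infected: EICAR-Test-File (not a virus)
Apr 20 15:00:25 server MailScanner[2168]: Virus Scanning: Bitdefender found 1 infections
Apr 20 15:00:27 server MailScanner[2168]: Virus Scanning: AntiVir found 1 infections
Apr 20 15:00:27 server MailScanner[2168]: Infected message D853C1006B.4E2BF came from 127.0.0.1
Apr 20 15:00:27 server MailScanner[2168]: Virus Scanning: Found 1 viruses
Apr 20 15:00:28 server MailScanner[2168]: Requeue: D853C1006B.4E2BF to 025EC1006C
"""


def canary_report(log_text, expected_scanners):
    """Summarise each MailScanner batch (keyed by child PID) in log_text.

    expected_scanners is the "Virus Scanners =" list from MailScanner.conf.
    A scanner is "silent" if it logged no "found N infections" line with N > 0.
    """
    batches = defaultdict(
        lambda: {"reported": {}, "total": None, "delivered_clean": False}
    )
    for line in log_text.splitlines():
        m = _MS_LINE.search(line)
        if not m:
            continue  # postfix and other daemons' lines are ignored
        pid, text = m.group(1), m.group(2)
        batch = batches[pid]
        per_scanner = _PER_SCANNER.match(text)
        total = _TOTAL.match(text)
        if per_scanner:
            # The log says "F-Prot", the config says "f-prot": compare lowercased.
            batch["reported"][per_scanner.group(1).lower()] = int(per_scanner.group(2))
        elif total:
            batch["total"] = int(total.group(1))
        elif text.startswith("Uninfected: Delivered"):
            batch["delivered_clean"] = True

    wanted = [name.lower() for name in expected_scanners]
    for batch in batches.values():
        batch["silent"] = sorted(s for s in wanted if batch["reported"].get(s, 0) == 0)
        # The canary passes only if every scanner spoke up and nothing was
        # delivered as uninfected.
        batch["ok"] = not batch["silent"] and not batch["delivered_clean"]
    return dict(batches)


if __name__ == "__main__":
    for name, log, scanners in (
        ("Test 3", TEST3_LOG, ["f-prot"]),
        ("Test 4", TEST4_LOG, ["bitdefender", "antivir"]),
    ):
        for pid, batch in canary_report(log, scanners).items():
            print(name, pid, "ok" if batch["ok"] else "FAIL", "silent:", batch["silent"])
```

It does not cover Test 5, where F-Prot's count is logged but its finding is missing from the mail report; that needs the report text as well as the log.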
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Apr 23 11:47:12 2007 Subject: MailScanner and Centos 5 In-Reply-To: <462BE389.7060802@shaw.ca> References: <462BE389.7060802@shaw.ca> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA921765@HC-MBX02.herefordshire.gov.uk> One big advantage would be netpbm-10.35-6.fc6.i386.rpm which would make FuzzyOCR a bit easier to use. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Steve Mason > Sent: 22 April 2007 23:37 > To: mailscanner@lists.mailscanner.info > Subject: MailScanner and Centos 5 > > Hi all. I'm about to setup MailScanner and MailWatch (and possibly > fuzzyocr) for a small non-profit. > > Is there any reason I shouldn't use Centos 5? I looked > through my local > copy of the list and didn't see much talk of it. Hopefully > that's a good > sign. > > Thanks, > > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From prandal at herefordshire.gov.uk Mon Apr 23 11:58:10 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Apr 23 11:59:59 2007 Subject: How to use "clamavmodule" with ClamAV 0.92 In-Reply-To: <462BA1F3.2080106@ecs.soton.ac.uk> References: <462BA1F3.2080106@ecs.soton.ac.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA921771@HC-MBX02.herefordshire.gov.uk> Jules, the install.sh file needs this patch applying: --- install.sh 2007-04-13 15:45:57.000000000 +0100 +++ install.sh.new 2007-04-23 11:54:51.000000000 +0100 
@@ -232,8 +232,8 @@ echo the ClamAV library can be found by the clamavmodule and echo clamav virus scanners. echo /usr/local/lib >> $LDSOCONF - /sbin/ldconfig fi + /sbin/ldconfig sleep 2 else echo You may need to add /usr/local/lib to the directories searched There's a discussion in the archives about it. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
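Review bot: the relocated /sbin/ldconfig after the fi runs with its exit status ignored, so if the cache rebuild fails the installer simply carries on to sleep 2 and the clamavmodule may still not find the library. Since the point of moving it out of the if (whose condition is not visible in this hunk) is to make sure the linker cache is always refreshed, test the result, for example: /sbin/ldconfig || echo "ldconfig failed, ClamAV library may not be found". A smaller style point on the context line above it: the redirect target in echo /usr/local/lib >> $LDSOCONF is unquoted, and >> "$LDSOCONF" would be safer if that variable is ever empty or contains spaces.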
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 22 April 2007 18:57 > To: MailScanner discussion > Subject: How to use "clamavmodule" with ClamAV 0.92 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You need to do 2 things. > > Firstly, download and install the latest version of the > ClamAV+SpamAssassin easy-to-install package from > www.mailscanner.info. > This includes the latest ClamAV and Mail::ClamAV. > > Secondly, correct a MailScanner.conf setting as follows: > > Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* > /usr/local/share/clamav/*.cvd > > Then just restart MailScanner. > That's about all there is to it, though no doubt you will > correct me if > I've missed something :-) > > (And yes, I know I shouldn't be doing this, but I've been > watching films > all day and fancied staring at a different screen for a bit :-) > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGK6H4EfZZRxQVtlQRAiR/AJ97V5mMiAQMeg8X7E+Fyz/2W6INUACeNpr1 > tZT5yh84Ab+sK5u6I1r7LaU= > =bI6C > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> From alex at skynet-srl.com Mon Apr 23 14:22:37 2007 From: alex at skynet-srl.com (Alex) Date: Mon Apr 23 14:22:39 2007 Subject: Ignoring last received from In-Reply-To: <200704231100.l3NB0jQ4020744@safir.blacknight.ie> References: <200704231100.l3NB0jQ4020744@safir.blacknight.ie> Message-ID: <462CB31D.60308@skynet-srl.com> Hi guys I'm playing with a damned configuration I can't figure how to have it working. THE PROBLEM ============= All the mail that comes on some servers passes on SMTP servers that are behind a firewall. Those servers are placed in a DMZ and use Postfix with load balancing. Those SMTP servers decide where to send their mail on different mail servers using sendmail AND Mailscanner. INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to SMTP using MS -->Mailscanner If I set up a whitelist like the following From: 1.2.3.4 and To: address@domain yes it will never match since the headers of the received mail on the Mailscanner servers look like Received from: 10.0.0.55 <----- this is the internal IP of the last passed through SMTP server Received from : 1.2.3.4 <---- this is the public INTERNET server who sent the mail and I can't match to... THE SOLUTIONS I TRIED (with no success) ===================== a) used the Remove Header in MS configuration, but this seems to only match complete headers. I cannot remove Received from : 10.0.0. but I can remove all the receive from headers (useless for my problem) b) It seems I can't find a m4 macro to tell sendmail not to avoid adding the Received from header (it's so easy in Postfix) I don't think I'm the only one with this problem. How did you guys solve this? TIA Alessandro From root at doctor.nl2k.ab.ca Mon Apr 23 14:37:06 2007 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Apr 23 14:38:21 2007 Subject: Creating a ruleset Message-ID: <20070423133706.GB27249@doctor.nl2k.ab.ca> I have set one rule to >50. I would like that if any e-mail comes across that rule then drop/delete. Also if Spamscore is > 30, then delete/bounce. Otherwise is possible spam, tag else hence deliver. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From snifer_ at hotmail.com Mon Apr 23 14:36:31 2007 From: snifer_ at hotmail.com (Juan Pablo Salazar Bertín) Date: Mon Apr 23 14:40:12 2007 Subject: phishing not being detected Message-ID: Hi, I've found a message not being detected as phishing by MailScanner. I uploaded it to http://www.divshare.com/download/464926-a8a. I sent it to ClamAV and it's now being detected as Email.Phishing.RB-653, but I think there's something MailScanner is not catching and should be fixed. Thanks. From list-mailscanner at linguaphone.com Mon Apr 23 14:44:23 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Apr 23 14:44:42 2007 Subject: Creating a ruleset In-Reply-To: <20070423133706.GB27249@doctor.nl2k.ab.ca> References: <20070423133706.GB27249@doctor.nl2k.ab.ca> Message-ID: <1177335863.27274.12.camel@gblades-suse.linguaphone-intranet.co.uk> On Mon, 2007-04-23 at 14:37, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > I have set one rule to >50. > > I would like that if any e-mail come across that rule then drop/delete. Perhaps MCP would be a good use for this? > > Also if Spamscore is > 30, then delete/bounce. > > Otherwise is possible spam, tag else hence deliver. There is no point bouncing high scoring spam as the sender will be a fake address anyway. > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. From root at doctor.nl2k.ab.ca Mon Apr 23 14:43:46 2007 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Apr 23 14:45:01 2007 Subject: phishing not being detected In-Reply-To: References: Message-ID: <20070423134346.GD27249@doctor.nl2k.ab.ca> On Mon, Apr 23, 2007 at 01:36:31PM +0000, Juan Pablo Salazar Bert?n wrote: > Hi, i've found a message not being detected as phishing by MailScanner. I > uploaded it to http://www.divshare.com/download/464926-a8a. > > I sent it to ClamAV and it's now beeing detected as Email.Phishing.RB-653, but I > think there's something MailScanner is not catching and should be fixed. > Are you using Clamav and/or clamavmodule? > Thanks. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Apr 23 14:49:48 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 23 14:52:18 2007 Subject: How to use "clamavmodule" with ClamAV 0.92 In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA921771@HC-MBX02.herefordshire.gov.uk> References: <462BA1F3.2080106@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA921771@HC-MBX02.herefordshire.gov.uk> Message-ID: <462CB97C.2020007@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bother, I spotted that change was needed and put in the change but forgot to commit it to SVN so it didn't get propagated to my build server :-( Fixed now. Randal, Phil wrote: > Jules, > > the install.sh file needs this patch applying: > > --- install.sh 2007-04-13 15:45:57.000000000 +0100 > +++ install.sh.new 2007-04-23 11:54:51.000000000 +0100 > @@ -232,8 +232,8 @@ > echo the ClamAV library can be found by the clamavmodule and > echo clamav virus scanners. > echo /usr/local/lib >> $LDSOCONF > - /sbin/ldconfig > fi > + /sbin/ldconfig > sleep 2 > else > echo You may need to add /usr/local/lib to the directories searched > > > There's a discussion in the archives about it. > > Cheers, > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Julian Field >> Sent: 22 April 2007 18:57 >> To: MailScanner discussion >> Subject: How to use "clamavmodule" with ClamAV 0.92 >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> You need to do 2 things. >> >> Firstly, download and install the latest version of the >> ClamAV+SpamAssassin easy-to-install package from >> www.mailscanner.info. >> This includes the latest ClamAV and Mail::ClamAV. >> >> Secondly, correct a MailScanner.conf setting as follows: >> >> Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* >> /usr/local/share/clamav/*.cvd >> >> Then just restart MailScanner. >> That's about all there is to it, though no doubt you will >> correct me if >> I've missed something :-) >> >> (And yes, I know I shouldn't be doing this, but I've been >> watching films >> all day and fancied staring at a different screen for a bit :-) >> >> Jules >> >> - -- >> Julian Field MEng CITP >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> For all your IT requirements visit www.transtec.co.uk >> >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.6.0 (Build 214) >> Charset: ISO-8859-1 >> >> wj8DBQFGK6H4EfZZRxQVtlQRAiR/AJ97V5mMiAQMeg8X7E+Fyz/2W6INUACeNpr1 >> tZT5yh84Ab+sK5u6I1r7LaU= >> =bI6C >> -----END PGP SIGNATURE----- >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. 
>> For all your IT requirements visit www.transtec.co.uk >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: ISO-8859-1 wj8DBQFGLLnrEfZZRxQVtlQRAnOwAKDjvqsBVRENnFsnOjuWCnPD2AzqMQCfa9mo YbSnmPnSffpdSRfjS2SCr+k= =8H7f -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Apr 23 14:51:34 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 23 14:52:56 2007 Subject: Creating a ruleset In-Reply-To: <20070423133706.GB27249@doctor.nl2k.ab.ca> References: <20070423133706.GB27249@doctor.nl2k.ab.ca> Message-ID: <462CB9E6.9060507@ecs.soton.ac.uk> You are asking for 3 spam score thresholds where I only provide 2. You will have to do this in a very small Custom Function with a few "if" statements in it. Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > I have set one rule to >50. > > I would like that if any e-mail come across that rule then drop/delete. > > Also if Spamscore is > 30, then delete/bounce. > > Otherwise is possible spam, tag else hence deliver. > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From martin.lyberg at gmail.com Mon Apr 23 15:00:05 2007 
From: martin.lyberg at gmail.com (Martin) Date: Mon Apr 23 15:00:35 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> Message-ID: Arto wrote: > We had this too. Uninstalling clamav* and installing it again helped. > > -arto > Thanks for all replies. Read about this issue on the clamav-list and hopefully it will be fixed in the next version. From glenn.steen at gmail.com Mon Apr 23 15:08:12 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Apr 23 15:08:16 2007 Subject: Ignoring last received from In-Reply-To: <462CB31D.60308@skynet-srl.com> References: <200704231100.l3NB0jQ4020744@safir.blacknight.ie> <462CB31D.60308@skynet-srl.com> Message-ID: <223f97700704230708i68431d0fu93f256ceed5e1c24@mail.gmail.com> On 23/04/07, Alex wrote: > Hi guys > > I'm playing with a damned configuration I cant' figure how to have i t > working. > > THE PROBLEM > ============= > All the mail that comes on some servere passes on STMP servers that are > behind a firewall. > > Those servers are placed in a DMZ and use Postfix with load balancing. > > Those SMTP servers decide where to send their mail on different mail > servers using sendmail AND Mailscanner. > > > INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to > SMTP using MS -->Mailscanner > > If I set up a wihitelist like the following 
> > From: 1.2.3.4 and To: address@domain yes > > it will never match since the headers of the received mail on the > Mailscanner servers look like > > Received from: 10.0.0.55 <----- this is the internal IP of the last > passed trough SMTP server > Received from : 1.2.3.4 <---- this is the public INTERNET server who > sent the mail and I cant' match to... > > THE SOLUTIONS I TRIED (with no success) > ===================== > a) used the Remove Header in MS configuration, but this seems top only > match complete headers. > > I cannote remove > Received from : 10.0.0. > > but I can remove all the receive from headers (uselsess for my problem) > > b) It seems I cant find a m4 macro to tell sendmail not to avoid adding > the Received from header (it's so easy in Postfix) > > I don't think I'm the only one with this problem. > > How did you guys solve this? > By having the flow: INET -> FW -> PF with MS -> mailstore Question: Why would you not put MailScanner closer to the internet? It would solve the problem neatly:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From root at doctor.nl2k.ab.ca Mon Apr 23 15:11:39 2007 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Apr 23 15:12:56 2007 Subject: Creating a ruleset In-Reply-To: <462CB9E6.9060507@ecs.soton.ac.uk> References: <20070423133706.GB27249@doctor.nl2k.ab.ca> <462CB9E6.9060507@ecs.soton.ac.uk> Message-ID: <20070423141139.GA12567@doctor.nl2k.ab.ca> On Mon, Apr 23, 2007 at 02:51:34PM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You are asking for 3 spam score thresholds where I only provide 2. You > will have to do this in a very small Custom Function with a few "if" > statements in it. > Just wondering if such recipes are in the MailScanner book? > > Dave Shariff Yadallee - System Administrator a.k.a. The Root of the > Problem wrote: > > I have set one rule to >50. > > > > I would like that if any e-mail come across that rule then drop/delete. > > > > Also if Spamscore is > 30, then delete/bounce. > > > > Otherwise is possible spam, tag else hence deliver. > > > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGLLntEfZZRxQVtlQRApMhAKDu6y/bn/PQbV3/GSmC6mqW88PmhQCfXbB3 > RGTCeyEPsuQgwjrj+5hhcG0= > =s5p8 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From snifer_ at hotmail.com Mon Apr 23 15:53:03 2007 
From: snifer_ at hotmail.com (Juan Pablo Salazar =?utf-8?b?QmVydMOtbg==?=) Date: Mon Apr 23 15:53:17 2007 Subject: phishing not being detected References: <20070423134346.GD27249@doctor.nl2k.ab.ca> Message-ID: Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem doctor.nl2k.ab.ca> writes: > > On Mon, Apr 23, 2007 at 01:36:31PM +0000, Juan Pablo Salazar Bert?n wrote: > > Hi, i've found a message not being detected as phishing by MailScanner. I > > uploaded it to http://www.divshare.com/download/464926-a8a. > > > > I sent it to ClamAV and it's now beeing detected as Email.Phishing.RB-653, but I > > think there's something MailScanner is not catching and should be fixed. > > > > Are you using Clamav and/or clamavmodule? > > > Thanks. > > I'm using clamavmodule. My ClamAV database: main.cvd is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven) daily.inc is up to date (version: 3150, sigs: 6694, f-level: 15, builder: ccordes) The phishing is supposed to be detected by ClamAV daily update 3140 as Email.Phishing.RB-653 (ref: http://lurker.clamav.net/message/20070420.184222.fc0538d6.en.html), but it's not being detected by ClamAV through MailScanner nor by MailScanner's own phishing protection nor by manually using ClamAV. I'll try to contact ClamAV, but i'm posting this here so maybe someone can figure out why it's not being detected by MailScanner phishing protection, so next version gets better. Regards, Juan Pablo Salazar B. From ram at netcore.co.in Mon Apr 23 16:01:28 2007 
From: ram at netcore.co.in (ram) Date: Mon Apr 23 16:01:51 2007 Subject: Postfix milter with MailScanner , extra 0 problem Message-ID: <1177340488.25796.153.camel@localhost.localdomain> I have just written a *very* simple milter with postfix that logs the incoming mail clients ip address ( of course for testing) When I use postfix alone the milter works fine. When I use MailScanner MS seems to insert an extra "0" in the body of the mail. I have got no idea why ? Is this a bug ? Thanks Ram From list-mailscanner at linguaphone.com Mon Apr 23 16:04:53 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Apr 23 16:05:01 2007 Subject: phishing not being detected In-Reply-To: References: <20070423134346.GD27249@doctor.nl2k.ab.ca> Message-ID: <1177340693.27275.17.camel@gblades-suse.linguaphone-intranet.co.uk> On Mon, 2007-04-23 at 15:53, Juan Pablo Salazar Bert?n wrote: > Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem > doctor.nl2k.ab.ca> writes: > > > > > On Mon, Apr 23, 2007 at 01:36:31PM +0000, Juan Pablo Salazar Bert?n wrote: > > > Hi, i've found a message not being detected as phishing by MailScanner. I > > > uploaded it to http://www.divshare.com/download/464926-a8a. > > > > > > I sent it to ClamAV and it's now beeing detected as Email.Phishing.RB-653, > but I > > > think there's something MailScanner is not catching and should be fixed. > > > > > > > Are you using Clamav and/or clamavmodule? > > > > > Thanks. > > > > > I'm using clamavmodule. My ClamAV database: > > main.cvd is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven) > daily.inc is up to date (version: 3150, sigs: 6694, f-level: 15, builder: > ccordes) > > The phishing is supposed to be detected by ClamAV daily update 3140 as > Email.Phishing.RB-653 (ref: > http://lurker.clamav.net/message/20070420.184222.fc0538d6.en.html), but it's not > being detected by ClamAV through MailScanner nor by MailScanner's own phishing > protection nor by manually using ClamAV. > > I'll try to contact ClamAV, but i'm posting this here so maybe someone can > figure out why it's not being detected by MailScanner phishing protection, so > next version gets better. Are you running the latest clamav 0.90.2. Earlier 0.90 versions did not detect phishing attacks when used with clamavmodule. From ram at netcore.co.in Mon Apr 23 16:06:23 2007 
From: ram at netcore.co.in (ram)
Date: Mon Apr 23 16:06:39 2007
Subject: Ignoring last received from
In-Reply-To: <462CB31D.60308@skynet-srl.com>
References: <200704231100.l3NB0jQ4020744@safir.blacknight.ie> <462CB31D.60308@skynet-srl.com>
Message-ID: <1177340783.25796.158.camel@localhost.localdomain>

On Mon, 2007-04-23 at 15:22 +0200, Alex wrote:
> Hi guys
>
> I'm playing with a damned configuration I can't figure how to have it
> working.
>
> THE PROBLEM
> =============
> All the mail that comes on some servers passes on SMTP servers that are
> behind a firewall.
>
> Those servers are placed in a DMZ and use Postfix with load balancing.
>
> Those SMTP servers decide where to send their mail on different mail
> servers using sendmail AND Mailscanner.
>
>
> INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to
> SMTP using MS -->Mailscanner
>
> If I set up a whitelist like the following
>
> From: 1.2.3.4 and To: address@domain yes
>
> it will never match since the headers of the received mail on the
> Mailscanner servers look like

I too have the same problem, I have been looking for a fix since 3 months now.
Probably the only way now is to use a high negative score in spamassassin by using a meta custom ruleset of the combination of the incoming ip address and the domain

Very messy thing to do but I cannot see any alternative

Thanks
Ram

From glenn.steen at gmail.com Mon Apr 23 16:18:30 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Apr 23 16:18:33 2007
Subject: Postfix milter with MailScanner , extra 0 problem
In-Reply-To: <1177340488.25796.153.camel@localhost.localdomain>
References: <1177340488.25796.153.camel@localhost.localdomain>
Message-ID: <223f97700704230818t3ffae2e3u1f28b09aad5d454@mail.gmail.com>

On 23/04/07, ram wrote:
> I have just written a *very* simple milter with postfix that logs the
> incoming mail clients ip address ( of course for testing)
>
> When I use postfix alone the milter works fine.
> When I use MailScanner MS seems to insert an extra "0" in the body of
> the mail. I have got no idea why ?
>
> Is this a bug ?
>
Sort of. What you see is Postfix adding in "possible p record jumpoff points". MailScanner doesn't handle that yet.
If you look at the archives for "p records", "patches" and possibly "Nerijus" you could find the patches I made to handle these (for Postfix 2.3. 2.4 can do full body edits, I only have a rather rough patch available for that)... If you can't find them, give a shout and I'll send you what I have so far, tomorrow.

The patches aim at removing the p records entirely... Since we construct a completely new queue file, there really is no value in preserving them.

Nerijus Baliunas (and I) have been running those patches for a few months (or somesuch) without problems.

Unfortunately Jules' illness taking a bad turn happened to coincide with me sending off the patches to him... So they haven't made it into MailScanner proper. Yet. Let the man get a bit better before we start yammering at him to incorporate them (or better yet, something more clever than what I've done:-)... Eh;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From snifer_ at hotmail.com Mon Apr 23 16:15:47 2007
From: snifer_ at hotmail.com (Juan Pablo Salazar Bertín)
Date: Mon Apr 23 16:21:37 2007
Subject: phishing not being detected
References: <20070423134346.GD27249@doctor.nl2k.ab.ca> <1177340693.27275.17.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID:

Gareth linguaphone.com> writes:
>
> Are you running the latest clamav 0.90.2. Earlier 0.90 versions did not
> detect phishing attacks when used with clamavmodule.
>

I'm using ClamAV 0.90.2 from rpmforge.

From root at doctor.nl2k.ab.ca Mon Apr 23 16:39:44 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Mon Apr 23 16:41:03 2007
Subject: Creating a ruleset
In-Reply-To: <1177335863.27274.12.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <20070423133706.GB27249@doctor.nl2k.ab.ca> <1177335863.27274.12.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <20070423153944.GA16762@doctor.nl2k.ab.ca>

On Mon, Apr 23, 2007 at 02:44:23PM +0100, Gareth wrote:
> On Mon, 2007-04-23 at 14:37, Dave Shariff Yadallee - System
> Administrator a.k.a. The Root of the Problem wrote:
> > I have set one rule to >50.
> >
> > I would like that if any e-mail come across that rule then drop/delete.
>
> Perhaps MCP would be a good use for this?
>

I am running SA 3.2.0 rc2 Patches need to be redone :-)

> >
> > Also if Spamscore is > 30, then delete/bounce.
> >
> > Otherwise is possible spam, tag else hence deliver.
>
> There is no point bouncing high scoring spam as the sender will be a
> fake address anyway.
>

delete then :-)

> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> > --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From claude.gagne at multitech.qc.ca Mon Apr 23 16:45:46 2007
From: claude.gagne at multitech.qc.ca (Claude Gagné)
Date: Mon Apr 23 16:43:53 2007
Subject: Converting mbox to Maildir
Message-ID: <462CD4AA.7090702@multitech.qc.ca>

Hi,

I need to convert emails in mbox to Maildir format. Anyone has something to suggest ?

Thanks !
--
Claude Gagne

From martinh at solidstatelogic.com Mon Apr 23 16:46:39 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Apr 23 16:46:55 2007
Subject: Converting mbox to Maildir
In-Reply-To: <462CD4AA.7090702@multitech.qc.ca>
Message-ID: <220517da9c92ed46a230394422013cac@solidstatelogic.com>

Claude

Do a google search on mb2md (mbox 2 maildir).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Claude Gagné
> Sent: 23 April 2007 16:46
> To: MailScanner discussion
> Subject: Converting mbox to Maildir
>
> Hi,
>
> I need to convert emails in mbox to Maildir format. Anyone has something
> to suggest ?
>
> Thanks !
> --
> Claude Gagne
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From claude.gagne at multitech.qc.ca Mon Apr 23 16:54:10 2007
From: claude.gagne at multitech.qc.ca (Claude Gagné)
Date: Mon Apr 23 16:52:18 2007
Subject: Converting mbox to Maildir
In-Reply-To: <220517da9c92ed46a230394422013cac@solidstatelogic.com>
References: <220517da9c92ed46a230394422013cac@solidstatelogic.com>
Message-ID: <462CD6A2.7080900@multitech.qc.ca>

Hi Martin,

Thanks for your answer. Yes I saw it on Google. Does it work good ?

Martin.Hepworth wrote:
> Claude
>
> Do a google search on mb2md (mbox 2 maildir).
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

From ram at netcore.co.in Mon Apr 23 16:59:23 2007
From: ram at netcore.co.in (ram)
Date: Mon Apr 23 16:59:37 2007
Subject: Postfix milter with MailScanner , extra 0 problem
In-Reply-To: <223f97700704230818t3ffae2e3u1f28b09aad5d454@mail.gmail.com>
References: <1177340488.25796.153.camel@localhost.localdomain> <223f97700704230818t3ffae2e3u1f28b09aad5d454@mail.gmail.com>
Message-ID: <1177343963.25796.159.camel@localhost.localdomain>

On Mon, 2007-04-23 at 17:18 +0200, Glenn Steen wrote:
> On 23/04/07, ram wrote:
> > I have just written a *very* simple milter with postfix that logs the
> > incoming mail clients ip address ( of course for testing)
> >
> > When I use postfix alone the milter works fine.
> > When I use MailScanner MS seems to insert an extra "0" in the body of
> > the mail. I have got no idea why ?
> >
> > Is this a bug ?
> >
> Sort of. What you see is Postfix adding in "possible p record jumpoff
> points". MailScanner doesn't handle that yet.
> If you look at the archives for "p records", "patches" and possibly
> "Nerijus" you could find the patches I made to handle these (for
> Postfix 2.3. 2.4 can do full body edits, I only have a rather rough
> patch available for that)... If you can't find them, give a shout and
> I'll send you what I have so far, tomorrow.
>
> The patches aim at removing the p records entirely... Since we
> construct a completely new queue file, there really is no value in
> preserving them.
>
> Nerijus Baliunas (and I) have been running those patches for a few
> months (or somesuch) without problems.
>

Can I get these patches
Might be I would try them for myself

Thanks
Ram

From clacroix at cegep-ste-foy.qc.ca Mon Apr 23 17:00:33 2007
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Mon Apr 23 17:00:41 2007
Subject: Converting mbox to Maildir
In-Reply-To: <462CD6A2.7080900@multitech.qc.ca>
References: <220517da9c92ed46a230394422013cac@solidstatelogic.com> <462CD6A2.7080900@multitech.qc.ca>
Message-ID: <200704231200.33279.clacroix@cegep-ste-foy.qc.ca>

I've used it recently for about 50 mbox we had here. I didn't get any problem using it.

On Monday 23 April 2007 11:54, Claude Gagné wrote:
> Hi Martin,
>
> Thanks for your answer. Yes I saw it on Google. Does it work good ?
>
> Martin.Hepworth wrote:
> > Claude
> >
> > Do a google search on mb2md (mbox 2 maildir).

--
Charles Lacroix, UNIX Administrator.
Service des télécommunications et des technologies
Cégep de Sainte-Foy (418) 659-6600 # 4266

From neilw at dcdata.co.za Mon Apr 23 17:00:52 2007
From: neilw at dcdata.co.za (Neil Wilson)
Date: Mon Apr 23 17:01:37 2007
Subject: Converting mbox to Maildir
In-Reply-To: <462CD4AA.7090702@multitech.qc.ca>
References: <462CD4AA.7090702@multitech.qc.ca>
Message-ID: <462CD834.9080407@dcdata.co.za>

Claude Gagné wrote:
> Hi,
>
> I need to convert emails in mbox to Maildir format. Anyone has something
> to suggest ?
>
> Thanks !

I use the two scripts attached to convert all the mailboxes in one go.

Just check the paths in convert.sh and rename files accordingly (remove .txt etc :)

I normally put both of these under /usr/local/bin/
then the only thing you need to change in it is...

spool=/var/spool/mail

Leave as is if your mboxes are here...

maild=/home/vmail
Change to the location of your Maildirs, mine are /home/user/Maildir so I just change this to...
maild=/home/

Once it's done you need to change the permissions on your homedirs as the user and the group get changed to root.

I use this all the time, hope it helps.

Neil

--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

-------------- next part --------------
#!/bin/bash
#-This all correct - maybe change /home/vmail.
#-After running this chown vmail:vmail [vmail dir]
# 2002 - Luciano Linhares Martins

# Path to the program that converts the messages
prog="/usr/local/bin/mbox2maildir"

# SPOOL - directory where the e-mails are stored
spool=/var/spool/mail

# Base directory where the messages in Maildir format will be placed
maild=/home/vmail

# Loop that takes the mboxes from the spool and generates the Maildir
for user in $(ls "$spool")
do
    # Maildir BASE - base directory of the user's Maildir
    mbase="$maild/$user"
    # The user's Maildir
    mdir="$mbase/Maildir"
    # File where the user's e-mails are stored in the spool
    email="$spool/$user"
    # Working copy; mbox2maildir deletes $MAIL when it is done
    tmail="$spool/$user.bk"
    export MAILDIR="$mdir"
    export MAIL="$tmail"
    export MAILTMP=/tmp/tmp
    mkdir -p "$mbase"
    cp "$email" "$tmail"
    perl "$prog"
done
-------------- next part --------------
#!/usr/local/bin/perl
#
#-!!!!!!!!!!DO NOT EDIT THIS!!!!!!!!!!!!!!! - USE convert.sh
# mbox2maildir: converts mbox file to maildir directory - the reverse of
# maildir2mbox from the qmail distribution.
#
# Usage: mbox2maildir uses the same environment variables as maildir2mbox:
# MAILDIR is the name of your maildir directory; MAIL is the name of your
# mbox file; MAILTMP is ignored. MAIL is deleted after the conversion.
#
# WARNING: there is no locking; don't run more than one of these! you
# have been warned.
#
# based on convert-and-create by Russell Nelson
# kludged into this by Ivan Kohler 97-sep-17

local $SIG{HUP} = 'IGNORE';
local $SIG{INT} = 'IGNORE';
local $SIG{QUIT} = 'IGNORE';
local $SIG{TERM} = 'IGNORE';
local $SIG{TSTP} = 'IGNORE';

# Refuse to run unless the invoking user owns their own home directory.
($name, $passwd, $uid, $gid, $quota, $comment, $gcos, $dir, $shell) = getpwuid($<);
die "fatal: home dir $dir doesn't exist\n" unless -e $dir;
# The posting used stat.pl's &Stat here; that Perl 4 library is no longer
# shipped with current Perl, so the built-in stat() is used instead.
$st_uid = (stat($dir))[4];
die "fatal: $name is $uid, but $dir is owned by $st_uid\n" if $uid != $st_uid;

chdir($dir) or die "fatal: unable to chdir to $dir\n";
$spoolname = "$ENV{MAILDIR}";
-d $spoolname or mkdir $spoolname,0700 or die("fatal: $spoolname doesn't exist and can't be created.\n");

chdir($spoolname) or die("fatal: unable to chdir to $spoolname.\n");
-d "tmp" or mkdir("tmp",0700) or die("fatal: unable to make tmp/ subdir\n");
-d "new" or mkdir("new",0700) or die("fatal: unable to make new/ subdir\n");
-d "cur" or mkdir("cur",0700) or die("fatal: unable to make cur/ subdir\n");

open(SPOOL, "<$ENV{MAIL}") or die "Unable to open $ENV{MAIL}\n";
$i = time;
while(<SPOOL>) {
  # Each mbox "From " separator line starts a new file in new/
  if (/^From /) {
    $fn = sprintf("new/%d.$$.mbox", $i);
    open(OUT, ">$fn") or die("fatal: unable to create new message");
    $i++;
    next;
  }
  # Undo the mbox quoting of body lines that begin with "From "
  s/^>From /From /;
  print OUT or die("fatal: unable to write to new message");
}
close(SPOOL);
close(OUT);
unlink("$ENV{MAIL}");

From martinh at solidstatelogic.com Mon Apr 23 17:03:07 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Apr 23 17:03:15 2007
Subject: Converting mbox to Maildir
In-Reply-To: <462CD6A2.7080900@multitech.qc.ca>
Message-ID: <015d49111b86e548a596072b0d26b919@solidstatelogic.com>

Works very well....

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Claude Gagné
> Sent: 23 April 2007 16:54
> To: MailScanner discussion
> Subject: Re: Converting mbox to Maildir
>
> Hi Martin,
>
> Thanks for your answer. Yes I saw it on Google. Does it work good ?

From arjan at anymore.nl Mon Apr 23 18:12:09 2007
From: arjan at anymore.nl (Arjan Schrijver)
Date: Mon Apr 23 18:12:14 2007
Subject: Converting mbox to Maildir
In-Reply-To: <462CD6A2.7080900@multitech.qc.ca>
References: <220517da9c92ed46a230394422013cac@solidstatelogic.com> <462CD6A2.7080900@multitech.qc.ca>
Message-ID: <462CE8E9.1070504@anymore.nl>

I've used it multiple times too, and it works very well.

Claude Gagné wrote:
> Hi Martin,
>
> Thanks for your answer. Yes I saw it on Google. Does it work good ?
>
> Martin.Hepworth wrote:
>> Claude
>>
>> Do a google search on mb2md (mbox 2 maildir).

From claude.gagne at multitech.qc.ca Mon Apr 23 18:19:49 2007
From: claude.gagne at multitech.qc.ca (Claude Gagné)
Date: Mon Apr 23 18:17:56 2007
Subject: Converting mbox to Maildir
In-Reply-To: <462CD834.9080407@dcdata.co.za>
References: <462CD4AA.7090702@multitech.qc.ca> <462CD834.9080407@dcdata.co.za>
Message-ID: <462CEAB5.7010906@multitech.qc.ca>

Hi Neil,

It's exactly my situation. I'll give it a try as soon as I merge. Thanks for your great help.

Neil Wilson wrote:
> Claude Gagné wrote:
>> Hi,
>>
>> I need to convert emails in mbox to Maildir format. Anyone has
>> something to suggest ?
>>
>> Thanks !
>
> I use the two scripts attached to convert all the mailboxes in one go.
>
> Just check the paths in convert.sh and rename files accordingly(remove
> .txt etc :)
>
> I normally put both of these under /usr/local/bin/
> then the only thing you need to change in it is...
>
> spool=/var/spool/mail
>
> Leave as is if your mboxes are here...
>
> maild=/home/vmail
> Change to the location of your Maildirs, mine are /home/user/Maildir
> so I just change this to...
> maild=/home/
>
> Once it's done you need to change the permissions on your homedirs as
> the users and the group gets changed to root.
>
> I use this all the time, hope it helps.
>
> Neil

From vosburgh at dalsemi.com Mon Apr 23 18:33:25 2007
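The conversion discussed in the thread above (split an mbox on its "From " separator lines and undo ">From " quoting, as the attached mbox2maildir script does), as an added Python example that is not part of any list message or of the posted scripts. It differs from them by writing each message to tmp/ and renaming it into new/, by handing ownership to a caller-supplied uid/gid instead of leaving files owned by root, and by leaving the source mbox in place; the names split_mbox, deliver, convert and demo are hypothetical and the sample mailbox is constructed.

```python
import os
import socket
import tempfile
import time

# Constructed sample mbox: two messages, the first with a quoted ">From " line.
SAMPLE_MBOX = (
    b"From alice@example.org Mon Apr 23 16:45:46 2007\n"
    b"Subject: one\n\n>From the start it worked.\n\n"
    b"From bob@example.org Mon Apr 23 17:00:52 2007\n"
    b"Subject: two\n\nsecond body\n"
)


def split_mbox(data: bytes) -> list:
    """Split mbox data into raw messages.

    A line starting with b"From " opens a new message and is dropped; a body
    line starting with b">From " is restored to b"From ". These are the same
    two rules the Perl script in the thread applies.
    """
    messages, current = [], None
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From "):
            if current is not None:
                messages.append(b"".join(current))
            current = []
            continue
        if current is None:
            continue  # ignore anything before the first separator
        if line.startswith(b">From "):
            line = line[1:]
        current.append(line)
    if current is not None:
        messages.append(b"".join(current))
    return messages


def _unique_name(seq: int) -> str:
    """Maildir-style unique file name: <time>.P<pid>Q<counter>.<host>."""
    host = socket.gethostname().replace("/", "\\057").replace(":", "\\072")
    return "%d.P%dQ%d.%s" % (time.time(), os.getpid(), seq, host)


def deliver(maildir: str, raw: bytes, seq: int, uid=None, gid=None) -> str:
    """Write one message to tmp/, then rename it into new/."""
    name = _unique_name(seq)
    tmp_path = os.path.join(maildir, "tmp", name)
    # O_EXCL refuses to reuse an existing name or to follow a planted symlink.
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(raw)
        out.flush()
        os.fsync(out.fileno())
        if uid is not None:
            # Change ownership through the open descriptor, not the path.
            os.fchown(out.fileno(), uid, -1 if gid is None else gid)
    new_path = os.path.join(maildir, "new", name)
    os.rename(tmp_path, new_path)  # readers never see a half-written file
    return new_path


def convert(mbox_path: str, maildir: str, uid=None, gid=None) -> list:
    """Convert one mbox file into a Maildir; return the delivered paths."""
    for path in (maildir, *(os.path.join(maildir, s) for s in ("tmp", "new", "cur"))):
        if not os.path.isdir(path):
            os.makedirs(path, mode=0o700)
            if uid is not None:
                os.chown(path, uid, -1 if gid is None else gid,
                         follow_symlinks=False)
    with open(mbox_path, "rb") as src:
        messages = split_mbox(src.read())
    return [deliver(maildir, raw, seq, uid, gid)
            for seq, raw in enumerate(messages)]


def demo() -> list:
    """Convert SAMPLE_MBOX in a scratch directory; return the stored bodies."""
    with tempfile.TemporaryDirectory() as scratch:
        mbox = os.path.join(scratch, "alice")
        with open(mbox, "wb") as handle:
            handle.write(SAMPLE_MBOX)
        stored = []
        for path in convert(mbox, os.path.join(scratch, "alice.Maildir")):
            with open(path, "rb") as handle:
                stored.append(handle.read())
        return stored


if __name__ == "__main__":
    for body in demo():
        print(body.decode())
```

When run as root over a spool directory, pass each mailbox owner's uid and gid to convert() so the result does not need a separate chown pass afterwards.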
From: vosburgh at dalsemi.com (David Vosburgh)
Date: Mon Apr 23 18:34:21 2007
Subject: blacklists and archiving
In-Reply-To: <461BB31E.7060500@dalsemi.com>
References: <461BB31E.7060500@dalsemi.com>
Message-ID: <462CEDE5.3020007@dalsemi.com>

I know it's Monday, but can anyone provide some insight into this problem? Thanks.

Dave

David Vosburgh wrote:
> I have setup mail archiving to both a file and another email address for
> all mail from a particular domain. That much has worked fine for some
> time now. I recently got a request to blacklist one address in that
> domain, so I put an entry in the spam.blacklists.rules file. The next
> time a message came through from that address, rather than being
> blacklisted, the message was delivered and archived as normal (and yes I
> did restart MailScanner). Is this a matter of precedence? That is,
> does archiving take precedence over blacklisting? Or is this a
> misconfiguration on my part, or a bug?
>
> Here's the MailScanner -v output:
>
> # MailScanner -v
> Running on
> Linux artesia 2.6.9-42.0.3.ELsmp #1 SMP Fri Oct 6 06:21:39 CDT 2006 i686
> i686 i386 GNU/Linux
> This is CentOS release 4.4 (Final)
> This is Perl version 5.008005 (5.8.5)
>
> This is MailScanner version 4.55.10
> Module versions are:
> 1.00 AnyDBM_File
> 1.14 Archive::Zip
> 1.03 Carp
> 1.119 Convert::BinHex
> 1.00 DirHandle
> 1.05 Fcntl
> 2.73 File::Basename
> 2.08 File::Copy
> 2.01 FileHandle
> 1.06 File::Path
> 0.14 File::Temp
> 0.90 Filesys::Df
> 1.35 HTML::Entities
> 3.54 HTML::Parser
> 2.37 HTML::TokeParser
> 1.21 IO
> 1.10 IO::File
> 1.123 IO::Pipe
> 1.71 Mail::Header
> 3.05 MIME::Base64
> 5.420 MIME::Decoder
> 5.420 MIME::Decoder::UU
> 5.420 MIME::Head
> 5.420 MIME::Parser
> 3.03 MIME::QuotedPrint
> 5.420 MIME::Tools
> 0.10 Net::CIDR
> 1.08 POSIX
> 1.77 Socket
> 1.4 Sys::Hostname::Long
> 0.17 Sys::Syslog
> 1.86 Time::HiRes
> 1.02 Time::localtime
> Optional module versions are:
> 0.17 Convert::TNEF
> 1.814 DB_File
> 1.12 DBD::SQLite
> 1.50 DBI
> 1.15 Digest
> 1.01 Digest::HMAC
> 2.36 Digest::MD5
> 2.10 Digest::SHA1
> 0.44 Inline
> 0.17 Mail::ClamAV
> 3.001004 Mail::SpamAssassin
> 1.999001 Mail::SPF::Query
> 0.20 Net::CIDR::Lite
> 1.25 Net::IP
> 0.57 Net::DNS
> 0.31 Net::LDAP
> 1.94 Parse::RecDescent
> missing SAVI
> 2.56 Test::Harness
> 0.47 Test::Simple
> 1.95 Text::Balanced
> 1.35 URI
>
> Dave

From root at doctor.nl2k.ab.ca Mon Apr 23 19:55:43 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Mon Apr 23 19:57:20 2007
Subject: {Spam?} Re: blacklists and archiving
In-Reply-To: <462CEDE5.3020007@dalsemi.com>
References: <461BB31E.7060500@dalsemi.com> <462CEDE5.3020007@dalsemi.com>
Message-ID: <20070423185542.GA10213@doctor.nl2k.ab.ca>

This came up in my Spamcheck headers

vosburgh@dalsemi.com spam, SpamAssassin (not cached, score=5, required 5, RCVD_IN_WHOIS_BOGONS 5.00)

Hope this helps.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From wilson.galafassi at gmail.com Tue Apr 24 05:33:24 2007
From: wilson.galafassi at gmail.com (Wilson A. Galafassi Jr.)
Date: Tue Apr 24 05:36:49 2007
Subject: mailscanner loggin in mailwatch mysql duplicated
Message-ID: <001c01c78629$b38d6e00$1aa84a00$@com.br>

Hello.

I'm installing mailscanner + mailwatch with fc6 and postfix 2.3.7
The messages are logged exact the same in mailwatch database.

Can someone have some Idea of what is happening?
Thanks
Wilson

From wilson.galafassi at gmail.com Tue Apr 24 06:05:08 2007
From: wilson.galafassi at gmail.com (Wilson A. Galafassi Jr.) Date: Tue Apr 24 06:08:33 2007 Subject: duplicated SQL logging Message-ID: <001e01c7862e$2278ace0$676a06a0$@com.br> Hello. My messages are logged to SQL duplicate: see the log above: Apr 24 02:04:02 netserver postfix/pickup[13168]: 9F7FD16FCAF: uid=0 from= Apr 24 02:04:02 netserver postfix/cleanup[13190]: 9F7FD16FCAF: hold: header Received: by netserver.ftpman (Postfix, from userid 0)??id 9F7FD16FCAF; Tue, 24 Apr 2007 02:04:02 -0300 (BRT) from local; from= to= Apr 24 02:04:02 netserver postfix/cleanup[13190]: 9F7FD16FCAF: message-id=<20070424050402.9F7FD16FCAF@netserver.ftpmanagerbr> Apr 24 02:04:07 netserver MailScanner[13183]: New Batch: Scanning 1 messages, 540 bytes Apr 24 02:04:07 netserver MailScanner[13183]: Logging message 9F7FD16FCAF.25F36 to SQL Apr 24 02:04:07 netserver MailScanner[13183]: Virus and Content Scanning: Starting Apr 24 02:04:07 netserver MailScanner[13183]: Logging message 9F7FD16FCAF.25F36 to SQL Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to MailWatch SQL Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to MailWatch SQL Apr 24 02:04:07 netserver MailScanner[13183]: Requeue: 9F7FD16FCAF.25F36 to 5592316FCAE Apr 24 02:04:07 netserver postfix/qmgr[13169]: 5592316FCAE: from=, size=711, nrcpt=1 (queue active) Apr 24 02:04:07 netserver MailScanner[13183]: Uninfected: Delivered 1 messages Some ideas? Thanks Wilson From hvdkooij at vanderkooij.org Tue Apr 24 06:28:22 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Apr 24 06:28:54 2007 Subject: duplicated SQL logging In-Reply-To: <001e01c7862e$2278ace0$676a06a0$@com.br> References: <001e01c7862e$2278ace0$676a06a0$@com.br> Message-ID: On Tue, 24 Apr 2007, Wilson A. Galafassi Jr. wrote: > Hello. > My messages are logged to SQL duplicate: see the log above: > > Apr 24 02:04:07 netserver MailScanner[13183]: Logging message > 9F7FD16FCAF.25F36 to SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13183]: Requeue: 9F7FD16FCAF.25F36 to > 5592316FCAE And which Line(s) are responsible for this logging in your config? Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From list-mailscanner at linguaphone.com Tue Apr 24 08:59:10 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Apr 24 08:59:26 2007 Subject: mailscanner loggin in mailwatch mysql duplicated In-Reply-To: <001c01c78629$b38d6e00$1aa84a00$@com.br> References: <001c01c78629$b38d6e00$1aa84a00$@com.br> Message-ID: <1177401550.29785.0.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-04-24 at 05:33, Wilson A. Galafassi Jr. wrote: > Hello. > > I?m installing mailscanner + mailwatch with fc6 and postfix 2.3.7 > The messages are logged exact the same in mailwatch database. > > Can someone have some Idea of what is happening? > Thanks > Wilson Please explain what exactly is going wrong. From list-mailscanner at linguaphone.com Tue Apr 24 09:02:11 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Apr 24 09:02:33 2007 Subject: duplicated SQL logging In-Reply-To: <001e01c7862e$2278ace0$676a06a0$@com.br> References: <001e01c7862e$2278ace0$676a06a0$@com.br> Message-ID: <1177401731.29785.3.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-04-24 at 06:05, Wilson A. Galafassi Jr. wrote: > Hello. > My messages are logged to SQL duplicate: see the log above: > > Apr 24 02:04:02 netserver postfix/pickup[13168]: 9F7FD16FCAF: uid=0 > from= > Apr 24 02:04:02 netserver postfix/cleanup[13190]: 9F7FD16FCAF: hold: header > Received: by netserver.ftpman (Postfix, from userid 0)??id 9F7FD16FCAF; Tue, > 24 Apr 2007 02:04:02 -0300 (BRT) from local; from= > to= > Apr 24 02:04:02 netserver postfix/cleanup[13190]: 9F7FD16FCAF: > message-id=<20070424050402.9F7FD16FCAF@netserver.ftpmanagerbr> > Apr 24 02:04:07 netserver MailScanner[13183]: New Batch: Scanning 1 > messages, 540 bytes > Apr 24 02:04:07 netserver MailScanner[13183]: Logging message > 9F7FD16FCAF.25F36 to SQL > Apr 24 02:04:07 netserver MailScanner[13183]: Virus and Content Scanning: > Starting > Apr 24 02:04:07 netserver MailScanner[13183]: Logging message > 9F7FD16FCAF.25F36 to SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13183]: Requeue: 9F7FD16FCAF.25F36 to > 5592316FCAE > Apr 24 02:04:07 netserver postfix/qmgr[13169]: 5592316FCAE: > from=, size=711, nrcpt=1 (queue active) > Apr 24 02:04:07 netserver MailScanner[13183]: Uninfected: Delivered 1 > messages > What do you get if you run this command :- [root@mailscanner ~]# cat /etc/MailScanner/MailScanner.conf | grep MailWatch Always Looked Up Last = &MailWatchLogging My guess is that you are somehow calling it twice. From martinh at solidstatelogic.com Tue Apr 24 10:01:51 2007 
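Gareth's grep, extended into a check that pairs the symptom with his guessed cause: it counts message IDs that reach "Logged to MailWatch SQL" more than once and lists any `&Function` that more than one MailScanner.conf option points at. This is an added example, not MailScanner or MailWatch code; the log lines are the ones posted above with the mail wrapping undone, and the configuration fragment is constructed from option lines quoted in this thread.

```python
import re
from collections import Counter, defaultdict

# Log lines from the post above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Apr 24 02:04:07 netserver MailScanner[13183]: New Batch: Scanning 1 messages, 540 bytes
Apr 24 02:04:07 netserver MailScanner[13183]: Logging message 9F7FD16FCAF.25F36 to SQL
Apr 24 02:04:07 netserver MailScanner[13183]: Virus and Content Scanning: Starting
Apr 24 02:04:07 netserver MailScanner[13183]: Logging message 9F7FD16FCAF.25F36 to SQL
Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to MailWatch SQL
Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to MailWatch SQL
Apr 24 02:04:07 netserver MailScanner[13183]: Requeue: 9F7FD16FCAF.25F36 to 5592316FCAE
"""

# Constructed MailScanner.conf fragment built from option lines quoted in
# this thread; it is not a complete configuration file.
SAMPLE_CONF = """\
# constructed fragment
Always Looked Up Last = &MailWatchLogging
Always Include SpamAssassin Report = &MailWatchLogging
Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist
#Always Looked Up Last = &MailWatchLogging
High Scoring Spam Actions = deliver attachment header "X-Spam-Flag: YES"
"""

LOGGED = re.compile(r"MailScanner\[\d+\]: (\S+): Logged to MailWatch SQL")


def multiply_logged(log_text):
    """Return {message_id: count} for IDs written to MailWatch more than once."""
    counts = Counter(m.group(1) for m in LOGGED.finditer(log_text))
    return {msg_id: n for msg_id, n in counts.items() if n > 1}


def custom_function_refs(conf_text):
    """Map each &CustomFunction name to the options whose value is that function."""
    refs = defaultdict(list)
    for line in conf_text.splitlines():
        stripped = line.strip()
        # Skip blanks, comments (including commented-out options) and non-options.
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        option, value = (part.strip() for part in stripped.split("=", 1))
        if value.startswith("&"):
            refs[value[1:]].append(option)
    return dict(refs)


def duplicated_functions(conf_text):
    """Return only the custom functions referenced by two or more options."""
    return {fn: opts for fn, opts in custom_function_refs(conf_text).items()
            if len(opts) > 1}


if __name__ == "__main__":
    for msg_id, n in multiply_logged(SAMPLE_LOG).items():
        print(f"{msg_id}: logged to MailWatch {n} times")
    for fn, opts in duplicated_functions(SAMPLE_CONF).items():
        print(f"&{fn} is called from: {', '.join(opts)}")
```
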
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Apr 24 10:02:02 2007 Subject: blacklists and archiving In-Reply-To: <462CEDE5.3020007@dalsemi.com> Message-ID: <849e4bf278e67641bcebd0c87d3ce024@solidstatelogic.com> Dave What does the spam.blacklists.rules look like, and what setting in MailScanner.conf is calling this rules file? Yes, order is important: it runs through the rules top to bottom and stops at any hit, i.e. putting a default line at the top will hit that every time and no other rules will be evaluated. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of David Vosburgh > Sent: 23 April 2007 18:33 > To: MailScanner discussion > Subject: Re: blacklists and archiving > > I know it's Monday, but can anyone provide some insight into this > problem? Thanks. > > Dave > > David Vosburgh wrote: > > I have setup mail archiving to both a file and another email address for > > all mail from a particular domain. That much has worked fine for some > > time now. I recently got a request to blacklist one address in that > > domain, so I put an entry in the spam.blacklists.rules file. The next > > time a message came through from that address, rather than being > > blacklisted, the message was delivered and archived as normal (and yes I > > did restart MailScanner). Is this a matter of precedence? That is, > > does archiving take precedence over blacklisting? Or is this a > > misconfiguration on my part, or a bug? > > > > Here's the MailScanner -v output: > > > > # MailScanner -v > > Running on > > Linux artesia 2.6.9-42.0.3.ELsmp #1 SMP Fri Oct 6 06:21:39 CDT 2006 i686 > > i686 i386 GNU/Linux > > This is CentOS release 4.4 (Final) > > This is Perl version 5.008005 (5.8.5) > > > > This is MailScanner version 4.55.10 > > Module versions are: > > 1.00 AnyDBM_File > > 1.14 Archive::Zip > > 1.03 Carp > > 1.119 Convert::BinHex > > 1.00 DirHandle > > 1.05 Fcntl > > 2.73 File::Basename > > 2.08 File::Copy > > 2.01 FileHandle > > 1.06 File::Path > > 0.14 File::Temp > > 0.90 Filesys::Df > > 1.35 HTML::Entities > > 3.54 HTML::Parser > > 2.37 HTML::TokeParser > > 1.21 IO > > 1.10 IO::File > > 1.123 IO::Pipe > > 1.71 Mail::Header > > 3.05 MIME::Base64 > > 5.420 MIME::Decoder > > 5.420 MIME::Decoder::UU > > 5.420 MIME::Head > > 5.420 MIME::Parser > > 3.03 MIME::QuotedPrint > > 5.420 MIME::Tools > > 0.10 Net::CIDR > > 1.08 POSIX > > 1.77 Socket > > 1.4 Sys::Hostname::Long > > 0.17 Sys::Syslog > > 1.86 Time::HiRes > > 1.02 
Time::localtime > > Optional module versions are: > > 0.17 Convert::TNEF > > 1.814 DB_File > > 1.12 DBD::SQLite > > 1.50 DBI > > 1.15 Digest > > 1.01 Digest::HMAC > > 2.36 Digest::MD5 > > 2.10 Digest::SHA1 > > 0.44 Inline > > 0.17 Mail::ClamAV > > 3.001004 Mail::SpamAssassin > > 1.999001 Mail::SPF::Query > > 0.20 Net::CIDR::Lite > > 1.25 Net::IP > > 0.57 Net::DNS > > 0.31 Net::LDAP > > 1.94 Parse::RecDescent > > missing SAVI > > 2.56 Test::Harness > > 0.47 Test::Simple > > 1.95 Text::Balanced > > 1.35 URI > > > > Dave > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From list-mailscanner at linguaphone.com Tue Apr 24 10:11:40 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Apr 24 10:11:50 2007 Subject: Deleting detected spam for some addresses only Message-ID: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk> What I would like to do is have high scoring spam automatically deleted for some addresses but still delivered for the remaining users. Currently mailscanner configuration contains :- High Scoring Spam Actions = deliver attachment header "X-Spam-Flag: YES" If I change this to :- High Scoring Spam Actions = %rules-dir%/high.scoring.spam.rules and then create the high.scoring.spam.rules file containing :- To: an.address@domain.com delete To: another.address@domain.com delete FromOrTo: default deliver attachment header "X-Spam-Flag: YES" Would that work? Is there any problems associates with having a quotes string on the right hand side for example? From glenn.steen at gmail.com Tue Apr 24 10:16:23 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 24 10:16:27 2007 Subject: Postfix milter with MailScanner , extra 0 problem In-Reply-To: <1177343963.25796.159.camel@localhost.localdomain> References: <1177340488.25796.153.camel@localhost.localdomain> <223f97700704230818t3ffae2e3u1f28b09aad5d454@mail.gmail.com> <1177343963.25796.159.camel@localhost.localdomain> Message-ID: <223f97700704240216u4cbd4cbey1df9503fa3a2c7f6@mail.gmail.com> On 23/04/07, ram wrote: > On Mon, 2007-04-23 at 17:18 +0200, Glenn Steen wrote: > > On 23/04/07, ram wrote: > > > I have just written a *very* simple milter with postfix that logs the > > > incoming mail clients ip address ( of course for testing) > > > > > > When I use postfix alone the milter works fine. > > > When I use MailScanner MS seems to insert an extra "0" in the body of > > > the mail. I have got no idea why ? > > > > > > Is this a bug ? > > > > > Sort of. What you see is Postfix adding in "possible p record jumpoff > > points". MailScanner doesn't handle that yet. > > If you look at the archives for "p records", "patches" and possibly > > "Nerijus" you could find the patches I made to handle these (for > > Postfix 2.3. 2.4 can do full body edits, I only have a rather rough > > patch available for that)... If you can't find them, give a shout and > > I'll send you what I have so far, tomorrow. > > > > The patches aim at removing the p records entirely... Since we > > construct a completely new queue file, there really is no value in > > preserving them. > > > > Nerijus Baliunas (and I) have been running those patches for a few > > months (or somesuch) without problems. > > > > Can I get these patches > Might be I would try them for myself > > Please do! These patches are for use with Postfix 2.3... Although PFDiskStore.pm will handle the body edits we need do some check to see that all the body is there by spinning through the p records in ReadQf (in Postfix.pm)... Or something smarter (I'm open to sugegstions:-). 
If you need that (and run PF 2.4) I can probably find my patch for that too ... somewhere...:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- A non-text attachment was scrubbed... Name: Postfix.pm.precord.patch Type: text/x-patch Size: 8555 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070424/b3657482/Postfix.pm.precord.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: PFDiskStore.pm.precord1.patch Type: text/x-patch Size: 800 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070424/b3657482/PFDiskStore.pm.precord1.bin From glenn.steen at gmail.com Tue Apr 24 10:26:34 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 24 10:26:41 2007 Subject: Deleting detected spam for some addresses only In-Reply-To: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700704240226oad3feddwc0ec03d066486d2a@mail.gmail.com> On 24/04/07, Gareth wrote: > What I would like to do is have high scoring spam automatically deleted > for some addresses but still delivered for the remaining users. > > Currently mailscanner configuration contains :- > > High Scoring Spam Actions = deliver attachment header "X-Spam-Flag: YES" > > If I change this to :- > High Scoring Spam Actions = %rules-dir%/high.scoring.spam.rules > and then create the high.scoring.spam.rules file containing :- > > To: an.address@domain.com delete > To: another.address@domain.com delete > FromOrTo: default deliver attachment header > "X-Spam-Flag: YES" > > Would that work? > Is there any problems associates with having a quotes string on the > right hand side for example? > Yes, it should. You can always do the edits and test them prior to going live... Just do the edits, then run MailScanner --lint and then some permutations of MailScanner --value=highscoringspamactions --from=glenn.steen@ap1.se --to=some@add.res --ip=127.0.0.1 Looked up internal option name "highscorespamactions" With sender = glenn.steen@ap1.se recipient = some@add.res Client IP = 127.0.0.1 Virus = Result is "store delete" .... you get the picture:-). When you've got it right, just reload/restart MailScanner... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Tue Apr 24 11:34:35 2007 
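Martin's point about rule order and Gareth's proposed high.scoring.spam.rules can both be checked with a small first-match model, given here as an added example that is not MailScanner's own parser. As assumptions, it handles only address patterns (with `*`) and `default`, not IP patterns or compound `and` rules, and the sender address and the default-first variant are constructed; Glenn's `MailScanner --value=...` run remains the test against the real configuration.

```python
import re

DIRECTIONS = ("from", "to", "fromorto", "fromandto")

# Gareth's proposed ruleset, with the mail-wrapped last line rejoined.
PROPOSED = '''\
To:       an.address@domain.com       delete
To:       another.address@domain.com  delete
FromOrTo: default                     deliver attachment header "X-Spam-Flag: YES"
'''

# Constructed variant with the default line first, the ordering Martin warns about.
DEFAULT_FIRST = '''\
FromOrTo: default                     deliver attachment header "X-Spam-Flag: YES"
To:       an.address@domain.com       delete
To:       another.address@domain.com  delete
'''


def parse_ruleset(text):
    """Parse 'Direction: pattern value...' lines into (direction, pattern, value)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)  # the value keeps its spaces and quotes
        if len(fields) < 3:
            raise ValueError(f"incomplete rule: {line!r}")
        direction = fields[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"unknown direction in rule: {line!r}")
        rules.append((direction, fields[1].lower(), fields[2]))
    return rules


def address_matches(pattern, address):
    """'default' matches everything; '*' in a pattern matches any run of characters."""
    if pattern == "default":
        return True
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, address.lower()) is not None


def first_match(rules, sender, recipient):
    """Return (rule_number, value) of the first rule that hits, or None."""
    for number, (direction, pattern, value) in enumerate(rules, 1):
        from_hit = address_matches(pattern, sender)
        to_hit = address_matches(pattern, recipient)
        hit = {
            "from": from_hit,
            "to": to_hit,
            "fromorto": from_hit or to_hit,
            "fromandto": from_hit and to_hit,
        }[direction]
        if hit:
            return number, value
    return None


def shadowed_rules(rules):
    """Rule numbers that can never fire because a 'default' rule precedes them."""
    for number, (_direction, pattern, _value) in enumerate(rules, 1):
        if pattern == "default":
            return list(range(number + 1, len(rules) + 1))
    return []


if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED), ("default first", DEFAULT_FIRST)):
        rules = parse_ruleset(text)
        hit = first_match(rules, "sender@example.net", "an.address@domain.com")
        print(f"{name}: {hit}, unreachable rules: {shadowed_rules(rules)}")
```
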
From: res at ausics.net (Res) Date: Tue Apr 24 11:34:46 2007 Subject: Deleting detected spam for some addresses only In-Reply-To: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 24 Apr 2007, Gareth wrote: > What I would like to do is have high scoring spam automatically deleted > for some addresses but still delivered for the remaining users. Yes this works, I use it on several news-email gateways to stop anything labelled as spam from nntp going into the lists. - -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGLd09sWhAmSIQh7MRAihvAJ9OQrjoxk1x1MT0icVt9WLgsBZ0SACfUVd6 ZHbUC8YF52TCvXJHODPbiT4= =j2bF -----END PGP SIGNATURE----- From bilias at edu.physics.uoc.gr Tue Apr 24 11:43:46 2007 From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Tue Apr 24 11:43:57 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> Message-ID: On Mon, 23 Apr 2007, Martin wrote: > Arto wrote: > > > We had this too. Uninstalling clamav* and installing it again > helped. >> >> -arto >> > > Thanks for all replies. Read about this issue on the clamav-list and > hopefully it will be fixed in the next version. I have similar problems with clamav myself. What I did that improved a little bit was deleting the virus database in /var/lib/clamav/* and running freshclam again. Still is very slow. If you try clamscan -debug you will find out why it is so damn slow.... Clamd works fast on the other hand. Maybe it should be included officialy (clamdscan) in MailScanner's the next version. Giannis From bilias at edu.physics.uoc.gr Tue Apr 24 11:47:27 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Tue Apr 24 11:47:39 2007 Subject: mailscanner loggin in mailwatch mysql duplicated In-Reply-To: <001c01c78629$b38d6e00$1aa84a00$@com.br> References: <001c01c78629$b38d6e00$1aa84a00$@com.br> Message-ID: On Tue, 24 Apr 2007, Wilson A. Galafassi Jr. wrote: > Hello. > > I?m installing mailscanner + mailwatch with fc6 and postfix 2.3.7 > The messages are logged exact the same in mailwatch database. > > Can someone have some Idea of what is happening? > Thanks > Wilson It works sweet :) There are complete installation details in MailScanner docs, and in mailwatch docs. Giannis From bilias at edu.physics.uoc.gr Tue Apr 24 11:51:16 2007 From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Tue Apr 24 11:51:27 2007 Subject: duplicated SQL logging In-Reply-To: <001e01c7862e$2278ace0$676a06a0$@com.br> References: <001e01c7862e$2278ace0$676a06a0$@com.br> Message-ID: On Tue, 24 Apr 2007, Wilson A. Galafassi Jr. wrote: > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > > Thanks > Wilson What do you have in MailScanner.conf I have something like this: Always Looked Up Last = &MailWatchLogging Is Definitely Not Spam = &SQLWhitelist Is Definitely Spam = &SQLBlacklist I also remember to put MailWatch.pm, SQLBlackWhiteList.pm in /usr/lib/MailScanner/MailScanner/CustomFunctions Giannis From neilw at dcdata.co.za Tue Apr 24 12:23:00 2007 
From: neilw at dcdata.co.za (Neil Wilson) Date: Tue Apr 24 12:23:02 2007 Subject: Disabling Spam lists not working. Message-ID: <462DE894.60004@dcdata.co.za> Hi guys, I've tried disabling my Spam list options, but for some reason I've still got some senders who keep getting blocked because of the Spam list checks. Below are my options out of my MailScanner.conf Spam Checks = yes Spam List = # Spam Domain List = Spam Lists To Be Spam = 9 These are the options that are showing up in my MailWatch front end as to why the mail was blocked. 1.33 RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net 1.80 RCVD_IN_DSBL Received via a relay in list.dsbl.org 1.24 RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server I've restarted MailScanner after disabling these and I still can't get it to not use RBLs. Any ideas? Thanks. Neil -- This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From wilson.galafassi at gmail.com Tue Apr 24 12:25:19 2007 
From: wilson.galafassi at gmail.com (Wilson A. Galafassi Jr.) Date: Tue Apr 24 12:28:48 2007 Subject: RES: duplicated SQL logging In-Reply-To: References: <001e01c7862e$2278ace0$676a06a0$@com.br> Message-ID: <002b01c78663$3f4af5f0$bde0e1d0$@com.br> Sorry if this log is insufficient. How can I send more debugged logs to the list? Thanks Wilson -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Hugo van der Kooij Sent: Tuesday, 24 April 2007 02:28 To: MailScanner discussion Subject: Re: duplicated SQL logging On Tue, 24 Apr 2007, Wilson A. Galafassi Jr. wrote: > Hello. > My messages are logged to SQL duplicate: see the log above: > > Apr 24 02:04:07 netserver MailScanner[13183]: Logging message > 9F7FD16FCAF.25F36 to SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13183]: Requeue: 9F7FD16FCAF.25F36 to > 5592316FCAE And which Line(s) are responsible for this logging in your config? Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From list-mailscanner at linguaphone.com Tue Apr 24 12:35:05 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Apr 24 12:35:12 2007 Subject: Disabling Spam lists not working. In-Reply-To: <462DE894.60004@dcdata.co.za> References: <462DE894.60004@dcdata.co.za> Message-ID: <1177414505.29789.13.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-04-24 at 12:23, Neil Wilson wrote: > Hi guys, > > I've tried disabling my Spam list options, but for some reason I've still got some senders > who keep getting blocked because of the Spam list checks. > > Below are my options out of my MailScanner.conf > > Spam Checks = yes > Spam List = # > Spam Domain List = > Spam Lists To Be Spam = 9 > > These are the options that are showing up in my MailWatch front end as to why the mail was > blocked. > > 1.33 RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net > 1.80 RCVD_IN_DSBL Received via a relay in list.dsbl.org > 1.24 RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server > > I've restarted MailScanner after disabling these and I still can't get it to not use RBLs. > > Any ideas? > > Thanks. > > Neil Are you sure it is not spamassassin itself which is using these rules? If you are finding that these rules are matching a lot of your normal email then you can reduce the score associated with the rule or even set it to a score of 0 to disable them. From neilw at dcdata.co.za Tue Apr 24 12:41:54 2007 
From: neilw at dcdata.co.za (Neil Wilson) Date: Tue Apr 24 12:41:54 2007 Subject: Disabling Spam lists not working. In-Reply-To: <1177414505.29789.13.camel@gblades-suse.linguaphone-intranet.co.uk> References: <462DE894.60004@dcdata.co.za> <1177414505.29789.13.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <462DED02.5080106@dcdata.co.za> Gareth wrote: > Are you sure it is not spamassassin itself which is using these rules. > If you are finding that these rules are matchine a lot of your normal > email then you can reduce the score associated with the rule or even set > it to a score of 0 to disable them. Correct you are, my bad for not reading what's written in front of me :) SpamAssassin Spam: Y Listed in RBL: N Thanks for the help Gareth, much appreciated. Neil -- This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From wilson.galafassi at gmail.com Tue Apr 24 12:44:57 2007 
From: wilson.galafassi at gmail.com (Wilson A. Galafassi Jr.) Date: Tue Apr 24 12:48:27 2007 Subject: RES: duplicated SQL logging In-Reply-To: <1177401731.29785.3.camel@gblades-suse.linguaphone-intranet.co.uk> References: <001e01c7862e$2278ace0$676a06a0$@com.br> <1177401731.29785.3.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <002c01c78665$fd313d70$f793b850$@com.br> Thanks for you help. Really i have 2 time the: &MailWatchLogging I have: Always Looked Up Last = &MailWatchLogging and Always Include SpamAssassin Report = &MailWatchLogging On the second i have changed to: Yes and now is logging one time. Thanks for all support. Wilson -----Mensagem original----- De: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Em nome de Gareth Enviada em: ter?a-feira, 24 de abril de 2007 05:02 Para: MailScanner discussion Assunto: Re: duplicated SQL logging On Tue, 2007-04-24 at 06:05, Wilson A. Galafassi Jr. wrote: > Hello. > My messages are logged to SQL duplicate: see the log above: > > Apr 24 02:04:02 netserver postfix/pickup[13168]: 9F7FD16FCAF: uid=0 > from= > Apr 24 02:04:02 netserver postfix/cleanup[13190]: 9F7FD16FCAF: hold: header > Received: by netserver.ftpman (Postfix, from userid 0)??id 9F7FD16FCAF; Tue, > 24 Apr 2007 02:04:02 -0300 (BRT) from local; from= > to= > Apr 24 02:04:02 netserver postfix/cleanup[13190]: 9F7FD16FCAF: > message-id=<20070424050402.9F7FD16FCAF@netserver.ftpmanagerbr> > Apr 24 02:04:07 netserver MailScanner[13183]: New Batch: Scanning 1 > messages, 540 bytes > Apr 24 02:04:07 netserver MailScanner[13183]: Logging message > 9F7FD16FCAF.25F36 to SQL > Apr 24 02:04:07 netserver MailScanner[13183]: Virus and Content Scanning: > Starting > Apr 24 02:04:07 netserver MailScanner[13183]: Logging message > 9F7FD16FCAF.25F36 to SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13179]: 9F7FD16FCAF.25F36: Logged 
to > MailWatch SQL > Apr 24 02:04:07 netserver MailScanner[13183]: Requeue: 9F7FD16FCAF.25F36 to > 5592316FCAE > Apr 24 02:04:07 netserver postfix/qmgr[13169]: 5592316FCAE: > from=, size=711, nrcpt=1 (queue active) > Apr 24 02:04:07 netserver MailScanner[13183]: Uninfected: Delivered 1 > messages > What do you get if you run this command :- [root@mailscanner ~]# cat /etc/MailScanner/MailScanner.conf | grep MailWatch Always Looked Up Last = &MailWatchLogging My guess is that you are somehow calling it twice. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From wilson.galafassi at gmail.com Tue Apr 24 13:04:23 2007 From: wilson.galafassi at gmail.com (Wilson A. Galafassi Jr.) Date: Tue Apr 24 13:07:52 2007 Subject: using mailscanner/mailwatch ony for reports and logging Message-ID: <003e01c78668$b48f27f0$1dad77d0$@com.br> Hello to all. I have this situation in one of my servers: The domain is always scanned by mailscanner at an "external" Server And we have a internal mail Server with relay in the external. The messages are downloaded by fetchmail every 3 minutes. My question is: it?s possible to use mailscanner only to log the messages send and received to generate reports only? How i have to configure it? Thanks Wilson From wilson.galafassi at gmail.com Tue Apr 24 13:06:27 2007 
From: wilson.galafassi at gmail.com (Wilson A. Galafassi Jr.) Date: Tue Apr 24 13:09:57 2007 Subject: using mailscanner/mailwatch ony for reports and logging Message-ID: <003f01c78668$fe84b820$fb8e2860$@com.br> Hello to all. I have this situation in one of my servers: The domain is always scanned by mailscanner at an "external" Server And we have a internal mail Server with relay in the external. The messages are downloaded by fetchmail every 3 minutes. My question is: it?s possible to use mailscanner only to log the messages send and received to generate reports only? How i have to configure it? Thanks Wilson From alex at skynet-srl.com Tue Apr 24 13:44:36 2007 From: alex at skynet-srl.com (Alex) Date: Tue Apr 24 13:44:38 2007 Subject: Ignoring last Received From In-Reply-To: <200704241100.l3OB026J026609@safir.blacknight.ie> References: <200704241100.l3OB026J026609@safir.blacknight.ie> Message-ID: <462DFBB4.1060801@skynet-srl.com> > Hi guys > > I'm playing with a damned configuration I cant' figure how to have i t > working. > > THE PROBLEM > ============= > All the mail that comes on some servere passes on STMP servers that > are behind a firewall. > > Those servers are placed in a DMZ and use Postfix with load balancing. > > Those SMTP servers decide where to send their mail on different mail > servers using sendmail AND Mailscanner. > > > INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to > SMTP using MS -->Mailscanner > > If I set up a wihitelist like the following 
> > From: 1.2.3.4 and To: address@domain yes > > it will never match since the headers of the received mail on the > Mailscanner servers look like > > Received from: 10.0.0.55 <----- this is the internal IP of the last > passed through SMTP server > Received from : 1.2.3.4 <---- this is the public INTERNET server who > sent the mail and I can't match to... > > THE SOLUTIONS I TRIED (with no success) > ===================== > a) used the Remove Header in MS configuration, but this seems to only > match complete headers. > > I cannot remove > Received from : 10.0.0. > > but I can remove all the Received from headers (useless for my problem) > > b) It seems I can't find a m4 macro to tell sendmail not to add the > Received from header (it's so easy in Postfix) > > I don't think I'm the only one with this problem. > > How did you guys solve this? > > First of all thanks to all the guys who answered this (I discovered not so) simple question, Someone suggested to change the network architecture. This is not a choice, since not all the domains we manage have to pass through MS, so only specific ones are routed to the servers running MS. Furthermore it is not a spam detection problem, so writing a specific SA rules won't help since the spam detection works fine. The problem only arises when I try to write a MS rule where the from IP address is involved, since MS seems to only consider the very last (indeed top-first) Received from header. 
From: 1.2.3.4 and From *@mydomain.com yes <--- never matches The Header says the last server the message passed through is our DMZ server (10.0.0.55) so it never matches the above From rule. I think this damned thing may be managed in two ways: - Instructing sendmail on the private servers to not add the Received from header, but I don't know how to do that. In Postfix this is very easy: write a header_check rule that simply ignores the matching header so it doesn't get added to the final message and BANG it works! - Instructing MS to match the second Received from: header instead of the first one (?????) I see someone else is having the same problem (may I say Welcome??) I have searched the internet for the IP hiding problem in Sendmail (usually used to hide internal private IPs and names from the external) but I came to a lot of info (milter, voodoo and so on) but no specific ideas. Using procmail with formail may be a way, but it looks very complicated since the recipe's formail action should do a complete rewrite of the received from header, and to accomplish that I suspect it needs an external PERL/BASH/other scripting language that may lead to system vulnerabilities or instability. Any ideas out there?? Thank you From glenn.steen at gmail.com Tue Apr 24 14:10:25 2007 
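Alex's second option, matching the hop behind the DMZ relay rather than the relay itself, comes down to walking the Received chain from the top and stepping only past relays you operate. The following is an added illustration of that logic, not MailScanner, sendmail or Postfix code; 10.0.0.55 and 1.2.3.4 are the addresses from the post, while the host names, queue IDs, the trusted range and the third (sender-supplied) header are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message: newest Received header first, as a mail server stores it.
SAMPLE_MESSAGE = (
    "Received: from dmz-relay.example.internal (dmz-relay.example.internal [10.0.0.55])\n"
    "\tby ms1.example.internal with ESMTP id CONSTRUCTED01;\n"
    "\tTue, 24 Apr 2007 13:00:02 +0200\n"
    "Received: from mail.sender.example (mail.sender.example [1.2.3.4])\n"
    "\tby dmz-relay.example.internal (Postfix) with ESMTP id CONSTRUCTED02;\n"
    "\tTue, 24 Apr 2007 13:00:01 +0200\n"
    # Written by the sending side, so it may claim anything, even an internal IP.
    "Received: from inside.example (inside.example [10.0.0.7])\n"
    "\tby mail.sender.example with SMTP id CONSTRUCTED03;\n"
    "\tTue, 24 Apr 2007 12:59:58 +0200\n"
    "From: someone@sender.example\n"
    "To: address@domain.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def client_ip(received_value):
    """Return the connecting client's IP recorded in one Received header, or None."""
    text = " ".join(received_value.split())  # undo header folding
    from_clause = re.split(r"\sby\s", text, maxsplit=1)[0]
    match = BRACKETED_IP.search(from_clause)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def first_untrusted_client(raw_message, trusted_networks):
    """Walk Received headers top-down and return the first client IP that is
    not one of our own relays. A header is only believed while every header
    above it was written by a host in trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for value in message_from_string(raw_message).get_all("Received", []):
        ip = client_ip(value)
        if ip is None:
            return None  # unparseable or local submission: stop, do not guess
        if not any(ip in net for net in nets):
            return str(ip)
    return None  # every hop was internal


if __name__ == "__main__":
    print("no trusted relays:  ", first_untrusted_client(SAMPLE_MESSAGE, []))
    print("DMZ relay trusted:  ", first_untrusted_client(SAMPLE_MESSAGE, ["10.0.0.55/32"]))
    print("10.0.0.0/24 trusted:", first_untrusted_client(SAMPLE_MESSAGE, ["10.0.0.0/24"]))
```

Headers below the first untrusted hop were supplied by the sending side, which is why the walk stops at 1.2.3.4 even though a lower header claims an address inside 10.0.0.0/24.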
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 24 14:10:28 2007 Subject: Ignoring last Received From In-Reply-To: <462DFBB4.1060801@skynet-srl.com> References: <200704241100.l3OB026J026609@safir.blacknight.ie> <462DFBB4.1060801@skynet-srl.com> Message-ID: <223f97700704240610l399b9cf6t8e42ea821acf58f6@mail.gmail.com> On 24/04/07, Alex wrote: > > Hi guys > > > > I'm playing with a damned configuration I cant' figure how to have i t > > working. > > > > THE PROBLEM > > ============= > > All the mail that comes on some servere passes on STMP servers that > > are behind a firewall. > > > > Those servers are placed in a DMZ and use Postfix with load balancing. > > > > Those SMTP servers decide where to send their mail on different mail > > servers using sendmail AND Mailscanner. > > > > > > INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to > > SMTP using MS -->Mailscanner > > > > If I set up a wihitelist like the following 
> > > > From: 1.2.3.4 and To: address@domain yes > > > > it will never match since the headers of the received mail on the > > Mailscanner servers look like > > > > Received from: 10.0.0.55 <----- this is the internal IP of the last > > passed through SMTP server > > Received from : 1.2.3.4 <---- this is the public INTERNET server who > > sent the mail and I can't match to... > > > > THE SOLUTIONS I TRIED (with no success) > > ===================== > > a) used the Remove Header in MS configuration, but this seems to only > > match complete headers. > > > > I cannot remove > > Received from : 10.0.0. > > > > but I can remove all the Received from headers (useless for my problem) > > > > b) It seems I can't find a m4 macro to tell sendmail not to add the > > Received from header (it's so easy in Postfix) > > > > I don't think I'm the only one with this problem. > > > > How did you guys solve this? > > > > > First of all thanks to all the guys who answered this (I discovered not > so) simple question, > > Someone suggested to change the network architecture. > > This is not a choice, since not all the domains we manage have to pass > through MS, so only specific ones are routed to the servers running MS. Someone would be me then:-). Of course you can change the topology. You can let MailScanner avoid all non-managed domains. Or you could manage them via a separate set of MX:s (instead of having all going through the same set of servers)... The possibilities are well-nigh endless:-D. Would likely simplify your topology a whole lot, removing a (then not needed) layer of indirection;-). > Furthermore it is not a spam detection problem, so writing a specific SA > rules won't help since the spam detection works fine. > > The problem only arises when I write a MS rule where the from IP > address is involved, since MS seems to only consider the very last > (indeed top-first) Received from header.
> > From: 1.2.3.4 and From *@mydomain.com yes <--- never matches > > The Header says the last server the message passed through is our DMZ > server (10.0.0.55) so it never matches the above From rule. You might actually have more problems than that (in SA, no less), but let's not go there:-). > > I think this damned thing may be managed in two ways: > > - Instructing sendmail on the private servers to not add the Received > from header but don't know how to do that. In Postfix this is very easy: > write a header_check rule that simply ignores the matching header so it > doesn't get added to the final message and BANG it works! This breaks one of the few MUST statements in the RFC. Not really a good thing, even though you can do it with PF. > - Instructing MS to match the second Received from: header instead of > the first one (?????) There is no provision for this in MS. > I see someone else is having the same problem (may I say Welcome??) > > I have searched the internet for the IP hiding problem in Sendmail > (usually used to hide internal private IP's and names from the external) > but I came across a lot of info (milter, voodoo and so on) but no specific > ideas. > > Using procmail with formail may be a way, but it looks very complicated > since the recipe's formail action should do a complete rewrite of the > received from header, and to accomplish that I suspect it needs an > external PERL/BASH/other scripting language that may lead to system > vulnerabilities or instability. > > Any ideas out there?? > As said, I think you are going at this a bit backward, trying to defeat the standard instead of working with it. Sure, you might find a solution eventually... Like, for example, not using Sendmail with the "backend MS servers"... As you say, breaking the RFC in this particular way is rather easy in Postfix... And Postfix works nicely with MailScanner....;-).
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From support-lists at petdoctors.co.uk Tue Apr 24 14:33:08 2007 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Tue Apr 24 14:35:22 2007 Subject: 'Could not analyze message' Message-ID: <01dd01c78675$18703190$3c65a8c0@support01> Yesterday and today we have had four very short, legitimate, plain text emails (not at the same time) from the same sender that were quarantined as 'Could not analyze message'. I have had a look at them and cannot see any formatting errors or suspect content so I just wondered what might have triggered such an event. Is there anything I should perhaps check? Thanks Nigel Kendrick From uxbod at splatnix.net Tue Apr 24 14:39:06 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Apr 24 14:39:26 2007 Subject: 'Could not analyze message' In-Reply-To: <01dd01c78675$18703190$3c65a8c0@support01> References: <01dd01c78675$18703190$3c65a8c0@support01> Message-ID: I have had that before and after look at the code it seemed to point to invalid MIME format. On Tue, 24 Apr 2007 14:33:08 +0100, "Nigel Kendrick" wrote: > > Yesterday and today we have had four very short, legitimate, plain text > emails (not at the same time) from the same sender that were quarantined > as > 'Could not analyze message'. I have had a look at them and cannot see any > formatting errors or suspect content so I just wondered what might have > triggered such an event. > > Is there anything I should perhaps check? > > Thanks > > Nigel Kendrick > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is > believed to be clean. -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.swaney at fsl.com Tue Apr 24 14:45:14 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Apr 24 14:45:44 2007 Subject: 'Could not analyze message' In-Reply-To: <01dd01c78675$18703190$3c65a8c0@support01> References: <01dd01c78675$18703190$3c65a8c0@support01> Message-ID: <053601c78676$c93e1360$5bba3a20$@swaney@fsl.com> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Nigel Kendrick > Sent: Tuesday, April 24, 2007 9:33 AM > To: 'MailScanner discussion' > Subject: 'Could not analyze message' > > > Yesterday and today we have had four very short, legitimate, plain text > emails (not at the same time) from the same sender that were > quarantined as > 'Could not analyze message'. I have had a look at them and cannot see > any > formatting errors or suspect content so I just wondered what might have > triggered such an event. > > Is there anything I should perhaps check? > > Thanks > > Nigel Kendrick > In mailscanner.conf, is TNEF Expander set to internal? TNEF Expander = internal Best regards, Steve Steve Swaney steve@fsl.com From edwardbruce at sbcglobal.net Tue Apr 24 14:46:05 2007 
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Tue Apr 24 14:46:11 2007 Subject: Deleting detected spam for some addresses only In-Reply-To: <223f97700704240226oad3feddwc0ec03d066486d2a@mail.gmail.com> References: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700704240226oad3feddwc0ec03d066486d2a@mail.gmail.com> Message-ID: <462E0A1D.4010108@sbcglobal.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 24/04/07, Gareth wrote: >> What I would like to do is have high scoring spam automatically deleted >> for some addresses but still delivered for the remaining users. >> >> Currently mailscanner configuration contains :- >> >> High Scoring Spam Actions = deliver attachment header "X-Spam-Flag: YES" >> >> If I change this to :- >> High Scoring Spam Actions = %rules-dir%/high.scoring.spam.rules >> and then create the high.scoring.spam.rules file containing :- >> >> To: an.address@domain.com delete >> To: another.address@domain.com delete >> FromOrTo: default deliver attachment header >> "X-Spam-Flag: YES" >> >> Would that work? >> Is there any problems associates with having a quotes string on the >> right hand side for example? >> > Yes, it should. > You can always do the edits and test them prior to going live... Just > do the edits, then run > MailScanner --lint > and then some permutations of > > MailScanner --value=highscoringspamactions --from=glenn.steen@ap1.se > --to=some@add.res --ip=127.0.0.1 > Looked up internal option name "highscorespamactions" > With sender = glenn.steen@ap1.se > recipient = some@add.res > Client IP = 127.0.0.1 > Virus = > Result is "store delete" > .... you get the picture:-). > When you've got it right, just reload/restart MailScanner... > > Cheers Interesting. What values are valid with "--value" ??? 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Cygwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGLgocpdNaP9x3McgRAltzAJ0XOO2cMt3IoCpvq8QAqvnTBVfA7wCeL0ot gnlpqZoh/anMUtlsD9ravJw= =uSdi -----END PGP SIGNATURE----- From glenn.steen at gmail.com Tue Apr 24 15:06:17 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 24 15:06:47 2007 Subject: Deleting detected spam for some addresses only In-Reply-To: <462E0A1D.4010108@sbcglobal.net> References: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700704240226oad3feddwc0ec03d066486d2a@mail.gmail.com> <462E0A1D.4010108@sbcglobal.net> Message-ID: <223f97700704240706m394fd0edwc88c548ee8218ef2@mail.gmail.com> On 24/04/07, Ed Bruce wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote: (snip) > > MailScanner --value=highscoringspamactions --from=glenn.steen@ap1.se > > --to=some@add.res --ip=127.0.0.1 > > Looked up internal option name "highscorespamactions" > > With sender = glenn.steen@ap1.se > > recipient = some@add.res > > Client IP = 127.0.0.1 > > Virus = > > Result is "store delete" > > .... you get the picture:-). > > When you've got it right, just reload/restart MailScanner... > > > > Cheers > > Interesting. What values are valid with "--value" ??? Everything in the MailScanner.conf file that is a valid lval, basically. That is: Any option in that file... just lowercase (optional, I think) and runtogether (no whitespace) and you're set. You can also use the internal shorthand from ConfigDefs.pl ... Use "MailScanner --help" to get some more ideas (supply a virus name or somesuch and see what happens ...). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se
From support-lists at petdoctors.co.uk Tue Apr 24 15:10:05 2007 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Tue Apr 24 15:17:38 2007 Subject: 'Could not analyze message' In-Reply-To: <053601c78676$c93e1360$5bba3a20$@swaney@fsl.com> Message-ID: <01f801c7867a$41cc7940$3c65a8c0@support01> -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Stephen Swaney Sent: Tuesday, April 24, 2007 2:45 PM To: 'MailScanner discussion' Subject: RE: 'Could not analyze message' > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Nigel Kendrick > Sent: Tuesday, April 24, 2007 9:33 AM > To: 'MailScanner discussion' > Subject: 'Could not analyze message' > > > Yesterday and today we have had four very short, legitimate, plain text > emails (not at the same time) from the same sender that were > quarantined as > 'Could not analyze message'. I have had a look at them and cannot see > any > formatting errors or suspect content so I just wondered what might have > triggered such an event. > > Is there anything I should perhaps check? > > Thanks > > Nigel Kendrick > In mailscanner.conf, is TNEF Expander set to internal? TNEF Expander = internal Best regards, Steve Steve Swaney steve@fsl.com It is Is there anyone MIME-savvy that could take a look at a few sample messages or anything I can put them through to see what's up. I believe the messages are auto generated so it's possible the problem is caused by a 'tweak' in the supplier's app. Thanks From ka at pacific.net Tue Apr 24 16:29:59 2007 
From: ka at pacific.net (Ken A) Date: Tue Apr 24 16:29:57 2007 Subject: Ignoring last Received From In-Reply-To: <462DFBB4.1060801@skynet-srl.com> References: <200704241100.l3OB026J026609@safir.blacknight.ie> <462DFBB4.1060801@skynet-srl.com> Message-ID: <462E2277.5050709@pacific.net> Alex wrote: >> Hi guys >> >> I'm playing with a damned configuration I can't figure how to have it >> working. >> >> THE PROBLEM >> ============= >> All the mail that comes on some servers passes on SMTP servers that >> are behind a firewall. >> >> Those servers are placed in a DMZ and use Postfix with load balancing. >> >> Those SMTP servers decide where to send their mail on different mail >> servers using sendmail AND Mailscanner. >> >> >> INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to >> SMTP using MS -->Mailscanner >> >> If I set up a whitelist like the following
>> >> From: 1.2.3.4 and To: address@domain yes >> >> it will never match since the headers of the received mail on the >> Mailscanner servers look like >> >> Received from: 10.0.0.55 <----- this is the internal IP of the last >> passed through SMTP server >> Received from : 1.2.3.4 <---- this is the public INTERNET server who >> sent the mail and I can't match to... >> >> THE SOLUTIONS I TRIED (with no success) >> ===================== >> a) used the Remove Header in MS configuration, but this seems to only >> match complete headers. >> >> I cannot remove >> Received from : 10.0.0. >> >> but I can remove all the Received from headers (useless for my problem) >> >> b) It seems I can't find a m4 macro to tell sendmail not to add the >> Received from header (it's so easy in Postfix) >> >> I don't think I'm the only one with this problem. >> >> How did you guys solve this? >> >> > First of all thanks to all the guys who answered this (I discovered not > so) simple question, > > Someone suggested to change the network architecture. > > This is not a choice, since not all the domains we manage have to pass > through MS, so only specific ones are routed to the servers running MS. > > Furthermore it is not a spam detection problem, so writing a specific SA > rules won't help since the spam detection works fine. > > The problem only arises when I write a MS rule where the from IP > address is involved, since MS seems to only consider the very last > (indeed top-first) Received from header.
> > From: 1.2.3.4 and From *@mydomain.com yes <--- never matches > > The Header says the last server the message passed through is our DMZ > server (10.0.0.55) so it never matches the above From rule. > > I think this damned thing may be managed in two ways: > > - Instructing sendmail on the private servers to not add the Received > from header but don't know how to do that. In Postfix this is very easy: > write a header_check rule that simply ignores the matching header so it > doesn't get added to the final message and BANG it works! > > - Instructing MS to match the second Received from: header instead of > the first one (?????) You can look at all headers in a Custom Function. Very simple with MailScanner. IIRC, Julian said something about being able to call custom functions from within rulesets too, which I have not played with but sounded intriguing! See my basic example custom function posted here a few weeks ago. Ken Anderson Pacific.Net > I see someone else is having the same problem (may I say Welcome??) > > I have searched the internet for the IP hiding problem in Sendmail > (usually used to hide internal private IP's and names from the external) > but I came across a lot of info (milter, voodoo and so on) but no specific > ideas. > > Using procmail with formail may be a way, but it looks very complicated > since the recipe's formail action should do a complete rewrite of the > received from header, and to accomplish that I suspect it needs an > external PERL/BASH/other scripting language that may lead to system > vulnerabilities or instability. > > Any ideas out there?? > > Thank you -- Ken Anderson Pacific.Net From MailScanner at ecs.soton.ac.uk Tue Apr 24 16:52:13 2007
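[Added example, not part of any post in this thread and not MailScanner code.] The "Ignoring last Received From" thread above comes down to finding the address that the outermost relay you operate recorded, without believing Received lines the sender could have written. A stand-alone Python sketch of that walk follows; the trusted ranges, the "from helo (rdns [ip])" header layout, the function names and both sample messages are assumptions made for the illustration.

```python
import email
import ipaddress
import re

# Assumption: the relays you operate (the DMZ host 10.0.0.55 in the thread).
TRUSTED_RELAYS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Assumed layout "from <helo> (<rdns> [<ip>])". The bracketed address inside
# the comment is written by the receiving MTA; the HELO name in front of it
# is chosen by the connecting client and is never used here.
CLIENT_IP = re.compile(
    r"\s*from\s+\S+\s+\([^()\[\]]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]"
)


def client_ip(received_value):
    """Return the connecting address recorded in one Received value, or None."""
    match = CLIENT_IP.match(received_value)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def first_untrusted_client(raw_message, trusted=TRUSTED_RELAYS):
    """Walk the Received headers top-down and return the first client address
    that is not one of our own relays, or None if there is none.

    A header is believed only because the relay that wrote it was identified
    by the header above it. Everything below the returned hop was supplied by
    the sending side and is ignored."""
    message = email.message_from_string(raw_message)
    for value in message.get_all("Received", []):
        address = client_ip(value)
        if address is None:
            return None  # unparseable hop: stop rather than trust what follows
        if not any(address in network for network in trusted):
            return address
    return None  # every hop was internal (locally generated mail)


def sender_ip_matches(raw_message, wanted_ip):
    """True when the first untrusted hop is exactly wanted_ip."""
    found = first_untrusted_client(raw_message)
    return found is not None and found == ipaddress.ip_address(wanted_ip)


# Constructed sample: scanner host <- DMZ relay (10.0.0.55) <- 1.2.3.4.
# The third Received line stands for one the sending side added itself.
SAMPLE = (
    "Received: from dmz.example (dmz.example [10.0.0.55])\n"
    "\tby ms.example with ESMTP id A1; Tue, 24 Apr 2007 14:00:02 +0200\n"
    "Received: from mail.sender.example (mail.sender.example [1.2.3.4])\n"
    "\tby dmz.example (Postfix) with ESMTP id B2; Tue, 24 Apr 2007 14:00:01 +0200\n"
    "Received: from inside (inside [10.0.0.7])\n"
    "\tby mail.sender.example; Tue, 24 Apr 2007 13:59:00 +0200\n"
    "From: someone@mydomain.com\n"
    "To: address@domain\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample: the client announces an internal address as its HELO.
FORGED_HELO = (
    "Received: from dmz.example (dmz.example [10.0.0.55])\n"
    "\tby ms.example with ESMTP id C3; Tue, 24 Apr 2007 14:05:02 +0200\n"
    "Received: from [10.0.0.55] (unknown [203.0.113.9])\n"
    "\tby dmz.example (Postfix) with ESMTP id D4; Tue, 24 Apr 2007 14:05:01 +0200\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(first_untrusted_client(SAMPLE))
    print(first_untrusted_client(FORGED_HELO))
```

Matching a wanted address against every Received line instead of stopping at the first untrusted hop would let the sender-supplied 10.0.0.7 line in the first sample satisfy a rule written for internal hosts.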
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 24 16:54:28 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> Message-ID: <462E27AD.7080703@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kapetanakis Giannis wrote: > On Mon, 23 Apr 2007, Martin wrote: > >> Arto wrote: >> >> > We had this too. Uninstalling clamav* and installing it again helped. >>> >>> -arto >>> >> >> Thanks for all replies. Read about this issue on the clamav-list and >> hopefully it will be fixed in the next version. > > I have similar problems with clamav myself. > > What I did that improved a little bit > was deleting the virus database in /var/lib/clamav/* > and running freshclam again. > > Still is very slow. If you try clamscan -debug you will > find out why it is so damn slow.... > > Clamd works fast on the other hand. > Maybe it should be included officialy (clamdscan) > in MailScanner's the next version. Why? I already support the "clamavmodule" which is faster than clamd anyway. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: ISO-8859-1 wj8DBQFGLigeEfZZRxQVtlQRAkLtAKD24+oHcoxA1++rrI7e10Du3a9gogCfVcey QudvPJcREtIH2WezpSQJkFI= =PwuT -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ssilva at sgvwater.com Tue Apr 24 17:08:36 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 24 17:09:03 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <462E27AD.7080703@ecs.soton.ac.uk> References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 4/24/2007 8:52 AM: > > > Kapetanakis Giannis wrote: >> On Mon, 23 Apr 2007, Martin wrote: > >>> Arto wrote: >>> >>>> We had this too. Uninstalling clamav* and installing it again helped. >>>> >>>> -arto >>>> >>> Thanks for all replies. Read about this issue on the clamav-list and >>> hopefully it will be fixed in the next version. >> I have similar problems with clamav myself. > >> What I did that improved a little bit >> was deleting the virus database in /var/lib/clamav/* >> and running freshclam again. > >> Still is very slow. If you try clamscan -debug you will >> find out why it is so damn slow.... > >> Clamd works fast on the other hand. >> Maybe it should be included officialy (clamdscan) >> in MailScanner's the next version. > Why? I already support the "clamavmodule" which is faster than clamd anyway. > > Jules > Are there any tips on commandline diagnostics for the clamavmodule? I have a system that has been choking with the module for 2 weeks, and the mailscanner.conf fix isn't working with it. I am running clamav now, but the load is much higher. I am going to try the tip of clearing the definitions and re-running freshclam to see if that helps. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From edwardbruce at sbcglobal.net Tue Apr 24 17:22:01 2007 
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Tue Apr 24 17:22:07 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <462E27AD.7080703@ecs.soton.ac.uk> References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk> Message-ID: <462E2EA9.9090305@sbcglobal.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > > > Kapetanakis Giannis wrote: >> On Mon, 23 Apr 2007, Martin wrote: > >>> Arto wrote: >>> >>>> We had this too. Uninstalling clamav* and installing it again helped. >>>> >>>> -arto >>>> >>> Thanks for all replies. Read about this issue on the clamav-list and >>> hopefully it will be fixed in the next version. >> I have similar problems with clamav myself. > >> What I did that improved a little bit >> was deleting the virus database in /var/lib/clamav/* >> and running freshclam again. > >> Still is very slow. If you try clamscan -debug you will >> find out why it is so damn slow.... > >> Clamd works fast on the other hand. >> Maybe it should be included officialy (clamdscan) >> in MailScanner's the next version. > Why? I already support the "clamavmodule" which is faster than clamd anyway. > > Jules > And I haven't noticed any performance degradation with clamavmodule since upgrading to 0.90.2. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Cygwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGLi6ppdNaP9x3McgRAgJvAJ94r/PBKB+GzCkH3yaQTwAXPYi2FgCghN7y ZvuZ77JK93k/71xB4gKxCOM= =jGLv -----END PGP SIGNATURE----- From paul.hutchings at mira.co.uk Tue Apr 24 17:27:21 2007 
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Apr 24 17:28:03 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk> Message-ID: Newbie talking so feel free to shoot me down in flames :-) My understanding (from clamscan --debug) is that each time you run clamscan it appears it has to read the virus patterns, unpack them (to /tmp), scan the files, remove the files. This is the "probably talking out my bum" bit, but that sounds less efficient than clamd where (I assume) the daemon loads the definitions once and each child process doesn't have to do this? Cheers, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: 24 April 2007 17:09 To: mailscanner@lists.mailscanner.info Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow Julian Field spake the following on 4/24/2007 8:52 AM: > > > Kapetanakis Giannis wrote: >> On Mon, 23 Apr 2007, Martin wrote: > >>> Arto wrote: >>> >>>> We had this too. Uninstalling clamav* and installing it again helped. >>>> >>>> -arto >>>> >>> Thanks for all replies. Read about this issue on the clamav-list and >>> hopefully it will be fixed in the next version. >> I have similar problems with clamav myself. > >> What I did that improved a little bit >> was deleting the virus database in /var/lib/clamav/* >> and running freshclam again. > >> Still is very slow. If you try clamscan -debug you will >> find out why it is so damn slow.... > >> Clamd works fast on the other hand. >> Maybe it should be included officialy (clamdscan) >> in MailScanner's the next version. > Why? I already support the "clamavmodule" which is faster than clamd anyway. > > Jules > Are there any tips on commandline diagnostics for the clamavmodule? I have a system that has been choking with the module for 2 weeks, and the mailscanner.conf fix isn't working with it. I am running clamav now, but the load is much higher. I am going to try the tip of clearing the definitions and re-running freshclam to see if that helps. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From vosburgh at dalsemi.com Tue Apr 24 18:51:35 2007 From: vosburgh at dalsemi.com (David Vosburgh) Date: Tue Apr 24 18:52:10 2007 Subject: {Spam?} Re: blacklists and archiving In-Reply-To: <20070423185542.GA10213@doctor.nl2k.ab.ca> References: <461BB31E.7060500@dalsemi.com> <462CEDE5.3020007@dalsemi.com> <20070423185542.GA10213@doctor.nl2k.ab.ca> Message-ID: <462E43A7.7070804@dalsemi.com> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > This came up in my Spamcheck headers vosburgh@dalsemi.com > > spam, > SpamAssassin (not cached, score=5, required 5, > RCVD_IN_WHOIS_BOGONS 5.00) > > Hoe this helps. > Thanks for the heads-up. Never heard of that RBL, but they have my attention now :-). Dave From campbell at cnpapers.com Tue Apr 24 20:06:15 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Apr 24 20:06:37 2007 Subject: Deleting detected spam for some addresses only References: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk><223f97700704240226oad3feddwc0ec03d066486d2a@mail.gmail.com><462E0A1D.4010108@sbcglobal.net> <223f97700704240706m394fd0edwc88c548ee8218ef2@mail.gmail.com> Message-ID: <001e01c786a3$a1cbaea0$0705000a@ddf5dw71> ----- Original Message -----
From: "Glenn Steen" To: "MailScanner discussion" Sent: Tuesday, April 24, 2007 10:06 AM Subject: Re: Deleting detected spam for some addresses only > On 24/04/07, Ed Bruce wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Glenn Steen wrote: > (snip) >> > MailScanner --value=highscoringspamactions --from=glenn.steen@ap1.se >> > --to=some@add.res --ip=127.0.0.1 >> > Looked up internal option name "highscorespamactions" >> > With sender = glenn.steen@ap1.se >> > recipient = some@add.res >> > Client IP = 127.0.0.1 >> > Virus = >> > Result is "store delete" >> > .... you get the picture:-). >> > When you've got it right, just reload/restart MailScanner... >> > >> > Cheers >> >> Interesting. What values are valid with "--value" ??? > > Everything in the MailScanner.conf file that is a valid lval, > basically. That is: Any option in that file... just lowercase > (optional, I think) and runtogether (no whitespace) and you're set. > You can also use the internal shorthand from ConfigDefs.pl ... Use > "MailScanner --help" to get some more ideas (supply a virus name or > somesuch and see what happens ...). > > Cheers > -- > -- Glenn Glenn, Can you explain this a little more? All I seem to get is "store delete" for any options. I have an IP in my spam.whitelist.rules.conf and used it as --ip=xxx.xxx.xxx.xxx along with the --value=highscoringspamactions thinking I should have received something other than store, delete. Call me confused. Thanks. Steve From hvdkooij at vanderkooij.org Tue Apr 24 20:32:20 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Apr 24 20:32:53 2007 Subject: {Spam?} Re: blacklists and archiving In-Reply-To: <462E43A7.7070804@dalsemi.com> References: <461BB31E.7060500@dalsemi.com> <462CEDE5.3020007@dalsemi.com> <20070423185542.GA10213@doctor.nl2k.ab.ca> <462E43A7.7070804@dalsemi.com> Message-ID: On Tue, 24 Apr 2007, David Vosburgh wrote: > Dave Shariff Yadallee - System Administrator a.k.a. The Root of the > Problem wrote: >> This came up in my Spamcheck headers vosburgh@dalsemi.com >> >> spam, >> SpamAssassin (not cached, score=5, required 5, >> RCVD_IN_WHOIS_BOGONS 5.00) >> >> Hoe this helps. >> > Thanks for the heads-up. Never heard of that RBL, but they have my attention > now :-). But they are overrated in this case. What does anyone care how I number my network inside? So why attach 5 points just because someone happens to use an internal network number on his internal network? I also do documentation and 192.0.2 does not overlap with any other network so far so my VPN's are clean as well. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From ssilva at sgvwater.com Tue Apr 24 20:50:57 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 24 20:51:22 2007 Subject: blacklists and archiving In-Reply-To: References: <461BB31E.7060500@dalsemi.com> <462CEDE5.3020007@dalsemi.com> <20070423185542.GA10213@doctor.nl2k.ab.ca> <462E43A7.7070804@dalsemi.com> Message-ID: Hugo van der Kooij spake the following on 4/24/2007 12:32 PM: > On Tue, 24 Apr 2007, David Vosburgh wrote: > >> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the >> Problem wrote: >>> This came up in my Spamcheck headers vosburgh@dalsemi.com >>> >>> spam, >>> SpamAssassin (not cached, score=5, required 5, >>> RCVD_IN_WHOIS_BOGONS 5.00) >>> >>> Hoe this helps. >>> >> Thanks for the heads-up. Never heard of that RBL, but they have my >> attention now :-). > > But they are overrated in this case. What does anyone care how I number > my network inside? So why attach 5 points just because someone happens > to use an internal network number on his internal network? > > I also do documentation and 192.0.2 does not overlap with any other > network so far so my VPN's are clean as well. > > Hugo. > That rule shouldn't be firing unless a bogon address is the last relay. It is perfectly valid to have a bogon address for your internal network, in fact it is probably encouraged. I see some traffic on this mis-firing since spamassassin 3.1.3 came out on the spamassassin list, and I think there is an oldish bug report on it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ka at pacific.net Tue Apr 24 21:47:22 2007 
From: ka at pacific.net (Ken Anderson) Date: Tue Apr 24 21:47:29 2007 Subject: blacklists and archiving In-Reply-To: References: <461BB31E.7060500@dalsemi.com> <462CEDE5.3020007@dalsemi.com> <20070423185542.GA10213@doctor.nl2k.ab.ca> <462E43A7.7070804@dalsemi.com> Message-ID: <462E6CDA.5030705@pacific.net> Scott Silva wrote: > Hugo van der Kooij spake the following on 4/24/2007 12:32 PM: >> On Tue, 24 Apr 2007, David Vosburgh wrote: >> >>> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the >>> Problem wrote: >>>> This came up in my Spamcheck headers vosburgh@dalsemi.com >>>> >>>> spam, >>>> SpamAssassin (not cached, score=5, required 5, >>>> RCVD_IN_WHOIS_BOGONS 5.00) >>>> >>>> Hope this helps. >>>> >>> Thanks for the heads-up. Never heard of that RBL, but they have my >>> attention now :-). >> But they are overrated in this case. What does anyone care how I number >> my network inside? So why attach 5 points just because someone happens >> to use an internal network number on his internal network? >> >> I also do documentation and 192.0.2 does not overlap with any other >> network so far so my VPNs are clean as well. >> >> Hugo. >> > That rule shouldn't be firing unless a bogon address is the last relay. It is > perfectly valid to have a bogon address for your internal network; in fact it > is probably encouraged. > Bogons are only bogons until they are not... or "bogons could cause swapping". Yes, too much Rocky and Bullwinkle. Point is, not all bogons are created equal. 192.0.2 is RFC 3330 reserved. Other bogons may be allocated; thus the swapping. Ken Anderson Pacific.Net > I see some traffic on this mis-firing since SpamAssassin 3.1.3 came out on the > SpamAssassin list, and I think there is an oldish bug report on it. > From jstevens at athensdistributing.com Tue Apr 24 21:49:17 2007 
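[Added example, not part of any message in this thread and not SpamAssassin's own code: the "last relay only" check Scott Silva describes, next to a check of every hop, with the bogon list kept as data as Ken Anderson's point suggests. The header strings, host names, the trusted network 10.0.0.0/24 and all function names are constructed for illustration; 203.0.113.7 stands in for a routable public address.]

```python
import ipaddress
import re

# Special-use ranges only: RFC 1918 space, 192.0.2.0/24 (the block Hugo uses),
# loopback and link-local. Lists of *unallocated* space go stale as blocks are
# assigned (Ken's point), so treat any such list as data to refresh.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumption for this example: our own mail hosts live in 10.0.0.0/24.
TRUSTED = [ipaddress.ip_network("10.0.0.0/24")]

# Peer address as MTAs commonly record it: "from name (rdns [a.b.c.d]) by ...".
# IPv4 only in this sketch.
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in networks)


def relay_ips(received_headers):
    """Peer IPs from Received headers, in header order (newest hop first)."""
    ips = []
    for header in received_headers:
        match = PEER_IP.search(header)
        if not match:
            continue  # hop recorded no address (e.g. local submission)
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # e.g. [999.1.1.1]: not an address, ignore the hop
    return ips


def last_external_relay(received_headers, trusted):
    """First peer, walking down from the newest header, that is not ours.

    Headers written by trusted hosts are reliable; everything below the first
    untrusted peer was supplied by the sender and may be internal or forged.
    """
    for ip in relay_ips(received_headers):
        if not in_any(ip, trusted):
            return ip
    return None  # message never left trusted hosts


def bogon_hits_all_hops(received_headers, bogons):
    """Naive check: flag any hop in a bogon range (what the thread objects to)."""
    return [str(ip) for ip in relay_ips(received_headers) if in_any(ip, bogons)]


def bogon_hit_last_external(received_headers, trusted, bogons):
    """Flag only when the host that handed the mail to us is in a bogon range."""
    ip = last_external_relay(received_headers, trusted)
    return ip is not None and in_any(ip, bogons)


# Constructed sample 1: the sender numbers its LAN out of 192.0.2.0/24, then
# relays through its public MTA before the mail reaches our gateway.
LEGIT = [
    "from gw.example.net (gw.example.net [10.0.0.5]) by store.example.net with ESMTP",
    "from mx.example.org (mx.example.org [203.0.113.7]) by gw.example.net with ESMTP",
    "from desktop (desktop.lan [192.0.2.10]) by mx.example.org with ESMTP",
]

# Constructed sample 2: the connection into our gateway itself comes from
# an address in 192.0.2.0/24.
DIRECT = [
    "from gw.example.net (gw.example.net [10.0.0.5]) by store.example.net with ESMTP",
    "from unknown (unknown [192.0.2.99]) by gw.example.net with SMTP",
]

if __name__ == "__main__":
    for name, headers in (("LEGIT", LEGIT), ("DIRECT", DIRECT)):
        print(name,
              "all-hops:", bogon_hits_all_hops(headers, SPECIAL_USE),
              "last-external:", last_external_relay(headers, TRUSTED),
              "hit:", bogon_hit_last_external(headers, TRUSTED, SPECIAL_USE))
```

[The every-hop check flags both our own gateway and the sender's internal 192.0.2.10 on the legitimate message; the last-external check flags only the second sample.]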
From: jstevens at athensdistributing.com (James R. Stevens) Date: Tue Apr 24 21:49:25 2007 Subject: Coming from everywhere References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com><4628E33E.3030907@evi-inc.com> <4628F40F.3060808@ecs.soton.ac.uk> Message-ID: <1A65E6BAEADF9B4F865314484A13ECF160885D@atlas.athensdistributing.com> Ok, I've been working on this for a few days and keep getting build errors on libsnert. Trying to install Libsnert1.63 and milter-null. Working with RedHat 9 box and RH ES and get the same issue when I issue 'make build' of libsnert... sendmail-8.12.8-9.90 which I understand already has libmilter compiled. cli->/usr/sbin/sendmail -d0.1 -bv root | grep MILTER returns MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 After configure (No options) of libsnert I get this after make build... Anyone have clear directions to install milters on RH 9 and RHES? gcc -I/usr/include/db4 -I/usr/local/org/sqlite/include -D_REENTRANT -O2 -Wall -I./../../include -L/usr/local/org/sqlite/lib -L./../../lib -o smtpout smtpout.c -lsnert -lpthread -ldl ./../../lib/libsnert.a(socket2.o)(.text+0x3ee): In function `socketAddressCreate': : undefined reference to `VectorGet' .. [Snipit] .. collect2: ld returned 1 exit status make[1]: *** [smtpout] Error 1 make[1]: Leaving directory `/usr/local/com/snert/src/tools' make: *** [build] Error 2 -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Friday, April 20, 2007 12:11 PM To: MailScanner discussion Subject: Re: Coming from everywhere -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matt Kettler wrote: > James R. Stevens wrote: > >> Have we already addressed these ?Failure notice? , ?Undeliverable? >> ?mails that are coming from everywhere. It seems to be more and more >> users are seeing these messages getting through. Some 100 per day. >> >> >> >> Anyone else seeing these things? Different subjects etc.. >> > > http://www.google.com/search?hl=en&q=backscatter+email&btnG=Search > If you haven't got it installed already, grab a copy of milter-null. Kills these things dead instantly. And you still get the delivery failure messages that were actually caused by you mistyping addresses, it doesn't just ditch all delivery failure reports. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: UTF-8 wj8DBQFGKPUsEfZZRxQVtlQRAtqlAJ9rE1wJ6zM5SPW2hMxAjFZeEnOydgCgia76 J+SPMS4iVyJIU9evgwIKT2E= =GygJ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
-- This message has been scanned for viruses and dangerous content by Athens Hyperion Scanner, and is believed to be clean. From steve.swaney at fsl.com Tue Apr 24 22:14:52 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Apr 24 22:14:55 2007 Subject: Coming from everywhere In-Reply-To: <1A65E6BAEADF9B4F865314484A13ECF160885D@atlas.athensdistributing.com> References: <1A65E6BAEADF9B4F865314484A13ECF1608854@atlas.athensdistributing.com><4628E33E.3030907@evi-inc.com> <4628F40F.3060808@ecs.soton.ac.uk> <1A65E6BAEADF9B4F865314484A13ECF160885D@atlas.athensdistributing.com> Message-ID: <075e01c786b5$996f28b0$cc4d7a10$@swaney@fsl.com> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of James R. Stevens > Sent: Tuesday, April 24, 2007 4:49 PM > To: MailScanner discussion > Subject: RE: Coming from everywhere > > Ok, I've been working on this for a few days and keep getting build > errors on libsnert. > Trying to install Libsnert1.63 and milter-null. > Working with RedHat 9 box and RH ES and get the same issue when I issue > 'make build' of libsnert... > sendmail-8.12.8-9.90 which I understand already has libmilter compiled. > > cli->/usr/sbin/sendmail -d0.1 -bv root | grep MILTER > > returns > > MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 > > After configure (No options) of libsnert I get this after make > build... Anyone have clear directions to install milters on RH 9 and > RHES? > > gcc -I/usr/include/db4 -I/usr/local/org/sqlite/include -D_REENTRANT -O2 > -Wall -I./../../include -L/usr/local/org/sqlite/lib -L./../../lib -o > smtpout smtpout.c -lsnert -lpthread -ldl > ./../../lib/libsnert.a(socket2.o)(.text+0x3ee): In function > `socketAddressCreate': > : undefined reference to `VectorGet' > .. > [Snipit] > .. > collect2: ld returned 1 exit status > make[1]: *** [smtpout] Error 1 > make[1]: Leaving directory `/usr/local/com/snert/src/tools' > make: *** [build] Error 2 > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Friday, April 20, 2007 12:11 PM > To: MailScanner discussion > Subject: Re: Coming from everywhere > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Matt Kettler wrote: > > James R. Stevens wrote: > > You're better off going to www.snertsoft.com for support. Anthony Howe does not monitor this list although I've bcc'd him on this response. Best regards, Steve Steve Swaney steve@fsl.com From alden at engineno9inc.com Tue Apr 24 23:38:23 2007 
From: alden at engineno9inc.com (=?UTF-8?B?QWxkZW4gTGV2eQ==?=) Date: Tue Apr 24 23:57:43 2007 Subject: No sendmail processes start when MS starts Message-ID: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> I've been using MS for a few years now with very few problems. However, my old server is on its last legs, so I've decided to migrate to a shiny new box. I've moved my /etc/MailScanner conf, prefs, rules, etc. files from the old box to the new. I've not yet moved bayes, but I assume that shouldn't be a problem (right?) The new OS is CentOS 4.4, and I've upgraded MS to the latest version. I'm unsure if MS worked properly before the upgrade. I am also using sendmail 8.13 (the old server was 8.10), and I changed the Lock Type. I've upgraded sa to 3.18 and clamav to 0.92, but I'm using clamav, not clamavmodule, so that should work. After I installed, I went through the routine of chkconfig sendmail off..... When I start up MS, I get notification "starting MailScanner [OK]" (or similar--I'm not in front of a console now), but no sendmail processes are started. My maillog files seem to be okay, all the children start, sa is okay as is clam; but of course, there are no sendmail processes. When I lint sa, everything's okay. I can't seem to debug MS; it hangs, because there's no mail--or is my assumption incorrect? I'm not sure where to look, though. Any suggestions would be appreciated. Thanks, Alden Alden Levy Engine No. 9, Inc. 130 West 57th Street, Suite 2F New York, NY 10019 (212) 981-1122 (212) 504-9598 (fax) www.engineno9inc.com From mike at vesol.com Wed Apr 25 00:02:46 2007 
From: mike at vesol.com (Mike Kercher) Date: Wed Apr 25 00:04:49 2007 Subject: No sendmail processes start when MS starts In-Reply-To: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> References: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> Message-ID: <6115482898C59848B35DB9D491C9A28E4D87@srv1.home.middlefinger.net> mailscanner-bounces@lists.mailscanner.info <> scribbled on : : I've been using MS for a few years now with very few : problems. However, my old server is on its last legs, so I've : decided to migrate to a shiny new box. I've moved my : /etc/MailScanner conf, prefs, rules, etc. files from the old : box to the new. I've not yet moved bayes, but I assume that : shouldn't be a problem (right?) : : The new OS is CentOS 4.4, and I've upgraded MS to the latest : version. I'm unsure if MS worked properly before the upgrade. : I am also using sendmail 8.13 (the old server was 8.10), and : I changed the Lock Type. I've upgraded sa to 3.18 and clamav : to 0.92, but I'm using clamav, not clamavmodule, so that should work. : : After I installed, I went through the routine of chkconfig : sendmail off..... : : When I start up MS, I get notification "starting MailScanner : [OK]" (or similar--I'm not in front of a console now), but no : sendmail processes are started. My maillog files seem to be : okay, all the children start, sa is okay as is clam; but of : course, there are no sendmail processes. : : When I lint sa, everything's okay. I can't seem to debug MS; : it hangs, because there's no mail--or is my assumption : incorrect? I'm not sure where to look, though. Any : suggestions would be appreciated. : : Thanks, : Alden : Did you STOP sendmail before starting MS? Mike From mike at vesol.com Wed Apr 25 00:12:08 2007 
From: mike at vesol.com (Mike Kercher) Date: Wed Apr 25 00:14:08 2007 Subject: No sendmail processes start when MS starts In-Reply-To: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> References: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> Message-ID: <6115482898C59848B35DB9D491C9A28E4D88@srv1.home.middlefinger.net> mailscanner-bounces@lists.mailscanner.info <> scribbled on : : I've been using MS for a few years now with very few : problems. However, my old server is on its last legs, so I've : decided to migrate to a shiny new box. I've moved my : /etc/MailScanner conf, prefs, rules, etc. files from the old : box to the new. I've not yet moved bayes, but I assume that : shouldn't be a problem (right?) : : The new OS is CentOS 4.4, and I've upgraded MS to the latest : version. I'm unsure if MS worked properly before the upgrade. : I am also using sendmail 8.13 (the old server was 8.10), and : I changed the Lock Type. I've upgraded sa to 3.18 and clamav : to 0.92, but I'm using clamav, not clamavmodule, so that should work. : : After I installed, I went through the routine of chkconfig : sendmail off..... : : When I start up MS, I get notification "starting MailScanner : [OK]" (or similar--I'm not in front of a console now), but no : sendmail processes are started. My maillog files seem to be : okay, all the children start, sa is okay as is clam; but of : course, there are no sendmail processes. : : When I lint sa, everything's okay. I can't seem to debug MS; : it hangs, because there's no mail--or is my assumption : incorrect? I'm not sure where to look, though. Any : suggestions would be appreciated. : : Thanks, : Alden I'd also look in other logs...could this be an SELinux problem? Mike From bilias at edu.physics.uoc.gr Wed Apr 25 00:14:11 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Wed Apr 25 00:14:26 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <462E27AD.7080703@ecs.soton.ac.uk> References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk> Message-ID: On Tue, 24 Apr 2007, Julian Field wrote: > Kapetanakis Giannis wrote: >> >> Clamd works fast on the other hand. >> Maybe it should be included officialy (clamdscan) >> in MailScanner's the next version. > Why? I already support the "clamavmodule" which is faster than clamd anyway. > > Jules > I haven't tried clamavmodule. I took the wrapper for clamd and the modified VirusSweep.pm and it works sweet. I'll also check clamavmodule to see what's going on :) Giannis From bilias at edu.physics.uoc.gr Wed Apr 25 00:19:23 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Wed Apr 25 00:19:40 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <462E2EA9.9090305@sbcglobal.net> References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk> <462E2EA9.9090305@sbcglobal.net> Message-ID: On Tue, 24 Apr 2007, Ed Bruce wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: >> >> >> Kapetanakis Giannis wrote: >>> On Mon, 23 Apr 2007, Martin wrote: >> >>> Clamd works fast on the other hand. >>> Maybe it should be included officially (clamdscan) >>> in MailScanner's next version. >> Why? I already support the "clamavmodule" which is faster than clamd anyway. >> >> Jules >> > > And I haven't noticed any performance degradation with clamavmodule > since upgrading to 0.90.2. Same for me... I remembered now that I did try clamavmodule. The load now is seen in the MailScanner but I guess it is the Perl module that is being loaded. From a little debug I did in clamavscan, what it does and takes so long is: Loading the database copying the database to /tmp/ loading the database from /tmp It does this for every mail that comes in. How does clamavmodule handle the db? Clamd only loads the db once. Giannis From alden at engineno9inc.com Wed Apr 25 02:43:45 2007 From: alden at engineno9inc.com (Alden Levy) Date: Wed Apr 25 02:43:52 2007 Subject: No sendmail processes start when MS starts In-Reply-To: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> References: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> Message-ID: <000601c786db$2ac2ae70$5e01a8c0@AldenLap> -----Original Message----- 
From: Alden Levy [mailto:alden@engineno9inc.com] Sent: Tuesday, April 24, 2007 6:38 PM To: mailscanner@lists.mailscanner.info Subject: No sendmail processes start when MS starts : I've been using MS for a few years now with very few : problems. However, my old server is on its last legs, so I've : decided to migrate to a shiny new box. I've moved my : /etc/MailScanner conf, prefs, rules, etc. files from the old : box to the new. I've not yet moved bayes, but I assume that : shouldn't be a problem (right?) : : The new OS is CentOS 4.4, and I've upgraded MS to the latest : version. I'm unsure if MS worked properly before the upgrade. : I am also using sendmail 8.13 (the old server was 8.10), and : I changed the Lock Type. I've upgraded sa to 3.18 and clamav : to 0.92, but I'm using clamav, not clamavmodule, so that should work. : : After I installed, I went through the routine of chkconfig : sendmail off..... : : When I start up MS, I get notification "starting MailScanner : [OK]" (or similar--I'm not in front of a console now), but no : sendmail processes are started. My maillog files seem to be : okay, all the children start, sa is okay as is clam; but of : course, there are no sendmail processes. : : When I lint sa, everything's okay. I can't seem to debug MS; : it hangs, because there's no mail--or is my assumption : incorrect? I'm not sure where to look, though. Any : suggestions would be appreciated. : : Thanks, : Alden I'd also look in other logs...could this be an SELinux problem? Mike SELinux is disabled. And, yes, I restarted MailScanner after the install. Would that it were so easy! Please keep the ideas and suggestions coming. Thanks, Alden From mike at vesol.com Wed Apr 25 03:05:45 2007 
From: mike at vesol.com (Mike Kercher) Date: Wed Apr 25 03:07:46 2007 Subject: No sendmail processes start when MS starts In-Reply-To: <000601c786db$2ac2ae70$5e01a8c0@AldenLap> References: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> <000601c786db$2ac2ae70$5e01a8c0@AldenLap> Message-ID: <6115482898C59848B35DB9D491C9A28E4D8A@srv1.home.middlefinger.net> mailscanner-bounces@lists.mailscanner.info <> scribbled on : : : I'd also look in other logs...could this be an SELinux problem? : : Mike : : SELinux is disabled. And, yes, I restarted MailScanner after : the install. : Would that it were so easy! Please keep the ideas and : suggestions coming. : : Thanks, : Alden : How about some log entries from /var/log/maillog and /var/log/messages at the time of a 'service MailScanner restart'. Just do this: # service MailScanner restart;tail -f /var/log/maillog /var/log/message Paste a bit of those logs and also a ps -ef Might as well throw a chkconfig sendmail --list in there too. Mike From alden at engineno9inc.com Wed Apr 25 03:29:31 2007 
From: alden at engineno9inc.com (Alden Levy) Date: Wed Apr 25 03:29:39 2007 Subject: No sendmail processes start when MS starts References: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> Message-ID: <001101c786e1$900b6d20$5e01a8c0@AldenLap> : : I'd also look in other logs...could this be an SELinux problem? : : Mike : : SELinux is disabled. And, yes, I restarted MailScanner after : the install. : Would that it were so easy! Please keep the ideas and : suggestions coming. : : Thanks, : Alden : How about some log entries from /var/log/maillog and /var/log/messages at the time of a 'service MailScanner restart'. Just do this: # service MailScanner restart;tail -f /var/log/maillog /var/log/message Paste a bit of those logs and also a ps -ef Might as well throw a chkconfig sendmail --list in there too. Mike Here you go: service MailScanner restart;tail -f /var/log/maillog /var/log/messages Shutting down MailScanner: [ OK ] Starting MailScanner: [ OK ] ==> /var/log/maillog <== Apr 24 22:25:55 E9 MailScanner[14241]: Read 764 hostnames from the phishing whitelist Apr 24 22:25:55 E9 MailScanner[14241]: Using SpamAssassin results cache Apr 24 22:25:55 E9 MailScanner[14241]: Connected to SpamAssassin cache database Apr 24 22:25:57 E9 MailScanner[14241]: Using locktype = posix Apr 24 22:25:57 E9 MailScanner[14241]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Apr 24 22:26:21 E9 MailScanner[14239]: MailScanner child caught a SIGHUP Apr 24 22:26:21 E9 MailScanner[14229]: MailScanner child caught a SIGHUP Apr 24 22:26:21 E9 MailScanner[14237]: MailScanner child caught a SIGHUP Apr 24 22:26:21 E9 MailScanner[14241]: MailScanner child caught a SIGHUP Apr 24 22:26:21 E9 MailScanner[14235]: MailScanner child caught a SIGHUP ==> /var/log/messages <== Apr 24 22:10:01 E9 logger: weblogs: (14070) starting. Apr 24 22:10:02 E9 logger: weblogs: (14070) done. Apr 24 22:20:01 E9 logger: weblogs: (14080) starting. 
Apr 24 22:20:02 E9 logger: weblogs: (14080) done. Apr 24 22:24:14 E9 sshd(pam_unix)[14089]: session opened for user root by root(uid=0) Apr 24 22:24:49 E9 MailScanner: MailScanner -15 succeeded Apr 24 22:25:19 E9 MailScanner: MailScanner shutdown failed Apr 24 22:25:35 E9 MailScanner: succeeded Apr 24 22:26:21 E9 MailScanner: MailScanner -15 succeeded Apr 24 22:26:36 E9 MailScanner: succeeded ==> /var/log/maillog <== Apr 24 22:26:36 E9 MailScanner[14316]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... Apr 24 22:26:36 E9 MailScanner[14316]: Read 764 hostnames from the phishing whitelist Apr 24 22:26:37 E9 MailScanner[14316]: Using SpamAssassin results cache Apr 24 22:26:37 E9 MailScanner[14316]: Connected to SpamAssassin cache database Apr 24 22:26:38 E9 MailScanner[14316]: Using locktype = posix Apr 24 22:26:38 E9 MailScanner[14316]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Apr 24 22:26:41 E9 MailScanner[14322]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... Apr 24 22:26:41 E9 MailScanner[14322]: Read 764 hostnames from the phishing whitelist Apr 24 22:26:42 E9 MailScanner[14322]: Using SpamAssassin results cache Apr 24 22:26:42 E9 MailScanner[14322]: Connected to SpamAssassin cache database Apr 24 22:26:43 E9 MailScanner[14322]: Using locktype = posix Apr 24 22:26:43 E9 MailScanner[14322]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Apr 24 22:26:46 E9 MailScanner[14324]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... 
Apr 24 22:26:46 E9 MailScanner[14324]: Read 764 hostnames from the phishing whitelist Apr 24 22:26:47 E9 MailScanner[14324]: Using SpamAssassin results cache Apr 24 22:26:47 E9 MailScanner[14324]: Connected to SpamAssassin cache database Apr 24 22:26:48 E9 MailScanner[14324]: Using locktype = posix Apr 24 22:26:48 E9 MailScanner[14324]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Apr 24 22:26:51 E9 MailScanner[14326]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... Apr 24 22:26:51 E9 MailScanner[14326]: Read 764 hostnames from the phishing whitelist Apr 24 22:26:52 E9 MailScanner[14326]: Using SpamAssassin results cache Apr 24 22:26:52 E9 MailScanner[14326]: Connected to SpamAssassin cache database Apr 24 22:26:53 E9 MailScanner[14326]: Using locktype = posix Apr 24 22:26:53 E9 MailScanner[14326]: Creating hardcoded struct_flock subroutine for linux (Linux-type) chkconfig sendmail --list sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off Thanks, Alden From micoots at yahoo.com Wed Apr 25 07:35:02 2007 
From: micoots at yahoo.com (Michael Mansour) Date: Wed Apr 25 07:35:05 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <462E2EA9.9090305@sbcglobal.net> Message-ID: <989725.51785.qm@web33303.mail.mud.yahoo.com> Hi Ed, Ed Bruce wrote: Julian Field wrote: > > Kapetanakis Giannis wrote: >> On Mon, 23 Apr 2007, Martin wrote: > >>> Arto wrote: >>> >>>> We had this too. Uninstalling clamav* and installing it again helped. >>>> >>>> -arto >>>> >>> Thanks for all replies. Read about this issue on the clamav-list and >>> hopefully it will be fixed in the next version. >> I have similar problems with clamav myself. > >> What I did that improved a little bit >> was deleting the virus database in /var/lib/clamav/* >> and running freshclam again. > >> Still is very slow. If you try clamscan -debug you will >> find out why it is so damn slow.... > >> Clamd works fast on the other hand. >> Maybe it should be included officially (clamdscan) >> in MailScanner's next version. > Why? I already support the "clamavmodule" which is faster than clamd anyway. > > Jules And I haven't noticed any performance degradation with clamavmodule since upgrading to 0.90.2. Pardon my ignorance Ed, but I'm unfamiliar with clamavmodule, I just use the clamscan approach and have also experienced the load shoot up since updating to 0.90.2. Are there any instructions on installing clamavmodule? If that fixes the load problem I'll be happy to do it. Thanks. Michael. From martinh at solidstatelogic.com Wed Apr 25 09:07:11 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Apr 25 09:08:03 2007 Subject: No sendmail processes start when MS starts In-Reply-To: <001101c786e1$900b6d20$5e01a8c0@AldenLap> Message-ID: Alden Try "service MailScanner startin" This starts the incoming sendmail. Have a look for errors In the logs - /var/log/messages and /var/log/maillog. Also have a look at the mailscanner rc script and make sure things are pointing at the correct sendmail configs/binaries etc... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alden Levy > Sent: 25 April 2007 03:30 > To: mailscanner@lists.mailscanner.info > Subject: RE: No sendmail processes start when MS starts > > : > : I'd also look in other logs...could this be an SELinux problem? > : > : Mike > : > : SELinux is disabled. And, yes, I restarted MailScanner after > : the install. > : Would that it were so easy! Please keep the ideas and > : suggestions coming. > : > : Thanks, > : Alden > : > > How about some log entries from /var/log/maillog and /var/log/messages > at the time of a 'service MailScanner restart'. Just do this: > > # service MailScanner restart;tail -f /var/log/maillog /var/log/message > > Paste a bit of those logs and also a ps -ef Might as well throw a > chkconfig sendmail --list in there too. > > Mike > > Here you go: > service MailScanner restart;tail -f /var/log/maillog /var/log/messages > Shutting down MailScanner: [ OK ] > Starting MailScanner: [ OK ] > ==> /var/log/maillog <== > Apr 24 22:25:55 E9 MailScanner[14241]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:25:55 E9 MailScanner[14241]: Using SpamAssassin results cache > Apr 24 22:25:55 E9 MailScanner[14241]: Connected to SpamAssassin cache > database > Apr 24 22:25:57 E9 MailScanner[14241]: Using locktype = posix > Apr 24 22:25:57 E9 MailScanner[14241]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:21 E9 MailScanner[14239]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14229]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14237]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14241]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14235]: MailScanner child caught a SIGHUP > > ==> /var/log/messages <== > Apr 24 22:10:01 E9 logger: weblogs: (14070) starting. > Apr 24 22:10:02 E9 logger: weblogs: (14070) done. 
> Apr 24 22:20:01 E9 logger: weblogs: (14080) starting. > Apr 24 22:20:02 E9 logger: weblogs: (14080) done. > Apr 24 22:24:14 E9 sshd(pam_unix)[14089]: session opened for user root by > root(uid=0) > Apr 24 22:24:49 E9 MailScanner: MailScanner -15 succeeded > Apr 24 22:25:19 E9 MailScanner: MailScanner shutdown failed > Apr 24 22:25:35 E9 MailScanner: succeeded > Apr 24 22:26:21 E9 MailScanner: MailScanner -15 succeeded > Apr 24 22:26:36 E9 MailScanner: succeeded > > ==> /var/log/maillog <== > Apr 24 22:26:36 E9 MailScanner[14316]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:36 E9 MailScanner[14316]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:37 E9 MailScanner[14316]: Using SpamAssassin results cache > Apr 24 22:26:37 E9 MailScanner[14316]: Connected to SpamAssassin cache > database > Apr 24 22:26:38 E9 MailScanner[14316]: Using locktype = posix > Apr 24 22:26:38 E9 MailScanner[14316]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:41 E9 MailScanner[14322]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:41 E9 MailScanner[14322]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:42 E9 MailScanner[14322]: Using SpamAssassin results cache > Apr 24 22:26:42 E9 MailScanner[14322]: Connected to SpamAssassin cache > database > Apr 24 22:26:43 E9 MailScanner[14322]: Using locktype = posix > Apr 24 22:26:43 E9 MailScanner[14322]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:46 E9 MailScanner[14324]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... 
> Apr 24 22:26:46 E9 MailScanner[14324]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:47 E9 MailScanner[14324]: Using SpamAssassin results cache > Apr 24 22:26:47 E9 MailScanner[14324]: Connected to SpamAssassin cache > database > Apr 24 22:26:48 E9 MailScanner[14324]: Using locktype = posix > Apr 24 22:26:48 E9 MailScanner[14324]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:51 E9 MailScanner[14326]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:51 E9 MailScanner[14326]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:52 E9 MailScanner[14326]: Using SpamAssassin results cache > Apr 24 22:26:52 E9 MailScanner[14326]: Connected to SpamAssassin cache > database > Apr 24 22:26:53 E9 MailScanner[14326]: Using locktype = posix > Apr 24 22:26:53 E9 MailScanner[14326]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > > > > chkconfig sendmail --list > sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off > > Thanks, > Alden > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. 
From MailScanner at ecs.soton.ac.uk Wed Apr 25 10:49:22 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 25 10:54:30 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk>
Message-ID: <462F2422.7060508@ecs.soton.ac.uk>

Paul Hutchings wrote:
> Newbie talking so feel free to shoot me down in flames :-)
>
> My understanding (from clamscan --debug) is that each time you run clamscan it appears it has to read the virus patterns, unpack them (to /tmp), scan the files, remove the files.
>
Correct.
> This is the "probably talking out my bum" bit, but that sounds less efficient than clamd where (I assume) the daemon loads the definitions once and each child process doesn't have to do this?
>
The "clamavmodule" method is more efficient as it just communicates directly with the clam function library and doesn't involve any external processes at all. The definitions are loaded up once and kept in memory by the function library. This is also more reliable as there is no external daemon (clamd) which might crash, or leak memory or other resources. The signature files are monitored and if any of them change at all then the library is immediately told to re-load the new definitions so it is always using up to date signatures.

If you use my latest ClamAV+SA package from www.mailscanner.info, that will install everything needed to use the "clamavmodule" method and will even do the configuration for you.

I hope that explains it to you :-)

Jules.

> Cheers,
> Paul
>
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378
> Fax: 44 (0)24 7635 8378
> mailto:paul.hutchings@mira.co.uk
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> Sent: 24 April 2007 17:09
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
>
> Julian Field spake the following on 4/24/2007 8:52 AM:
>
>> Kapetanakis Giannis wrote:
>>
>>> On Mon, 23 Apr 2007, Martin wrote:
>>>
>>>> Arto wrote:
>>>>
>>>>> We had this too. Uninstalling clamav* and installing it again helped.
>>>>>
>>>>> -arto
>>>>>
>>>> Thanks for all replies. Read about this issue on the clamav-list and
>>>> hopefully it will be fixed in the next version.
>>>>
>>> I have similar problems with clamav myself.
>>>
>>> What I did that improved a little bit
>>> was deleting the virus database in /var/lib/clamav/*
>>> and running freshclam again.
>>>
>>> Still is very slow. If you try clamscan -debug you will
>>> find out why it is so damn slow....
>>>
>>> Clamd works fast on the other hand.
>>> Maybe it should be included officially (clamdscan)
>>> in MailScanner's the next version.
>>>
>> Why? I already support the "clamavmodule" which is faster than clamd anyway.
>>
>> Jules
>>
> Are there any tips on commandline diagnostics for the clamavmodule?
> I have a system that has been choking with the module for 2 weeks, and the
> mailscanner.conf fix isn't working with it.
> I am running clamav now, but the load is much higher.
>
> I am going to try the tip of clearing the definitions and re-running freshclam
> to see if that helps.
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Wed Apr 25 10:53:12 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 25 10:55:07 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk> <462E2EA9.9090305@sbcglobal.net>
Message-ID: <462F2508.3000505@ecs.soton.ac.uk>

Kapetanakis Giannis wrote:
> On Tue, 24 Apr 2007, Ed Bruce wrote:
>
>> Julian Field wrote:
>>>
>>> Kapetanakis Giannis wrote:
>>>> On Mon, 23 Apr 2007, Martin wrote:
>>>
>>>> Clamd works fast on the other hand.
>>>> Maybe it should be included officially (clamdscan)
>>>> in MailScanner's the next version.
>>> Why? I already support the "clamavmodule" which is faster than clamd
>>> anyway.
>>>
>>> Jules
>>>
>>
>> And I haven't noticed any performance degradation with clamavmodule
>> since upgrading to 0.90.2.
>
> Same for me...
>
> I remembered now that I did try clamavmodule.
> The load now is seen in the MailScanner but I guess it is
> the perl module that is being loaded.
>
> From a little debug I did in clamavscan
> what it does and takes so long is:
>
> Loading the database
> copying the database to /tmp/
> loading the database from /tmp
>
> It does this for every mail it comes in.
Slight correction: it does it once for every batch.
>
> How does clamavmodule handle the db?
>
> Clamd only loads the db once.
clamavmodule loads the db once at startup. It then monitors the signature files and instantly reloads the db if the signatures files change at all.
>
> Giannis

Jules
From MailScanner at ecs.soton.ac.uk Wed Apr 25 10:54:32 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 25 10:55:14 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <989725.51785.qm@web33303.mail.mud.yahoo.com>
References: <989725.51785.qm@web33303.mail.mud.yahoo.com>
Message-ID: <462F2558.3060802@ecs.soton.ac.uk>

Michael Mansour wrote:
> Hi Ed,
>
> */Ed Bruce /* wrote:
>
> Julian Field wrote:
> >
> > Kapetanakis Giannis wrote:
> >> On Mon, 23 Apr 2007, Martin wrote:
> >
> >>> Arto wrote:
> >>>
> >>>> We had this too. Uninstalling clamav* and installing it again helped.
> >>>>
> >>>> -arto
> >>>>
> >>> Thanks for all replies. Read about this issue on the clamav-list and
> >>> hopefully it will be fixed in the next version.
> >> I have similar problems with clamav myself.
> >
> >> What I did that improved a little bit
> >> was deleting the virus database in /var/lib/clamav/*
> >> and running freshclam again.
> >
> >> Still is very slow. If you try clamscan -debug you will
> >> find out why it is so damn slow....
> >
> >> Clamd works fast on the other hand.
> >> Maybe it should be included officially (clamdscan)
> >> in MailScanner's the next version.
> > Why? I already support the "clamavmodule" which is faster than clamd anyway.
> >
> > Jules
>
> And I haven't noticed any performance degradation with clamavmodule
> since upgrading to 0.90.2.
>
> Pardon my ignorance Ed, but I'm unfamiliar with clamavmodule, I just
> use the clamscan approach and have also experienced the load shoot up
> since updating to 0.90.2.
>
> Are there any instructions on installing clamavmodule?
Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead simple.
>
> If that fixes the load problem I'll be happy to do it.
>
> Thanks.
>
> Michael.
>

Jules

From mogens at fumlersoft.dk Wed Apr 25 11:26:58 2007
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Wed Apr 25 11:26:27 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <462F2558.3060802@ecs.soton.ac.uk>
References: <989725.51785.qm@web33303.mail.mud.yahoo.com> <462F2558.3060802@ecs.soton.ac.uk>
Message-ID: <1202.90.184.17.152.1177496818.squirrel@mail.fumlersoft.dk>

Hi all,

>> Are there any instructions on installing clamavmodule?
> Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead
> simple.

I'm using openprotect w/ clamav. Would I be able to install this "easy-to-use ClamAV+SA package" on top of openprotect, and live to tell about it?

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

From bilias at edu.physics.uoc.gr Wed Apr 25 12:15:54 2007
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Wed Apr 25 12:16:10 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <462F2508.3000505@ecs.soton.ac.uk>
References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk> <462E2EA9.9090305@sbcglobal.net> <462F2508.3000505@ecs.soton.ac.uk>
Message-ID:

On Wed, 25 Apr 2007, Julian Field wrote:

> Kapetanakis Giannis wrote:
>>
>> Loading the database
>> copying the database to /tmp/
>> loading the database from /tmp
>>
>> It does this for every mail it comes in.
> Slight correction: it does it once for every batch.

correct

>> How does clamavmodule handle the db?
>>
>> Clamd only loads the db once.
> clamavmodule loads the db once at startup. It then monitors the
> signature files and instantly reloads the db if the signatures files
> change at all.
>>
>> Giannis
>
> Jules

I've tried again clamavmodule. Performance went down again...
I'm talking about load 4-5 continuously.
Each MailScanner batch takes up to 16 seconds to complete.
(clamscan also needed 12 seconds itself for each scan)
CPU at 100% all the time.

I've registered in clamav-users a while ago.
They are also talking about clamav's performance in 0.90.2
There is a patch going around the list but I haven't tried that yet.

So I'm going back to clamd which at least works fine and fast for me. 1-3 seconds for each MailScanner batch, including the virus scanning by all scanners. Load 0.5-1.0 approx.

Clamd also comes with a clamdwatch that watches if the daemon dies or stops responding for those who are afraid of that.

Giannis

ps. I'm not advertising clamd :-)

From daniel.maher at ubisoft.com Wed Apr 25 12:30:39 2007
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Apr 25 12:30:43 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204C7B16E@UBIMAIL1.ubisoft.org>

> So I'm going back to clamd which at least works fine and fast
> for me. 1-3 seconds for each MailScanner batch, including
> the virus scanning by all scanners. Load 0.5-1.0 approx.
>
> Clamd also comes with a clamdwatch that watches
> if the daemon dies or stops responding for those who
> are afraid of that.
>
> Giannis

Would you be willing to share your patch(es) w/ the list?

--
  _
 °v°   Daniel Maher
/(_)\  Unix System Administrator
 ^ ^

"How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007.

From alden at engineno9inc.com Wed Apr 25 13:01:13 2007
From: alden at engineno9inc.com (Alden Levy)
Date: Wed Apr 25 13:01:21 2007
Subject: No sendmail processes start when MS starts
References: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry>
Message-ID: <007701c78731$6c36dab0$5e01a8c0@AldenLap>

: Alden
: Try "service MailScanner startin"
: This starts the incoming sendmail. Have a look for errors in the logs -
: /var/log/messages and /var/log/maillog.
: Also have a look at the mailscanner rc script and make sure things are
: pointing at the correct sendmail configs/binaries etc...
: --
: Martin Hepworth
: Snr Systems Administrator
: Solid State Logic
: Tel: +44 (0)1865 842300

Martin,

That did it. Thanks. Basically, when I "service MailScanner startin", I just got a command prompt back. I then examined /etc/rc.d/init.d/MailScanner (actually, MailScanner_app_init). startin and startout were blank! I was able to pull over the file from my old, working server and overwrite the bad file and it looks like everything is working now.

I know I never mentioned Ensim, but I'm wondering if the Ensim setup is different from a standard install. On my old server, my install of Ensim predates Ensim's integration of MailScanner, so I always ran MS from the command line, not from the Ensim control panel.

Regards,
Alden

Alden Levy
Engine No. 9, Inc.
130 W. 57th Street, Suite 2F
New York, NY 10019
(212) 981-1122
(212) 504-9598 fax

From bilias at edu.physics.uoc.gr Wed Apr 25 13:16:27 2007
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Wed Apr 25 13:16:55 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204C7B16E@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204C7B16E@UBIMAIL1.ubisoft.org>
Message-ID:

On Wed, 25 Apr 2007, Daniel Maher wrote:

>> So I'm going back to clamd which at least works fine and fast
>> for me. 1-3 seconds for each MailScanner batch, including
>> the virus scanning by all scanners. Load 0.5-1.0 approx.
>>
>> Clamd also comes with a clamdwatch that watches
>> if the daemon dies or stops responding for those who
>> are afraid of that.
>>
>> Giannis
>
> Would you be willing to share your patch(es) w/ the list?
>
> Daniel Maher

I think I discovered the patches in this same list. Anyway I'll post them again (wrapper might be slightly modified -- I don't remember)

Apply SweepViruses.patch:

    cp SweepViruses.patch /usr/lib/MailScanner/MailScanner/
    cd /usr/lib/MailScanner/MailScanner/
    cp SweepViruses.pm SweepViruses.pm-org
    patch -p0 < SweepViruses.patch

    cp clamd-wrapper /usr/lib/MailScanner/
    chmod 755 /usr/lib/MailScanner/clamd-wrapper

edit /etc/MailScanner/virus.scanners.conf
and put the line

    clamd /usr/lib/MailScanner/clamd-wrapper /usr

(Change /usr at the end according to where clamdscan is located in your system. Mine is in /usr/bin/clamdscan)

Check if it works

    /usr/lib/MailScanner/clamd-wrapper /usr /tmp/test_file

(clamav user must have read access to the test_file)

Edit /etc/MailScanner/MailScanner.conf

    Incoming Work Group = clamav
    Incoming Work Permissions = 0640

add clamd to virus scanners, like below

    Virus Scanners = clamd bitdefender antivir

Find where is your Incoming Work Dir directive

    Incoming Work Dir = /var/spool/MailScanner/incoming

    chgrp clamav /var/spool/MailScanner/incoming
    chmod g+rx /var/spool/MailScanner/incoming

Clamd must be able to read there otherwise it will fail.
do a

    /usr/sbin/MailScanner -lint

it should report clamd now

do a

    /usr/sbin/MailScanner -debug

You might also want to install clamdwatch from clamav's source
clamav-0.90.2/contrib/clamdwatch
There are install instructions there

That's all. I don't remember doing something else, apart from telling the system that clamd should be running on system reboot.

Good luck

Giannis

ps. This configuration works for me, Apply at your own risk.

-------------- next part --------------
--- SweepViruses.pm 2007-04-25 14:51:24.000000000 +0300 +++ SweepViruses.pm-clamd 2007-04-25 14:51:05.000000000 +0300
@@ -301,6 +301,17 @@ SupportScanning => $S_SUPPORTED, SupportDisinfect => $S_NONE, }, + "clamd" => { + Name => 'ClamAV', + Lock => 'ClamAVBusy.lock', + CommonOptions => '--no-summary --stdout', + DisinfectOptions => '', + ScanOptions => '', + InitParser => \&InitClamAVParser, + ProcessOutput => \&ProcessClamAVOutput, + SupportScanning => $S_SUPPORTED, + SupportDisinfect => $S_NONE, + }, "trend" => { Name => 'Trend', Lock => 'TrendBusy.lock',
-------------- next part --------------
#!/bin/sh
# clamd-wrapper -- invoke clamdscan for use with mailscanner
#
###### IF YOU ARE RUNNING MAILSCANNER AS ROOT ######
# You need to set the following in MailScanner.conf so that external
# unpackers can be used...
# Incoming Work Group = clamav
# Incoming Work Permissions = 0640

# You may want to check this script for bash-isms

ClamUser="clamav"
ClamGroup="clamav"

ScanOptions=""
ExtraScanOptions=""

# Extra options we try to pass to clam but we handle it failing
# For each option there are two alternatives...
#   --option                    # if the required program is in the PATH
#   --option=/path/to/program   # If its in a non standard location
# If you use the second option make sure you set the correct path in each case

# First argument is the installation prefix (e.g. /usr); quoted so that a
# prefix containing spaces does not break the tests below.
ClamScan="$1/bin/clamdscan"
shift
if [ ! -x "$ClamScan" ]; then
  ClamScan=/usr/bin/clamdscan
fi

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x "$ClamScan" ] && exit 0
  exit 1
fi

# Add this for Solaris users so they can find whoami
PATH=$PATH:/usr/ucb
export PATH

# Note: this test is always true and the assignment changes nothing.
if [ $? ]; then
  ExtraScanOptions="$ExtraScanOptions"
fi

# The option variables are left unquoted on purpose so they split into words.
"$ClamScan" $ExtraScanOptions $ScanOptions "$@"
retval=$?

if [ "$retval" = "40" ]; then
  # Clam complained we passed an illegal command-line option
  # (As this calls without external unpackers the temp dir isn't used)
  exec "$ClamScan" $ScanOptions "$@"
else
  exit $retval
fi

From jan-peter at koopmann.eu Wed Apr 25 15:03:52 2007
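Review bot: the added "clamd" entry sets Name => 'ClamAV' and Lock => 'ClamAVBusy.lock', neither of which identifies the daemon-based scanner. If another entry in this table uses the same lock name (not visible in this hunk), the two scanners would serialise on one lock file and be hard to tell apart in reports. Suggest a distinct lock such as Lock => 'ClamdBusy.lock', and a comment above the entry stating that it expects the clamd-wrapper script and that ProcessClamAVOutput is assumed to understand clamdscan output produced with --no-summary --stdout. The patch also carries no description; the MailScanner.conf prerequisites from the accompanying message (Incoming Work Group, Incoming Work Permissions) belong there.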
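The prerequisites in Giannis's clamd instructions above (the scanner line in virus.scanners.conf, the Incoming Work settings in MailScanner.conf, a group-readable incoming directory) can be checked before restarting MailScanner. This preflight script is an added example, not part of the original post or of MailScanner; the function names are hypothetical, the fixture files are constructed, and the check that the mode grants nothing beyond owner and group is an added hardening assumption.

```shell
#!/bin/sh
# Added example: preflight check for the clamd setup steps described above.
# All function names are hypothetical helpers, not MailScanner or ClamAV tools.

# Print the value of the last uncommented "Option Name = value" line.
# Assumes the option is spelled exactly as in the stock MailScanner.conf.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Group name of a file or directory, as shown by ls -ld.
dir_group() { ls -ld "$1" | awk '{ print $4 }'; }

# check_clamd_setup MAILSCANNER_CONF VIRUS_SCANNERS_CONF [GROUP]
# Prints one line per problem; the return status is the number of problems.
check_clamd_setup() {
    ms_conf=$1; vs_conf=$2; grp=${3:-clamav}; problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # 1. virus.scanners.conf must map "clamd" to an executable wrapper.
    wrapper=$(awk '$1 == "clamd" { print $2; exit }' "$vs_conf")
    if [ -z "$wrapper" ]; then
        fail "no clamd line in $vs_conf"
    elif [ ! -x "$wrapper" ]; then
        fail "wrapper $wrapper is missing or not executable"
    fi

    # 2. Work files must belong to the group clamd runs as and be group-readable.
    [ "$(conf_value "$ms_conf" 'Incoming Work Group')" = "$grp" ] ||
        fail "Incoming Work Group is not $grp"
    perms=$(conf_value "$ms_conf" 'Incoming Work Permissions')
    case $perms in
        *[0-7][0-7][0-7])
            rest=${perms%?}                 # mode without the "other" digit
            other=${perms#"$rest"}          # the "other" digit
            group=${rest#"${rest%?}"}       # the group digit
            [ $((group & 4)) -ne 0 ] || fail "Incoming Work Permissions $perms: no group read"
            # Added hardening check: queued mail should not be open to all local users.
            [ "$other" = 0 ] || fail "Incoming Work Permissions $perms: access beyond owner and group"
            ;;
        *) fail "Incoming Work Permissions is not an octal mode" ;;
    esac

    # 3. clamd must be listed as a scanner.
    case " $(conf_value "$ms_conf" 'Virus Scanners') " in
        *" clamd "*) ;;
        *) fail "clamd is not in Virus Scanners" ;;
    esac

    # 4. The incoming directory needs group $grp with r and x for that group.
    dir=$(conf_value "$ms_conf" 'Incoming Work Dir')
    if [ -d "$dir" ]; then
        mode=$(ls -ld "$dir" | awk '{ print $1 }')
        [ "$(dir_group "$dir")" = "$grp" ] || fail "$dir has group $(dir_group "$dir"), expected $grp"
        case $mode in
            ????r?[xs]*) ;;
            *) fail "$dir mode $mode lacks group r-x" ;;
        esac
    else
        fail "Incoming Work Dir '$dir' does not exist"
    fi
    return "$problems"
}

# Build a constructed fixture (not real server files) under directory $1:
# $2 = mode of the work dir, $3 = group name, $4 = Incoming Work Permissions.
make_fixture() {
    mkdir -p "$1/incoming" && chmod "$2" "$1/incoming"
    printf '#!/bin/sh\nexit 0\n' > "$1/clamd-wrapper" && chmod 755 "$1/clamd-wrapper"
    printf 'clamd\t%s\t/usr\n' "$1/clamd-wrapper" > "$1/virus.scanners.conf"
    cat > "$1/MailScanner.conf" <<EOF
# constructed sample, not a complete MailScanner.conf
Incoming Work Dir = $1/incoming
Incoming Work Group = $3
Incoming Work Permissions = $4
Virus Scanners = clamd bitdefender antivir
EOF
}

if [ $# -ge 2 ]; then
    # Real use: pass the two configuration files (and optionally the group).
    check_clamd_setup "$@"; exit $?
else
    # Demo: the work directory is deliberately left at mode 700.
    demo=$(mktemp -d)
    make_fixture "$demo" 700 "$(dir_group "$demo")" 0640
    check_clamd_setup "$demo/MailScanner.conf" "$demo/virus.scanners.conf" "$(dir_group "$demo")"
    echo "problems found: $?"
    rm -rf "$demo"
fi
```

Against a live system, pass /etc/MailScanner/MailScanner.conf and /etc/MailScanner/virus.scanners.conf as the two arguments, running as a user that can read both files.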
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Wed Apr 25 15:01:48 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk>
Message-ID:

> I took the wrapper for clamd and the modified VirusSweep.pm

Modified VirusSweep.pm? Please bring me up to speed since I seem to have missed this.

From jan-peter at koopmann.eu Wed Apr 25 15:11:48 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Wed Apr 25 15:09:30 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <462E27AD.7080703@ecs.soton.ac.uk>
References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk>
Message-ID:

On Tuesday, April 24, 2007 5:52 PM Julian Field wrote:
> Why? I already support the "clamavmodule" which is faster than clamd
> anyway.

Welcome back! What are you doing out of bed anyways? :-)

Kind regards,
JP

From glenn.steen at gmail.com Wed Apr 25 16:08:29 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Apr 25 16:08:33 2007
Subject: Deleting detected spam for some addresses only
In-Reply-To: <001e01c786a3$a1cbaea0$0705000a@ddf5dw71>
References: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700704240226oad3feddwc0ec03d066486d2a@mail.gmail.com> <462E0A1D.4010108@sbcglobal.net> <223f97700704240706m394fd0edwc88c548ee8218ef2@mail.gmail.com> <001e01c786a3$a1cbaea0$0705000a@ddf5dw71>
Message-ID: <223f97700704250808p118337a1p98ac3987cb9df509@mail.gmail.com>

On 24/04/07, Steve Campbell wrote:
>
> ----- Original Message -----
> From: "Glenn Steen"
> To: "MailScanner discussion"
> Sent: Tuesday, April 24, 2007 10:06 AM
> Subject: Re: Deleting detected spam for some addresses only
>
> > On 24/04/07, Ed Bruce wrote:
> >> Glenn Steen wrote:
> > (snip)
> >> > MailScanner --value=highscoringspamactions --from=glenn.steen@ap1.se --to=some@add.res --ip=127.0.0.1
> >> > Looked up internal option name "highscorespamactions"
> >> > With sender = glenn.steen@ap1.se
> >> > recipient = some@add.res
> >> > Client IP = 127.0.0.1
> >> > Virus =
> >> > Result is "store delete"
> >> > .... you get the picture:-).
> >> > When you've got it right, just reload/restart MailScanner...
> >> >
> >> > Cheers
> >>
> >> Interesting. What values are valid with "--value" ???
> >
> > Everything in the MailScanner.conf file that is a valid lval,
> > basically. That is: Any option in that file... just lowercase
> > (optional, I think) and runtogether (no whitespace) and you're set.
> > You can also use the internal shorthand from ConfigDefs.pl ... Use
> > "MailScanner --help" to get some more ideas (supply a virus name or
> > somesuch and see what happens ...).
> >
> > Cheers
> > --
> > -- Glenn
> Glenn,
>
> Can you explain this a little more? All I seem to get is "store delete" for
> any options. I have an IP in my spam.whitelist.rules.conf and used it
> as --ip=xxx.xxx.xxx.xxx along with the --value=highscoringspamactions
> thinking I should have received something other than store, delete.
>
> Call me confused.

Ok Confused, I will:-):-).

Anyway, the likely reasons might be that you are a) testing the wrong setting, b) have a flawed ruleset/understanding of its application (... I'm not pointing any fingers or calling any names here...:-)

For me it works flawlessly...
Checking something I've got a ruleset for IP addresses on:

# egrep "Virus Scanning" /etc/MailScanner/MailScanner.conf|egrep -v "^#"
Virus Scanning = %rules-dir%/virus.whitelist.rules
# cat /etc/MailScanner/rules/virus.whitelist.rules |egrep -v "^#"
From: 127.0.0.1 no
FromOrTo: default yes
# MailScanner --value="virusscanning" --ip=127.0.0.1
Looked up internal option name "virusscan"
With sender =
Client IP = 127.0.0.1
Virus =
Result is "0"

0=No 1=Yes
# MailScanner --value="virusscanning" --ip=127.0.0.2
Looked up internal option name "virusscan"
With sender =
Client IP = 127.0.0.2
Virus =
Result is "1"

0=No 1=Yes
#

So... as you see, it works very well for me;).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From campbell at cnpapers.com Wed Apr 25 16:50:17 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Apr 25 16:51:50 2007
Subject: Deleting detected spam for some addresses only
References: <1177405900.29791.10.camel@gblades-suse.linguaphone-intranet.co.uk><223f97700704240226oad3feddwc0ec03d066486d2a@mail.gmail.com><462E0A1D.4010108@sbcglobal.net><223f97700704240706m394fd0edwc88c548ee8218ef2@mail.gmail.com><001e01c786a3$a1cbaea0$0705000a@ddf5dw71> <223f97700704250808p118337a1p98ac3987cb9df509@mail.gmail.com>
Message-ID: <000701c78751$6c90acf0$0705000a@ddf5dw71>

----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Wednesday, April 25, 2007 11:08 AM
Subject: Re: Deleting detected spam for some addresses only

> On 24/04/07, Steve Campbell wrote:
>>
>> ----- Original Message -----
>> From: "Glenn Steen"
>> To: "MailScanner discussion"
>> Sent: Tuesday, April 24, 2007 10:06 AM
>> Subject: Re: Deleting detected spam for some addresses only
>>
>> > On 24/04/07, Ed Bruce wrote:
>> >> Glenn Steen wrote:
>> > (snip)
>> >> > MailScanner --value=highscoringspamactions --from=glenn.steen@ap1.se --to=some@add.res --ip=127.0.0.1
>> >> > Looked up internal option name "highscorespamactions"
>> >> > With sender = glenn.steen@ap1.se
>> >> > recipient = some@add.res
>> >> > Client IP = 127.0.0.1
>> >> > Virus =
>> >> > Result is "store delete"
>> >> > .... you get the picture:-).
>> >> > When you've got it right, just reload/restart MailScanner...
>> >> >
>> >> > Cheers
>> >>
>> >> Interesting. What values are valid with "--value" ???
>> >
>> > Everything in the MailScanner.conf file that is a valid lval,
>> > basically. That is: Any option in that file... just lowercase
>> > (optional, I think) and runtogether (no whitespace) and you're set.
>> > You can also use the internal shorthand from ConfigDefs.pl ... Use
>> > "MailScanner --help" to get some more ideas (supply a virus name or
>> > somesuch and see what happens ...).
>> >
>> > Cheers
>> > --
>> > -- Glenn
>> Glenn,
>>
>> Can you explain this a little more? All I seem to get is "store delete" for
>> any options. I have an IP in my spam.whitelist.rules.conf and used it
>> as --ip=xxx.xxx.xxx.xxx along with the --value=highscoringspamactions
>> thinking I should have received something other than store, delete.
>>
>> Call me confused.
> Ok Confused, I will:-):-).
>
> Anyway, the likely reasons might be that you are a) testing the wrong
> setting, b) have a flawed ruleset/understanding of its application
> (... I'm not pointing any fingers or calling any names here...:-)
>
> For me it works flawlessly...
> Checking something I've got a ruleset for IP addresses on:
>
> # egrep "Virus Scanning" /etc/MailScanner/MailScanner.conf|egrep -v "^#"
> Virus Scanning = %rules-dir%/virus.whitelist.rules
> # cat /etc/MailScanner/rules/virus.whitelist.rules |egrep -v "^#"
> From: 127.0.0.1 no
> FromOrTo: default yes
> # MailScanner --value="virusscanning" --ip=127.0.0.1
> Looked up internal option name "virusscan"
> With sender =
> Client IP = 127.0.0.1
> Virus =
> Result is "0"
>
> 0=No 1=Yes
> # MailScanner --value="virusscanning" --ip=127.0.0.2
> Looked up internal option name "virusscan"
> With sender =
> Client IP = 127.0.0.2
> Virus =
> Result is "1"
>
> 0=No 1=Yes
> #
>
> So... as you see, it works very well for me;).

For me also, now. I was misunderstanding the purpose of "value", thinking that was something to supply data to the function, not requesting the value of "value". You can stop calling me "Confused" now and thanks for the enlightenment.

Steve

>
> Cheers
> --
> -- Glenn

From ncanepa at fcen.uba.ar Wed Apr 25 18:03:13 2007
From: ncanepa at fcen.uba.ar (Nicolas Canepa)
Date: Wed Apr 25 18:04:21 2007
Subject: scan.messager.rules
Message-ID: <462F89D1.6000404@fcen.uba.ar>

I need to whitelist some mails from one determined address to other email address. Playing a bit with scan.messages.rules, I've seen that if I put this

    From: email1@domain1.net no

Does not scan at all messages coming from email1@domain1.net

But, if I put two rules, like this:

    From: email1@domain1.net no
    To: email2@mydomain.net no

does not check mail coming from email1@domain1.net, and does not check mail going to email2@mydomain.net. But if a mail matches the two rules, that mail is checked by mailscanner.

Is this the supposed behavior?

Thanks,

--
*Nicolás Cánepa*
ncanepa@fcen.uba.ar
www.ccc.fcen.uba.ar
*Telephone* - /4576-3382/
*CCC* - /Centro de Comunicación Científica/
*UBA* - /Facultad de Ciencias Exactas y Naturales/

From ncanepa at fcen.uba.ar Wed Apr 25 18:05:30 2007
From: ncanepa at fcen.uba.ar (Nicolas Canepa)
Date: Wed Apr 25 18:06:30 2007
Subject: Zip files
Message-ID: <462F8A5A.3060605@fcen.uba.ar>

I have a problem with zip files. I want mailscanner not to unzip zip files, so I put in MailScanner.conf :

# Where the "gunzip" command is installed.
# This is used for expanding .gz files.
# To disable gzipped file checking, set this value to blank
# and the timeout to 0.
# Gunzip Command = /bin/gunzip
Gunzip Command =

# The maximum length of time the "gunzip" command is allowed to run to expand
# 1 attachment file (in seconds).
# Gunzip Timeout = 50
Gunzip Timeout = 0

The problem is that still unzips the files!
Should I change something else in the config file?

Thanks,

--
*Nicolás Cánepa*
ncanepa@fcen.uba.ar
www.ccc.fcen.uba.ar
*Telephone* - /4576-3382/
*CCC* - /Centro de Comunicación Científica/
*UBA* - /Facultad de Ciencias Exactas y Naturales/

From dominian at slackadelic.com Wed Apr 25 18:31:12 2007
From: dominian at slackadelic.com (Matt Hayes)
Date: Wed Apr 25 18:31:24 2007
Subject: Zip files
In-Reply-To: <462F8A5A.3060605@fcen.uba.ar>
References: <462F8A5A.3060605@fcen.uba.ar>
Message-ID: <462F9060.7030201@slackadelic.com>

Nicolas Canepa wrote:
> I have a problem with zip files. I want mailscanner not to unzip zip
> files, so I put in MailScanner.conf :
>
> # Where the "gunzip" command is installed.
> # This is used for expanding .gz files.
> # To disable gzipped file checking, set this value to blank
> # and the timeout to 0.
> # Gunzip Command = /bin/gunzip
> Gunzip Command =
>
> # The maximum length of time the "gunzip" command is allowed to run to expand
> # 1 attachment file (in seconds).
> # Gunzip Timeout = 50
> Gunzip Timeout = 0
>
> The problem is that still unzips the files!
> Should I change something else in the config file?
>
> Thanks,

Well, first off, gunzip has nothing to do with .zip files. Gunzip deals with .gz files. So you may want to double-check the config again and look for /bin/zip or /usr/bin/zip.

-Matt

From ncanepa at fcen.uba.ar Wed Apr 25 18:37:20 2007
From: ncanepa at fcen.uba.ar (Nicolas Canepa)
Date: Wed Apr 25 18:37:29 2007
Subject: Zip files
In-Reply-To: <462F9060.7030201@slackadelic.com>
References: <462F8A5A.3060605@fcen.uba.ar> <462F9060.7030201@slackadelic.com>
Message-ID: <462F91D0.3060407@fcen.uba.ar>

Thank you! I found it.

# Note: This setting does *not* affect virus scanning in archives at all.
#
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That block password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 0

# Find zip archives by filename or by file contents?
# Finding them by content is a far more reliable way of finding them, but
# it does mean that you cannot tell your users to avoid zip file checking
# by renaming the file from ".zip" to "_zip" and tricks like that.
# Only set this to no (i.e. check by filename only) if you don't want to
# reliably check the contents of zip files. Note this does not affect
# virus checking, but it will affect all the other checks done on the contents
# of the zip file.
# This can also be the filename of a ruleset.
Find Archives By Content = no

thanks,

*Nicolás Cánepa*
ncanepa@fcen.uba.ar
www.ccc.fcen.uba.ar
*Telephone* - /4576-3382/
*CCC* - /Centro de Comunicación Científica/
*UBA* - /Facultad de Ciencias Exactas y Naturales/

Matt Hayes wrote:
> Nicolas Canepa wrote:
>
>> I have a problem with zip files. I want mailscanner not to unzip zip
>> files, so I put in MailScanner.conf :
>>
>> # Where the "gunzip" command is installed.
>> # This is used for expanding .gz files.
>> # To disable gzipped file checking, set this value to blank
>> # and the timeout to 0.
>> # Gunzip Command = /bin/gunzip
>> Gunzip Command =
>>
>> # The maximum length of time the "gunzip" command is allowed to run to expand
>> # 1 attachment file (in seconds).
>> # Gunzip Timeout = 50 >> Gunzip Timeout = 0 >> >> The problem is that still unzips the files! >> Should I change something else in the config file? >> >> Thanks, > > > > Well, first off, gunzip has nothing to do with .zip files. Gunzip > deals with .gz files. So you may want to double-check the config > again and look for /bin/zip or /usr/bin/zip. > > -Matt > > From Denis.Beauchemin at USherbrooke.ca Wed Apr 25 18:43:37 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Apr 25 18:43:52 2007
Subject: Zip files
In-Reply-To: <462F8A5A.3060605@fcen.uba.ar>
References: <462F8A5A.3060605@fcen.uba.ar>
Message-ID: <462F9349.8050503@USherbrooke.ca>

Nicolas Canepa wrote:
> I have a problem with zip files. I want mailscanner not to unzip zip
> files, so I put in MailScanner.conf :
>
> # Where the "gunzip" command is installed.
> # This is used for expanding .gz files.
> # To disable gzipped file checking, set this value to blank
> # and the timeout to 0.
> # Gunzip Command = /bin/gunzip
> Gunzip Command =
>
> # The maximum length of time the "gunzip" command is allowed to run to expand
> # 1 attachment file (in seconds).
> # Gunzip Timeout = 50
> Gunzip Timeout = 0
>
> The problem is that still unzips the files!
> Should I change something else in the config file?
>
> Thanks,

Nicolas,

What you are looking for is:

# The maximum depth to which zip archives will be unpacked, to allow for
# checking filenames and filetypes within zip archives.
#
# Note: This setting does *not* affect virus scanning in archives at all.
#
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That block password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 0

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070425/8110fe65/smime.bin

From daniel.maher at ubisoft.com Wed Apr 25 19:35:19 2007
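The "Zip files" thread above ends on three settings (Maximum Archive Depth, Find Archives By Content, Allow Password-Protected Archives) whose combined effect the quoted config comments only describe. The following is an added example, not MailScanner's code and not from any poster, that models them in Python over constructed in-memory zip files; the function names, the deny list, the size limit and the finding labels are assumptions made for the illustration.

```python
import io
import zipfile

# Assumption: a tiny deny list standing in for a site's filename rules.
DENIED_SUFFIXES = (".exe", ".scr")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # example limit: do not expand anything larger


def is_archive(name, data, by_content):
    """Model of 'Find Archives By Content': yes = decide from the bytes, no = from the name."""
    if by_content:
        return zipfile.is_zipfile(io.BytesIO(data))
    return name.lower().endswith(".zip")


def check_attachment(name, data, max_depth, by_content, allow_encrypted=True, depth=1):
    """Return the findings for one attachment under the given settings.

    max_depth models 'Maximum Archive Depth': 0 turns off name checks inside
    archives, N checks member names down to N levels of nesting.
    """
    if not is_archive(name, data, by_content):
        # Not treated as an archive, so only its own name is checked.
        return [f"denied-name:{name}"] if name.lower().endswith(DENIED_SUFFIXES) else []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"unreadable-archive:{name}"]
    findings = []
    with zf:
        for member in zf.infolist():
            path = f"{name}/{member.filename}"
            if member.flag_bits & 0x1:  # bit 0 of the flags marks an encrypted member
                if not allow_encrypted:
                    findings.append(f"encrypted:{path}")
                continue  # contents are unreadable without the password
            if max_depth == 0:
                continue  # depth 0: no filename checks inside the archive
            if path.lower().endswith(DENIED_SUFFIXES):
                findings.append(f"denied-name:{path}")
            if member.file_size > MAX_MEMBER_BYTES:
                findings.append(f"oversize:{path}")
                continue
            inner = zf.read(member)
            if is_archive(path, inner, by_content):
                if depth >= max_depth:
                    findings.append(f"depth-exceeded:{path}")
                else:
                    findings.extend(check_attachment(
                        path, inner, max_depth, by_content, allow_encrypted, depth + 1))
    return findings


def make_zip(members):
    """Build a constructed sample zip in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag in each central-directory entry of a flat sample zip.

    No real encryption is applied; the sample only reports itself as
    password-protected so the check can be shown offline.
    """
    out = bytearray(zip_bytes)
    pos = out.find(b"PK\x01\x02")  # central directory file header signature
    while pos != -1:
        out[pos + 8] |= 0x01       # low byte of the general purpose flags
        pos = out.find(b"PK\x01\x02", pos + 4)
    return bytes(out)


if __name__ == "__main__":
    inner = make_zip({"setup.exe": b"constructed sample, not a real program"})
    nested = make_zip({"readme.txt": b"hello", "inner.zip": inner})
    locked = mark_encrypted(make_zip({"secret.txt": b"x"}))
    cases = [
        ("invoice.zip", inner, 0, False, True),   # depth 0, archives found by name
        ("invoice.zip", inner, 2, True, True),
        ("invoice_zip", inner, 2, False, True),   # renamed, found by name only
        ("invoice_zip", inner, 2, True, True),    # renamed, found by content
        ("docs.zip", nested, 1, True, True),
        ("locked.zip", locked, 0, False, False),  # depth 0 + password-protected = no
    ]
    for name, data, max_depth, by_content, allow_enc in cases:
        print(name, max_depth, by_content, allow_enc,
              check_attachment(name, data, max_depth, by_content, allow_enc))
```

With depth 0 and by-content detection off, the first case returns no findings even though the archive holds a .exe; per the quoted config comments, virus scanning inside archives is a separate step that these settings do not affect.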
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Apr 25 19:35:22 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>

> I think I discovered the patches in this same list.
> Anyway I'll post them again (wrapper might be slightly
> modified -- I don't remember)
>
> Apply SweepViruses.patch:
> clamav-0.90.2/contrib/clamdwatch
> There are install instructions there
>
> That's all.
> I don't remember doing something else,
> apart from telling the system that clamd
> should be running on system reboot.
>
> Good luck
>
> Giannis
> ps. This configuration works for me,
> Apply at your own risk.

Thank you for your prompt and informative reply!

Unfortunately, it "didn't work". :(

I followed all of the steps, including the wrapper, lint, and debug tests, and everything appeared to be ok. When I restarted MailScanner with "clamd" as the Virus Scanner, all continued to appear well. Messages were coming in, getting processed, ostensibly scanned, and passed along.

However, the load had dropped /so much/ compared to clamscan that I became suspicious. I sent a handful of messages with either the Eicar test string, or the Eicar zip file, through the mail server. They passed through cleanly, without so much as a warning. Clearly, messages were /not/ getting scanned by clamd.

I re-enabled clamscan, and sent the same Eicar test messages again; this time, they were identified as normal.

After some investigation, I noticed that the Incoming Work Dir was not owned by the proper group, as defined by:

Incoming Work Group = clamv

I chgrp -R'd the directory, and tried again, but to my surprise, when I restarted MailScanner, ownership reverted to postfix.root !

Does anybody have any idea why the permissions on the Incoming Work Dir are not being set properly, and what might be changing them? Furthermore, does this even seem to be the reason why clamd wasn't able to scan incoming mail?

As always, I appreciate any commentary or feedback.

Thank you.

--
   _
  °v°   Daniel Maher
 /(_)\  Administrateur Système Unix
  ^ ^   Unix System Administrator

"How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007.

From beatinger at edenhosting.net Wed Apr 25 19:38:54 2007
From: beatinger at edenhosting.net (Bjorgen T. Eatinger)
Date: Wed Apr 25 19:40:00 2007
Subject: MailScanner Digest, Vol 16, Issue 38
In-Reply-To: <200704251100.l3PB06ZU008913@safir.blacknight.ie>
References: <200704251100.l3PB06ZU008913@safir.blacknight.ie>
Message-ID:

Why haven't there been any updates to MailScanner for a long time?

Bjorgen

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailscanner-request@lists.mailscanner.info Sent: Wednesday, April 25, 2007 4:00 AM To: mailscanner@lists.mailscanner.info Subject: MailScanner Digest, Vol 16, Issue 38 Send MailScanner mailing list submissions to mailscanner@lists.mailscanner.info To subscribe or unsubscribe via the World Wide Web, visit http://lists.mailscanner.info/mailman/listinfo/mailscanner or, via email, send a message with subject or body 'help' to mailscanner-request@lists.mailscanner.info You can reach the person managing the list at mailscanner-owner@lists.mailscanner.info When replying, please edit your Subject line so it is more specific than "Re: Contents of MailScanner digest..." Today's Topics: 1. RE: Coming from everywhere (James R. Stevens) 2. RE: Coming from everywhere (Stephen Swaney) 3. No sendmail processes start when MS starts ( Alden Levy ) 4. RE: No sendmail processes start when MS starts (Mike Kercher) 5. RE: No sendmail processes start when MS starts (Mike Kercher) 6. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow (Kapetanakis Giannis) 7. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow (Kapetanakis Giannis) 8. RE: No sendmail processes start when MS starts (Alden Levy) 9. RE: No sendmail processes start when MS starts (Mike Kercher) 10. RE: No sendmail processes start when MS starts (Alden Levy) 11. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow (Michael Mansour) 12. RE: No sendmail processes start when MS starts (Martin.Hepworth) 13. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow (Julian Field) 14. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow (Julian Field) 15. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow (Julian Field) 16. 
Re: Upgrade to clamav 0.90.2 makes scanning extremely slow (Mogens Melander)

----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Apr 2007 15:49:17 -0500
From: "James R. Stevens"
Subject: RE: Coming from everywhere
To: "MailScanner discussion"
Message-ID: <1A65E6BAEADF9B4F865314484A13ECF160885D@atlas.athensdistributing.com>
Content-Type: text/plain; charset="utf-8"

Ok, I've been working on this for a few days and keep getting build errors on libsnert.
Trying to install Libsnert1.63 and milter-null.
Working with RedHat 9 box and RH ES and get the same issue when issue 'make build' of libsnert...
sendmail-8.12.8-9.90 which I understand already has libmilter compiled.

cli->/usr/sbin/sendmail -d0.1 -bv root | grep MILTER

returns

MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6

After configure (No options) of libsnert I get this after make build...Anyone have clear directions to install milters on RH 9 and RHES?

gcc -I/usr/include/db4 -I/usr/local/org/sqlite/include -D_REENTRANT -O2 -Wall -I./../../include -L/usr/local/org/sqlite/lib -L./../../lib -o smtpout smtpout.c -lsnert -lpthread -ldl
./../../lib/libsnert.a(socket2.o)(.text+0x3ee): In function `socketAddressCreate':
: undefined reference to `VectorGet'
..
[Snipit]
..
collect2: ld returned 1 exit status
make[1]: *** [smtpout] Error 1
make[1]: Leaving directory `/usr/local/com/snert/src/tools'
make: *** [build] Error 2

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, April 20, 2007 12:11 PM
To: MailScanner discussion
Subject: Re: Coming from everywhere

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Kettler wrote:
> James R. Stevens wrote:
>
>> Have we already addressed these ‘Failure notice’ ,
>> ‘Undeliverable’ –mails that are coming from everywhere. It
>> seems to be more and more users are seeing these messages getting through. Some 100 per day.
>>
>>
>>
>> Anyone else seeing these things? Different subjects etc..
>>
>
> http://www.google.com/search?hl=en&q=backscatter+email&btnG=Search
>
If you haven't got it installed already, grab a copy of milter-null.
Kills these things dead instantly. And you still get the delivery
failure messages that were actually caused by you mistyping addresses,
it doesn't just ditch all delivery failure reports.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.0 (Build 214)
Charset: UTF-8

wj8DBQFGKPUsEfZZRxQVtlQRAtqlAJ9rE1wJ6zM5SPW2hMxAjFZeEnOydgCgia76
J+SPMS4iVyJIU9evgwIKT2E=
=GygJ
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
--
This message has been scanned for viruses and
dangerous content by Athens Hyperion Scanner, and is
believed to be clean.

------------------------------

Message: 2
Date: Tue, 24 Apr 2007 17:14:52 -0400
From: "Stephen Swaney"
Subject: RE: Coming from everywhere
To: "'MailScanner discussion'"
Message-ID: <075e01c786b5$996f28b0$cc4d7a10$@swaney@fsl.com>
Content-Type: text/plain; charset="utf-8"

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of James R. Stevens
> Sent: Tuesday, April 24, 2007 4:49 PM
> To: MailScanner discussion
> Subject: RE: Coming from everywhere
>
> Ok, I've been working on this for a few days and keep getting build
> errors on libsnert.
> Trying to install Libsnert1.63 and milter-null.
> Working with RedHat 9 box and RH ES and get the same issue when issue
> 'make build' of libsnert...
> sendmail-8.12.8-9.90 which I understand already has libmilter compiled.
>
> cli->/usr/sbin/sendmail -d0.1 -bv root | grep MILTER
>
> returns
>
> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
>
> After configure (No options) of libsnert I get this after make
> build...Anyone have clear directions to install milters on RH 9 and
> RHES?
>
> gcc -I/usr/include/db4 -I/usr/local/org/sqlite/include -D_REENTRANT -O2
> -Wall -I./../../include -L/usr/local/org/sqlite/lib -L./../../lib -o
> smtpout smtpout.c -lsnert -lpthread -ldl
> ./../../lib/libsnert.a(socket2.o)(.text+0x3ee): In function
> `socketAddressCreate':
> : undefined reference to `VectorGet'
> ..
> [Snipit]
> ..
> collect2: ld returned 1 exit status
> make[1]: *** [smtpout] Error 1
> make[1]: Leaving directory `/usr/local/com/snert/src/tools'
> make: *** [build] Error 2
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Friday, April 20, 2007 12:11 PM
> To: MailScanner discussion
> Subject: Re: Coming from everywhere
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Matt Kettler wrote:
> > James R. Stevens wrote:
> >

You're better off going to www.snertsoft.com for support. Anthony Howe does not monitor this list although I've bcc'd him on this response.

Best regards,

Steve

Steve Swaney
steve@fsl.com

------------------------------

Message: 3
Date: Tue, 24 Apr 2007 22:38:23 +0000
From: " Alden Levy " Subject: No sendmail processes start when MS starts To: mailscanner@lists.mailscanner.info Message-ID: <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026-cell00.bisx.prod.on.blackberry> Content-Type: text/plain I've been using MS for a few years now with very few problems. However, my old server is on its last legs, so I've decided to migrate to a shiny new box. I've moved my /etc/MailScanner conf, prefs, rules, etc. files from the old box to the new. I've not yet moved bayes, but I assume that shouldn't be a problem (right?) The new OS is CentOS 4.4, and I've upgraded MS to the latest version. I'm unsure if MS worked properly before the upgrade. I am also using sendmail 8.13 (the old server was 8.10), and I changed the Lock Type. I've upgraded sa to 3.18 and clamav to 0.92, but I'm using clamav, not clamavmodule, so that should work. After I installed, I went through the routine of chkconfig sendmail off..... When I start up MS, I get notification "starting MailScanner [OK]" (or similar--I'm not in front of a console now), but no sendmail processes are started. My maillog files seem to be okay, all the children start, sa is okay as is clam; but of course, there are no sendmail processes. When I lint sa, everything's okay. I can't seem to debug MS; it hangs, because there's no mail--or is my assumption incorrect? I'm not sure where to look, though. Any suggestions would be appreciated. Thanks, Alden Alden Levy Engine No. 9, Inc. 130 West 57th Street, Suite 2F New York, NY 10019 (212) 981-1122 (212) 504-9598 (fax) www.engineno9inc.com ------------------------------ Message: 4 Date: Tue, 24 Apr 2007 18:02:46 -0500 
From: "Mike Kercher" Subject: RE: No sendmail processes start when MS starts To: "MailScanner discussion" Message-ID: <6115482898C59848B35DB9D491C9A28E4D87@srv1.home.middlefinger.net> Content-Type: text/plain; charset="us-ascii" mailscanner-bounces@lists.mailscanner.info <> scribbled on : : I've been using MS for a few years now with very few : problems. However, my old server is on its last legs, so I've : decided to migrate to a shiny new box. I've moved my : /etc/MailScanner conf, prefs, rules, etc. files from the old : box to the new. I've not yet moved bayes, but I assume that : shouldn't be a problem (right?) : : The new OS is CentOS 4.4, and I've upgraded MS to the latest : version. I'm unsure if MS worked properly before the upgrade. : I am also using sendmail 8.13 (the old server was 8.10), and : I changed the Lock Type. I've upgraded sa to 3.18 and clamav : to 0.92, but I'm using clamav, not clamavmodule, so that should work. : : After I installed, I went through the routine of chkconfig : sendmail off..... : : When I start up MS, I get notification "starting MailScanner : [OK]" (or similar--I'm not in front of a console now), but no : sendmail processes are started. My maillog files seem to be : okay, all the children start, sa is okay as is clam; but of : course, there are no sendmail processes. : : When I lint sa, everything's okay. I can't seem to debug MS; : it hangs, because there's no mail--or is my assumption : incorrect? I'm not sure where to look, though. Any : suggestions would be appreciated. : : Thanks, : Alden : Did you STOP sendmail before starting MS? Mike ------------------------------ Message: 5 Date: Tue, 24 Apr 2007 18:12:08 -0500 
From: "Mike Kercher" Subject: RE: No sendmail processes start when MS starts To: "MailScanner discussion" Message-ID: <6115482898C59848B35DB9D491C9A28E4D88@srv1.home.middlefinger.net> Content-Type: text/plain; charset="us-ascii" mailscanner-bounces@lists.mailscanner.info <> scribbled on : : I've been using MS for a few years now with very few : problems. However, my old server is on its last legs, so I've : decided to migrate to a shiny new box. I've moved my : /etc/MailScanner conf, prefs, rules, etc. files from the old : box to the new. I've not yet moved bayes, but I assume that : shouldn't be a problem (right?) : : The new OS is CentOS 4.4, and I've upgraded MS to the latest : version. I'm unsure if MS worked properly before the upgrade. : I am also using sendmail 8.13 (the old server was 8.10), and : I changed the Lock Type. I've upgraded sa to 3.18 and clamav : to 0.92, but I'm using clamav, not clamavmodule, so that should work. : : After I installed, I went through the routine of chkconfig : sendmail off..... : : When I start up MS, I get notification "starting MailScanner : [OK]" (or similar--I'm not in front of a console now), but no : sendmail processes are started. My maillog files seem to be : okay, all the children start, sa is okay as is clam; but of : course, there are no sendmail processes. : : When I lint sa, everything's okay. I can't seem to debug MS; : it hangs, because there's no mail--or is my assumption : incorrect? I'm not sure where to look, though. Any : suggestions would be appreciated. : : Thanks, : Alden I'd also look in other logs...could this be an SELinux problem? Mike ------------------------------ Message: 6 Date: Wed, 25 Apr 2007 02:14:11 +0300 (EEST) 
From: Kapetanakis Giannis
Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
To: MailScanner discussion
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 24 Apr 2007, Julian Field wrote:

> Kapetanakis Giannis wrote:
>>
>> Clamd works fast on the other hand.
>> Maybe it should be included officially (clamdscan)
>> in MailScanner's the next version.
> Why? I already support the "clamavmodule" which is faster than clamd anyway.
>
> Jules
>

I haven't tried clamavmodule.
I took the wrapper for clamd and the modified VirusSweep.pm and it works sweet.

I'll also check clamavmodule to see what's going on :)

Giannis

------------------------------

Message: 7
Date: Wed, 25 Apr 2007 02:19:23 +0300 (EEST)
From: Kapetanakis Giannis
Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
To: MailScanner discussion
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 24 Apr 2007, Ed Bruce wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Julian Field wrote:
>>
>>
>> Kapetanakis Giannis wrote:
>>> On Mon, 23 Apr 2007, Martin wrote:
>>
>>> Clamd works fast on the other hand.
>>> Maybe it should be included officially (clamdscan)
>>> in MailScanner's the next version.
>> Why? I already support the "clamavmodule" which is faster than clamd anyway.
>>
>> Jules
>>
>
> And I haven't noticed any performance degradation with clamavmodule
> since upgrading to 0.90.2.

Same for me...
I remembered now that I did try clamavmodule. The load now is seen in the MailScanner but I guess it is the perl module that is being loaded.

From a little debug I did in clamavscan what it does and takes so long is:

Loading the database
copying the database to /tmp/
loading the database from /tmp

It does this for every mail it comes in.
How does clamavmodule handle the db?
Clamd only loads the db once.

Giannis

------------------------------

Message: 8
Date: Tue, 24 Apr 2007 21:43:45 -0400
From: "Alden Levy" Subject: RE: No sendmail processes start when MS starts To: Message-ID: <000601c786db$2ac2ae70$5e01a8c0@AldenLap> Content-Type: text/plain; charset="us-ascii" -----Original Message----- 
From: Alden Levy [mailto:alden@engineno9inc.com] Sent: Tuesday, April 24, 2007 6:38 PM To: mailscanner@lists.mailscanner.info Subject: No sendmail processes start when MS starts : I've been using MS for a few years now with very few : problems. However, my old server is on its last legs, so I've : decided to migrate to a shiny new box. I've moved my : /etc/MailScanner conf, prefs, rules, etc. files from the old : box to the new. I've not yet moved bayes, but I assume that : shouldn't be a problem (right?) : : The new OS is CentOS 4.4, and I've upgraded MS to the latest : version. I'm unsure if MS worked properly before the upgrade. : I am also using sendmail 8.13 (the old server was 8.10), and : I changed the Lock Type. I've upgraded sa to 3.18 and clamav : to 0.92, but I'm using clamav, not clamavmodule, so that should work. : : After I installed, I went through the routine of chkconfig : sendmail off..... : : When I start up MS, I get notification "starting MailScanner : [OK]" (or similar--I'm not in front of a console now), but no : sendmail processes are started. My maillog files seem to be : okay, all the children start, sa is okay as is clam; but of : course, there are no sendmail processes. : : When I lint sa, everything's okay. I can't seem to debug MS; : it hangs, because there's no mail--or is my assumption : incorrect? I'm not sure where to look, though. Any : suggestions would be appreciated. : : Thanks, : Alden : I've been using MS for a few years now with very few : problems. However, my old server is on its last legs, so I've : decided to migrate to a shiny new box. I've moved my : /etc/MailScanner conf, prefs, rules, etc. files from the old : box to the new. I've not yet moved bayes, but I assume that : shouldn't be a problem (right?) : : The new OS is CentOS 4.4, and I've upgraded MS to the latest : version. I'm unsure if MS worked properly before the upgrade. : I am also using sendmail 8.13 (the old server was 8.10), and : I changed the Lock Type. 
I've upgraded sa to 3.18 and clamav : to 0.92, but I'm using clamav, not clamavmodule, so that should work. : : After I installed, I went through the routine of chkconfig : sendmail off..... : : When I start up MS, I get notification "starting MailScanner : [OK]" (or similar--I'm not in front of a console now), but no : sendmail processes are started. My maillog files seem to be : okay, all the children start, sa is okay as is clam; but of : course, there are no sendmail processes. : : When I lint sa, everything's okay. I can't seem to debug MS; : it hangs, because there's no mail--or is my assumption : incorrect? I'm not sure where to look, though. Any : suggestions would be appreciated. : : Thanks, : Alden I'd also look in other logs...could this be an SELinux problem? Mike SELinux is disabled. And, yes, I restarted MailScanner after the install. Would that it were so easy! Please keep the ideas and suggestions coming. Thanks, Alden ------------------------------ Message: 9 Date: Tue, 24 Apr 2007 21:05:45 -0500 From: "Mike Kercher" Subject: RE: No sendmail processes start when MS starts To: "MailScanner discussion" Message-ID: <6115482898C59848B35DB9D491C9A28E4D8A@srv1.home.middlefinger.net> Content-Type: text/plain; charset="us-ascii" mailscanner-bounces@lists.mailscanner.info <> scribbled on : : : I'd also look in other logs...could this be an SELinux problem? : : Mike : : SELinux is disabled. And, yes, I restarted MailScanner after : the install. : Would that it were so easy! Please keep the ideas and : suggestions coming. : : Thanks, : Alden : How about some log entries from /var/log/maillog and /var/log/messages at the time of a 'service MailScanner restart'. Just do this: # service MailScanner restart;tail -f /var/log/maillog /var/log/message Paste a bit of those logs and also a ps -ef Might as well throw a chkconfig sendmail --list in there too. Mike ------------------------------ Message: 10 Date: Tue, 24 Apr 2007 22:29:31 -0400 
From: "Alden Levy" Subject: RE: No sendmail processes start when MS starts To: Message-ID: <001101c786e1$900b6d20$5e01a8c0@AldenLap> Content-Type: text/plain; charset="us-ascii" : : I'd also look in other logs...could this be an SELinux problem? : : Mike : : SELinux is disabled. And, yes, I restarted MailScanner after : the install. : Would that it were so easy! Please keep the ideas and : suggestions coming. : : Thanks, : Alden : How about some log entries from /var/log/maillog and /var/log/messages at the time of a 'service MailScanner restart'. Just do this: # service MailScanner restart;tail -f /var/log/maillog /var/log/message Paste a bit of those logs and also a ps -ef Might as well throw a chkconfig sendmail --list in there too. Mike Here you go: service MailScanner restart;tail -f /var/log/maillog /var/log/messages Shutting down MailScanner: [ OK ] Starting MailScanner: [ OK ] ==> /var/log/maillog <== Apr 24 22:25:55 E9 MailScanner[14241]: Read 764 hostnames from the phishing whitelist Apr 24 22:25:55 E9 MailScanner[14241]: Using SpamAssassin results cache Apr 24 22:25:55 E9 MailScanner[14241]: Connected to SpamAssassin cache database Apr 24 22:25:57 E9 MailScanner[14241]: Using locktype = posix Apr 24 22:25:57 E9 MailScanner[14241]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Apr 24 22:26:21 E9 MailScanner[14239]: MailScanner child caught a SIGHUP Apr 24 22:26:21 E9 MailScanner[14229]: MailScanner child caught a SIGHUP Apr 24 22:26:21 E9 MailScanner[14237]: MailScanner child caught a SIGHUP Apr 24 22:26:21 E9 MailScanner[14241]: MailScanner child caught a SIGHUP Apr 24 22:26:21 E9 MailScanner[14235]: MailScanner child caught a SIGHUP ==> /var/log/messages <== Apr 24 22:10:01 E9 logger: weblogs: (14070) starting. Apr 24 22:10:02 E9 logger: weblogs: (14070) done. Apr 24 22:20:01 E9 logger: weblogs: (14080) starting. Apr 24 22:20:02 E9 logger: weblogs: (14080) done. 
Apr 24 22:24:14 E9 sshd(pam_unix)[14089]: session opened for user root by root(uid=0) Apr 24 22:24:49 E9 MailScanner: MailScanner -15 succeeded Apr 24 22:25:19 E9 MailScanner: MailScanner shutdown failed Apr 24 22:25:35 E9 MailScanner: succeeded Apr 24 22:26:21 E9 MailScanner: MailScanner -15 succeeded Apr 24 22:26:36 E9 MailScanner: succeeded ==> /var/log/maillog <== Apr 24 22:26:36 E9 MailScanner[14316]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... Apr 24 22:26:36 E9 MailScanner[14316]: Read 764 hostnames from the phishing whitelist Apr 24 22:26:37 E9 MailScanner[14316]: Using SpamAssassin results cache Apr 24 22:26:37 E9 MailScanner[14316]: Connected to SpamAssassin cache database Apr 24 22:26:38 E9 MailScanner[14316]: Using locktype = posix Apr 24 22:26:38 E9 MailScanner[14316]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Apr 24 22:26:41 E9 MailScanner[14322]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... Apr 24 22:26:41 E9 MailScanner[14322]: Read 764 hostnames from the phishing whitelist Apr 24 22:26:42 E9 MailScanner[14322]: Using SpamAssassin results cache Apr 24 22:26:42 E9 MailScanner[14322]: Connected to SpamAssassin cache database Apr 24 22:26:43 E9 MailScanner[14322]: Using locktype = posix Apr 24 22:26:43 E9 MailScanner[14322]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Apr 24 22:26:46 E9 MailScanner[14324]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... Apr 24 22:26:46 E9 MailScanner[14324]: Read 764 hostnames from the phishing whitelist Apr 24 22:26:47 E9 MailScanner[14324]: Using SpamAssassin results cache Apr 24 22:26:47 E9 MailScanner[14324]: Connected to SpamAssassin cache database Apr 24 22:26:48 E9 MailScanner[14324]: Using locktype = posix Apr 24 22:26:48 E9 MailScanner[14324]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Apr 24 22:26:51 E9 MailScanner[14326]: MailScanner E-Mail Virus Scanner version 4.58.9 starting... 
Apr 24 22:26:51 E9 MailScanner[14326]: Read 764 hostnames from the phishing whitelist Apr 24 22:26:52 E9 MailScanner[14326]: Using SpamAssassin results cache Apr 24 22:26:52 E9 MailScanner[14326]: Connected to SpamAssassin cache database Apr 24 22:26:53 E9 MailScanner[14326]: Using locktype = posix Apr 24 22:26:53 E9 MailScanner[14326]: Creating hardcoded struct_flock subroutine for linux (Linux-type) chkconfig sendmail --list sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off Thanks, Alden ------------------------------ Message: 11 Date: Wed, 25 Apr 2007 16:35:02 +1000 (EST) 
From: Michael Mansour Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow To: MailScanner discussion Message-ID: <989725.51785.qm@web33303.mail.mud.yahoo.com> Content-Type: text/plain; charset="iso-8859-1" Hi Ed, Ed Bruce wrote:Julian Field wrote: > > Kapetanakis Giannis wrote: >> On Mon, 23 Apr 2007, Martin wrote: > >>> Arto wrote: >>> >>>> We had this too. Uninstalling clamav* and installing it again helped. >>>> >>>> -arto >>>> >>> Thanks for all replies. Read about this issue on the clamav-list and >>> hopefully it will be fixed in the next version. >> I have similar problems with clamav myself. > >> What I did that improved a little bit >> was deleting the virus database in /var/lib/clamav/* >> and running freshclam again. > >> Still is very slow. If you try clamscan -debug you will >> find out why it is so damn slow.... > >> Clamd works fast on the other hand. >> Maybe it should be included officialy (clamdscan) >> in MailScanner's the next version. > Why? I already support the "clamavmodule" which is faster than clamd anyway. > > Jules And I haven't noticed any performance degradation with clamavmodule since upgrading to 0.90.2. Pardon my ignorance Ed, but I'm unfamiliar with clamavmodule, I just use the clamscan approach and have also experienced the load shoot up since updating to 0.90.2. Are there any instructions on installing clamavmodule? If that fixes the load problem I'll be happy to do it. Thanks. Michael. Send instant messages to your online friends http://au.messenger.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070425/d577b665/attachment-0001.html ------------------------------ Message: 12 Date: Wed, 25 Apr 2007 09:07:11 +0100 
From: "Martin.Hepworth" Subject: RE: No sendmail processes start when MS starts To: "MailScanner discussion" Message-ID: Content-Type: text/plain; charset="us-ascii" Alden Try "service MailScanner startin" This starts the incoming sendmail. Have a look for errors In the logs - /var/log/messages and /var/log/maillog. Also have a look at the mailscanner rc script and make sure things are pointing at the correct sendmail configs/binaries etc... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alden Levy > Sent: 25 April 2007 03:30 > To: mailscanner@lists.mailscanner.info > Subject: RE: No sendmail processes start when MS starts > > : > : I'd also look in other logs...could this be an SELinux problem? > : > : Mike > : > : SELinux is disabled. And, yes, I restarted MailScanner after > : the install. > : Would that it were so easy! Please keep the ideas and > : suggestions coming. > : > : Thanks, > : Alden > : > > How about some log entries from /var/log/maillog and /var/log/messages > at the time of a 'service MailScanner restart'. Just do this: > > # service MailScanner restart;tail -f /var/log/maillog /var/log/message > > Paste a bit of those logs and also a ps -ef Might as well throw a > chkconfig sendmail --list in there too. > > Mike > > Here you go: > service MailScanner restart;tail -f /var/log/maillog /var/log/messages > Shutting down MailScanner: [ OK ] > Starting MailScanner: [ OK ] > ==> /var/log/maillog <== > Apr 24 22:25:55 E9 MailScanner[14241]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:25:55 E9 MailScanner[14241]: Using SpamAssassin results cache > Apr 24 22:25:55 E9 MailScanner[14241]: Connected to SpamAssassin cache > database > Apr 24 22:25:57 E9 MailScanner[14241]: Using locktype = posix > Apr 24 22:25:57 E9 MailScanner[14241]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:21 E9 MailScanner[14239]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14229]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14237]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14241]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14235]: MailScanner child caught a SIGHUP > > ==> /var/log/messages <== > Apr 24 22:10:01 E9 logger: weblogs: (14070) starting. > Apr 24 22:10:02 E9 logger: weblogs: (14070) done. 
> Apr 24 22:20:01 E9 logger: weblogs: (14080) starting. > Apr 24 22:20:02 E9 logger: weblogs: (14080) done. > Apr 24 22:24:14 E9 sshd(pam_unix)[14089]: session opened for user root by > root(uid=0) > Apr 24 22:24:49 E9 MailScanner: MailScanner -15 succeeded > Apr 24 22:25:19 E9 MailScanner: MailScanner shutdown failed > Apr 24 22:25:35 E9 MailScanner: succeeded > Apr 24 22:26:21 E9 MailScanner: MailScanner -15 succeeded > Apr 24 22:26:36 E9 MailScanner: succeeded > > ==> /var/log/maillog <== > Apr 24 22:26:36 E9 MailScanner[14316]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:36 E9 MailScanner[14316]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:37 E9 MailScanner[14316]: Using SpamAssassin results cache > Apr 24 22:26:37 E9 MailScanner[14316]: Connected to SpamAssassin cache > database > Apr 24 22:26:38 E9 MailScanner[14316]: Using locktype = posix > Apr 24 22:26:38 E9 MailScanner[14316]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:41 E9 MailScanner[14322]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:41 E9 MailScanner[14322]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:42 E9 MailScanner[14322]: Using SpamAssassin results cache > Apr 24 22:26:42 E9 MailScanner[14322]: Connected to SpamAssassin cache > database > Apr 24 22:26:43 E9 MailScanner[14322]: Using locktype = posix > Apr 24 22:26:43 E9 MailScanner[14322]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:46 E9 MailScanner[14324]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... 
> Apr 24 22:26:46 E9 MailScanner[14324]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:47 E9 MailScanner[14324]: Using SpamAssassin results cache > Apr 24 22:26:47 E9 MailScanner[14324]: Connected to SpamAssassin cache > database > Apr 24 22:26:48 E9 MailScanner[14324]: Using locktype = posix > Apr 24 22:26:48 E9 MailScanner[14324]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:51 E9 MailScanner[14326]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:51 E9 MailScanner[14326]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:52 E9 MailScanner[14326]: Using SpamAssassin results cache > Apr 24 22:26:52 E9 MailScanner[14326]: Connected to SpamAssassin cache > database > Apr 24 22:26:53 E9 MailScanner[14326]: Using locktype = posix > Apr 24 22:26:53 E9 MailScanner[14326]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > > > > chkconfig sendmail --list > sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off > > Thanks, > Alden > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. 
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** ------------------------------ Message: 13 Date: Wed, 25 Apr 2007 10:49:22 +0100 
From: Julian Field Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow To: MailScanner discussion Message-ID: <462F2422.7060508@ecs.soton.ac.uk> Content-Type: text/plain; charset="UTF-8" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul Hutchings wrote: > Newbie talking so feel free to shoot me down in flames :-) > > My understanding (from clamscan --debug) is that each time you run clamscan it appears it has to read the virus patterns, unpack them (to /tmp), scan the files, remove the files. > Correct. > This is the "probably talking out my bum" bit, but that sounds less efficient than clamd where (I assume) the daemon loads the definitions once and each child process doesn't have to do this? > The "clamavmodule" method is more efficient as it just communicates directly with the clam function library and doesn't involve any external processes at all. The definitions are loaded up once and kept in memory by the function library. This is also more reliable as there is no external daemon (clamd) which might crash, or leak memory or other resources. The signature files are monitored and if any of them change at all then the library is immediately told to re-load the new definitions so it is always using up to date signatures. If you use my latest ClamAV+SA package from www.mailscanner.info, that will install everything needed to use the "clamavmodule" method and will even do the configuration for you. I hope that explains it to you :-) Jules. > Cheers, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva > Sent: 24 April 2007 17:09 > To: mailscanner@lists.mailscanner.info > Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > > Julian Field spake the following on 4/24/2007 8:52 AM: > >> Kapetanakis Giannis wrote: >> >>> On Mon, 23 Apr 2007, Martin wrote: >>> >>>> Arto wrote: >>>> >>>> >>>>> We had this too. Uninstalling clamav* and installing it again helped. >>>>> >>>>> -arto >>>>> >>>>> >>>> Thanks for all replies. Read about this issue on the clamav-list and >>>> hopefully it will be fixed in the next version. >>>> >>> I have similar problems with clamav myself. >>> >>> What I did that improved a little bit >>> was deleting the virus database in /var/lib/clamav/* >>> and running freshclam again. >>> >>> Still is very slow. If you try clamscan -debug you will >>> find out why it is so damn slow.... >>> >>> Clamd works fast on the other hand. >>> Maybe it should be included officialy (clamdscan) >>> in MailScanner's the next version. >>> >> Why? I already support the "clamavmodule" which is faster than clamd anyway. >> >> Jules >> >> > Are there any tips on commandline diagnostics for the clamavmodule? > I have a system that has been choking with the module for 2 weeks, and the > mailscanner.conf fix isn't working with it. > I am running clamav now, but the load is much higher. > > I am going to try the tip of clearing the definitions and re-running freshclam > to see if that helps. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: UTF-8 wj8DBQFGLyUjEfZZRxQVtlQRAgHmAKDicios1jDH3ARV1ICK/aFwvNhxGQCeLwST aSDBRADTfsx8XmrCUPCKfIw= =sWwm -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk ------------------------------ Message: 14 Date: Wed, 25 Apr 2007 10:53:12 +0100 
From: Julian Field Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow To: MailScanner discussion Message-ID: <462F2508.3000505@ecs.soton.ac.uk> Content-Type: text/plain; charset="ISO-8859-1" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kapetanakis Giannis wrote: > On Tue, 24 Apr 2007, Ed Bruce wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Julian Field wrote: >>> >>> >>> Kapetanakis Giannis wrote: >>>> On Mon, 23 Apr 2007, Martin wrote: >>> >>>> Clamd works fast on the other hand. >>>> Maybe it should be included officialy (clamdscan) >>>> in MailScanner's the next version. >>> Why? I already support the "clamavmodule" which is faster than clamd >>> anyway. >>> >>> Jules >>> >> >> And I haven't noticed any performance degradation with clamavmodule >> since upgrading to 0.90.2. > > Same for me... > > I remembered now that I did try clamavmodule. > The load now is seen in the MailScanner but I guess it is > the perl module that is being loaded. > >> From a little debug I did in clamavscan > what it does and takes so long is: > > Loading the database > copying the database to /tmp/ > loading the database from /tmp > > It does this for every mail it comes in. Slight correction: it does it once for every batch. > > How does clamavmodule handle the db? > > Clamd only loads the db once. clamavmodule loads the db once at startup. It then monitors the signature files and instantly reloads the db if the signatures files change at all. > > Giannis Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: ISO-8859-1 wj8DBQFGLyUlEfZZRxQVtlQRAhm5AJ4p6bnCBNLPT8vl8aDKsfxBRrxPqACgnHxB 8yt9xZuLY9J8fq6e0jv2E0M= =Ot+1 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk ------------------------------ Message: 15 Date: Wed, 25 Apr 2007 10:54:32 +0100 
From: Julian Field Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow To: MailScanner discussion Message-ID: <462F2558.3060802@ecs.soton.ac.uk> Content-Type: text/plain; charset="ISO-8859-1" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Mansour wrote: > Hi Ed, > > */Ed Bruce /* wrote: > > Julian Field wrote: > > > > Kapetanakis Giannis wrote: > >> On Mon, 23 Apr 2007, Martin wrote: > > > >>> Arto wrote: > >>> > >>>> We had this too. Uninstalling clamav* and installing it again > helped. > >>>> > >>>> -arto > >>>> > >>> Thanks for all replies. Read about this issue on the > clamav-list and > >>> hopefully it will be fixed in the next version. > >> I have similar problems with clamav myself. > > > >> What I did that improved a little bit > >> was deleting the virus database in /var/lib/clamav/* > >> and running freshclam again. > > > >> Still is very slow. If you try clamscan -debug you will > >> find out why it is so damn slow.... > > > >> Clamd works fast on the other hand. > >> Maybe it should be included officialy (clamdscan) > >> in MailScanner's the next version. > > Why? I already support the "clamavmodule" which is faster than > clamd anyway. > > > > Jules > > And I haven't noticed any performance degradation with clamavmodule > since upgrading to 0.90.2. > > Pardon my ignorance Ed, but I'm unfamiliar with clamavmodule, I just > use the clamscan approach and have also experienced the load shoot up > since updating to 0.90.2. > > Are there any instructions on installing clamavmodule? Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead simple. > > If that fixes the load problem I'll be happy to do it. > > Thanks. > > Michael. > > Send instant messages to your online friends > http://au.messenger.yahoo.com > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.0 (Build 214) Charset: ISO-8859-1 wj8DBQFGLyVlEfZZRxQVtlQRAmBuAJ0YKR63Xsqlk9+XxqKnMkQqcOF41ACeKKeP wAk5atE53YSjXciVUNDdYTs= =YhPX -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk ------------------------------ Message: 16 Date: Wed, 25 Apr 2007 12:26:58 +0200 (CEST) From: "Mogens Melander" Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow To: "MailScanner discussion" Message-ID: <1202.90.184.17.152.1177496818.squirrel@mail.fumlersoft.dk> Content-Type: text/plain;charset=utf-8 Hi all, >> Are there any instructions on installing clamavmodule? > Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead > simple. I'm using openprotect w/ clamav. Would i be able to install this "easy-to-use ClamAV+SA package" on top of openprotect, and live to tell about it ? -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 -- This message has been scanned for viruses and dangerous content by OpenProtect(http://www.openprotect.com), and is believed to be clean. ------------------------------ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read the Wiki (http://wiki.mailscanner.info/). Support MailScanner development - buy the book off the website! End of MailScanner Digest, Vol 16, Issue 38 ******************************************* -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dhawal at netmagicsolutions.com Wed Apr 25 19:49:49 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Apr 25 19:50:01 2007
Subject: MailScanner Digest, Vol 16, Issue 38
In-Reply-To:
References: <200704251100.l3PB06ZU008913@safir.blacknight.ie>
Message-ID: <462FA2CD.3030401@netmagicsolutions.com>

Bjorgen T. Eatinger wrote:
> Why haven't there been any updates to MailScanner for a long time?

it's got to do with some voodoo stuff.. details are on a need to know basis only..

From ssilva at sgvwater.com Wed Apr 25 20:35:02 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Apr 25 20:35:40 2007
Subject: scan.messager.rules
In-Reply-To: <462F89D1.6000404@fcen.uba.ar>
References: <462F89D1.6000404@fcen.uba.ar>
Message-ID:

Nicolas Canepa spake the following on 4/25/2007 10:03 AM:
> I need to whitelist some mails from one determined address to other email
> address. playing a bit with scan.messages.rules, I've seen that if I put
> this
>
> From: email1@domain1.net no
>
> Does not scan at all messages coming from email1@domain1.net
> But, if I put two rules, like this:
> From: email1@domain1.net no
> To: email2@mydomain.net no
> does not check mail coming from email1@domain1.net, and does not check
> mail going to email2@mydomain.net. But if a mail matches the two rules,
> that mail is checked by mailscanner.
>
> Is this the supposed behavior?
>
> Thanks,

Your system seems to think the rule looks like this;

From: email1@domain1.net and To: email2@mydomain.net no

I don't think that is the behavior intended. Do you have a "FromorTo: default yes" rule in there? Not sure if it is necessary, but maybe the parser is getting loaded, and without a default action is firing on the last seen variables.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Apr 25 20:38:35 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 25 20:40:14 2007 Subject: MailScanner Digest, Vol 16, Issue 38 In-Reply-To: <462FA2CD.3030401@netmagicsolutions.com> References: <200704251100.l3PB06ZU008913@safir.blacknight.ie> <462FA2CD.3030401@netmagicsolutions.com> Message-ID: Dhawal Doshy spake the following on 4/25/2007 11:49 AM: > Bjorgen T. Eatinger wrote: >> Why haven't there been any updates to MailScanner for a long time? > > its got to do with some voodoo stuff.. details are on a need to know > basis only.. Aww.. You told Dhawal! Now we are going to have to take care of him! ;-P Waving the chicken over my head right now!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Apr 25 20:48:13 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 25 20:48:23 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk> Message-ID: > Are there any tips on commandline diagnostics for the clamavmodule? > I have a system that has been choking with the module for 2 weeks, and the > mailscanner.conf fix isn't working with it. > I am running clamav now, but the load is much higher. > > I am going to try the tip of clearing the definitions and re-running freshclam > to see if that helps. I have tried re-downloading the definitions, but this system still just keeps re-starting with clamavmodule. I have another near-identical system that works fine. I guess I will have to run MailScanner in debug this weekend to see if I get more clues as to why one system is failing. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Apr 25 20:54:11 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 25 20:54:31 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <462F2558.3060802@ecs.soton.ac.uk> References: <989725.51785.qm@web33303.mail.mud.yahoo.com> <462F2558.3060802@ecs.soton.ac.uk> Message-ID: > >> Are there any instructions on installing clamavmodule? > Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead > simple. >> If that fixes the load problem I'll be happy to do it. > Anybody have any commandline tests for clamavmodule? I have a system that it isn't working on since the last upgrade. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Apr 25 20:52:26 2007 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Apr 25 20:55:08 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>
Message-ID:

Daniel Maher spake the following on 4/25/2007 11:35 AM:
>> I think I discovered the patches in this same list.
>> Anyway I'll post them again (wrapper might be slightly
>> modified -- I don't remember)
>>
>> Apply SweepViruses.patch:
>
>
>
>> clamav-0.90.2/contrib/clamdwatch
>> There are install instructions there
>>
>> That's all.
>> I don't remember doing something else,
>> apart from telling the system that clamd
>> should be running on system reboot.
>>
>> Good luck
>>
>> Giannis
>> ps. This configuration works for me,
>> Apply at your own risk.
>
>
> Thank you for your prompt and informative reply! Unfortunately, it "didn't work". :( I followed all of the steps, including the wrapper, lint, and debug tests, and everything appeared to be ok.
>
> When I restarted MailScanner with "clamd" as the Virus Scanner, all continued to appear well. Messages were coming in, getting processed, ostensibly scanned, and passed along. However, the load had dropped /so much/ compared to clamscan that I became suspicious. I sent a handful of messages with either the Eicar test string, or the Eicar zip file, through the mail server. They passed through cleanly, without so much as a warning.
>
> Clearly, messages were /not/ getting scanned by clamd. I re-enabled clamscan, and sent the same Eicar test messages again; this time, they were identified as normal.
>
> After some investigation, I noticed that the Incoming Work Dir was not owned by the proper group, as defined by: Incoming Work Group = clamv
> I chgrp -R'd the directory, and tried again, but to my surprise, when I restarted MailScanner, ownership reverted to postfix.root !
>
> Does anybody have any idea why the permissions on the Incoming Work Dir are not being set properly, and what might be changing them? Furthermore, does this even seem to be the reason why clamd wasn't able to scan incoming mail?
>
> As always, I appreciate any commentary or feedback. Thank you.
>
>
> --
> _
> ?v? Daniel Maher
> /(_)\ Administrateur Système Unix
> ^ ^ Unix System Administrator
>
> "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007.

Probably the user that provided the patches is running sendmail, and you are running postfix.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From daniel.maher at ubisoft.com Wed Apr 25 21:08:45 2007
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Apr 25 21:08:48 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204CA7CE7@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> Sent: April 25, 2007 3:52 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
>
> Probably the user that provided the patches is running sendmail, and you
> are
> running postfix.

Having examined the patch, there does not appear to be anything that is sendmail-specific. In fact, it is quite a simple patch which adds "clamd" as a valid virus scanner, and nothing else.

--
_
?v? Daniel Maher
/(_)\ Administrateur Système Unix
^ ^ Unix System Administrator

"How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007.

From dan.farmer at phonedir.com Wed Apr 25 21:47:29 2007
From: dan.farmer at phonedir.com (Dan Farmer) Date: Wed Apr 25 21:47:57 2007 Subject: ClamAVModule Oversized.Zip Message-ID: <2F944552-8F2B-4D53-A69D-6D3D83B4F1CE@phonedir.com> Hello all, I've got an issue with Oversized.Zip infections that I'm trying to disable and can't seem to nail down the correct settings. I've been using clamav for our virus scanning for longer than I care to recall and just this morning switched the setting over to clamavmodule to reduce the load on our relay. It reduced the load and everything is working but we get a lot of zip files (artwork) that compress very well and they are getting detected as viruses (Oversized.Zip) I've searched the Mailscanner list and the ClamAV list and tried the following: /usr/local/etc/clamd.conf: ArchiveMaxCompressionRatio 0 /etc/MailScanner/Mailscanner.conf: ClamAVmodule Maximum Compression Ratio = 0 installed versions (i know they're a bit behind): MailScanner-4.58.9-1 install-Clam-0.88.7-SA-3.1.8 0.17 Mail::ClamAV I reloaded MailScanner, start/stopped it, and finally rebooted the machine each time, to no avail. I created a 1MB file that zips to 4k and it gets detected everytime. Virus scanning doesn't get cached like SA results, so I figure I don't have to keep changing the file each test. Is there a way to determine what config file clamavmodule is using and/or what current settings are? Where else should I be looking? Thanks, Dan From ssilva at sgvwater.com Wed Apr 25 22:07:00 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 25 22:07:16 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CA7CE7@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D204CA7CE7@UBIMAIL1.ubisoft.org> Message-ID: Daniel Maher spake the following on 4/25/2007 1:08 PM: > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Scott Silva
>> Sent: April 25, 2007 3:52 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
>>
>> Probably the user that provided the patches is running sendmail, and you
>> are
>> running postfix.
>
> Having examined the patch, there does not appear to be anything that is sendmail-specific. In fact, it is quite a simple patch which adds "clamd" as a valid virus scanner, and nothing else.

I think the problem with postfix is that its settings in mailscanner are re-setting the permissions on the working directory to what postfix needs. Sendmail, running as root, can go wherever it wants to go in the filesystem within limits. Maybe if clamav can be in the postfix group, or postfix be a secondary group for clam.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Apr 25 22:08:41 2007
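The question running through the clamd messages above is whether the scanner account can actually read what MailScanner writes under the Incoming Work Dir, either through the directory's group (Incoming Work Group / Incoming Work Permissions) or through a secondary group membership. The following script is an added example, not part of any poster's message or of MailScanner; it assumes GNU stat, and the account name clamav and the path /var/spool/MailScanner/incoming in its comments are assumptions.

```shell
#!/bin/sh
# Added example: list entries under a work directory that a given account
# could NOT read, applying the Unix owner/group/other rule to the mode bits.
# Only mode bits are evaluated; ACLs and SELinux are not considered.
# Requires GNU stat (Linux).

# perm_class UID "GID GID ..." FILE_UID FILE_GID MODE
# Prints the 3-bit rwx value that applies to the account:
# owner bits if it owns the file, else group bits if any of its
# groups matches, else the "other" bits.
perm_class() {
    uid=$1 gids=$2 fuid=$3 fgid=$4 mode=$5
    bits=$((0$mode))                      # stat prints octal, e.g. 640
    if [ "$uid" = "$fuid" ]; then
        echo $(( ($bits >> 6) & 7 )); return
    fi
    for g in $gids; do
        if [ "$g" = "$fgid" ]; then
            echo $(( ($bits >> 3) & 7 )); return
        fi
    done
    echo $(( $bits & 7 ))
}

# unreadable_for UID "GID GID ..." DIR
# Prints one line per entry the account cannot use: directories need r-x,
# everything else needs r--.
unreadable_for() {
    uid=$1 gids=$2 dir=$3
    find "$dir" -exec stat -c '%u|%g|%a|%F|%n' {} + |
    while IFS='|' read -r fuid fgid mode ftype name; do
        have=$(perm_class "$uid" "$gids" "$fuid" "$fgid" "$mode")
        case $ftype in
            directory) need=5 ;;          # list and traverse
            *)         need=4 ;;          # read the message file
        esac
        if [ $(( $have & $need )) -ne "$need" ]; then
            echo "$name: owner=$fuid group=$fgid mode=$mode"
        fi
    done
}

# check_scanner_access USER DIR: resolve a named account and run the check.
# Example (account and path are assumptions):
#   check_scanner_access clamav /var/spool/MailScanner/incoming
check_scanner_access() {
    unreadable_for "$(id -u "$1")" "$(id -G "$1")" "$2"
}

# make_demo_tree: build a constructed work directory with one batch
# subdirectory, one group-readable message (0640) and one that is not (0600).
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/1234.A"
    chmod 0750 "$t" "$t/1234.A"
    echo constructed > "$t/1234.A/ok.msg";  chmod 0640 "$t/1234.A/ok.msg"
    echo constructed > "$t/1234.A/bad.msg"; chmod 0600 "$t/1234.A/bad.msg"
    echo "$t"
}

# Run with --demo to see the check on the constructed tree: an account that
# is only a member of the directory's group is refused the 0600 file.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_tree)
    unreadable_for 4000000001 "$(stat -c %g "$d")" "$d"
    rm -rf "$d"
fi
```

An empty result for the scanner account means every file and directory is reachable by mode bits; any line printed names an entry the daemon would be refused, and re-running it after a MailScanner restart shows whether ownership has been reset.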
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 25 22:10:07 2007 Subject: ClamAVModule Oversized.Zip In-Reply-To: <2F944552-8F2B-4D53-A69D-6D3D83B4F1CE@phonedir.com> References: <2F944552-8F2B-4D53-A69D-6D3D83B4F1CE@phonedir.com> Message-ID: Dan Farmer spake the following on 4/25/2007 1:47 PM: > Hello all, > > I've got an issue with Oversized.Zip infections that I'm trying to > disable and can't seem to nail down the correct settings. I've been > using clamav for our virus scanning for longer than I care to recall and > just this morning switched the setting over to clamavmodule to reduce > the load on our relay. It reduced the load and everything is working but > we get a lot of zip files (artwork) that compress very well and they are > getting detected as viruses (Oversized.Zip) > > I've searched the Mailscanner list and the ClamAV list and tried the > following: > > /usr/local/etc/clamd.conf: > ArchiveMaxCompressionRatio 0 > > /etc/MailScanner/Mailscanner.conf: > ClamAVmodule Maximum Compression Ratio = 0 Try something like 900 or 1000. I don't think a "0" disables this setting. > > installed versions (i know they're a bit behind): > MailScanner-4.58.9-1 > install-Clam-0.88.7-SA-3.1.8 > 0.17 Mail::ClamAV > > I reloaded MailScanner, start/stopped it, and finally rebooted the > machine each time, to no avail. I created a 1MB file that zips to 4k and > it gets detected everytime. Virus scanning doesn't get cached like SA > results, so I figure I don't have to keep changing the file each test. > > Is there a way to determine what config file clamavmodule is using > and/or what current settings are? Where else should I be looking? > > Thanks, > Dan > --MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!! From dan.farmer at phonedir.com Wed Apr 25 22:10:23 2007 From: dan.farmer at phonedir.com (Dan Farmer) Date: Wed Apr 25 22:11:56 2007 Subject: ClamAVModule Oversized.Zip In-Reply-To: <2F944552-8F2B-4D53-A69D-6D3D83B4F1CE@phonedir.com> References: <2F944552-8F2B-4D53-A69D-6D3D83B4F1CE@phonedir.com> Message-ID: <7C39A4A7-F416-4A3E-89EA-A499757B4FCE@phonedir.com> On Apr 25, 2007, at 2:47 PM, Dan Farmer wrote: > installed versions (i know they're a bit behind): > MailScanner-4.58.9-1 > install-Clam-0.88.7-SA-3.1.8 > 0.17 Mail::ClamAV Well, as I was fishing around more I just hit a whole mess of messages from people having this issue with 0.88.7 when it came out and they did not find any solution (other than reverting back to 0.88.6) in the threads. I've reverted back to clamav for now until I can upgrade to the newer versions. Thanks, Dan From bart at zokahn.com Wed Apr 25 23:04:59 2007 
From: bart at zokahn.com (Bart van den Heuvel)
Date: Wed Apr 25 23:05:49 2007
Subject: quarantined HAM in queue files
Message-ID: <00a801c78785$c40c77a0$0202fea9@zokahnt42>

Hi!

Made a bit of a mistake, I stated:

Quarantine Whole Messages As Queue Files = Yes

I should have stated it as a No. Now I have several HAM messages in quarantine and I cannot send them to their proper destination.

I've seen other answers in the list and I have tried those:

While I'm in /var/spool/MailScanner/quarantine/DATE/spam do this

cp -p 742CB1012B.812D8 /var/spool/postfix/incoming/7/742CB1012B

and then I check postfix in webmin to see if there are any mails in the queue, but it claims there are none. If I go to this dir and do an ls I see the file then I do:

postfix check

And the file disappears into nothingness. No explaining error message, nothing! Postfix does not deliver the file, as there is no mention of anything in the log (/var/log/mail.log)

Anyone any idea on how to get those messages back in route?

I use Ubuntu, postfix, mailscanner

Thanks,

Bart van den Heuvel

From bilias at edu.physics.uoc.gr Wed Apr 25 23:43:38 2007
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Wed Apr 25 23:44:01 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>
Message-ID:

On Wed, 25 Apr 2007, Daniel Maher wrote:
> Thank you for your prompt and informative reply! Unfortunately, it "didn't work". :( I followed all of the steps, including the wrapper, lint, and debug tests, and everything appeared to be ok.
>
> When I restarted MailScanner with "clamd" as the Virus Scanner, all continued to appear well. Messages were coming in, getting processed, ostensibly scanned, and passed along. However, the load had dropped /so much/ compared to clamscan that I became suspicious. I sent a handful of messages with either the Eicar test string, or the Eicar zip file, through the mail server. They passed through cleanly, without so much as a warning.
>
> Clearly, messages were /not/ getting scanned by clamd. I re-enabled clamscan, and sent the same Eicar test messages again; this time, they were identified as normal.
>
> After some investigation, I noticed that the Incoming Work Dir was not owned by the proper group, as defined by: Incoming Work Group = clamv
> I chgrp -R'd the directory, and tried again, but to my surprise, when I restarted MailScanner, ownership reverted to postfix.root !
>
> Does anybody have any idea why the permissions on the Incoming Work Dir are not being set properly, and what might be changing them? Furthermore, does this even seem to be the reason why clamd wasn't able to scan incoming mail?

Clamd must have access to files you want to scan.

I have
Incoming Work Permissions = 0640
Incoming Work Group = clamav
Incoming Work User =

Do the user and the group clamav exist in your system?
Under what privileges does clamd run?
Don't have a clue of what might be changing the permission back to clamav:root

Giannis

From bilias at edu.physics.uoc.gr Wed Apr 25 23:47:06 2007
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Wed Apr 25 23:47:26 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CA7CE7@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7CE7@UBIMAIL1.ubisoft.org>
Message-ID:

On Wed, 25 Apr 2007, Daniel Maher wrote:
>>
>> Probably the user that provided the patches is running sendmail, and you
>> are
>> running postfix.
>
> Having examined the patch, there does not appear to be anything that is sendmail-specific. In fact, it is quite a simple patch which adds "clamd" as a valid virus scanner, and nothing else.
>
> ?v? Daniel Maher

I run postfix as well with clamd

Giannis

From itdept at fractalweb.com Thu Apr 26 01:33:49 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Apr 26 01:34:24 2007
Subject: joe-jobbed, block 'undeliverable' messages?
Message-ID: <462FF36D.5020608@fractalweb.com>

Hi Guys and Gals,

One of our domains has been joe-jobbed, big time. We're seeing multiple "undeliverable" messages per minute, and in some cases many from the same IP. This is the worst I've ever seen it. Short of sitting here adding each IP to a block list, is there any way I can filter these things out, tag them as spam, anything?

Thanks,
Chris

From am.lists at gmail.com Thu Apr 26 05:11:02 2007
From: am.lists at gmail.com (am.lists) Date: Thu Apr 26 05:11:05 2007 Subject: joe-jobbed, block 'undeliverable' messages? In-Reply-To: <462FF36D.5020608@fractalweb.com> References: <462FF36D.5020608@fractalweb.com> Message-ID: <25a66d840704252111q736d3c35lf13afedd35890242@mail.gmail.com> On 4/25/07, Chris Yuzik wrote: > Hi Guys and Gals, > > One of our domains has been joe-jobbed, big time. We're seeing multiple > "undeliverable" messages per minute, and in some cases many from the > same IP. This is the worst I've ever seen it. Short of sitting here > adding each IP to a block list, is there any way I can filter these > things out, tag them as spam, anything? > > Thanks, > Chris > Typically, these joe-jobs are from non-existing email addresses (e.g. asdfasdf at victimdomain.tld). When the non-delivery report is returned, it's attempted to be sent to that address, which doesn't exist. If you were using Postfix, you could use reject_unverified_recipient in the smtpd_recipient_restrictions section of main.cf. This way, you'd flat out reject any message to asdfasdf at the MTA, keeping your MailScanner from never even seeing it. If you think this might work for you (e.g. you are using Postfix) I can give you more info about my particular setup (there's a little more to it than that one line). Angelo From dhawal at netmagicsolutions.com Thu Apr 26 08:30:20 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Apr 26 08:30:43 2007 Subject: joe-jobbed, block 'undeliverable' messages? In-Reply-To: <462FF36D.5020608@fractalweb.com> References: <462FF36D.5020608@fractalweb.com> Message-ID: <20070426130020.1zkijj7nuo8gk8o4@mail.netmagicsolutions.com> Quoting Chris Yuzik : > Hi Guys and Gals, > > One of our domains has been joe-jobbed, big time. We're seeing multiple > "undeliverable" messages per minute, and in some cases many from the > same IP. This is the worst I've ever seen it. Short of sitting here > adding each IP to a block list, is there any way I can filter these > things out, tag them as spam, anything? For postfix: See http://www.postfix.org/BACKSCATTER_README.html For sendmail: Julian suggested 'milter-null' a few days back to someone with a similar problem.. From alex at skynet-srl.com Thu Apr 26 08:32:40 2007 From: alex at skynet-srl.com (Alex) Date: Thu Apr 26 08:32:42 2007 Subject: Ignoring last received from In-Reply-To: <200704242050.l3OKogO9010548@safir.blacknight.ie> References: <200704242050.l3OKogO9010548@safir.blacknight.ie> Message-ID: <46305598.1000200@skynet-srl.com> > > On 24/04/07, Alex wrote: >> > Hi guys >> > >> > I'm playing with a damned configuration I can't figure how to have it >> > working. >> > >> > THE PROBLEM >> > ============= >> > All the mail that comes on some servers passes on SMTP servers that >> > are behind a firewall. >> > >> > Those servers are placed in a DMZ and use Postfix with load balancing. >> > >> > Those SMTP servers decide where to send their mail on different mail >> > servers using sendmail AND Mailscanner. >> > >> > >> > INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to >> > SMTP using MS -->Mailscanner >> > >> > If I set up a whitelist like the following
>> > >> > From: 1.2.3.4 and To: address@domain yes >> > >> > it will never match since the headers of the received mail on the >> > Mailscanner servers look like >> > >> > Received from: 10.0.0.55 <----- this is the internal IP of the last >> > passed through SMTP server >> > Received from : 1.2.3.4 <---- this is the public INTERNET server who >> > sent the mail and I can't match to... >> > >> > THE SOLUTIONS I TRIED (with no success) >> > ===================== >> > a) used the Remove Header in MS configuration, but this seems to only >> > match complete headers. >> > >> > I cannot remove >> > Received from : 10.0.0. >> > >> > but I can remove all the Received from headers (useless for my >> problem) >> > >> > b) It seems I can't find a m4 macro to tell sendmail not to add the >> > Received from header (it's so easy in Postfix) >> > >> > I don't think I'm the only one with this problem. >> > >> > How did you guys solve this? >> > >> > >> First of all thanks to all the guys who answered this (I discovered not >> so) simple question, >> >> Someone suggested to change the network architecture. >> >> This is not a choice, since not all the domains we manage have to pass >> through MS, so only specific ones are routed to the servers running MS. > > Someone would be me then:-). > Of course you can change the topology. > You can let MailScanner avoid all non-managed domains. > Or you could manage them via a separate set of MX:s (instead of having > all going through the same set of servers)... The possibilities are > well-nigh endless:-D. > Would likely simplify your topology a whole lot, removing a (then not > needed) layer of indirection;-). > >> Furthermore it is not a spam detection problem, so writing a specific SA >> rules won't help since the spam detection works fine. >> >> The problem only arises when I write a MS rule where the from IP >> address is involved, since MS seems to only consider the very last >> (indeed top-first) Received from header.
>> >> From: 1.2.3.4 and From *@mydomain.com yes <--- never matches >> >> The Header says the last server the message passed through is our DMZ >> server (10.0.0.55) so it never matches the above From rule. > > You might actually have more problems than that (in SA, no less), but > lets not go there:-). > What do you mean?? Please enlighten me! Is there something important I missed? >> >> I think this damned thing may be managed in two ways: >> >> - Instructing sendmail on the private servers to not add the Received >> from header but don't know how to do that. In Postfix this is very easy: >> write a header_check rule that simply ignores the matching header so it >> doesn't get added to the final message and BANG it works! > > This break one of the few MUST statements in the RFC. Not really a > good thing, even though you can do it with PF. > >> - Instructing MS to match the second Received from: header instead of >> the first one (?????) > > There is no provision for this in MS. > >> I see someone else is having the same problem (may I say Welcome??) >> >> I have searched the internet for the IP hiding problem in Sendmail >> (usually used to hide internal private IP's and names from the external) >> but I came to a lot of infos (milter, voodoo and so on) but no specific >> ideas. >> >> Using procmail with formail may be a way, but it looks very complicated >> since the recipe's formail action should do a complete rewrite of the >> received from header, and to accomplish that I suspect it needs an >> external PERL/BASH/other scripting language that may lead to system >> vulnerabilities or instability. >> >> Any ideas out there?? >> > As said, I think you are going at this a bit backward, trying to > defeat the standard instead of working with it. Sure, you might find a > solution eventually... Like, for example, not using Sendmail with the > "backend MS servers"... As you say, breaking the RFC in this > particular way is rather easy in Postfix...
And Postfix works nice > with MailScanner....;-). > > Cheers Thanks. it has been a long time since I started thinking about moving my sendmail servers to postfix and this may be the right time... >> >> You can look at all headers in a Custom Function. Very simple with >> MailScanner. IIRC, Julian said something about being able to call >> custom functions from within rulesets too, which I have not played >> with but sounded intriguing! >> See my basic example custom function posted here a few weeks ago. >> >> Ken Anderson >> Pacific.Net >> >> Good suggestion. I'll give it a try Thanks to everyone and best regards Alessandro From paul.hutchings at mira.co.uk Thu Apr 26 08:33:10 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Thu Apr 26 08:33:34 2007 Subject: Fast Dual Core or slower Quad Core..? Message-ID: As subject, I'm speccing up a box and am now looking at the DL360 G5 range. Given the box should only be running OpenSuse/Postfix/MailScanner with ClamAV and SpamAssassin would people suggest a faster dual core CPU i.e. 2.3Ghz or a slower Quad Core CPU i.e. 1.6Ghz? I'm not familiar enough with how linux and the applications mentioned interact to know which would be of the most use and why. Cheers, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -- MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From glenn.steen at gmail.com Thu Apr 26 08:59:30 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 08:59:34 2007 Subject: quarantined HAM in queue files In-Reply-To: <00a801c78785$c40c77a0$0202fea9@zokahnt42> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> Message-ID: <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> On 26/04/07, Bart van den Heuvel wrote: > Hi! > > Made a bit of a mistake, I stated: Quarantine Whole Messages As Queue Files > = Yes > > I should have stated it as a No. Now I have several HAM messages in > quarantine and I cannot send them to their proper destination. I've seen > other answers in the list and I have tried those: > > While I'm in /var/spool/MailScanner/quarantine/DATE/spam do this > cp -p 742CB1012B.812D8 /var/spool/postfix/incoming/7/742CB1012B > and then I check postfix in webmin to see if there are any mails in the > queue, but it claims there are none. If I go to this dir and do an ls I see > the file then I do: > postfix check > And the file disappears into nothingness. No explaining error message, > nothing! Postfix does not deliver the file, as there is no mention of > anything in the log (/var/log/mail.log) > > Anyone any idea on how to get those messages back in route? I use Ubuntu, > postfix, mailscanner > > Thanks, > > Bart van den Heuvel > There is an excellent article on all types/forms/shapes/whatever of releasing messages in the MailScanner wiki... Go look at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail (watch the wrapping). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From bart at zokahn.com Thu Apr 26 09:10:36 2007
From: bart at zokahn.com (Bart van den Heuvel) Date: Thu Apr 26 09:10:42 2007 Subject: quarantined HAM in queue files In-Reply-To: <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> Message-ID: <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> Thank you for pointing me to that document. It is indeed excellent, however the procedure is not working (for me). When I do: # cp -p C071E3679B2 /var/spool/postfix/incoming/C I run into 2 problems, First my files have an extension: 6BC5E368497.3C3A6 and the files moved have none. I don't see how the files are changed or where different files are used. Secondly when I rename the files and place them in the incoming queue they disappear. I might need some clarification on the article. Thanks again! Bart On Thu, April 26, 2007 9:59 am, Glenn Steen wrote: > On 26/04/07, Bart van den Heuvel wrote: > >> Hi! >> >> >> Made a bit of a mistake, I stated: Quarantine Whole Messages As Queue >> Files >> = Yes >> >> >> I should have stated it as a No. Now I have several HAM messages in >> quarantine and I cannot send them to their proper destination. I've seen >> other answers in the list and I have tried those: >> >> While I'm in /var/spool/MailScanner/quarantine/DATE/spam do this >> cp -p 742CB1012B.812D8 /var/spool/postfix/incoming/7/742CB1012B and then >> I check postfix in webmin to see if there are any mails in the >> queue, but it claims there are none. If I go to this dir and do an ls I >> see the file then I do: postfix check And the file disappears into >> nothingness. No explaining error message, nothing! Postfix does not >> deliver the file, as there is no mention of anything in the log >> (/var/log/mail.log) >> >> >> Anyone any idea on how to get those messages back in route?
I use >> Ubuntu, >> postfix, mailscanner >> >> Thanks, >> >> >> Bart van den Heuvel >> >> > There is an excellent article on all types/forms/shapes/whatever of > releasing messages in the MailScanner wiki... Go look at > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta: > postfix:how_to:release_quarantined_mail > (watch the wrapping). > > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > Before posting, read http://wiki.mailscanner.info/posting > > > Support MailScanner development - buy the book off the website! > > From martinh at solidstatelogic.com Thu Apr 26 09:10:30 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Apr 26 09:10:48 2007 Subject: sendmail vuln Message-ID: <9cc4c72a189cd641acb1987a76a379b4@solidstatelogic.com> All For those running sendmail as their MTA be aware that HP have found a remote DOS vulnerability in 8.9.3 and 8.11.1. No mention of 8.12 but 8.13.3 is shown as OK.. http://www.securityfocus.com/bid/23606 -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From glenn.steen at gmail.com Thu Apr 26 09:14:44 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 09:14:47 2007 Subject: Ignoring last received from In-Reply-To: <46305598.1000200@skynet-srl.com> References: <200704242050.l3OKogO9010548@safir.blacknight.ie> <46305598.1000200@skynet-srl.com> Message-ID: <223f97700704260114j30051a1bs2f07ffd3a63a7ab@mail.gmail.com> On 26/04/07, Alex wrote: (snip) > > You might actually have more problems than that (in SA, no less), but > > lets not go there:-). > > > What do you mean?? Please enlighten me! Is there something important I missed? Might be that ALL_TRUSTED is firing when it shouldn't... Check that it only fires for hosts you really do trust. If it does fire for messages other than those it should fire for, it indicates you have a broken trust path and should set trusted_networks accordingly (to _not_ trust the frontend servers/IP-range). But then again, you might have fixed this already:-). There is some nice article on the subject in the SpamAssassin wiki... http://wiki.apache.org/spamassassin/TrustPath (snip) > >> > >> Any ideas out there?? > >> > > As said, I think you are going at this a bit backward, trying to > > defeat the standard instead of working with it. Sure, you might find a > > solution eventually... Like, for example, not using Sendmail with the > > "backend MS servers"... As you say, breaking the RFC in this > > particular way is rather easy in Postfix... And Postfix works nice > > with MailScanner....;-). > > > > Cheers > > Thanks. it has been a long time since I started thinking about moving my > sendmail servers to postfix and this may be the right time... Perhaps not the reason for a switch I would prefer, but ... WTH, go for it;-). > >> > >> You can look at all headers in a Custom Function. Very simple with > >> MailScanner. IIRC, Julian said something about being able to call > >> custom functions from within rulesets too, which I have not played > >> with but sounded intriguing!
> >> See my basic example custom function posted here a few weeks ago. > >> > >> Ken Anderson > >> Pacific.Net > >> > >> > Good suggestion. I'll give it a try Ken giving the lie to my assertion there is no provision for this in MS... Then again, with a Custom Function... anything goes:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Thu Apr 26 09:15:59 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Apr 26 09:16:25 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: Message-ID: <771041fc52566440bf01ca2ef5ed7541@solidstatelogic.com> Paul How many messages per day, and what sort of size? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From glenn.steen at gmail.com Thu Apr 26 09:19:33 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 09:19:36 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: References: Message-ID: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com> On 26/04/07, Paul Hutchings wrote: > As subject, I'm speccing up a box and am now looking at the DL360 G5 > range. > > Given the box should only be running OpenSuse/Postfix/MailScanner with > ClamAV and SpamAssassin would people suggest a faster dual core CPU i.e. > 2.3Ghz or a slower Quad Core CPU i.e. 1.6Ghz? > > I'm not familiar enough with how linux and the applications mentioned > interact to know which would be of the most use and why. > > Cheers, > Paul Depends on a few things... Like the volume you anticipate to handle with them. Things to keep in mind: You need lots of RAM. At least 1 GiB/CPU ... Well, RAM is cheap these days:-). Also, there is a tradeoff between faster CPUs and more units (CPUs) to schedule work on. If you have massive amounts of messages/day I'd recommend the more units. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From paul.hutchings at mira.co.uk Thu Apr 26 09:23:35 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Thu Apr 26 09:24:10 2007 Subject: Fast Dual Core or slower Quad Core..? References: <771041fc52566440bf01ca2ef5ed7541@solidstatelogic.com> Message-ID: I think the realistic answer is "not enough for it to matter" (approx 30k a week of all shapes and sizes), but I'm thinking if MailScanner runs X processes it might be better to have several slower cores than 2 fast cores? Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message-----
From glenn.steen at gmail.com Thu Apr 26 09:26:24 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 09:26:27 2007 Subject: quarantined HAM in queue files In-Reply-To: <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> Message-ID: <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> On 26/04/07, Bart van den Heuvel wrote: > Thank you for pointing me to that document. It is indeed excellent, however > the procedure is not working (for me). When I do: > > # cp -p C071E3679B2 /var/spool/postfix/incoming/C > > I run into 2 problems, First my files have an extension: > > 6BC5E368497.3C3A6 and the files moved have none. I don't see how the files > are changed or where different files are used. The extra five hex values added after the dot are placed there by MailScanner to avoid problems (duplicates) when logging messages to SQL (typically MailWatch). When MailScanner is done with a message it requeues the file (actually a completely new queue file) with another name (this has to do with how Postfix assigns queue filenames based on i-node and microseconds...). So just remove them when releasing messages. Oh, and as you can guess, Postfix is really picky about permissions and such. > secondly when i rename the files and place them in the incoming queue they > disappear. ... and get delivered somewhere ... Check your (mail) logs. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From oliver at linux-kernel.at Thu Apr 26 09:27:38 2007
From: oliver at linux-kernel.at (Oliver Falk) Date: Thu Apr 26 09:27:53 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com> References: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com> Message-ID: <4630627A.3080602@linux-kernel.at> On 04/26/2007 10:19 AM, Glenn Steen wrote: [ ... ] > Things to keep in mind: You need lots of RAM. At least 1 GiB/CPU ... > Well, RAM is cheap these days:-). You know? He was talking 'bout a Compaq Machine; So RAM isn't cheap. :-P > Also, there is a tradeoff between faster CPUs and more units (CPUs) > to schedule work on. If you have massive amounts of messages/day I'd > recommend the more units. However. I would also recommend more processors... Just my personal experience... -of From glenn.steen at gmail.com Thu Apr 26 09:31:27 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 09:31:29 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: References: <771041fc52566440bf01ca2ef5ed7541@solidstatelogic.com> Message-ID: <223f97700704260131r67963e05h7a9d16bfab536bbb@mail.gmail.com> On 26/04/07, Paul Hutchings wrote: > I think the realistic answer is "not enough for it to matter" (approx > 30k a week of all shapes and sizes), but I'm thinking if MailScanner > runs X processes it might be better to have several slower cores than 2 > fast cores? > > Paul > More or less ... Depends on _how much_ slower...:-) It is likely not the "big thing" one might think though... I/O and RAM is far more important, IMO. Personally I still like the DL3X5 variants better, but that is neither here nor there (oh how all the Intel fans will bash me now:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From oliver at linux-kernel.at Thu Apr 26 09:47:00 2007
From: oliver at linux-kernel.at (Oliver Falk) Date: Thu Apr 26 09:47:17 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: <223f97700704260131r67963e05h7a9d16bfab536bbb@mail.gmail.com> References: <771041fc52566440bf01ca2ef5ed7541@solidstatelogic.com> <223f97700704260131r67963e05h7a9d16bfab536bbb@mail.gmail.com> Message-ID: <46306704.3010701@linux-kernel.at> On 04/26/2007 10:31 AM, Glenn Steen wrote: [ ... ] > Personally I still like the DL3X5 variants better, but that is neither > here nor there (oh how all the Intel fans will bash me now:-) Don't want to flame war here. But actual benchmarks showed me, that DL380 is about 30 % faster than a DL385. OK, it was an Apache Benchmark, but however... -of From glenn.steen at gmail.com Thu Apr 26 09:49:16 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 09:49:20 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: <4630627A.3080602@linux-kernel.at> References: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com> <4630627A.3080602@linux-kernel.at> Message-ID: <223f97700704260149h6c1d924co9f1debd648e69e34@mail.gmail.com> On 26/04/07, Oliver Falk wrote: > On 04/26/2007 10:19 AM, Glenn Steen wrote: > [ ... ] > > Things to keep in mind: You need lots of RAM. At least 1 GiB/CPU ... > > Well, RAM is cheap these days:-). > > You know? He was talking 'bout a Compaq Machine; So RAM isn't cheap. :-P Taking the relativity of everything into account.... those buggers have gone down too (at least here in Sweden:). Since Paul is thinking HP from the outset, he must have a budget to cover it... I hope:-D. > > Also, there is a tradeoff between faster CPUs and more units (CPUs) > > to schedule work on. If you have massive amounts of messages/day I'd > > recommend the more units. > > However. I would also recommend more processors... Just my personal > experience... > If they are exorbitantly more expensive though... As it is, I handle that amount (approximately) with a tired old DL380G2 ... 1.266 GHz single PIII with 1.5 GiB RAM... So any of them would be perfectly fine. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Apr 26 09:51:56 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 09:51:59 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: <46306704.3010701@linux-kernel.at> References: <771041fc52566440bf01ca2ef5ed7541@solidstatelogic.com> <223f97700704260131r67963e05h7a9d16bfab536bbb@mail.gmail.com> <46306704.3010701@linux-kernel.at> Message-ID: <223f97700704260151l581ad523m210ffc993d3c863d@mail.gmail.com> On 26/04/07, Oliver Falk wrote: > On 04/26/2007 10:31 AM, Glenn Steen wrote: > [ ... ] > > Personally I still like the DL3X5 variants better, but that is neither > > here nor there (oh how all the Intel fans will bash me now:-) > > Don't want to flame war here. But actual benchmarks showed me, that > DL380 is about 30 % faster than a DL385. OK, it was an Apache Benchmark, > but however... > .... Yeah, I know. It is a tighter race these days, with Intel more often than not winning the day. You compared machines of "equal" age and resources? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From paul.hutchings at mira.co.uk Thu Apr 26 09:59:20 2007 
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Thu Apr 26 10:00:05 2007 Subject: Fast Dual Core or slower Quad Core..? References: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com><4630627A.3080602@linux-kernel.at> <223f97700704260149h6c1d924co9f1debd648e69e34@mail.gmail.com> Message-ID: For the Dual Core I'd likely be looking at one of these "as is" plus a couple of 10k SAS drives: http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/521-525-358263-358263-12083449-12569852-78138665.html I'm sure Quad Core is total overkill, and of course the machine is twin-socket so can always have a second CPU added. The thing needs to last three years minimum that's all, hence the query as I have no idea of Linux/MailScanner/Clam "roadmaps" assuming MailScanner remains the ideal tool for the job. Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. 
From oliver at linux-kernel.at Thu Apr 26 10:10:36 2007 From: oliver at linux-kernel.at (Oliver Falk) Date: Thu Apr 26 10:10:42 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: <223f97700704260151l581ad523m210ffc993d3c863d@mail.gmail.com> References: <771041fc52566440bf01ca2ef5ed7541@solidstatelogic.com> <223f97700704260131r67963e05h7a9d16bfab536bbb@mail.gmail.com> <46306704.3010701@linux-kernel.at> <223f97700704260151l581ad523m210ffc993d3c863d@mail.gmail.com> Message-ID: <46306C8C.4060906@linux-kernel.at> On 04/26/2007 10:51 AM, Glenn Steen wrote: > On 26/04/07, Oliver Falk wrote: >> On 04/26/2007 10:31 AM, Glenn Steen wrote: >> [ ... ] >> > Personally I still like the DL3X5 variants better, but that is neither >> > here nor there (oh how all the Intel fans will bash me now:-) >> >> Don't want to flame war here. But actual benchmarks showed me, that >> DL380 is about 30 % faster than a DL385. OK, it was an Apache Benchmark, >> but however... >> > .... Yeah, I know. It is a tighter race these days, with Intel more > often than not winning the day. You compared machines of "equal" age > and resources? Yes. Both were bought in the same month... :-) I don't remember the exact Ghz any more, but both were 'state-of-the-art' dual-core, dual-processor with 4 GB memory. -of From martinh at solidstatelogic.com Thu Apr 26 10:15:50 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Apr 26 10:16:20 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: Message-ID: Paul More to the point is amount of spam increase over the three years. In the 7.5 years since I've been here we've gone from 6-7000 messages per month in total to 19,000 per day! Now of the 19,000 something like 1,700 are legitimate emails. If I look at inbound only emails the results are even more scary. I *THINK* about 3 years ago we were doing something like 6,000 messages per day, so over the last 3 years email traffic has more or less tripled and the vast majority of that increase is spam. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings > Sent: 26 April 2007 09:59 > To: MailScanner discussion > Subject: RE: Fast Dual Core or slower Quad Core..? > > For the Dual Core I'd likely be looking at one of these "as is" plus a > couple of 10k SAS drives: > > http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/521-525-358263-358263-12083449-12569852-78138665.html > > I'm sure Quad Core is total overkill, and of course the machine is > twin-socket so can always have a second CPU added. > > The thing needs to last three years minimum that's all, hence the query > as I have no idea of Linux/MailScanner/Clam "roadmaps" assuming > MailScanner remains the ideal tool for the job. > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From bart at zokahn.com Thu Apr 26 10:16:52 2007 
From: bart at zokahn.com (Bart van den Heuvel) Date: Thu Apr 26 10:16:55 2007 Subject: quarantined HAM in queue files In-Reply-To: <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> Message-ID: <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com> OK, so I can leave the extension out when I copy the queue file. The main problem is that if I requeue the file in the respective queue the message stands there until I do a (in webmin it is also not mentioned as a queued message): postfix check then the file disappears into nothingness, it is never mentioned in any log (/var/log/mail.log) even postfix -vv check never mentions the queue file operation. Thanks for your input On Thu, April 26, 2007 10:26 am, Glenn Steen wrote: > On 26/04/07, Bart van den Heuvel wrote: > >> Thank you for pointing me to that document. It is indeed excellent, >> however the procedure is not working (for me). When I do: >> >> # cp -p C071E3679B2 /var/spool/postfix/incoming/C >> >> >> I run into 2 problems, First my files have an extension: >> >> >> 6BC5E368497.3C3A6 and the files moved have none. I don't see how the >> files are changed or where different files are used. > > The extra five hex values added after the dot is placed there by > MailScanner to avoid problems (duplicates) when logging messages to > SQL (typically MailWatch). When MailScanner is done with a message it > requeues the file (actually a completely new queue file) with another name > (this has to do with how Postfix assigns queue filenames based on > i-node and microseconds...). So just remove them when releasing messages. > Oh, and as you can guess, Postfix is really picky about > permissions and such. 
> >> secondly when i rename the files and place them in the incoming queue >> they disappear. > > ... and get delivered somewhere ... Check your (mail) logs. > > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se From oliver at linux-kernel.at Thu Apr 26 10:21:17 2007 From: oliver at linux-kernel.at (Oliver Falk) Date: Thu Apr 26 10:21:21 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: References: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com><4630627A.3080602@linux-kernel.at> <223f97700704260149h6c1d924co9f1debd648e69e34@mail.gmail.com> Message-ID: <46306F0D.8060405@linux-kernel.at> On 04/26/2007 10:59 AM, Paul Hutchings wrote: > For the Dual Core I'd likely be looking at one of these "as is" plus a > couple of 10k SAS drives: > > http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/521-525-358263-358263-12083449-12569852-78138665.html > > I'm sure Quad Core is total overkill, and of course the machine is > twin-socket so can always have a second CPU added. You maybe think about the raid controller cache to speed up your write-operations - on a mailserver you will have a lot of :-) > The thing needs to last three years minimum that's all, hence the query > as I have no idea of Linux/MailScanner/Clam "roadmaps" assuming > MailScanner remains the ideal tool for the job. Usual IT. Planning for 3 years. We always try to plan for 3 - 5 years and then change machines after 1 or 2 years. :-) Will the machine only do the incoming/outgoing (smtp), or also the imap/pop3 stuff? I believe for smtp only it's enough. -of From glenn.steen at gmail.com Thu Apr 26 10:26:59 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 10:27:03 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: References: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com> <4630627A.3080602@linux-kernel.at> <223f97700704260149h6c1d924co9f1debd648e69e34@mail.gmail.com> Message-ID: <223f97700704260226kfbba0e5p706b797ec83539dc@mail.gmail.com> On 26/04/07, Paul Hutchings wrote: > For the Dual Core I'd likely be looking at one of these "as is" plus a > couple of 10k SAS drives: > > http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/521-525-358263-358263-1208 > 3449-12569852-78138665.html > > I'm sure Quad Core is total overkill, and of course the machine is > twin-socket so can always have a second CPU added. > > The thing needs to last three years minimum that's all, hence the query > as I have no idea of Linux/MailScanner/Clam "roadmaps" assuming > MailScanner remains the ideal tool for the job. > The three-year-perspective is hard to assess... It _might_ mean you have to size it for huge increases in volume (mainly spam), but again... "huge" is a relative thing. IMO you would be more than fine in the short term (next year) with that machine, and it would very likely be enough for the duration. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From paul.hutchings at mira.co.uk Thu Apr 26 10:29:59 2007 
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Thu Apr 26 10:31:05 2007 Subject: Fast Dual Core or slower Quad Core..? References: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com><4630627A.3080602@linux-kernel.at> <223f97700704260149h6c1d924co9f1debd648e69e34@mail.gmail.com> <46306F0D.8060405@linux-kernel.at> Message-ID: Yeah I figured with that RAID card with Cache it's plenty quick enough. This is literally only for inbound and outbound SMTP, nothing more. I'll work off the linked server as my base model I think, there's a point where the bottom line is "it's plenty". Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk From tgc at statsbiblioteket.dk Thu Apr 26 11:45:57 2007 
From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Thu Apr 26 11:46:00 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: <223f97700704260149h6c1d924co9f1debd648e69e34@mail.gmail.com> References: <223f97700704260119y30e5884aua5c778db66c14fd1@mail.gmail.com> <4630627A.3080602@linux-kernel.at> <223f97700704260149h6c1d924co9f1debd648e69e34@mail.gmail.com> Message-ID: <463082E5.1060903@statsbiblioteket.dk> Glenn Steen wrote: > If they are exorbitantly more expensive though... As it is, I handle > that amount (approximately) with a tired old DL380G2 ... 1.266 GHz > single PIII with 1.5 GiB RAM... So any of them would be perfectly > fine. > I handle 10-14K a *day* on a DL360G1 ... single PIII/1266 with 640MiB RAM. For the amount of work the OP needs done I'd go with the faster CPUs. -tgc From paul at blacknight.ie Thu Apr 26 11:54:51 2007 
From: paul at blacknight.ie (Paul Kelly :: Blacknight Solutions) Date: Thu Apr 26 11:54:21 2007 Subject: Fast Dual Core or slower Quad Core..? In-Reply-To: References: Message-ID: <463084FB.6000204@blacknight.ie> Paul Hutchings wrote: > As subject, I'm speccing up a box and am now looking at the DL360 G5 > range. > > Given the box should only be running OpenSuse/Postfix/MailScanner with > ClamAV and SpamAssassin would people suggest a faster dual core CPU i.e. > 2.3Ghz or a slower Quad Core CPU i.e. 1.6Ghz? > > I'm not familiar enough with how linux and the applications mentioned > interact to know which would be of the most use and why. FYI, we've a dual xeon 3Ghz doing on average 150k messages a day without issue. It has 4GB of ram and has software raid. 1 dual core CPU or 1 quad core CPU no matter what the speed, should be enough for what you want. Paul > > Cheers, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > -- Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Lo-call: 1850 927 280 DDI: 059 9183091 e-mail: paul@blacknight.ie web: http://www.blacknight.ie Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845 From res at ausics.net Thu Apr 26 11:55:23 2007 
From: res at ausics.net (Res) Date: Thu Apr 26 11:55:54 2007 Subject: sendmail vuln In-Reply-To: <9cc4c72a189cd641acb1987a76a379b4@solidstatelogic.com> References: <9cc4c72a189cd641acb1987a76a379b4@solidstatelogic.com> Message-ID: If you're running anything that old then you deserve trouble (and to lose your damn job) On Thu, 26 Apr 2007, Martin.Hepworth wrote: > All > > For those running sendmail as their MTA be aware that HP have found a > remote DOS vulnerability in 8.9.3 and 8.11.1. No mention of 8.12 but > 8.13.3 is shown as OK.. > > http://www.securityfocus.com/bid/23606 > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php From housey at sme-ecom.co.uk Thu Apr 26 12:43:51 2007 
From: housey at sme-ecom.co.uk (Paul Houselander) Date: Thu Apr 26 12:43:57 2007 Subject: User Preferences Message-ID: Hi I'm just trying to spec out a web interface I'm going to put together to allow editing/amending of various MailScanner preferences. At the moment I've got a basic PHP setup that writes info to a MySQL DB. At 5 minute intervals a Perl script connects to the DB, checks for any changes and rewrites the ruleset files. So for example in MailScanner.conf I have Virus Scanning = %rules-dir%/virus.scanning.rules I have a MySQL table with columns Direction Domain Value With values like - FromOrTo --- example.com --- yes My Perl script just loops round all the values and writes the flat file "virus.scanning.rules" - changes take effect based on the MailScanner.conf "Restart Every" directive. This kind of worked ok with 1 MailScanner server but I've now introduced another for load balancing/resilience and wanted to put together a more sophisticated system. I was intending writing custom functions for all my rulesets by following the examples in /usr/lib/MailScanner/MailScanner/CustomFunctions/ and also the SQLSpamSettings.pm and SQLBlackWhiteList.pm done for the mailwatch project. I would consider myself very much an amateur programmer and was looking for opinions and advice on the following:- - Would there be much performance impact on using Custom Functions that read from a (potentially remote) database, rather than a flat file on the system? I can see myself writing custom functions for quite a number of the MailScanner.conf directives - Any problems using LDAP instead of MySQL? The reason I'm thinking of LDAP was I'm looking to move all my sendmail routing info to LDAP and would be nice to just maintain 1 system? Any advice appreciated. Kind Regards Paul From drew at technologytiger.net Thu Apr 26 13:12:14 2007 
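The ruleset rewrite Paul Houselander describes in the "User Preferences" post above, as an added example (not code from the thread or from MailScanner) that treats the database rows as untrusted web-form input and replaces the file atomically. Assumptions: the `*@domain` pattern, the direction keywords and the trailing `default` line follow MailScanner ruleset syntax as I understand it; the function names and sample rows are constructed for illustration.

```python
import os
import re
import tempfile

# Direction keywords, as I understand MailScanner's ruleset syntax (assumption).
DIRECTIONS = {"from": "From:", "to": "To:",
              "fromorto": "FromOrTo:", "fromandto": "FromAndTo:"}
VALUES = {"yes", "no"}
# Plain DNS names only. Whitespace, wildcards and newlines never match, so a
# value typed into the web form cannot smuggle a second rule into the file.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# Constructed rows in the post's (Direction, Domain, Value) layout.
SAMPLE_ROWS = [
    ("FromOrTo", "example.com", "yes"),
    ("From", "Example.ORG", "no"),
    # Embedded newline: written unchecked, this would add a rule that
    # switches virus scanning off for every domain.
    ("FromOrTo", "example.net\nFromOrTo: default no", "yes"),
    ("To", "example.net", "maybe"),        # value outside yes/no
    ("Sideways", "example.net", "yes"),    # unknown direction
    ("FromOrTo", "example.com", "no"),     # conflicts with the first row
]


def render_ruleset(rows, default="yes"):
    """Turn (direction, domain, value) rows into ruleset text.

    Returns (text, rejected). Invalid or duplicate rows are reported, never
    written. The catch-all "default" line always comes last.
    """
    if default not in VALUES:
        raise ValueError("default must be 'yes' or 'no'")
    lines, rejected, seen = [], [], set()
    for row in rows:
        try:
            direction, domain, value = (str(f).strip().lower() for f in row)
        except (TypeError, ValueError):
            rejected.append(row)
            continue
        key = (direction, domain)
        if (direction not in DIRECTIONS or value not in VALUES
                or not DOMAIN_RE.fullmatch(domain) or key in seen):
            rejected.append(row)
            continue
        seen.add(key)
        lines.append(f"{DIRECTIONS[direction]}\t*@{domain}\t{value}")
    lines.append(f"FromOrTo:\tdefault\t{default}")
    return "\n".join(lines) + "\n", rejected


def write_if_changed(path, text, mode=0o644):
    """Atomically replace path with text; return False if already identical."""
    try:
        with open(path, encoding="ascii") as fh:
            if fh.read() == text:
                return False
    except (FileNotFoundError, UnicodeDecodeError):
        pass
    # The temp file lives in the target directory so os.replace() is a rename
    # on one filesystem: a reader sees the old file or the new one, never half.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".",
                               prefix=".rules-")
    try:
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


if __name__ == "__main__":
    ruleset, bad = render_ruleset(SAMPLE_ROWS)
    print(ruleset, end="")
    for row in bad:
        print("rejected:", repr(row))
```

Run on each MailScanner host, the same rows produce byte-identical files, so the unchanged check also shows whether two servers have drifted apart.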
From: drew at technologytiger.net (Drew Marshall) Date: Thu Apr 26 13:12:23 2007 Subject: quarantined HAM in queue files In-Reply-To: <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com> Message-ID: <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net> On Thu, April 26, 2007 10:16, Bart van den Heuvel wrote: > OK, so I can leave the extension out when I copy the queue file. Well sort of. You shouldn't be copying anything with that extension. If you cd /var/spool/MailScanner/quarantine//.<4digits> and list the contents, what do you get? You should see another file just called this is the one to change the permissions, owner (If required) and copy to the relevant queue. > The main problem is that if I requeue the file in the respective queue the > message stands there until I do a (in webmin it is also not mentioned as a > queued message): > > postfix check > > then the file disappears into nothingness, it is never mentioned in any > log (/var/log/mail.log) even postfix -vv check never mentions the queue > file operation. The reason the file you are copying will go is that Postfix will recreate the hashed queue directories if it detects no mail in the queue. The file you have been moving about can't be a queue file (As Postfix knows it) or it would have been detected and processed. Hope this helps. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. 
Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From glenn.steen at gmail.com Thu Apr 26 13:33:16 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Apr 26 13:33:20 2007 Subject: quarantined HAM in queue files In-Reply-To: <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com> <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net> Message-ID: <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com> On 26/04/07, Drew Marshall wrote: > On Thu, April 26, 2007 10:16, Bart van den Heuvel wrote: > > OK, so i can leave the extention out when i copy the queue file. > > Well sort of. You shouldn't be copying anything with that extension. if > you cd /var/spool/MailScanner/quarantine//.<4digits> and > list the contents, what do you get? > > You should see another file just called this is the one to > change the permissions, owner (If required) and copy to the relevent > queue. True for the "normal" quarantine Drew... But I think Bart is looking at the spam quarantine, where he just has the queue file (if quarantining non-queue files, it'd be the RFC822-decoded message in a file named .). So... We're not (hopefully) completely wrong:-). > > The main problem is that if i requeue the file in the respective queue the > > message stands there until i do a (in webmin it is also not mentioned as a > > queued message): > > > > postfix check > > > > then the file disapeares into nothingness, it is never mentioned in any > > log (/var/log/mail.log) even postfix -vv check never mentionds the queue > > file operation. > > The reason the file you are copying will go is that Postfix will recreate > the hashed queue directories if it detects no mail in the queue. 
The file > you have been moving about can't be a queue file (As Postfix knows it) or > it would have been detected and processed. > Hm. Might it actually be an RFC822 file? Easy enough to check with a regular pager like less, and possibly postcat. ... In which case the advice about using sendmail (the convenience command) or similar tool would come into play (from the wiki doc). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Thu Apr 26 13:44:04 2007
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Apr 26 13:44:10 2007 Subject: MailScanner Digest, Vol 16, Issue 38 In-Reply-To: Message-ID: <48a8423663c33244b6cd03e47f3cd057@solidstatelogic.com> Bjorgen Due to the main MailScanner developer being extremely busy with his day job (hence the delay between 4.57 and 4.58) and then him being extremely sick in hospital for several weeks (hence no sign of a 4.59 release). Anything you'd like to see in a future release when Julian's feeling up to it? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Bjorgen T. Eatinger > Sent: 25 April 2007 19:39 > To: mailscanner@lists.mailscanner.info > Subject: RE: MailScanner Digest, Vol 16, Issue 38 > > > Why haven't there been any updates to MailScanner for a long time? > Bjorgen > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of mailscanner- > request@lists.mailscanner.info > Sent: Wednesday, April 25, 2007 4:00 AM > To: mailscanner@lists.mailscanner.info > Subject: MailScanner Digest, Vol 16, Issue 38 > > Send MailScanner mailing list submissions to > mailscanner@lists.mailscanner.info > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.mailscanner.info/mailman/listinfo/mailscanner > or, via email, send a message with subject or body 'help' to > mailscanner-request@lists.mailscanner.info > > You can reach the person managing the list at > mailscanner-owner@lists.mailscanner.info > > When replying, please edit your Subject line so it is more specific than > "Re: Contents of MailScanner digest..." > > > Today's Topics: > > 1. RE: Coming from everywhere (James R. Stevens) > 2. RE: Coming from everywhere (Stephen Swaney) > 3. No sendmail processes start when MS starts ( Alden Levy ) > 4. RE: No sendmail processes start when MS starts (Mike Kercher) > 5. RE: No sendmail processes start when MS starts (Mike Kercher) > 6. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > (Kapetanakis Giannis) > 7. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > (Kapetanakis Giannis) > 8. RE: No sendmail processes start when MS starts (Alden Levy) > 9. RE: No sendmail processes start when MS starts (Mike Kercher) > 10. RE: No sendmail processes start when MS starts (Alden Levy) > 11. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > (Michael Mansour) > 12. RE: No sendmail processes start when MS starts (Martin.Hepworth) > 13. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > (Julian Field) > 14. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > (Julian Field) > 15. Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > (Julian Field) > 16. 
Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
> (Mogens Melander)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 24 Apr 2007 15:49:17 -0500
> From: "James R. Stevens"
> Subject: RE: Coming from everywhere
> To: "MailScanner discussion"
> Message-ID: <1A65E6BAEADF9B4F865314484A13ECF160885D@atlas.athensdistributing.com>
> Content-Type: text/plain; charset="utf-8"
>
> Ok, I've been working on this for a few days and keep getting build errors
> on libsnert.
> Trying to install Libsnert1.63 and milter-null.
> Working with RedHat 9 box and RH ES and get the same issue when issue
> 'make build' of libsnert...
> sendmail-8.12.8-9.90 which I understand already has libmilter compiled.
>
> cli->/usr/sbin/sendmail -d0.1 -bv root | grep MILTER
>
> returns
>
> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
>
> After configure (No options) of libsnert I get this after make
> build...Anyone have clear directions to install milters on RH 9 and RHES?
>
> gcc -I/usr/include/db4 -I/usr/local/org/sqlite/include -D_REENTRANT -O2 -Wall -I./../../include -L/usr/local/org/sqlite/lib -L./../../lib -o
> smtpout smtpout.c -lsnert -lpthread -ldl
> ./../../lib/libsnert.a(socket2.o)(.text+0x3ee): In function
> `socketAddressCreate':
> : undefined reference to `VectorGet'
> ..
> [Snipit]
> ..
> collect2: ld returned 1 exit status
> make[1]: *** [smtpout] Error 1
> make[1]: Leaving directory `/usr/local/com/snert/src/tools'
> make: *** [build] Error 2
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Friday, April 20, 2007 12:11 PM
> To: MailScanner discussion
> Subject: Re: Coming from everywhere
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Matt Kettler wrote:
> > James R. Stevens wrote:
> >
> >> Have we already addressed these ‘Failure notice’ ,
> >> ‘Undeliverable’ –mails that are coming from everywhere. It
> >> seems to be more and more users are seeing these messages getting through. Some 100 per day.
> >>
> >>
> >>
> >> Anyone else seeing these things? Different subjects etc..
> >>
> >
> > http://www.google.com/search?hl=en&q=backscatter+email&btnG=Search
> >
> If you haven't got it installed already, grab a copy of milter-null.
> Kills these things dead instantly. And you still get the delivery failure
> messages that were actually caused by you mistyping addresses, it doesn't
> just ditch all delivery failure reports.
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all
> your IT requirements visit www.transtec.co.uk
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.0 (Build 214)
> Charset: UTF-8
>
> wj8DBQFGKPUsEfZZRxQVtlQRAtqlAJ9rE1wJ6zM5SPW2hMxAjFZeEnOydgCgia76
> J+SPMS4iVyJIU9evgwIKT2E=
> =GygJ
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
> For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and dangerous content by Athens > Hyperion Scanner, and is believed to be clean. > > > -- > This message has been scanned for viruses and > dangerous content by Athens Hyperion Scanner, and is > believed to be clean. > > > ------------------------------ > > Message: 2 > Date: Tue, 24 Apr 2007 17:14:52 -0400 > From: "Stephen Swaney" > Subject: RE: Coming from everywhere > To: "'MailScanner discussion'" > Message-ID: <075e01c786b5$996f28b0$cc4d7a10$@swaney@fsl.com> > Content-Type: text/plain; charset="utf-8" > > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of James R. Stevens
> > Sent: Tuesday, April 24, 2007 4:49 PM
> > To: MailScanner discussion
> > Subject: RE: Coming from everywhere
> >
> > Ok, I've been working on this for a few days and keep getting build
> > errors on libsnert.
> > Trying to install Libsnert1.63 and milter-null.
> > Working with RedHat 9 box and RH ES and get the same issue when issue
> > 'make build' of libsnert...
> > sendmail-8.12.8-9.90 which I understand already has libmilter compiled.
> >
> > cli->/usr/sbin/sendmail -d0.1 -bv root | grep MILTER
> >
> > returns
> >
> > MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
> >
> > After configure (No options) of libsnert I get this after make
> > build...Anyone have clear directions to install milters on RH 9 and
> > RHES?
> >
> > gcc -I/usr/include/db4 -I/usr/local/org/sqlite/include -D_REENTRANT -O2
> > -Wall -I./../../include -L/usr/local/org/sqlite/lib -L./../../lib -o
> > smtpout smtpout.c -lsnert -lpthread -ldl
> > ./../../lib/libsnert.a(socket2.o)(.text+0x3ee): In function
> > `socketAddressCreate':
> > : undefined reference to `VectorGet'
> > ..
> > [Snipit]
> > ..
> > collect2: ld returned 1 exit status
> > make[1]: *** [smtpout] Error 1
> > make[1]: Leaving directory `/usr/local/com/snert/src/tools'
> > make: *** [build] Error 2
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Julian Field > > Sent: Friday, April 20, 2007 12:11 PM > > To: MailScanner discussion > > Subject: Re: Coming from everywhere > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > > > Matt Kettler wrote: > > > James R. Stevens wrote: > > > > > You're better off going to www.snertsoft .com for support. Anthony Howe > does not monitor this list although I've bcc'd him on this response. > > Best regards, > > Steve > > Steve Swaney > steve@fsl.com > > > > ------------------------------ > > Message: 3 > Date: Tue, 24 Apr 2007 22:38:23 +0000 
> From: " Alden Levy " > Subject: No sendmail processes start when MS starts > To: mailscanner@lists.mailscanner.info > Message-ID: > <329319901-1177455456-cardhu_blackberry.rim.net-1466958025-@bwe026- > cell00.bisx.prod.on.blackberry> > > Content-Type: text/plain > > I've been using MS for a few years now with very few problems. However, my > old server is on its last legs, so I've decided to migrate to a shiny new > box. I've moved my /etc/MailScanner conf, prefs, rules, etc. files from > the old box to the new. I've not yet moved bayes, but I assume that > shouldn't be a problem (right?) > > The new OS is CentOS 4.4, and I've upgraded MS to the latest version. I'm > unsure if MS worked properly before the upgrade. I am also using sendmail > 8.13 (the old server was 8.10), and I changed the Lock Type. I've upgraded > sa to 3.18 and clamav to 0.92, but I'm using clamav, not clamavmodule, so > that should work. > > After I installed, I went through the routine of chkconfig sendmail > off..... > > When I start up MS, I get notification "starting MailScanner [OK]" (or > similar--I'm not in front of a console now), but no sendmail processes are > started. My maillog files seem to be okay, all the children start, sa is > okay as is clam; but of course, there are no sendmail processes. > > When I lint sa, everything's okay. I can't seem to debug MS; it hangs, > because there's no mail--or is my assumption incorrect? I'm not sure > where to look, though. Any suggestions would be appreciated. > > Thanks, > Alden > > Alden Levy > Engine No. 9, Inc. > 130 West 57th Street, Suite 2F > New York, NY 10019 > (212) 981-1122 > (212) 504-9598 (fax) > > www.engineno9inc.com > > > > ------------------------------ > > Message: 4 > Date: Tue, 24 Apr 2007 18:02:46 -0500 
> From: "Mike Kercher" > Subject: RE: No sendmail processes start when MS starts > To: "MailScanner discussion" > Message-ID: > <6115482898C59848B35DB9D491C9A28E4D87@srv1.home.middlefinger.net> > Content-Type: text/plain; charset="us-ascii" > > mailscanner-bounces@lists.mailscanner.info <> scribbled on : > > : I've been using MS for a few years now with very few > : problems. However, my old server is on its last legs, so I've > : decided to migrate to a shiny new box. I've moved my > : /etc/MailScanner conf, prefs, rules, etc. files from the old > : box to the new. I've not yet moved bayes, but I assume that > : shouldn't be a problem (right?) > : > : The new OS is CentOS 4.4, and I've upgraded MS to the latest > : version. I'm unsure if MS worked properly before the upgrade. > : I am also using sendmail 8.13 (the old server was 8.10), and > : I changed the Lock Type. I've upgraded sa to 3.18 and clamav > : to 0.92, but I'm using clamav, not clamavmodule, so that should work. > : > : After I installed, I went through the routine of chkconfig > : sendmail off..... > : > : When I start up MS, I get notification "starting MailScanner > : [OK]" (or similar--I'm not in front of a console now), but no > : sendmail processes are started. My maillog files seem to be > : okay, all the children start, sa is okay as is clam; but of > : course, there are no sendmail processes. > : > : When I lint sa, everything's okay. I can't seem to debug MS; > : it hangs, because there's no mail--or is my assumption > : incorrect? I'm not sure where to look, though. Any > : suggestions would be appreciated. > : > : Thanks, > : Alden > : > > Did you STOP sendmail before starting MS? > > Mike > > > ------------------------------ > > Message: 5 > Date: Tue, 24 Apr 2007 18:12:08 -0500 
> From: "Mike Kercher" > Subject: RE: No sendmail processes start when MS starts > To: "MailScanner discussion" > Message-ID: > <6115482898C59848B35DB9D491C9A28E4D88@srv1.home.middlefinger.net> > Content-Type: text/plain; charset="us-ascii" > > mailscanner-bounces@lists.mailscanner.info <> scribbled on : > > : I've been using MS for a few years now with very few > : problems. However, my old server is on its last legs, so I've > : decided to migrate to a shiny new box. I've moved my > : /etc/MailScanner conf, prefs, rules, etc. files from the old > : box to the new. I've not yet moved bayes, but I assume that > : shouldn't be a problem (right?) > : > : The new OS is CentOS 4.4, and I've upgraded MS to the latest > : version. I'm unsure if MS worked properly before the upgrade. > : I am also using sendmail 8.13 (the old server was 8.10), and > : I changed the Lock Type. I've upgraded sa to 3.18 and clamav > : to 0.92, but I'm using clamav, not clamavmodule, so that should work. > : > : After I installed, I went through the routine of chkconfig > : sendmail off..... > : > : When I start up MS, I get notification "starting MailScanner > : [OK]" (or similar--I'm not in front of a console now), but no > : sendmail processes are started. My maillog files seem to be > : okay, all the children start, sa is okay as is clam; but of > : course, there are no sendmail processes. > : > : When I lint sa, everything's okay. I can't seem to debug MS; > : it hangs, because there's no mail--or is my assumption > : incorrect? I'm not sure where to look, though. Any > : suggestions would be appreciated. > : > : Thanks, > : Alden > > > I'd also look in other logs...could this be an SELinux problem? > > Mike > > > > > ------------------------------ > > Message: 6 > Date: Wed, 25 Apr 2007 02:14:11 +0300 (EEST) 
> From: Kapetanakis Giannis
> Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
> To: MailScanner discussion
> Message-ID:
>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Tue, 24 Apr 2007, Julian Field wrote:
>
> > Kapetanakis Giannis wrote:
> >>
> >> Clamd works fast on the other hand.
> >> Maybe it should be included officially (clamdscan)
> >> in MailScanner's the next version.
> > Why? I already support the "clamavmodule" which is faster than clamd anyway.
> >
> > Jules
> >
>
> I haven't tried clamavmodule.
>
> I took the wrapper for clamd and the modified VirusSweep.pm
> and it works sweet. I'll also check clamavmodule to see what's going on :)
>
> Giannis
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 25 Apr 2007 02:19:23 +0300 (EEST)
> From: Kapetanakis Giannis
> Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
> To: MailScanner discussion
> Message-ID:
>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Tue, 24 Apr 2007, Ed Bruce wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Julian Field wrote:
> >>
> >>
> >> Kapetanakis Giannis wrote:
> >>> On Mon, 23 Apr 2007, Martin wrote:
> >>
> >>> Clamd works fast on the other hand.
> >>> Maybe it should be included officially (clamdscan)
> >>> in MailScanner's the next version.
> >> Why? I already support the "clamavmodule" which is faster than clamd anyway.
> >>
> >> Jules
> >>
> >
> > And I haven't noticed any performance degradation with clamavmodule
> > since upgrading to 0.90.2.
>
> Same for me...
>
> I remembered now that I did try clamavmodule.
> The load now is seen in the MailScanner but I guess it is
> the perl module that is being loaded.
>
> From a little debug I did in clamavscan
> what it does and takes so long is:
>
> Loading the database
> copying the database to /tmp/
> loading the database from /tmp
>
> It does this for every mail it comes in.
>
> How does clamavmodule handle the db?
>
> Clamd only loads the db once.
>
> Giannis
>
>
> ------------------------------
>
> Message: 8
> Date: Tue, 24 Apr 2007 21:43:45 -0400
> From: "Alden Levy"
> Subject: RE: No sendmail processes start when MS starts
> To:
> Message-ID: <000601c786db$2ac2ae70$5e01a8c0@AldenLap>
> Content-Type: text/plain; charset="us-ascii"
>
> -----Original Message-----
> From: Alden Levy [mailto:alden@engineno9inc.com] > Sent: Tuesday, April 24, 2007 6:38 PM > To: mailscanner@lists.mailscanner.info > Subject: No sendmail processes start when MS starts > > : I've been using MS for a few years now with very few > : problems. However, my old server is on its last legs, so I've > : decided to migrate to a shiny new box. I've moved my > : /etc/MailScanner conf, prefs, rules, etc. files from the old > : box to the new. I've not yet moved bayes, but I assume that > : shouldn't be a problem (right?) > : > : The new OS is CentOS 4.4, and I've upgraded MS to the latest > : version. I'm unsure if MS worked properly before the upgrade. > : I am also using sendmail 8.13 (the old server was 8.10), and > : I changed the Lock Type. I've upgraded sa to 3.18 and clamav > : to 0.92, but I'm using clamav, not clamavmodule, so that should work. > : > : After I installed, I went through the routine of chkconfig > : sendmail off..... > : > : When I start up MS, I get notification "starting MailScanner > : [OK]" (or similar--I'm not in front of a console now), but no > : sendmail processes are started. My maillog files seem to be > : okay, all the children start, sa is okay as is clam; but of > : course, there are no sendmail processes. > : > : When I lint sa, everything's okay. I can't seem to debug MS; > : it hangs, because there's no mail--or is my assumption > : incorrect? I'm not sure where to look, though. Any > : suggestions would be appreciated. > : > : Thanks, > : Alden > > : I've been using MS for a few years now with very few > : problems. However, my old server is on its last legs, so I've > : decided to migrate to a shiny new box. I've moved my > : /etc/MailScanner conf, prefs, rules, etc. files from the old > : box to the new. I've not yet moved bayes, but I assume that > : shouldn't be a problem (right?) > : > : The new OS is CentOS 4.4, and I've upgraded MS to the latest > : version. I'm unsure if MS worked properly before the upgrade. 
> : I am also using sendmail 8.13 (the old server was 8.10), and > : I changed the Lock Type. I've upgraded sa to 3.18 and clamav > : to 0.92, but I'm using clamav, not clamavmodule, so that should work. > : > : After I installed, I went through the routine of chkconfig > : sendmail off..... > : > : When I start up MS, I get notification "starting MailScanner > : [OK]" (or similar--I'm not in front of a console now), but no > : sendmail processes are started. My maillog files seem to be > : okay, all the children start, sa is okay as is clam; but of > : course, there are no sendmail processes. > : > : When I lint sa, everything's okay. I can't seem to debug MS; > : it hangs, because there's no mail--or is my assumption > : incorrect? I'm not sure where to look, though. Any > : suggestions would be appreciated. > : > : Thanks, > : Alden > > I'd also look in other logs...could this be an SELinux problem? > > Mike > > SELinux is disabled. And, yes, I restarted MailScanner after the install. > Would that it were so easy! Please keep the ideas and suggestions coming. > > Thanks, > Alden > > > > ------------------------------ > > Message: 9 > Date: Tue, 24 Apr 2007 21:05:45 -0500 
> From: "Mike Kercher" > Subject: RE: No sendmail processes start when MS starts > To: "MailScanner discussion" > Message-ID: > <6115482898C59848B35DB9D491C9A28E4D8A@srv1.home.middlefinger.net> > Content-Type: text/plain; charset="us-ascii" > > mailscanner-bounces@lists.mailscanner.info <> scribbled on : > > : > : I'd also look in other logs...could this be an SELinux problem? > : > : Mike > : > : SELinux is disabled. And, yes, I restarted MailScanner after > : the install. > : Would that it were so easy! Please keep the ideas and > : suggestions coming. > : > : Thanks, > : Alden > : > > How about some log entries from /var/log/maillog and /var/log/messages > at the time of a 'service MailScanner restart'. Just do this: > > # service MailScanner restart;tail -f /var/log/maillog /var/log/message > > Paste a bit of those logs and also a ps -ef Might as well throw a > chkconfig sendmail --list in there too. > > Mike > > > > > ------------------------------ > > Message: 10 > Date: Tue, 24 Apr 2007 22:29:31 -0400 
> From: "Alden Levy" > Subject: RE: No sendmail processes start when MS starts > To: > Message-ID: <001101c786e1$900b6d20$5e01a8c0@AldenLap> > Content-Type: text/plain; charset="us-ascii" > > : > : I'd also look in other logs...could this be an SELinux problem? > : > : Mike > : > : SELinux is disabled. And, yes, I restarted MailScanner after > : the install. > : Would that it were so easy! Please keep the ideas and > : suggestions coming. > : > : Thanks, > : Alden > : > > How about some log entries from /var/log/maillog and /var/log/messages > at the time of a 'service MailScanner restart'. Just do this: > > # service MailScanner restart;tail -f /var/log/maillog /var/log/message > > Paste a bit of those logs and also a ps -ef Might as well throw a > chkconfig sendmail --list in there too. > > Mike > > Here you go: > service MailScanner restart;tail -f /var/log/maillog /var/log/messages > Shutting down MailScanner: [ OK ] > Starting MailScanner: [ OK ] > ==> /var/log/maillog <== > Apr 24 22:25:55 E9 MailScanner[14241]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:25:55 E9 MailScanner[14241]: Using SpamAssassin results cache > Apr 24 22:25:55 E9 MailScanner[14241]: Connected to SpamAssassin cache > database > Apr 24 22:25:57 E9 MailScanner[14241]: Using locktype = posix > Apr 24 22:25:57 E9 MailScanner[14241]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:21 E9 MailScanner[14239]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14229]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14237]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14241]: MailScanner child caught a SIGHUP > Apr 24 22:26:21 E9 MailScanner[14235]: MailScanner child caught a SIGHUP > > ==> /var/log/messages <== > Apr 24 22:10:01 E9 logger: weblogs: (14070) starting. > Apr 24 22:10:02 E9 logger: weblogs: (14070) done. > Apr 24 22:20:01 E9 logger: weblogs: (14080) starting. 
> Apr 24 22:20:02 E9 logger: weblogs: (14080) done. > Apr 24 22:24:14 E9 sshd(pam_unix)[14089]: session opened for user root by > root(uid=0) > Apr 24 22:24:49 E9 MailScanner: MailScanner -15 succeeded > Apr 24 22:25:19 E9 MailScanner: MailScanner shutdown failed > Apr 24 22:25:35 E9 MailScanner: succeeded > Apr 24 22:26:21 E9 MailScanner: MailScanner -15 succeeded > Apr 24 22:26:36 E9 MailScanner: succeeded > > ==> /var/log/maillog <== > Apr 24 22:26:36 E9 MailScanner[14316]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:36 E9 MailScanner[14316]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:37 E9 MailScanner[14316]: Using SpamAssassin results cache > Apr 24 22:26:37 E9 MailScanner[14316]: Connected to SpamAssassin cache > database > Apr 24 22:26:38 E9 MailScanner[14316]: Using locktype = posix > Apr 24 22:26:38 E9 MailScanner[14316]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:41 E9 MailScanner[14322]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:41 E9 MailScanner[14322]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:42 E9 MailScanner[14322]: Using SpamAssassin results cache > Apr 24 22:26:42 E9 MailScanner[14322]: Connected to SpamAssassin cache > database > Apr 24 22:26:43 E9 MailScanner[14322]: Using locktype = posix > Apr 24 22:26:43 E9 MailScanner[14322]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:46 E9 MailScanner[14324]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... 
> Apr 24 22:26:46 E9 MailScanner[14324]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:47 E9 MailScanner[14324]: Using SpamAssassin results cache > Apr 24 22:26:47 E9 MailScanner[14324]: Connected to SpamAssassin cache > database > Apr 24 22:26:48 E9 MailScanner[14324]: Using locktype = posix > Apr 24 22:26:48 E9 MailScanner[14324]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > Apr 24 22:26:51 E9 MailScanner[14326]: MailScanner E-Mail Virus Scanner > version 4.58.9 starting... > Apr 24 22:26:51 E9 MailScanner[14326]: Read 764 hostnames from the > phishing > whitelist > Apr 24 22:26:52 E9 MailScanner[14326]: Using SpamAssassin results cache > Apr 24 22:26:52 E9 MailScanner[14326]: Connected to SpamAssassin cache > database > Apr 24 22:26:53 E9 MailScanner[14326]: Using locktype = posix > Apr 24 22:26:53 E9 MailScanner[14326]: Creating hardcoded struct_flock > subroutine for linux (Linux-type) > > > > chkconfig sendmail --list > sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off > > Thanks, > Alden > > > > ------------------------------ > > Message: 11 > Date: Wed, 25 Apr 2007 16:35:02 +1000 (EST) 
> From: Michael Mansour
> Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow
> To: MailScanner discussion
> Message-ID: <989725.51785.qm@web33303.mail.mud.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Ed,
>
> Ed Bruce wrote: Julian Field wrote:
> >
> > Kapetanakis Giannis wrote:
> >> On Mon, 23 Apr 2007, Martin wrote:
> >
> >>> Arto wrote:
> >>>
> >>>> We had this too. Uninstalling clamav* and installing it again helped.
> >>>>
> >>>> -arto
> >>>>
> >>> Thanks for all replies. Read about this issue on the clamav-list and
> >>> hopefully it will be fixed in the next version.
> >> I have similar problems with clamav myself.
> >
> >> What I did that improved a little bit
> >> was deleting the virus database in /var/lib/clamav/*
> >> and running freshclam again.
> >
> >> Still is very slow. If you try clamscan -debug you will
> >> find out why it is so damn slow....
> >
> >> Clamd works fast on the other hand.
> >> Maybe it should be included officially (clamdscan)
> >> in MailScanner's the next version.
> > Why? I already support the "clamavmodule" which is faster than clamd anyway.
> >
> > Jules
>
> And I haven't noticed any performance degradation with clamavmodule
> since upgrading to 0.90.2.
> Pardon my ignorance Ed, but I'm unfamiliar with clamavmodule, I just use
> the clamscan approach and have also experienced the load shoot up since
> updating to 0.90.2.
>
> Are there any instructions on installing clamavmodule?
>
> If that fixes the load problem I'll be happy to do it.
>
> Thanks.
>
> Michael.
>
>
> Send instant messages to your online friends
> http://au.messenger.yahoo.com
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070425/d577b665/attachment-0001.html
>
> ------------------------------
>
> Message: 12
> Date: Wed, 25 Apr 2007 09:07:11 +0100
> From: "Martin.Hepworth" > Subject: RE: No sendmail processes start when MS starts > To: "MailScanner discussion" > Message-ID: > Content-Type: text/plain; charset="us-ascii" > > Alden > > Try "service MailScanner startin" > > This starts the incoming sendmail. Have a look for errors In the logs - > /var/log/messages and /var/log/maillog. > > Also have a look at the mailscanner rc script and make sure things are > pointing at the correct sendmail configs/binaries etc... > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Alden Levy > > Sent: 25 April 2007 03:30 > > To: mailscanner@lists.mailscanner.info > > Subject: RE: No sendmail processes start when MS starts > > > > : > > : I'd also look in other logs...could this be an SELinux problem? > > : > > : Mike > > : > > : SELinux is disabled. And, yes, I restarted MailScanner after > > : the install. > > : Would that it were so easy! Please keep the ideas and > > : suggestions coming. > > : > > : Thanks, > > : Alden > > : > > > > How about some log entries from /var/log/maillog and /var/log/messages > > at the time of a 'service MailScanner restart'. Just do this: > > > > # service MailScanner restart;tail -f /var/log/maillog > /var/log/message > > > > Paste a bit of those logs and also a ps -ef Might as well throw a > > chkconfig sendmail --list in there too. > > > > Mike > > > > Here you go: > > service MailScanner restart;tail -f /var/log/maillog /var/log/messages > > Shutting down MailScanner: [ OK ] > > Starting MailScanner: [ OK ] > > ==> /var/log/maillog <== > > Apr 24 22:25:55 E9 MailScanner[14241]: Read 764 hostnames from the > > phishing > > whitelist > > Apr 24 22:25:55 E9 MailScanner[14241]: Using SpamAssassin results > cache > > Apr 24 22:25:55 E9 MailScanner[14241]: Connected to SpamAssassin cache > > database > > Apr 24 22:25:57 E9 MailScanner[14241]: Using locktype = posix > > Apr 24 22:25:57 E9 MailScanner[14241]: Creating hardcoded struct_flock > > subroutine for linux (Linux-type) > > Apr 24 22:26:21 E9 MailScanner[14239]: MailScanner child caught a > SIGHUP > > Apr 24 22:26:21 E9 MailScanner[14229]: MailScanner child caught a > SIGHUP > > Apr 24 22:26:21 E9 MailScanner[14237]: MailScanner child caught a > SIGHUP > > Apr 24 22:26:21 E9 MailScanner[14241]: MailScanner child caught a > SIGHUP > > Apr 24 22:26:21 E9 MailScanner[14235]: MailScanner child caught a > SIGHUP > > > > ==> 
/var/log/messages <== > > Apr 24 22:10:01 E9 logger: weblogs: (14070) starting. > > Apr 24 22:10:02 E9 logger: weblogs: (14070) done. > > Apr 24 22:20:01 E9 logger: weblogs: (14080) starting. > > Apr 24 22:20:02 E9 logger: weblogs: (14080) done. > > Apr 24 22:24:14 E9 sshd(pam_unix)[14089]: session opened for user root > by > > root(uid=0) > > Apr 24 22:24:49 E9 MailScanner: MailScanner -15 succeeded > > Apr 24 22:25:19 E9 MailScanner: MailScanner shutdown failed > > Apr 24 22:25:35 E9 MailScanner: succeeded > > Apr 24 22:26:21 E9 MailScanner: MailScanner -15 succeeded > > Apr 24 22:26:36 E9 MailScanner: succeeded > > > > ==> /var/log/maillog <== > > Apr 24 22:26:36 E9 MailScanner[14316]: MailScanner E-Mail Virus > Scanner > > version 4.58.9 starting... > > Apr 24 22:26:36 E9 MailScanner[14316]: Read 764 hostnames from the > > phishing > > whitelist > > Apr 24 22:26:37 E9 MailScanner[14316]: Using SpamAssassin results > cache > > Apr 24 22:26:37 E9 MailScanner[14316]: Connected to SpamAssassin cache > > database > > Apr 24 22:26:38 E9 MailScanner[14316]: Using locktype = posix > > Apr 24 22:26:38 E9 MailScanner[14316]: Creating hardcoded struct_flock > > subroutine for linux (Linux-type) > > Apr 24 22:26:41 E9 MailScanner[14322]: MailScanner E-Mail Virus > Scanner > > version 4.58.9 starting... > > Apr 24 22:26:41 E9 MailScanner[14322]: Read 764 hostnames from the > > phishing > > whitelist > > Apr 24 22:26:42 E9 MailScanner[14322]: Using SpamAssassin results > cache > > Apr 24 22:26:42 E9 MailScanner[14322]: Connected to SpamAssassin cache > > database > > Apr 24 22:26:43 E9 MailScanner[14322]: Using locktype = posix > > Apr 24 22:26:43 E9 MailScanner[14322]: Creating hardcoded struct_flock > > subroutine for linux (Linux-type) > > Apr 24 22:26:46 E9 MailScanner[14324]: MailScanner E-Mail Virus > Scanner > > version 4.58.9 starting... 
> > Apr 24 22:26:46 E9 MailScanner[14324]: Read 764 hostnames from the > > phishing > > whitelist > > Apr 24 22:26:47 E9 MailScanner[14324]: Using SpamAssassin results > cache > > Apr 24 22:26:47 E9 MailScanner[14324]: Connected to SpamAssassin cache > > database > > Apr 24 22:26:48 E9 MailScanner[14324]: Using locktype = posix > > Apr 24 22:26:48 E9 MailScanner[14324]: Creating hardcoded struct_flock > > subroutine for linux (Linux-type) > > Apr 24 22:26:51 E9 MailScanner[14326]: MailScanner E-Mail Virus > Scanner > > version 4.58.9 starting... > > Apr 24 22:26:51 E9 MailScanner[14326]: Read 764 hostnames from the > > phishing > > whitelist > > Apr 24 22:26:52 E9 MailScanner[14326]: Using SpamAssassin results > cache > > Apr 24 22:26:52 E9 MailScanner[14326]: Connected to SpamAssassin cache > > database > > Apr 24 22:26:53 E9 MailScanner[14326]: Using locktype = posix > > Apr 24 22:26:53 E9 MailScanner[14326]: Creating hardcoded struct_flock > > subroutine for linux (Linux-type) > > > > > > > > chkconfig sendmail --list > > sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off > > > > Thanks, > > Alden > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. 
> > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > > > ------------------------------ > > Message: 13 > Date: Wed, 25 Apr 2007 10:49:22 +0100 
> From: Julian Field > Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > To: MailScanner discussion > Message-ID: <462F2422.7060508@ecs.soton.ac.uk> > Content-Type: text/plain; charset="UTF-8" > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Paul Hutchings wrote: > > Newbie talking so feel free to shoot me down in flames :-) > > > > My understanding (from clamscan --debug) is that each time you run > clamscan it appears it has to read the virus patterns, unpack them (to > /tmp), scan the files, remove the files. > > > Correct. > > This is the "probably talking out my bum" bit, but that sounds less > efficient than clamd where (I assume) the daemon loads the definitions > once and each child process doesn't have to do this? > > > The "clamavmodule" method is more efficient as it just communicates > directly with the clam function library and doesn't involve any external > processes at all. The definitions are loaded up once and kept in memory > by the function library. This is also more reliable as there is no > external daemon (clamd) which might crash, or leak memory or other > resources. > > The signature files are monitored and if any of them change at all then > the library is immediately told to re-load the new definitions so it is > always using up to date signatures. > > If you use my latest ClamAV+SA package from www.mailscanner.info, that > will install everything needed to use the "clamavmodule" method and will > even do the configuration for you. > > I hope that explains it to you :-) > > Jules. > > > Cheers, > > Paul > > > > Paul Hutchings > > Network Administrator, MIRA Ltd. > > Tel: 44 (0)24 7635 5378 > > Fax: 44 (0)24 7635 8378 > > mailto:paul.hutchings@mira.co.uk > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Scott Silva > > Sent: 24 April 2007 17:09 > > To: mailscanner@lists.mailscanner.info > > Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > > > > Julian Field spake the following on 4/24/2007 8:52 AM: > > > >> Kapetanakis Giannis wrote: > >> > >>> On Mon, 23 Apr 2007, Martin wrote: > >>> > >>>> Arto wrote: > >>>> > >>>> > >>>>> We had this too. Uninstalling clamav* and installing it again > helped. > >>>>> > >>>>> -arto > >>>>> > >>>>> > >>>> Thanks for all replies. Read about this issue on the clamav-list and > >>>> hopefully it will be fixed in the next version. > >>>> > >>> I have similar problems with clamav myself. > >>> > >>> What I did that improved a little bit > >>> was deleting the virus database in /var/lib/clamav/* > >>> and running freshclam again. > >>> > >>> Still is very slow. If you try clamscan -debug you will > >>> find out why it is so damn slow.... > >>> > >>> Clamd works fast on the other hand. > >>> Maybe it should be included officialy (clamdscan) > >>> in MailScanner's the next version. > >>> > >> Why? I already support the "clamavmodule" which is faster than clamd > anyway. > >> > >> Jules > >> > >> > > Are there any tips on commandline diagnostics for the clamavmodule? > > I have a system that has been choking with the module for 2 weeks, and > the > > mailscanner.conf fix isn't working with it. > > I am running clamav now, but the load is much higher. > > > > I am going to try the tip of clearing the definitions and re-running > freshclam > > to see if that helps. > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: UTF-8 > > wj8DBQFGLyUjEfZZRxQVtlQRAgHmAKDicios1jDH3ARV1ICK/aFwvNhxGQCeLwST > aSDBRADTfsx8XmrCUPCKfIw= > =sWwm > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > > > ------------------------------ > > Message: 14 > Date: Wed, 25 Apr 2007 10:53:12 +0100 
> From: Julian Field > Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > To: MailScanner discussion > Message-ID: <462F2508.3000505@ecs.soton.ac.uk> > Content-Type: text/plain; charset="ISO-8859-1" > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Kapetanakis Giannis wrote: > > On Tue, 24 Apr 2007, Ed Bruce wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> Julian Field wrote: > >>> > >>> > >>> Kapetanakis Giannis wrote: > >>>> On Mon, 23 Apr 2007, Martin wrote: > >>> > >>>> Clamd works fast on the other hand. > >>>> Maybe it should be included officialy (clamdscan) > >>>> in MailScanner's the next version. > >>> Why? I already support the "clamavmodule" which is faster than clamd > >>> anyway. > >>> > >>> Jules > >>> > >> > >> And I haven't noticed any performance degradation with clamavmodule > >> since upgrading to 0.90.2. > > > > Same for me... > > > > I remembered now that I did try clamavmodule. > > The load now is seen in the MailScanner but I guess it is > > the perl module that is being loaded. > > > >> From a little debug I did in clamavscan > > what it does and takes so long is: > > > > Loading the database > > copying the database to /tmp/ > > loading the database from /tmp > > > > It does this for every mail it comes in. > Slight correction: it does it once for every batch. > > > > How does clamavmodule handle the db? > > > > Clamd only loads the db once. > clamavmodule loads the db once at startup. It then monitors the > signature files and instantly reloads the db if the signatures files > change at all. > > > > Giannis > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGLyUlEfZZRxQVtlQRAhm5AJ4p6bnCBNLPT8vl8aDKsfxBRrxPqACgnHxB > 8yt9xZuLY9J8fq6e0jv2E0M= > =Ot+1 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > > > ------------------------------ > > Message: 15 > Date: Wed, 25 Apr 2007 10:54:32 +0100 
> From: Julian Field > Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > To: MailScanner discussion > Message-ID: <462F2558.3060802@ecs.soton.ac.uk> > Content-Type: text/plain; charset="ISO-8859-1" > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Michael Mansour wrote: > > Hi Ed, > > > > */Ed Bruce /* wrote: > > > > Julian Field wrote: > > > > > > Kapetanakis Giannis wrote: > > >> On Mon, 23 Apr 2007, Martin wrote: > > > > > >>> Arto wrote: > > >>> > > >>>> We had this too. Uninstalling clamav* and installing it again > > helped. > > >>>> > > >>>> -arto > > >>>> > > >>> Thanks for all replies. Read about this issue on the > > clamav-list and > > >>> hopefully it will be fixed in the next version. > > >> I have similar problems with clamav myself. > > > > > >> What I did that improved a little bit > > >> was deleting the virus database in /var/lib/clamav/* > > >> and running freshclam again. > > > > > >> Still is very slow. If you try clamscan -debug you will > > >> find out why it is so damn slow.... > > > > > >> Clamd works fast on the other hand. > > >> Maybe it should be included officialy (clamdscan) > > >> in MailScanner's the next version. > > > Why? I already support the "clamavmodule" which is faster than > > clamd anyway. > > > > > > Jules > > > > And I haven't noticed any performance degradation with clamavmodule > > since upgrading to 0.90.2. > > > > Pardon my ignorance Ed, but I'm unfamiliar with clamavmodule, I just > > use the clamscan approach and have also experienced the load shoot up > > since updating to 0.90.2. > > > > Are there any instructions on installing clamavmodule? > Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead > simple. > > > > If that fixes the load problem I'll be happy to do it. > > > > Thanks. > > > > Michael. 
> > > > Send instant messages to your online friends > > http://au.messenger.yahoo.com > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.0 (Build 214) > Charset: ISO-8859-1 > > wj8DBQFGLyVlEfZZRxQVtlQRAmBuAJ0YKR63Xsqlk9+XxqKnMkQqcOF41ACeKKeP > wAk5atE53YSjXciVUNDdYTs= > =YhPX > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > > > ------------------------------ > > Message: 16 > Date: Wed, 25 Apr 2007 12:26:58 +0200 (CEST) 
> From: "Mogens Melander" > Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > To: "MailScanner discussion" > Message-ID: > <1202.90.184.17.152.1177496818.squirrel@mail.fumlersoft.dk> > Content-Type: text/plain;charset=utf-8 > > Hi all, > > >> Are there any instructions on installing clamavmodule? > > Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead > > simple. > > I'm using openprotect w/ clamav. Would i be able to install > this "easy-to-use ClamAV+SA package" on top of openprotect, > and live to tell about it ? > > > -- > Later > > Mogens Melander > +45 40 85 71 38 > +66 870 133 224 > > > > > -- > This message has been scanned for viruses and > dangerous content by OpenProtect(http://www.openprotect.com), and is > believed to be clean. > > > > ------------------------------ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read the Wiki (http://wiki.mailscanner.info/). > > Support MailScanner development - buy the book off the website! > > > End of MailScanner Digest, Vol 16, Issue 38 > ******************************************* > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. 
Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From drew at technologytiger.net Thu Apr 26 13:47:44 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Thu Apr 26 13:47:52 2007
Subject: quarantined HAM in queue files
In-Reply-To: <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com>
References: <00a801c78785$c40c77a0$0202fea9@zokahnt42>
 <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com>
 <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com>
 <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com>
 <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com>
 <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net>
 <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com>
Message-ID: <35730.194.70.180.170.1177591664.squirrel@www.technologytiger.net>

On Thu, April 26, 2007 13:33, Glenn Steen wrote:
> True for the "normal" quarantine Drew... But I think Bart is looking
> at the spam quarantine, where he just has the queue file (if
> quarantining non-queue files, it'd be the RFC822-decoded message in a
> file named .). So... We're not (hopefully)
> completely wrong:-).

Oops. Spam quarantine, not virus. Fair point.

>
> Hm. Might it actually be an RFC822 file? Easy enough to check with a
> regular pager like less, and possibly postcat. ... In which case the
> advice about using sendmail (the convenience command) or similar tool
> would come into play (from the wiki doc).

I was wondering that too... Time will tell, methinks :-)

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From jan-peter at koopmann.eu Thu Apr 26 14:41:13 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Thu Apr 26 14:39:09 2007
Subject: MailScanner Digest, Vol 16, Issue 38
In-Reply-To: <48a8423663c33244b6cd03e47f3cd057@solidstatelogic.com>
References: <48a8423663c33244b6cd03e47f3cd057@solidstatelogic.com>
Message-ID:

On Thursday, April 26, 2007 2:44 PM Martin.Hepworth wrote:
> Due to the main MailScanner developer being extremely busy with his
> day job (hence the delay between 4.57 and 4.58) and then him being
> extremely sick in hospital for several weeks (hence no sign of a 4.59
> release).

Are there MailScanner developers besides Julian? :-)

Kind regards,
Jan-Peter Koopmann

From Richard.Frovarp at sendit.nodak.edu Thu Apr 26 14:40:27 2007
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Apr 26 14:40:31 2007
Subject: ClamAVModule Oversized.Zip
In-Reply-To: <7C39A4A7-F416-4A3E-89EA-A499757B4FCE@phonedir.com>
References: <2F944552-8F2B-4D53-A69D-6D3D83B4F1CE@phonedir.com>
 <7C39A4A7-F416-4A3E-89EA-A499757B4FCE@phonedir.com>
Message-ID: <4630ABCB.30704@sendit.nodak.edu>

Dan Farmer wrote:
> On Apr 25, 2007, at 2:47 PM, Dan Farmer wrote:
>
>> installed versions (i know they're a bit behind):
>> MailScanner-4.58.9-1
>> install-Clam-0.88.7-SA-3.1.8
>> 0.17 Mail::ClamAV
>
> Well, as I was fishing around more I just hit a whole mess of messages
> from people having this issue with 0.88.7 when it came out and they
> did not find any solution (other than reverting back to 0.88.6) in the
> threads.
>
> I've reverted back to clamav for now until I can upgrade to the newer
> versions.

I ran into this problem as well. The ratio that clamscan was reporting
was only 3, and I was using defaults from clamavmodule. My solution was
to go back to clamav. Upgrading to 0.90.2 fixed the problem and I am
using clamavmodule again. There is a security issue scanning .cab files
with pretty much everything before 0.90.2, which is what prompted me to
do the upgrade.

From daniel.maher at ubisoft.com Thu Apr 26 15:32:31 2007
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Thu Apr 26 15:32:36 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204CA80BC@UBIMAIL1.ubisoft.org>

> Clamd must have access to files you want to scan.
> I have
> Incoming Work Permissions = 0640
> Incoming Work Group = clamav
> Incoming Work User =
>
> Does the user and the group clamav exist in your system?
> Under what privileges does clamd runs?
>
> Don't have a clue of what might changing the permission back
> to clamav:root
>

I have:
Incoming Work Permissions = 0640
Incoming Work User = postfix
Incoming Work Group = clamv

The clamav user and group both exist. As well, postfix and clamav are
in each other's groups. Clamd runs as clamav.

--
  _
 °v°   Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

"How can a man choose between Fresh and Fly? And believe me, there IS a
difference." - Crack Stuntman, 2007.

From rob at dido.ca Thu Apr 26 16:11:04 2007
From: rob at dido.ca (Rob Morin)
Date: Thu Apr 26 16:11:08 2007
Subject: Slow batch processing
Message-ID: <4630C108.9050300@dido.ca>

Hello all, it seems MS takes about 488 seconds to process a batch of 30
messages, do not know why its taking long now... i removed one of the
RBLs to speed it up

i have a backup of emails now... any idea.....???

I am running the latest MS

Thanks....

--
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

From edward.prendergast at netring.co.uk Thu Apr 26 16:20:41 2007
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Thu Apr 26 16:20:51 2007
Subject: Slow batch processing
In-Reply-To: <4630C108.9050300@dido.ca>
Message-ID: <200704261520.l3QFKmpA030530@safir.blacknight.ie>

How many MailScanner processes are you running? What hardware are you on?
How many messages do you process a day on average?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
Sent: 26 April 2007 16:11
To: MailScanner discussion
Subject: Slow batch processing

Hello all, it seems MS takes about 488 seconds to process a batch of 30
messages, do not know why its taking long now... i removed one of the
RBLs to speed it up

i have a backup of emails now... any idea.....???

I am running the latest MS

Thanks....

--
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

The information in this email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this
email by anyone else is unauthorised. If you are not the intended
recipient, any action taken or omitted to be taken in reliance on it,
any form of reproduction, dissemination, copying, disclosure,
modification, distribution and/or publication of this E-mail message is
strictly prohibited and may be unlawful. If you have received this
E-mail message in error, please notify us immediately. Please also
destroy and delete the message from your computer.

From uxbod at splatnix.net Thu Apr 26 16:24:31 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Apr 26 16:24:59 2007
Subject: Slow batch processing
In-Reply-To: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
References: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
Message-ID: <50f2414b17a20f7f935061b226627cf7@62.49.223.244>

Are you using FuzzyOCR or any other Spam Image recognition software ?

On Thu, 26 Apr 2007 16:20:41 +0100, "Edward Prendergast" wrote:
> How many MailScanner processes are you running? What hardware are you on?
> How many messages do you process a day on average?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> Sent: 26 April 2007 16:11
> To: MailScanner discussion
> Subject: Slow batch processing
>
> Hello all, it seems MS takes about 488 seconds to process a batch of 30
> messages, do not know why its taking long now... i removed one of the
> RBLs to speed it up
>
> i have a backup of emails now... any idea.....???
>
> I am running the latest MS
>
> Thanks....
>
> --
>
> Rob Morin
> Dido InterNet Inc.
> Montreal, Canada
> Http://www.dido.ca
> 514-990-4444
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
>
>
>
>
> The information in this email is confidential and may be legally
> privileged.
> It is intended solely for the addressee. Access to this email by anyone
> else
> is unauthorised. If you are not the intended recipient, any action taken
> or
> omitted to be taken in reliance on it, any form of reproduction,
> dissemination, copying, disclosure, modification, distribution and/or
> publication of this E-mail message is strictly prohibited and may be
> unlawful. If you have received this E-mail message in error, please notify
> us immediately. Please also destroy and delete the message from your
> computer.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From paul at blacknight.ie Thu Apr 26 16:28:21 2007
From: paul at blacknight.ie (Paul Kelly :: Blacknight Solutions)
Date: Thu Apr 26 16:27:48 2007
Subject: Slow batch processing
In-Reply-To: <4630C108.9050300@dido.ca>
References: <4630C108.9050300@dido.ca>
Message-ID: <4630C515.7030400@blacknight.ie>

Rob Morin wrote:
> Hello all, it seems MS takes about 488 seconds to process a batch of 30
> messages, do not know why its taking long now... i removed one of the
> RBLs to speed it up
>
> i have a backup of emails now... any idea.....???
>

Are you using sendmail? Have you got milter-ahead? Are you using
greylisting? Are all the mails or a large percentage of them heading for
1 domain name or 1 e-mail address? Is your name server that is set in
/etc/resolv.conf slow to do dns lookups? What rules have you got in SA?

You can run:

iptables -A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 25 -j REJECT

to stop inbound mail for a time while mailscanner gets on with its job.

iptables -D INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 25 -j REJECT

will remove the rule.

How much mail is there in the back log? Most I've ever had to deal with
was around 240k messages ....

Paul

> I am running the latest MS
>
> Thanks....
>

--
Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Lo-call: 1850 927 280
DDI: 059 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A,Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845

From rob at dido.ca Thu Apr 26 16:46:18 2007
From: rob at dido.ca (Rob Morin)
Date: Thu Apr 26 16:46:22 2007
Subject: Slow batch processing
In-Reply-To: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
References: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
Message-ID: <4630C94A.40904@dido.ca>

I run the default set up when i installed MS, It runs on a AMD 3500
with 1 gig of ram we process about 10,000 emails a day....

I did have a problem with RBL for SBL+XBL, getting 7 of 10 tries i can
not get to that site for some reason, so now i just have this one in
it.... NJABL

However its still kind of slow... i did not have this issue in the
past.... it always ran just fine as MS normally does! :)

Thanks for replying so quickly..

Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

Edward Prendergast wrote:
> How many MailScanner processes are you running? What hardware are you on?
> How many messages do you process a day on average?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> Sent: 26 April 2007 16:11
> To: MailScanner discussion
> Subject: Slow batch processing
>
> Hello all, it seems MS takes about 488 seconds to process a batch of 30
> messages, do not know why its taking long now... i removed one of the
> RBLs to speed it up
>
> i have a backup of emails now... any idea.....???
>
> I am running the latest MS
>
> Thanks....
>
>

From bilias at edu.physics.uoc.gr Thu Apr 26 16:48:13 2007
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Thu Apr 26 16:48:27 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CA80BC@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA80BC@UBIMAIL1.ubisoft.org>
Message-ID:

On Thu, 26 Apr 2007, Daniel Maher wrote:

> Incoming Work Permissions = 0640
> Incoming Work User = postfix
> Incoming Work Group = clamv
Is this ok ?            ^^^^^

It should be clamav instead of clamv

Giannis

From rob at dido.ca Thu Apr 26 16:57:00 2007
From: rob at dido.ca (Rob Morin)
Date: Thu Apr 26 16:57:03 2007
Subject: Slow batch processing
In-Reply-To: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
References: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
Message-ID: <4630CBCC.4040505@dido.ca>

It seems MS is silently dying.... there will be nothing in the logs that
shows its working... only incoming connections.... i see MS in a ps like
this...

MailScanner: master waiting for children, sleeping
6785 ? S 0:09 MailScanner: cleaning messages
6815 ? Ss 0:00 /var/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
6816 ? Sl 0:00 /var/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
6853 ? S 0:08 MailScanner: cleaning messages
6904 ? S 0:09 MailScanner: cleaning messages
6929 ? S 0:08 MailScanner: cleaning messages
7022 ? S 0:07 MailScanner: cleaning messages

However there is nothing going on .... i ran the check_mailscanner and
still nothing, any ideas?

Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

Edward Prendergast wrote:
> How many MailScanner processes are you running? What hardware are you on?
> How many messages do you process a day on average?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> Sent: 26 April 2007 16:11
> To: MailScanner discussion
> Subject: Slow batch processing
>
> Hello all, it seems MS takes about 488 seconds to process a batch of 30
> messages, do not know why its taking long now... i removed one of the
> RBLs to speed it up
>
> i have a backup of emails now... any idea.....???
>
> I am running the latest MS
>
> Thanks....
>
>

From Richard.Frovarp at sendit.nodak.edu Thu Apr 26 16:59:43 2007
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Apr 26 16:59:47 2007
Subject: Slow batch processing
In-Reply-To: <4630C94A.40904@dido.ca>
References: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
 <4630C94A.40904@dido.ca>
Message-ID: <4630CC6F.2050402@sendit.nodak.edu>

Rob Morin wrote:
> I run the default set up when i installed MS, It runs on a AMD 3500
> with 1 gig of ram we process about 10,000 emails a day....
>
> I did have a problem with RBL for SBL+XBL, getting 7 of 10 tries i can
> not get to that site for some reason, so now i just have this one in
> it.... NJABL
>
> However its still kind of slow... i did not have this issue in the
> past.... it always ran just fine as MS normally does! :)
>
> Thanks for replying so quickly..
>
>
> Rob Morin
> Dido InterNet Inc.
> Montreal, Canada
> Http://www.dido.ca
> 514-990-4444
>
>
>
> Edward Prendergast wrote:
>> How many MailScanner processes are you running? What hardware are you
>> on?
>> How many messages do you process a day on average?
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob
>> Morin
>> Sent: 26 April 2007 16:11
>> To: MailScanner discussion
>> Subject: Slow batch processing
>>
>> Hello all, it seems MS takes about 488 seconds to process a batch of
>> 30 messages, do not know why its taking long now... i removed one of
>> the RBLs to speed it up
>>
>> i have a backup of emails now... any idea.....???
>>
>> I am running the latest MS
>>
>> Thanks....
>>
>>

Are you actively swapping? Run vmstat 5

I take it you don't run Razor, Pyzor, or DCC? I would check the status
of your caching name server.

From rob at dido.ca Thu Apr 26 17:01:43 2007
From: rob at dido.ca (Rob Morin)
Date: Thu Apr 26 17:01:47 2007
Subject: Slow batch processing
In-Reply-To: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
References: <200704261520.l3QFKmpA030530@safir.blacknight.ie>
Message-ID: <4630CCE7.6050908@dido.ca>

If i kill -9 all processes i see in a PS and then run check_mailscanner
i see it come up in the logs and it starts processing ....

Apr 26 12:04:33 peter MailScanner[9079]: MailScanner E-Mail Virus Scanner version 4.53.3 starting...
Apr 26 12:04:33 peter MailScanner[9079]: Read 764 hostnames from the phishing whitelist
Apr 26 12:04:34 peter MailScanner[9079]: Using SpamAssassin results cache
Apr 26 12:04:34 peter MailScanner[9079]: Connected to SpamAssassin cache database
Apr 26 12:04:34 peter MailScanner[9079]: Expired 203 records from the SpamAssassin cache
Apr 26 12:04:34 peter MailScanner[9079]: Enabling SpamAssassin auto-whitelist functionality...
Apr 26 12:04:39 peter MailScanner[9079]: I have found clamavmodule scanners installed, and will use them all by default.
Apr 26 12:04:42 peter MailScanner[9079]: Using locktype = flock
Apr 26 12:04:42 peter MailScanner[9079]: New Batch: Found 269 messages waiting
Apr 26 12:04:42 peter MailScanner[9079]: New Batch: Scanning 30 messages, 1090577 bytes
Apr 26 12:04:42 peter MailScanner[9079]: Spam Checks: Starting

Any ideas as to why it gets stuck? or dies?

Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

Edward Prendergast wrote:
> How many MailScanner processes are you running? What hardware are you on?
> How many messages do you process a day on average?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> Sent: 26 April 2007 16:11
> To: MailScanner discussion
> Subject: Slow batch processing
>
> Hello all, it seems MS takes about 488 seconds to process a batch of 30
> messages, do not know why its taking long now... i removed one of the
> RBLs to speed it up
>
> i have a backup of emails now... any idea.....???
>
> I am running the latest MS
>
> Thanks....
>
>

From martinh at solidstatelogic.com Thu Apr 26 17:05:36 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Apr 26 17:05:59 2007
Subject: Slow batch processing
In-Reply-To: <4630CCE7.6050908@dido.ca>
Message-ID: <39fde75169a87d44893e9649f8b46c89@solidstatelogic.com>

Rob

Sendmail MTA? If you're using sendmail 8.13 the lock type should be
posix....

Also try lowering the batch size...

Another thing to try is stop mailscanner then run "mailscanner -debug"
and it may give some more clues as to what's going on.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> Sent: 26 April 2007 17:02
> To: MailScanner discussion
> Subject: Re: Slow batch processing
>
> If i kill -9 all processes i see in a PS and then run check_mailscanner
> i see it come up in the logs and it starts processing ....
>
> Apr 26 12:04:33 peter MailScanner[9079]: MailScanner E-Mail Virus Scanner version 4.53.3 starting...
> Apr 26 12:04:33 peter MailScanner[9079]: Read 764 hostnames from the phishing whitelist
> Apr 26 12:04:34 peter MailScanner[9079]: Using SpamAssassin results cache
> Apr 26 12:04:34 peter MailScanner[9079]: Connected to SpamAssassin cache database
> Apr 26 12:04:34 peter MailScanner[9079]: Expired 203 records from the SpamAssassin cache
> Apr 26 12:04:34 peter MailScanner[9079]: Enabling SpamAssassin auto-whitelist functionality...
> Apr 26 12:04:39 peter MailScanner[9079]: I have found clamavmodule scanners installed, and will use them all by default.
> Apr 26 12:04:42 peter MailScanner[9079]: Using locktype = flock
> Apr 26 12:04:42 peter MailScanner[9079]: New Batch: Found 269 messages waiting
> Apr 26 12:04:42 peter MailScanner[9079]: New Batch: Scanning 30 messages, 1090577 bytes
> Apr 26 12:04:42 peter MailScanner[9079]: Spam Checks: Starting
>
> Any ideas as to why it gets stuck? or dies?
>
> Rob Morin
> Dido InterNet Inc.
> Montreal, Canada
> Http://www.dido.ca
> 514-990-4444
>
>
>
> Edward Prendergast wrote:
> > How many MailScanner processes are you running? What hardware are you on?
> > How many messages do you process a day on average?
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> > Sent: 26 April 2007 16:11
> > To: MailScanner discussion
> > Subject: Slow batch processing
> >
> > Hello all, it seems MS takes about 488 seconds to process a batch of 30
> > messages, do not know why its taking long now... i removed one of the
> > RBLs to speed it up
> >
> > i have a backup of emails now... any idea.....???
> >
> > I am running the latest MS
> >
> > Thanks....
> >
> >
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From daniel.maher at ubisoft.com Thu Apr 26 17:15:01 2007
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Thu Apr 26 17:15:07 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204CA82B0@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kapetanakis Giannis
> Sent: April 26, 2007 11:48 AM
> To: MailScanner discussion
> Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow
>
> On Thu, 26 Apr 2007, Daniel Maher wrote:
>
> > Incoming Work Permissions = 0640
> > Incoming Work User = postfix
> > Incoming Work Group = clamv
> Is this ok ?            ^^^^^
> It should be clamav instead of clamv
>

Well, colour me embarrassed. That's clearly the problem.

Let this be a lesson to all: double-check your syntax. :P

--
 _
°v°   Daniel Maher
/(_)\  Administrateur Système Unix
^ ^   Unix System Administrator

"How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007.

From steve.freegard at fsl.com Thu Apr 26 17:41:26 2007
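The typo caught in the message above (Incoming Work Group = clamv instead of clamav) is the kind of error a check run before restarting MailScanner can catch. The script below is an added example, not part of the original thread and not MailScanner code; the function names are hypothetical, the sample configuration is constructed from the three settings quoted above, and it assumes the scanner daemon reads the work directory through the configured group.

```python
"""Pre-restart check for the MailScanner.conf work-directory settings.

Added example. The key names are the three quoted in the thread; treating
keys as case- and spacing-insensitive is this script's own choice, and the
lookup functions are injectable so the check can be tested offline.
"""
import grp
import pwd

# Constructed sample: the three settings as quoted in the thread.
SAMPLE_CONF = """\
# MailScanner.conf excerpt (constructed)
Incoming Work Permissions = 0640
Incoming Work User = postfix
Incoming Work Group = clamv
"""


def parse_conf(text):
    """Return {normalised key: value} for every 'Key = Value' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[" ".join(key.lower().split())] = value.strip()
    return settings


def system_user_exists(name):
    """True if the local account database knows this user name."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def system_group_exists(name):
    """True if the local group database knows this group name."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def check_work_settings(settings, user_exists=system_user_exists,
                        group_exists=system_group_exists):
    """Return a list of problems; an empty list means the settings resolve."""
    problems = []
    user = settings.get("incoming work user")
    group = settings.get("incoming work group")
    perms = settings.get("incoming work permissions")

    if user and not user_exists(user):
        problems.append(f"Incoming Work User '{user}' is not a local account")
    if group and not group_exists(group):
        problems.append(f"Incoming Work Group '{group}' is not a local group")
    if perms:
        try:
            mode = int(perms, 8)
        except ValueError:
            problems.append(f"Incoming Work Permissions '{perms}' is not octal")
        else:
            # Assumption: the scanner daemon reads the files via the group.
            if group and not mode & 0o040:
                problems.append(f"mode {perms} gives the group no read access")
    return problems


if __name__ == "__main__":
    for problem in check_work_settings(parse_conf(SAMPLE_CONF)):
        print("PROBLEM:", problem)
```

A check like this only catches names that do not resolve; sending the Eicar test string through the server, as described elsewhere in this thread, remains the end-to-end proof that mail is being scanned.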
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Apr 26 17:41:29 2007
Subject: Slow batch processing
In-Reply-To: <4630CBCC.4040505@dido.ca>
References: <200704261520.l3QFKmpA030530@safir.blacknight.ie> <4630CBCC.4040505@dido.ca>
Message-ID: <4630D636.7000608@fsl.com>

Rob Morin wrote:
> It seems MS is silently dying.... there will be nothing in the logs that
> shows its working... only incoming connections.... i see MS in a ps like
> this...
>
> MailScanner: master waiting for children, sleeping
> 6785 ? S 0:09 MailScanner: cleaning messages
> 6815 ? Ss 0:00 /var/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
> 6816 ? Sl 0:00 /var/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
> 6853 ? S 0:08 MailScanner: cleaning messages
> 6904 ? S 0:09 MailScanner: cleaning messages
> 6929 ? S 0:08 MailScanner: cleaning messages
> 7022 ? S 0:07 MailScanner: cleaning messages
>
> However there is nothing going on .... i ran the check_mailscanner and
> still nothing, any ideas?

Post the output of 'MailScanner --debug' - that will most likely show what is going wrong here.

Kind regards,
Steve.

From ssilva at sgvwater.com Thu Apr 26 18:15:08 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Apr 26 18:15:31 2007
Subject: MailScanner Digest, Vol 16, Issue 38
In-Reply-To:
References: <48a8423663c33244b6cd03e47f3cd057@solidstatelogic.com>
Message-ID:

Koopmann, Jan-Peter spake the following on 4/26/2007 6:41 AM:
> On Thursday, April 26, 2007 2:44 PM Martin.Hepworth wrote:
>
>> Due to the main MailScanner developer being extremely busy with his
>> day job (hence the delay between 4.57 and 4.58) and then him being
>> extremely sick in hospital for several weeks (hence no sign of a 4.59
>> release).
>
> Are there MailScanner developers besides Julian? :-)
>
There are contributors, but Julian is the developer. All additions to the official code go through him.
Patches -- That is another matter. You can add or change anything you want in "your" copy of the code... The beauty of open source software.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dnsadmin at 1bigthink.com Thu Apr 26 18:24:48 2007
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Thu Apr 26 18:25:07 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CA82B0@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA82B0@UBIMAIL1.ubisoft.org>
Message-ID: <200704261725.l3QHP51X025680@mxt.1bigthink.com>

At 12:15 PM 4/26/2007, you wrote:
> > On Thu, 26 Apr 2007, Daniel Maher wrote:
> >
> > > Incoming Work Permissions = 0640
> > > Incoming Work User = postfix
> > > Incoming Work Group = clamv
> > Is this ok ?            ^^^^^
> > It should be clamav instead of clamv
> >
>
>Well, colour me embarrassed. That's clearly the problem.
>
>Let this be a lesson to all: double-check your syntax. :P

Bin Dere! Dun dat!

Cheers,
Glenn

From itdept at fractalweb.com Thu Apr 26 18:31:25 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Apr 26 18:31:54 2007
Subject: joe-jobbed, block 'undeliverable' messages?
In-Reply-To: <25a66d840704252111q736d3c35lf13afedd35890242@mail.gmail.com>
References: <462FF36D.5020608@fractalweb.com> <25a66d840704252111q736d3c35lf13afedd35890242@mail.gmail.com>
Message-ID: <4630E1ED.80900@fractalweb.com>

am.lists wrote:
> Typically, these joe-jobs are from non-existing email addresses (e.g.
> asdfasdf at victimdomain.tld). When the non-delivery report is
> returned, it's attempted to be sent to that address, which doesn't
> exist. If you were using Postfix, you could use
> reject_unverified_recipient in the smtpd_recipient_restrictions
> section of main.cf.
>
> This way, you'd flat out reject any message to asdfasdf at the MTA,
> keeping your MailScanner from never even seeing it.
>
> If you think this might work for you (e.g. you are using Postfix) I can give
> you more info about my particular setup (there's a little more to it
> than that one line).

Angelo,

Thanks for the response, but unfortunately, this one was people's real email addresses (several of them) that were joe-jobbed. The web designer thought it would be a "good idea" to have a company directory and post everyone's email addresses for this domain on the company's website and did so in plain text using the dave@exampledomain.com format, without even attempting to obfuscate the links. He's been appropriately whipped by management.

Thanks though.

Chris

From itdept at fractalweb.com Thu Apr 26 18:32:03 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Apr 26 18:32:34 2007
Subject: joe-jobbed, block 'undeliverable' messages?
In-Reply-To: <20070426130020.1zkijj7nuo8gk8o4@mail.netmagicsolutions.com>
References: <462FF36D.5020608@fractalweb.com> <20070426130020.1zkijj7nuo8gk8o4@mail.netmagicsolutions.com>
Message-ID: <4630E213.7070203@fractalweb.com>

Dhawal Doshy wrote:
> For sendmail:
> Julian suggested 'milter-null' a few days back to someone with a
> similar problem..

Hi Dhawal,

I'll look in to milter-null. Thanks.

Chris

From itdept at fractalweb.com Thu Apr 26 18:39:35 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Apr 26 18:40:00 2007
Subject: sendmail vuln
In-Reply-To:
References: <9cc4c72a189cd641acb1987a76a379b4@solidstatelogic.com>
Message-ID: <4630E3D7.5030202@fractalweb.com>

Res wrote:
> If you're running anything that old then you deserve trouble (and to lose
> your damn job)

Res,

I bet there are an unbelievable number of servers out there still running very old stuff. Pretty much anything where people rent a "dedicated server" from an ISP that comes with a friendly gui control panel (ensim, cpanel, plesk, etc.) is likely never updated.

Chris

From ssilva at sgvwater.com Thu Apr 26 19:38:34 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Apr 26 19:38:57 2007
Subject: sendmail vuln
In-Reply-To: <4630E3D7.5030202@fractalweb.com>
References: <9cc4c72a189cd641acb1987a76a379b4@solidstatelogic.com> <4630E3D7.5030202@fractalweb.com>
Message-ID:

Chris Yuzik spake the following on 4/26/2007 10:39 AM:
> Res wrote:
>> If you're running anything that old then you deserve trouble (and to lose
>> your damn job)
> Res,
>
> I bet there are an unbelievable number of servers out there still
> running very old stuff. Pretty much anything where people rent a
> "dedicated server" from an ISP that comes with a friendly gui control
> panel (ensim, cpanel, plesk, etc.) is likely never updated.
>
> Chris
>
But those are the people that don't read the security announcements!
They also probably have Windows spambots running on their home broadband.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Thu Apr 26 20:43:20 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 26 20:44:07 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>
Message-ID: <463100D8.4040706@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What's wrong with just using clamavmodule? You need to use Mail::ClamAV 0.20 with ClamAV 0.90 and later, which is all included in my ClamAV+SA package.

I don't understand the sudden rush to clamd at all. Can someone explain to me please?

Jules.

Daniel Maher wrote:
>> I think I discovered the patches in this same list.
>> Anyway I'll post them again (wrapper might be slightly
>> modified -- I don't remember)
>>
>> Apply SweepViruses.patch:
>>
>
>> clamav-0.90.2/contrib/clamdwatch
>> There are install instructions there
>>
>> That's all.
>> I don't remember doing something else,
>> apart from telling the system that clamd
>> should be running on system reboot.
>>
>> Good luck
>>
>> Giannis
>> ps. This configuration works for me,
>> Apply at your own risk.
>>
>
>
> Thank you for your prompt and informative reply! Unfortunately, it "didn't work". :( I followed all of the steps, including the wrapper, lint, and debug tests, and everything appeared to be ok.
>
> When I restarted MailScanner with "clamd" as the Virus Scanner, all continued to appear well. Messages were coming in, getting processed, ostensibly scanned, and passed along. However, the load had dropped /so much/ compared to clamscan that I became suspicious. I sent a handful of messages with either the Eicar test string, or the Eicar zip file, through the mail server. They passed through cleanly, without so much as a warning.
>
> Clearly, messages were /not/ getting scanned by clamd. I re-enabled clamscan, and sent the same Eicar test messages again; this time, they were identified as normal.
>
> After some investigation, I noticed that the Incoming Work Dir was not owned by the proper group, as defined by: Incoming Work Group = clamv
> I chgrp -R'd the directory, and tried again, but to my surprise, when I restarted MailScanner, ownership reverted to postfix.root !
>
> Does anybody have any idea why the permissions on the Incoming Work Dir are not being set properly, and what might be changing them? Furthermore, does this even seem to be the reason why clamd wasn't able to scan incoming mail?
>
> As always, I appreciate any commentary or feedback. Thank you.
>
>
> --
>  _
> °v°   Daniel Maher
> /(_)\  Administrateur Système Unix
> ^ ^   Unix System Administrator
>
> "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007.
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.0 (Build 214)
Charset: ISO-8859-1

wj8DBQFGMQDoEfZZRxQVtlQRAn24AKDvOTrRWjRHvomuAo1wlm7JMNJPggCeLqiR
q21vz1UsL5M/xdrS0QwU/9w=
=P6hp
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Apr 26 20:46:10 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 26 20:48:53 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To:
References: <989725.51785.qm@web33303.mail.mud.yahoo.com> <462F2558.3060802@ecs.soton.ac.uk>
Message-ID: <46310182.8010905@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Silva wrote:
>>> Are there any instructions on installing clamavmodule?
>>>
>> Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead
>> simple.
>>
>>> If that fixes the load problem I'll be happy to do it.
>>>
> Anybody have any commandline tests for clamavmodule? I have a system that it
> isn't working on since the last upgrade.
>
Have you upgraded the Mail::ClamAV module as well to 0.20?;

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.0 (Build 214)
Charset: UTF-8

wj8DBQFGMQIUEfZZRxQVtlQRAk/BAJ9l4zulL6iA05+Fg5ArZnbiAmwtpgCfYgHB
Yc/E3DfcVw3IgCFkH4T5cCw=
=LCWb
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From rich at mail.wvnet.edu Thu Apr 26 21:27:02 2007
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Thu Apr 26 21:27:06 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <463100D8.4040706@ecs.soton.ac.uk>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org> <463100D8.4040706@ecs.soton.ac.uk>
Message-ID: <46310B16.50603@mail.wvnet.edu>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What's wrong with just using clamavmodule? You need to use Mail::ClamAV
> 0.20 with ClamAV 0.90 and later, which is all included in my ClamAV+SA
> package.
>
> I don't understand the sudden rush to clamd at all. Can someone explain
> to me please?
>
> Jules.
>
The only advantage I see is that it's all maintained by a single source. That is, the ClamAV team maintains clamd and clamdscan together. There's no third party perl package that may not be up to date. I don't know if there's a performance improvement one way or the other. It's conceivable that clamdscan/clamd performs better in a multiprocessor environment by spreading the load across other processors. It's just as possible that the overhead of the communications between the two costs too much to justify doing it that way.

I would probably suggest that clamdscan/clamd always be used instead of just clamscan. From what I've seen using clamscan alone is the worst possible case performance wise.

Rich
>
> Daniel Maher wrote:
>
>>> I think I discovered the patches in this same list.
>>> Anyway I'll post them again (wrapper might be slightly
>>> modified -- I don't remember)
>>>
>>> Apply SweepViruses.patch:
>>>
>>
>>> clamav-0.90.2/contrib/clamdwatch
>>> There are install instructions there
>>>
>>> That's all.
>>> I don't remember doing something else,
>>> apart from telling the system that clamd
>>> should be running on system reboot.
>>>
>>> Good luck
>>>
>>> Giannis
>>> ps. This configuration works for me,
>>> Apply at your own risk.
>>>
>>>
>> Thank you for your prompt and informative reply! Unfortunately, it "didn't work". :( I followed all of the steps, including the wrapper, lint, and debug tests, and everything appeared to be ok.
>>
>> When I restarted MailScanner with "clamd" as the Virus Scanner, all continued to appear well. Messages were coming in, getting processed, ostensibly scanned, and passed along. However, the load had dropped /so much/ compared to clamscan that I became suspicious. I sent a handful of messages with either the Eicar test string, or the Eicar zip file, through the mail server. They passed through cleanly, without so much as a warning.
>>
>> Clearly, messages were /not/ getting scanned by clamd. I re-enabled clamscan, and sent the same Eicar test messages again; this time, they were identified as normal.
>>
>> After some investigation, I noticed that the Incoming Work Dir was not owned by the proper group, as defined by: Incoming Work Group = clamv
>> I chgrp -R'd the directory, and tried again, but to my surprise, when I restarted MailScanner, ownership reverted to postfix.root !
>>
>> Does anybody have any idea why the permissions on the Incoming Work Dir are not being set properly, and what might be changing them? Furthermore, does this even seem to be the reason why clamd wasn't able to scan incoming mail?
>>
>> As always, I appreciate any commentary or feedback. Thank you.
>>
>>
>> --
>>  _
>> °v°   Daniel Maher
>> /(_)\  Administrateur Système Unix
>> ^ ^   Unix System Administrator
>>
>> "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007.
>>
>>
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.0 (Build 214)
> Charset: ISO-8859-1
>
> wj8DBQFGMQDoEfZZRxQVtlQRAn24AKDvOTrRWjRHvomuAo1wlm7JMNJPggCeLqiR
> q21vz1UsL5M/xdrS0QwU/9w=
> =P6hp
> -----END PGP SIGNATURE-----
>
>

--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rich.vcf
Type: text/x-vcard
Size: 296 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070426/59173655/rich.vcf

From ssilva at sgvwater.com Thu Apr 26 22:00:18 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Apr 26 22:00:39 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <46310182.8010905@ecs.soton.ac.uk>
References: <989725.51785.qm@web33303.mail.mud.yahoo.com> <462F2558.3060802@ecs.soton.ac.uk> <46310182.8010905@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 4/26/2007 12:46 PM:
>
>
> Scott Silva wrote:
>>>> Are there any instructions on installing clamavmodule?
>>>>
>>> Install the easy-to-use ClamAV+SA package on www.mailscanner.info. Dead
>>> simple.
>>>
>>>> If that fixes the load problem I'll be happy to do it.
>>>>
>> Anybody have any commandline tests for clamavmodule? I have a system that it
>> isn't working on since the last upgrade.
>
> Have you upgraded the Mail::ClamAV module as well to 0.20?;
>
> Jules
>
Yes. I ran your tarball and didn't see any errors. I will have to try again and watch closer.
Will install.sh >textfile capture the logs, or will I need to redirect?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From am.lists at gmail.com Thu Apr 26 22:07:00 2007
From: am.lists at gmail.com (am.lists)
Date: Thu Apr 26 22:07:02 2007
Subject: joe-jobbed, block 'undeliverable' messages?
In-Reply-To: <4630E1ED.80900@fractalweb.com>
References: <462FF36D.5020608@fractalweb.com> <25a66d840704252111q736d3c35lf13afedd35890242@mail.gmail.com> <4630E1ED.80900@fractalweb.com>
Message-ID: <25a66d840704261407q4c4d3c1bu8338f4b48bf0394a@mail.gmail.com>

On 4/26/07, Chris Yuzik wrote:
> am.lists wrote:
> > Typically, these joe-jobs are from non-existing email addresses (e.g.
> > asdfasdf at victimdomain.tld). When the non-delivery report is
> > returned, it's attempted to be sent to that address, which doesn't
> > exist. If you were using Postfix, you could use
> > reject_unverified_recipient in the smtpd_recipient_restrictions
> > section of main.cf.
> >
> > This way, you'd flat out reject any message to asdfasdf at the MTA,
> > keeping your MailScanner from never even seeing it.
> >
> > If you think this might work for you (e.g. you are using Postfix) I can give
> > you more info about my particular setup (there's a little more to it
> > than that one line).
> Angelo,
>
> Thanks for the response, but unfortunately, this one was people's real
> email addresses (several of them) that were joe-jobbed. The web designer
> thought it would be a "good idea" to have a company directory and post
> everyone's email addresses for this domain on the company's website and
> did so in plain text using the <a href="mailto:dave@exampledomain.com">dave@exampledomain.com</a> format,
> without even attempting to obfuscate the links. He's been appropriately
> whipped by management.
>
> Thanks though.
>
> Chris
>

Wow, this should be a crime punishable by death. I'm sorry to hear that you have to deal with such a situation.

Looking back through, I think you're a sendmail guy anyway, and as the other potentates say, Milter-null is a good solution.

Angelo

From dave.list at pixelhammer.com Thu Apr 26 22:06:19 2007
From: dave.list at pixelhammer.com (DAve)
Date: Thu Apr 26 22:07:17 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <46310B16.50603@mail.wvnet.edu>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org> <463100D8.4040706@ecs.soton.ac.uk> <46310B16.50603@mail.wvnet.edu>
Message-ID: <4631144B.40108@pixelhammer.com>

Richard Lynch wrote:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> What's wrong with just using clamavmodule? You need to use
>> Mail::ClamAV 0.20 with ClamAV 0.90 and later, which is all included in
>> my ClamAV+SA package.
>>
>> I don't understand the sudden rush to clamd at all. Can someone
>> explain to me please?
>>
>> Jules.
>>
> The only advantage I see is that it's all maintained by a single
> source. That is, the ClamAV team maintains clamd and clamdscan
> together. There's no third party perl package that may not be up to
> date. I don't know if there's a performance improvement one way or the
> other. It's conceivable that clamdscan/clamd performs better in a
> multiprocessor environment by spreading the load across other
> processors. It's just as possible that the overhead of the
> communications between the two costs too much to justify doing it that way.
>
> I would probably suggest that clamdscan/clamd always be used instead of
> just clamscan. From what I've seen using clamscan alone is the worst
> possible case performance wise.
>
> Rich

I can't disagree with that but I can say performance is not unreasonable using clamscan. Messages for us take from 2 to 6 seconds to process in batches from 1 to 4 messages. We stop most of our messages long before they ever hit AV scanning. Not using clamdscan or clamavmodule leaves us with one less process to monitor on our MS servers, and changes/updates made by the ClamAV team have never adversely affected us (so far...).

We may move up to clamdscan or clamavmodule in the near future when we upgrade the MS servers, but right now I can see no compelling reason to do so. I tend to always favor stability over performance, and I abhor surprises on Monday mornings. Call me a Luddite, but new ain't always better.

Also, it's not like we don't process a few connections either, here are a single days stats for one of our servers.

Rejected by Greylisting   196,047
Blocked for Pipelining     11,072
Blocked for RFC            18,528
Blocked for RBL            94,857
Blocked for Bad Sender      2,746
Blocked for No Account     12,000
Found Spam Message         18,778
Messages Delivered         33,840

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From daniel.maher at ubisoft.com Thu Apr 26 22:08:47 2007
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Thu Apr 26 22:08:51 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <463100D8.4040706@ecs.soton.ac.uk>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204CD35BF@UBIMAIL1.ubisoft.org>

> What's wrong with just using clamavmodule? You need to use Mail::ClamAV
> 0.20 with ClamAV 0.90 and later, which is all included in my ClamAV+SA
> package.
>
> I don't understand the sudden rush to clamd at all. Can someone explain
> to me please?
>
> Jules.
>

Hello,

While I certainly cannot speak for everybody who is using clamd, my reason for going this route is simple: I don't want to deal with the Mail::ClamAV module. Period.

Having to update it via CPAN is a bit of a pain. We have our own distribution which we use internally, and running CPAN _at all_ basically breaks every rule we have concerning package management and maintenance; therefore, if I can avoid doing it, I will.

There's also the peace of mind in knowing that if the clam package is updated, I don't have to worry about a newly deprecated Perl module preventing me from scanning mail - a situation for which there is relatively recent precedent.

A happy side-effect of using clamd, in my personal experience today, has been reduced resource utilisation - beyond even that of clamavmodule(!).

Of course, I'd never be so bold as to suggest that clamd is "the way it should be"; but for my environment specifically, it's the better of the three clam-related options.

--
 _
°v°   Daniel Maher
/(_)\  Administrateur Système Unix
^ ^   Unix System Administrator

"How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007.

From rich at mail.wvnet.edu Thu Apr 26 22:26:05 2007
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Thu Apr 26 22:26:09 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <4631144B.40108@pixelhammer.com>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org> <463100D8.4040706@ecs.soton.ac.uk> <46310B16.50603@mail.wvnet.edu> <4631144B.40108@pixelhammer.com>
Message-ID: <463118ED.4090405@mail.wvnet.edu>

DAve wrote:
> Richard Lynch wrote:
>> Julian Field wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> What's wrong with just using clamavmodule? You need to use
>>> Mail::ClamAV 0.20 with ClamAV 0.90 and later, which is all included
>>> in my ClamAV+SA package.
>>>
>>> I don't understand the sudden rush to clamd at all. Can someone
>>> explain to me please?
>>>
>>> Jules.
>>>
>> The only advantage I see is that it's all maintained by a single
>> source. That is, the ClamAV team maintains clamd and clamdscan
>> together. There's no third party perl package that may not be up to
>> date. I don't know if there's a performance improvement one way or
>> the other. It's conceivable that clamdscan/clamd performs better in
>> a multiprocessor environment by spreading the load across other
>> processors. It's just as possible that the overhead of the
>> communications between the two costs too much to justify doing it
>> that way.
>>
>> I would probably suggest that clamdscan/clamd always be used instead
>> of just clamscan. From what I've seen using clamscan alone is the
>> worst possible case performance wise.
>>
>> Rich
>
> I can't disagree with that but I can say performance is not
> unreasonable using clamscan. Messages for us take from 2 to 6 seconds
> to process in batches from 1 to 4 messages. We stop most of our
> messages long before they ever hit AV scanning. Not using clamdscan or
> clamavmodule leaves us with one less process to monitor on our MS
> servers, and changes/updates made by the ClamAV team have never
> adversely affected us (so far...).
>
> We may move up to clamdscan or clamavmodule in the near future when we
> upgrade the MS servers, but right now I can see no compelling reason
> to do so. I tend to always favor stability over performance, and I
> abhor surprises on Monday mornings. Call me a Luddite, but new ain't
> always better.
>
> Also, it's not like we don't process a few connections either, here
> are a single days stats for one of our servers.
>
> Rejected by Greylisting   196,047
> Blocked for Pipelining     11,072
> Blocked for RFC            18,528
> Blocked for RBL            94,857
> Blocked for Bad Sender      2,746
> Blocked for No Account     12,000
> Found Spam Message         18,778
> Messages Delivered         33,840
>
> DAve
>
>
I understand completely. I'm sure that for many the clamscan approach is satisfactory -- clean and simple. My situation is such that I can't use clamscan at all. We process nearly 2 million messages per day and clamscan can't keep up. If we want to use ClamAV at all then clamavmodule is our only choice. In a high volume environment small performance improvements make huge differences overall.

~rich

--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rich.vcf
Type: text/x-vcard
Size: 296 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070426/3bdadca8/rich.vcf

From jtm.koekkoek at home.nl Thu Apr 26 23:47:43 2007
From: jtm.koekkoek at home.nl (Jeroen Koekkoek)
Date: Thu Apr 26 23:48:34 2007
Subject: User Preferences
In-Reply-To:
References:
Message-ID: <003001c78854$e7193dd0$b54bb970$@koekkoek@home.nl>

Hi

Wouldn't it just be easier to use LDAP with MailScanner? You could just write a PHP script to update the LDAP tree, I believe MailScanner itself uses a pretty clever way of checking for modifications. Of course if using MySQL is a requirement you should update MailScanner :) to support it.

If you continue to use the method you described you should implement a priority column, MailScanner goes through the rules and uses the first one it finds. Because of this it's very important to use the following order:

local_part@domain.tld
@domain.tld
default

Please correct me if I'm wrong.

Also it would be nice if someone released a MailScanner PHP class that can be included and takes care of automatically determining in what order to place the rules.

Kind Regards,
Jeroen Koekkoek

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Houselander Sent: Thursday, April 26, 2007 1:44 PM To: MailScanner discussion Subject: User Preferences Hi Im just trying to spec out a web interface im going to put together to allow editing/amending of various MailScanner preferences. At the moment ive got a basic PHP setup that writes info to a Mysql DB. At 5 minute intervals a perl script connects to the DB checks for any changes and rewrites the ruleset files. So for example in MailScanner.conf I have Virus Scanning = %rules-dir%/virus.scanning.rules I have a Mysql table with columns Direction Domain Value With values like - FromOrTo --- example.com --- yes My perl script just loops round all the values and writes the flat file "virus.scanning.rules" - changes take affect based on the MailScanner.conf "Restart Every" directive. This kind of worked ok with 1 MailScanner server but ive now introduced another for load balancing/resilience and wanted to put together a more sophisticated system. I was intending writing custom functions for all my rulesets by following the examples in /usr/lib/MailScanner/MailScanner/CustomFunctions/ and also the SQLSpamSettings.pm and SQLBlackWhiteList.pm done for the mailwatch project. I would consider myself very much an amatuer programmer and was looking for opinions and advice on the following:- - Would there be much performance impact on using Custom Functions that read from a (potentially remote) database, rather than a flat file on the system? I can see myself writing custom functions for quite a number of the MailScanner.conf directives - Any problems using LDAP instead of Mysql? The reason im thinking of LDAP was im looking to move all my sendmail routing info to LDAP and would be nice to just maintain 1 system? Any advice appreciated. Kind Regards Paul -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070427/488e8d59/attachment.html From seamus at rheelweb.co.nz Thu Apr 26 23:51:00 2007 From: seamus at rheelweb.co.nz (Seamus Allan) Date: Thu Apr 26 23:49:42 2007 Subject: Slow batch processing In-Reply-To: <4630CCE7.6050908@dido.ca> Message-ID: <003601c78855$5c219190$5e01a8c0@seamoose> I found when I was running up a new MailScanner install on a machine with dual cpu's and not much ram, that my MailScanner processes just became defunct after a while. I could slow the process down by decreasing things like no. of children and the like, but the problem was instantly solved when I bumped the ram up. (We had some on order). Seamus Allan Network Engineer Rheel Electronics Ltd -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin Sent: Friday, 27 April 2007 4:02 a.m. To: MailScanner discussion Subject: Re: Slow batch processing If i kill -9 all processes i see in a PS and then run check_mailscanner i see it come up in the logs and it starts processing .... Apr 26 12:04:33 peter MailScanner[9079]: MailScanner E-Mail Virus Scanner version 4.53.3 starting... Apr 26 12:04:33 peter MailScanner[9079]: Read 764 hostnames from the phishing whitelist Apr 26 12:04:34 peter MailScanner[9079]: Using SpamAssassin results cache Apr 26 12:04:34 peter MailScanner[9079]: Connected to SpamAssassin cache database Apr 26 12:04:34 peter MailScanner[9079]: Expired 203 records from the SpamAssassin cache Apr 26 12:04:34 peter MailScanner[9079]: Enabling SpamAssassin auto-whitelist functionality... Apr 26 12:04:39 peter MailScanner[9079]: I have found clamavmodule scanners installed, and will use them all by default. Apr 26 12:04:42 peter MailScanner[9079]: Using locktype = flock Apr 26 12:04:42 peter MailScanner[9079]: New Batch: Found 269 messages waiting Apr 26 12:04:42 peter MailScanner[9079]: New Batch: Scanning 30 messages, 1090577 bytes Apr 26 12:04:42 peter MailScanner[9079]: Spam Checks: Starting Any ideas as to why it gets stuck? or dies? Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 Edward Prendergast wrote: > How many MailScanner processes are you running? What hardware are you on? > How many messages do you process a day on average? > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> Sent: 26 April 2007 16:11
> To: MailScanner discussion
> Subject: Slow batch processing
>
> Hello all, it seems MS takes about 488 seconds to process a batch of 30
> messages, do not know why it's taking long now... I removed one of the
> RBLs to speed it up
>
> I have a backup of emails now... any idea.....???
>
> I am running the latest MS
>
> Thanks....
>
>

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From jtm.koekkoek at home.nl Fri Apr 27 00:04:31 2007
From: jtm.koekkoek at home.nl (Jeroen Koekkoek)
Date: Fri Apr 27 00:05:23 2007
Subject: FW: User Preferences
Message-ID: <003b01c78857$3fa7ead0$bef7c070$@koekkoek@home.nl>

Hi

Wouldn't it just be easier to use LDAP with MailScanner? You could just write a PHP script to update the LDAP tree, I believe MailScanner itself uses a pretty clever way of checking for modifications. Of course if using MySQL is a requirement you should update MailScanner :) to support it.

If you continue to use the method you described you should implement a priority column, MailScanner goes through the rules and uses the first one it finds. Because of this it's very important to use the following order:

local_part@domain.tld
@domain.tld
default

Please correct me if I'm wrong.

Also it would be nice if someone released a MailScanner PHP class that can be included and takes care of automatically determining in what order to place the rules.

Kind Regards,
Jeroen Koekkoek

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Houselander Sent: Thursday, April 26, 2007 1:44 PM To: MailScanner discussion Subject: User Preferences Hi Im just trying to spec out a web interface im going to put together to allow editing/amending of various MailScanner preferences. At the moment ive got a basic PHP setup that writes info to a Mysql DB. At 5 minute intervals a perl script connects to the DB checks for any changes and rewrites the ruleset files. So for example in MailScanner.conf I have Virus Scanning = %rules-dir%/virus.scanning.rules I have a Mysql table with columns Direction Domain Value With values like - FromOrTo --- example.com --- yes My perl script just loops round all the values and writes the flat file "virus.scanning.rules" - changes take affect based on the MailScanner.conf "Restart Every" directive. This kind of worked ok with 1 MailScanner server but ive now introduced another for load balancing/resilience and wanted to put together a more sophisticated system. I was intending writing custom functions for all my rulesets by following the examples in /usr/lib/MailScanner/MailScanner/CustomFunctions/ and also the SQLSpamSettings.pm and SQLBlackWhiteList.pm done for the mailwatch project. I would consider myself very much an amatuer programmer and was looking for opinions and advice on the following:- - Would there be much performance impact on using Custom Functions that read from a (potentially remote) database, rather than a flat file on the system? I can see myself writing custom functions for quite a number of the MailScanner.conf directives - Any problems using LDAP instead of Mysql? The reason im thinking of LDAP was im looking to move all my sendmail routing info to LDAP and would be nice to just maintain 1 system? Any advice appreciated. Kind Regards Paul From steve.swaney at fsl.com Fri Apr 27 00:09:23 2007 
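Added example, not part of any list message and not MailScanner or MailWatch code: one way to apply the ordering Jeroen describes when the ruleset file is regenerated from database rows, as in Paul's setup. The matcher is a simplified model, and the row values, the `fallback` default and the single-token pattern check are assumptions made for the illustration.

```python
"""Order per-user/per-domain preference rows for a first-match ruleset.

Added example: the matcher is a simplified model, not MailScanner's own code.
"""
import os
import tempfile

DIRECTIONS = {"From:", "To:", "FromOrTo:"}   # directions modelled in this example


def specificity(pattern):
    """0 = full address, 1 = whole domain, 2 = the catch-all 'default'."""
    if pattern.lower() == "default":
        return 2
    local, at, _domain = pattern.rpartition("@")
    return 0 if at and local not in ("", "*") else 1


def validate(direction, pattern, value):
    """Refuse rows that would break the flat file or smuggle in extra rules."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    if not pattern or any(ch.isspace() for ch in pattern):
        raise ValueError(f"unsafe pattern {pattern!r}")
    if not value or "\n" in value or "\r" in value:
        raise ValueError(f"unsafe value {value!r}")


def order_rules(rows, fallback="yes"):
    """Most specific rules first, exactly one 'default' rule last."""
    seen, cleaned = set(), []
    for direction, pattern, value in rows:
        validate(direction, pattern, value)
        key = (direction, pattern.lower())
        if key not in seen:               # first row for a key wins
            seen.add(key)
            cleaned.append((direction, pattern.lower(), value))
    specific = sorted((r for r in cleaned if specificity(r[1]) < 2),
                      key=lambda r: specificity(r[1]))      # stable sort
    defaults = [r for r in cleaned if specificity(r[1]) == 2]
    return specific + [defaults[0] if defaults else ("FromOrTo:", "default", fallback)]


def render(rules):
    """One rule per line: direction, pattern, value."""
    return "".join(f"{d}\t{p}\t{v}\n" for d, p, v in rules)


def matches(pattern, address):
    """Simplified matching: exact address, whole domain, or 'default'."""
    address = address.lower()
    if pattern == "default":
        return True
    if "@" in pattern and not pattern.startswith(("@", "*@")):
        return address == pattern
    return address.rpartition("@")[2] == pattern.rpartition("@")[2]


def first_match(rules, sender, recipient):
    """Return the value of the first rule that applies, as a first-match scan would."""
    for direction, pattern, value in rules:
        who = {"From:": [sender], "To:": [recipient],
               "FromOrTo:": [sender, recipient]}[direction]
        if any(matches(pattern.lower(), a) for a in who):
            return value
    return None


def write_atomically(path, text):
    """Temp file + rename, so a scanner never reads a half-written ruleset."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed rows, in the arbitrary order a database might return them.
ROWS = [
    ("FromOrTo:", "default", "yes"),
    ("FromOrTo:", "example.com", "yes"),
    ("To:", "alice@example.com", "no"),
    ("FromOrTo:", "@example.org", "no"),
]

if __name__ == "__main__":
    print(render(order_rules(ROWS)), end="")
    print("unordered:", first_match(ROWS, "bob@elsewhere.test", "alice@example.com"))
    print("ordered:  ", first_match(order_rules(ROWS), "bob@elsewhere.test", "alice@example.com"))
```

With the rows left in database order the `default` line shadows every other rule; after ordering, the per-address rule is reached first. The validation step matters because the fields come from a web form: a pattern containing whitespace or a newline would otherwise write extra rules into the file.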
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Apr 27 00:09:29 2007
Subject: Off topic - Slow batch processing
In-Reply-To: <003601c78855$5c219190$5e01a8c0@seamoose>
References: <4630CCE7.6050908@dido.ca> <003601c78855$5c219190$5e01a8c0@seamoose>
Message-ID: <005601c78857$edd4d870$c97e8950$@swaney@fsl.com>

> I found when I was running up a new MailScanner install on a machine
> with
> dual cpu's and not much ram, that my MailScanner processes just became
> defunct after a while. I could slow the process down by decreasing
> things
> like no. of children and the like, but the problem was instantly solved
> when
> I bumped the ram up. (We had some on order).
>
> Seamus Allan
> Network Engineer
> Rheel Electronics Ltd

This reminds me of a story that is way off topic but some of you might need a laff today.

Many years ago I worked for a large NY firm that had an overseas office. The overseas office started having problems with Sybase servers running slowly. The Sybase experts? were called in and could not resolve the problem. After a little over 30 days! someone noticed that there was very little memory in the systems.

A check of the data center access records, system reboots and data center cameras showed that a contractor had been systematically removing memory from many systems for a LONG time. A check of the contractor's apartment found a lot of memory and other kibbles and bits :(

Sometimes it's not always a configuration or application problem :)

Best regards,

Steve

Steve Swaney
steve@fsl.com

From ssilva at sgvwater.com Fri Apr 27 00:23:37 2007
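Added example, not part of any list message: a small checker for the symptom Rob Morin reported in this thread (a batch of 30 messages taking about 488 seconds, then a child that stops logging), using only the log line shapes shown in his excerpt. The sample lines are constructed; the 120-second threshold, the year, and treating the gap between two "New Batch: Scanning" lines from one PID as the batch time (reasonable only while there is a backlog) are assumptions.

```python
"""Flag slow and stalled MailScanner batches from syslog lines (added example)."""
import re
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SCANNING = re.compile(r"^New Batch: Scanning (\d+) messages?, (\d+) bytes")


def parse(line, year):
    """Return (timestamp, pid, message) or None for lines from other programs."""
    m = LINE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, int(m["pid"]), m["msg"]


def analyze(lines, threshold=120, year=2007):
    """Return findings as (kind, pid, messages in batch, seconds)."""
    open_batch = {}          # pid -> (start time, message count)
    findings = []
    last_seen = None
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        when, pid, msg = rec
        last_seen = when if last_seen is None else max(last_seen, when)
        if msg.endswith("starting..."):
            open_batch.pop(pid, None)      # fresh process, possibly a reused PID
            continue
        hit = SCANNING.match(msg)
        if not hit:
            continue
        if pid in open_batch:              # previous batch of this child is done
            start, count = open_batch[pid]
            took = int((when - start).total_seconds())
            if took > threshold:
                findings.append(("slow", pid, count, took))
        open_batch[pid] = (when, int(hit[1]))
    # A batch still open long after the newest log line suggests a hung child.
    for pid, (start, count) in sorted(open_batch.items()):
        waited = int((last_seen - start).total_seconds())
        if waited > threshold:
            findings.append(("stalled", pid, count, waited))
    return findings


# Constructed sample in the format of the excerpt posted to the list.
SAMPLE = """\
Apr 26 12:04:33 peter MailScanner[9079]: MailScanner E-Mail Virus Scanner version 4.53.3 starting...
Apr 26 12:04:42 peter MailScanner[9079]: New Batch: Found 269 messages waiting
Apr 26 12:04:42 peter MailScanner[9079]: New Batch: Scanning 30 messages, 1090577 bytes
Apr 26 12:04:42 peter MailScanner[9079]: Spam Checks: Starting
Apr 26 12:12:50 peter MailScanner[9079]: New Batch: Scanning 30 messages, 984112 bytes
Apr 26 12:12:50 peter MailScanner[9079]: Spam Checks: Starting
Apr 26 12:30:30 peter MailScanner[9102]: New Batch: Scanning 30 messages, 402113 bytes
Apr 26 12:30:50 peter MailScanner[9102]: New Batch: Scanning 12 messages, 150022 bytes
Apr 26 12:31:00 peter MailScanner[9102]: Spam Checks: Starting
"""

if __name__ == "__main__":
    for kind, pid, count, seconds in analyze(SAMPLE.splitlines()):
        print(f"{kind}: pid {pid}, batch of {count} messages, {seconds} s")
```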
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Apr 27 00:23:51 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <463118ED.4090405@mail.wvnet.edu> References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org> <463100D8.4040706@ecs.soton.ac.uk> <46310B16.50603@mail.wvnet.edu> <4631144B.40108@pixelhammer.com> <463118ED.4090405@mail.wvnet.edu> Message-ID: Richard Lynch spake the following on 4/26/2007 2:26 PM: > DAve wrote: >> Richard Lynch wrote: >>> Julian Field wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> What's wrong with just using clamavmodule? You need to use >>>> Mail::ClamAV 0.20 with ClamAV 0.90 and later, which is all included >>>> in my ClamAV+SA package. >>>> >>>> I don't understand the sudden rush to clamd at all. Can someone >>>> explain to me please? >>>> >>>> Jules. >>>> >>> The only advantage I see is that it's all maintained by a single >>> source. That is, the ClamAV team maintains clamd and clamdscan >>> together. There's no third party perl package that may not be up to >>> date. I don't know if there's a performance improvement one way or >>> the other. It's conceivable that clamdscan/clamd performs better in >>> a multiprocessor environment by spreading the load across other >>> processors. It's just as possible that the overhead of the >>> communications between the two costs too much to justify doing it >>> that way. >>> >>> I would probably suggest that clamdscan/clamd always be used instead >>> of just clamscan. From what I've seen using clamscan alone is the >>> worst possible case performance wise. >>> >>> Rich >> >> I can't disagree with that but I can say performance is not >> unreasonable using clamscan. Messages for us take from 2 to 6 seconds >> to process in batches from 1 to 4 messages. We stop most of our >> messages long before they ever hit AV scanning. 
Not using clamdscan or >> clamavmodule leaves us with one less process to monitor on our MS >> servers, and changes/updates made by the ClamAV team have never >> adversely affected us (so far...). >> >> We may move up to clamdscan or clamavmodule in the near future when we >> upgrade the MS servers, but right now I can see no compelling reason >> to do so. I tend to always favor stability over performance, and I >> abhor surprises on Monday mornings. Call me a Luddite, but new ain't >> always better. >> >> Also, it's not like we don't process a few connections either, here >> are a single days stats for one of our servers. >> >> Rejected by Greylisting 196,047 >> Blocked for Pipelining 11,072 >> Blocked for RFC 18,528 >> Blocked for RBL 94,857 >> Blocked for Bad Sender 2,746 >> Blocked for No Account 12,000 >> Found Spam Message 18,778 >> Messages Delivered 33,840 >> >> DAve >> >> > I understand completely. I'm sure that for many the clamscan approach > is satisfactory -- clean and simple. My situation is such that I can't > use clamscan at all. We process nearly 2 million messages per day and > clamscan can't keep up. If we want to use ClamAV at all then > clamavmodule is our only choice. In a high volume environment small > performance improvements make huge differences overall. > > ~rich > Maybe Julian can be convinced to add it as an option. The patches are already out there, and when he gets to feeling better, maybe a quick scan to see if it will break something, and then off to SVN. What is one more option to the dozen supported virus scanning solutions. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mgt at stellarcore.net Fri Apr 27 03:25:06 2007 
From: mgt at stellarcore.net (Mike Tremaine)
Date: Fri Apr 27 03:25:13 2007
Subject: Corrupt SpamAssassin Cache
Message-ID: <46315F02.4010907@stellarcore.net>

Just FYI, I had a corrupt SpamAssassin.db.cache file that made the entire MailScanner stack slow down to a crawl. The only warning that this was going on was the occasional

database is locked(5) at dbdimp.c line 398

Once I figured out what was going on, removed the bad cache and restarted the stack, everything was good.

-Mike

From bilias at edu.physics.uoc.gr Fri Apr 27 07:29:25 2007
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Fri Apr 27 07:29:34 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CD35BF@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CD35BF@UBIMAIL1.ubisoft.org>
Message-ID:

On Thu, 26 Apr 2007, Daniel Maher wrote:
> ...
>
> There's also the peace of mind in knowing that if the
> clam package is updated, I don't have to worry about a
> newly deprecated Perl module preventing me from scanning mail -
> a situation for which there is relatively recent precedent.
> ...
>
> ?v? Daniel Maher

Correct me on this Julian, but if I'm not wrong the perl package is using libclamav. So it's not a matter of being outdated, unless clamav package itself is outdated.

Giannis

From saumya.mehra at in.mghgroup.com Fri Apr 27 08:47:01 2007
From: saumya.mehra at in.mghgroup.com (Saumya Mehra)
Date: Fri Apr 27 08:47:33 2007
Subject: MailScanner sending Blank Emails
Message-ID: <010301c788a0$3d997300$b8cc5900$@mehra@in.mghgroup.com>

Hi:

I have configured and installed the MailScanner with Sendmail but somehow time to time it is sending "Blank Emails to the Users". Any resolution for this..

Regards,
Saumya Mehra

From bilias at edu.physics.uoc.gr Fri Apr 27 09:02:13 2007
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Fri Apr 27 09:02:23 2007
Subject: Disable virus checks for high spam
Message-ID:

I was wondering if there is such an option or a way someone could perform such a tactic (order) in MailScanner.

Searching in the conf file didn't ring any bell.

I believe most of us do not deliver high spam, and either store it or delete it.

We could save a lot of system resources if we didn't scan for virus the mails that are tagged as high spam.

They could be scanned later in case they are released from quarantine.

Giannis

From res at ausics.net Fri Apr 27 09:02:55 2007
From: res at ausics.net (Res)
Date: Fri Apr 27 09:03:05 2007
Subject: sendmail vuln
In-Reply-To: <4630E3D7.5030202@fractalweb.com>
References: <9cc4c72a189cd641acb1987a76a379b4@solidstatelogic.com> <4630E3D7.5030202@fractalweb.com>
Message-ID:

On Thu, 26 Apr 2007, Chris Yuzik wrote:

Chris, yeah managed by part-time wannabes that have no idea what a command line is, in fact probably would not even know what MTA they run anyway, hell they possibly wouldn't even know what an 'MTA' was!

> I bet there are an unbelievable number of servers out there still running
> very old stuff. Pretty much anything where people rent a "dedicated server"
> from an ISP that comes with a friendly gui control panel (ensim, cpanel,
> plesk, etc.) is likely never updated.

--
Cheers
Res

Vote for your favourite MTA at http://polls.ausics.net/v3.php

From martinh at solidstatelogic.com Fri Apr 27 09:13:33 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Apr 27 09:13:57 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <4631144B.40108@pixelhammer.com>
Message-ID: <83009be8a09f8442a7df634bcbc57244@solidstatelogic.com>

Also worth noting is that people who've installed 0.90.2 by hand don't seem to be having the trouble. I had to compile without the pthread support as my O/S doesn't support them and I have no speed issues. Maybe this sudden pthreads implementation in clamav is the cause???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of DAve > Sent: 26 April 2007 22:06 > To: MailScanner discussion > Subject: Re: Upgrade to clamav 0.90.2 makes scanning extremely slow > > Richard Lynch wrote: > > Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> What's wrong with just using clamavmodule? You need to use > >> Mail::ClamAV 0.20 with ClamAV 0.90 and later, which is all included in > >> my ClamAV+SA package. > >> > >> I don't understand the sudden rush to clamd at all. Can someone > >> explain to me please? > >> > >> Jules. > >> > > The only advantage I see is that it's all maintained by a single > > source. That is, the ClamAV team maintains clamd and clamdscan > > together. There's no third party perl package that may not be up to > > date. I don't know if there's a performance improvement one way or the > > other. It's conceivable that clamdscan/clamd performs better in a > > multiprocessor environment by spreading the load across other > > processors. It's just as possible that the overhead of the > > communications between the two costs too much to justify doing it that > way. > > > > I would probably suggest that clamdscan/clamd always be used instead of > > just clamscan. From what I've seen using clamscan alone is the worst > > possible case performance wise. > > > > Rich > > I can't disagree with that but I can say performance is not unreasonable > using clamscan. Messages for us take from 2 to 6 seconds to process in > batches from 1 to 4 messages. We stop most of our messages long before > they ever hit AV scanning. Not using clamdscan or clamavmodule leaves us > with one less process to monitor on our MS servers, and changes/updates > made by the ClamAV team have never adversely affected us (so far...). 
>
> We may move up to clamdscan or clamavmodule in the near future when we
> upgrade the MS servers, but right now I can see no compelling reason to
> do so. I tend to always favor stability over performance, and I abhor
> surprises on Monday mornings. Call me a Luddite, but new ain't always
> better.
>
> Also, it's not like we don't process a few connections either, here are
> a single days stats for one of our servers.
>
> Rejected by Greylisting 196,047
> Blocked for Pipelining 11,072
> Blocked for RFC 18,528
> Blocked for RBL 94,857
> Blocked for Bad Sender 2,746
> Blocked for No Account 12,000
> Found Spam Message 18,778
> Messages Delivered 33,840
>
> DAve
>
>
> --
> Three years now I've asked Google why they don't have a
> logo change for Memorial Day. Why do they choose to do logos
> for other non-international holidays, but nothing for
> Veterans?
>
> Maybe they forgot who made that choice possible.

From list-mailscanner at linguaphone.com Fri Apr 27 09:15:29 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Fri Apr 27 09:15:33 2007
Subject: Disable virus checks for high spam
In-Reply-To:
References:
Message-ID: <1177661729.5136.1.camel@gblades-suse.linguaphone-intranet.co.uk>

On Fri, 2007-04-27 at 09:02, Kapetanakis Giannis wrote:
> I was wondering if there is such an option
> or a way someone could perform such a tactic (order)
> in MailScanner.
>
> Searching in the conf file didn't ring any bell.
>
> I believe most of us do not deliver high spam,
> and either store it or delete it.
>
> We could save a lot of system resources
> if we didn't scan for virus the mails that are tagged
> as high spam.
>
> They could be scanned later incase they are released
> from quarantine.
>
> Giannis

The problem is that to make sure you are protected from viruses you would also have to delete and not quarantine high scoring spam.
This is because messages released from quarantine are normally delivered without further scanning.

From bilias at edu.physics.uoc.gr Fri Apr 27 09:29:45 2007
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Fri Apr 27 09:30:01 2007
Subject: Disable virus checks for high spam
In-Reply-To: <1177661729.5136.1.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <1177661729.5136.1.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID:

On Fri, 27 Apr 2007, Gareth wrote:

> The problem is that to make sure you are protected from viruses you
> would also have to delete and not quarantine high scoring spam.
> This is because messages released from quarantine are normally delivered
> without further scanning.

You are right,

but my incoming mail, 80% is high scored spam and my virus ratio is only 0.2%.

Maybe an ideal solution would be to put a box in front to do spam checks only, then forward it to virus checking machine, then to incoming MX.

I can't afford to have separate systems for virus/spam checking...

Maybe I'll try to use a second IP on an alias interface and bind there a separate postfix/MailScanner to forward from 1 to 2.

That would be fun :)

Giannis

From glenn.steen at gmail.com Fri Apr 27 09:42:30 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 27 09:42:33 2007 Subject: Off topic - Slow batch processing In-Reply-To: <8184822137658927276@unknownmsgid> References: <4630CCE7.6050908@dido.ca> <003601c78855$5c219190$5e01a8c0@seamoose> <8184822137658927276@unknownmsgid> Message-ID: <223f97700704270142l6b1dfd7ak5e82dfbfa53c1071@mail.gmail.com> On 27/04/07, Stephen Swaney wrote: > > I found when I was running up a new MailScanner install on a machine > > with > > dual cpu's and not much ram, that my MailScanner processes just became > > defunct after a while. I could slow the process down by decreasing > > things > > like no. of children and the like, but the problem was instantly solved > > when > > I bumped the ram up. (We had some on order). > > > > Seamus Allan > > Network Engineer > > Rheel Electronics Ltd > > This reminds me of a story that is way off topic but some of you might need > a laff today. > > Many years ago I worked for a large NY firm that had a overseas office. The > overseas office started having a problems with Sybase servers running > slowly. The Sybase experts? were called in and could not resolve the > problem. After a little over 30 days! someone noticed that there was very > little memory in the systems. > > A check the data center access records, system reboots and data center > cameras showed that a contractor had been systematically removing memory > from many systems for LONG time. A check of the contractor's apartment found > a lot of memory and other kibbles and bits :( > > Sometimes it not always a configuration or application problem :) > > Best regards, > > Steve LOL, thanks Steve... Really needed a good start on the day, and that did it:-). Reminds me of a not that distant (approx.7 years) incident where we took a not-that-new server out of storage, for doing some tests, and it just didn't want to boot... Beeped a bit, but never got to begin the POST at all... 
Turned out that there wasn't any CPU under the meticulously replaced cooler... If it had been something nice, one could have understood the act of theft, but IIRC it was some P133 or similar, so why anyone would go to all the trouble... This was back when it took some tinkering to get at the HW, no snap on/off thingies, so the thief had to have been working at it for at least 30-40 minutes... As far as we know, the temp janitor (with keys to go _everywhere_) was the culprit. I've always wondered who does the security check on people like that (janitors, cleaners etc etc:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Apr 27 09:47:59 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Apr 27 09:48:03 2007
Subject: MailScanner sending Blank Emails
In-Reply-To: <-7597288950877807263@unknownmsgid>
References: <-7597288950877807263@unknownmsgid>
Message-ID: <223f97700704270147h19f97ad3n1a7738b923ed46d9@mail.gmail.com>

On 27/04/07, Saumya Mehra wrote:
>
> Hi:
>
> I have configured and installed the MailScanner with Sendmail but somehow
> time to time it is sending "Blank Emails to the Users"? Any resolution for
> this?.
>

What version of Sendmail? If prior to 8.13.x (more or less) you should have "Lock Type" set to flock (in MailScanner.conf)... If more modern, and assuming a relatively up-to-date MailScanner, it should default to posix ... no harm in being explicit though.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From list-mailscanner at linguaphone.com Fri Apr 27 09:55:14 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Fri Apr 27 09:55:19 2007
Subject: Disable virus checks for high spam
In-Reply-To:
References: <1177661729.5136.1.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <1177664114.5135.6.camel@gblades-suse.linguaphone-intranet.co.uk>

On Fri, 2007-04-27 at 09:29, Kapetanakis Giannis wrote:
> On Fri, 27 Apr 2007, Gareth wrote:
>
> > The problem is that to make sure you are protected from viruses you
> > would also have to delete and not quarantine high scoring spam.
> > This is because messages released from quarantine are normally delivered
> > without further scanning.
>
> You are right,
>
> but my incoming mail, 80% is high scored spam
> and my virus ratio is only 0.2%.
>
> Maybe an ideal solution would be to put a box
> in front to do spam checks only, then forward it
> to virus checking machine, then to incoming MX.
>
> I can't afford to have separate systems
> for virus/spam checking...
>
> Maybe I'll try to use a second IP on an alias interface
> and bind there a separate postfix/MailScanner
> to forward from 1 to 2 .
>
> That would be fun :)
>
> Giannis

Just had a look and there may be a way around the quarantine issue.

Normally when you quarantine something you have a rule in 'scan messages#' to skip messages coming from 127.0.0.1 so that messages released are not scanned and quarantined again.
However if you were not to do this but instead set a similar rule in 'spam checks =' any messages released from quarantine would not be spam checked again but would still be passed through the virus scanner and re-quarantined if infected.

I am not sure how to bypass virus scanning for high scoring spam though.

From glenn.steen at gmail.com Fri Apr 27 10:05:06 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 27 10:05:09 2007 Subject: Disable virus checks for high spam In-Reply-To: References: Message-ID: <223f97700704270205u782e49dcrab4c6df799ee713c@mail.gmail.com> On 27/04/07, Kapetanakis Giannis wrote: > > I was wondering if there is such an option > or a way someone could perform such a tactic (order) > in MailScanner. > > Searching in the conf file didn't ring any bell. > > I believe most of us do not deliver high spam, > and either store it or delete it. > > We could save a lot of system resources > if we didn't scan for virus the mails that are tagged > as high spam. > > They could be scanned later incase they are released > from quarantine. > > Giannis Eh, not scanning things destined for the quarantine is the default. You need have set "Keep Spam And MCP Archive Clean = yes", or deliver the message somewhere (perhaps a "forward spam-archive@some.whe.re" in "High Scoring Spam Actions") for it to actually scan things... I truly see no problem here, apart from your local configuration... perhaps:-). Then again, I might be wrong:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From bilias at edu.physics.uoc.gr Fri Apr 27 10:21:15 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Fri Apr 27 10:21:33 2007 Subject: Disable virus checks for high spam In-Reply-To: <223f97700704270205u782e49dcrab4c6df799ee713c@mail.gmail.com> References: <223f97700704270205u782e49dcrab4c6df799ee713c@mail.gmail.com> Message-ID: On Fri, 27 Apr 2007, Glenn Steen wrote: > Eh, not scanning things destined for the quarantine is the default. > You need have set "Keep Spam And MCP Archive Clean = yes", or > deliver > the message somewhere (perhaps a "forward spam-archive@some.whe.re" > in > "High Scoring Spam Actions") for it to actually scan things... > I truly see no problem here, apart from your local configuration... > perhaps:-). > Then again, I might be wrong:-). > > Cheers My config is: High Scoring Spam Actions = store Keep Spam And MCP Archive Clean = no However I don't seem to understand that last option. I have it to 'no' cause "there is small hit in performance", as it listed in the conf. By setting it to yes you don't put viruses in the quarantine? Users cannot release mails from quarantine. I do it through the MailWatch for them. So you're telling me that by default it does NOT scan messages for viruses if I haven't got any deliver/forward rule in actions? Giannis From glenn.steen at gmail.com Fri Apr 27 10:34:25 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 27 10:34:29 2007 Subject: Disable virus checks for high spam In-Reply-To: References: <223f97700704270205u782e49dcrab4c6df799ee713c@mail.gmail.com> Message-ID: <223f97700704270234n627d748aub4cb609bde3e906c@mail.gmail.com> On 27/04/07, Kapetanakis Giannis wrote: > On Fri, 27 Apr 2007, Glenn Steen wrote: > > > Eh, not scanning things destined for the quarantine is the default. > > You need have set "Keep Spam And MCP Archive Clean = yes", or > > deliver > > the message somewhere (perhaps a "forward spam-archive@some.whe.re" > > in > > "High Scoring Spam Actions") for it to actually scan things... > > I truly see no problem here, apart from your local configuration... > > perhaps:-). > > Then again, I might be wrong:-). > > > > Cheers > > My config is: > > High Scoring Spam Actions = store > Keep Spam And MCP Archive Clean = no > > However I don't seem to understand that last option. > I have it to 'no' cause "there is small hit in performance", as > it listed in the conf. By setting it to yes you don't > put viruses in the quarantine? Exactly. Before Jules added that option, you had to forward spam to (an alias leading to) /dev/null to get an approximation of the functionality (Then you got the message in both virus and spam quarantine... With the above setting you just store it once, either in spam _or_ virus quarantine). > Users cannot release mails from quarantine. > I do it through the MailWatch for them. The "problem" is that you generally might whitelist localhost (127.0.0.1) to be able to deliver messages... One can get around that too (just whitelisting for spam etc etc), but that is why some of us thought it a good thing to have (a clean quarantine, that is:-). > So you're telling me that by default > it does NOT scan messages for viruses > if I haven't got any deliver/forward rule in actions? Yes. That is how it has been for as long as I can remember...
I don't recall any changes to this policy, although I might have missed it:-):-)... Don't think I did though;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From bilias at edu.physics.uoc.gr Fri Apr 27 11:02:43 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Fri Apr 27 11:02:54 2007 Subject: Disable virus checks for high spam In-Reply-To: <223f97700704270234n627d748aub4cb609bde3e906c@mail.gmail.com> References: <223f97700704270205u782e49dcrab4c6df799ee713c@mail.gmail.com> <223f97700704270234n627d748aub4cb609bde3e906c@mail.gmail.com> Message-ID: On Fri, 27 Apr 2007, Glenn Steen wrote: >> So you're telling me that by default >> it does NOT scan messages for viruses >> if I haven't got any deliver/forward rule in actions? > > Yes. > That is how it has been for as long as I can remember... I don't > recall any changes to this policy, although I might have missed > it:-):-)... Don't think I did though;-). > > Cheers Well that's good news then :) I wanted an extra option and you're telling me that it's the default :)) Don't mind having a dirty quarantine. Sometimes I get unacceptable attachments, blocked filenames or filetypes, or other non-delivered infections which some times are valid mail and want to be able to release them. Giannis ps. I did a check on the logs for a high spam Apr 27 12:49:49 server MailScanner[26273]: New Batch: Scanning 1 messages, 34221 bytes Apr 27 12:49:52 server MailScanner[26273]: Spam Checks: Found 1 spam messages Apr 27 12:49:52 server MailScanner[26273]: Virus and Content Scanning: Starting Apr 27 12:49:56 server MailScanner[26273]: Logging message 3038F1008A.374C1 to SQL SpamAssassin Score: 36.88 (high enough) It looks like it does scan high scored spam although my conf is Spam Actions = deliver store header "X-Spam-Status: Yes" High Scoring Spam Actions = store Does 'Spam Action' count for high spam as well? From glenn.steen at gmail.com Fri Apr 27 11:16:19 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 27 11:16:25 2007 Subject: Disable virus checks for high spam In-Reply-To: References: <223f97700704270205u782e49dcrab4c6df799ee713c@mail.gmail.com> <223f97700704270234n627d748aub4cb609bde3e906c@mail.gmail.com> Message-ID: <223f97700704270316j48ce2cfbmbf3adcc2a5c7a50b@mail.gmail.com> On 27/04/07, Kapetanakis Giannis wrote: > On Fri, 27 Apr 2007, Glenn Steen wrote: > > >> So you're telling me that by default > >> it does NOT scan messages for viruses > >> if I haven't got any deliver/forward rule in actions? > > > > Yes. > > That is how it has been for as long as I can remember... I don't > > recall any changes to this policy, although I might have missed > > it:-):-)... Don't think I did though;-). > > > > Cheers > > Well that's good news then :) > I wanted an extra option and you're telling me > that it's the default :)) > > Don't mind having a dirty quarantine. > Sometimes I get unacceptable attachments, blocked filenames > or filetypes, or other non-delivered infections which some times > are valid mail and want to be able to release them. > > Giannis > ps. I did a check on the logs for a high spam > > Apr 27 12:49:49 server MailScanner[26273]: > New Batch: Scanning 1 messages, 34221 bytes > Apr 27 12:49:52 server MailScanner[26273]: > Spam Checks: Found 1 spam messages > Apr 27 12:49:52 server MailScanner[26273]: > Virus and Content Scanning: Starting > Apr 27 12:49:56 server MailScanner[26273]: > Logging message 3038F1008A.374C1 to SQL > > SpamAssassin Score: 36.88 (high enough) > > It looks like it does scan high scored spam although my conf is > > Spam Actions = deliver store header "X-Spam-Status: Yes" > High Scoring Spam Actions = store > > Does 'Spam Action' count for high spam as well? It shouldn't. What happens if you run a GTUBE+EICAR message through? 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rcooper at dwford.com Fri Apr 27 11:30:13 2007 From: rcooper at dwford.com (Rick Cooper) Date: Fri Apr 27 11:30:18 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: Message-ID: <00b101c788b7$0ab5d570$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Kapetanakis Giannis > Sent: Friday, April 27, 2007 2:29 AM > To: MailScanner discussion > Subject: RE: Upgrade to clamav 0.90.2 makes scanning extremely slow > > On Thu, 26 Apr 2007, Daniel Maher wrote: > > > ... > > > > There's also the peace of mind in knowing that if the > > clam package is updated, I don't have to worry about a > > newly deprecated Perl module preventing me from scanning mail - > > a situation for which there is relatively recent precedent. > > ... > > > > ?v? Daniel Maher > > Correct me on this Julian, > but if I'm not wrong the perl package > is using libclamav. > > So it's not a matter of being outdated, > unless clamav package itself is outdated. > > Giannis > The last two major upgrades of libclamav resulted in the removal and addition of several symbols used by Mail::ClamAV and these changes were not backward compatible so as to allow for 3d part developers time to modify their software. This brought Mail::ClamAV to a halt until the developer could make the required changes and the time required was measured in weeks in both incidents. Rick From bilias at edu.physics.uoc.gr Fri Apr 27 11:42:18 2007 
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis) Date: Fri Apr 27 11:42:32 2007 Subject: Disable virus checks for high spam In-Reply-To: <223f97700704270316j48ce2cfbmbf3adcc2a5c7a50b@mail.gmail.com> References: <223f97700704270205u782e49dcrab4c6df799ee713c@mail.gmail.com> <223f97700704270234n627d748aub4cb609bde3e906c@mail.gmail.com> <223f97700704270316j48ce2cfbmbf3adcc2a5c7a50b@mail.gmail.com> Message-ID: On Fri, 27 Apr 2007, Glenn Steen wrote: >> Spam Actions = deliver store header "X-Spam-Status: Yes" >> High Scoring Spam Actions = store >> >> Does 'Spam Action' count for high spam as well? > > It shouldn't. > What happens if you run a GTUBE+EICAR message through? > > Cheers Apr 27 13:27:04 server MailScanner[9629]: New Batch: Scanning 1 messages, 1406 bytes Apr 27 13:27:04 server MailScanner[9629]: SpamAssassin cache hit for message 9345310087.1D438 Apr 27 13:27:04 server MailScanner[9629]: Spam Checks: Found 1 spam messages Apr 27 13:27:04 server MailScanner[9629]: Virus and Content Scanning: Starting Apr 27 13:27:08 server MailScanner[9629]: Logging message 9345310087.1D438 to SQL It seems it scans the mail. But you might be right cause I don't see anything about the EICAR virus being detected. If I send EICAR alone, all virus scanners shout in the logs. That Virus and Content Scanning: Starting is somehow misleading. Probably only content checking is done. Take care Giannis From glenn.steen at gmail.com Fri Apr 27 12:25:53 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 27 12:25:56 2007 Subject: Disable virus checks for high spam In-Reply-To: References: <223f97700704270205u782e49dcrab4c6df799ee713c@mail.gmail.com> <223f97700704270234n627d748aub4cb609bde3e906c@mail.gmail.com> <223f97700704270316j48ce2cfbmbf3adcc2a5c7a50b@mail.gmail.com> Message-ID: <223f97700704270425h6266606ob39ee5bbe7ba8106@mail.gmail.com> On 27/04/07, Kapetanakis Giannis wrote: > On Fri, 27 Apr 2007, Glenn Steen wrote: > >> Spam Actions = deliver store header "X-Spam-Status: Yes" > >> High Scoring Spam Actions = store > >> > >> Does 'Spam Action' count for high spam as well? > > > > It shouldn't. > > What happens if you run a GTUBE+EICAR message through? > > > > Cheers > > Apr 27 13:27:04 server MailScanner[9629]: > New Batch: Scanning 1 messages, 1406 bytes > Apr 27 13:27:04 server MailScanner[9629]: > SpamAssassin cache hit for message 9345310087.1D438 > Apr 27 13:27:04 server MailScanner[9629]: > Spam Checks: Found 1 spam messages > Apr 27 13:27:04 server MailScanner[9629]: > Virus and Content Scanning: Starting > Apr 27 13:27:08 server MailScanner[9629]: > Logging message 9345310087.1D438 to SQL > > It seems it scans the mail. > > But you might be right cause I don't see anything about > the EICAR virus being detected. > If I send EICAR alone, all virus scanners shout in the logs. > > That Virus and Content Scanning: Starting > is somehow misleading. Probably only content checking > is done. Indeed. I suspect you should read it more like "Starting ... and CONTENT SCANNING":-). > Take care Always...:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From daniel.maher at ubisoft.com Fri Apr 27 13:19:49 2007 
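Added example, not part of any list message: a Python sketch that groups the MailScanner syslog lines quoted in the thread above into batches and reports what they do and do not prove about virus scanning. The first two batches are the lines posted in the thread; the third batch and the "Virus Scanning: Found ..." wording are constructed assumptions, as are all function and variable names.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# First two batches: log lines quoted in the thread (high-scoring spam, then the
# GTUBE+EICAR test). Third batch: CONSTRUCTED for an EICAR-only message; its
# "Virus Scanning: Found ..." wording is an assumption, not taken from the thread.
SAMPLE_LOG = """\
Apr 27 12:49:49 server MailScanner[26273]: New Batch: Scanning 1 messages, 34221 bytes
Apr 27 12:49:52 server MailScanner[26273]: Spam Checks: Found 1 spam messages
Apr 27 12:49:52 server MailScanner[26273]: Virus and Content Scanning: Starting
Apr 27 12:49:56 server MailScanner[26273]: Logging message 3038F1008A.374C1 to SQL
Apr 27 13:27:04 server MailScanner[9629]: New Batch: Scanning 1 messages, 1406 bytes
Apr 27 13:27:04 server MailScanner[9629]: SpamAssassin cache hit for message 9345310087.1D438
Apr 27 13:27:04 server MailScanner[9629]: Spam Checks: Found 1 spam messages
Apr 27 13:27:04 server MailScanner[9629]: Virus and Content Scanning: Starting
Apr 27 13:27:08 server MailScanner[9629]: Logging message 9345310087.1D438 to SQL
Apr 27 13:40:10 server MailScanner[9700]: New Batch: Scanning 1 messages, 1100 bytes
Apr 27 13:40:10 server MailScanner[9700]: Virus and Content Scanning: Starting
Apr 27 13:40:12 server MailScanner[9700]: Virus Scanning: Found 1 viruses
Apr 27 13:40:13 server MailScanner[9700]: Logging message CONSTRUCTED01.00000 to SQL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NEW_BATCH_RE = re.compile(r"New Batch: Scanning (\d+) messages, (\d+) bytes")
SPAM_RE = re.compile(r"Spam Checks: Found (\d+) spam messages")
LOGGED_RE = re.compile(r"Logging message (\S+) to SQL")
# Assumed wording of a scanner hit; adjust to what your scanners really log.
VIRUS_HIT_RE = re.compile(r"Virus Scanning: .*?[Ff]ound (\d+)")


@dataclass
class Batch:
    pid: int
    start: datetime
    end: datetime
    messages: int
    size: int
    spam: int = 0
    scan_stage_started: bool = False
    virus_hits: int = 0
    ids: list = field(default_factory=list)

    @property
    def seconds(self):
        return int((self.end - self.start).total_seconds())


def parse_batches(text, year=2007):
    """Group MailScanner syslog lines into batches, one open batch per child PID."""
    current, batches = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid, msg = int(m["pid"]), m["msg"]
        new = NEW_BATCH_RE.search(msg)
        if new:
            current[pid] = Batch(pid, ts, ts, int(new[1]), int(new[2]))
            batches.append(current[pid])
            continue
        batch = current.get(pid)
        if batch is None:
            continue  # this batch began before the excerpt
        batch.end = ts
        if (hit := SPAM_RE.search(msg)):
            batch.spam += int(hit[1])
        elif msg.startswith("Virus and Content Scanning: Starting"):
            batch.scan_stage_started = True
        elif (hit := VIRUS_HIT_RE.search(msg)):
            batch.virus_hits += int(hit[1])
        elif (hit := LOGGED_RE.search(msg)):
            batch.ids.append(hit[1])
    return batches


def virus_scan_evidence(batch, known_infected):
    """What the log proves about virus scanning for this batch."""
    if batch.virus_hits:
        return "scanned: scanner hit logged"
    if known_infected:
        # A scanner failure would look the same; check the scanner's own log too.
        return "skipped: known-infected test message produced no hit"
    return "inconclusive: the 'Starting' line covers content checks too"


if __name__ == "__main__":
    for batch, infected in zip(parse_batches(SAMPLE_LOG), [False, True, True]):
        print(batch.pid, batch.ids, f"{batch.seconds}s",
              virus_scan_evidence(batch, infected))
```

Only a message known to carry a test signature, such as the GTUBE+EICAR message suggested in the thread, turns the absence of a scanner hit into evidence; for ordinary high-scoring spam the same log lines stay inconclusive.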
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Fri Apr 27 13:19:52 2007 Subject: Off topic - Slow batch processing In-Reply-To: <005601c78857$edd4d870$c97e8950$@swaney@fsl.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204CD36CC@UBIMAIL1.ubisoft.org> > This reminds me of a story that is way off topic but some of you might > need > a laff today. > > Many years ago I worked for a large NY firm that had a overseas office. > The > overseas office started having a problems with Sybase servers running > slowly. The Sybase experts? were called in and could not resolve the > problem. After a little over 30 days! someone noticed that there was very > little memory in the systems. > > A check the data center access records, system reboots and data center > cameras showed that a contractor had been systematically removing memory > from many systems for LONG time. A check of the contractor's apartment > found > a lot of memory and other kibbles and bits :( > > Sometimes it not always a configuration or application problem :) > > Best regards, Early on in my system administration career, I was brought into an office to determine why their primary fileserver would become intensely slow /at night/. During the day, when "everybody was using it", it ran at a good pace - but at night, when only a handful of satellite offices accessed the data, it operated at a snails pace. Many diagnostics were run and metrics were gathered. For some reason, the CPU would spike about 30 minutes after everybody left for the day, and wouldn't drop again until the first people came back the next morning. Oddly enough, it seemed to exhibit this behaviour ALL day on Sunday as well! Has anybody guessed what it is yet? :) That's right - it was the Windows "pipes" screensaver. Somebody had turned on the maximum number of joints, colours, and pipes; and it ate all of the CPU power just to render the graphics when nobody was around. -- _ ?v? 
Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007. From glenn.steen at gmail.com Fri Apr 27 13:31:55 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 27 13:31:58 2007 Subject: Off topic - Slow batch processing In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CD36CC@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D204CD36CC@UBIMAIL1.ubisoft.org> Message-ID: <223f97700704270531m2b8599e0nec2d0313b3f3ea8d@mail.gmail.com> On 27/04/07, Daniel Maher wrote: > > This reminds me of a story that is way off topic but some of you might > > need > > a laff today. > > > > Many years ago I worked for a large NY firm that had a overseas office. > > The > > overseas office started having a problems with Sybase servers running > > slowly. The Sybase experts? were called in and could not resolve the > > problem. After a little over 30 days! someone noticed that there was very > > little memory in the systems. > > > > A check the data center access records, system reboots and data center > > cameras showed that a contractor had been systematically removing memory > > from many systems for LONG time. A check of the contractor's apartment > > found > > a lot of memory and other kibbles and bits :( > > > > Sometimes it not always a configuration or application problem :) > > > > Best regards, > > Early on in my system administration career, I was brought into an office to determine why their primary fileserver would become intensely slow /at night/. During the day, when "everybody was using it", it ran at a good pace - but at night, when only a handful of satellite offices accessed the data, it operated at a snails pace. > > Many diagnostics were run and metrics were gathered. For some reason, the CPU would spike about 30 minutes after everybody left for the day, and wouldn't drop again until the first people came back the next morning. Oddly enough, it seemed to exhibit this behaviour ALL day on Sunday as well! > > Has anybody guessed what it is yet? :) That's right - it was the Windows "pipes" screensaver. 
Somebody had turned on the maximum number of joints, colours, and pipes; and it ate all of the CPU power just to render the graphics when nobody was around. > That's a classic one... My previous employer's windoze admins had a similar experience with another opengl "screensaver". Guess which Unix-admin laughed his rear end off when they shamefacedly admitted their error....:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From campbell at cnpapers.com Fri Apr 27 13:36:16 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Apr 27 13:36:41 2007 Subject: Corrupt SpamAssassin Cache References: <46315F02.4010907@stellarcore.net> Message-ID: <004b01c788c8$a67d1340$0705000a@ddf5dw71> ----- Original Message ----- From: "Mike Tremaine" To: Sent: Thursday, April 26, 2007 10:25 PM Subject: Corrupt SpamAssassin Cache > > Just FYI, I had a corrupt SpamAssassin.db.cache file that made the entire > MailScanner stack slow down to a crawl. The only warning that this was > going on was the occasional > > database is locked(5) at dbdimp.c line 398 > > Once I figured out what was going on, I removed the bad cache and > restarted the stack, and everything was good. > > -Mike > Mike, Where did this error message show up? Maillog, Messages, ?? Thanks Steve From campbell at cnpapers.com Fri Apr 27 13:55:48 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Apr 27 13:56:12 2007 Subject: sendmail vuln References: <9cc4c72a189cd641acb1987a76a379b4@solidstatelogic.com> <4630E3D7.5030202@fractalweb.com> Message-ID: <00aa01c788cb$60ffbd60$0705000a@ddf5dw71> OK, it's Friday, What's a wannabie? Sounds Australian. Is that one of those things that looks like a 'roo? Steve ----- Original Message -----
From: "Res" To: "MailScanner discussion" Sent: Friday, April 27, 2007 4:02 AM Subject: Re: sendmail vuln > On Thu, 26 Apr 2007, Chris Yuzik wrote: > > > Chris, yeah managed by part-time wannabies that have no idea what a > command line is, in fact probably would not even know what MTA they run > anyway, hell they possible wouldnt even know what an 'MTA' was! > > >> I bet there are an unbelievable number of servers out there still running >> very old stuff. Pretty much anything where people rent a "dedicated >> server" from an ISP that comes with a friendly gui control panel (ensim, >> cpanel, plesk, etc.) is likely never updated. > > > > - -- > > Cheers > Res > > Vote for your favourite MTA at http://polls.ausics.net/v3.php From bart at zokahn.com Fri Apr 27 14:21:56 2007
From: bart at zokahn.com (Bart van den Heuvel) Date: Fri Apr 27 14:21:59 2007 Subject: (conversion possible?) quarantined HAM in queue files In-Reply-To: <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com> <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net> <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com> Message-ID: <53632.145.78.21.6.1177680116.squirrel@grover.zokahn.com> Is there any way to convert these RFC822 files to something useful? I can open them with postcat and that seems to display the file OK. I read somewhere that you can also use postcat to convert the files into eml files or maybe even use a combo of postcat and a mail program to send the files on their way. Any pointers on this? The files are still stuck, I'm afraid... On Thu, April 26, 2007 2:33 pm, Glenn Steen wrote: > On 26/04/07, Drew Marshall wrote: > >> On Thu, April 26, 2007 10:16, Bart van den Heuvel wrote: >> >>> OK, so I can leave the extension out when I copy the queue file. >>> >> >> Well sort of. You shouldn't be copying anything with that extension. If >> you cd /var/spool/MailScanner/quarantine//.<4digits> >> and list the contents, what do you get? >> >> You should see another file just called this is the one to >> change the permissions, owner (If required) and copy to the relevant >> queue. > > True for the "normal" quarantine Drew... But I think Bart is looking > at the spam quarantine, where he just has the queue file (if quarantining > non-queue files, it'd be the RFC822-decoded message in a file named ID>.). So... We're not (hopefully) > completely wrong:-).
> >>> The main problem is that if I requeue the file in the respective >>> queue the message stands there until I do a (in webmin it is also not >>> mentioned as a queued message): >>> >>> postfix check >>> >>> then the file disappears into nothingness, it is never mentioned in >>> any log (/var/log/mail.log) even postfix -vv check never mentions the >>> queue file operation. >> >> The reason the file you are copying will go is that Postfix will >> recreate the hashed queue directories if it detects no mail in the >> queue. The file you have been moving about can't be a queue file (As >> Postfix knows it) or >> it would have been detected and processed. >> > > Hm. Might it actually be an RFC822 file? Easy enough to check with a > regular pager like less, and possibly postcat. ... In which case the advice > about using sendmail (the convenience command) or similar tool would come > into play (from the wiki doc). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se From rich at mail.wvnet.edu Fri Apr 27 14:51:28 2007
From: rich at mail.wvnet.edu (Richard Lynch) Date: Fri Apr 27 14:51:35 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org> <463100D8.4040706@ecs.soton.ac.uk> <46310B16.50603@mail.wvnet.edu> <4631144B.40108@pixelhammer.com> <463118ED.4090405@mail.wvnet.edu> Message-ID: <4631FFE0.8020700@mail.wvnet.edu> Out of curiosity I decided to do a little testing of the performance of the three ClamAV methods: clamscan, clamdscan, and clamavmodule. This is not meant to be a full blown scientific test, merely a quick "rough idea" measurement. I have a directory with over 300 virus infected files in it. Running the three methods shows... clamscan: 11.68 seconds clamdscan: 6.56 seconds clamavmodule: 4.50 seconds Results for clamscan and clamdscan were obtained using the "time" command. Results for clamavmodule were obtained using the perl Time::HiRes module. I had to use that to avoid adding in the time for the initial database load. This is pretty much what I expected. Clamavmodule is the quickest since it doesn't have to load the database on every scan and it calls the ClamAV libraries directly. Clamdscan is next since it doesn't have to load the DB every time but it does have the overhead of the communications with the clamd process. And clamscan is slowest (by a significant margin) since it has to load the database on every batch. So, performance wise, clamavmodule is the best. However, it does have the problem with being kept up to date with ClamAV changes. Clamdscan is a little slower but avoids the problem with development changes in ClamAV. ~rich -- From glenn.steen at gmail.com Fri Apr 27 15:09:29 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 27 15:09:32 2007 Subject: (conversion possible?) quarantined HAM in queue files In-Reply-To: <53632.145.78.21.6.1177680116.squirrel@grover.zokahn.com> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com> <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net> <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com> <53632.145.78.21.6.1177680116.squirrel@grover.zokahn.com> Message-ID: <223f97700704270709m3ed0e1f1o67706c4490a5a15c@mail.gmail.com> On 27/04/07, Bart van den Heuvel wrote: > Is there any way to convert these RFC822 files to something useful? > I can open them with postcat and that seems to display the file OK. > > I read somewhere that you can also use postcat to convert the files into > eml files or maybe even use a combo of postcat and a mail program to send the > files on their way. > > Any pointers on this? The files are still stuck, I'm afraid... If they are indeed the rfc822 file format, then they already are in what you'd call .eml format, more or less. If so, then you can read them with more (or less;-), feed them into sendmail (the command) as detailed in the wiki (I should know this, I wrote that entry;-) ... If you do file /path/to/spam/ what does it say? It should be something like: # file /var/spool/MailScanner/quarantine/20070427/spam/A0613CCB0B.3AA2E /var/spool/MailScanner/quarantine/20070427/spam/A0613CCB0B.3AA2E: RFC 822 mail text # Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Apr 27 15:13:26 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 27 15:13:29 2007 Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow In-Reply-To: <4631FFE0.8020700@mail.wvnet.edu> References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org> <463100D8.4040706@ecs.soton.ac.uk> <46310B16.50603@mail.wvnet.edu> <4631144B.40108@pixelhammer.com> <463118ED.4090405@mail.wvnet.edu> <4631FFE0.8020700@mail.wvnet.edu> Message-ID: <223f97700704270713ubb35fd1q4c8374a9d8fd62b0@mail.gmail.com> On 27/04/07, Richard Lynch wrote: > Out of curiosity I decided to do a little testing of the performance of > the three ClamAV methods: clamscan, clamdscan, and clamavmodule. This > is not meant to be a full blown scientific test, merely a quick "rough > idea" measurement. > > I have a directory with over 300 virus infected files in it. Running > the three methods shows... > > clamscan: 11.68 seconds > > clamdscan: 6.56 seconds > > clamavmodule: 4.50 seconds > > > Results for clamscan and clamdscan were obtained using the "time" > command. Results for clamavmodule were obtained using the perl > Time::HiRes module. I had to use that to avoid adding in the time for > the initial database load. > > > This is pretty much what I expected. Clamavmodule is the quickest since > it doesn't have to load the database on every scan and it calls the > ClamAV libraries directly. Clamdscan is next since it doesn't have to > load the DB every time but it does have the overhead of the > communications with the clamd process. And clamscan is slowest (by a Don't forget the additional fork/exec bit either... Every cycle counts:-). > significant margin) since it has to load the database on every batch. > > So, performance wise, clamavmodule is the best. However, it does have > the problem with being kept up to date with ClamAV changes. Clamdscan > is a little slower but avoids the problem with development changes in > ClamAV.
> Yes, but basically you are showing that Jules is right that there is no real big performance reason to implement clamdscan in MS... Then again, if enough people want it, he'll likely add it just to keep 'em quiet:-):-). ... Once he's well enough, of course. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From bart at zokahn.com Fri Apr 27 15:27:08 2007
From: bart at zokahn.com (Bart van den Heuvel) Date: Fri Apr 27 15:27:14 2007 Subject: (conversion possible?) quarantined HAM in queue files In-Reply-To: <223f97700704270709m3ed0e1f1o67706c4490a5a15c@mail.gmail.com> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com> <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net> <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com> <53632.145.78.21.6.1177680116.squirrel@grover.zokahn.com> <223f97700704270709m3ed0e1f1o67706c4490a5a15c@mail.gmail.com> Message-ID: <37578.145.78.21.6.1177684028.squirrel@grover.zokahn.com> Hmm... luck does not seem to be on my side... If I file the file it states: "data", which does not seem helpful. I just now tried the sendmail < file thing with an alternative recipient but it comes in all messed up. So I guess that this is not an RFC822 format. I wonder what it is then, and if there is any chance of getting the quarantines out. On Fri, April 27, 2007 4:09 pm, Glenn Steen wrote: > On 27/04/07, Bart van den Heuvel wrote: > >> Is there any way to convert these RFC822 files to something useful? I >> can open them with postcat and that seems to display the file OK. >> >> I read somewhere that you can also use postcat to convert the files >> into eml files or maybe even use a combo of postcat and a mail program to >> send the files on their way. >> >> Any pointers on this? The files are still stuck, I'm afraid... >> > > If they are indeed the rfc822 file format, then they already are in > what you'd call .eml format, more or less. If so, then you can read them > with more (or less;-), feed them into sendmail (the command) as detailed > in the wiki (I should know this, I wrote that entry;-) ... If you do file > /path/to/spam/ > what does it say?
It should be something like: # file > /var/spool/MailScanner/quarantine/20070427/spam/A0613CCB0B.3AA2E > /var/spool/MailScanner/quarantine/20070427/spam/A0613CCB0B.3AA2E: RFC > 822 mail text > # > > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se From bart at zokahn.com Fri Apr 27 15:28:56 2007
From: bart at zokahn.com (Bart van den Heuvel) Date: Fri Apr 27 15:28:56 2007 Subject: (conversion possible?) quarantined HAM in queue files In-Reply-To: <223f97700704270709m3ed0e1f1o67706c4490a5a15c@mail.gmail.com> References: <00a801c78785$c40c77a0$0202fea9@zokahnt42> <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com> <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com> <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com> <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com> <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net> <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com> <53632.145.78.21.6.1177680116.squirrel@grover.zokahn.com> <223f97700704270709m3ed0e1f1o67706c4490a5a15c@mail.gmail.com> Message-ID: <39476.145.78.21.6.1177684136.squirrel@grover.zokahn.com> Oh and postcat does display the queue files like they should, at least that's what I think.. On Fri, April 27, 2007 4:09 pm, Glenn Steen wrote: > On 27/04/07, Bart van den Heuvel wrote: > >> Is there any way to convert these RFC822 files to something useful? I >> can open them with postcat and that seems to display the file OK. >> >> I read somewhere that you can also use postcat to convert the files >> into eml files or maybe even use a combo of postcat and a mail program to >> send the files on their way. >> >> Any pointers on this? The files are still stuck, I'm afraid... >> > > If they are indeed the rfc822 file format, then they already are in > what you'd call .eml format, more or less. If so, then you can read them > with more (or less;-), feed them into sendmail (the command) as detailed > in the wiki (I should know this, I wrote that entry;-) ... If you do file > /path/to/spam/ > what does it say?
It should be something like: # file > /var/spool/MailScanner/quarantine/20070427/spam/A0613CCB0B.3AA2E > /var/spool/MailScanner/quarantine/20070427/spam/A0613CCB0B.3AA2E: RFC > 822 mail text > # > > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > Before posting, read http://wiki.mailscanner.info/posting > > > Support MailScanner development - buy the book off the website! > > From daniel.maher at ubisoft.com Fri Apr 27 15:51:53 2007 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Fri Apr 27 15:51:56 2007 Subject: how to block mail where From and To are the same? Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204CD3925@UBIMAIL1.ubisoft.org> Hello all, Lately I have been receiving an increasingly large amount of spam where both the From and To fields are identical (and, of course, forged). The net result is that many of my users appear to be receiving spam from themselves, which is causing some distress amongst the user base. Now, there are a handful of ways to deal with this situation; however, like always, the community probably already knows the best way to block - or at least add SA points to - such spam. I'm using Postfix 2.0 (yes, I know), and the newest MailScanner & SpamAssassin. Thank you all for your comments and suggestions. -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator "How can a man choose between Fresh and Fly? And believe me, there IS a difference." - Crack Stuntman, 2007. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070427/5b867e6b/attachment.html From MailScanner at ecs.soton.ac.uk Fri Apr 27 15:54:00 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 27 15:56:29 2007
Subject: Clamd as scan option [patches included]
In-Reply-To: <462238AD.6000509@stellarcore.net>
References: <462238AD.6000509@stellarcore.net>
Message-ID: <46320E88.90608@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released a beta with this functionality included.

Mike Tremaine wrote:
>
> Overview: So I started thinking about what it would take to get
> clamdscan working with MailScanner. The results are included below.
> First and foremost you must have clamd running, if you run as root
> then you don't have to worry about any permission problems. If you run
> clamd as "clamav" then you need to set
>
> ###### IF YOU ARE RUNNING MAILSCANNER AS ROOT ######
> # You need to set the following in MailScanner.conf so that external
> # unpackers can be used...
> # Incoming Work Group = clamav
> # Incoming Work Permissions = 0640
>
> So that clamd can scan in the directories. Otherwise here goes.
>
> Steps:
>
> 1) Install clamd-wrapper in your MailScanner/lib/ directory
>
> 2) Patch MailScanner/lib/MailScanner/SweepViruses.pm
>
> 3) In MailScanner.conf set
> Virus Scanners = clamd
>
> 4) In virus.scanners.conf set [This is on a Solaris 10 host so do the
> right thing with your OWN PATH Options!]
> clamd /opt/MailScanner/lib/clamd-wrapper /usr/local
>
>
> Notes:
>
> Internally this approach uses most of the clamav [aka clamscan]
> options, if it turns out there are major differences then a new parse
> function can easily be added to SweepViruses.pm, otherwise my biggest
> concern would be what happens if clamd dies, perhaps the clamd-wrapper
> can have some processes/error checking that can restart clamd.
>
> I only tested this out on a development box but it did scan txt zip
> and tar.gz as attachments with no problem. The speed difference is
> pretty good here is an example on my spoolfile [1.77MB]
>
> [root@neutron ~]# clamscan /var/mail/mgt
> /var/mail/mgt: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 108394
> Engine version: 0.90.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 1.77 MB
> Time: 25.755 sec (0 m 25 s)
>
> [root@neutron ~]# clamdscan /var/mail/mgt
> /var/mail/mgt: OK
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Time: 10.260 sec (0 m 10 s)
>
> -Mike
> ------------------------------------------------------------------------
>
> #!/bin/sh
>
> # clamd-wrapper -- invoke ClamAV for use with mailscanner
> #
> # MailScanner - SMTP E-Mail Virus Scanner
> # Copyright (C) 2001 Julian Field
> #
> # $Id: clamd-wrapper 3184 2005-09-28 11:13:40Z jkf $
> #
> # This program is free software; you can redistribute it and/or modify
> # it under the terms of the GNU General Public License as published by
> # the Free Software Foundation; either version 2 of the License, or
> # (at your option) any later version.
> #
> # This program is distributed in the hope that it will be useful,
> # but WITHOUT ANY WARRANTY; without even the implied warranty of
> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> # GNU General Public License for more details.
> #
> # You should have received a copy of the GNU General Public License
> # along with this program; if not, write to the Free Software
> # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> #
> # The author, Julian Field, can be contacted by email at
> # Jules@JulianField.net
> # or by paper mail at
> # Julian Field
> # Dept of Electronics & Computer Science
> # University of Southampton
> # Southampton
> # SO17 1BJ
> # United Kingdom
> #
> #
> ###### IF YOU ARE RUNNING MAILSCANNER AS ROOT ######
> # You need to set the following in MailScanner.conf so that external
> # unpackers can be used...
> # Incoming Work Group = clamav > # Incoming Work Permissions = 0640 > > #ClamUser="clamav" > #ClamGroup="clamav" > > ScanOptions="" > > ClamdScan=$1/bin/clamdscan > shift > > if [ ! -x $ClamdScan ]; then > ClamdScan=/usr/bin/clamdscan > fi > > if [ "x$1" = "x-IsItInstalled" ]; then > [ -x $ClamdScan ] && exit 0 > exit 1 > fi > > # Add this for Solaris users so they can find whoami > PATH=$PATH:/usr/ucb > export PATH > > $ClamdScan $ScanOptions "$@" > > retval=$? > > exit $retval > > > ------------------------------------------------------------------------ > > [root@neutron MailScanner]# diff -u SweepViruses.pm SweepViruses.pm.OLD > --- SweepViruses.pm Sun Apr 15 06:38:56 2007 > +++ SweepViruses.pm.OLD Sat Apr 14 19:19:26 2007 > @@ -301,17 +301,6 @@ > SupportScanning => $S_SUPPORTED, > SupportDisinfect => $S_NONE, > }, > - "clamd" => { > - Name => 'ClamAV', > - Lock => 'ClamAVBusy.lock', > - CommonOptions => '--disable-summary --stdout', > - DisinfectOptions => '', > - ScanOptions => '', > - InitParser => \&InitClamAVParser, > - ProcessOutput => \&ProcessClamAVOutput, > - SupportScanning => $S_SUPPORTED, > - SupportDisinfect => $S_NONE, > - }, > "trend" => { > Name => 'Trend', > Lock => 'TrendBusy.lock', > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) Charset: ISO-8859-1 wj8DBQFGMg8CEfZZRxQVtlQRAno5AKC/amRvxWFhceCpGbNLqMPKePy0OQCdHz8q 2K11bOpvPNS+ugVlx/F11zw= =nVcJ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From bilias at edu.physics.uoc.gr Fri Apr 27 15:58:41 2007 
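Review bot: the unified diff for SweepViruses.pm is reversed. It was produced with "diff -u SweepViruses.pm SweepViruses.pm.OLD", so the new "clamd" entry appears as "-" lines and applying the patch as posted would remove the block rather than add it. Regenerate it as "diff -u SweepViruses.pm.OLD SweepViruses.pm" so the eleven added lines carry "+". The entry also sets Name => 'ClamAV' and Lock => 'ClamAVBusy.lock', names that read as belonging to the clamscan-based scanner; a comment saying whether sharing that lock file is intended would help.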
From: bilias at edu.physics.uoc.gr (Kapetanakis Giannis)
Date: Fri Apr 27 15:58:55 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <223f97700704270713ubb35fd1q4c8374a9d8fd62b0@mail.gmail.com>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>
    <463100D8.4040706@ecs.soton.ac.uk>
    <46310B16.50603@mail.wvnet.edu>
    <4631144B.40108@pixelhammer.com>
    <463118ED.4090405@mail.wvnet.edu>
    <4631FFE0.8020700@mail.wvnet.edu>
    <223f97700704270713ubb35fd1q4c8374a9d8fd62b0@mail.gmail.com>
Message-ID:

On Fri, 27 Apr 2007, Glenn Steen wrote:

> Yes, but basically you are showing that Jules is right that there is
> no real big performance reason to implement clamdscan in MS... Then
> again, if enough people want it, he'll likely add it just to keep
> 'em
> quiet:-):-). ... Once he's well enough, of course.
>
> Cheers

I'm not saying that something is wrong with MailScanner or clamav module,
but as both this list and the clamav list show, a lot of people are
complaining right now about clamscan and its performance since 0.90.2
(not everybody)

This is not a fact yet, since not everyone is experiencing the same
performance downgrade.

Performance downgrade also exists with clamavmodule.
Clamd on the other hand works fast.

This is at least what is going on with my setup.
Maybe it has to do with compilation and pthreads as someone said.
Maybe it is something else. I don't have a clue :)

In the last message I saw, a clamav developer said that they know about
it and that they'll fix it in the next version...

Giannis

From bart at zokahn.com Fri Apr 27 16:05:44 2007
From: bart at zokahn.com (Bart van den Heuvel)
Date: Fri Apr 27 16:05:46 2007
Subject: (Solved) Re: (conversion possible?) quarantined HAM in queue files
In-Reply-To: <39476.145.78.21.6.1177684136.squirrel@grover.zokahn.com>
References: <00a801c78785$c40c77a0$0202fea9@zokahnt42>
    <223f97700704260059xa244936rf22b9da5d71a2e9d@mail.gmail.com>
    <52477.145.78.21.6.1177575036.squirrel@grover.zokahn.com>
    <223f97700704260126x40682067w8b0895fd0352bbbc@mail.gmail.com>
    <53697.145.78.21.6.1177579012.squirrel@grover.zokahn.com>
    <34891.194.70.180.170.1177589534.squirrel@www.technologytiger.net>
    <223f97700704260533p24796c41w8d0775765f75b7e2@mail.gmail.com>
    <53632.145.78.21.6.1177680116.squirrel@grover.zokahn.com>
    <223f97700704270709m3ed0e1f1o67706c4490a5a15c@mail.gmail.com>
    <39476.145.78.21.6.1177684136.squirrel@grover.zokahn.com>
Message-ID: <39755.145.78.21.6.1177686344.squirrel@grover.zokahn.com>

Hi,

Someone from the list supplied me with the info (and some handy work)
needed to clear this problem. I'm sure that he will post the info to the
list when he thinks it is post worthy.

Thanks to you all!

Bart van den Heuvel

On Fri, April 27, 2007 4:28 pm, Bart van den Heuvel wrote:
> Oh and postcat does display the queue files like they should, at least
> that's what I think..
>
>
> On Fri, April 27, 2007 4:09 pm, Glenn Steen wrote:
>
>> On 27/04/07, Bart van den Heuvel wrote:
>>
>>
>>> is there any way to convert these RFC822 files to something useful.
>>> I
>>> can open them with postcat and that seems to display the file ok.
>>>
>>> I read somewhere that you can also use postcat to convert the files
>>> into eml files or maybe even use a combo postcat and a mail program to
>>> send the files on their way.
>>>
>>> Any pointers on this? The files are still stuck I'm afraid...
>>>
>>>
>>
>> If they are indeed the rfc822 file format, then they already are in
>> what you'd call .eml format, more or less. If so, then you can read them
>> with more (or less;-), feed them into sendmail (the command) as
>> detailed in the wiki (I should know this, I wrote that entry;-) ... If
>> you do file /path/to/spam/
>> what does it say? It should be something like: # file
>> /var/spool/MailScanner/quarantine/20070427/spam/A0613CCB0B.3AA2E
>> /var/spool/MailScanner/quarantine/20070427/spam/A0613CCB0B.3AA2E: RFC
>> 822 mail text
>> #
>>
>> Cheers
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Apr 27 16:08:53 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 27 16:11:21 2007
Subject: Announcement: New beta 4.59.2 released
Message-ID: <46321205.1020007@ecs.soton.ac.uk>

Hi folks,

I have just released a new beta 4.59.2 which includes the support for
clamd, using the patches provided earlier on this list.

If you use clamd and are running MailScanner as root (or have not
specified the Run As User at all), then it is vital that you read the
notes just above the "Incoming Work Group" setting in order to get the
ownership and permissions correct so that clamd can read them.

Download as usual from www.mailscanner.info.

Please test this release for me!

The Change Log for 4.59 so far is this:

* New Features and Improvements *
2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9
  layout.
2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd".

* Fixes *
1 Exim fix by Debian Maintainer: Simon Walter.
1 Incoming Work Group not honoured for files with a leading dot in their
  filename. Again, fix by Simon Walter.

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From rich at mail.wvnet.edu Fri Apr 27 16:12:50 2007
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Fri Apr 27 16:12:53 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <223f97700704270713ubb35fd1q4c8374a9d8fd62b0@mail.gmail.com>
References: <1E293D3FF63A3740B10AD5AAD88535D204CA7B46@UBIMAIL1.ubisoft.org>
    <463100D8.4040706@ecs.soton.ac.uk>
    <46310B16.50603@mail.wvnet.edu>
    <4631144B.40108@pixelhammer.com>
    <463118ED.4090405@mail.wvnet.edu>
    <4631FFE0.8020700@mail.wvnet.edu>
    <223f97700704270713ubb35fd1q4c8374a9d8fd62b0@mail.gmail.com>
Message-ID: <463212F2.5030402@mail.wvnet.edu>

Glenn Steen wrote:
> On 27/04/07, Richard Lynch wrote:
>> Out of curiosity I decided to do a little testing of the performance of
>> the three ClamAV methods: clamscan, clamdscan, and clamavmodule. This
>> is not meant to be a full blown scientific test, merely a quick "rough
>> idea" measurement.
>>
>> I have a directory with over 300 virus infected files in it. Running
>> the three methods shows...
>>
>> clamscan: 11.68 seconds
>>
>> clamdscan: 6.56 seconds
>>
>> clamavmodule: 4.50 seconds
>>
>>
>> Results for clamscan and clamdscan were obtained using the "time"
>> command. Results for clamavmodule were obtained using the perl
>> Time::HiRes module. I had to use that to avoid adding in the time for
>> the initial database load.
>>
>>
>> This is pretty much what I expected. Clamavmodule is the quickest since
>> it doesn't have to load the database on every scan and it calls the
>> ClamAV libraries directly. Clamdscan is next since it doesn't have to
>> load the DB every time but it does have the overhead of the
>> communications with the clamd process. And clamscan is slowest (by a
>
> Don't forget the additional fork/exec bit either... Every cycle
> counts:-).
>
>> significant margin) since it has to load the database on every batch.
>>
>> So, performance wise, clamavmodule is the best. However, it does have
>> the problem with being kept up to date with ClamAV changes. Clamdscan
>> is a little slower but avoids the problem with development changes in
>> ClamAV.
>>
> Yes, but basically you are showing that Jules is right that there is
> no real big performance reason to implement clamdscan in MS... Then
> again, if enough people want it, he'll likely add it just to keep 'em
> quiet:-):-). ... Once he's well enough, of course.
>
> Cheers

Yes, Jules is correct from a performance perspective. The issue then
becomes clamavmodule being kept up to date. The question is... "Is the
loss in performance worth the benefit of not being dependent on a third
party package???". I can't answer that. It depends!

From my perspective, clamscan is only worthwhile for low volume setups.
For high volume situations only clamdscan or clamavmodule can keep up.

My 2c.

~rich

From MailScanner at ecs.soton.ac.uk Fri Apr 27 16:25:22 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 27 16:26:48 2007
Subject: how to block mail where From and To are the same?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CD3925@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CD3925@UBIMAIL1.ubisoft.org>
Message-ID: <463215E2.4060402@ecs.soton.ac.uk>

You could do this with a very simple Custom Function. It would just
check to see if
1) There is only 1 recipient
2) The recipient address @{$message->{from}}[0] eq the sender address
$message->{from}.
Don't trust the syntax is 100% accurate, my Perl is a bit rusty due to
my hospital stay.

Quite which configuration option you would attach this to is left as an
exercise for the reader :-)

Jules.

Daniel Maher wrote:
>
> Hello all,
>
> Lately I have been receiving an increasingly large amount of spam
> where both the From and To fields are identical (and, of course,
> forged). The net result is that many of my users appear to be
> receiving spam /from themselves/, which is causing some distress
> amongst the user base.
>
> Now, there are a handful of ways to deal with this situation; however,
> like always, the community probably already knows the best way to
> block - or at least add SA points to - such spam.
>
> I'm using Postfix 2.0 (yes, I know), and the newest MailScanner &
> SpamAssassin. Thank you all for your comments and suggestions.
>
> --
>
>  _
> °v°   Daniel Maher
> /(_)\  Administrateur Système Unix
> ^ ^   Unix System Administrator
>
> //"How can a man choose between Fresh and Fly? And believe me, there
> IS a difference." - Crack Stuntman, 2007.////
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From jan-peter at koopmann.eu Fri Apr 27 16:35:46 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Fri Apr 27 16:33:25 2007
Subject: MailScanner Digest, Vol 16, Issue 38
In-Reply-To:
References: <48a8423663c33244b6cd03e47f3cd057@solidstatelogic.com>
Message-ID:

On Thursday, April 26, 2007 7:15 PM Scott Silva wrote:

>> Are there MailScanner developers besides Julian? :-)
>>
> There are contributors, but Julian is the developer. All additions to
> the official code go through him.
>
> Patches -- That is another matter. You can add or change anything you
> want in "your" copy of the code... The beauty of open source software.

You did notice the ":-)" in my message? Just checking.

From snifer_ at hotmail.com Fri Apr 27 16:40:29 2007
From: snifer_ at hotmail.com (Juan Pablo Salazar Bertín)
Date: Fri Apr 27 16:41:06 2007
Subject: Announcement: New beta 4.59.2 released
References: <46321205.1020007@ecs.soton.ac.uk>
Message-ID:

Julian Field ecs.soton.ac.uk> writes:

>
>
> Hi folks,
>
> I have just released a new beta 4.59.2 which includes the support for
> clamd, using the patches provided earlier on this list.
>
> If you use clamd and are running MailScanner as root (or have not
> specified the Run As User at all), then it is vital that you read the
> notes just above the "Incoming Work Group" setting in order to get the
> ownership and permissions correct so that clamd can read them.
>
> Download as usual from www.mailscanner.info.
>
> Please test this release for me!
>
> The Change Log for 4.59 so far is this:
>
> * New Features and Improvements *
> 2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9
> layout.
> 2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd".
>
> * Fixes *
> 1 Exim fix by Debian Maintainer: Simon Walter.
> 1 Incoming Work Group not honoured for files with a leading dot in their
> filename. Again, fix by Simon Walter.
>
> Jules
>

Hi Julian, I've been trying to find out why some phishing is being
undetected by MailScanner. I think it's due to line 5581 in Message.pm.
I'm receiving phishing like this:

http://www.santandersantiago.cl/canales/empresas/index.asp

So, as they're not using double quotes, MailScanner thinks it's an empty
A tag. I think a better way of guessing if it's an empty A tag would be
to check if href is empty, something like replacing:

  $DisarmInsideLink = 0 if $text =~ /\/\>$/; # JKF Catch /> empty A tags

with:

  $DisarmInsideLink = 0 if $DisarmLinkURL eq ''; # JPSB empty A tags

I've tested this in a development box against some phishing and it works.
I'd like you to tell us if this change doesn't have any drawback, so we
can safely patch production servers, and maybe it's included in this new
version. Thanks.

PS: You can get a sample phishing message at
http://www.divshare.com/download/498395-7da

From chris at bluecobras.com Fri Apr 27 16:40:36 2007
From: chris at bluecobras.com (chris@bluecobras.com)
Date: Fri Apr 27 16:41:30 2007
Subject: Announcement: New beta 4.59.2 released
In-Reply-To: <46321205.1020007@ecs.soton.ac.uk>
References: <46321205.1020007@ecs.soton.ac.uk>
Message-ID: <20070427114036.dyhsyzw4e8cw888s@www.bluecobras.com>

Quoting Julian Field :

> Hi folks,
>
> I have just released a new beta 4.59.2 which includes the support for
> clamd, using the patches provided earlier on this list.
>
> If you use clamd and are running MailScanner as root (or have not
> specified the Run As User at all), then it is vital that you read the
> notes just above the "Incoming Work Group" setting in order to get the
> ownership and permissions correct so that clamd can read them.

Julian, don't push yourself too hard. You've been spending a lot of time
on the list and now a new beta. Take it easy man! :)

From derek at csolve.net Fri Apr 27 16:49:37 2007
From: derek at csolve.net (Derek Buttineau)
Date: Fri Apr 27 16:50:20 2007
Subject: Announcement: New beta 4.59.2 released
In-Reply-To: <46321205.1020007@ecs.soton.ac.uk>
References: <46321205.1020007@ecs.soton.ac.uk>
Message-ID: <7EE67294-02D6-4A05-9545-BCE1CABBDF8E@csolve.net>

On 2007-Apr-27, at 11:08 AM, Julian Field wrote:

> The Change Log for 4.59 so far is this:
>
> * New Features and Improvements *
> 2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9
> layout.
> 2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd".
>
> * Fixes *
> 1 Exim fix by Debian Maintainer: Simon Walter.
> 1 Incoming Work Group not honoured for files with a leading dot in
> their
> filename. Again, fix by Simon Walter.

Hi Jules,

Glad to see you back.

I submitted a patch awhile back to move the Black List check ahead of
the Max Spam Check size (I've included it again), is there any chance of
getting this incorporated with this release? If a user has blacklisted
an address, they shouldn't get mail from that address just because the
sender sent a large e-mail :)

Thanks

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.pm.4.58.9.patch
Type: application/octet-stream
Size: 2021 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070427/bd28ce7c/Message.pm.4.58.9.obj
-------------- next part --------------

--
Regards,

Derek Buttineau
Internet Systems Developer
Compu-SOLVE Internet Services
Compu-SOLVE Technologies, Inc
Phone: 705-725-1212 x255
E-Mail: derek@csolve.net

From MailScanner at ecs.soton.ac.uk Fri Apr 27 18:11:02 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 27 18:13:23 2007
Subject: Announcement: New beta 4.59.2 released
In-Reply-To:
References: <46321205.1020007@ecs.soton.ac.uk>
Message-ID: <46322EA6.8080809@ecs.soton.ac.uk>

Juan Pablo Salazar Bertín wrote:
> Julian Field ecs.soton.ac.uk> writes:
>
>
>> Hi folks,
>>
>> I have just released a new beta 4.59.2 which includes the support for
>> clamd, using the patches provided earlier on this list.
>>
>> If you use clamd and are running MailScanner as root (or have not
>> specified the Run As User at all), then it is vital that you read the
>> notes just above the "Incoming Work Group" setting in order to get the
>> ownership and permissions correct so that clamd can read them.
>>
>> Download as usual from www.mailscanner.info.
>>
>> Please test this release for me!
>>
>> The Change Log for 4.59 so far is this:
>>
>> * New Features and Improvements *
>> 2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9
>> layout.
>> 2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd".
>>
>> * Fixes *
>> 1 Exim fix by Debian Maintainer: Simon Walter.
>> 1 Incoming Work Group not honoured for files with a leading dot in their
>> filename. Again, fix by Simon Walter.
>>
>> Jules
>>
>>
>
>
> Hi Julian, I've been trying to find out why some phishing is being undetected by
> MailScanner. I think it's due to line 5581 in Message.pm. I'm receiving phishing
> like this:
>
> color=blue font size=4>
> http://www.santandersantiago.cl/canales/empresas/index.asp
>
> So, as they're not using double quotes, MailScanner thinks it's an empty A tag.
> I think a better way of guessing if it's an empty A tag would be to check if
> href is empty, something like replacing:
>
>   $DisarmInsideLink = 0 if $text =~ /\/\>$/; # JKF Catch /> empty A tags
>
> with:
>
>   $DisarmInsideLink = 0 if $DisarmLinkURL eq ''; # JPSB empty A tags
>
> I've tested this in a development box against some phishing and it works. I'd
> like you to tell us if this change doesn't have any drawback, so we can safely
> patch production servers, and maybe it's included in this new version. Thanks.
>
> PS: You can get a sample phishing message at
> http://www.divshare.com/download/498395-7da
>
>
I have added your patch and it will be in the next release. I would be
most grateful if other people could test this patch as well!

Thanks.

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Fri Apr 27 18:12:28 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 27 18:13:33 2007
Subject: Announcement: New beta 4.59.2 released
In-Reply-To: <7EE67294-02D6-4A05-9545-BCE1CABBDF8E@csolve.net>
References: <46321205.1020007@ecs.soton.ac.uk>
    <7EE67294-02D6-4A05-9545-BCE1CABBDF8E@csolve.net>
Message-ID: <46322EFC.5020603@ecs.soton.ac.uk>

Derek Buttineau wrote:
> On 2007-Apr-27, at 11:08 AM, Julian Field wrote:
>
>> The Change Log for 4.59 so far is this:
>>
>> * New Features and Improvements *
>> 2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9
>> layout.
>> 2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd".
>>
>> * Fixes *
>> 1 Exim fix by Debian Maintainer: Simon Walter.
>> 1 Incoming Work Group not honoured for files with a leading dot in their
>> filename. Again, fix by Simon Walter.
>
> Hi Jules,
>
> Glad to see you back.
>
> I submitted a patch awhile back to move the Black List check ahead of
> the Max Spam Check size (I've included it again), is there any chance
> of getting this incorporated with this release? If a user has
> blacklisted an address, they shouldn't get mail from that address just
> because the sender sent a large e-mail :)
>
Good point. I have incorporated your patch and it will be in the next
release.

Please can other people test this too?

Thanks.

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From arto.saraniva at artio.net Fri Apr 27 18:15:28 2007
From: arto.saraniva at artio.net (Arto)
Date: Fri Apr 27 19:01:44 2007
Subject: Announcement: New beta 4.59.2 released
In-Reply-To: <46321205.1020007@ecs.soton.ac.uk>
References: <46321205.1020007@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Hi folks,
>
> I have just released a new beta 4.59.2 which includes the support for
> clamd, using the patches provided earlier on this list.
>
> If you use clamd and are running MailScanner as root (or have not
> specified the Run As User at all), then it is vital that you read the
> notes just above the "Incoming Work Group" setting in order to get the
> ownership and permissions correct so that clamd can read them.
>
> Download as usual from www.mailscanner.info.
>
> Please test this release for me!

Apr 27 20:07:38 lambic MailScanner[5454]: Virus scanner "clamd" not
found in virus.scanners.conf file. Please check your spelling in "Virus
Scanners =" line of MailScanner.conf

-arto

From snifer_ at hotmail.com Fri Apr 27 18:10:45 2007
From: snifer_ at hotmail.com (Juan Pablo Salazar Bertín)
Date: Fri Apr 27 19:03:07 2007
Subject: Announcement: New beta 4.59.2 released
References: <46321205.1020007@ecs.soton.ac.uk>
Message-ID:

Juan Pablo Salazar Bertín hotmail.com> writes:

> Hi Julian, I've been trying to find out why some phishing is being undetected by
> MailScanner. I think it's due to line 5581 in Message.pm. I'm receiving phishing
> like this:
>
> color=blue font size=4>
> http://www.santandersantiago.cl/canales/empresas/index.asp
>
> So, as they're not using double quotes, MailScanner thinks it's an empty A tag.
> I think a better way of guessing if it's an empty A tag would be to check if
> href is empty, something like replacing:
>
>   $DisarmInsideLink = 0 if $text =~ /\/\>$/; # JKF Catch /> empty A tags
>
> with:
>
>   $DisarmInsideLink = 0 if $DisarmLinkURL eq ''; # JPSB empty A tags
>
> I've tested this in a development box against some phishing and it works. I'd
> like you to tell us if this change doesn't have any drawback, so we can safely
> patch production servers, and maybe it's included in this new version. Thanks.
>
> PS: You can get a sample phishing message at
> http://www.divshare.com/download/498395-7da
>

In the same file (Message.pm), in line 5889, it should be checked if
we're inside a link. Something like replacing:

  } else {
    # It is not a tag we worry about, so just print the text and continue.
    print $text;
  }

with:

  } elsif ($DisarmInsideLink) {
    # if we're inside a link, we should add the text so we'll have all in order
    $DisarmLinkText .= $text;
  } else {
    # It is not a tag we worry about, so just print the text and continue.
    print $text;
  }

I hope it helps, thanks.

From mgt at stellarcore.net Fri Apr 27 19:28:35 2007
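The empty-A-tag check discussed in this thread, modelled as an added example: this is not MailScanner's Message.pm and not code from any poster. The variable names follow the quoted snippets; `href_of`, `collect_links`, the token stream and the hostnames are constructed assumptions. It shows why a tag-text test for `/>` loses an unquoted link whose URL ends in `/`, so that no URL/text pair ever reaches the phishing comparison.

```perl
#!/usr/bin/perl
# Added illustration: a simplified model of the link tracking discussed in
# this thread, NOT MailScanner's Message.pm. Helper names and sample data
# are assumptions made for this example.
use strict;
use warnings;

# Simplified href extraction from the raw text of a start tag. An unquoted
# attribute value runs up to whitespace or '>', so a trailing '/' is part
# of the URL and not a "/>" tag ending.
sub href_of {
    my ($tag) = @_;
    return $2 if $tag =~ /\bhref\s*=\s*(["'])(.*?)\1/is;   # quoted value
    return $1 if $tag =~ /\bhref\s*=\s*([^\s>"']+)/is;     # unquoted value
    return '';                                             # no href at all
}

# Walk a token stream and return the [URL, link text] pairs that a later
# phishing comparison would get to see. $policy selects the empty-tag test:
#   'tagtext' - leave link state when the tag text ends in "/>"
#   'url'     - leave link state only when no URL was found
sub collect_links {
    my ($policy, @tokens) = @_;
    my ($DisarmInsideLink, $DisarmLinkURL, $DisarmLinkText) = (0, '', '');
    my @pairs;
    for my $text (@tokens) {
        if ($text =~ /^<a\b/i) {                 # <a ...> start tag
            $DisarmInsideLink = 1;
            $DisarmLinkURL    = href_of($text);
            $DisarmLinkText   = '';
            if ($policy eq 'tagtext') {
                $DisarmInsideLink = 0 if $text =~ /\/\>$/;
            } else {
                $DisarmInsideLink = 0 if $DisarmLinkURL eq '';
            }
        } elsif ($text =~ /^<\/a\b/i) {          # </a> end tag
            push @pairs, [$DisarmLinkURL, $DisarmLinkText] if $DisarmInsideLink;
            $DisarmInsideLink = 0;
        } elsif ($DisarmInsideLink) {            # text inside a tracked link
            $DisarmLinkText .= $text;
        }
    }
    return @pairs;
}

# Constructed fragment: the visible text names one site while the unquoted
# href, ending in "/", points at another. Hostnames are placeholders.
my @tokens = (
    '<a href=http://phish.example/login/>',
    'http://www.bank.example/empresas/index.asp',
    '</a>',
    '<a name="top" />',          # a genuinely empty anchor
    'not link text',
);

for my $policy (qw(tagtext url)) {
    my @pairs = collect_links($policy, @tokens);
    printf "%-8s sees %d link(s)\n", $policy, scalar @pairs;
    printf "         url=%s text=%s\n", @$_ for @pairs;
}
```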
From: mgt at stellarcore.net (Mike Tremaine)
Date: Fri Apr 27 19:28:43 2007
Subject: Corrupt SpamAssassin Cache
In-Reply-To: <46315F02.4010907@stellarcore.net>
References: <46315F02.4010907@stellarcore.net>
Message-ID: <463240D3.7050403@stellarcore.net>

>
> Just FYI, I had corrupt SpamAssassin.db.cache file that made the entire
> MailScanner stack slow down to a crawl. The only warning that this was
> going on was the occasional
>
> database is locked(5) at dbdimp.c line 398
>
> Once I figured out what was going on and removed the bad cache and
> restarted the stack and everything was good.
>
> -Mike
>
>
> Mike,
>
> Where did this error message show up? Maillog, Messages, ??
>
> Thanks
>
> Steve

It was in the maillog, looks like

Apr 26 18:52:16 general MailScanner[17284]: database is locked(5) at dbdimp.c line 398

I had 127 of these yesterday before I fixed it. The command

  /usr/sbin/analyze_SpamAssassin_cache

also showed there was a problem. [It froze for a little bit then spit out a
couple errors and then completed. I forgot to save the output, sorry.]

-Mike

From MailScanner at ecs.soton.ac.uk Fri Apr 27 20:22:56 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 27 20:23:26 2007
Subject: Announcement: New beta 4.59.2 released
In-Reply-To:
References: <46321205.1020007@ecs.soton.ac.uk>
Message-ID: <46324D90.2090907@ecs.soton.ac.uk>

Arto wrote:
>
> Apr 27 20:07:38 lambic MailScanner[5454]: Virus scanner "clamd" not
> found in virus.scanners.conf file. Please check your spelling in
> "Virus Scanners =" line of MailScanner.conf

See 4.59.3. Sorry :-(

>
> -arto
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From daniel.maher at ubisoft.com Fri Apr 27 20:25:11 2007
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Fri Apr 27 20:25:15 2007
Subject: how to block mail where From and To are the same?
In-Reply-To: <463215E2.4060402@ecs.soton.ac.uk>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204CD3D07@UBIMAIL1.ubisoft.org>

>
> You could do this with a very simple Custom Function. It would just
> check to see if
> 1) There is only 1 recipient
> 2) The recipient address @{$message->{from}}[0] eq the sender address
> $message->{from}.
>
> Don't trust the syntax is 100% accurate, my Perl is a bit rusty due to
> my hospital stay.
>
> Quite which configuration option you would attach this to is left as an
> exercise for the reader :-)

Thank you for the response!

A wild guess at an appropriate config option would be "Use Custom Spam
Scanner". My question is this: which comes first, SpamAssassin, or Custom
Spam Scanner, in the actual process?

Also, does the reported "score" from Custom Spam Scanner get applied to the
SpamAssassin Score (i.e. for calculating spam actions)? If not, how is the
reported Custom score used by MailScanner in determining an action?

--
Daniel Maher
Unix System Administrator

"How can a man choose between Fresh and Fly? And believe me, there IS a
difference." - Crack Stuntman, 2007.

From steve.freegard at fsl.com Fri Apr 27 20:41:50 2007
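The check sketched in the quoted suggestion above, written out as a MailScanner Custom Function (an added example, not code from the list or from MailScanner). The function name, the use of `$message->{to}` as the recipient list and the `&Name` setting syntax are assumptions; the sketch on the page names only `$message->{from}`, and the sample messages at the bottom are constructed.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's own code. Assumed use: saved with the other
# custom functions and enabled with a setting such as
#   Is Definitely Spam = &SenderIsOnlyRecipient
# ("Is Definitely Spam" is the option suggested later in this thread).
package MailScanner::CustomConfig;

use strict;
use warnings;

# Start-up and shutdown hooks; nothing to set up for this check.
sub InitSenderIsOnlyRecipient { return; }
sub EndSenderIsOnlyRecipient  { return; }

# Reduce an address to a comparable form: strip surrounding whitespace and
# angle brackets, then lower-case it.
sub _normalise_address {
  my ($addr) = @_;
  return '' unless defined $addr;
  $addr =~ s/^\s*<?//;
  $addr =~ s/>?\s*$//;
  return lc $addr;
}

# Return 1 when the message has exactly one recipient and that recipient is
# also the sender, 0 otherwise.
sub SenderIsOnlyRecipient {
  my ($message) = @_;
  return 0 unless ref $message;

  my $to = $message->{to};                       # assumed: array ref of recipients
  return 0 unless ref $to eq 'ARRAY' && @$to == 1;

  my $from = _normalise_address($message->{from});
  return 0 if $from eq '';                       # null sender: a bounce, leave it alone

  return $from eq _normalise_address($to->[0]) ? 1 : 0;
}

# Stand-alone run with constructed messages (skipped when the file is loaded
# by another program).
unless (caller) {
  my @constructed = (
    [ 'same address',        { from => 'user@example.com', to => ['user@example.com'] } ],
    [ 'case and brackets',   { from => 'User@Example.com', to => ['<user@example.com>'] } ],
    [ 'two recipients',      { from => 'user@example.com', to => ['user@example.com', 'other@example.com'] } ],
    [ 'different recipient', { from => 'user@example.com', to => ['other@example.com'] } ],
    [ 'null sender',         { from => '',                 to => ['user@example.com'] } ],
  );
  for my $case (@constructed) {
    printf "%-20s => %d\n", $case->[0], SenderIsOnlyRecipient($case->[1]);
  }
}

1;
```

A user mailing a note to themselves matches as well, so mail from trusted submission hosts needs to be exempted, for example with the IP whitelist rules described later in the thread.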
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Apr 27 20:41:53 2007
Subject: how to block mail where From and To are the same?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CD3D07@UBIMAIL1.ubisoft.org>
References: <463215E2.4060402@ecs.soton.ac.uk> <1E293D3FF63A3740B10AD5AAD88535D204CD3D07@UBIMAIL1.ubisoft.org>
Message-ID: <463251FE.1020303@fsl.com>

Hi Daniel,

Daniel Maher wrote:
>> You could do this with a very simple Custom Function. It would just
>> check to see if
>> 1) There is only 1 recipient
>> 2) The recipient address @{$message->{from}}[0] eq the sender address
>> $message->{from}.
>>
>> Don't trust the syntax is 100% accurate, my Perl is a bit rusty due to
>> my hospital stay.
>>
>> Quite which configuration option you would attach this to is left as an
>> exercise for the reader :-)
>
> Thank you for the response!
>
> A wild guess at an appropriate config option would be "Use Custom Spam Scanner". My question is this: which comes first, SpamAssassin, or Custom Spam Scanner, in the actual process?
>
> Also, does the reported "score" from Custom Spam Scanner get applied to the SpamAssassin Score (i.e. for calculating spam actions)? If not, how is the reported Custom score used by MailScanner in determining an action?
>

Actually - if it were me, I'd put this into the 'Is Definitely Spam' option.
Then the custom function can return true for these messages and they'll
simply be blacklisted.

Much easier than trying to do it elsewhere.

Kind regards,
Steve.

From campbell at cnpapers.com Fri Apr 27 21:06:38 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Apr 27 21:06:45 2007
Subject: how to block mail where From and To are the same?
References: <463215E2.4060402@ecs.soton.ac.uk><1E293D3FF63A3740B10AD5AAD88535D204CD3D07@UBIMAIL1.ubisoft.org> <463251FE.1020303@fsl.com>
Message-ID: <004201c78907$90c0cf80$0705000a@ddf5dw71>

----- Original Message -----
From: "Steve Freegard" To: "MailScanner discussion" Sent: Friday, April 27, 2007 3:41 PM Subject: Re: how to block mail where From and To are the same? > Hi Daniel, > > Daniel Maher wrote: >>> You could do this with a very simple Custom Function. It would just >>> check to see if >>> 1) There is only 1 recipient >>> 2) The recipient address @{$message->{from}}[0] eq the sender address >>> $message->{from}. >>> >>> Don't trust the syntax is 100% accurate, my Perl is a bit rusty due to >>> my hospital stay. >>> >>> Quite which configuration option you would attach this to is left as an >>> exercise for the reader :-) >> >> Thank you for the response! >> >> A wild guess at an appropriate config option would be "Use Custom Spam >> Scanner". My question is this: which comes first, SpamAssassin, or >> Custom Spam Scanner, in the actual process? >> >> Also, does the reported "score" from Custom Spam Scanner get applied to >> the SpamAssassin Score (i.e. for calculating spam actions)? If not, how >> is the reported Custom score used by MailScanner in determining an >> action? >> > > Actually - if it were me, I'd put this into the 'Is Definitely Spam' > option. Then the custom function can return true for these messages and > they'll simply be blacklisted. > > Much easier than trying to do it elsewhere. > > Kind regards, > Steve. > -- Our system was being hit by this also for a while, but putting the IP in whitelist rules instead of our domains seemed to catch most of this. Of course, we didn't let roaming users (that said they were from our domains) send to the servers, so this worked very well. If they needed the return address to be from our domain, they were forced to use webmail, and that IP was in whitelist rules, also. The occasional 'clean' spam would get through, but nothing of the order we used to get. Steve From campbell at cnpapers.com Fri Apr 27 21:17:15 2007 
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Apr 27 21:17:27 2007
Subject: how to block mail where From and To are the same?
References: <463215E2.4060402@ecs.soton.ac.uk><1E293D3FF63A3740B10AD5AAD88535D204CD3D07@UBIMAIL1.ubisoft.org><463251FE.1020303@fsl.com> <004201c78907$90c0cf80$0705000a@ddf5dw71>
Message-ID: <004d01c78909$0c7677f0$0705000a@ddf5dw71>

----- Original Message -----
From: "Steve Campbell"
To: "MailScanner discussion"
Sent: Friday, April 27, 2007 4:06 PM
Subject: Re: how to block mail where From and To are the same?

>
> ----- Original Message -----
> From: "Steve Freegard" > To: "MailScanner discussion" > Sent: Friday, April 27, 2007 3:41 PM > Subject: Re: how to block mail where From and To are the same? > > >> Hi Daniel, >> >> Daniel Maher wrote: >>>> You could do this with a very simple Custom Function. It would just >>>> check to see if >>>> 1) There is only 1 recipient >>>> 2) The recipient address @{$message->{from}}[0] eq the sender address >>>> $message->{from}. >>>> >>>> Don't trust the syntax is 100% accurate, my Perl is a bit rusty due to >>>> my hospital stay. >>>> >>>> Quite which configuration option you would attach this to is left as an >>>> exercise for the reader :-) >>> >>> Thank you for the response! >>> >>> A wild guess at an appropriate config option would be "Use Custom Spam >>> Scanner". My question is this: which comes first, SpamAssassin, or >>> Custom Spam Scanner, in the actual process? >>> >>> Also, does the reported "score" from Custom Spam Scanner get applied to >>> the SpamAssassin Score (i.e. for calculating spam actions)? If not, how >>> is the reported Custom score used by MailScanner in determining an >>> action? >>> >> >> Actually - if it were me, I'd put this into the 'Is Definitely Spam' >> option. Then the custom function can return true for these messages and >> they'll simply be blacklisted. >> >> Much easier than trying to do it elsewhere. >> >> Kind regards, >> Steve. >> -- > Our system was being hit by this also for a while, but putting the IP in > whitelist rules instead of our domains seemed to catch most of this. Of > course, we didn't let roaming users (that said they were from our domains) > send to the servers, so this worked very well. If they needed the return > address to be from our domain, they were forced to use webmail, and that > IP was in whitelist rules, also. The occasional 'clean' spam would get > through, but nothing of the order we used to get. > > Steve It's amazing how a sent message turns into gibberish after you hit the Send button. 
What I meant to indicate was that after adding the IPs to the whitelist, the
normal scans and virus checks would usually pick out the crap and throw it
away on these duplicate from/to emails.

Steve

From ssilva at sgvwater.com Fri Apr 27 21:17:28 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 27 21:17:42 2007
Subject: Clamd as scan option [patches included]
In-Reply-To: <46320E88.90608@ecs.soton.ac.uk>
References: <462238AD.6000509@stellarcore.net> <46320E88.90608@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 4/27/2007 7:54 AM:
> I have just released a beta with this functionality included.
>

I knew you couldn't wait to get back into the code! ;-)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From res at ausics.net Fri Apr 27 22:05:26 2007
From: res at ausics.net (Res)
Date: Fri Apr 27 22:05:36 2007
Subject: sendmail vuln
In-Reply-To: <00aa01c788cb$60ffbd60$0705000a@ddf5dw71>
References: <9cc4c72a189cd641acb1987a76a379b4@solidstatelogic.com><4630E3D7.5030202@fractalweb.com> <00aa01c788cb$60ffbd60$0705000a@ddf5dw71>
Message-ID:

On Fri, 27 Apr 2007, Steve Campbell wrote:

> OK, it's Friday,
>
> What's a wannabie? Sounds Australian. That one of those things that looks
> like a 'roo?

lol, that's a wallabie :)

uummm, it's a try-hard type of thing, like... a security guard who thinks
he's got police powers, simply because he has a badge and uniform (ask em
for their warrant card and they go blank)...

or...

like a 16yo winblows weenie who gets a few of his friends domains on a plesk
box somewhere where he hosts his 'l337 h4ck3r' site and becomes a sub
reseller of 3 domains and thinks he/she is the new mega hosting company of
the world

(no offence to any 16 yo's :) I'm sure there are even some of them who agree
with me)

--
Cheers
Res

Vote for your favourite MTA at http://polls.ausics.net/v3.php

From ssilva at sgvwater.com Fri Apr 27 22:41:48 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 27 22:42:14 2007
Subject: Off topic - Slow batch processing
In-Reply-To: <223f97700704270142l6b1dfd7ak5e82dfbfa53c1071@mail.gmail.com>
References: <4630CCE7.6050908@dido.ca> <003601c78855$5c219190$5e01a8c0@seamoose> <8184822137658927276@unknownmsgid> <223f97700704270142l6b1dfd7ak5e82dfbfa53c1071@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 4/27/2007 1:42 AM:
> On 27/04/07, Stephen Swaney wrote:
>> > I found when I was running up a new MailScanner install on a machine with
>> > dual cpu's and not much ram, that my MailScanner processes just became
>> > defunct after a while. I could slow the process down by decreasing things
>> > like no. of children and the like, but the problem was instantly solved when
>> > I bumped the ram up. (We had some on order).
>> >
>> > Seamus Allan
>> > Network Engineer
>> > Rheel Electronics Ltd
>>
>> This reminds me of a story that is way off topic but some of you might need
>> a laff today.
>>
>> Many years ago I worked for a large NY firm that had an overseas office. The
>> overseas office started having problems with Sybase servers running
>> slowly. The Sybase experts? were called in and could not resolve the
>> problem. After a little over 30 days! someone noticed that there was very
>> little memory in the systems.
>>
>> A check of the data center access records, system reboots and data center
>> cameras showed that a contractor had been systematically removing memory
>> from many systems for a LONG time. A check of the contractor's apartment found
>> a lot of memory and other kibbles and bits :(
>>
>> Sometimes it's not always a configuration or application problem :)
>>
>> Best regards,
>>
>> Steve
>
> LOL, thanks Steve... Really needed a good start on the day, and that did
> it:-).
>
> Reminds me of a not that distant (approx. 7 years) incident where we
> took a not-that-new server out of storage, for doing some tests, and
> it just didn't want to boot... Beeped a bit, but never got to begin
> the POST at all...
> Turned out that there wasn't any CPU under the meticulously replaced
> cooler...
> If it had been something nice, one could have understood the act of
> theft, but IIRC it was some P133 or similar, so why anyone would go to
> all the trouble... This was back when it took some tinkering to get at
> the HW, no snap on/off thingies, so the thief had to have been working
> at it for at least 30-40 minutes...
> As far as we know, the temp janitor (with keys to go _everywhere_) was
> the culprit. I've always wondered who does the security check on people
> like that (janitors, cleaners etc etc:-).
>
> Cheers

You would be surprised at how many companies neglect to check cleaning people
for security. They hire a "cleaning service" and expect them to do the
checks. Many cleaning companies will grab temps when they are short staffed,
sometimes even "friends of friends" just to get the work done. Our company
had a service that was caught bringing their kids in with them and letting
them run loose while they worked. Luckily, we have a 24 hour dispatcher on
duty, and he caught them in the cameras as soon as they let their kids in.
Bye bye to that company!! The owner was quite miffed at his employees for
losing the contract.

From markee at bandwidthco.com Sat Apr 28 00:10:00 2007
From: markee at bandwidthco.com (markee)
Date: Sat Apr 28 00:14:53 2007
Subject: Clamd as scan option [patches included]
In-Reply-To:
Message-ID: <001201c78921$2e285630$0300a8c0@bandwidthco.com>

Julian Field spake the following on 4/27/2007 7:54 AM:
> I have just released a beta with this functionality included.
>
I knew you couldn't wait to get back into the code! ;-)

Yeah, my thoughts as well - but this might be a good thing. Since this is
the "Love of Julian's Life", getting back to work at this point may be the
best therapy for a complete & speedy recovery. Just don't push too hard
Julian.

########################################################
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
postmaster@bandwidthco.com
MailScanner at Bandwidthco Computer Security
is for your absolute protection.
########################################################

From ssilva at sgvwater.com Sat Apr 28 00:28:50 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Apr 28 00:28:58 2007
Subject: Clamd as scan option [patches included]
In-Reply-To: <001201c78921$2e285630$0300a8c0@bandwidthco.com>
References: <001201c78921$2e285630$0300a8c0@bandwidthco.com>
Message-ID:

markee spake the following on 4/27/2007 4:10 PM:
>
> Julian Field spake the following on 4/27/2007 7:54 AM:
>> I have just released a beta with this functionality included.
>>
> I knew you couldn't wait to get back into the code! ;-)
>
> Yeah, my thoughts as well - but this might be a good thing. Since this is
> the "Love of Julian's Life", getting back to work at this point may be the
> best therapy for a complete & speedy recovery. Just don't push too hard
> Julian.
>

I'm sure that his parents are watching out for him if they are still there.
No one wants a scolding from mom at any age! ;-P

From andy.mac at global-domination.org Sat Apr 28 02:19:32 2007
From: andy.mac at global-domination.org (Andrew MacLachlan)
Date: Sat Apr 28 02:19:48 2007
Subject: $datenumber and $hostname for inline.sig
Message-ID: <3399.192.168.169.102.1177723172.squirrel@mail-gw.global-domination.org>

I have a need to capture the $datenumber and $hostname variables so that
they can be used to build up a simple url in the inline signature for clean
messages so end-users can easily report a message as spam.

I have written the cgi - which works just fine, however from the release
notes and from experience I know that only $from, $id and $subject are
available here (unlike recipient.spam.report.txt).

Is there any workaround for this? Is this something that would benefit
others?

inline.sig.txt:

  Click here to report this message as spam.
  http://$hostname/cgi-bin/learn-msg.cgi?datenumber=$datenumber&id=$id

learn-msg.cgi (please excuse the horrible code):

  #!/usr/bin/perl
  use strict;
  use warnings;
  use CGI::Carp qw(fatalsToBrowser);
  use CGI qw(:standard);

  print "Content-type: text/html \n\n";
  my $query = CGI->new;
  my @salearn = ("/usr/bin/sa-learn", "--spam");
  my $id = param("id");
  my $datenumber = param("datenumber");

  # Both values arrive in the URL and become part of a file path, so accept
  # only an 8-digit date directory and a queue-id-like name (no "/", no "..").
  die "Bad datenumber\n" unless defined $datenumber && $datenumber =~ /^\d{8}$/;
  die "Bad id\n" unless defined $id && $id =~ /^[A-Za-z0-9]+(?:[.-][A-Za-z0-9]+)*$/;

  my $msgtolearn = "/var/spool/MailScanner/quarantine/$datenumber/nonspam/$id";
  die "No such message\n" unless -f $msgtolearn;

  # List form of system() runs sa-learn directly, without passing through a shell.
  system(@salearn, $msgtolearn) == 0 or die "Cannot run $salearn[0]: $?";

  # redirect to success page
  print "";

Any suggestions welcome!

Regards,
Andrew MacLachlan
http://www.global-domination.org/

From grpprod at gmail.com Sat Apr 28 05:29:38 2007
From: grpprod at gmail.com (G P)
Date: Sat Apr 28 05:29:40 2007
Subject: Announcement: New beta 4.59.2 released
Message-ID: <773fecad0704272129we94dcdfyddf03c24ebd6ccc8@mail.gmail.com>

>
> I have just released a new beta 4.59.2 which includes the support for
> clamd, using the patches provided earlier on this list.
>

So should this be faster than clamavmodule?

From hvdkooij at vanderkooij.org Sat Apr 28 09:33:57 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Apr 28 09:34:36 2007
Subject: OT: FYI: [SPAM] from sam@bbcpa.com (fwd)
Message-ID:

Hi,

For those that enjoy blacklisting these systems, here is one you may not have
encountered yet.

It is a nice example of backscatter I would not see if they used a better
system to control spam. I have no clue who this person is.

Hugo.

---------- Forwarded message ----------
Date: Sat, 28 Apr 2007 03:54:16 -0400 (EDT)
From: messenger@ipermitmail.com
To: hvdkooij@vanderkooij.org
Subject: [SPAM] from sam@bbcpa.com

Please click the link below so that I can receive your message.
Your message is being held by my anti-spam system, iPermitMail.

http://www.ipermitmail.com/ipm/Messages/rp.cfm?ln=56045297&rpk=3014159742805

Thank-you,
sam@bbcpa.com

______________________________________________________________________________
Receive spam free email with iPermitMail, the most advanced email firewall
solution available. Please click http://www.ipermitmail.com/ to learn how to
take control of your inbox and sign up for a 60-day free, no-risk trial.
Copyright 2002-2005 ILAP www.ipermitmail.com

From drew at technologytiger.net Sat Apr 28 10:24:33 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Sat Apr 28 14:40:56 2007
Subject: Password Protected .rar files
Message-ID: <5B3115A8-BCF9-4B53-883E-A29FC4AF899E@technologytiger.net>

Hi all

One of my clients has recently been sent a password protected rar file. The
body of the mail is a gif image which uses social engineering (Based on the
user having a virus and the attached file has the miracle cure) to open this
file.

This went sailing through MailScanner, passed F-Prot, Clam & Bitdefender and
passed the option to not allow password protected archive files. I have
checked my path to unrar, which is fine and all the other parameters are all
ok too.

First question: Any one else seen these?

Second: Are they being stopped by anything (Messagelabs detected this as a
virus, hence my concern)?

Finally: Shouldn't MailScanner have stopped this or is it only password
protected zip files that it stops (And in turn shouldn't this be extended to
cover all unscannable files?)

I have blocked all rar files now in the file type rules until I can get to
the bottom of this. I have also sent a copy to the nice folks at ClamAV for
good measure.

Regards

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From alex at nkpanama.com Sat Apr 28 15:48:20 2007
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Sat Apr 28 15:49:06 2007
Subject: Password Protected .rar files
In-Reply-To: <5B3115A8-BCF9-4B53-883E-A29FC4AF899E@technologytiger.net>
References: <5B3115A8-BCF9-4B53-883E-A29FC4AF899E@technologytiger.net>
Message-ID: <46335EB4.60005@nkpanama.com>

Drew Marshall wrote:
> Hi all
>
> One of my clients has recently been sent a password protected rar
> file. The body of the mail is a gif image which uses social
> engineering (Based on the user having a virus and the attached file
> has the miracle cure) to open this file.
>
> This went sailing through MailScanner, passed F-Prot, Clam &
> Bitdefender and passed the option to not allow password protected
> archive files. I have checked my path to unrar, which is fine and all
> the other parameters are all ok too.
>

I believe it would help a lot if you sent along a log snippet detailing the
ingestion, digestion, and excretion (to put it in biological terms) of this
message.

It also helps if you can reproduce the problem. Can you send the rarfile
through again? Same results? If so, try to turn on all logging features in
MailScanner and copy the relevant bits to the list ... I'm sure someone will
be able to help.

You also have to make sure some easy-to-overlook things haven't happened,
such as "scan messages = no" triggered by a ruleset, your MTA running by
itself for whatever reason (instead of "in tandem" with MailScanner), etc.

From drew at technologytiger.net Sat Apr 28 21:21:02 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Sat Apr 28 21:21:46 2007
Subject: Password Protected .rar files
In-Reply-To: <46335EB4.60005@nkpanama.com>
References: <5B3115A8-BCF9-4B53-883E-A29FC4AF899E@technologytiger.net> <46335EB4.60005@nkpanama.com>
Message-ID: <7756B46F-14E1-4C68-8248-D1C5B3C729BA@technologytiger.net>

On 28 Apr 2007, at 15:48, Alex Neuman van der Hans wrote:

> Drew Marshall wrote:
>> Hi all
>>
>> One of my clients has recently been sent a password protected rar
>> file. The body of the mail is a gif image which uses social
>> engineering (Based on the user having a virus and the attached
>> file has the miracle cure) to open this file.
>>
>> This went sailing through MailScanner, passed F-Prot, Clam &
>> Bitdefender and passed the option to not allow password protected
>> archive files. I have checked my path to unrar, which is fine and
>> all the other parameters are all ok too.
>>
> I believe it would help a lot if you sent along a log snippet
> detailing the ingestion, digestion, and excretion (to put it in
> biological terms) of this message.

Logs are:

Apr 28 21:10:59 mx1 MailScanner[64228]: MailScanner E-Mail Virus Scanner version 4.58.9 starting...
Apr 28 21:10:59 mx1 MailScanner[64228]: Read 766 hostnames from the phishing whitelist
Apr 28 21:11:00 mx1 MailScanner[64228]: Using SpamAssassin results cache
Apr 28 21:11:00 mx1 MailScanner[64228]: Connected to SpamAssassin cache database
Apr 28 21:11:10 mx1 MailScanner[64228]: I have found bitdefender f-prot clamav scanners installed, and will use them all by default
Apr 28 21:11:10 mx1 MailScanner[64228]: ClamAV scanner using unrar command /usr/local/bin/unrar
Apr 28 21:11:10 mx1 MailScanner[64228]: Using locktype = flock
Apr 28 21:11:10 mx1 MailScanner[64228]: New Batch: Scanning 1 messages, 96537 bytes
Apr 28 21:11:10 mx1 MailScanner[64228]: Spam Checks: Starting
Apr 28 21:11:10 mx1 MailScanner[64228]: SpamAssassin cache hit for message 3244233C40.B1672
Apr 28 21:11:11 mx1 MailScanner[64228]: Virus and Content Scanning: Starting
Apr 28 21:11:43 mx1 MailScanner[64228]: Requeue: 8BF3933C9B.0C3E3 to B69D033CDA
Apr 28 21:11:43 mx1 MailScanner[64228]: Uninfected: Delivered 1 messages
Apr 28 21:11:43 mx1 MailScanner[64228]: MailScanner child dying of old age
Apr 28 21:11:43 mx1 postfix/qmgr[852]: B69D033CDA: from=, size=93454, nrcpt=1 (queue active)
Apr 28 21:11:43 mx1 postfix/virtual[65956]: B69D033CDA: to=, relay=virtual, delay=57, delays=57/0.05/0/0.
Apr 28 21:11:43 mx1 postfix/qmgr[852]: B69D033CDA: removed

>
> It also helps if you can reproduce the problem. Can you send the
> rarfile through again?

Yes and I can send it to any one who fancies :-) or just put the files up
for download, depending if they are of use.

> Same results?

Yes

> If so, try to turn on all logging features in MailScanner and copy
> the relevant bits to the list ... I'm sure someone will be able to
> help.

Here from debug mode (No point in debugging SA as that's not an issue!)

Starting mailscanner.
In Debugging mode, not forking...
max message size is '41000 trackback'
Line is ****-------------------------------1177790949-- ****
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832
DisarmPhishingFound = 0 on message 8BF3933C9B.0C3E3
Stopping now as you are debugging me.

>
> You also have to make sure some easy-to-overlook things haven't
> happened, such as "scan messages = no" triggered by a ruleset, your
> MTA running by itself for whatever reason (instead of "in tandem"
> with MailScanner), etc.

No such issue. FreeBSD here and that always starts the process separately
for Postfix (Which suits me well!) and it's Postfix so no worries about
bypassing second instances and such like. No rulesets for file type
scanning, so that should be ok.

Drew

From hvdkooij at vanderkooij.org Sat Apr 28 22:07:14 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Apr 28 22:07:49 2007
Subject: Password Protected .rar files
In-Reply-To: <5B3115A8-BCF9-4B53-883E-A29FC4AF899E@technologytiger.net>
References: <5B3115A8-BCF9-4B53-883E-A29FC4AF899E@technologytiger.net>
Message-ID:

On Sat, 28 Apr 2007, Drew Marshall wrote:

> One of my clients has recently been sent a password protected rar file. The
> body of the mail is a gif image which uses social engineering (Based on the
> user having a virus and the attached file has the miracle cure) to open this
> file.
>
> This went sailing through MailScanner, passed F-Prot, Clam & Bitdefender and
> passed the option to not allow password protected archive files. I have
> checked my path to unrar, which is fine and all the other parameters are all
> ok too.
>
> First question: Any one else seen these?

I am not sure if rar is not a bit peculiar about password protected files.

BitDefender allows no explicit blocking of password protected files.

f-prot does not have a commandline option for this either.

clamscan has the --block-encrypted option but I am not aware of an
equivalent for the module configuration.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From amaclach at yahoo.co.uk Sat Apr 28 22:30:42 2007
From: amaclach at yahoo.co.uk (Andrew MacLachlan)
Date: Sat Apr 28 22:30:48 2007
Subject: Password Protected .rar files
Message-ID: <89501.19163.qm@web26307.mail.ukl.yahoo.com>

I have a copy forwarded from one of my customers - I can forward it on
request. Interestingly Yahoo missed it too.

Regards,
Andrew MacLachlan
H: +44 20 84677939
M: +44 7900 980314
E: amaclach@yahoo.co.uk

----- Original Message ----
From: Alex Neuman van der Hans
To: MailScanner discussion
Sent: Saturday, 28 April, 2007 3:48:20 PM
Subject: Re: Password Protected .rar files

Drew Marshall wrote:
> Hi all
>
> One of my clients has recently been sent a password protected rar
> file. The body of the mail is a gif image which uses social
> engineering (Based on the user having a virus and the attached file
> has the miracle cure) to open this file.
>
> This went sailing through MailScanner, passed F-Prot, Clam &
> Bitdefender and passed the option to not allow password protected
> archive files. I have checked my path to unrar, which is fine and all
> the other parameters are all ok too.
>

I believe it would help a lot if you sent along a log snippet detailing the
ingestion, digestion, and excretion (to put it in biological terms) of this
message.

It also helps if you can reproduce the problem. Can you send the rarfile
through again? Same results? If so, try to turn on all logging features in
MailScanner and copy the relevant bits to the list ... I'm sure someone will
be able to help.

You also have to make sure some easy-to-overlook things haven't happened,
such as "scan messages = no" triggered by a ruleset, your MTA running by
itself for whatever reason (instead of "in tandem" with MailScanner), etc.

From hvdkooij at vanderkooij.org Sat Apr 28 22:40:58 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Apr 28 22:41:26 2007
Subject: FME: No bayesian value ==> incorrect scores
Message-ID:

hi,

This is one that might classify as Frequently Made Error.

I noticed that messages no longer had the Bayesian count present. So some messages started to slip through.

I then noticed two anomalies.

1. The owner of one of the bayesian files was incorrect.
2. There were a number of scores in my config file for which the rules no longer existed.

Item 2 was spotted with `mailscanner --lint` under the SA section. Only after fixing item 2 did I see the issue for item 1. Item 1 was the problem but it did not show too well until I fixed the other issue.

I hope this will save someone some time when they are in a similar situation.

In my case they should be:

-rw-rw---- 1 postfix apache   14040 Apr 28 23:38 bayes_journal
-rw-rw---- 1 postfix apache     948 Apr 28 23:27 bayes.mutex
-rw-rw---- 1 postfix apache 1347584 Apr 28 23:27 bayes_seen
-rw-rw---- 1 postfix apache 5369856 Apr 28 23:27 bayes_toks

(The apache group is just to satisfy MailWatch.)

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
From amaclach at yahoo.co.uk Sun Apr 29 02:02:17 2007
From: amaclach at yahoo.co.uk (Andrew MacLachlan)
Date: Sun Apr 29 02:02:24 2007
Subject: Avast support?
Message-ID: <472342.61341.qm@web26312.mail.ukl.yahoo.com>

This question has been asked before (http://thread.gmane.org/gmane.mail.virus.mailscanner/27068/focus=31924) but it didn't seem to go anywhere.
I have a customer that requires Avast support and I don't really want to use amavis (which does support Avast).
Is there much appetite for this?

Regards,

Andrew MacLachlan
From itdept at fractalweb.com Sun Apr 29 05:51:37 2007
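A check for the failure described in the "FME: No bayesian value" message above, as an added example that is not part of the thread: it reports Bayes database files whose owner, group or mode differs from what the scanning user needs. The function names and finding codes are made up for the example; the expected owner, group and mode are the ones in Hugo's listing, and the directory is passed in because the thread does not give it.

```python
"""Audit ownership and mode of SpamAssassin Bayes files (added example)."""
import glob
import grp
import os
import pwd
import stat
import sys


def audit_bayes_files(directory, owner_uid, group_gid, required_mode=0o660):
    """Return a sorted list of (file name, finding code) for bayes* files.

    required_mode is the set of permission bits that must be present
    (rw for owner and group in the listing above). Any access for
    "other" is reported as well, since the token database reflects
    the content of users' mail.
    """
    findings = []
    for path in sorted(glob.glob(os.path.join(directory, "bayes*"))):
        name = os.path.basename(path)
        st = os.lstat(path)  # lstat: do not follow a planted symlink
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not-regular-file"))
            continue
        if st.st_uid != owner_uid:
            findings.append((name, "wrong-owner"))
        if st.st_gid != group_gid:
            findings.append((name, "wrong-group"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & required_mode != required_mode:
            findings.append((name, "mode-too-strict"))
        if mode & 0o007:
            findings.append((name, "world-access"))
    return findings


def ids_for(user, group):
    """Translate account names into the numeric ids stat() reports."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


if __name__ == "__main__":
    # Usage: audit.py <bayes directory> [user] [group]
    bayes_dir = sys.argv[1]
    user = sys.argv[2] if len(sys.argv) > 2 else "postfix"
    group = sys.argv[3] if len(sys.argv) > 3 else "apache"
    uid, gid = ids_for(user, group)
    problems = audit_bayes_files(bayes_dir, uid, gid)
    for name, code in problems:
        print("%s: %s" % (name, code))
    sys.exit(1 if problems else 0)
```

Running it from cron alongside `mailscanner --lint` turns a silent loss of the Bayes score into a non-zero exit status.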
From: itdept at fractalweb.com (Chris Yuzik) Date: Sun Apr 29 05:51:59 2007 Subject: joe-jobbed, block 'undeliverable' messages? In-Reply-To: <4630E213.7070203@fractalweb.com> References: <462FF36D.5020608@fractalweb.com> <20070426130020.1zkijj7nuo8gk8o4@mail.netmagicsolutions.com> <4630E213.7070203@fractalweb.com> Message-ID: <46342459.1080604@fractalweb.com> Chris Yuzik wrote: > Dhawal Doshy wrote: >> For sendmail: >> Julian suggested 'milter-null' a few days back to someone with a >> similar problem.. > I'll look in to milter-null. Thanks. > I now have milter-null installed, configured, and running. All I can say is, great piece of code. A few stats. As of 8am this morning, this poor domain had already received 499 bounce messages for mail that didn't actually originate from our server. A few minutes later, I flipped the switch on milter-null's configuration file to tell it to reject these invalid DSN messages and "poof". Not a single one since then! This thing works great! Highly recommended for anyone who hosts domains that get "joe-jobbed." Thanks Dhawal and Julian for the recommendation. Chris From MailScanner at ecs.soton.ac.uk Sun Apr 29 09:54:08 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Apr 29 09:54:36 2007 Subject: Avast support? In-Reply-To: <472342.61341.qm@web26312.mail.ukl.yahoo.com> References: <472342.61341.qm@web26312.mail.ukl.yahoo.com> Message-ID: <46345D30.3080001@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Send me a fully working copy of Avast and I'll take a look into it for you. Talk to me off-list. Andrew MacLachlan wrote: > This question has been asked before (http://thread.gmane.org/gmane.mail.virus.mailscanner/27068/focus=31924) but it didn't seem to go anywhere. > I have a customer that requires Avast support and I don't really want to use amavis (which does support Avast). > Is there much appetite for this? > > Regards, > > Andrew MacLachlan > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) Charset: ISO-8859-1 wj8DBQFGNF02EfZZRxQVtlQRAj54AJ4qztZXcFA4qtZ6uj/qSbVrwN1PZQCfX4DE e4pe8OUrUBsIdMnAcj44Xx0= =1tvr -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From hvdkooij at vanderkooij.org Sun Apr 29 10:36:42 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Apr 29 10:37:14 2007
Subject: Avast support?
In-Reply-To: <46345D30.3080001@ecs.soton.ac.uk>
References: <472342.61341.qm@web26312.mail.ukl.yahoo.com> <46345D30.3080001@ecs.soton.ac.uk>
Message-ID:

On Sun, 29 Apr 2007, Julian Field wrote:

> Send me a fully working copy of Avast and I'll take a look into it for
> you. Talk to me off-list.

There are probably multiple ways of calling on Avast. This may depend a bit on the exact version and product installed.

I happen to test a load of them because I want to get their names for all the samples I collect.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
From amaclach at yahoo.co.uk Sun Apr 29 12:28:55 2007
From: amaclach at yahoo.co.uk (Andrew MacLachlan)
Date: Sun Apr 29 12:28:57 2007
Subject: Avast support?
Message-ID: <599212.86620.qm@web26310.mail.ukl.yahoo.com>

Avast for Linux servers... - You are correct in saying there are many ways of calling the software, most existing methods are either milter (for sendmail only), content filters (for most MTAs) and obviously the amavisd-new plugin and commandline. What's missing is MS support :-(

Regards,

Andrew MacLachlan
H: +44 20 84677939
M: +44 7900 980314
E: amaclach@yahoo.co.uk

----- Original Message ----
From rcooper at dwford.com Sun Apr 29 19:58:41 2007
From: rcooper at dwford.com (Rick Cooper) Date: Sun Apr 29 19:58:53 2007 Subject: Avast support? In-Reply-To: <46345D30.3080001@ecs.soton.ac.uk> References: <472342.61341.qm@web26312.mail.ukl.yahoo.com> <46345D30.3080001@ecs.soton.ac.uk> Message-ID: <028101c78a90$67f1ebe0$0301a8c0@SAHOMELT> Julian, I have attached information for adding avast to MailScanner. I didn't send a diff because my MailScanner installs still have patches that are not in the MailScanner releases. I also didn't do an avast-autoupdate because when you install the avast it installs a cron job, and scripts to run in. It apparently can be either a perl or .sh script depending on what the rpm install script decides is right for your system. They are fairly complex scripts but you could call them from an avast-autoupdate script by adding: /usr/bin/avastvpsupdate.pl or /usr/bin/avastvpsupdate.sh To the autoupdate script There is also a note in the avast-wrapper script about changing the prog= line from avastcmd to avast if you are using the workstation version. Other than that this will work for both as they share options and output. Hope it saves you some trouble, and sorry about not having a diff, but the AvastForMailScanner.txt contains everything you need to add to each of the related files (including MailWatch-> functions.php if using it) Rick > -----Original Message----- 
-------------- next part --------------
Update MailScanner.conf

# Which Virus Scanning package to use:
# avast from www.avast.com

Add to virus.scanners.conf

avast /opt/MailScanner/lib/avast-wrapper /usr/bin

Add to SweepViruses

My $Scanners = (

  "avast" => {
    Name => 'Avast',
    Lock => 'Avastbusy.lock',
    CommonOptions => '-t A -n --testfull',
    DisinfectOptions => '',
    ScanOptions => '',
    InitParser => \&InitAvastParser,
    ProcessOutput => \&ProcessAvastOutput,
    SupportScanning => $S_SUPPORTED,
    SupportDisinfect => $S_NONE,
  },


# Initialise any state variables the AVAST output parser uses
sub InitAvastParser {
  ;
}


sub ProcessAvastOutput {
  my($line, $infections, $types, $BaseDir, $Name) = @_;
  chomp $line;

  # Remove all the carriage-returns from the line
  $line =~ s/[\r\n]//g;
  # Convert tabs to a space
  $line =~ s/\t/ /;
  #print STDERR "Line: $line\n";
  # return 0 unless $line =~ /\[infected by: (.+?)\]$/i;
  return 0 unless $line =~ /\[infected by: (.+?)\]$/i;
  my $virus = $1;
  # Remove Archived and/or BaseDir from the line
  $line =~ s/^.*?$BaseDir\///;

  # Now remove the virus found string since we have the virus name already
  $line =~ s/^(.*?)\s.+$/$1/;
  MailScanner::Log::DebugLog("%s", "AVAST : Remove BaseDir $BaseDir/\n");

  # Now create the standard log line of ID/filename
  my $logout = $line;
  MailScanner::Log::DebugLog("%s", "AVAST : Changed Output to $line\n");
  # Remove redundant whitespace from log line
  $logout =~ s/\s{2,}/ /g;
  MailScanner::Log::InfoLog("%s", $logout);

  # The format would now be:
  # single file infection ID/filename
  # Archive file with infection ID/ArchiveName/FileName
  # Get the ID, the file to remove and the infected file name if an archive
  my ($id,$part,$file) = split(/\//,$line);


  MailScanner::Log::DebugLog("%s", "AVAST : id:$id:part = $part: File = $file\n");
  $infections->{$id}{$part} .= $Name . ': ' if $Name;

  # Avast checks the archived file before the archive itself so
  # we skip the archive if we have already recorded it with the filename
  # so the user report only displays archivefile => filename but the
  # postmaster message will still show both.

  unless (defined $infections->{$id}{$file}) {
    $infections->{$id}{$part} .= "Found virus ($virus) in file $part\n" if $file eq '';
    $infections->{$id}{$part} .= "Found virus ($virus) in Archive $part => $file\n" if $file ne '';
    $types->{$id}{$part} .= "v"; # so we know what to tell sender
  }
  return 1;
}

IF YOU ARE USING MAILWATCH FOR MAILSCANNER NEED TO ADD (ABOVE default:)

  case 'avast':
    define(VIRUS_REGEX, '/\[infected by: (.+?)\]$/i');
    break;

TO THE if(!defined(VIRUS_REGEX) || !DISTRIBUTED_SETUP) { SECTION

-------------- next part --------------
A non-text attachment was scrubbed...
Name: avast-wrapper
Type: application/octet-stream
Size: 1481 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070429/a9ee1c98/avast-wrapper.obj
From MailScanner at ecs.soton.ac.uk Sun Apr 29 20:59:29 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Apr 29 21:00:06 2007 Subject: Avast support? In-Reply-To: <028101c78a90$67f1ebe0$0301a8c0@SAHOMELT> References: <472342.61341.qm@web26312.mail.ukl.yahoo.com> <46345D30.3080001@ecs.soton.ac.uk> <028101c78a90$67f1ebe0$0301a8c0@SAHOMELT> Message-ID: <4634F921.6080102@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry Rick, I beat you to it. Support for both "avastcmd" command-line scanner and the "avastd" daemon are done and tested. It's up on the web site as 4.59.4, I just haven't updated the HTML to point to it yet. I'll do that tomorrow. I've done quite enough for 1 day, I'm supposed to be resting after all :-) Jules. Rick Cooper wrote: > Julian, > > I have attached information for adding avast to MailScanner. I didn't send a > diff because my MailScanner installs still have patches that are not in the > MailScanner releases. I also didn't do an avast-autoupdate because when you > install the avast it installs a cron job, and scripts to run in. It > apparently can be either a perl or .sh script depending on what the rpm > install script decides is right for your system. They are fairly complex > scripts but you could call them from an avast-autoupdate script by adding: > > /usr/bin/avastvpsupdate.pl or /usr/bin/avastvpsupdate.sh > To the autoupdate script > > There is also a note in the avast-wrapper script about changing the prog= > line from avastcmd to avast if you are using the workstation version. Other > than that this will work for both as they share options and output. > > Hope it saves you some trouble, and sorry about not having a diff, but the > AvastForMailScanner.txt contains everything you need to add to each of the > related files (including MailWatch-> functions.php if using it) > > Rick > > >> -----Original Message----- 
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
From rcooper at dwford.com Sun Apr 29 21:10:16 2007
From: rcooper at dwford.com (Rick Cooper) Date: Sun Apr 29 21:10:21 2007 Subject: Avast support? In-Reply-To: <4634F921.6080102@ecs.soton.ac.uk> References: <472342.61341.qm@web26312.mail.ukl.yahoo.com> <46345D30.3080001@ecs.soton.ac.uk><028101c78a90$67f1ebe0$0301a8c0@SAHOMELT> <4634F921.6080102@ecs.soton.ac.uk> Message-ID: <029601c78a9a$67cc08d0$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Sunday, April 29, 2007 3:59 PM > To: MailScanner discussion > Subject: Re: Avast support? > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Sorry Rick, I beat you to it. Support for both "avastcmd" > command-line > scanner and the "avastd" daemon are done and tested. It's up > on the web > site as 4.59.4, I just haven't updated the HTML to point to > it yet. I'll > do that tomorrow. I've done quite enough for 1 day, I'm > supposed to be > resting after all :-) > > Jules. > That's cool with me. This was the first Sunday (actually *day*) in months that I have had any time to do anything but work so I enjoyed doing it anyway. Rick From glenn.steen at gmail.com Mon Apr 30 00:12:12 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Apr 30 00:12:18 2007
Subject: how to block mail where From and To are the same?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204CD3925@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D204CD3925@UBIMAIL1.ubisoft.org>
Message-ID: <223f97700704291612q31033b6cs3753c9143cde50c@mail.gmail.com>

On 27/04/07, Daniel Maher wrote:
> Hello all,
>
> Lately I have been receiving an increasingly large amount of spam where both
> the From and To fields are identical (and, of course, forged). The net
> result is that many of my users appear to be receiving spam from themselves,
> which is causing some distress amongst the user base.
>
> Now, there are a handful of ways to deal with this situation; however, like
> always, the community probably already knows the best way to block - or at
> least add SA points to - such spam.
>
> I'm using Postfix 2.0 (yes, I know), and the newest MailScanner &
> SpamAssassin. Thank you all for your comments and suggestions.
>
One could probably solve this in a few ways, but.... since you use Postfix, I'd guess that using an access thingie would be the way to go... Don't handle these forgeries more than necessary.

I never see these anymore (apart from the odd bit of backscatter...:) since I have the luxury of being able to deny any _outside_ sender claiming to be from my domain (very simple check.. IIRC, 2.0 should be able to do that;). Combine with a header check and you're all set:)

(Yeah, I'm low on detail.... have a few days off, due to labour day... If you like some details, we can have 'em off-list come wednesday)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com Mon Apr 30 00:17:27 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Apr 30 00:17:30 2007 Subject: Announcement: New beta 4.59.2 released In-Reply-To: <773fecad0704272129we94dcdfyddf03c24ebd6ccc8@mail.gmail.com> References: <773fecad0704272129we94dcdfyddf03c24ebd6ccc8@mail.gmail.com> Message-ID: <223f97700704291617t24abbfc0hfdcbe49ec6a33da5@mail.gmail.com> On 28/04/07, G P wrote: > > > > I have just released a new beta 4.59.2 which includes the support for > > clamd, using the patches provided earlier on this list. > > > So should this be faster than clamavmodule? > No it should be slightly slower. Whether it is in your particular setup... I couldn't begin to guess:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Apr 30 00:26:48 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Apr 30 00:26:51 2007 Subject: Announcement: New beta 4.59.2 released In-Reply-To: <46321205.1020007@ecs.soton.ac.uk> References: <46321205.1020007@ecs.soton.ac.uk> Message-ID: <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> On 27/04/07, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi folks, > > I have just released a new beta 4.59.2 which includes the support for > clamd, using the patches provided earlier on this list. > (snip) What!? Aren't you supposed to be installed in the sofa getting bored by diverse movies and complete sets of west wing and whatnot? And to release a beta without the p record patches.... Scandalous ... Well, not really:-D. If you're well enough, and only if mind you, did you ever get to look at them? We should get something for those full body edits of Postfix 2.4 (milter support only), seeing as it's stable now... Worst case is implemented in my testbed, meaning a full spin-through, and I do believe I have the slightly updated patches somewhere... Give a shout if you need a new set and I'll dig 'em up/make some new ones... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From snifer_ at hotmail.com Mon Apr 30 03:54:10 2007 
From: snifer_ at hotmail.com (Juan Pablo Salazar Bertín)
Date: Mon Apr 30 03:54:34 2007
Subject: MS 4.59.4-1: phishing filter: tags inside links
Message-ID:

In MailScanner 4.59.4-1, if someone sends us a link like this:

http://www.somesite.tld

We'll get something like this:

http://www.somesite.tld

That's because we're adding opening tags inside links text to $DisarmLinkText, and instead of adding ending tags to $DisarmLinkText, we're printing them.

I'm not sure if the objective is not to allow tags inside links (why would we want that?), so in case that's not the objective, I think a possible solution is that, in file Message.pm, the function DisarmEndtagCallback should use some output var (like DisarmTagCallback does), and at the end of the function, to use something like:

if ($DisarmInsideLink) {
  $DisarmLinkText .= $output;
} else {
  print $output;
}

Also, something I noticed is that, at the end of function DisarmTagCallback, the following is checked:

if ($DisarmInsideLink && ($tagname ne 'a' || !$DisarmPhishing))

but every time $DisarmInsideLink is true, $DisarmPhishing is true also. So maybe this could be shortened to:

if ($DisarmInsideLink && $tagname ne 'a')

That's all for now, I hope this helps to the MailScanner development.
From res at ausics.net Mon Apr 30 04:41:50 2007
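The ordering problem reported in the "phishing filter: tags inside links" message above, reproduced in a small model as an added example that is not MailScanner's code and not part of the post. It assumes the opening `<a>` is written at once and the buffered link text is written at `</a>`; the class, the function names and the sample HTML are constructed for the example, and the phishing comparison itself is left out.

```python
"""Model of a link-text buffering HTML filter (constructed example)."""
from html.parser import HTMLParser

VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}


class LinkBufferingFilter(HTMLParser):
    def __init__(self, buffer_end_tags):
        super().__init__(convert_charrefs=False)
        self.buffer_end_tags = buffer_end_tags  # False: behaviour reported above
        self.inside_link = False  # plays the role of $DisarmInsideLink
        self.link_text = ""       # plays the role of $DisarmLinkText
        self.out = []             # stands in for print

    def _emit(self, chunk):
        if self.inside_link:
            self.link_text += chunk
        else:
            self.out.append(chunk)

    def flush_link(self):
        self.out.append(self.link_text)
        self.link_text = ""
        self.inside_link = False

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        if tag == "a":
            self.flush_link()      # a nested or unterminated link ends here
            self.out.append(raw)
            self.inside_link = True
        else:
            self._emit(raw)

    def handle_startendtag(self, tag, attrs):
        self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        raw = "</%s>" % tag
        if tag == "a" and self.inside_link:
            self.flush_link()
            self.out.append(raw)
        elif self.inside_link and not self.buffer_end_tags:
            self.out.append(raw)   # written at once, ahead of the buffer
        else:
            self._emit(raw)        # proposed change: buffer it like the rest

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit("&%s;" % name)  # keep entities escaped on the way out

    def handle_charref(self, name):
        self._emit("&#%s;" % name)


def filter_html(html, buffer_end_tags):
    f = LinkBufferingFilter(buffer_end_tags)
    f.feed(html)
    f.close()
    f.flush_link()                 # do not lose text of an unclosed link
    return "".join(f.out)


class NestingChecker(HTMLParser):
    """Regression check: every end tag must close the innermost open tag."""

    def __init__(self):
        super().__init__()
        self.stack, self.ok = [], True

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        pass

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and (not self.stack or self.stack.pop() != tag):
            self.ok = False


def well_nested(html):
    c = NestingChecker()
    c.feed(html)
    c.close()
    return c.ok and not c.stack


# Constructed sample: a link whose text is wrapped in a formatting tag.
SAMPLE = ('<p>Visit <a href="http://www.somesite.tld">'
          '<b>http://www.somesite.tld</b></a> now</p>')

if __name__ == "__main__":
    for fixed in (False, True):
        result = filter_html(SAMPLE, buffer_end_tags=fixed)
        print(fixed, well_nested(result), result)
```

A `well_nested` check of this kind over a few stored messages is a cheap regression test for any change to the disarm callbacks.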
From: res at ausics.net (Res) Date: Mon Apr 30 04:42:04 2007 Subject: Announcement: New beta 4.59.2 released In-Reply-To: <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 30 Apr 2007, Glenn Steen wrote: > And to release a beta without the p record patches.... Scandalous ... > Well, not really:-D. I....... no, I wont say it :) By the way your lagging way behind in a survey I been running for a week or so :) postmix only has 1 more user than exchange :D I guess that sums it all up doesnt it muwhahahaha - -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGNWWBsWhAmSIQh7MRAqwNAJ9P3ZKYnwBotGqvezZrzRg5Qi4JAQCeM6mi MXtLb5YSFlaVfaVKAXoVE0E= =zZjY -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Mon Apr 30 07:55:42 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Apr 30 07:56:12 2007 Subject: Announcement: New beta 4.59.2 released In-Reply-To: References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: On Mon, 30 Apr 2007, Res wrote: > By the way your lagging way behind in a survey I been running for a week > or so :) postmix only has 1 more user than exchange :D I guess that sums it > all up doesnt it muwhahahaha I guess it is almost as representative as walking into a pub in Manchester and holding a poll on their favorite football club. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From martin.lyberg at gmail.com Mon Apr 30 08:18:15 2007 
From: martin.lyberg at gmail.com (Martin)
Date: Mon Apr 30 08:18:41 2007
Subject: Upgrade to clamav 0.90.2 makes scanning extremely slow
In-Reply-To: <462E27AD.7080703@ecs.soton.ac.uk>
References: <1735.172.16.1.34.1176973497.squirrel@www.caleotech.com> <462E27AD.7080703@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Why? I already support the "clamavmodule" which is faster than clamd anyway.
>
> Jules

How can I change from clamd to clamavmodule to speed things up? I'm on Debian and use apt-get to install clamav.

Thank you
From z at ziff.net Mon Apr 30 08:27:00 2007
From: z at ziff.net (Zivago Lee)
Date: Mon Apr 30 08:27:23 2007
Subject: beta 4.59.3 and clamd
In-Reply-To:
References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com>
Message-ID: <1177918021.26935.2.camel@miyagip.ziff.net.>

Hello,

I just tried upgrading to 4.59.3 and I keep getting these errors:

Apr 30 00:24:07 www MailScanner[16967]: Virus and Content Scanning: Starting
Apr 30 00:24:08 www MailScanner[16967]: /var/spool/MailScanner/incoming/16967/.: lstat() failed. ERROR

Any ideas on what that means? The permissions for these dirs are as follows:

drwx------ 9 postfix clamav 4096 Apr 30 00:25 incoming

in the incoming dir:

drwxr-x--- 2 postfix clamav 4096 Apr 30 00:21 16563
drwxr-x--- 2 postfix clamav 4096 Apr 30 00:20 16576
drwxr-x--- 2 postfix clamav 4096 Apr 30 00:21 16588
drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16949
drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16957
drwxr-x--- 2 postfix clamav 4096 Apr 30 00:25 16967
drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16979

Did I set the permissions incorrectly in the run as user section?

Thanks,
Zivago

--
Zivago Lee
From res at ausics.net Mon Apr 30 08:51:26 2007
From: res at ausics.net (Res) Date: Mon Apr 30 08:51:36 2007 Subject: Announcement: New beta 4.59.2 released In-Reply-To: References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 30 Apr 2007, Hugo van der Kooij wrote: > On Mon, 30 Apr 2007, Res wrote: > >> By the way your lagging way behind in a survey I been running for a week >> or so :) postmix only has 1 more user than exchange :D I guess that sums it >> all up doesnt it muwhahahaha > > I guess it is almost as representative as walking into a pub in Manchester > and holding a poll on their favorite football club. It was thrown about, and decided on an Australian network admin mailing list that we should have a quick tally, I was asked to host it, but I guess if you want to liken all of Australia to a Manchester pub, then you're probably right :) afterall the list has only about 900 members and I'm damn sure that represents about 0.00001% of network admins in this country. Most the guys and gals on that list are sendmail and qmail users, though the fact some of them admit to using exchange is scarey, I suspect (hope) they are more the small private company folk and not from the more well known ones, though there are a couple of federal govt techs on there, and we all know how govts love m$. - -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGNaABsWhAmSIQh7MRAv58AKCvu/kIQi16lDOTcHHpT1XwOpO+/wCgsTBg WOn2NePDg7QwKoVPXPS9mUg= =UgHd -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Mon Apr 30 09:30:40 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Apr 30 09:31:08 2007 Subject: Announcement: New beta 4.59.2 released In-Reply-To: References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: On Mon, 30 Apr 2007, Res wrote: > On Mon, 30 Apr 2007, Hugo van der Kooij wrote: > >> On Mon, 30 Apr 2007, Res wrote: >> >> > By the way your lagging way behind in a survey I been running for a week >> > or so :) postmix only has 1 more user than exchange :D I guess that sums >> > it all up doesnt it muwhahahaha >> >> I guess it is almost as representative as walking into a pub in Manchester >> and holding a poll on their favorite football club. > > It was thrown about, and decided on an Australian network admin mailing list > that we should have a quick tally, I was asked to host it, but I guess if you > want to liken all of Australia to a Manchester pub, then you're > probably right :) afterall the list has only about 900 members and I'm damn > sure that represents about 0.00001% of network admins in this country. > > Most the guys and gals on that list are sendmail and qmail users, though the > fact some of them admit to using exchange is scarey, I suspect (hope) > they are more the small private company folk and not from the more well known > ones, though there are a couple of federal govt techs on there, and we all > know how govts love m$. The main thing is that .gov likes to play blame games. And how do you blame a company if there is no company but just a bunch of people doing as good a job as any company but without a target they can blame if anything goes wrong. And many of the .com's are just as bad in this blame game. More important then being Australian is the fact that it is a mailinglist. Mailinglist people are not your average group. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. 
Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From drew at technologytiger.net Mon Apr 30 09:39:49 2007 From: drew at technologytiger.net (Drew Marshall) Date: Mon Apr 30 09:40:31 2007 Subject: OT: Re: Announcement: New beta 4.59.2 released In-Reply-To: References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: On 30 Apr 2007, at 04:41, Res wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Mon, 30 Apr 2007, Glenn Steen wrote: > >> And to release a beta without the p record patches.... Scandalous ... >> Well, not really:-D. > > I....... no, I wont say it :) > > By the way your lagging way behind in a survey I been running for a > week > or so :) postmix only has 1 more user than exchange :D I guess that > sums it all up doesnt it muwhahahaha Now it's working properly (Last time I tried it wanted authentication and I could be bothered to guess you password :-) ) I have now voted to rebalance things a bit. Leave you to guess which way ;-) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From b.eidenschink at kinetiqa.de Mon Apr 30 09:55:31 2007 
From: b.eidenschink at kinetiqa.de (Bernd Eidenschink) Date: Mon Apr 30 09:55:35 2007 Subject: MailScanner on Ubuntu 6.06 Message-ID: <200704301055.31964.b.eidenschink@kinetiqa.de> Hi! I'm going to set up a new MailScanner environment on Ubuntu 6.06 and wonder what's the recommended package to use. Would one prefer the Debian one: http://packages.debian.org/unstable/mail/mailscanner.html (4.58.9-2) Or the one that is found in the Universe repository: 4.46.2-3 (dapper_universe / 6.06) (Feisty is not an option (albeit it has a newer release:) 4.57.6-2ubuntu1 (feisty_universe / 7.04)) Would you, in order to stay with the latest development, recommend the Debian package? Would it be more "stable/reliable" to use the Universe-maintained one? Regards, Bernd. From MailScanner at ecs.soton.ac.uk Mon Apr 30 09:59:31 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 30 10:01:39 2007 Subject: Announcement: New beta 4.59.2 released In-Reply-To: <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: <4635AFF3.30505@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 They will have to go in the next stable release after this one. I want to get a stable release out now to prove I'm still alive! :-) Glenn Steen wrote: > On 27/04/07, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hi folks, >> >> I have just released a new beta 4.59.2 which includes the support for >> clamd, using the patches provided earlier on this list. >> > (snip) > What!? Aren't you supposed to be installed in the sofa getting bored > by diverse movies and complete sets of west wing and whatnot? > > And to release a beta without the p record patches.... Scandalous ... > Well, not really:-D. > > If you're well enough, and only if mind you, did you ever get to look > at them? > We should get something for those full body edits of Postfix 2.4 > (milter support only), seeing as it's stable now... Worst case is > implemented in my testbed, meaning a full spin-through, and I do > believe I have the slightly updated patches somewhere... Give a shout > if you need a new set and I'll dig 'em up/make some new ones... > > Cheers Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) Charset: ISO-8859-1 wj8DBQFGNbAXEfZZRxQVtlQRAk3VAJ9+oTgrfuwlZVZkgLfy/ci3irVIMACdEsMH VYnkm3ZB6fxhBHMZCWvbv1w= =AdoD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From uxbod at splatnix.net Mon Apr 30 10:11:57 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Apr 30 10:12:01 2007 Subject: MailScanner on Ubuntu 6.06 In-Reply-To: <200704301055.31964.b.eidenschink@kinetiqa.de> References: <200704301055.31964.b.eidenschink@kinetiqa.de> Message-ID: <7333fd9f43b203ffd2cc61239f71ecf4@62.49.223.244> I have installed on Ubuntu 6.06 and to be honest in the end I just compiled from source. A lot of the packages required were behind on release, especially if you want to use things like FuzzyOCR aswell. I have just built a new server on RHES4_X86-64 and have gone down the same route of compiling MailScanner, SpamAssassin etc directly from source. Provides a lot more control IMHO. On Mon, 30 Apr 2007 10:55:31 +0200, Bernd Eidenschink wrote: > > Hi! > > I'm going to set up a new MailScanner environment on Ubuntu 6.06 and > wonder > what's the recommended package to use. > > Would one prefer the Debian one: > http://packages.debian.org/unstable/mail/mailscanner.html > (4.58.9-2) > > Or the one that is found in the Universe repository: > 4.46.2-3 > (dapper_universe / 6.06) > > (Feisty is not an option (albeit it has a newer release:) > 4.57.6-2ubuntu1 > (feisty_universe / 7.04)) > > Would you, in order to stay with the latest development, recommend the > Debian > package? Would it be more "stable/reliable" to use the Universe-maintained > one? > > Regards, > Bernd. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is > believed to be clean. 
-- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Apr 30 10:11:32 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Apr 30 10:12:45 2007
Subject: ANNOUNCE: MailScanner stable 4.59
Message-ID: <4635B2C4.50004@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released a new stable version, 4.59. The main new features this month are

- - support for the clamd virus scanner, with the result that you can have fast virus scanning without relying on the 3rd party Mail::ClamAV perl module.
- - support for the Avast virus scanner, in both forms (command-line scanner and daemon).

Download it as usual from www.mailscanner.info.

The full Change Log for this version is:

* New Features and Improvements *
2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9 layout.
2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd".
3 Changed check ordering so that mail from blacklisted addresses is still marked as spam even its size exceeds the max spam message size check.
3 Improved detection of empty

References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 30 Apr 2007, Hugo van der Kooij wrote:

> The main thing is that .gov likes to play blame games. And how do you blame a
> company if there is no company but just a bunch of people doing as good a job

That's actually changing :) some Fed Govt depts are using linux not only in servers, but desktops, some of the councils are moving to it and other open source, and I think I heard one or two of the state govts have made it known that OS should be considered, even preferential, regrettably not in my state, the current labour state govt lives in dark ages, so much so we have a police minister who doesn't believe our police service needs a helicopter, because " it has fixed wing planes " ...
I laughed so hard at that :P I never knew we had harrier jets, or umm ospreys, no other fixed wing aircraft can hover whilst directing ground troops to get the bad guys :D > More important then being Australian is the fact that it is a mailinglist. > Mailinglist people are not your average group. The list is verified as industry network admins, closed subscription where you have to supply your employers details, a couple lists over here are like that now days to stop end users subbing and hounding their ISP's. of course there is still no checks as to the curency of that. - -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGNbMSsWhAmSIQh7MRArKVAKCWa8tPKoIBPOPLftWM3uPwE47bFgCdESDM y1VKrDqNU087eg0/gRkUOVQ= =4KHr -----END PGP SIGNATURE----- From res at ausics.net Mon Apr 30 10:16:40 2007 
From: res at ausics.net (Res) Date: Mon Apr 30 10:16:51 2007 Subject: OT: Re: Announcement: New beta 4.59.2 released In-Reply-To: References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 30 Apr 2007, Drew Marshall wrote: > Now it's working properly (Last time I tried it wanted authentication and I > could be bothered to guess you password :-) ) I have now voted to rebalance it was password protected when it was first setup, the password was announced on the local list :) but then they changed their mind and wanted it open slather, which is what I wanted in the first place :) > things a bit. Leave you to guess which way ;-) So you voted for exchange hey Drewy ? :P - -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGNbP6sWhAmSIQh7MRAnDQAJ0VgpmkO1fJfBmfw7r9nwZSr5HtMwCeITVA Bm8pc7FdtZiMKccbqoUA9wE= =x5wO -----END PGP SIGNATURE----- From martinh at solidstatelogic.com Mon Apr 30 10:18:48 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Apr 30 10:18:56 2007 Subject: ANNOUNCE: MailScanner stable 4.59 In-Reply-To: <4635B2C4.50004@ecs.soton.ac.uk> Message-ID: <8b04dc77d94a3442b65371d0a40ad7af@solidstatelogic.com> Jules Running 4.59.3 with exim and the 'to' in mailscanner is corrupt. Messages arrive OK, but mailscanner's logging is off -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 30 April 2007 10:12 > To: MailScanner discussion; MailScanner-Announce mailing list list > Subject: ANNOUNCE: MailScanner stable 4.59 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I have just released a new stable version, 4.59. The main new features > this month are > > - - support for the clamd virus scanner, with the result that you can have > fast virus scanning without relying on the 3rd party Mail::ClamAV perl > module. > - - support for the Avast virus scanner, in both forms (command-line > scanner and daemon). > > Download it as usual from www.mailscanner.info. > > The full Change Log for this version is: > > * New Features and Improvements * > 2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9 > layout. > 2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd". > 3 Changed check ordering so that mail from blacklisted addresses is still > marked as spam even its size exceeds the max spam message size check. > 3 Improved detection of empty to > snifer_@hotmail.com for this. > 4 Added support for Avast "avastcmd" virus scanner. Use > "Virus Scanners = avast" to use it. > 4 Added support for Avast "avastd" virus scanning daemon, which must be > configured and running first. Use "Virus Scanners = avastd" to use it. > In /etc/avastd.conf, be sure to set "archivetype = A", in all the > sections > of the file where the setting appears. > > * Fixes * > 1 Exim fix by Debian Maintainer: Simon Walter. > 1 Incoming Work Group not honoured for files with a leading dot in their > filename. Again, fix by Simon Walter. > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.1 (Build 1012) > Charset: ISO-8859-1 > > wj8DBQFGNbLzEfZZRxQVtlQRAr3wAKC7aPegBm6eH/qcEpQvOMfa5kOESwCeNVmJ > lm7K35s1rQqEynxIezssppk= > =msTx > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From martinh at solidstatelogic.com Mon Apr 30 10:32:28 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Apr 30 10:32:50 2007 Subject: beta 4.59.3 and clamd In-Reply-To: <1177918021.26935.2.camel@miyagip.ziff.net.> Message-ID: You need to make sure the clamav user can read the files/dirs.. The top level incoming dir can't be read by 'group' clamav. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Zivago Lee
> Sent: 30 April 2007 08:27
> To: MailScanner discussion
> Subject: beta 4.59.3 and clamd
>
> Hello,
>
> I just tried upgrading to 4.59.3 and I keep getting these errors:
>
> Apr 30 00:24:07 www MailScanner[16967]: Virus and Content Scanning: Starting
> Apr 30 00:24:08 www MailScanner[16967]: /var/spool/MailScanner/incoming/16967/.: lstat() failed. ERROR
>
> Any ideas on what that means? The permissions for these dirs are as follows:
>
> drwx------ 9 postfix clamav 4096 Apr 30 00:25 incoming
>
> in the incoming dir:
>
> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:21 16563
> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:20 16576
> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:21 16588
> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16949
> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16957
> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:25 16967
> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16979
>
> Did I set the permissions incorrectly in the run as user section?
>
> Thanks,
> Zivago
>
> --
> Zivago Lee
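Martin's diagnosis in the reply above (the top-level incoming directory is drwx------, so group clamav cannot get through it) can be checked mechanically. The following shell script is an added example, not part of the thread and not MailScanner code: it walks from the incoming work directory down to a batch directory and reports the first directory whose group bits are too narrow. The function names and the temporary tree are constructed for illustration; it looks at mode bits only and assumes the scanner reaches the files through the directory's group, as in the listing.

```shell
#!/bin/sh
# Added example, not MailScanner code: find the directory whose group bits
# stop a group member (here the clamd user) from reaching a batch directory.

# Octal permission bits of PATH (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Group digit (0-7) of PATH: the second-to-last octal digit of its mode.
group_bits() {
    m=$(mode_of "$1") || return 1
    m=${m%?}                        # drop the "other" digit
    printf '%s\n' "${m#"${m%?}"}"   # keep only the last remaining digit
}

# blocks_group PATH TARGET: succeeds and prints PATH when its group bits are
# too narrow. Ancestors need search (x = 1); TARGET needs read+search (5)
# so that the files inside it can be listed.
blocks_group() {
    need=1
    [ "$1" = "$2" ] && need=5
    g=$(group_bits "$1")
    [ $(( ${g:-0} & $need )) -eq "$need" ] && return 1
    printf '%s\n' "$1"
}

# first_group_block BASE TARGET (TARGET must lie below BASE).
# Prints the first directory from BASE down to TARGET that blocks the group,
# or nothing when the whole chain is passable.
first_group_block() {
    base=${1%/}; target=${2%/}
    rel=${target#"$base"}
    old_ifs=$IFS; IFS=/
    set -f; set -- $rel; set +f     # split the remainder on "/" without globbing
    IFS=$old_ifs
    path=$base
    blocks_group "$path" "$target" && return 0
    for part in "$@"; do
        [ -n "$part" ] || continue
        path=$path/$part
        blocks_group "$path" "$target" && return 0
    done
    return 0
}

# Constructed tree with the modes from the listing in the thread. Only mode
# bits are reproduced; postfix:clamav ownership is assumed (chown needs root).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/incoming/16967"
    chmod 750 "$tmp/incoming/16967"
    chmod 700 "$tmp/incoming"
    echo "as posted:  blocked at: $(first_group_block "$tmp/incoming" "$tmp/incoming/16967")"
    chmod g+rx "$tmp/incoming"
    echo "after g+rx: blocked at: $(first_group_block "$tmp/incoming" "$tmp/incoming/16967")"
    rm -rf "$tmp"
}
demo
```

On a live system the call would be first_group_block /var/spool/MailScanner/incoming /var/spool/MailScanner/incoming/16967, using the paths from the log line in the thread.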
From res at ausics.net Mon Apr 30 11:13:11 2007 From: res at ausics.net (Res) Date: Mon Apr 30 11:13:23 2007 Subject: ANNOUNCE: MailScanner stable 4.59 In-Reply-To: <4635B2C4.50004@ecs.soton.ac.uk> References: <4635B2C4.50004@ecs.soton.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 30 Apr 2007, Julian Field wrote: > > I have just released a new stable version, 4.59. The main new features > this month are Seems all good with Sendmail and Qmail You may now retire back to bed :) - -- Cheers Res Vote for your favourite MTA at http://polls.ausics.net/v3.php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGNcE6sWhAmSIQh7MRAjVaAJ46G6pi5H24xMKsEg0RviJKN1OcFACeIIV9 SYH3WyN1CnowcQz+Mzkiz30= =5fk/ -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Mon Apr 30 12:28:46 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Apr 30 12:29:40 2007
Subject: ANNOUNCE: MailScanner stable 4.59
In-Reply-To: <8b04dc77d94a3442b65371d0a40ad7af@solidstatelogic.com>
References: <8b04dc77d94a3442b65371d0a40ad7af@solidstatelogic.com>
Message-ID: <4635D2EE.5030205@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please can you give me more details?
In what way are they wrong?
What version of Exim are you running?

I put in a "fix" by Simon Walter for Exim 4.10 that is this:

# Patch contributed by Simon Walter.
# strips new "special" content >= 4.10
$line =~ s/ (\d+),\d+#1$//;
$line = substr($line, 0, length($line)-$1-1) if defined $1;

It then adds $line to the "to" list of addresses.

Try commenting out those 2 lines and let me know what happens a.s.a.please.

Jules.

Martin.Hepworth wrote:
> Jules
>
> Running 4.59.3 with exim and the 'to' in mailscanner is corrupt.
>
> Messages arrive OK, but mailscanner's logging is off
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) Charset: ISO-8859-1 wj8DBQFGNdL6EfZZRxQVtlQRAqHsAKDz3FgX+J2anky0b24wapI4afzGzgCg6rec jrc5Jie6uJUF/yduBtWTr/4= =E39M -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From martinh at solidstatelogic.com Mon Apr 30 12:37:38 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Apr 30 12:37:30 2007 Subject: ANNOUNCE: MailScanner stable 4.59 In-Reply-To: <4635D2EE.5030205@ecs.soton.ac.uk> Message-ID: <2efe1be8b648af4ab30216985ed0978d@solidstatelogic.com> Jules Ok I'll test this after lunch.... I'm running exim 4.43 and the to line either gets truncated in mailwatch, or is 2-3 blank lines...or a combination of the two....ie truncated to & 2-3 blanks lines after... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 30 April 2007 12:29 > To: MailScanner discussion > Subject: Re: ANNOUNCE: MailScanner stable 4.59 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Please can you give me more details? > In what way are they wrong? > What version of Exim are you running? > > I put in a "fix" by Simon Walter for Exim 4.10 that is this: > > # Patch contributed by Simon Walter. > # strips new "special" content >= 4.10 > $line =~ s/ (\d+),\d+#1$//; > $line = substr($line, 0, length($line)-$1-1) if defined $1; > > It then adds $line to the "to" list of addresses. > > Try commenting out those 2 lines and let me know what happens > a.s.a.please. > > Jules. > > Martin.Hepworth wrote: > > Jules > > > > Running 4.59.3 with exim and the 'to' in mailscanner is corrupt. > > > > Messages arrive OK, but mailscanner's logging is off > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > > > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > >> bounces@lists.mailscanner.info] On Behalf Of Julian Field > >> Sent: 30 April 2007 10:12 > >> To: MailScanner discussion; MailScanner-Announce mailing list list > >> Subject: ANNOUNCE: MailScanner stable 4.59 > >> > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> I have just released a new stable version, 4.59. The main new features > >> this month are > >> > >> - - support for the clamd virus scanner, with the result that you can > >> > > have > > > >> fast virus scanning without relying on the 3rd party Mail::ClamAV perl > >> module. > >> - - support for the Avast virus scanner, in both forms (command-line > >> scanner and daemon). > >> > >> Download it as usual from www.mailscanner.info. > >> > >> The full Change Log for this version is: > >> > >> * New Features and Improvements * > >> 2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9 > >> layout. > >> 2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd". > >> 3 Changed check ordering so that mail from blacklisted addresses is > >> > > still > > > >> marked as spam even its size exceeds the max spam message size > >> > > check. > > > >> 3 Improved detection of empty >> > > Thanks > > > >> to > >> snifer_@hotmail.com for this. > >> 4 Added support for Avast "avastcmd" virus scanner. Use > >> "Virus Scanners = avast" to use it. > >> 4 Added support for Avast "avastd" virus scanning daemon, which must > >> > > be > > > >> configured and running first. Use "Virus Scanners = avastd" to use > >> > > it. > > > >> In /etc/avastd.conf, be sure to set "archivetype = A", in all the > >> sections > >> of the file where the setting appears. > >> > >> * Fixes * > >> 1 Exim fix by Debian Maintainer: Simon Walter. > >> 1 Incoming Work Group not honoured for files with a leading dot in > >> > > their > > > >> filename. Again, fix by Simon Walter. 
> >> > >> Jules > >> > >> - -- > >> Julian Field MEng CITP > >> www.MailScanner.info > >> Buy the MailScanner book at www.MailScanner.info/store > >> > >> MailScanner customisation, or any advanced system administration help? > >> Contact me at Jules@Jules.FM > >> > >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >> For all your IT requirements visit www.transtec.co.uk > >> > >> > >> > >> -----BEGIN PGP SIGNATURE----- > >> Version: PGP Desktop 9.6.1 (Build 1012) > >> Charset: ISO-8859-1 > >> > >> wj8DBQFGNbLzEfZZRxQVtlQRAr3wAKC7aPegBm6eH/qcEpQvOMfa5kOESwCeNVmJ > >> lm7K35s1rQqEynxIezssppk= > >> =msTx > >> -----END PGP SIGNATURE----- > >> > >> -- > >> This message has been scanned for viruses and > >> dangerous content by MailScanner, and is > >> believed to be clean. > >> For all your IT requirements visit www.transtec.co.uk > >> > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > > > > > > > > > ********************************************************************** > > Confidentiality : This e-mail and any attachments are intended for the > > addressee only and may be confidential. If they come to you in error > > you must take no action based on them, nor must you copy or show them > > to anyone. Please advise the sender by replying to this e-mail > > immediately and then delete the original from your computer. > > > > Opinion : Any opinions expressed in this e-mail are entirely those of > > the author and unless specifically stated to the contrary, are not > > necessarily those of the author's employer. > > > > Security Warning : Internet e-mail is not necessarily a secure > > communications medium and can be subject to data corruption. We advise > > that you consider this fact when e-mailing us. 
> > > > Viruses : We have taken steps to ensure that this e-mail and any > > attachments are free from known viruses but in keeping with good > > computing practice, you should ensure that they are virus free. > > > > Red Lion 49 Ltd T/A Solid State Logic > > Registered as a limited company in England and Wales > > (Company No:5362730) > > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > > United Kingdom > > **********************************************************************
From martinh at solidstatelogic.com Mon Apr 30 12:46:32 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Apr 30 12:46:36 2007 Subject: ANNOUNCE: MailScanner stable 4.59 In-Reply-To: <4635D2EE.5030205@ecs.soton.ac.uk> Message-ID: <804d04538f794f46b267ddf96294c135@solidstatelogic.com> Jules That worked......the patch is bad...I wonder why Simon needed to do this??? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: 30 April 2007 12:29
> To: MailScanner discussion
> Subject: Re: ANNOUNCE: MailScanner stable 4.59
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Please can you give me more details?
> In what way are they wrong?
> What version of Exim are you running?
>
> I put in a "fix" by Simon Walter for Exim 4.10 that is this:
>
> # Patch contributed by Simon Walter.
> # strips new "special" content >= 4.10
> $line =~ s/ (\d+),\d+#1$//;
> $line = substr($line, 0, length($line)-$1-1) if defined $1;
>
> It then adds $line to the "to" list of addresses.
>
> Try commenting out those 2 lines and let me know what happens a.s.a.please.
>
> Jules.
>
> Martin.Hepworth wrote:
> > Jules
> >
> > Running 4.59.3 with exim and the 'to' in mailscanner is corrupt.
> >
> > Messages arrive OK, but mailscanner's logging is off
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >> -----Original Message-----
From MailScanner at ecs.soton.ac.uk Mon Apr 30 12:50:23 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 30 12:51:54 2007 Subject: ANNOUNCE: MailScanner stable 4.59 In-Reply-To: <8b04dc77d94a3442b65371d0a40ad7af@solidstatelogic.com> References: <8b04dc77d94a3442b65371d0a40ad7af@solidstatelogic.com> Message-ID: <4635D7FF.2090008@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Try 4.59.4-2. It was a bug in a patch I was given. I thought I had some Exim beta-testers... Guess they didn't get around to trying it. Jules. Martin.Hepworth wrote: > Jules > > Running 4.59.3 with exim and the 'to' in mailscanner is corrupt. > > Messages arrive OK, but mailscanner's logging is off > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300
From MailScanner at ecs.soton.ac.uk Mon Apr 30 12:53:29 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Apr 30 12:54:13 2007
Subject: ANNOUNCE: MailScanner stable 4.59
In-Reply-To: <804d04538f794f46b267ddf96294c135@solidstatelogic.com>
References: <804d04538f794f46b267ddf96294c135@solidstatelogic.com>
Message-ID: <4635D8B9.1010202@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please can you try 4.49.4-2 and see if this still works for you.
It still includes the patch but is wrapped up so the truncation only happens if his regexp matches.

Many thanks,
Jules.

Martin.Hepworth wrote:
> Jules
>
> That worked......the patch is bad...I wonder why Simon needed to do this???
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
>> Sent: 30 April 2007 12:29
>> To: MailScanner discussion
>> Subject: Re: ANNOUNCE: MailScanner stable 4.59
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Please can you give me more details?
>> In what way are they wrong?
>> What version of Exim are you running?
>>
>> I put in a "fix" by Simon Walter for Exim 4.10 that is this:
>>
>> # Patch contributed by Simon Walter.
>> # strips new "special" content >= 4.10
>> $line =~ s/ (\d+),\d+#1$//;
>> $line = substr($line, 0, length($line)-$1-1) if defined $1;
>>
>> It then adds $line to the "to" list of addresses.
>>
>> Try commenting out those 2 lines and let me know what happens a.s.a.please.
>>
>> Jules.
>>
>> Martin.Hepworth wrote:
>>> Jules
>>>
>>> Running 4.59.3 with exim and the 'to' in mailscanner is corrupt.
>>>
>>> Messages arrive OK, but mailscanner's logging is off
>>>
>>> --
>>> Martin Hepworth
>>> Snr Systems Administrator
>>> Solid State Logic
>>> Tel: +44 (0)1865 842300
>>>
>>>> -----Original Message-----
From sailer at bnl.gov Mon Apr 30 13:55:53 2007
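Julian's 12:53 message above says the reissued patch only truncates when Simon's regexp matches. The sketch below is an added example, not MailScanner code: it runs the two quoted statements beside a guarded form to show how `if defined $1` can fire on a line the substitution did not match, because Perl leaves `$1` set from the last successful match still in scope. The recipient lines, `parse_recipients` and the earlier count-line match are constructed assumptions; the suffix layout is inferred only from the quoted regex and `substr` arithmetic.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two statements from the quoted patch, unchanged: the truncation runs
# whenever $1 is defined, whether or not this substitution matched.
sub strip_unguarded {
    my ($line) = @_;
    $line =~ s/ (\d+),\d+#1$//;
    $line = substr($line, 0, length($line)-$1-1) if defined $1;
    return $line;
}

# Guarded form: act only on the return value of this substitution, and
# refuse a length field that would consume the whole line.
sub strip_guarded {
    my ($line) = @_;
    my $stripped = $line;
    if ($stripped =~ s/ (\d+),\d+#1$//) {
        my $keep = length($stripped) - $1 - 1;
        return substr($stripped, 0, $keep) if $keep > 0;
        return $line;    # length field inconsistent with the line: leave as is
    }
    return $line;        # no suffix: nothing to strip
}

# Constructed input. The " <len>,<n>#1" suffix and the extra field before it
# are inferred from the quoted regex and substr() call, nothing more.
my $count_line = '3';
my @rcpts = (
    'alice@example.com',
    'bob@example.com bounces@example.org 19,0#1',
    'carol@example.com',
);

sub parse_recipients {
    my ($strip, $count, @lines) = @_;
    # Hypothetical earlier capture in the calling scope. It succeeds, so $1
    # is still set in every call below where the suffix regex does not match.
    $count =~ /^(\d+)$/ or die "bad count line\n";
    return map { $strip->($_) } @lines;
}

my @unguarded = parse_recipients(\&strip_unguarded, $count_line, @rcpts);
my @guarded   = parse_recipients(\&strip_guarded,   $count_line, @rcpts);

for my $i (0 .. $#rcpts) {
    printf "input=%-44s unguarded=%-18s guarded=%s\n",
        $rcpts[$i], $unguarded[$i], $guarded[$i];
}
```

In the output, the unguarded column shows the two plain addresses cut short, while the guarded column leaves them intact and strips only the line that carries the suffix.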
From: sailer at bnl.gov (Tim Sailer) Date: Mon Apr 30 13:56:02 2007 Subject: Announcement: New beta 4.59.2 released In-Reply-To: References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: <20070430125553.GB16244@bnl.gov> On Mon, Apr 30, 2007 at 10:30:40AM +0200, Hugo van der Kooij wrote: > The main thing is that .gov likes to play blame games. And how do you > blame a company if there is no company but just a bunch of people doing as > good a job as any company but without a target they can blame if anything > goes wrong. And many of the .com's are just as bad in this blame game. Hey hey hey... I resemble that remark! Yeah, I work for a .gov (US). But, when I ran Cyber Security, we stood up an SMTP gateway to filter our mail, and the first thing we installed was MailScanner, because it worked! Besides, since I was running it on my ISP (buoy.com), I had direct knowledge of how well it worked, and had the track record to prove it! Tim -- Tim Sailer DoE Intelligence and Counterintelligence - Cyber Division Brookhaven National Laboratory (631) 344-3001 From martinh at solidstatelogic.com Mon Apr 30 14:08:22 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Apr 30 14:08:23 2007 Subject: ANNOUNCE: MailScanner stable 4.59 In-Reply-To: <4635D7FF.2090008@ecs.soton.ac.uk> Message-ID: Jules OK - the exim beta test is usually me ;-) and I didn't get chance to do anything over the weekend. I'll try 4.49.4.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 30 April 2007 12:50 > To: MailScanner discussion > Subject: Re: ANNOUNCE: MailScanner stable 4.59 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Try 4.59.4-2. It was a bug in a patch I was given. > I thought I had some Exim beta-testers... > Guess they didn't get around to trying it. > > Jules. > > Martin.Hepworth wrote: > > Jules > > > > Running 4.59.3 with exim and the 'to' in mailscanner is corrupt. > > > > Messages arrive OK, but mailscanner's logging is off > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > > > >> -----Original Message----- 
From root at doctor.nl2k.ab.ca Mon Apr 30 14:22:22 2007 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Apr 30 14:24:43 2007 Subject: {Spam?} Re: Announcement: New beta 4.59.2 released In-Reply-To: References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> Message-ID: <20070430132221.GC20369@doctor.nl2k.ab.ca> On Mon, Apr 30, 2007 at 08:55:42AM +0200, Hugo van der Kooij wrote: > On Mon, 30 Apr 2007, Res wrote: > > >By the way your lagging way behind in a survey I been running for a week > >or so :) postmix only has 1 more user than exchange :D I guess that sums > >it all up doesnt it muwhahahaha > > I guess it is almost as representative as walking into a pub in Manchester > and holding a poll on their favorite football club. > > Hugo. > With the local Hooligans enforcing the result. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Mon Apr 30 14:31:58 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Apr 30 14:32:32 2007 Subject: {Spam?} Re: Announcement: New beta 4.59.2 released In-Reply-To: <20070430132221.GC20369@doctor.nl2k.ab.ca> References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> <20070430132221.GC20369@doctor.nl2k.ab.ca> Message-ID: On Mon, 30 Apr 2007, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > On Mon, Apr 30, 2007 at 08:55:42AM +0200, Hugo van der Kooij wrote: >> On Mon, 30 Apr 2007, Res wrote: >> >>> By the way your lagging way behind in a survey I been running for a week >>> or so :) postmix only has 1 more user than exchange :D I guess that sums >>> it all up doesnt it muwhahahaha >> >> I guess it is almost as representative as walking into a pub in Manchester >> and holding a poll on their favorite football club. > > With the local Hooligans enforcing the result. I see you know Res ;-) Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From martinh at solidstatelogic.com Mon Apr 30 14:35:43 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Apr 30 14:35:48 2007 Subject: ANNOUNCE: MailScanner stable 4.59 In-Reply-To: Message-ID: <9e3219788105214681630203cc99d1ab@solidstatelogic.com> Jules That seems to work.......I'll keep a close eye on it.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
> Sent: 30 April 2007 14:08
> To: MailScanner discussion
> Subject: RE: ANNOUNCE: MailScanner stable 4.59
>
> Jules
>
> OK - the exim beta test is usually me ;-) and I didn't get chance to do
> anything over the weekend.
>
> I'll try 4.49.4..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of Julian Field
> > Sent: 30 April 2007 12:50
> > To: MailScanner discussion
> > Subject: Re: ANNOUNCE: MailScanner stable 4.59
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Try 4.59.4-2. It was a bug in a patch I was given.
> > I thought I had some Exim beta-testers...
> > Guess they didn't get around to trying it.
> >
> > Jules.
> >
> > Martin.Hepworth wrote:
> > > Jules
> > >
> > > Running 4.59.3 with exim and the 'to' in mailscanner is corrupt.
> > >
> > > Messages arrive OK, but mailscanner's logging is off
> > >
> > > --
> > > Martin Hepworth
> > > Snr Systems Administrator
> > > Solid State Logic
> > > Tel: +44 (0)1865 842300
From paul.hutchings at mira.co.uk Mon Apr 30 15:02:06 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Mon Apr 30 15:02:51 2007 Subject: New Stable Release, Clamd and Postfix? Message-ID: My MailScanner box runs quite nicely running the previous stable version 4.58.9. I'm suffering from the slow clamscan performance issue, and noticed the new stable release supports clamd (which I'm running). Having looked at the manual it appears it should simply be a case of run the installer script, then use upgrade_MailScanner_conf to update MailScanner.conf with the new settings. Not having ever upgraded MailScanner before, I'd sooner ask the question than get caught out - is this all there is to it (barring something totally unforeseen happening)? Also as I run Postfix I have my MailScanner set to run as user "postfix" as per the docs. Will this cause me a problem (or can someone point me where to go to RTFM?) Cheers, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -- MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From dominian at slackadelic.com Mon Apr 30 15:09:18 2007 
From: dominian at slackadelic.com (Matt Hayes) Date: Mon Apr 30 15:09:34 2007 Subject: New Stable Release, Clamd and Postfix? In-Reply-To: References: Message-ID: <4635F88E.4040509@slackadelic.com> Paul Hutchings wrote: > My MailScanner box runs quite nicely running the previous stable version > 4.58.9. > > I'm suffering from the slow clamscan performance issue, and noticed the > new stable release supports clamd (which I'm running). > > Having looked at the manual it appears it should simply be a case of run > the installer script, then use upgrade_MailScanner_conf to update > MailScanner.conf with the new settings. > > Not having ever upgraded MailScanner before, I'd sooner ask the question > than get caught out - is this all there is to it (barring something > totally unforeseen happening)? > > Also as I run Postfix I have my MailScanner set to run as user "postfix" > as per the docs. Will this cause me a problem (or can someone point me > where to go to RTFM?) > > Cheers, > Paul > Paul, That is basically all there is to it. However, if you are like me, anything custom that you've added like %rules-dir% files will more than likely have to be re-entered in. If you use Mailwatch, some things with quarantine configuration to allow for released messages to bypass spam checks may have to be reconfigured. The great thing about the upgrade of mailscanner.. it leaves your old installation in place :) -Matt From snifer_ at hotmail.com Mon Apr 30 15:23:48 2007 
From: snifer_ at hotmail.com (Juan Pablo Salazar Bertín)
Date: Mon Apr 30 15:24:02 2007
Subject: ANNOUNCE: MailScanner stable 4.59
References: <4635B2C4.50004@ecs.soton.ac.uk>
Message-ID:

Julian Field ecs.soton.ac.uk> writes:
>
>
> I have just released a new stable version, 4.59. The main new features
> this month are
>
> support for the clamd virus scanner, with the result that you can have
> fast virus scanning without relying on the 3rd party Mail::ClamAV perl
> module.
> support for the Avast virus scanner, in both forms (command-line
> scanner and daemon).
>
> Download it as usual from www.mailscanner.info.
>
>
> Jules
>

Hi Julian, thanks for releasing a new version with new features. However, the
problem I stated in a previous post
(http://article.gmane.org/gmane.mail.virus.mailscanner/51651) is still present
in 4.59.4-2.

I've uploaded a patch file for you to review it. You can get it at
http://www.divshare.com/download/525994-456
Please let me know what do you think. Regards.

From claude.gagne at multitech.qc.ca Mon Apr 30 15:38:17 2007
From: claude.gagne at multitech.qc.ca (Claude Gagné)
Date: Mon Apr 30 15:36:22 2007
Subject: clamav 0.90.2 problem
Message-ID: <4635FF59.5050102@multitech.qc.ca>

Hi,

I've got a little problem with clamav. Freshclam seems to update just
fine but I got this error message at the end of the update when running
it with root:
ClamAV update process started at Mon Apr 30 10:30:55 2007
main.cvd is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
daily.inc is up to date (version: 3184, sigs: 8782, f-level: 15, builder: sven)
LibClamAV Error: Database Directory: /usr/local/share/clamav not locked

The permissions on /usr/local/share/clamav:
drwxrwxr-x 3 clamav clamav 4096 2007-04-30 10:29 clamav

I installed clamav with the package install-Clam-0.90.2-SA-3.1.8.tar.gz
found on MailScanner website. Anyone knows what's the problem ?

Thanks !
--
Claude

From uxbod at splatnix.net Mon Apr 30 15:36:31 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Apr 30 15:36:34 2007
Subject: New Stable Release, Clamd and Postfix?
In-Reply-To:
References:
Message-ID:

Paul,

In MailScanner.conf you can set the permissions for when using clamd. Cannot get to my installation at the moment, but upgraded at the weekend and set the perms to 660. Shutdown MailScanner, deleted the existing directories (as they were empty) under /var/spool/MailScanner/incoming and restarted. Perms were applied correctly.

Regards.

On Mon, 30 Apr 2007 15:02:06 +0100, "Paul Hutchings" wrote:
> My MailScanner box runs quite nicely running the previous stable version
> 4.58.9.
>
> I'm suffering from the slow clamscan performance issue, and noticed the
> new stable release supports clamd (which I'm running).
>
> Having looked at the manual it appears it should simply be a case of run
> the installer script, then use upgrade_MailScanner_conf to update
> MailScanner.conf with the new settings.
>
> Not having ever upgraded MailScanner before, I'd sooner ask the question
> than get caught out - is this all there is to it (barring something
> totally unforeseen happening)?
>
> Also as I run Postfix I have my MailScanner set to run as user "postfix"
> as per the docs. Will this cause me a problem (or can someone point me
> where to go to RTFM?)
>
> Cheers,
> Paul

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749 SIP: uxbod@sip.splatnix.net

From jonbjorn at mbl.is Mon Apr 30 15:47:48 2007
From: jonbjorn at mbl.is (Jon Bjorn Njalsson)
Date: Mon Apr 30 15:48:04 2007
Subject: clamav 0.90.2 problem
In-Reply-To: <4635FF59.5050102@multitech.qc.ca>
References: <4635FF59.5050102@multitech.qc.ca>
Message-ID: <1177944468.14147.8.camel@viper.mbl.is>

Perhaps you need to delete .dbLock in /usr/local/share/clamav and run
freshclam again.

On Mon, 2007-04-30 at 10:38 -0400, Claude Gagné wrote:
> Hi,
>
> I've got a little problem with clamav. Freshclam seems to update just
> fine but I got this error message at the end of the update when running
> it with root:
> ClamAV update process started at Mon Apr 30 10:30:55 2007
> main.cvd is up to date (version: 43, sigs: 104500, f-level: 14, builder:
> sven)
> daily.inc is up to date (version: 3184, sigs: 8782, f-level: 15,
> builder: sven)
> LibClamAV Error: Database Directory: /usr/local/share/clamav not locked
>
> The permissions on /usr/local/share/clamav:
> drwxrwxr-x 3 clamav clamav 4096 2007-04-30 10:29 clamav
>
> I installed clamav with the package install-Clam-0.90.2-SA-3.1.8.tar.gz
> found on MailScanner website. Anyone knows what's the problem ?
>
> Thanks !
> --
> Claude

From mgt at stellarcore.net Mon Apr 30 16:24:05 2007
From: mgt at stellarcore.net (Mike Tremaine) Date: Mon Apr 30 16:24:17 2007 Subject: clamav 0.90.2 problem In-Reply-To: <200704301440.l3UEeHAM028274@safir.blacknight.ie> References: <200704301440.l3UEeHAM028274@safir.blacknight.ie> Message-ID: <46360A15.1090007@stellarcore.net> > Hi, > > I've got a little problem with clamav. Freshclam seems to update just > fine but I got this error message at the end of the update when running > it with root: > ClamAV update process started at Mon Apr 30 10:30:55 2007 > main.cvd is up to date (version: 43, sigs: 104500, f-level: 14, builder: > sven) > daily.inc is up to date (version: 3184, sigs: 8782, f-level: 15, > builder: sven) > LibClamAV Error: Database Directory: /usr/local/share/clamav not locked > > The permissions on /usr/local/share/clamav: > drwxrwxr-x 3 clamav clamav 4096 2007-04-30 10:29 clamav > > I installed clamav with the package install-Clam-0.90.2-SA-3.1.8.tar.gz > found on MailScanner website. Anyone knows what's the problem ? > > Thanks ! > -- > Claude It means there was a lockfile left hanging when you did the install. Just remove it and everything should be ok. [Look in /usr/local/share/clamav/ for the lock.] -Mike From claude.gagne at multitech.qc.ca Mon Apr 30 16:53:51 2007 
From: claude.gagne at multitech.qc.ca (Claude Gagné)
Date: Mon Apr 30 16:51:54 2007
Subject: clamav 0.90.2 problem
In-Reply-To: <1177944468.14147.8.camel@viper.mbl.is>
References: <4635FF59.5050102@multitech.qc.ca> <1177944468.14147.8.camel@viper.mbl.is>
Message-ID: <4636110F.9060307@multitech.qc.ca>

Jon Bjorn Njalsson wrote:
> Perhaps you need to delete .dbLock in /usr/local/share/clamav and run
> freshclam again.

It works :) Thank you !

From MailScanner at ecs.soton.ac.uk Mon Apr 30 17:19:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Apr 30 17:20:06 2007
Subject: ANNOUNCE: MailScanner stable 4.59
In-Reply-To:
References: <4635B2C4.50004@ecs.soton.ac.uk>
Message-ID: <4636171A.3040909@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Juan Pablo Salazar Bertín wrote:
> Julian Field ecs.soton.ac.uk> writes:
>
>
>> I have just released a new stable version, 4.59. The main new features
>> this month are
>>
>> support for the clamd virus scanner, with the result that you can have
>> fast virus scanning without relying on the 3rd party Mail::ClamAV perl
>> module.
>> support for the Avast virus scanner, in both forms (command-line
>> scanner and daemon).
>>
>> Download it as usual from www.mailscanner.info.
>>
>>
>> Jules
>>
>>
>
>
> Hi Julian, thanks for releasing a new version with new features. However, the
> problem I stated in a previous post
> (http://article.gmane.org/gmane.mail.virus.mailscanner/51651) is still present
> in 4.59.4-2.
>
> I've uploaded a patch file for you to review it. You can get it at
> http://www.divshare.com/download/525994-456
> Please let me know what do you think. Regards.
>

Can you give me a simple example (preferably not a Postfix queue file) that shows what is wrong with my current code and why I need your addition? Just an HTML example snippet would do, no need for a whole message.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) Charset: ISO-8859-1 wj8DBQFGNhceEfZZRxQVtlQRAnPSAJ9PS+Cthyixz77bG8xFZ7ZCTsAE0QCbBeqB qKAlq7OCSwjwN9GCe5NQlro= =CvAD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From z at ziff.net Mon Apr 30 18:05:45 2007 
From: z at ziff.net (Zivago Lee)
Date: Mon Apr 30 18:05:50 2007
Subject: beta 4.59.3 and clamd
In-Reply-To:
References:
Message-ID: <25119.209.104.55.7.1177952745.squirrel@mail.ziff.net>

> You need to make sure the clamav user can read the files/dirs..
>
> The top level incoming dir can't be read by 'group' clamav.

Yep, that fixed it. chmod 770 on that directory... Thanks!

>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> I just tried upgrading to 4.59.3 and I keep getting these errors:
>>
>> Apr 30 00:24:07 www MailScanner[16967]: Virus and Content Scanning:
>> Starting
>> Apr 30 00:24:08 www
>> MailScanner[16967]: /var/spool/MailScanner/incoming/16967/.: lstat()
>> failed. ERROR
>>
>> Any ideas on what that means? The permissions for these dirs are as
>> follows:
>>
>> drwx------ 9 postfix clamav 4096 Apr 30 00:25 incoming
>>
>> in the incoming dir:
>>
>> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:21 16563
>> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:20 16576
>> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:21 16588
>> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16949
>> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16957
>> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:25 16967
>> drwxr-x--- 2 postfix clamav 4096 Apr 30 00:23 16979
>>
>> Did I set the permissions incorrectly in the run as user section?

--
Zivago Lee
z@ziff.net

From bpumphrey at woodmclaw.com Mon Apr 30 19:14:56 2007
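The lstat() failure in the "beta 4.59.3 and clamd" message above came from the top-level incoming directory being drwx------ while its per-child subdirectories were drwxr-x---, so the clamav group could not reach them. The shell check below is an added example, not part of the thread or of MailScanner: its function names are hypothetical, and its demo builds a constructed temporary tree whose own group stands in for clamav.

```shell
#!/bin/sh
# Added example: audit group access on a MailScanner-style work directory.
# Mode strings are read from `ls -ld`, the same listing quoted in the thread.
# Run it as root or as the directory owner so the subdirectories can be listed.

# Print the group permission triplet of PATH, e.g. "r-x" or "---".
group_bits() {
    ls -ld -- "$1" | cut -c5-7
}

# Print the group owner of PATH (4th field of `ls -ld`).
dir_group() {
    ls -ld -- "$1" | awk '{print $4}'
}

# Succeed when the group may both list (r) and enter (x, or s for setgid+x) PATH.
group_can_scan() {
    case "$(group_bits "$1")" in
        r?[xs]) return 0 ;;
        *)      return 1 ;;
    esac
}

# blocked_dirs BASE GROUP
# Check BASE and every directory directly under it. Print one line per
# directory that GROUP could not scan, with the reason. No output means
# every checked directory is reachable by GROUP.
blocked_dirs() {
    base=$1
    want=$2
    for d in "$base" "$base"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if [ "$(dir_group "$d")" != "$want" ]; then
            printf '%s wrong-group\n' "$d"
        elif ! group_can_scan "$d"; then
            printf '%s no-group-rx\n' "$d"
        fi
    done
}

# Constructed demo: rebuild the reported layout in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/incoming/16967" "$tmp/incoming/16979"
    chmod 750 "$tmp/incoming/16967" "$tmp/incoming/16979"   # drwxr-x---
    chmod 700 "$tmp/incoming"                               # drwx------
    grp=$(dir_group "$tmp/incoming")    # stands in for "clamav"
    echo "before:"
    blocked_dirs "$tmp/incoming" "$grp"
    chmod 770 "$tmp/incoming"           # the change the poster applied
    echo "after chmod 770:"
    blocked_dirs "$tmp/incoming" "$grp"
    rm -rf "$tmp"
}

# With arguments: audit a real directory, e.g.
#   sh check.sh /var/spool/MailScanner/incoming clamav
# Without arguments: run the constructed demo.
if [ "$#" -ge 1 ]; then
    blocked_dirs "$1" "${2:-clamav}"
else
    demo
fi
```

The check only asks for group r-x, so a 750 top-level directory would pass it as well as the 770 used in the thread.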
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Mon Apr 30 19:14:59 2007
Subject: A lot of spam getting through
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502816DB1@woodenex.woodmaclaw.local>

Hello everyone.

I am having quite a few spam get through. I thought that I had quite a few things installed and configured correctly. Actually they used to work really well then when I had to rebuild bayes as there were too many FP and turn off RBL's, then a lot of spam are getting through. Somewhere around 50-100 per user are seemingly getting through on a weekend.

I have put down as much information as I thought about for my configuration. I am looking for recommendations to increase my block rate. Please let me know if I left any information out. Thank you.

Spamassassin: 3.1.8
MailScanner: 4.58.9
Perl: 5.8.5
DCC: 1.3.30
Razor: 2.80
Pyzor: ??? Disabled?
[29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[29269] dbg: pyzor: local tests only, disabling Pyzor

I have attached my lint test.

RBL Checks are off because of FP's. I could not find a good RBL. I did try using the ones that were suggested on the board, but hotmail and yahoo email kept getting tagged as spam.
Settings from MailScanner.conf:
Require SpamAssassin Score = 6

Sa-learn --dump magic:
0.000          0          3          0  non-token data: bayes db version
0.000          0      93282          0  non-token data: nspam
0.000          0        329          0  non-token data: nham
0.000          0     250559          0  non-token data: ntokens
0.000          0 1177529793          0  non-token data: oldest atime
0.000          0 1177953747          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1177702647          0  non-token data: last expiry atime
0.000          0     172800          0  non-token data: last expire atime delta
0.000          0     338424          0  non-token data: last expire reduction count

/etc/mail/spamassassin directory:
70_sare_adult.cf  70_sare_bayes_poison_nxm.cf  70_sare_evilnum0.cf  70_sare_evilnum1.cf
70_sare_evilnum2.cf  70_sare_genlsubj0.cf  70_sare_genlsubj1.cf  70_sare_genlsubj2.cf
70_sare_genlsubj3.cf  70_sare_header0.cf  70_sare_header1.cf  70_sare_header.cf
70_sare_html0.cf  70_sare_html1.cf  70_sare_html2.cf  70_sare_html3.cf
70_sare_html.cf  70_sare_obfu.cf  70_sare_oem.cf  70_sare_random.cf
70_sare_specific.cf  70_sare_spoof.cf  70_sare_stocks.cf  70_sare_unsub.cf
70_sare_uri0.cf  70_sare_uri1.cf  70_sare_uri3.cf  70_sare_uri_eng.cf
70_sare_whitelist_rcvd.cf  70_sare_whitelist_spf.cf  70_sc_top200.cf  72_sare_bml_post25x.cf
72_sare_redirect_post3.0.0.cf  88_FVGT_body.cf  88_FVGT_headers.cf  88_FVGT_rawbody.cf
88_FVGT_subject.cf  88_FVGT_uri.cf  88_FVGT_uri.cf.1  99_sare_fraud_post25x.cf
backhair.cf  bogus-virus-warnings.cf  chickenpox.cf  imageinfo.cf
init.pre  local.cf  mailscanner.cf  mangled.cf
old  random.cf  RulesDuJour  sa-update-keys
spamassassin-default.rc  spamassassin-helper.sh  spamassassin-spamc.rc  tripwire.cf
v310.pre  v310.pre.rpmnew  v312.pre  v312.pre.rpmnew
weeds.cf

After looking at a few emails I can see that pyzor and DCC and bayes are scoring:

Score  Matching Rule       Description
       cached not score=24.094 6 required autolearn=spam
2.17   DCC_CHECK           Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.33   FH_DATE_ISNT_2006
0.77   FH_DATE_ISNT_200X
0.40   FH_LEADINGPREP
0.71   FS_START_BUY
3.70   PYZOR_CHECK         Listed in Pyzor (http://pyzor.sf.net/)
0.61   SARE_SXLIFE         Talks about your sex life
3.81   URIBL_AB_SURBL      Contains an URL listed in the AB SURBL blocklist
4.09   URIBL_JP_SURBL      Contains an URL listed in the JP SURBL blocklist
3.01   URIBL_OB_SURBL      Contains an URL listed in the OB SURBL blocklist
4.50   URIBL_SC_SURBL      Contains an URL listed in the SC SURBL blocklist

Billy Pumphrey
IT Manager
Wooden & McLaughlin

-------------- next part --------------
[29269] dbg: logger: adding facilities: all 0 [29269] dbg: logger: logging level is DBG 0.0001 [29269] dbg: generic: SpamAssassin version 3.1.8 6E-05 [29269] dbg: config: score set 0 chosen. 0.00099 [29269] dbg: util: running in taint mode? yes 0.00032 [29269] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH 7E-05 [29269] dbg: util: PATH included '/sbin', keeping 0.00018 [29269] dbg: util: PATH included '/usr/sbin', keeping 0.0001 [29269] dbg: util: PATH included '/bin', keeping 9E-05 [29269] dbg: util: PATH included '/usr/bin', keeping 0.0001 [29269] dbg: util: PATH included '/usr/X11R6/bin', keeping 0.0001 [29269] dbg: util: final PATH set to: /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin 0.0001 [29269] dbg: message: ---- MIME PARSER START ---- 0.00628 [29269] dbg: message: main message type: text/plain 0.00015 [29269] dbg: message: parsing normal part 7E-05 [29269] dbg: message: added part, type: text/plain 0.00013 [29269] dbg: message: ---- MIME PARSER END ---- 7E-05 [29269] dbg: dns: is Net::DNS::Resolver available? 
yes 0.00055 [29269] dbg: dns: Net::DNS version: 0.48 7E-05 [29269] dbg: diag: perl platform: 5.008005 linux 0.25394 [29269] dbg: diag: module installed: Digest::SHA1, version 2.07 0.00016 [29269] dbg: diag: module installed: LWP::UserAgent, version 2.031 0.0001 [29269] dbg: diag: module installed: HTTP::Date, version 1.46 0.00029 [29269] dbg: diag: module installed: Archive::Tar, version 1.29 9E-05 [29269] dbg: diag: module installed: IO::Zlib, version 1.04 9E-05 [29269] dbg: diag: module installed: DB_File, version 1.809 9E-05 [29269] dbg: diag: module installed: HTML::Parser, version 3.54 9E-05 [29269] dbg: diag: module installed: MIME::Base64, version 3.01 8E-05 [29269] dbg: diag: module installed: Net::DNS, version 0.48 8E-05 [29269] dbg: diag: module installed: Net::SMTP, version 2.29 9E-05 [29269] dbg: diag: module not installed: Mail::SPF::Query ('require' failed) 0.0001 [29269] dbg: diag: module not installed: IP::Country::Fast ('require' failed) 9E-05 [29269] dbg: diag: module installed: Razor2::Client::Agent, version 2.80 9E-05 [29269] dbg: diag: module not installed: Net::Ident ('require' failed) 9E-05 [29269] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed) 9E-05 [29269] dbg: diag: module not installed: IO::Socket::SSL ('require' failed) 9E-05 [29269] dbg: diag: module installed: Time::HiRes, version 1.86 9E-05 [29269] dbg: diag: module installed: DBI, version 1.50 8E-05 [29269] dbg: diag: module installed: Getopt::Long, version 2.34 8E-05 [29269] dbg: ignore: using a test message to lint rules 8E-05 [29269] dbg: config: using "/etc/mail/spamassassin" for site rules pre files 0.0001 [29269] dbg: config: read file /etc/mail/spamassassin/init.pre 0.0001 [29269] dbg: config: read file /etc/mail/spamassassin/v310.pre 9E-05 [29269] dbg: config: read file /etc/mail/spamassassin/v312.pre 0.00013 [29269] dbg: config: using "/var/lib/spamassassin/3.001008" for sys rules pre files 0.00012 [29269] dbg: config: read file 
/var/lib/spamassassin/3.001008/updates_spamassassin_org.pre 0.00025 [29269] dbg: config: using "/var/lib/spamassassin/3.001008" for default rules dir 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org.cf 0.00032 [29269] dbg: config: using "/etc/mail/spamassassin" for site rules dir 0.00029 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_adult.cf 0.00365 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_bayes_poison_nxm.cf 0.00057 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum0.cf 0.00081 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum1.cf 0.00034 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum2.cf 0.00045 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj0.cf 0.00178 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj1.cf 0.00322 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj2.cf 0.0013 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj3.cf 0.00211 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_header.cf 0.01877 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_header0.cf 0.00657 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_header1.cf 0.00614 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_html.cf 0.00469 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_html0.cf 0.00164 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_html1.cf 0.00185 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_html2.cf 0.00116 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_html3.cf 0.00094 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu.cf 0.00527 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_oem.cf 0.00153 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_random.cf 0.00132 [29269] dbg: config: read file 
/etc/mail/spamassassin/70_sare_specific.cf 0.00354 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_spoof.cf 0.00147 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_stocks.cf 0.00267 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_unsub.cf 0.00153 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_uri0.cf 0.00094 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_uri1.cf 0.00115 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_uri3.cf 0.00061 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_uri_eng.cf 0.00041 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_whitelist_rcvd.cf 0.00152 [29269] dbg: config: read file /etc/mail/spamassassin/70_sare_whitelist_spf.cf 0.00149 [29269] dbg: config: read file /etc/mail/spamassassin/70_sc_top200.cf 0.00058 [29269] dbg: config: read file /etc/mail/spamassassin/72_sare_bml_post25x.cf 0.00077 [29269] dbg: config: read file /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf 0.00077 [29269] dbg: config: read file /etc/mail/spamassassin/88_FVGT_body.cf 0.00405 [29269] dbg: config: read file /etc/mail/spamassassin/88_FVGT_headers.cf 0.00291 [29269] dbg: config: read file /etc/mail/spamassassin/88_FVGT_rawbody.cf 0.00189 [29269] dbg: config: read file /etc/mail/spamassassin/88_FVGT_subject.cf 0.00282 [29269] dbg: config: read file /etc/mail/spamassassin/88_FVGT_uri.cf 0.00126 [29269] dbg: config: read file /etc/mail/spamassassin/99_sare_fraud_post25x.cf 0.00046 [29269] dbg: config: read file /etc/mail/spamassassin/backhair.cf 0.00065 [29269] dbg: config: read file /etc/mail/spamassassin/bogus-virus-warnings.cf 0.00619 [29269] dbg: config: read file /etc/mail/spamassassin/chickenpox.cf 0.00144 [29269] dbg: config: read file /etc/mail/spamassassin/imageinfo.cf 0.00049 [29269] dbg: config: read file /etc/mail/spamassassin/local.cf 0.0002 [29269] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf 0.00071 [29269] dbg: config: 
read file /etc/mail/spamassassin/mangled.cf 0.00249 [29269] dbg: config: read file /etc/mail/spamassassin/random.cf 0.00108 [29269] dbg: config: read file /etc/mail/spamassassin/tripwire.cf 0.00272 [29269] dbg: config: read file /etc/mail/spamassassin/weeds.cf 0.00066 [29269] dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file 0.00816 [29269] dbg: config: read file /etc/MailScanner/spam.assassin.prefs.conf 0.00077 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC 0.08558 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa35674c) 0.0161 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC 0.00027 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa375c5c) 0.00421 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC 0.0002 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xa3c4af0) 0.00621 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC 0.00039 [29269] dbg: dcc: local tests only, disabling DCC 0.01016 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0xa3792d4) 0.0003 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC 0.00021 [29269] dbg: pyzor: local tests only, disabling Pyzor 0.00426 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0xa42932c) 0.00025 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC 0.00027 [29269] dbg: reporter: local tests only, disabling SpamCop 0.00505 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0xa39b118) 0.00021 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC 0.00024 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0xa4359f4) 0.00594 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC 0.00021 [29269] dbg: plugin: registered 
Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa44ea74) 0.00191 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC 0.00026 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa443d80) 0.00189 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC 0.00027 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xa461690) 0.00225 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC 0.0002 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa3ef9a8) 0.0027 [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC 0.00018 [29269] dbg: plugin: registered Mail::SpamAssassin::Plugin::ImageInfo=HASH(0xa3efdec) 0.00464 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/empty.pre 0.00051 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/empty.pre" for included file 0.00012 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_html_tests.cf 0.00026 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_html_tests.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_html_tests.cf 0.00086 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/80_additional.cf 0.01655 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/80_additional.cf" for included file 0.00014 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/80_additional.cf 0.00117 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_pl.cf 0.02436 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_pl.cf" for included 
file 0.00014 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_pl.cf 0.00144 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_razor2.cf 0.00829 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_razor2.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_razor2.cf 0.00026 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_spf.cf 0.00115 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_spf.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_spf.cf 0.00032 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_dk.cf 0.00217 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_dk.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_dk.cf 0.00028 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/10_misc.cf 0.00125 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/10_misc.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/10_misc.cf 0.00044 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_body_tests_es.cf 0.00314 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_body_tests_es.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_body_tests_es.cf 0.00059 [29269] dbg: plugin: fixed relative path: 
/var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_nl.cf 0.00231 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_nl.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_nl.cf 0.00197 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_drugs.cf 0.00892 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_drugs.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_drugs.cf 0.00087 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/50_scores.cf 0.01719 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/50_scores.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/50_scores.cf 0.00181 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_accessdb.cf 0.05813 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_accessdb.cf" for included file 0.00014 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_accessdb.cf 0.00017 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_body_tests.cf 0.00058 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_body_tests.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_body_tests.cf 0.00045 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_pt_br.cf 0.00555 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_pt_br.cf" for included file 0.00013 [29269] dbg: 
config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_pt_br.cf 0.00028 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_subject.cf 0.00102 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_subject.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_subject.cf 0.00026 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_pyzor.cf 0.00107 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_pyzor.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_pyzor.cf 0.00016 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_antivirus.cf 0.00062 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_antivirus.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_antivirus.cf 0.00023 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_anti_ratware.cf 0.0008 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_anti_ratware.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_anti_ratware.cf 0.00023 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_phrases.cf 0.00056 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_phrases.cf" for included file 0.00011 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_phrases.cf 0.00103 [29269] dbg: plugin: fixed relative path: 
/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_dcc.cf 0.01859 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_dcc.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_dcc.cf 0.00017 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_uri_tests.cf 0.00062 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_uri_tests.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_uri_tests.cf 0.00061 [29269] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i 0.00083 [29269] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i 0.00023 [29269] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i 0.00024 [29269] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i 0.00022 [29269] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i 0.00025 [29269] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i 0.00027 [29269] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i 0.00024 [29269] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i 0.0003 [29269] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i 0.00039 [29269] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i 0.00037 [29269] dbg: config: adding redirector regex: 
m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i 0.00039 [29269] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i 0.00031 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_advance_fee.cf 0.00659 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_advance_fee.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_advance_fee.cf 0.00043 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_fr.cf 0.00987 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_fr.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_fr.cf 0.00179 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_hashcash.cf 0.00881 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_hashcash.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_hashcash.cf 0.00027 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_fake_helo_tests.cf 0.00202 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_fake_helo_tests.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_fake_helo_tests.cf 0.00067 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_meta_tests.cf 0.00705 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_meta_tests.cf" for included file 0.00013 [29269] dbg: 
config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_meta_tests.cf 0.00031 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_dkim.cf 0.00536 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_dkim.cf" for included file 0.00015 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_dkim.cf 0.00026 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/70_iadb.cf 0.00115 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/70_iadb.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/70_iadb.cf 0.00075 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/23_bayes.cf 0.00748 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/23_bayes.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/23_bayes.cf 0.00027 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_awl.cf 0.00191 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/60_awl.cf" for included file 0.00011 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_awl.cf 0.00022 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_head_tests.cf 0.0009 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_head_tests.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_head_tests.cf 0.00166 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_ratware.cf 0.03575 [29269] dbg: config: using 
"/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_ratware.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_ratware.cf 0.00089 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_replace.cf 0.01752 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_replace.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_replace.cf 0.00067 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_textcat.cf 0.01034 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_textcat.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_textcat.cf 0.00018 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_spf.cf 0.00061 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_spf.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_spf.cf 0.00033 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist.cf 0.00325 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist.cf 0.00038 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_porn.cf 0.00374 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_porn.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_porn.cf 0.00035 [29269] 
dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf 0.00444 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_dnsbl_tests.cf 0.00093 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_dkim.cf 0.00893 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_dkim.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/60_whitelist_dkim.cf 0.00028 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_net_tests.cf 0.00109 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_net_tests.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_net_tests.cf 0.00026 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_body_tests_pl.cf 0.00127 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_body_tests_pl.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_body_tests_pl.cf 0.00106 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_de.cf 0.00563 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_de.cf" for included file 0.00011 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/30_text_de.cf 0.0021 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_compensate.cf 0.01253 [29269] dbg: config: using 
"/var/lib/spamassassin/3.001008/updates_spamassassin_org/20_compensate.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/20_compensate.cf 0.00024 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_domainkeys.cf 0.00128 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_domainkeys.cf" for included file 0.00013 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_domainkeys.cf 0.00026 [29269] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_uribl.cf 0.0011 [29269] dbg: config: using "/var/lib/spamassassin/3.001008/updates_spamassassin_org/25_uribl.cf" for included file 0.00012 [29269] dbg: config: read file /var/lib/spamassassin/3.001008/updates_spamassassin_org/25_uribl.cf 0.0005 [29269] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa3ef9a8) implements 'finish_parsing_end' 1.48345 [29269] dbg: replacetags: replacing tags 0.00016 [29269] dbg: replacetags: done replacing tags 0.03226 [29269] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks 0.03705 [29269] warn: bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied 0.00081 [29269] dbg: bayes: untie-ing DB file toks 0.00012 [29269] dbg: config: score set 0 chosen. 
0.0001 [29269] dbg: message: ---- MIME PARSER START ---- 0.00045 [29269] dbg: message: main message type: text/plain 0.00017 [29269] dbg: message: parsing normal part 0.0001 [29269] dbg: message: added part, type: text/plain 0.00017 [29269] dbg: message: ---- MIME PARSER END ---- 0.0001 [29269] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks 0.00063 [29269] warn: bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied 0.00038 [29269] dbg: bayes: untie-ing DB file toks 0.00011 [29269] dbg: dns: is DNS available? 0 0.0001 [29269] dbg: metadata: X-Spam-Relays-Trusted: 0.00046 [29269] dbg: metadata: X-Spam-Relays-Untrusted: 0.00011 [29269] dbg: metadata: X-Spam-Relays-Internal: 0.0001 [29269] dbg: metadata: X-Spam-Relays-External: 8E-05 [29269] dbg: message: no encoding detected 0.00039 [29269] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa35674c) implements 'parsed_metadata' 0.00026 [29269] dbg: rules: local tests only, ignoring RBL eval 0.00022 [29269] dbg: check: running tests for priority: 0 0.00126 [29269] dbg: rules: running header regexp tests; score so far=0 0.00012 [29269] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" 0.64813 [29269] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1177953262@lint_rules> 0.00084 [29269] dbg: rules: " 7E-05 [29269] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" 0.00083 [29269] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: "i" 0.01107 [29269] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1177953262" 0.00799 [29269] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org 0.00311 [29269] dbg: eval: all '*To' addrs: 0.00156 [29269] dbg: rules: ran eval rule NO_RELAYS ======> got hit 0.00081 [29269] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit 0.00186 [29269] dbg: rules: running body-text per-line regexp tests; score so far=-0.001 
0.00043 [29269] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" 0.77554 [29269] dbg: uri: running uri tests; score so far=-0.001 0.05781 [29269] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks 0.07064 [29269] warn: bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied 0.00078 [29269] dbg: bayes: untie-ing DB file toks 0.00021 [29269] dbg: bayes: not scoring message, returning undef 0.00024 [29269] dbg: bayes: opportunistic call attempt failed, DB not readable 0.00024 [29269] dbg: rules: running raw-body-text per-line regexp tests; score so far=-0.001 0.00911 [29269] dbg: rules: running full-text regexp tests; score so far=-0.001 0.17779 [29269] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa35674c) implements 'check_tick' 0.01835 [29269] dbg: check: running tests for priority: 500 0.00022 [29269] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa35674c) implements 'check_post_dnsbl' 0.0001 [29269] dbg: rules: running meta tests; score so far=-0.001 0.00017 [29269] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'RAZOR2_CHECK' 0.0015 [29269] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2' 0.02145 [29269] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN' 8E-05 [29269] info: rules: meta test SARE_HEAD_SUBJ_RAND has dependency 'X_AUTH_WARN_FAKED' with a zero score 7E-05 [29269] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT' 0.00969 [29269] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT' 7E-05 [29269] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY' 7E-05 [29269] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG50' 0.01129 [29269] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG55' 7E-05 [29269] info: rules: 
meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG65' 7E-05 [29269] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG75' 7E-05 [29269] info: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4' 0.00031 [29269] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2' 0.0022 [29269] dbg: rules: running header regexp tests; score so far=1.866 0.14259 [29269] dbg: rules: running body-text per-line regexp tests; score so far=1.866 0.00011 [29269] dbg: uri: running uri tests; score so far=1.866 0.0001 [29269] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.866 9E-05 [29269] dbg: rules: running full-text regexp tests; score so far=1.866 9E-05 [29269] dbg: check: running tests for priority: 1000 0.00013 [29269] dbg: rules: running meta tests; score so far=1.866 7E-05 [29269] dbg: rules: running header regexp tests; score so far=1.866 0.00012 [29269] dbg: rules: running body-text per-line regexp tests; score so far=1.866 0.00044 [29269] dbg: uri: running uri tests; score so far=1.866 7E-05 [29269] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.866 8E-05 [29269] dbg: rules: running full-text regexp tests; score so far=1.866 0.00012 [29269] dbg: check: is spam? score=1.866 required=5 0.00027 [29269] dbg: check: tests=MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE 8E-05 [29269] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID 8E-05 From alex at nkpanama.com Mon Apr 30 19:21:51 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Mon Apr 30 19:22:50 2007
Subject: A lot of spam getting through
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502816DB1@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D1502816DB1@woodenex.woodmaclaw.local>
Message-ID: <463633BF.9060100@nkpanama.com>

Billy A. Pumphrey wrote:
> Hello everyone. I am having quite a few spam get through. I thought
> that I had quite a few things installed and configured correctly.
> Actually they used to work really well then when I had to rebuild bayes
> as there were too many FP and turn off RBL's, then a lot of spam are
> getting through. Somewhere around 50-100 per user are seemingly getting
> through on a weekend. I have put down as much information as I thought
> about for my configuration. I am looking for recommendations to
> increase my block rate. Please let me know if I left any information
> out. Thank you.
>
>
You should use RBL's within spamassassin (as you have it set now) since RBL's within spamassassin count towards the score and aren't a pass-fail situation that can lead to FP's in your particular case. I, for one, use RBL's at the MTA with few (if any) FPs, but RBL's are one of those things where your mileage *will* vary, and a lot. You don't seem to mention running a local caching DNS server. SA could be failing to find stuff on RBL's, for example. You can try using Rules_du_Jour as well, that should kick your scores up a few notches.
> Spamassassin: 3.1.8
> MailScanner: 4.58.9
> Perl: 5.8.5
> DCC: 1.3.30
> Razor: 2.80
> Pyzor: ???
> Disabled?
> [29269] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
> [29269] dbg: pyzor: local tests only, disabling Pyzor
>
>
> I have attached my lint test.
>
> RBL Checks are off because of FP's. I could not find a good RBL. I did
> try using the ones that were suggested on the board, but hotmail and
> yahoo email kept getting tagged as spam.
>
> Settings from MailScanner.conf:
> Require SpamAssassin Score = 6
>
> Sa-learn --dump magic:
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 93282 0 non-token data: nspam
> 0.000 0 329 0 non-token data: nham
> 0.000 0 250559 0 non-token data: ntokens
> 0.000 0 1177529793 0 non-token data: oldest atime
> 0.000 0 1177953747 0 non-token data: newest atime
> 0.000 0 0 0 non-token data: last journal sync atime
> 0.000 0 1177702647 0 non-token data: last expiry atime
> 0.000 0 172800 0 non-token data: last expire atime delta
> 0.000 0 338424 0 non-token data: last expire reduction count
>
>
>
> /etc/mail/spamassassin directory:
>
> 70_sare_adult.cf
> 70_sare_bayes_poison_nxm.cf
> 70_sare_evilnum0.cf
> 70_sare_evilnum1.cf
> 70_sare_evilnum2.cf
> 70_sare_genlsubj0.cf
> 70_sare_genlsubj1.cf
> 70_sare_genlsubj2.cf
> 70_sare_genlsubj3.cf
> 70_sare_header0.cf
> 70_sare_header1.cf
> 70_sare_header.cf
> 70_sare_html0.cf
> 70_sare_html1.cf
> 70_sare_html2.cf
> 70_sare_html3.cf
> 70_sare_html.cf
> 70_sare_obfu.cf
> 70_sare_oem.cf
> 70_sare_random.cf
> 70_sare_specific.cf
> 70_sare_spoof.cf
> 70_sare_stocks.cf
> 70_sare_unsub.cf
> 70_sare_uri0.cf
> 70_sare_uri1.cf
> 70_sare_uri3.cf
> 70_sare_uri_eng.cf
> 70_sare_whitelist_rcvd.cf
> 70_sare_whitelist_spf.cf
> 70_sc_top200.cf
> 72_sare_bml_post25x.cf
> 72_sare_redirect_post3.0.0.cf
> 88_FVGT_body.cf
> 88_FVGT_headers.cf
> 88_FVGT_rawbody.cf
> 88_FVGT_subject.cf
> 88_FVGT_uri.cf
> 88_FVGT_uri.cf.1
> 99_sare_fraud_post25x.cf
> backhair.cf
> bogus-virus-warnings.cf
> chickenpox.cf
> imageinfo.cf
> init.pre
> local.cf
> mailscanner.cf
> mangled.cf
> old
> random.cf
> RulesDuJour
> sa-update-keys
> spamassassin-default.rc
> spamassassin-helper.sh
> spamassassin-spamc.rc
> tripwire.cf
> v310.pre
> v310.pre.rpmnew
> v312.pre
> v312.pre.rpmnew
> weeds.cf
>
> After looking at a few emails I can see that pyzor and DCC and bayes are
> scoring:
> Score Matching Rule Description
> cached not
> score=24.094
> 6 required
>
> autolearn=spam
> 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.33 FH_DATE_ISNT_2006
> 0.77 FH_DATE_ISNT_200X
> 0.40 FH_LEADINGPREP
> 0.71 FS_START_BUY
> 3.70 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
> 0.61 SARE_SXLIFE Talks about your sex life
> 3.81 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
> 4.09 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
> 3.01 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> 4.50 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
>
>
> Billy Pumphrey
> IT Manager
> Wooden & McLaughlin
>
>
> ------------------------------------------------------------------------
>
0.0001 > [29269] dbg: message: ---- MIME PARSER START ---- 0.00045 > [29269] dbg: message: main message type: text/plain 0.00017 > [29269] dbg: message: parsing normal part 0.0001 > [29269] dbg: message: added part, type: text/plain 0.00017 > [29269] dbg: message: ---- MIME PARSER END ---- 0.0001 > [29269] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks 0.00063 > [29269] warn: bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied 0.00038 > [29269] dbg: bayes: untie-ing DB file toks 0.00011 > [29269] dbg: dns: is DNS available? 0 0.0001 > [29269] dbg: metadata: X-Spam-Relays-Trusted: 0.00046 > [29269] dbg: metadata: X-Spam-Relays-Untrusted: 0.00011 > [29269] dbg: metadata: X-Spam-Relays-Internal: 0.0001 > [29269] dbg: metadata: X-Spam-Relays-External: 8E-05 > [29269] dbg: message: no encoding detected 0.00039 > [29269] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa35674c) implements 'parsed_metadata' 0.00026 > [29269] dbg: rules: local tests only, ignoring RBL eval 0.00022 > [29269] dbg: check: running tests for priority: 0 0.00126 > [29269] dbg: rules: running header regexp tests; score so far=0 0.00012 > [29269] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" 0.64813 > [29269] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1177953262@lint_rules> 0.00084 > [29269] dbg: rules: " 7E-05 > [29269] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" 0.00083 > [29269] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: "i" 0.01107 > [29269] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1177953262" 0.00799 > [29269] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org 0.00311 > [29269] dbg: eval: all '*To' addrs: 0.00156 > [29269] dbg: rules: ran eval rule NO_RELAYS ======> got hit 0.00081 > [29269] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit 0.00186 > [29269] dbg: rules: running 
body-text per-line regexp tests; score so far=-0.001 0.00043 > [29269] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" 0.77554 > [29269] dbg: uri: running uri tests; score so far=-0.001 0.05781 > [29269] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks 0.07064 > [29269] warn: bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied 0.00078 > [29269] dbg: bayes: untie-ing DB file toks 0.00021 > [29269] dbg: bayes: not scoring message, returning undef 0.00024 > [29269] dbg: bayes: opportunistic call attempt failed, DB not readable 0.00024 > [29269] dbg: rules: running raw-body-text per-line regexp tests; score so far=-0.001 0.00911 > [29269] dbg: rules: running full-text regexp tests; score so far=-0.001 0.17779 > [29269] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa35674c) implements 'check_tick' 0.01835 > [29269] dbg: check: running tests for priority: 500 0.00022 > [29269] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa35674c) implements 'check_post_dnsbl' 0.0001 > [29269] dbg: rules: running meta tests; score so far=-0.001 0.00017 > [29269] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'RAZOR2_CHECK' 0.0015 > [29269] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2' 0.02145 > [29269] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN' 8E-05 > [29269] info: rules: meta test SARE_HEAD_SUBJ_RAND has dependency 'X_AUTH_WARN_FAKED' with a zero score 7E-05 > [29269] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT' 0.00969 > [29269] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT' 7E-05 > [29269] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY' 7E-05 > [29269] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG50' 0.01129 > [29269] info: rules: meta 
test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG55' 7E-05 > [29269] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG65' 7E-05 > [29269] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG75' 7E-05 > [29269] info: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4' 0.00031 > [29269] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2' 0.0022 > [29269] dbg: rules: running header regexp tests; score so far=1.866 0.14259 > [29269] dbg: rules: running body-text per-line regexp tests; score so far=1.866 0.00011 > [29269] dbg: uri: running uri tests; score so far=1.866 0.0001 > [29269] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.866 9E-05 > [29269] dbg: rules: running full-text regexp tests; score so far=1.866 9E-05 > [29269] dbg: check: running tests for priority: 1000 0.00013 > [29269] dbg: rules: running meta tests; score so far=1.866 7E-05 > [29269] dbg: rules: running header regexp tests; score so far=1.866 0.00012 > [29269] dbg: rules: running body-text per-line regexp tests; score so far=1.866 0.00044 > [29269] dbg: uri: running uri tests; score so far=1.866 7E-05 > [29269] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.866 8E-05 > [29269] dbg: rules: running full-text regexp tests; score so far=1.866 0.00012 > [29269] dbg: check: is spam? score=1.866 required=5 0.00027 > [29269] dbg: check: tests=MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE 8E-05 > [29269] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID 8E-05 > From list-mailscanner at linguaphone.com Mon Apr 30 19:41:31 2007 
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Apr 30 19:41:46 2007
Subject: A lot of spam getting through
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502816DB1@woodenex.woodmaclaw.local>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Billy A.
> Pumphrey
> Sent: 30 April 2007 19:15
> To: MailScanner discussion
> Subject: A lot of spam getting through
>
>
> Hello everyone. I am having quite a few spam get through. I thought
> that I had quite a few things installed and configured correctly.
> Actually they used to work really well then when I had to rebuild bayes
> as there were too many FP and turn off RBL's, then a lot of spam are
> getting through. Somewhere around 50-100 per user are seemingly getting
> through on a weekend. I have put down as much information as I thought
> about for my configuration. I am looking for recommendations to
> recrease my block rate. Please let me know if I left any information
> out. Thank you.

I would suggest a few things:-

1) Enable RBL's again. If you have FP of some of them then you can reduce the score a little manually.

2) Install Fuzzyocr which works well at detecting the image spams (http://www.gbnetwork.co.uk/mailscanner/ for the URL's)

3) Install and regularly update the KAM rules which are very frequently updated rules to catch the latest spams. Again the URL is on the site above.

4) Add this following custom rule to match those spams which just link to a picture.

uri GRB_Imagehost /\.(?:|imageshack|2and2|afreeimagehost|imagehosting)\.(?:com|net|us)/i
score GRB_Imagehost 1.0
describe GRB_Imagehost Linking to free image hosting service

5) Tweak any scores for your particular site. For example I tend to reduce the -ve scores bayes rules and increase the razor scores :-

score BAYES_00 -0.5
score BAYES_05 -0.1
score BAYES_20 -0.01
score BAYES_40 -0.01
score BAYES_99 5.0
score DEAR_SOMETHING 1
score RAZOR2_CF_RANGE_51_100 1.0
score RAZOR2_CF_RANGE_E4_51_100 2.0
score RAZOR2_CF_RANGE_E8_51_100 2.0
score RAZOR2_CHECK 1.0

6) Make use of the whitelist feature for some addresses which tend to get blocked. You will always get some.
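The following is an added example, not part of the message above and not code from MailScanner or SpamAssassin: it runs the GRB_Imagehost pattern from item 4 over constructed URIs in Python, beside a hypothetical host-anchored variant (TIGHT, an assumption), to show which URI shapes the posted pattern catches, misses, or matches through its empty alternative. It assumes a uri rule is tested against each extracted URI string on its own; Python's re module handles this particular pattern the same way Perl does.

```python
import re

# Pattern exactly as posted in rule GRB_Imagehost (Perl /.../i -> re.IGNORECASE).
# Note the empty alternative right after "(?:" and the mandatory leading dot.
POSTED = re.compile(
    r"\.(?:|imageshack|2and2|afreeimagehost|imagehosting)\.(?:com|net|us)",
    re.IGNORECASE,
)

# Hypothetical host-anchored variant (an assumption, not from the thread):
# the service name must be the registered domain of the URI's host, with or
# without subdomains, and may not sit in the path, the query string or in
# the middle of a longer hostname.
TIGHT = re.compile(
    r"^https?://(?:[^/?#]*@)?(?:[a-z0-9-]+\.)*"
    r"(?:imageshack|2and2|afreeimagehost|imagehosting)\.(?:com|net|us)"
    r"(?::\d+)?(?:[/?#]|$)",
    re.IGNORECASE,
)

# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    # Subdomain of a listed host: the case the rule was written for.
    "http://img123.imageshack.us/img123/1/pic.gif",
    # Bare listed host: no dot precedes the name, so the posted pattern misses it.
    "http://imageshack.us/a.gif",
    # Listed host appears only inside a query string of an unrelated site.
    "http://example.com/redirect?u=www.imageshack.us",
    # Doubled dot: hits the posted pattern through the empty alternative.
    "http://www.example..com/",
    # Listed name used as a label of an unrelated, longer hostname.
    "http://www.imagehosting.com.example.org/",
    # Unrelated URI: neither pattern should match.
    "http://www.example.org/index.html",
]


def compare(uris):
    """Return (uri, posted_hit, tight_hit) for every URI string."""
    return [(u, bool(POSTED.search(u)), bool(TIGHT.search(u))) for u in uris]


def disagreements(uris):
    """Return only the rows where the two patterns give different verdicts."""
    return [row for row in compare(uris) if row[1] != row[2]]


if __name__ == "__main__":
    for uri, posted, tight in compare(SAMPLES):
        print(f"posted={posted!s:5} tight={tight!s:5} {uri}")
```
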
From bpumphrey at woodmclaw.com Mon Apr 30 19:58:25 2007
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Mon Apr 30 19:58:28 2007
Subject: A lot of spam getting through
In-Reply-To: <463633BF.9060100@nkpanama.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502816E01@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
> Sent: Monday, April 30, 2007 2:22 PM
> To: MailScanner discussion
> Subject: Re: A lot of spam getting through
>
> Billy A. Pumphrey wrote:
> > Hello everyone. I am having quite a few spam get through. I thought
> > that I had quite a few things installed and configured correctly.
> > Actually they used to work really well then when I had to rebuild bayes
> > as there were too many FP and turn off RBL's, then a lot of spam are
> > getting through. Somewhere around 50-100 per user are seemingly getting
> > through on a weekend. I have put down as much information as I thought
> > about for my configuration. I am looking for recommendations to
> > recrease my block rate. Please let me know if I left any information
> > out. Thank you.
> >
> >
> You should use RBL's within spamassassin (as you have it set now) since
> RBL's within spamassassin count towards the score and aren't a pass-fail
> situation that can lead to FP's in your particular case. I, for one, use
> RBL's at the MTA with few (if any) FPs, but rbl's are one of those
> things where your mileage *will* vary, and a lot.
>
> You don't seem to mention running a local caching DNS server. SA could
> be failing to find stuff on RBL's, for example.
>
> You can try using Rules_du_Jour as well, that should kick your scores up
> a few notches.

I do have Rules going which is in my directory listed below.

I believe that I have a local DNS going. Do you have a quick way to check?

Also, I do not know my way around RBL's in the MTA. Do you have a hint on where the settings are for sendmail?

From TGFurnish at herffjones.com Mon Apr 30 20:07:51 2007
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Apr 30 20:07:59 2007
Subject: Slightly OT: How do you deal with domains you forward to who consider you a spammer based in user reports?
Message-ID: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int>

This probably only applies to folks on the list with large counts of users, but I appreciate any input. I also realize it's not directly related to MailScanner, but I value the thoughts of this list's members as email administrators much more highly than any other list I know of, so please forgive me. If you suggest more appropriate lists, thank you in advance.

Ok, enough pre-amble. :-)

This is specifically related to aol.com, but generally the problem is I forward to about 150 addresses at a given domain (out of the ten thousand or so I accept mail for) and the relatively small number of spam I DON'T catch are being reported by those users to their ISP as spam, causing my outbound server's IP address to be blacklisted by their ISP. AOL makes this extremely convenient for their users (so convenient that quite a few of the messages reported aren't even spam, but are actually just mail they're too lazy to unsubscribe from).

How do you handle mail that you forward? As I see it my only options for dealing with aol are:

- Don't miss any spam (uh, I wish) so none is forwarded to aol.com addresses.
- Don't forward to outside addresses (definitely the choice I wish I could implement, but not really an option).
- Convince aol that even though I frequently forward spam, they should let me. (Again, doesn't seem likely to happen.)

Anyone have any other suggestions? I would expect this happens to quite a few of you with large user counts, if not with aol then with some other large provider.

In my case it's been 500 reported "spam" sent to 150 aol.com addresses in three weeks, so 3 messages per user per week missed. I don't yet have a way to know the total count of messages forwarded for those users, but I doubt 3.3/week is a very high false-negative rate. The problem is just that from aol.com's point of view they're all spam from me, even though they're actually just being forwarded by me upon request of their users.

--
Trever Furnish, tgfurnish@herffjones.com
Herff Jones, Inc. Unix / Network Administrator
Phone: 317.612.3519
Any sufficiently advanced technology is indistinguishable from Unix.

From nerijusb at dtiltas.lt Mon Apr 30 20:36:17 2007
From: nerijusb at dtiltas.lt (Nerijus Baliunas)
Date: Mon Apr 30 20:40:05 2007
Subject: Postfix milter with MailScanner , extra 0 problem
In-Reply-To: <223f97700704240216u4cbd4cbey1df9503fa3a2c7f6@mail.gmail.com>
References: <1177340488.25796.153.camel@localhost.localdomain><223f97700704230818t3ffae2e3u1f28b09aad5d454@mail.gmail.com><1177343963.25796.159.camel@localhost.localdomain> <223f97700704240216u4cbd4cbey1df9503fa3a2c7f6@mail.gmail.com>
Message-ID: <20070430193605.B02521224A1@mx-b.vdnet.lt>

On Tue, 24 Apr 2007 11:16:23 +0200 Glenn Steen wrote:

> These patches are for use with Postfix 2.3... Although PFDiskStore.pm
> will handle the body edits we need do some check to see that all the
> body is there by spinning through the p records in ReadQf (in
> Postfix.pm)... Or something smarter (I'm open to suggestions:-).
> If you need that (and run PF 2.4) I can probably find my patch for
> that too ... somewhere...:-)

BTW, can I use these patches with PF 2.4 if my milter modifies headers only (not body)? Or should I need your patch for 2.4?

Regards,
Nerijus

From ssilva at sgvwater.com Mon Apr 30 21:21:31 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Apr 30 21:29:09 2007 Subject: New Stable Release, Clamd and Postfix? In-Reply-To: <4635F88E.4040509@slackadelic.com> References: <4635F88E.4040509@slackadelic.com> Message-ID: Matt Hayes spake the following on 4/30/2007 7:09 AM: > Paul Hutchings wrote: >> My MailScanner box runs quite nicely running the previous stable version >> 4.58.9. >> >> I'm suffering from the slow clamscan performance issue, and noticed the >> new stable release supports clamd (which I'm running). >> >> Having looked at the manual it appears it should simply be a case of run >> the installer script, then use upgrade_MailScanner_conf to update >> MailScanner.conf with the new settings. >> >> Not having ever upgraded MailScanner before, I'd sooner ask the question >> than get caught out - is this all there is to it (barring something >> totally unforeseen happening)? >> >> Also as I run Postfix I have my MailScanner set to run as user "postfix" >> as per the docs. Will this cause me a problem (or can someone point me >> where to go to RTFM?) >> >> Cheers, >> Paul >> > > Paul, > > That is basically all there is to it. However, if you are like me, > anything custom that you've added like %rules-dir% files will more than > likely have to be re-entered in. If you use Mailwatch, some things with > quarantine configuration to allow for released messages to bypass spam > checks may have to be reconfigured. > > The great thing about the upgrade of mailscanner.. it leaves your old > installation in place :) > > -Matt > > The last statement isn't totally true. The rpm version will replace the running files. I have a backup script I run that copies the running system into a new directory and then I can upgrade or go back. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Apr 30 21:32:56 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Apr 30 21:35:12 2007 Subject: Slightly OT: How do you deal with domains you forward to who consider you a spammer based in user reports? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int> Message-ID: Furnish, Trever G spake the following on 4/30/2007 12:07 PM: > This probably only applies to folks on the list with large counts of > users, but I appreciate any input. I also realize it's not directly > related to MailScanner, but I value the thoughts of this list's members > as email administrators much more highly than any other list I know of, > so please forgive me. If you suggest more appropriate lists, thank you > in advance. > > Ok, enough pre-amble. :-) > > This is specificly related to aol.com, but generally the problem is I > forward to about 150 addresses at a given domain (out of the ten > thousand or so I accept mail for) and the relatively small number of > spam I DON'T catch are being reported by those users to their ISP as > spam, causing my outbound server's IP address to be blacklisted by their > ISP. AOL makes this extremely convenient for their users (so convenient > that quite a few of the messages reported aren't even spam, but are > actually just mail they're too lazy to unscribe from). > > How do you handle mail that you forward? As I see it my only options > for dealing with aol are: > - Don't miss any spam (uh, I wish) so none is forward to aol.com > addresses. > - Don't forward to outside addresses (definitely the choice I wish I > could implement, but not really an option). > - Convince aol that even though I frequently forward spam, they > should let me. (Again, doesn't seem likely to happen.) > > Anyone have any other suggestions? I would expect this happens to quite > a few of you with large user counts, if not with aol then with some > other large provider. 
> > In my case it's been 500 reported "spam" sent to 150 aol.com addresses > in three weeks, so 3 messages per user per week missed. I don't yet > have a way to know the total count of messages forwarded for those > users, but I doubt 3.3/week is a very high false-negative rate. The > problem is just that from aol.com's point of view they're all spam from > me, even though they're actually just being forwarded by me upon request > of their users. > > -- I would put a smarthost on another IP address and only forward the AOL mail through that one. It will still choke on AOL, but it won't bring down the rest of your users. You could even put MailScanner on that host and check them again if you want. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From campbell at cnpapers.com Mon Apr 30 21:39:27 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Mon Apr 30 21:39:39 2007 Subject: A lot of spam getting through References: <04D932B0071FE34FA63EBB1977B48D1502816E01@woodenex.woodmaclaw.local> Message-ID: <000c01c78b67$a5161a50$0705000a@ddf5dw71> ----- Original Message ----- From: "Billy A. Pumphrey" To: "MailScanner discussion" Sent: Monday, April 30, 2007 2:58 PM Subject: RE: A lot of spam getting through > I believe that I have a local DNS going. Do you have a quick way to > check? > I believe if you look in your resolv.conf file on the particular server in question, you should see something like 127.0.0.1 as a nameserver. Then do an old fashion nslookup for any address, and it should return 127.0.0.1 as the server that responded. You should also be able to do a 'ps' and determine if any DNS server is running (usually 'named' on a RH server.) A local nameserver is not necessarily a local caching nameserver, mind you. I think this is correct, but it'll tell you if you don't have a local nameserver running. Steve From bpumphrey at woodmclaw.com Mon Apr 30 21:44:40 2007 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Mon Apr 30 21:44:44 2007 Subject: A lot of spam getting through In-Reply-To: <000c01c78b67$a5161a50$0705000a@ddf5dw71> Message-ID: <04D932B0071FE34FA63EBB1977B48D1502816E99@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Campbell > Sent: Monday, April 30, 2007 4:39 PM > To: MailScanner discussion > Subject: Re: A lot of spam getting through > > > ----- Original Message ----- > From: "Billy A. Pumphrey" > To: "MailScanner discussion" > Sent: Monday, April 30, 2007 2:58 PM > Subject: RE: A lot of spam getting through > > > > I believe that I have a local DNS going. Do you have a quick way to > > check? > > > I believe if you look in your resolv.conf file on the particular server in > question, you should see something like 127.0.0.1 as a nameserver. > > Then do an old fashion nslookup for any address, and it should return > 127.0.0.1 as the server that responded. > > You should also be able to do a 'ps' and determine if any DNS server is > running (usually 'named' on a RH server.) > > A local nameserver is not necessarily a local caching nameserver, mind > you. > > I think this is correct, but it'll tell you if you don't have a local > nameserver running. > > Steve > > Ok, I had edited this file but it points to my local domain windows dns server. Does that mean that I should change it to something else? From bpumphrey at woodmclaw.com Mon Apr 30 21:46:46 2007 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Mon Apr 30 21:46:48 2007
Subject: A lot of spam getting through
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502816E9A@woodenex.woodmaclaw.local>

I have done quite a bit of the below. See my notes please. Thank you lots!

>
> I would suggest a few things:-
>
> 1) Enable RBL's again. If you have FP of some of them then you can reduce
> the score a little manually.
>
> 2) Install Fuzzyocr which works well at detecting the image spams
> (http://www.gbnetwork.co.uk/mailscanner/ for the URL's)

I got this installed and a lint shows OK.

>
> 3) Install and regularly update the KAM rules which are very frequently
> updated rules to catch the latest spams. Again the URL is on the site
> above.
>

I got this installed and a lint shows OK.

> 4) Add this following custom rule to match those spams which just link to
> a picture.
> uri GRB_Imagehost /\.(?:|imageshack|2and2|afreeimagehost|imagehosting)\.(?:com|net|us)/i
> score GRB_Imagehost 1.0
> describe GRB_Imagehost Linking to free image hosting service
>

I got this installed and a lint shows OK. I assumed that I just create a file named xxxxx.cf and copy and paste it into the file? That is what I did.

> 5) Tweak any scores for your particular site. For example I tend to reduce
> the -ve scores bayes rules and increase the razor scores :-
> score BAYES_00 -0.5
> score BAYES_05 -0.1
> score BAYES_20 -0.01
> score BAYES_40 -0.01
> score BAYES_99 5.0
> score DEAR_SOMETHING 1
> score RAZOR2_CF_RANGE_51_100 1.0
> score RAZOR2_CF_RANGE_E4_51_100 2.0
> score RAZOR2_CF_RANGE_E8_51_100 2.0
> score RAZOR2_CHECK 1.0
>

Is the local.cf file where this goes?

> 6) Make use of the whitelist feature for some addresses which tend to get
> blocked. You will always get some.
>

Indeed.

From list-mailscanner at linguaphone.com Mon Apr 30 21:51:06 2007
From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Apr 30 21:51:17 2007 Subject: Slightly OT: How do you deal with domains you forward to whoconsider you a spammer based in user reports? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int> Message-ID: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Furnish, > Trever G > Sent: 30 April 2007 20:08 > To: mailscanner@lists.mailscanner.info > Subject: Slightly OT: How do you deal with domains you forward to > whoconsider you a spammer based in user reports? > > > This probably only applies to folks on the list with large counts of > users, but I appreciate any input. I also realize it's not directly > related to MailScanner, but I value the thoughts of this list's members > as email administrators much more highly than any other list I know of, > so please forgive me. If you suggest more appropriate lists, thank you > in advance. > > Ok, enough pre-amble. :-) > > This is specificly related to aol.com, but generally the problem is I > forward to about 150 addresses at a given domain (out of the ten > thousand or so I accept mail for) and the relatively small number of > spam I DON'T catch are being reported by those users to their ISP as > spam, causing my outbound server's IP address to be blacklisted by their > ISP. AOL makes this extremely convenient for their users (so convenient > that quite a few of the messages reported aren't even spam, but are > actually just mail they're too lazy to unscribe from). > > How do you handle mail that you forward? As I see it my only options > for dealing with aol are: > - Don't miss any spam (uh, I wish) so none is forward to aol.com > addresses. > - Don't forward to outside addresses (definitely the choice I wish I > could implement, but not really an option). > - Convince aol that even though I frequently forward spam, they > should let me. (Again, doesn't seem likely to happen.) > > Anyone have any other suggestions? I would expect this happens to quite > a few of you with large user counts, if not with aol then with some > other large provider. 
> > In my case it's been 500 reported "spam" sent to 150 aol.com addresses > in three weeks, so 3 messages per user per week missed. I don't yet > have a way to know the total count of messages forwarded for those > users, but I doubt 3.3/week is a very high false-negative rate. The > problem is just that from aol.com's point of view they're all spam from > me, even though they're actually just being forwarded by me upon request > of their users. For AOL there is a service you can subscribe to and give details of the IP address of your mail servers and your email address. Any spam complaints they receive are then passed onto yourselves. We do that so if someone reports one of our newsletters as spam we can look at the headers to see who it was sent to and then remove them from the list. From ka at pacific.net Mon Apr 30 21:51:32 2007 
From: ka at pacific.net (Ken A) Date: Mon Apr 30 21:51:34 2007 Subject: Slightly OT: How do you deal with domains you forward to who consider you a spammer based in user reports? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int> Message-ID: <463656D4.4010200@pacific.net> Furnish, Trever G wrote: > This probably only applies to folks on the list with large counts of > users, but I appreciate any input. I also realize it's not directly > related to MailScanner, but I value the thoughts of this list's members > as email administrators much more highly than any other list I know of, > so please forgive me. If you suggest more appropriate lists, thank you > in advance. > > Ok, enough pre-amble. :-) > > This is specificly related to aol.com, but generally the problem is I > forward to about 150 addresses at a given domain (out of the ten > thousand or so I accept mail for) and the relatively small number of > spam I DON'T catch are being reported by those users to their ISP as > spam, causing my outbound server's IP address to be blacklisted by their > ISP. AOL makes this extremely convenient for their users (so convenient > that quite a few of the messages reported aren't even spam, but are > actually just mail they're too lazy to unscribe from). > > How do you handle mail that you forward? As I see it my only options > for dealing with aol are: > - Don't miss any spam (uh, I wish) so none is forward to aol.com > addresses. > - Don't forward to outside addresses (definitely the choice I wish I > could implement, but not really an option). > - Convince aol that even though I frequently forward spam, they > should let me. (Again, doesn't seem likely to happen.) > > Anyone have any other suggestions? I would expect this happens to quite > a few of you with large user counts, if not with aol then with some > other large provider. 
It doesn't cost anything to get an aol feedback loop for your ip space. postmaster.aol.com. Do that if you haven't already. You'll be notified when some luser at aol.com clicks 'this is spam', or whatever the bit red button says. This gives you a 'whitelisted' (sort of) status with aol.com, so they are no longer as trigger happy. When I came in this morning I had about 10 aol 'TOS notifications' from the weekend. Half of those were legitimate mailings from domains we host with one click opt-out links at the bottom, so I can quickly opt those lusers out! Of the other 5, 3 were forwards of jokes which you can't really do much about unless it's a violation of your TOS. The last 2 were domain forwards (NO CATCHALLS ALLOWED!) that our customers at aol.com clicked 'this is spam' on. If this is a repeat behavior by a certain customer, we send them a friendly note asking them not to do that on their domain mail, and if they keep doing it, we begin quarantining all low scoring spam. This has helped, but not solved the problem... ymmv. -- Ken Anderson Pacific.Net > > In my case it's been 500 reported "spam" sent to 150 aol.com addresses > in three weeks, so 3 messages per user per week missed. I don't yet > have a way to know the total count of messages forwarded for those > users, but I doubt 3.3/week is a very high false-negative rate. The > problem is just that from aol.com's point of view they're all spam from > me, even though they're actually just being forwarded by me upon request > of their users. > > -- > Trever Furnish, tgfurnish@herffjones.com Herff Jones, Inc. Unix / > Network Administrator > Phone: 317.612.3519 > Any sufficiently advanced technology is indistinguishable from Unix. From campbell at cnpapers.com Mon Apr 30 21:52:26 2007 
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Apr 30 21:52:38 2007
Subject: A lot of spam getting through
References: <04D932B0071FE34FA63EBB1977B48D1502816E99@woodenex.woodmaclaw.local>
Message-ID: <000801c78b69$75df64b0$0705000a@ddf5dw71>

----- Original Message -----
From: "Billy A. Pumphrey"
To: "MailScanner discussion"
Sent: Monday, April 30, 2007 4:44 PM
Subject: RE: A lot of spam getting through

>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Steve Campbell
>> Sent: Monday, April 30, 2007 4:39 PM
>> To: MailScanner discussion
>> Subject: Re: A lot of spam getting through
>>
>>
>> ----- Original Message -----
>> From: "Billy A. Pumphrey"
>> To: "MailScanner discussion"
>> Sent: Monday, April 30, 2007 2:58 PM
>> Subject: RE: A lot of spam getting through
>>
>>
>> > I believe that I have a local DNS going. Do you have a quick way to
>> > check?
>> >
>> I believe if you look in your resolv.conf file on the particular server in
>> question, you should see something like 127.0.0.1 as a nameserver.
>>
>> Then do an old fashion nslookup for any address, and it should return
>> 127.0.0.1 as the server that responded.
>>
>> You should also be able to do a 'ps' and determine if any DNS server is
>> running (usually 'named' on a RH server.)
>>
>> A local nameserver is not necessarily a local caching nameserver, mind
>> you.
>>
>> I think this is correct, but it'll tell you if you don't have a local
>> nameserver running.
>>
>> Steve
>>
>>
>
> Ok, I had edited this file but it points to my local domain windows dns
> server. Does that mean that I should change it to something else?
> --

You should only change it if you have a caching nameserver on the server that is showing a lot of spam. Did you discover whether you are even running a local DNS server? What does ps show? What was in the file before you edited it?

Steve

From bpumphrey at woodmclaw.com Mon Apr 30 21:57:19 2007
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Mon Apr 30 21:57:21 2007
Subject: A lot of spam getting through
In-Reply-To: <000801c78b69$75df64b0$0705000a@ddf5dw71>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502816EA6@woodenex.woodmaclaw.local>

> You should only change it if you have a caching nameserver on the server
> that is showing a lot of spam. Did you discover whether you are even
> running
> a local DNS server? What does ps show? What was in the file before you
> edited it?
>
> Steve
>

I believe the file was blank, I edited when I first set the machine up.
PS shows:

  PID TTY          TIME CMD
28182 pts/0    00:00:01 bash
 2890 pts/0    00:00:00 ps

From list-mailscanner at linguaphone.com Mon Apr 30 21:59:02 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Apr 30 21:59:05 2007
Subject: A lot of spam getting through
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502816E9A@woodenex.woodmaclaw.local>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Billy A.
> Pumphrey
> Sent: 30 April 2007 21:47
> To: MailScanner discussion
> Subject: RE: A lot of spam getting through
>
>
> I have done quite a bit of the below. See my notes please.
> Thank you lots!
>
> >
> > I would suggest a few things:-
> >
> > 1) Enable RBL's again. If you have FP of some of them then you can reduce
> > the score a little manually.
> >
> > 2) Install Fuzzyocr which works well at detecting the image spams
> > (http://www.gbnetwork.co.uk/mailscanner/ for the URL's)
>
> I got this installed and a lint shows OK.

Have a look at http://www.freespamfilter.org/forum/viewforum.php?f=25

That forum although quiet has some good tips for additional fuzzyocr configuration such as additional words and scansets.

Did you install gocr and ocrad OCR plugins?

> > 4) Add this following custom rule to match those spams which just link to a
> > picture.
> > uri GRB_Imagehost /\.(?:|imageshack|2and2|afreeimagehost|imagehosting)\.(?:com|net|us)/i
> > score GRB_Imagehost 1.0
> > describe GRB_Imagehost Linking to free image hosting service
> >
>
> I got this installed and a lint shows OK. I assumed that I just create
> a file named xxxxx.cf and copy and paste it into the file? That is what
> I did.

Yes you could just add it to local.cf if you want. I have a file containing all my rules I have written myself so it is just part of that.

For example for historical reasons there are addresses we have which only ever receive spam and lots of it. I have our server to delete any identified spam so I just see things that slip through. Typically these are new stock spam until razor and pyzor catch up but I normally immediately write a new rule to catch them (similar to what the KAM author does).

> > 5) Tweak any scores for your particular site. For example I tend to reduce
> > the -ve scores bayes rules and increase the razor scores :-
> > score BAYES_00 -0.5
> > score BAYES_05 -0.1
> > score BAYES_20 -0.01
> > score BAYES_40 -0.01
> > score BAYES_99 5.0
> > score DEAR_SOMETHING 1
> > score RAZOR2_CF_RANGE_51_100 1.0
> > score RAZOR2_CF_RANGE_E4_51_100 2.0
> > score RAZOR2_CF_RANGE_E8_51_100 2.0
> > score RAZOR2_CHECK 1.0
> >
>
> Is the local.cf file where this goes?

local.cf is fine. I put mine in mailscanner.cf just to keep the customisations together.

From mogens at fumlersoft.dk Mon Apr 30 22:00:29 2007
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Mon Apr 30 21:59:11 2007
Subject: {MCP?} Re: A lot of spam getting through
In-Reply-To: <463633BF.9060100@nkpanama.com>
References: <04D932B0071FE34FA63EBB1977B48D1502816DB1@woodenex.woodmaclaw.local> <463633BF.9060100@nkpanama.com>
Message-ID: <1471.90.184.17.152.1177966829.squirrel@mail.fumlersoft.dk>

Talking about false positives. This is the headers from the mail starting this thread. Notice the MCP headers in the bottom :)

Return-Path:
Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7])
        by gph.parkhotel.dk (8.13.8/8.13.8) with ESMTP id l3UIMxG5011900
        for ; Mon, 30 Apr 2007 20:23:00 +0200
Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1])
        by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l3UIJ1wa000636;
        Mon, 30 Apr 2007 19:19:33 +0100
X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw Exp $
Received: from woodenex.woodmaclaw.local (68-74-55-137.ded.ameritech.net [68.74.55.137])
        by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l3UIEulP000342
        for ; Mon, 30 Apr 2007 19:14:57 +0100
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----_=_NextPart_001_01C78B53.7493940B"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Mon, 30 Apr 2007 14:14:56 -0400
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502816DB1@woodenex.woodmaclaw.local>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: A lot of spam getting through
Thread-Index: AceLU3Ta94n1RQJIQL63mg3nDOEQTA==
From: "Billy A. Pumphrey"
To: "MailScanner discussion"
Subject: {MCP?} A lot of spam getting through
X-BeenThere: mailscanner@lists.mailscanner.info
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: MailScanner discussion
List-Id: MailScanner discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: mailscanner-bounces@lists.mailscanner.info
Errors-To: mailscanner-bounces@lists.mailscanner.info
X-trader-internet-MailScanner-OpenProtect-Information: Please contact the ISP for more information
X-trader-internet-MailScanner-OpenProtect: Found to be clean
X-trader-internet-MailScanner-OpenProtect-MCPCheck: MCP, MCP-Checker (score=3.573,
        required 3.5, DRUGS_ERECTILE 0.10, DRUGS_ERECTILE_OBFU 2.05,
        INFO_TLD 0.81, SARE_SXLIFE 0.61)
X-trader-internet-MailScanner-OpenProtect-From: mailscanner-bounces@lists.mailscanner.info

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

--
This message has been scanned for viruses and dangerous content by OpenProtect(http://www.openprotect.com), and is believed to be clean.

From dave.list at pixelhammer.com Mon Apr 30 22:01:24 2007
From: dave.list at pixelhammer.com (DAve)
Date: Mon Apr 30 22:02:38 2007
Subject: Slightly OT: How do you deal with domains you forward to who consider you a spammer based in user reports?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int>
Message-ID: <46365924.7000202@pixelhammer.com>

Furnish, Trever G wrote:
> This probably only applies to folks on the list with large counts of
> users, but I appreciate any input. I also realize it's not directly
> related to MailScanner, but I value the thoughts of this list's members
> as email administrators much more highly than any other list I know of,
> so please forgive me. If you suggest more appropriate lists, thank you
> in advance.
>
> Ok, enough pre-amble. :-)
>
> This is specifically related to aol.com, but generally the problem is I
> forward to about 150 addresses at a given domain (out of the ten
> thousand or so I accept mail for) and the relatively small number of
> spam I DON'T catch are being reported by those users to their ISP as
> spam, causing my outbound server's IP address to be blacklisted by their
> ISP. AOL makes this extremely convenient for their users (so convenient
> that quite a few of the messages reported aren't even spam, but are
> actually just mail they're too lazy to unsubscribe from).

An exasperating situation. We have been dealing with the same issue for quite a while. Our current solution is to use verp, if AOL returns the message in a scomp report we remove the user's email address and add it to a subscriber black list. That email address is never allowed to subscribe to another mail list we host. So far, no client has complained, AOL is happy, our scomp reports have plummeted.

You might see if there is a way to inject something into the headers that AOL will not redact. Then, if the user reports their forwarded mail as spam, simply stop forwarding. Not the best solution business wise, but the safe option for certain. If the user wants the authority to declare spam/not spam, they should be responsible for the actions they set into motion.

In the end we all want to make the client happy, but protecting your network must come first. You can't make a client happy if no one will accept your server's mail.

>
> How do you handle mail that you forward? As I see it my only options
> for dealing with aol are:

As above, if AOL sends an scomp report, the forward stops immediately. This has happened only twice. Both times I sent the report to the client and explained the situation. There have been no repeat incidents.

Good luck,

DAve

> - Don't miss any spam (uh, I wish) so none is forwarded to aol.com
> addresses.
> - Don't forward to outside addresses (definitely the choice I wish I
> could implement, but not really an option).
> - Convince aol that even though I frequently forward spam, they
> should let me. (Again, doesn't seem likely to happen.)
>
> Anyone have any other suggestions? I would expect this happens to quite
> a few of you with large user counts, if not with aol then with some
> other large provider.
>
> In my case it's been 500 reported "spam" sent to 150 aol.com addresses
> in three weeks, so 3 messages per user per week missed. I don't yet
> have a way to know the total count of messages forwarded for those
> users, but I doubt 3.3/week is a very high false-negative rate. The
> problem is just that from aol.com's point of view they're all spam from
> me, even though they're actually just being forwarded by me upon request
> of their users.
>
> --
> Trever Furnish, tgfurnish@herffjones.com Herff Jones, Inc. Unix /
> Network Administrator
> Phone: 317.612.3519
> Any sufficiently advanced technology is indistinguishable from Unix.

--
Three years now I've asked Google why they don't have a logo change for Memorial Day.
Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From campbell at cnpapers.com Mon Apr 30 22:02:25 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Apr 30 22:02:43 2007
Subject: A lot of spam getting through
References: <04D932B0071FE34FA63EBB1977B48D1502816EA6@woodenex.woodmaclaw.local>
Message-ID: <001701c78b6a$ddc5caf0$0705000a@ddf5dw71>

----- Original Message -----
From: "Billy A. Pumphrey"
To: "MailScanner discussion"
Sent: Monday, April 30, 2007 4:57 PM
Subject: RE: A lot of spam getting through

>> You should only change it if you have a caching nameserver on the server
>> that is showing a lot of spam. Did you discover whether you are even
>> running
>> a local DNS server? What does ps show? What was in the file before you
>> edited it?
>>
>> Steve
>>
>
> I believe the file was blank, I edited when I first set the machine up.
> PS shows:
>
>   PID TTY          TIME CMD
> 28182 pts/0    00:00:01 bash
>  2890 pts/0    00:00:00 ps
> --

If you're running RH flavor OS, do one of the following as root:

ps -ax | grep named
chkconfig --list named
ls /etc/rc.d/init.d/named
netstat -an | grep 53

One of these should maybe give you an idea about a DNS server. If you're running some other OS, I can't really help.

Steve

From TGFurnish at herffjones.com Mon Apr 30 22:10:10 2007
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Apr 30 22:10:15 2007
Subject: Slightly OT: How do you deal with domains you forward to who consider you a spammer based in user reports?
In-Reply-To:
References: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int>
Message-ID: <57573D714A832C43B9D80EAFBDA48D03057BDABE@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Scott Silva
> Sent: Monday, April 30, 2007 4:33 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Slightly OT: How do you deal with domains you
> forward to who consider you a spammer based in user reports?
>
> I would put a smarthost on another IP address and only
> forward the AOL mail through that one. It will still choke on
> AOL, but it won't bring down the rest of your users. You
> could even put MailScanner on that host and check them again
> if you want.

Thanks, Scott. This is actually how I react when the block goes into effect -- I either let the mail flow directly from internal systems to aol or I use a mailertable entry to bounce off of another of our relays on a different public address. Thankfully we haven't run out of addresses to relay through yet, but I'm hoping for a more permanent solution.

From TGFurnish at herffjones.com Mon Apr 30 22:12:02 2007
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Apr 30 22:12:30 2007
Subject: Slightly OT: How do you deal with domains you forward towhoconsider you a spammer based in user reports?
In-Reply-To:
References: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int>
Message-ID: <57573D714A832C43B9D80EAFBDA48D03057BDABF@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Gareth
> Sent: Monday, April 30, 2007 4:51 PM
> To: MailScanner discussion
> Subject: RE: Slightly OT: How do you deal with domains you
> forward towhoconsider you a spammer based in user reports?
>
> For AOL there is a service you can subscribe to and give
> details of the IP address of your mail servers and your email
> address. Any spam complaints they receive are then passed
> onto yourselves. We do that so if someone reports one of our
> newsletters as spam we can look at the headers to see who it
> was sent to and then remove them from the list.

Thanks, Gareth. I've already done that actually -- that's how I know that a small percentage of the messages aren't even spam, and that the remaining messages are simply spam we don't catch (and have little hope of catching, since they're the variety that still regularly eludes spamassassin and are coming from addresses not listed on any of the RBLs we use).

From TGFurnish at herffjones.com Mon Apr 30 22:26:28 2007
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Apr 30 22:26:34 2007
Subject: Slightly OT: How do you deal with domains you forward to who consider you a spammer based in user reports?
In-Reply-To: <463656D4.4010200@pacific.net>
References: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int> <463656D4.4010200@pacific.net>
Message-ID: <57573D714A832C43B9D80EAFBDA48D03057BDAC0@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
> Sent: Monday, April 30, 2007 4:52 PM
> To: MailScanner discussion
> Subject: Re: Slightly OT: How do you deal with domains you
> forward to who consider you a spammer based in user reports?

Thanks for the response, Ken.

> It doesn't cost anything to get an aol feedback loop for your
> ip space.

Yup, did that.

> When I came in this morning I had about 10 aol 'TOS
> notifications' from the weekend. Half of those were
> legitimate mailings from domains we host with one click
> opt-out links at the bottom, so I can quickly opt those
> lusers out! ...

Yup, on the very few messages that originate from inside or in mailing lists we control I've just opted the users out when I could tell what addresses the messages were sent to. Unfortunately most are just real spam from outside sent to an individual's forwarding address.

We have a bunch of outside sales reps who have company domain addresses that simply forward to whatever address they actually use. They're mostly set up for inclusion in business cards and letterhead. I'm trying to get that type of set-up banned so that the norm is to force those outside users to pick up their mail from us instead of getting it forwarded, but not having much luck so far.

> spam' on. If this is a repeat behavior by a certain customer,
> we send them a friendly note asking them not to do that on
> their domain mail ...

We're starting down that road too -- hopefully that will help. The especially disheartening ones though are the actual purchasing customers who are reporting simple confirmation emails ("Your order has shipped. You ordered four yearbooks, four gowns, ... Here's your tracking number.") as spam instead of just hitting the delete button -- they're not even likely to ever receive another such message from us for at least a year. :-(

Thanks for the response -- if nothing else talking to peers helps firm up my persuasiveness with management.

--
Trever

From TGFurnish at herffjones.com Mon Apr 30 22:34:36 2007
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Apr 30 22:34:39 2007
Subject: Slightly OT: How do you deal with domains you forward to who consider you a spammer based in user reports?
In-Reply-To: <46365924.7000202@pixelhammer.com>
References: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int> <46365924.7000202@pixelhammer.com>
Message-ID: <57573D714A832C43B9D80EAFBDA48D03057BDAC1@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
> Sent: Monday, April 30, 2007 5:01 PM
> To: MailScanner discussion
> Subject: Re: Slightly OT: How do you deal with domains you
> forward to who consider you a spammer based in user reports?

> An exasperating situation. We have been dealing with the same
> issue for quite a while. Our current solution is to use
> verp, if AOL returns the message in a scomp report we remove
> the user's email address and add it to a subscriber black
> list. That email address is never allowed to subscribe to
> another mail list we host. So far, no client has complained,
> AOL is happy, our scomp reports have plummeted.

Are you using verp only in conjunction with mailing lists? Unfortunately my forwards aren't going through any kind of mailing list manager -- they're just coming in and getting forwarded immediately back out, since each address goes to an individual. The forwards were set up so that outside sales reps who don't pick up mail from our systems could still have a "company" email address -- a practice I'm hoping to end, but which I expect to continue.

> You might see if there is a way to inject something into the
> headers that AOL will not redact. Then, if the user reports
> their forwarded mail as spam, simply stop forwarding.

That might actually make a big difference. Any ideas on how to implement it, short of placing a footer in the body of the message? I've noted that aol "redacts" anything that looks like an email address in the headers, but not the body, but if I could insert a header that says, for example, "X-HJ-MailScanner-To: foo at foo dot com", they probably wouldn't redact that. I suppose I could modify that bit of code in mailscanner that adds that header...hmmm... Painful for upgrades, but better than nothing...

> Not the
> best solution business wise, but the safe option for certain.
> If the user wants the authority to declare spam/not spam,
> they should be responsible for the actions they set into motion.
>
> In the end we all want to make the client happy, but
> protecting your network must come first. You can't make a
> client happy if no one will accept your server's mail.

Good points and it's nice to know I'm not the only one who feels that way.

> > How do you handle mail that you forward? As I see it my only options
> > for dealing with aol are:
>
> As above, if AOL sends an scomp report, the forward stops
> immediately.
> This has happened only twice. Both times I sent the report to
> the client and explained the situation. There have been no
> repeat incidents.
>
> Good luck,
>
> DAve

Thanks for the response, DAve.

--
Trever

From res at ausics.net Mon Apr 30 22:51:14 2007
From: res at ausics.net (Res)
Date: Mon Apr 30 22:51:28 2007
Subject: {Spam?} Re: Announcement: New beta 4.59.2 released
In-Reply-To:
References: <46321205.1020007@ecs.soton.ac.uk> <223f97700704291626i69cedc12q42fc702b28e6084@mail.gmail.com> <20070430132221.GC20369@doctor.nl2k.ab.ca>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 30 Apr 2007, Hugo van der Kooij wrote:

> I see you know Res ;-)

Actually, I'm rather quiet on that list ;) and well behaved, because it has a clear charter and very clear rules about what's on/off topic, unlike this list where those that think OT is OK, until they don't like the thread that is.

- --
Cheers
Res

Vote for your favourite MTA at http://polls.ausics.net/v3.php

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGNmTWsWhAmSIQh7MRAip9AJ9axksUPvGHJV8u3y6mEMyY7k0lnQCffAQ5
szA39stlnN/aUrVXeU0uFP0=
=ZWEv
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Mon Apr 30 22:57:59 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Apr 30 22:58:31 2007
Subject: Slightly OT: How do you deal with domains you forward to who consider you a spammer based in user reports?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D03057BDAB2@inex3.herffjones.hj-int>
Message-ID:

On Mon, 30 Apr 2007, Furnish, Trever G wrote:

> This is specifically related to aol.com, but generally the problem is I
> forward to about 150 addresses at a given domain (out of the ten
> thousand or so I accept mail for) and the relatively small number of
> spam I DON'T catch are being reported by those users to their ISP as
> spam, causing my outbound server's IP address to be blacklisted by their
> ISP. AOL makes this extremely convenient for their users (so convenient
> that quite a few of the messages reported aren't even spam, but are
> actually just mail they're too lazy to unsubscribe from).

Our company is rather simple in this regard. Anyone doing this sort of thing is disrupting computer services and is violating the company policy. They get one slap on the hand. The next slap is the sound of the pink slip being slapped on that person's desk.

Then again we have almost half a dozen ways people can connect from home to read the company email so forwarding it is pointless.

And smart forwarding rules should only forward if it really is addressed to you or your group and most spam would not match those criteria.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
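
The header idea raised earlier in this thread by DAve and Trever (mark each forwarded message with something the feedback loop will not redact, then stop forwarding for users who keep reporting), sketched as an added example that is not code from any poster or from MailScanner. The header name follows Trever's `X-HJ-MailScanner-To` suggestion; the report layout (original attached as message/rfc822), the complaint threshold and every address are constructed assumptions.

```python
"""Attribute feedback-loop complaints to a forward target via a custom header."""
from collections import Counter
from email import message_from_string, policy
from email.message import EmailMessage

TAG_HEADER = "X-HJ-MailScanner-To"  # header name floated in the thread
COMPLAINT_LIMIT = 2                 # assumed policy: stop forwarding at 2 reports


def obfuscate(addr):
    """'rep.one@aol.com' -> 'rep dot one at aol dot com' (no '@' left to redact)."""
    local, _, domain = addr.strip().lower().partition("@")
    if not local or not domain:
        raise ValueError("not an address: %r" % addr)
    return "%s at %s" % (local.replace(".", " dot "), domain.replace(".", " dot "))


def deobfuscate(tag):
    """Inverse of obfuscate()."""
    return tag.strip().replace(" dot ", ".").replace(" at ", "@")


def tag_forward(msg, forward_to):
    """Stamp the outgoing copy with its forward target. Any inbound copy of the
    header is dropped first, so a sender cannot pre-seed it to frame a user."""
    del msg[TAG_HEADER]
    msg[TAG_HEADER] = obfuscate(forward_to)
    return msg


def complainant(report_text):
    """Forward target named in the original attached to a report, else None."""
    report = message_from_string(report_text, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822" and part.is_multipart():
            tag = part.get_payload(0).get(TAG_HEADER)
            if tag and " at " in tag:
                return deobfuscate(str(tag))
    return None


def forwards_to_stop(reports, limit=COMPLAINT_LIMIT):
    """Return (targets with >= limit complaints, count of unattributable reports)."""
    counts, unattributed = Counter(), 0
    for text in reports:
        who = complainant(text)
        if who:
            counts[who] += 1
        else:
            unattributed += 1
    return sorted(a for a, n in counts.items() if n >= limit), unattributed


def constructed_report(forward_to):
    """Build a constructed report: original attached, recipient already redacted."""
    original = EmailMessage()
    original["From"] = "sender@example.net"
    original["To"] = "redacted@example.invalid"  # stands in for the ISP's redaction
    original["Subject"] = "constructed sample"
    original.set_content("body\n")
    tag_forward(original, forward_to)
    report = EmailMessage()
    report["From"] = "feedback@isp.example"
    report["To"] = "postmaster@example.com"
    report["Subject"] = "constructed TOS notification"
    report.set_content("A user reported the attached message as spam.\n")
    report.add_attachment(original)  # becomes a message/rfc822 part
    return report.as_string()


if __name__ == "__main__":
    sample = [constructed_report("rep.one@aol.com"),
              constructed_report("rep.one@aol.com"),
              constructed_report("rep.two@aol.com"),
              "Subject: untagged report\n\nno attachment\n"]
    stop, unknown = forwards_to_stop(sample)
    print("stop forwarding for:", stop, "| unattributed reports:", unknown)
```

A readable address in a header is visible to every downstream hop; an opaque per-recipient token looked up in a local table would serve the same purpose without exposing the forward target.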